86 lines
2.8 KiB
YAML
86 lines
2.8 KiB
YAML
# HELM first deletes RBAC of Kuma, then it tries to delete Secrets. We've got validating webhook on Secrets.
|
|
# But even that the policy of this webhook is Ignore, it fails because Kuma does not have permission to access Secrets anymore.
|
|
# Therefore we first need to delete webhook so we can delete the rest of the deployment
|
|
{{- $serviceAccountName := printf "%s-pre-delete-job" (include "kuma.name" .) }}
|
|
apiVersion: v1
|
|
kind: ServiceAccount
|
|
metadata:
|
|
name: {{ $serviceAccountName }}
|
|
namespace: {{ .Release.Namespace }}
|
|
annotations:
|
|
"helm.sh/hook": "pre-delete"
|
|
"helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded,hook-failed"
|
|
labels:
|
|
{{- include "kuma.labels" . | nindent 4 }}
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRole
|
|
metadata:
|
|
name: {{ include "kuma.name" . }}-pre-delete-job
|
|
annotations:
|
|
"helm.sh/hook": "pre-delete"
|
|
"helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded,hook-failed"
|
|
labels:
|
|
{{- include "kuma.labels" . | nindent 4 }}
|
|
rules:
|
|
- apiGroups:
|
|
- admissionregistration.k8s.io
|
|
resources:
|
|
- validatingwebhookconfigurations
|
|
resourceNames:
|
|
- {{ include "kuma.name" . }}-validating-webhook-configuration
|
|
verbs:
|
|
- delete
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRoleBinding
|
|
metadata:
|
|
name: {{ include "kuma.name" . }}-pre-delete-job
|
|
annotations:
|
|
"helm.sh/hook": "pre-delete"
|
|
"helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded,hook-failed"
|
|
labels:
|
|
{{- include "kuma.labels" . | nindent 4 }}
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
kind: ClusterRole
|
|
name: {{ include "kuma.name" . }}-pre-delete-job
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: {{ $serviceAccountName }}
|
|
namespace: {{ .Release.Namespace }}
|
|
---
|
|
apiVersion: batch/v1
|
|
kind: Job
|
|
metadata:
|
|
name: {{ template "kuma.name" . }}-delete-webhook
|
|
namespace: {{ .Release.Namespace }}
|
|
labels:
|
|
{{ include "kuma.labels" . | nindent 4 }}
|
|
annotations:
|
|
"helm.sh/hook": "pre-delete"
|
|
{{/* Ensure the job is created after the RBAC resources */}}
|
|
"helm.sh/hook-weight": "5"
|
|
"helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded,hook-failed"
|
|
spec:
|
|
template:
|
|
metadata:
|
|
name: {{ template "kuma.name" . }}-delete-webhook
|
|
labels:
|
|
{{ include "kuma.labels" . | nindent 8 }}
|
|
spec:
|
|
serviceAccountName: {{ $serviceAccountName }}
|
|
{{- with .Values.hooks.nodeSelector }}
|
|
nodeSelector:
|
|
{{ toYaml . | nindent 8 }}
|
|
{{- end }}
|
|
restartPolicy: OnFailure
|
|
containers:
|
|
- name: pre-delete-job
|
|
image: {{ include "kubectl.formatImage" (dict "image" .Values.kubectl.image "root" $) | quote }}
|
|
command:
|
|
- 'kubectl'
|
|
- 'delete'
|
|
- 'ValidatingWebhookConfiguration'
|
|
- {{ include "kuma.name" . }}-validating-webhook-configuration
|