diff --git a/.circleci/config.yml b/.circleci/config.yml index 8848551e..58b6af1b 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -84,10 +84,14 @@ jobs: name: Helm install stackstorm-ha chart command: helm install --timeout 10m0s --debug --wait --name-template stackstorm-ha . - run: - # once https://github.com/helm/community/pull/165 is merged we will need to add the parallelism flag back into the - # below command name: Helm test command: helm test stackstorm-ha + - run: + name: Helm upgrade with RBAC enabled + command: helm upgrade --set st2.rbac.enabled=true --timeout 5m0s --debug --wait stackstorm-ha . + - run: + name: Helm test with RBAC enabled + command: helm test stackstorm-ha - run: when: always name: Show created K8s resources diff --git a/CHANGELOG.md b/CHANGELOG.md index abfe3e68..10f445af 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,7 @@ ## In Development * Change st2packs definition to a list, to support multiple st2packs containers (#166) (by @moonrail) +* Enabled RBAC/LDAP configuration for OSS version, removed enterprise flags (#182) (by @hnanchahal) ## v0.52.0 * Improve resource allocation and scheduling by adding resources requests cpu/memory values for st2 Pods (#179) diff --git a/Chart.yaml b/Chart.yaml index 9b3321bb..d6c7b6d2 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 # StackStorm version which refers to Docker images tag -appVersion: 3.4dev +appVersion: "3.4dev" name: stackstorm-ha version: 0.52.0 description: StackStorm K8s Helm Chart, optimized for running StackStorm in HA environment. 
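Review bot: The second `helm test stackstorm-ha` step in `.circleci/config.yml` reruns the same test suite after the RBAC upgrade, so unless those tests contain an RBAC-specific assertion (they are not visible in this diff) CI only proves the release still comes up with `st2.rbac.enabled=true`, not that authorization is enforced. Consider adding a chart test that is rendered only when `.Values.st2.rbac.enabled` is set and that checks a role assignment from `st2.rbac.assignments` is in effect, for example that a non-admin user is denied an admin-only API call. Without it, a regression that leaves the `[rbac]` section out of the rendered config would still pass this pipeline.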
@@ -25,7 +25,7 @@ maintainers: url: https://github.com/armab details: This Helm chart is a fully installable app that codifies StackStorm cluster deployment optimized for HA and K8s environment. - RabbitMQ-HA, MongoDB-HA clusters and coordination backend st2 relies on will be deployed as 3rd party chart dependencies. + RabbitMQ-HA, MongoDB-HA clusters and Redis coordination backend st2 relies on will be deployed as 3rd party chart dependencies. For configuration details please check default values.yaml and README. dependencies: - name: rabbitmq diff --git a/templates/NOTES.txt b/templates/NOTES.txt index bd4546b0..4599e243 100644 --- a/templates/NOTES.txt +++ b/templates/NOTES.txt @@ -1,4 +1,4 @@ -Congratulations! You have just deployed StackStorm {{ if .Values.enterprise.enabled }}Enterprise {{ end }}HA! +Congratulations! You have just deployed StackStorm HA! ███████╗████████╗██████╗ ██╗ ██╗ █████╗ ██████╗ ██╗ ██╗ ██╔════╝╚══██╔══╝╚════██╗ ██║ ██║██╔══██╗ ██╔═══██╗██║ ██╔╝ 
@@ -11,20 +11,20 @@ Congratulations! You have just deployed StackStorm {{ if .Values.enterprise.enab {{- if contains "LoadBalancer" .Values.st2web.service.type }} NOTE: It may take a few minutes for the LoadBalancer IP to be available. - Watch the status with "kubectl get service {{ .Release.Name }}-st2web{{ template "enterpriseSuffix" . }} -o jsonpath='{.status.loadBalancer.ingress[0].hostname}'" + Watch the status with "kubectl get service {{ .Release.Name }}-st2web -o jsonpath='{.status.loadBalancer.ingress[0].hostname}'" -export ST2WEB_IP=$(kubectl get service {{ .Release.Name }}-st2web{{ template "enterpriseSuffix" . }} -o jsonpath='{.status.loadBalancer.ingress[0].hostname}') +export ST2WEB_IP=$(kubectl get service {{ .Release.Name }}-st2web -o jsonpath='{.status.loadBalancer.ingress[0].hostname}') echo https://${ST2WEB_IP}/ {{- else if contains "ClusterIP" .Values.st2web.service.type }} echo http://127.0.0.1:8080 -kubectl port-forward --namespace {{ .Release.Namespace }} svc/{{ .Release.Name }}-st2web{{ template "enterpriseSuffix" . }} 8080:80 +kubectl port-forward --namespace {{ .Release.Namespace }} svc/{{ .Release.Name }}-st2web 8080:80 {{- else if contains "NodePort" .Values.st2web.service.type }} export ST2WEB_IP=$(minikube ip 2>/dev/null || kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") -export ST2WEB_PORT="$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ .Release.Name }}-st2web{{ template "enterpriseSuffix" . }})" +export ST2WEB_PORT="$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ .Release.Name }}-st2web)" echo http://${ST2WEB_IP}:${ST2WEB_PORT}/ {{- end }} diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index bcf18da2..fbb552d7 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl 
@@ -3,27 +3,9 @@ {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} {{- end -}} -# Image pull secret used to access private docker.stackstorm.com Docker registry with Enterprise images -{{- define "imagePullSecret" }} -{{- if required "Missing context '.Values.enterprise.enabled'!" .Values.enterprise.enabled -}} -{{- printf "{\"auths\": {\"%s\": {\"auth\": \"%s\"}}}" "docker.stackstorm.com" (printf "%s:%s" .Values.enterprise.license .Values.enterprise.license | b64enc) | b64enc }} -{{- end -}} -{{- end }} - -# Generate support method used in labels. This is based on community/enterprise -{{- define "supportMethod" -}} -{{- if required "Missing context '.Values.enterprise.enabled'!" .Values.enterprise.enabled -}} -enterprise -{{- else -}} -community -{{- end -}} -{{- end }} - -# Generate Docker image repository: Private 'docker.stackstorm.com' for Enterprise vs Public Docker Hub 'stackstorm' for FOSS version +# Generate Docker image repository: Public Docker Hub 'stackstorm' for FOSS version {{- define "imageRepository" -}} -{{- if required "Missing context '.Values.enterprise.enabled'!" .Values.enterprise.enabled -}} -docker.stackstorm.com -{{- else if .Values.image.repository -}} +{{- if .Values.image.repository -}} {{ .Values.image.repository }} {{- else -}} stackstorm @@ -37,11 +19,6 @@ Create the name of the stackstorm-ha service account to use {{- default .Chart.Name .Values.serviceAccount.serviceAccountName -}} {{- end -}} -# Generate '-enterprise' suffix only when it's needed for resource names, docker images, etc -{{- define "enterpriseSuffix" -}} -{{ if required "Missing context '.Values.enterprise.enabled'!" .Values.enterprise.enabled }}-enterprise{{ end }} -{{- end -}} - # Generate '-' prefix only when the variable is defined {{- define "hyphenPrefix" -}} {{ if . }}-{{ . }}{{end}} 
@@ -160,7 +137,7 @@ Create the name of the stackstorm-ha service account to use {{- end }} # System packs - name: st2-system-packs - image: "{{ template "imageRepository" . }}/st2actionrunner{{ template "enterpriseSuffix" . }}:{{ .Chart.AppVersion }}" + image: "{{ template "imageRepository" . }}/st2actionrunner:{{ .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} volumeMounts: - name: st2-packs-vol diff --git a/templates/configmaps_packs.yaml b/templates/configmaps_packs.yaml index d63ee89f..b87e9998 100644 --- a/templates/configmaps_packs.yaml +++ b/templates/configmaps_packs.yaml @@ -9,7 +9,6 @@ metadata: app: st2 tier: backend vendor: stackstorm - support: {{ template "supportMethod" . }} chart: {{ .Chart.Name }}-{{ .Chart.Version }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} diff --git a/templates/configmaps_rbac.yaml b/templates/configmaps_rbac.yaml index 3366ecb2..8508d6e8 100644 --- a/templates/configmaps_rbac.yaml +++ b/templates/configmaps_rbac.yaml @@ -1,4 +1,4 @@ -{{ if .Values.enterprise.enabled }} +{{- if .Values.st2.rbac.enabled }} --- apiVersion: v1 kind: ConfigMap @@ -10,12 +10,11 @@ metadata: app: st2 tier: backend vendor: stackstorm - support: enterprise chart: {{ .Chart.Name }}-{{ .Chart.Version }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} data: -{{ toYaml .Values.enterprise.rbac.roles | indent 2 }} +{{ toYaml .Values.st2.rbac.roles | indent 2 }} --- apiVersion: v1 @@ -28,12 +27,11 @@ metadata: app: st2 tier: backend vendor: stackstorm - support: enterprise chart: {{ .Chart.Name }}-{{ .Chart.Version }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} data: -{{ toYaml .Values.enterprise.rbac.assignments | indent 2 }} +{{ toYaml .Values.st2.rbac.assignments | indent 2 }} --- apiVersion: v1 
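Review bot: Gating these ConfigMaps on `.Values.st2.rbac.enabled` in `templates/configmaps_rbac.yaml` means a release whose values still set `enterprise.enabled: true` and `enterprise.rbac.*` will, after upgrade, render no RBAC roles, assignments or mappings, because the old keys are silently ignored. That is a fail-open change for existing installs, assuming `st2.rbac.enabled` defaults to false in values.yaml (not visible here). Provided values.yaml no longer defines an `enterprise` key, I would make the chart refuse to render when one is supplied, for example `{{- if .Values.enterprise }}{{ fail "enterprise.* values were removed; move RBAC settings to st2.rbac.* and set st2.rbac.enabled" }}{{- end }}`, and mark the CHANGELOG entry as a breaking change. The `{{- end }}` that closes the new `if` is in a later hunk of the same file.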
@@ -46,14 +44,13 @@ metadata: app: st2 tier: backend vendor: stackstorm - support: enterprise chart: {{ .Chart.Name }}-{{ .Chart.Version }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} data: -{{- if .Values.enterprise.rbac.mappings }} -{{ toYaml .Values.enterprise.rbac.mappings | indent 2 }} +{{- if .Values.st2.rbac.mappings }} +{{ toYaml .Values.st2.rbac.mappings | indent 2 }} {{ else }} {} {{ end }} -{{ end }} +{{- end }} diff --git a/templates/configmaps_st2-conf.yaml b/templates/configmaps_st2-conf.yaml index cad674fa..98f326dc 100644 --- a/templates/configmaps_st2-conf.yaml +++ b/templates/configmaps_st2-conf.yaml @@ -9,7 +9,6 @@ metadata: app: st2 tier: backend vendor: stackstorm - support: {{ template "supportMethod" . }} chart: {{ .Chart.Name }}-{{ .Chart.Version }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} @@ -19,7 +18,7 @@ data: # The order of merging: st2.conf < st2.docker.conf < st2.user.conf st2.docker.conf: | [auth] - api_url = http://{{ .Release.Name }}-st2api{{ template "enterpriseSuffix" . }}:9101/ + api_url = http://{{ .Release.Name }}-st2api:9101/ {{- if index .Values "redis" "enabled" }} [coordination] url = redis://{{ template "redis-nodes" $ }} @@ -44,8 +43,14 @@ data: [keyvalue] encryption_key_path = /etc/st2/keys/datastore_key.json {{- end }} + {{- if .Values.st2.rbac.enabled }} + [rbac] + enable = True + backend = default + {{- end }} # User-defined st2 config with custom settings applied on top of everything else. # The order of merging: st2.conf < st2.docker.conf < st2.user.conf st2.user.conf: | {{ .Values.st2.config | indent 4 }} + diff --git a/templates/configmaps_st2-urls.yaml b/templates/configmaps_st2-urls.yaml index 9348c1a3..9810ecd6 100644 --- a/templates/configmaps_st2-urls.yaml +++ b/templates/configmaps_st2-urls.yaml 
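Review bot: The new `[rbac]` block in `templates/configmaps_st2-conf.yaml` is written into `st2.docker.conf`, which the comment in this hunk says is merged before `st2.user.conf`, so an `[rbac]` section inside `.Values.st2.config` overrides `enable = True` while the RBAC ConfigMaps are still rendered. That precedence is worth stating next to the block so an operator does not end up with RBAC definitions deployed but enforcement switched off; I would add a template comment above it such as `{{- /* st2.user.conf is merged last: an [rbac] section in .Values.st2.config overrides this block */ -}}`. The same hunk also adds an empty line at the end of the file, which can be dropped.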
@@ -9,11 +9,10 @@ metadata: app: st2 tier: backend vendor: stackstorm - support: {{ template "supportMethod" . }} chart: {{ .Chart.Name }}-{{ .Chart.Version }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} data: - ST2_AUTH_URL: http://{{ .Release.Name }}-st2auth{{ template "enterpriseSuffix" . }}:9100/ - ST2_API_URL: http://{{ .Release.Name }}-st2api{{ template "enterpriseSuffix" . }}:9101/ - ST2_STREAM_URL: http://{{ .Release.Name }}-st2stream{{ template "enterpriseSuffix" . }}:9102/ + ST2_AUTH_URL: http://{{ .Release.Name }}-st2auth:9100/ + ST2_API_URL: http://{{ .Release.Name }}-st2api:9101/ + ST2_STREAM_URL: http://{{ .Release.Name }}-st2stream:9102/ diff --git a/templates/configmaps_st2web.yaml b/templates/configmaps_st2web.yaml index c861a812..63ed6c99 100644 --- a/templates/configmaps_st2web.yaml +++ b/templates/configmaps_st2web.yaml @@ -10,7 +10,6 @@ metadata: app: st2 tier: backend vendor: stackstorm - support: {{ template "supportMethod" . }} chart: {{ .Chart.Name }}-{{ .Chart.Version }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} diff --git a/templates/deployments.yaml b/templates/deployments.yaml index 2827df07..f9ff7af0 100644 --- a/templates/deployments.yaml +++ b/templates/deployments.yaml @@ -7,12 +7,11 @@ apiVersion: apps/v1 kind: Deployment metadata: - name: {{ .Release.Name }}-st2auth{{ template "enterpriseSuffix" . }} + name: {{ .Release.Name }}-st2auth labels: app: st2auth tier: backend vendor: stackstorm - support: {{ template "supportMethod" . }} chart: {{ .Chart.Name }}-{{ .Chart.Version }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} @@ -20,7 +19,6 @@ spec: selector: matchLabels: app: st2auth - support: {{ template "supportMethod" . }} release: {{ .Release.Name }} # https://docs.stackstorm.com/reference/ha.html#st2auth # Multiple st2auth processes can be behind a load balancer in an active-active configuration. 
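Review bot: Dropping `support: {{ template "supportMethod" . }}` from `spec.selector.matchLabels` changes the selector of a Deployment whose name stays `{{ .Release.Name }}-st2auth` for non-enterprise installs, and `spec.selector` is immutable in `apps/v1`, so `helm upgrade` from the previous chart version is likely to be rejected by the API server for existing releases. The same edit is repeated for every other Deployment in `templates/deployments.yaml` (st2api, st2stream, st2web and the rest). The CI steps added in this commit install and upgrade from the same chart, so they will not catch this. Either keep the label in the selectors (a fixed `support: community` matches what the removed helper rendered for non-enterprise installs) or document in the CHANGELOG that existing Deployments must be deleted before upgrading. The Deployment spec continues outside this hunk.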
@@ -31,7 +29,6 @@ spec: app: st2auth tier: backend vendor: stackstorm - support: {{ template "supportMethod" . }} chart: {{ .Chart.Name }}-{{ .Chart.Version }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} @@ -40,9 +37,6 @@ spec: checksum/auth: {{ include (print $.Template.BasePath "/secrets_st2auth.yaml") . | sha256sum }} spec: imagePullSecrets: - {{- if .Values.enterprise.enabled }} - - name: {{ .Release.Name }}-st2-license - {{- end }} {{- if .Values.image.pullSecret }} - name: {{ .Values.image.pullSecret }} {{- end }} @@ -51,7 +45,7 @@ spec: {{ include "init-containers-wait-for-mq" . | indent 6 }} # Sidecar container for generating .htpasswd with st2 username & password pair and sharing produced file with the main st2auth container - name: generate-htpasswd - image: "{{ template "imageRepository" . }}/st2auth{{ template "enterpriseSuffix" . }}:{{ .Chart.AppVersion }}" + image: "{{ template "imageRepository" . }}/st2auth:{{ .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} env: - name: ST2_AUTH_USERNAME @@ -72,8 +66,8 @@ spec: - '-ec' - printf "${ST2_AUTH_USERNAME}:$(openssl passwd -apr1 "${ST2_AUTH_PASSWORD}")\n" > /tmp/st2/htpasswd containers: - - name: st2auth{{ template "enterpriseSuffix" . }} - image: "{{ template "imageRepository" . }}/st2auth{{ template "enterpriseSuffix" . }}:{{ .Chart.AppVersion }}" + - name: st2auth + image: "{{ template "imageRepository" . }}/st2auth:{{ .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} ports: - containerPort: 9100 @@ -123,12 +117,11 @@ spec: apiVersion: apps/v1 kind: Deployment metadata: - name: {{ .Release.Name }}-st2api{{ template "enterpriseSuffix" . }} + name: {{ .Release.Name }}-st2api labels: app: st2api tier: backend vendor: stackstorm - support: {{ template "supportMethod" . }} chart: {{ .Chart.Name }}-{{ .Chart.Version }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} 
@@ -136,7 +129,6 @@ spec: selector: matchLabels: app: st2api - support: {{ template "supportMethod" . }} release: {{ .Release.Name }} # https://docs.stackstorm.com/reference/ha.html#st2api # Multiple st2api process can be behind a load balancer in an active-active configuration. @@ -147,7 +139,6 @@ spec: app: st2api tier: backend vendor: stackstorm - support: {{ template "supportMethod" . }} chart: {{ .Chart.Name }}-{{ .Chart.Version }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} @@ -156,9 +147,6 @@ spec: checksum/datastore-key: {{ include (print $.Template.BasePath "/secrets_datastore_crypto_key.yaml") . | sha256sum }} spec: imagePullSecrets: - {{- if .Values.enterprise.enabled }} - - name: {{ .Release.Name }}-st2-license - {{- end }} {{- if .Values.image.pullSecret }} - name: {{ .Values.image.pullSecret }} {{- end }} @@ -172,8 +160,8 @@ spec: {{- include "packs-initContainers" . | indent 6 }} {{- end }} containers: - - name: st2api{{ template "enterpriseSuffix" . }} - image: "{{ template "imageRepository" . }}/st2api{{ template "enterpriseSuffix" . }}:{{ .Chart.AppVersion }}" + - name: st2api + image: "{{ template "imageRepository" . }}/st2api:{{ .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} ports: - containerPort: 9101 @@ -240,12 +228,11 @@ spec: apiVersion: apps/v1 kind: Deployment metadata: - name: {{ .Release.Name }}-st2stream{{ template "enterpriseSuffix" . }} + name: {{ .Release.Name }}-st2stream labels: app: st2stream tier: backend vendor: stackstorm - support: {{ template "supportMethod" . }} chart: {{ .Chart.Name }}-{{ .Chart.Version }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} @@ -253,7 +240,6 @@ spec: selector: matchLabels: app: st2stream - support: {{ template "supportMethod" . }} release: {{ .Release.Name }} # https://docs.stackstorm.com/reference/ha.html#st2stream # Multiple st2stream process can be behind a load balancer in an active-active configuration. 
@@ -264,7 +250,6 @@ spec: app: st2stream tier: backend vendor: stackstorm - support: {{ template "supportMethod" . }} chart: {{ .Chart.Name }}-{{ .Chart.Version }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} @@ -272,9 +257,6 @@ spec: checksum/config: {{ include (print $.Template.BasePath "/configmaps_st2-conf.yaml") . | sha256sum }} spec: imagePullSecrets: - {{- if .Values.enterprise.enabled }} - - name: {{ .Release.Name }}-st2-license - {{- end }} {{- if .Values.image.pullSecret }} - name: {{ .Values.image.pullSecret }} {{- end }} @@ -282,8 +264,8 @@ spec: {{ include "init-containers-wait-for-db" . | indent 6 }} {{ include "init-containers-wait-for-mq" . | indent 6 }} containers: - - name: st2stream{{ template "enterpriseSuffix" . }} - image: "{{ template "imageRepository" . }}/st2stream{{ template "enterpriseSuffix" . }}:{{ .Chart.AppVersion }}" + - name: st2stream + image: "{{ template "imageRepository" . }}/st2stream:{{ .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} ports: - containerPort: 9102 @@ -326,12 +308,11 @@ spec: apiVersion: apps/v1 kind: Deployment metadata: - name: {{ .Release.Name }}-st2web{{ template "enterpriseSuffix" . }} + name: {{ .Release.Name }}-st2web labels: app: st2web tier: frontend vendor: stackstorm - support: {{ template "supportMethod" . }} chart: {{ .Chart.Name }}-{{ .Chart.Version }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} @@ -339,7 +320,6 @@ spec: selector: matchLabels: app: st2web - support: {{ template "supportMethod" . }} release: {{ .Release.Name }} replicas: {{ default 2 .Values.st2web.replicas }} template: @@ -348,7 +328,6 @@ spec: app: st2web tier: frontend vendor: stackstorm - support: {{ template "supportMethod" . }} chart: {{ .Chart.Name }}-{{ .Chart.Version }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} 
@@ -356,15 +335,12 @@ spec: checksum/config: {{ include (print $.Template.BasePath "/configmaps_st2web.yaml") . | sha256sum }} spec: imagePullSecrets: - {{- if .Values.enterprise.enabled }} - - name: {{ .Release.Name }}-st2-license - {{- end }} {{- if .Values.image.pullSecret }} - name: {{ .Values.image.pullSecret }} {{- end }} containers: - - name: st2web{{ template "enterpriseSuffix" . }} - image: "{{ template "imageRepository" . }}/st2web{{ template "enterpriseSuffix" . }}:{{ .Chart.AppVersion }}" + - name: st2web + image: "{{ template "imageRepository" . }}/st2web:{{ .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} ports: - containerPort: 80 @@ -428,12 +404,11 @@ spec: apiVersion: apps/v1 kind: Deployment metadata: - name: {{ .Release.Name }}-st2rulesengine{{ template "enterpriseSuffix" . }} + name: {{ .Release.Name }}-st2rulesengine labels: app: st2rulesengine tier: backend vendor: stackstorm - support: {{ template "supportMethod" . }} chart: {{ .Chart.Name }}-{{ .Chart.Version }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} @@ -441,7 +416,6 @@ spec: selector: matchLabels: app: st2rulesengine - support: {{ template "supportMethod" . }} release: {{ .Release.Name }} # https://docs.stackstorm.com/reference/ha.html#st2rulesengine # Multiple st2rulesengine processes can run in active-active with only connections to MongoDB and RabbitMQ. All these will share the TriggerInstance load and naturally pick up more work if one or more of the processes becomes unavailable. @@ -452,7 +426,6 @@ spec: app: st2rulesengine tier: backend vendor: stackstorm - support: {{ template "supportMethod" . }} chart: {{ .Chart.Name }}-{{ .Chart.Version }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} 
@@ -460,9 +433,6 @@ spec: checksum/config: {{ include (print $.Template.BasePath "/configmaps_st2-conf.yaml") . | sha256sum }} spec: imagePullSecrets: - {{- if .Values.enterprise.enabled }} - - name: {{ .Release.Name }}-st2-license - {{- end }} {{- if .Values.image.pullSecret }} - name: {{ .Values.image.pullSecret }} {{- end }} @@ -470,8 +440,8 @@ spec: {{ include "init-containers-wait-for-db" . | indent 6 }} {{ include "init-containers-wait-for-mq" . | indent 6 }} containers: - - name: st2rulesengine{{ template "enterpriseSuffix" . }} - image: "{{ template "imageRepository" . }}/st2rulesengine{{ template "enterpriseSuffix" . }}:{{ .Chart.AppVersion }}" + - name: st2rulesengine + image: "{{ template "imageRepository" . }}/st2rulesengine:{{ .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} # TODO: Add liveness/readiness probes (#3) #livenessProbe: @@ -520,12 +490,11 @@ spec: apiVersion: apps/v1 kind: Deployment metadata: - name: {{ .Release.Name }}-st2timersengine{{ template "enterpriseSuffix" . }} + name: {{ .Release.Name }}-st2timersengine labels: app: st2timersengine tier: backend vendor: stackstorm - support: {{ template "supportMethod" . }} chart: {{ .Chart.Name }}-{{ .Chart.Version }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} @@ -533,7 +502,6 @@ spec: selector: matchLabels: app: st2timersengine - support: {{ template "supportMethod" . }} release: {{ .Release.Name }} # https://docs.stackstorm.com/reference/ha.html#st2timersengine # Only single replica is created as timersengine can't work in active-active mode at the moment and it relies on @@ -545,7 +513,6 @@ spec: app: st2timersengine tier: backend vendor: stackstorm - support: {{ template "supportMethod" . }} chart: {{ .Chart.Name }}-{{ .Chart.Version }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} 
@@ -553,9 +520,6 @@ spec: checksum/config: {{ include (print $.Template.BasePath "/configmaps_st2-conf.yaml") . | sha256sum }} spec: imagePullSecrets: - {{- if .Values.enterprise.enabled }} - - name: {{ .Release.Name }}-st2-license - {{- end }} {{- if .Values.image.pullSecret }} - name: {{ .Values.image.pullSecret }} {{- end }} @@ -563,8 +527,8 @@ spec: {{ include "init-containers-wait-for-db" . | indent 6 }} {{ include "init-containers-wait-for-mq" . | indent 6 }} containers: - - name: st2timersengine{{ template "enterpriseSuffix" . }} - image: "{{ template "imageRepository" . }}/st2timersengine{{ template "enterpriseSuffix" . }}:{{ .Chart.AppVersion }}" + - name: st2timersengine + image: "{{ template "imageRepository" . }}/st2timersengine:{{ .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} # TODO: Add liveness/readiness probes (#3) #livenessProbe: @@ -605,12 +569,11 @@ spec: apiVersion: apps/v1 kind: Deployment metadata: - name: {{ .Release.Name }}-st2workflowengine{{ template "enterpriseSuffix" . }} + name: {{ .Release.Name }}-st2workflowengine labels: app: st2workflowengine tier: backend vendor: stackstorm - support: {{ template "supportMethod" . }} chart: {{ .Chart.Name }}-{{ .Chart.Version }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} @@ -618,7 +581,6 @@ spec: selector: matchLabels: app: st2workflowengine - support: {{ template "supportMethod" . }} release: {{ .Release.Name }} # https://docs.stackstorm.com/reference/ha.html#st2workflowengine # Multiple st2workflowengine processes can run in active-active mode and will share the load and pick up more work if one or more of the processes become available. @@ -629,7 +591,6 @@ spec: app: st2workflowengine tier: backend vendor: stackstorm - support: {{ template "supportMethod" . }} chart: {{ .Chart.Name }}-{{ .Chart.Version }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} 
@@ -638,9 +599,6 @@ spec: checksum/datastore-key: {{ include (print $.Template.BasePath "/secrets_datastore_crypto_key.yaml") . | sha256sum }} spec: imagePullSecrets: - {{- if .Values.enterprise.enabled }} - - name: {{ .Release.Name }}-st2-license - {{- end }} {{- if .Values.image.pullSecret }} - name: {{ .Values.image.pullSecret }} {{- end }} @@ -648,8 +606,8 @@ spec: {{ include "init-containers-wait-for-db" . | indent 6 }} {{ include "init-containers-wait-for-mq" . | indent 6 }} containers: - - name: st2workflowengine{{ template "enterpriseSuffix" . }} - image: "{{ template "imageRepository" . }}/st2workflowengine{{ template "enterpriseSuffix" . }}:{{ .Chart.AppVersion }}" + - name: st2workflowengine + image: "{{ template "imageRepository" . }}/st2workflowengine:{{ .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} # TODO: Add liveness/readiness probes (#3) #livenessProbe: @@ -703,12 +661,11 @@ spec: apiVersion: apps/v1 kind: Deployment metadata: - name: {{ .Release.Name }}-st2scheduler{{ template "enterpriseSuffix" . }} + name: {{ .Release.Name }}-st2scheduler labels: app: st2scheduler tier: backend vendor: stackstorm - support: {{ template "supportMethod" . }} chart: {{ .Chart.Name }}-{{ .Chart.Version }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} @@ -716,7 +673,6 @@ spec: selector: matchLabels: app: st2scheduler - support: {{ template "supportMethod" . }} release: {{ .Release.Name }} # https://docs.stackstorm.com/reference/ha.html#st2scheduler replicas: {{ default 2 .Values.st2scheduler.replicas }} @@ -726,7 +682,6 @@ spec: app: st2scheduler tier: backend vendor: stackstorm - support: {{ template "supportMethod" . }} chart: {{ .Chart.Name }}-{{ .Chart.Version }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} 
@@ -735,9 +690,6 @@ spec: checksum/datastore-key: {{ include (print $.Template.BasePath "/secrets_datastore_crypto_key.yaml") . | sha256sum }} spec: imagePullSecrets: - {{- if .Values.enterprise.enabled }} - - name: {{ .Release.Name }}-st2-license - {{- end }} {{- if .Values.image.pullSecret }} - name: {{ .Values.image.pullSecret }} {{- end }} @@ -745,8 +697,8 @@ spec: {{ include "init-containers-wait-for-db" . | indent 6 }} {{ include "init-containers-wait-for-mq" . | indent 6 }} containers: - - name: st2scheduler{{ template "enterpriseSuffix" . }} - image: "{{ template "imageRepository" . }}/st2scheduler{{ template "enterpriseSuffix" . }}:{{ .Chart.AppVersion }}" + - name: st2scheduler + image: "{{ template "imageRepository" . }}/st2scheduler:{{ .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} # TODO: Add liveness/readiness probes (#3) #livenessProbe: @@ -800,12 +752,11 @@ spec: apiVersion: apps/v1 kind: Deployment metadata: - name: {{ .Release.Name }}-st2notifier{{ template "enterpriseSuffix" . }} + name: {{ .Release.Name }}-st2notifier labels: app: st2notifier tier: backend vendor: stackstorm - support: {{ template "supportMethod" . }} chart: {{ .Chart.Name }}-{{ .Chart.Version }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} @@ -813,7 +764,6 @@ spec: selector: matchLabels: app: st2notifier - support: {{ template "supportMethod" . }} release: {{ .Release.Name }} # https://docs.stackstorm.com/reference/ha.html#st2notifier # st2notifier runs in active-active mode and requires for that coordination backend like Redis or Zookeeper @@ -824,7 +774,6 @@ spec: app: st2notifier tier: backend vendor: stackstorm - support: {{ template "supportMethod" . }} chart: {{ .Chart.Name }}-{{ .Chart.Version }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} 
@@ -832,9 +781,6 @@ spec: checksum/config: {{ include (print $.Template.BasePath "/configmaps_st2-conf.yaml") . | sha256sum }} spec: imagePullSecrets: - {{- if .Values.enterprise.enabled }} - - name: {{ .Release.Name }}-st2-license - {{- end }} {{- if .Values.image.pullSecret }} - name: {{ .Values.image.pullSecret }} {{- end }} @@ -842,8 +788,8 @@ spec: {{ include "init-containers-wait-for-db" . | indent 6 }} {{ include "init-containers-wait-for-mq" . | indent 6 }} containers: - - name: st2notifier{{ template "enterpriseSuffix" . }} - image: "{{ template "imageRepository" . }}/st2notifier{{ template "enterpriseSuffix" . }}:{{ .Chart.AppVersion }}" + - name: st2notifier + image: "{{ template "imageRepository" . }}/st2notifier:{{ .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} # TODO: Add liveness/readiness probes (#3) #livenessProbe: @@ -885,12 +831,11 @@ spec: apiVersion: apps/v1 kind: Deployment metadata: - name: {{ $.Release.Name }}-st2sensorcontainer{{ template "hyphenPrefix" .name }}{{ template "enterpriseSuffix" $ }} + name: {{ $.Release.Name }}-st2sensorcontainer{{ template "hyphenPrefix" .name }} labels: app: st2sensorcontainer{{ template "hyphenPrefix" .name }} tier: backend vendor: stackstorm - support: {{ template "supportMethod" $ }} chart: {{ $.Chart.Name }}-{{ $.Chart.Version }} release: {{ $.Release.Name }} heritage: {{ $.Release.Service }} @@ -898,7 +843,6 @@ spec: selector: matchLabels: app: st2sensorcontainer{{ template "hyphenPrefix" .name }} - support: {{ template "supportMethod" $ }} release: {{ $.Release.Name }} # https://docs.stackstorm.com/reference/ha.html#st2sensorcontainer # It is possible to run st2sensorcontainer in HA mode by running one process on each compute instance. Each sensor node needs to be 
@@ -911,7 +855,6 @@ spec: app: st2sensorcontainer{{ template "hyphenPrefix" .name }} tier: backend vendor: stackstorm - support: {{ template "supportMethod" $ }} chart: {{ $.Chart.Name }}-{{ $.Chart.Version }} release: {{ $.Release.Name }} heritage: {{ $.Release.Service }} @@ -924,9 +867,6 @@ spec: {{- end }} spec: imagePullSecrets: - {{- if $.Values.enterprise.enabled }} - - name: {{ $.Release.Name }}-st2-license - {{- end }} {{- if $.Values.image.pullSecret }} - name: {{ $.Values.image.pullSecret }} {{- end }} @@ -940,8 +880,8 @@ spec: {{- include "packs-initContainers" $ | indent 6 }} {{- end }} containers: - - name: st2sensorcontainer{{ template "hyphenPrefix" .name }}{{ template "enterpriseSuffix" $ }} - image: "{{ template "imageRepository" $ }}/st2sensorcontainer{{ template "enterpriseSuffix" $ }}:{{ $.Chart.AppVersion }}" + - name: st2sensorcontainer{{ template "hyphenPrefix" .name }} + image: "{{ template "imageRepository" $ }}/st2sensorcontainer:{{ $.Chart.AppVersion }}" imagePullPolicy: {{ $.Values.image.pullPolicy }} {{- with .readinessProbe }} # Probe to check if app is running. Failure will lead to a pod restart. @@ -1022,12 +962,11 @@ spec: apiVersion: apps/v1 kind: Deployment metadata: - name: {{ .Release.Name }}-st2actionrunner{{ template "enterpriseSuffix" . }} + name: {{ .Release.Name }}-st2actionrunner labels: app: st2actionrunner tier: backend vendor: stackstorm - support: {{ template "supportMethod" . }} chart: {{ .Chart.Name }}-{{ .Chart.Version }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} @@ -1035,7 +974,6 @@ spec: selector: matchLabels: app: st2actionrunner - support: {{ template "supportMethod" . }} release: {{ .Release.Name }} # https://docs.stackstorm.com/reference/ha.html#st2actionrunner # Multiple st2actionrunner processes can run in active-active with only connections to MongoDB and RabbitMQ. Work gets naturally 
@@ -1047,7 +985,6 @@ spec: app: st2actionrunner tier: backend vendor: stackstorm - support: {{ template "supportMethod" . }} chart: {{ .Chart.Name }}-{{ .Chart.Version }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} @@ -1064,9 +1001,6 @@ spec: {{ toYaml .Values.st2actionrunner.hostAliases | indent 8 }} {{- end }} imagePullSecrets: - {{- if .Values.enterprise.enabled }} - - name: {{ .Release.Name }}-st2-license - {{- end }} {{- if .Values.image.pullSecret }} - name: {{ .Values.image.pullSecret }} {{- end }} @@ -1080,8 +1014,8 @@ spec: {{- include "packs-initContainers" . | indent 6 }} {{- end }} containers: - - name: st2actionrunner{{ template "enterpriseSuffix" . }} - image: "{{ template "imageRepository" . }}/st2actionrunner{{ template "enterpriseSuffix" . }}:{{ .Chart.AppVersion }}" + - name: st2actionrunner + image: "{{ template "imageRepository" . }}/st2actionrunner:{{ .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} # TODO: Add liveness/readiness probes (#3) #livenessProbe: @@ -1157,12 +1091,11 @@ spec: apiVersion: apps/v1 kind: Deployment metadata: - name: {{ .Release.Name }}-st2garbagecollector{{ template "enterpriseSuffix" . }} + name: {{ .Release.Name }}-st2garbagecollector labels: app: st2garbagecollector tier: backend vendor: stackstorm - support: {{ template "supportMethod" . }} chart: {{ .Chart.Name }}-{{ .Chart.Version }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} @@ -1170,7 +1103,6 @@ spec: selector: matchLabels: app: st2garbagecollector - support: {{ template "supportMethod" . }} release: {{ .Release.Name }} # https://docs.stackstorm.com/reference/ha.html#st2garbagecollector # Having 1 st2garbagecollector unique replica is enough for periodic task like st2 history garbage collection 
@@ -1181,7 +1113,6 @@ spec: app: st2garbagecollector tier: backend vendor: stackstorm - support: {{ template "supportMethod" . }} chart: {{ .Chart.Name }}-{{ .Chart.Version }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} @@ -1189,9 +1120,6 @@ spec: checksum/config: {{ include (print $.Template.BasePath "/configmaps_st2-conf.yaml") . | sha256sum }} spec: imagePullSecrets: - {{- if .Values.enterprise.enabled }} - - name: {{ .Release.Name }}-st2-license - {{- end }} {{- if .Values.image.pullSecret }} - name: {{ .Values.image.pullSecret }} {{- end }} @@ -1199,8 +1127,8 @@ spec: {{ include "init-containers-wait-for-db" . | indent 6 }} {{ include "init-containers-wait-for-mq" . | indent 6 }} containers: - - name: st2garbagecollector{{ template "enterpriseSuffix" . }} - image: "{{ template "imageRepository" . }}/st2garbagecollector{{ template "enterpriseSuffix" . }}:{{ .Chart.AppVersion }}" + - name: st2garbagecollector + image: "{{ template "imageRepository" . }}/st2garbagecollector:{{ .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} # TODO: Add liveness/readiness probes (#3) #livenessProbe: @@ -1241,12 +1169,11 @@ spec: apiVersion: apps/v1 kind: Deployment metadata: - name: {{ .Release.Name }}-st2client{{ template "enterpriseSuffix" . }} + name: {{ .Release.Name }}-st2client labels: app: st2client tier: backend vendor: stackstorm - support: {{ template "supportMethod" . }} chart: {{ .Chart.Name }}-{{ .Chart.Version }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} @@ -1254,7 +1181,6 @@ spec: selector: matchLabels: app: st2client - support: {{ template "supportMethod" . }} release: {{ .Release.Name }} replicas: 1 template: 
@@ -1263,24 +1189,18 @@ spec: app: st2client tier: backend vendor: stackstorm - support: {{ template "supportMethod" . }} chart: {{ .Chart.Name }}-{{ .Chart.Version }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} annotations: checksum/config: {{ include (print $.Template.BasePath "/configmaps_st2-conf.yaml") . | sha256sum }} - {{- if .Values.enterprise.enabled }} checksum/rbac: {{ include (print $.Template.BasePath "/configmaps_rbac.yaml") . | sha256sum }} - {{- end }} checksum/packs: {{ include (print $.Template.BasePath "/configmaps_packs.yaml") . | sha256sum }} checksum/auth: {{ include (print $.Template.BasePath "/secrets_st2auth.yaml") . | sha256sum }} checksum/ssh: {{ include (print $.Template.BasePath "/secrets_ssh.yaml") . | sha256sum }} checksum/datastore-key: {{ include (print $.Template.BasePath "/secrets_datastore_crypto_key.yaml") . | sha256sum }} spec: imagePullSecrets: - {{- if .Values.enterprise.enabled }} - - name: {{ .Release.Name }}-st2-license - {{- end }} {{- if .Values.st2.packs.images }} {{- include "packs-pullSecrets" . | indent 6 }} {{- end }} @@ -1293,7 +1213,7 @@ spec: {{- end }} # Sidecar container for generating st2client config with st2 username & password pair and sharing produced file with the main container - name: generate-st2client-config - image: "{{ template "imageRepository" . }}/st2actionrunner{{ template "enterpriseSuffix" . }}:{{ .Chart.AppVersion }}" + image: "{{ template "imageRepository" . }}/st2actionrunner:{{ .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} envFrom: - configMapRef: 
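Review bot: `checksum/rbac` in the st2client pod annotations is now rendered unconditionally, while the RBAC volume mounts and volumes later in the same Deployment are gated on `.Values.st2.rbac.enabled`. For consistency I would gate the annotation the same way, wrapping it in `{{- if .Values.st2.rbac.enabled }}` … `{{- end }}`. Whether the ungated form has any runtime effect depends on what configmaps_rbac.yaml renders when RBAC is off, which this diff does not show.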
@@ -1323,8 +1243,8 @@ spec: password = ${ST2_AUTH_PASSWORD} EOT containers: - - name: st2client{{ template "enterpriseSuffix" . }} - image: "{{ template "imageRepository" . }}/st2actionrunner{{ template "enterpriseSuffix" . }}:{{ .Chart.AppVersion }}" + - name: st2client + image: "{{ template "imageRepository" . }}/st2actionrunner:{{ .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} env: - name: ST2CLIENT @@ -1339,14 +1259,14 @@ spec: - name: st2-config-vol mountPath: /etc/st2/st2.user.conf subPath: st2.user.conf - {{- if .Values.enterprise.enabled }} + {{- if .Values.st2.rbac.enabled }} - name: st2-rbac-roles-vol mountPath: /opt/stackstorm/rbac/roles/ - name: st2-rbac-assignments-vol mountPath: /opt/stackstorm/rbac/assignments/ - name: st2-rbac-mappings-vol mountPath: /opt/stackstorm/rbac/mappings/ - {{- end }} + {{- end }} - name: st2-pack-configs-vol mountPath: /opt/stackstorm/configs/ - name: st2client-config-vol @@ -1387,7 +1307,7 @@ spec: - name: st2-config-vol configMap: name: {{ .Release.Name }}-st2-config - {{- if .Values.enterprise.enabled }} + {{- if .Values.st2.rbac.enabled }} - name: st2-rbac-roles-vol configMap: name: {{ .Release.Name }}-st2-rbac-roles @@ -1421,12 +1341,11 @@ spec: apiVersion: apps/v1 kind: Deployment metadata: - name: {{ .Release.Name }}-st2chatops{{ template "enterpriseSuffix" . }} + name: {{ .Release.Name }}-st2chatops labels: app: st2chatops tier: backend vendor: stackstorm - support: {{ template "supportMethod" . }} chart: {{ .Chart.Name }}-{{ .Chart.Version }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} @@ -1434,7 +1353,6 @@ spec: selector: matchLabels: app: st2chatops - support: {{ template "supportMethod" . }} release: {{ .Release.Name }} # As hubot can't be HA scaled properly, we deploy only single replica of st2chatops replicas: 1 
@@ -1444,7 +1362,6 @@ spec: app: st2chatops tier: backend vendor: stackstorm - support: {{ template "supportMethod" . }} chart: {{ .Chart.Name }}-{{ .Chart.Version }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} @@ -1456,7 +1373,7 @@ spec: - name: {{ .Values.image.pullSecret }} {{- end }} containers: - - name: st2chatops{{ template "enterpriseSuffix" . }} + - name: st2chatops image: "{{ .Values.st2chatops.image.repository | default "stackstorm" }}/{{ .Values.st2chatops.image.name | default "st2chatops" }}:{{ tpl (.Values.st2chatops.image.tag | default .Chart.AppVersion) . }}" imagePullPolicy: {{ .Values.st2chatops.image.pullPolicy | default .Values.image.pullPolicy }} env: diff --git a/templates/ingress.yaml b/templates/ingress.yaml index 623fc8b6..3891907b 100644 --- a/templates/ingress.yaml +++ b/templates/ingress.yaml @@ -3,12 +3,11 @@ apiVersion: networking.k8s.io/v1beta1 kind: Ingress metadata: - name: {{ .Release.Name }}-st2web{{ template "enterpriseSuffix" . }}-ingress + name: {{ .Release.Name }}-st2web-ingress labels: app: ingress tier: frontend vendor: stackstorm - support: {{ template "supportMethod" . }} chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" release: "{{ .Release.Name }}" heritage: "{{ .Release.Service }}" @@ -39,7 +38,7 @@ spec: paths: - path: "/" backend: - serviceName: {{ .Release.Name }}-st2web{{ template "enterpriseSuffix" . }} + serviceName: {{ .Release.Name }}-st2web servicePort: 80 {{- end }} {{- if .Values.ingress.tls }} diff --git a/templates/jobs.yaml b/templates/jobs.yaml index 8f1fd695..fe40d2c9 100644 --- a/templates/jobs.yaml +++ b/templates/jobs.yaml @@ -1,4 +1,4 @@ -{{ if .Values.enterprise.enabled }} +{{- if .Values.st2.rbac.enabled -}} --- apiVersion: batch/v1 kind: Job @@ -8,7 +8,6 @@ metadata: app: st2-apply-rbac-definitions tier: backend vendor: stackstorm - support: enterprise chart: {{ .Chart.Name }}-{{ .Chart.Version }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} 
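Review bot: The st2-apply-rbac-definitions Job in jobs.yaml is now gated on `.Values.st2.rbac.enabled`, and as far as this diff shows nothing reads the old `enterprise.*` keys any more. A values file that still sets `enterprise.enabled: true` with roles under `enterprise.rbac` would therefore render without the RBAC job or mounts and give no error, leaving a deployment that previously enforced RBAC running without it. I would fail the render when the removed key is present, for example `{{- if .Values.enterprise }}{{ fail "enterprise.* values were removed; move RBAC settings to st2.rbac" }}{{- end }}` at the top of this template. The Job definition continues outside this hunk.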
@@ -24,7 +23,6 @@ spec: app: st2-apply-rbac-definitions tier: backend vendor: stackstorm - support: enterprise chart: {{ .Chart.Name }}-{{ .Chart.Version }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} @@ -40,7 +38,7 @@ spec: {{- end }} containers: - name: st2-apply-rbac-definitions - image: "{{ template "imageRepository" . }}/st2actionrunner{{ template "enterpriseSuffix" . }}:{{ .Chart.AppVersion }}" + image: "{{ template "imageRepository" . }}/st2actionrunner:{{ .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} command: - st2-apply-rbac-definitions @@ -77,8 +75,8 @@ spec: configMap: name: {{ .Release.Name }}-st2-rbac-mappings restartPolicy: OnFailure -{{ end }} +{{- end }} --- apiVersion: batch/v1 kind: Job @@ -88,7 +86,6 @@ metadata: app: st2 tier: backend vendor: stackstorm - support: {{ template "supportMethod" . }} chart: {{ .Chart.Name }}-{{ .Chart.Version }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} @@ -104,7 +101,6 @@ spec: app: st2 tier: backend vendor: stackstorm - support: {{ template "supportMethod" . }} chart: {{ .Chart.Name }}-{{ .Chart.Version }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} @@ -114,9 +110,6 @@ spec: checksum/apikeys: {{ include (print $.Template.BasePath "/secrets_st2apikeys.yaml") . | sha256sum }} spec: imagePullSecrets: - {{- if .Values.enterprise.enabled }} - - name: {{ .Release.Name }}-st2-license - {{- end }} {{- if .Values.image.pullSecret }} - name: {{ .Values.image.pullSecret }} {{- end }} 
@@ -133,7 +126,7 @@ spec: done # Sidecar container for generating st2client config with st2 username & password pair and sharing produced file with the main container - name: generate-st2client-config - image: "{{ template "imageRepository" . }}/st2actionrunner{{ template "enterpriseSuffix" . }}:{{ .Chart.AppVersion }}" + image: "{{ template "imageRepository" . }}/st2actionrunner:{{ .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} envFrom: - configMapRef: @@ -164,7 +157,7 @@ spec: EOT containers: - name: st2-apikey-load - image: "{{ template "imageRepository" . }}/st2actionrunner{{ template "enterpriseSuffix" . }}:{{ .Chart.AppVersion }}" + image: "{{ template "imageRepository" . }}/st2actionrunner:{{ .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} command: - st2 @@ -200,7 +193,6 @@ metadata: app: st2 tier: backend vendor: stackstorm - support: {{ template "supportMethod" . }} chart: {{ .Chart.Name }}-{{ .Chart.Version }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} @@ -216,7 +208,6 @@ spec: app: st2 tier: backend vendor: stackstorm - support: {{ template "supportMethod" . }} chart: {{ .Chart.Name }}-{{ .Chart.Version }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} @@ -226,9 +217,6 @@ spec: checksum/urls: {{ include (print $.Template.BasePath "/configmaps_st2-urls.yaml") . | sha256sum }} spec: imagePullSecrets: - {{- if .Values.enterprise.enabled }} - - name: {{ .Release.Name }}-st2-license - {{- end }} {{- if .Values.image.pullSecret }} - name: {{ .Values.image.pullSecret }} {{- end }} 
@@ -236,7 +224,7 @@ spec: {{ include "init-containers-wait-for-db" . | indent 6 }} # Sidecar container for generating st2client config with st2 username & password pair and sharing produced file with the main container - name: generate-st2client-config - image: "{{ template "imageRepository" . }}/st2actionrunner{{ template "enterpriseSuffix" . }}:{{ .Chart.AppVersion }}" + image: "{{ template "imageRepository" . }}/st2actionrunner:{{ .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} envFrom: - configMapRef: @@ -267,7 +255,7 @@ spec: EOT containers: - name: st2-key-load - image: "{{ template "imageRepository" . }}/st2actionrunner{{ template "enterpriseSuffix" . }}:{{ .Chart.AppVersion }}" + image: "{{ template "imageRepository" . }}/st2actionrunner:{{ .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} command: - st2 @@ -312,7 +300,6 @@ metadata: app: st2-register-content tier: backend vendor: stackstorm - support: {{ template "supportMethod" . }} chart: {{ .Chart.Name }}-{{ .Chart.Version }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} @@ -328,7 +315,6 @@ spec: app: st2-register-content tier: backend vendor: stackstorm - support: {{ template "supportMethod" . }} chart: {{ .Chart.Name }}-{{ .Chart.Version }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} @@ -338,9 +324,6 @@ spec: checksum/packs: {{ include (print $.Template.BasePath "/configmaps_packs.yaml") . | sha256sum }} spec: imagePullSecrets: - {{- if .Values.enterprise.enabled }} - - name: {{ .Release.Name }}-st2-license - {{- end }} {{- if .Values.image.pullSecret }} - name: {{ .Values.image.pullSecret }} {{- end }} 
@@ -354,7 +337,7 @@ spec: {{ end }} containers: - name: st2-register-content - image: "{{ template "imageRepository" . }}/st2actionrunner{{ template "enterpriseSuffix" . }}:{{ .Chart.AppVersion }}" + image: "{{ template "imageRepository" . }}/st2actionrunner:{{ .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} command: - st2-register-content diff --git a/templates/secrets_datastore_crypto_key.yaml b/templates/secrets_datastore_crypto_key.yaml index 0bf17bbb..0ab890d7 100644 --- a/templates/secrets_datastore_crypto_key.yaml +++ b/templates/secrets_datastore_crypto_key.yaml @@ -10,7 +10,6 @@ metadata: app: st2 tier: backend vendor: stackstorm - support: {{ template "supportMethod" . }} chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" release: "{{ .Release.Name }}" heritage: "{{ .Release.Service }}" diff --git a/templates/secrets_rabbitmq.yaml b/templates/secrets_rabbitmq.yaml index 5872cea4..0933f5d1 100644 --- a/templates/secrets_rabbitmq.yaml +++ b/templates/secrets_rabbitmq.yaml @@ -12,7 +12,6 @@ metadata: app: st2 tier: backend vendor: stackstorm - support: {{ template "supportMethod" . }} chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" release: "{{ .Release.Name }}" heritage: "{{ .Release.Service }}" diff --git a/templates/secrets_ssh.yaml b/templates/secrets_ssh.yaml index e2723a78..42e6294b 100644 --- a/templates/secrets_ssh.yaml +++ b/templates/secrets_ssh.yaml @@ -9,7 +9,6 @@ metadata: app: st2 tier: backend vendor: stackstorm - support: {{ template "supportMethod" . }} chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" release: "{{ .Release.Name }}" heritage: "{{ .Release.Service }}" diff --git a/templates/secrets_st2apikeys.yaml b/templates/secrets_st2apikeys.yaml index 820e264c..6a2bd7cd 100644 --- a/templates/secrets_st2apikeys.yaml +++ b/templates/secrets_st2apikeys.yaml 
@@ -9,7 +9,6 @@ metadata: app: st2 tier: backend vendor: stackstorm - support: {{ template "supportMethod" . }} chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" release: "{{ .Release.Name }}" heritage: "{{ .Release.Service }}" diff --git a/templates/secrets_st2auth.yaml b/templates/secrets_st2auth.yaml index 2c152e31..83693974 100644 --- a/templates/secrets_st2auth.yaml +++ b/templates/secrets_st2auth.yaml @@ -9,7 +9,6 @@ metadata: app: st2 tier: backend vendor: stackstorm - support: {{ template "supportMethod" . }} chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" release: "{{ .Release.Name }}" heritage: "{{ .Release.Service }}" diff --git a/templates/secrets_st2chatops.yaml b/templates/secrets_st2chatops.yaml index 44ffbeeb..d50d4f45 100644 --- a/templates/secrets_st2chatops.yaml +++ b/templates/secrets_st2chatops.yaml @@ -10,7 +10,6 @@ metadata: app: st2chatops tier: backend vendor: stackstorm - support: {{ template "supportMethod" . }} chart: {{ .Chart.Name }}-{{ .Chart.Version }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} diff --git a/templates/secrets_st2kv.yaml b/templates/secrets_st2kv.yaml index fae744ae..c7952934 100644 --- a/templates/secrets_st2kv.yaml +++ b/templates/secrets_st2kv.yaml @@ -9,7 +9,6 @@ metadata: app: st2 tier: backend vendor: stackstorm - support: {{ template "supportMethod" . }} chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" release: "{{ .Release.Name }}" heritage: "{{ .Release.Service }}" diff --git a/templates/secrets_st2license.yaml b/templates/secrets_st2license.yaml deleted file mode 100644 index 815a6c27..00000000 --- a/templates/secrets_st2license.yaml +++ /dev/null 
@@ -1,22 +0,0 @@ -{{- if .Values.enterprise.enabled }} ---- -apiVersion: v1 -kind: Secret -metadata: - name: {{ .Release.Name }}-st2-license - annotations: - description: StackStorm Enterprise license, used to authenticate to private docker.stackstorm.com Docker Hub - labels: - app: st2 - tier: backend - vendor: stackstorm - support: enterprise - chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" - release: "{{ .Release.Name }}" - heritage: "{{ .Release.Service }}" -type: kubernetes.io/dockerconfigjson -data: - # Ensure that secret 'enterprise.license' is required and was really specified - st2_license: {{ required "Secret 'enterprise.license' is required to pull StackStorm Enterprise images! Don't have one? Obtain 90-day free trial at https://stackstorm.com/#product" .Values.enterprise.license }} - .dockerconfigjson: {{ template "imagePullSecret" . }} -{{- end }} diff --git a/templates/services.yaml b/templates/services.yaml index 915f0099..0770c0db 100644 --- a/templates/services.yaml +++ b/templates/services.yaml @@ -2,21 +2,19 @@ kind: Service apiVersion: v1 metadata: - name: {{ .Release.Name }}-st2auth{{ template "enterpriseSuffix" . }} + name: {{ .Release.Name }}-st2auth annotations: description: StackStorm st2auth - all authentication is managed by this service. labels: app: st2auth tier: backend vendor: stackstorm - support: {{ template "supportMethod" . }} chart: {{ .Chart.Name }}-{{ .Chart.Version }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} spec: selector: app: st2auth - support: {{ template "supportMethod" . }} release: {{ .Release.Name }} type: ClusterIP ports: 
@@ -27,21 +25,19 @@ spec: kind: Service apiVersion: v1 metadata: - name: {{ .Release.Name }}-st2api{{ template "enterpriseSuffix" . }} + name: {{ .Release.Name }}-st2api annotations: description: StackStorm st2api - service hosts the REST API endpoints that serve requests from WebUI, CLI, ChatOps and other st2 services. labels: app: st2api tier: backend vendor: stackstorm - support: {{ template "supportMethod" . }} chart: {{ .Chart.Name }}-{{ .Chart.Version }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} spec: selector: app: st2api - support: {{ template "supportMethod" . }} release: {{ .Release.Name }} type: ClusterIP ports: @@ -52,21 +48,19 @@ spec: kind: Service apiVersion: v1 metadata: - name: {{ .Release.Name }}-st2stream{{ template "enterpriseSuffix" . }} + name: {{ .Release.Name }}-st2stream annotations: description: StackStorm st2stream - exposes a server-sent event stream, used by the clients like WebUI and ChatOps to receive update from the st2stream server. labels: app: st2stream tier: backend vendor: stackstorm - support: {{ template "supportMethod" . }} chart: {{ .Chart.Name }}-{{ .Chart.Version }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} spec: selector: app: st2stream - support: {{ template "supportMethod" . }} release: {{ .Release.Name }} type: ClusterIP ports: @@ -77,7 +71,7 @@ spec: kind: Service apiVersion: v1 metadata: - name: {{ .Release.Name }}-st2web{{ template "enterpriseSuffix" . }} + name: {{ .Release.Name }}-st2web annotations: description: StackStorm st2web, - an admin Web UI and main entry point for external API requests {{- if .Values.st2web.service.hostname }} 
@@ -90,14 +84,12 @@ metadata: app: st2web tier: frontend vendor: stackstorm - support: {{ template "supportMethod" . }} chart: {{ .Chart.Name }}-{{ .Chart.Version }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} spec: selector: app: st2web - support: {{ template "supportMethod" . }} release: {{ .Release.Name }} type: {{ .Values.st2web.service.type }} {{- if contains "ExternalName" .Values.st2web.service.type }} @@ -114,21 +106,19 @@ spec: kind: Service apiVersion: v1 metadata: - name: {{ .Release.Name }}-st2chatops{{ template "enterpriseSuffix" . }} + name: {{ .Release.Name }}-st2chatops annotations: description: StackStorm st2chatops, - conversation-driven automation service exposed as hubot instance with predefined list of chat adapters labels: app: st2chatops tier: backend vendor: stackstorm - support: {{ template "supportMethod" . }} chart: {{ .Chart.Name }}-{{ .Chart.Version }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} spec: selector: app: st2chatops - support: {{ template "supportMethod" . }} release: {{ .Release.Name }} type: ClusterIP ports: diff --git a/templates/tests/st2tests-pod.yaml b/templates/tests/st2tests-pod.yaml index fce08b28..7c6de4c6 100644 --- a/templates/tests/st2tests-pod.yaml +++ b/templates/tests/st2tests-pod.yaml @@ -6,7 +6,6 @@ metadata: app: st2tests tier: tests vendor: stackstorm - support: {{ template "supportMethod" . }} chart: {{ .Chart.Name }}-{{ .Chart.Version }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} @@ -14,10 +13,6 @@ metadata: "helm.sh/hook": test-success "helm.sh/hook-delete-policy": hook-succeeded spec: - {{- if .Values.enterprise.enabled }} - imagePullSecrets: - - name: {{ .Release.Name }}-st2-license - {{- end }} initContainers: # Sidecar container to copy BATS framework to the main container - name: test-framework 
@@ -33,7 +28,7 @@ spec: # Run the actual BATS tests containers: - name: st2tests - image: "{{ template "imageRepository" . }}/st2actionrunner{{ template "enterpriseSuffix" . }}:{{ .Chart.AppVersion }}" + image: "{{ template "imageRepository" . }}/st2actionrunner:{{ .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} envFrom: - configMapRef: @@ -53,6 +48,8 @@ spec: key: password - name: ST2_VERSION value: "{{ .Chart.AppVersion }}" + - name: ST2_RBAC_ENABLED + value: "{{ .Values.st2.rbac.enabled }}" volumeMounts: - name: tools mountPath: /tools diff --git a/tests/st2tests.sh b/tests/st2tests.sh index 502f2c08..255eadf2 100755 --- a/tests/st2tests.sh +++ b/tests/st2tests.sh @@ -74,3 +74,14 @@ load "${BATS_HELPERS_DIR}/bats-file/load.bash" assert_line --partial '"foo" is not found' assert_failure } + +@test 'RBAC is loaded and enabled' { + if [ $ST2_RBAC_ENABLED != "true" ]; then + skip "disabled in Helm values" + fi + + run st2 whoami + assert_success + assert_output --regexp 'RBAC:\s+ - Enabled: True' + assert_line --partial 'Roles: system_admin' +} diff --git a/values.yaml b/values.yaml index 7fdb8def..0d51f71e 100644 --- a/values.yaml +++ b/values.yaml @@ -7,7 +7,7 @@ image: # Image pull policy pullPolicy: IfNotPresent - # st2 image repository. Set this to override the default ("stackstorm") or enterprise + # st2 image repository. Set this to override the default ("stackstorm") # docker image repository ("docker.stackstorm.com"). Applies to all st2 containers except # st2chatops and st2packs (which have their own override). This also does not impact # dependencies such as mongo or redis, which have their own helm chart settings. 
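Review bot: `$ST2_RBAC_ENABLED` is unquoted in the skip guard of the new 'RBAC is loaded and enabled' test in tests/st2tests.sh. An empty or unset value turns the guard into `[ != "true" ]`, which is a test-syntax error, so the skip is not reached cleanly. Quote it: `if [ "${ST2_RBAC_ENABLED}" != "true" ]; then`. The pod template in this commit always sets the variable, so this only matters when the BATS file is run outside that pod.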
@@ -18,50 +18,6 @@ image: #pullSecret: "your-pull-secret" -## -## StackStorm Enterprise settings (Optional) -## -enterprise: - # Enable/Disable StackStorm Enterprise. Enabling will download StackStorm Enterprise Docker images. - enabled: false - # Required StackStorm Enterprise license key. - # Don't have one? Obtain 90-day free trial at https://stackstorm.com/#product - license: "" - - # StackStorm Role Based Access Control settings (https://docs.stackstorm.com/rbac.html) - rbac: - # Custom StackStorm RBAC roles, shipped in '/opt/stackstorm/rbac/roles/' - # See https://docs.stackstorm.com/rbac.html#defining-roles-and-permission-grants - roles: - sample.yaml: | - # sample RBAC role file, see https://docs.stackstorm.com/rbac.html#defining-roles-and-permission-grants - --- - name: "sample" - description: "Example Role which contains no permission grants and serves for demonstration purposes" - - # Custom StackStorm RBAC role assignments, shipped in '/opt/stackstorm/rbac/assignments/' - # See: https://docs.stackstorm.com/rbac.html#defining-user-role-assignments - assignments: - st2admin.yaml: | - --- - username: st2admin - roles: - - system_admin - stanley.yaml: | - --- - username: stanley - roles: - - admin - - # StackStorm RBAC LDAP groups-to-roles mapping rules, shipped in '/opt/stackstorm/rbac/mappings/' - # See RBAC Roles Based on LDAP Groups: https://docs.stackstorm.com/rbac.html#automatically-granting-roles-based-on-ldap-group-membership - mappings: - #stormers.yaml: | - # --- - # group: "CN=stormers,OU=groups,DC=stackstorm,DC=net" - # description: "Automatically grant admin role to all stormers group members." - # roles: - # - "admin" ## ## Service Account 
@@ -152,6 +108,41 @@ st2: # metadata: {"comment": "Example unsecure ST2 API key from K8s HA Helm values.yaml"} # uid: api_key:56928c2d9637ce44338e9564d4b939df8b258410db23b5a80f8ad69d58e648b574f35f9293c3a76bde263738be9aa8379a81553cd55513ad672540b7b0ec0cac # user: st2admin + # StackStorm Role Based Access Control settings (https://docs.stackstorm.com/rbac.html) + rbac: + enabled: false + # Custom StackStorm RBAC roles, shipped in '/opt/stackstorm/rbac/roles/' + # See https://docs.stackstorm.com/rbac.html#defining-roles-and-permission-grants + roles: + sample.yaml: | + # sample RBAC role file, see https://docs.stackstorm.com/rbac.html#defining-roles-and-permission-grants + --- + name: "sample" + description: "Example Role which contains no permission grants and serves for demonstration purposes" + + # Custom StackStorm RBAC role assignments, shipped in '/opt/stackstorm/rbac/assignments/' + # See: https://docs.stackstorm.com/rbac.html#defining-user-role-assignments + assignments: + st2admin.yaml: | + --- + username: st2admin + roles: + - system_admin + stanley.yaml: | + --- + username: stanley + roles: + - admin + + # StackStorm RBAC LDAP groups-to-roles mapping rules, shipped in '/opt/stackstorm/rbac/mappings/' + # See RBAC Roles Based on LDAP Groups: https://docs.stackstorm.com/rbac.html#automatically-granting-roles-based-on-ldap-group-membership + mappings: + #stormers.yaml: | + # --- + # group: "CN=stormers,OU=groups,DC=stackstorm,DC=net" + # description: "Automatically grant admin role to all stormers group members." + # roles: + # - "admin" ## ## StackStorm HA Ingress
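Review bot: `st2.rbac.enabled` is the only key in the new block without a comment, and the defaults under it assign `system_admin` to `st2admin` and `admin` to `stanley`. I would document both: `# Enable RBAC. When false the st2-apply-rbac-definitions job and the RBAC volume mounts are not rendered` above `enabled: false`, and `# Default assignments; review before enabling RBAC` above `assignments:`. `mappings:` holds only commented-out entries and so parses as null; `mappings: {}` would make the empty default explicit, provided the consuming template accepts it.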