Allow multiple instances of Minion in the same namespace

OpenNMS · Nov 14, 2023 · 3d677c2 · 3d677c2
1 parent 86d8c8e
commit 3d677c2
Show file tree

Hide file tree

Showing 10 changed files with 39 additions and 31 deletions.
diff --git a/minion/templates/docker.secret.yaml b/minion/templates/docker.secret.yaml
@@ -1,15 +1,16 @@
 # ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
-{{- $namespace := .Release.Name }}
+{{- $namespace := .Release.Namespace }}
 {{- range $k, $r := .Values.imagePullSecrets }}
 # TODO: find a better way to format this JSON that won't be sensitive to special characters
 {{- $json := printf "{\"auths\":{\"%s\":{\"username\":\"%s\",\"password\":\"%s\",\"email\":\"%s\",\"auth\":\"%s\"}}}" $r.dockerServer $r.dockerUsername $r.dockerPassword $r.dockerEmail (printf "%s:%s" $r.dockerUsername $r.dockerPassword | b64enc) }}
+{{- if not (lookup "v1" "Secret" $namespace $r.name) }}
 ---
 apiVersion: v1
 kind: Secret
 type: kubernetes.io/dockerconfigjson
 metadata:
   name: {{ $r.name }}
-  namespace: {{ $namespace }}
 data:
   .dockerconfigjson: {{ $json | b64enc }}
 {{- end }}
+{{- end }}
diff --git a/minion/templates/minion-configmap.yaml b/minion/templates/minion-configmap.yaml
@@ -2,11 +2,10 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: minion-settings
-  namespace: {{ .Release.Name }}
+  name: {{ .Values.minion.name | default  .Release.Name }}-settings
 data:
   minion-config.yaml: |
-    id: {{ .Values.minion.name }}
+    id: {{ .Values.minion.name | default .Release.Name }}
     location: {{ .Values.minion.location }}
 
     system:

diff --git a/minion/templates/minion-core.sa.yaml b/minion/templates/minion-core.sa.yaml
@@ -1,8 +1,11 @@
+{{- $saname := (.Values.securitycontext).serviceaccount.name }}
+{{- $namespace := .Release.Namespace }}
 {{- if and (eq (include "onOpenShift" .) "true") ((.Values.securitycontext).serviceaccount.enabled) }}
+{{- if not (lookup "v1" "ServiceAccount" $namespace $saname) }}
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: {{ (.Values.securitycontext).serviceaccount.name | quote }}
-  namespace: {{ .Release.Name }}
-{{- end }}
+{{- end }}
+{{- end }}
diff --git a/minion/templates/minion-core.scc.yaml b/minion/templates/minion-core.scc.yaml
@@ -1,9 +1,9 @@
 {{- if and (eq (include "onOpenShift" .) "true") ((.Values.securitycontext).securitycontextconstraints.enabled) }}
+{{- if not (lookup "security.openshift.io/v1" "SecurityContextConstraints" "" (.Values.securitycontext).securitycontextconstraints.name) }}
 ---
 kind: SecurityContextConstraints
 metadata:
   name: {{ (.Values.securitycontext).securitycontextconstraints.name | quote }}
-  namespace: {{ .Release.Name }}
 allowHostDirVolumePlugin: false
 allowHostIPC: false
 allowHostNetwork: false
@@ -41,4 +41,5 @@ volumes:
 - persistentVolumeClaim
 - projected
 - secret
+{{- end }}
 {{- end }}
diff --git a/minion/templates/minion-data-pvc.yaml b/minion/templates/minion-data-pvc.yaml
@@ -2,8 +2,7 @@ apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
   creationTimestamp: null
-  name: minion-data-folder
-  namespace: {{ .Release.Name }}
+  name: {{ .Values.minion.name | default  .Release.Name }}-data-folder
 spec:
   accessModes:
     - ReadWriteOnce

diff --git a/minion/templates/minion-deployment.yaml b/minion/templates/minion-deployment.yaml
@@ -2,21 +2,20 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: minion
+  name: {{ .Values.minion.name | default  .Release.Name }}
   labels:
-    app: minion
-  namespace: {{ .Release.Name }}
+    app: {{ .Values.minion.name | default  .Release.Name }}
 spec:
   replicas: 1
   selector:
     matchLabels:
-      app: minion
+      app: {{ .Values.minion.name | default  .Release.Name }}
   strategy:
     type: Recreate
   template:
     metadata:
       labels:
-        app: minion
+        app: {{ .Values.minion.name | default  .Release.Name }}
     spec:
       {{- if and (eq (include "onOpenShift" .) "true") ((.Values.securitycontext).serviceaccount.enabled) }}
       serviceAccountName: {{ (.Values.securitycontext).serviceaccount.name | quote }} 
@@ -82,7 +81,7 @@ spec:
             failureThreshold: 3
             periodSeconds: 30
             timeoutSeconds: 20
-          name: minion
+          name: {{ .Values.minion.name | default  .Release.Name }}
           ports:
            {{- if .Values.minion.configuration.ports.karaf.enabled }}
             - containerPort: 8201
@@ -101,27 +100,27 @@ spec:
           resources: {}
           volumeMounts:
             - mountPath: /opt/minion/minion-config.yaml
-              name: minion-settings
+              name: {{ .Values.minion.name | default  .Release.Name }}-settings
               subPath: minion-config.yaml
             {{- if .Values.truststore.content }}
             - mountPath: /etc/java/jks
               name: jks
             {{- end }}
             - mountPath: /opt/minion/data
-              name: minion-data-folder
-      hostname: minion
+              name: {{ .Values.minion.name | default  .Release.Name }}-data-folder
+      hostname: {{ .Values.minion.name | default  .Release.Name }}
       restartPolicy: Always
       volumes:
-        - name: minion-data-folder
+        - name: {{ .Values.minion.name | default  .Release.Name }}-data-folder
           persistentVolumeClaim:
-            claimName: minion-data-folder
-        - name: minion-settings
+            claimName: {{ .Values.minion.name | default  .Release.Name }}-data-folder
+        - name: {{ .Values.minion.name | default  .Release.Name }}-settings
           configMap:
-            name: minion-settings
+            name: {{ .Values.minion.name | default  .Release.Name }}-settings
         {{- if .Values.truststore.content }}
         - name: jks
           secret:
             defaultMode: 420
-            secretName: minion-app-jks
+            secretName: {{ .Values.minion.name | default  .Release.Name }}-app-jks
         {{- end }}
 status: {}
diff --git a/minion/templates/minion-secret.yaml b/minion/templates/minion-secret.yaml
@@ -1,9 +1,10 @@
+{{- if .Values.truststore.content }}
 apiVersion: v1
 kind: Secret
 type: Opaque
 metadata:
-  name: minion-app-jks
-  namespace: {{ .Release.Name }}
+  name: {{ .Values.minion.name | default  .Release.Name }}-app-jks
 data: # To be mounted at /etc/java/jks
   truststore.jks: |
      {{ .Values.truststore.content }}
+{{- end }}
diff --git a/minion/templates/minion-service.yaml b/minion/templates/minion-service.yaml
@@ -3,9 +3,8 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    app: minion
-  name: minion
-  namespace: {{ .Release.Namespace }}
+    app: {{ .Values.minion.name | default  .Release.Name }}
+  name: {{ .Values.minion.name | default  .Release.Name }}
 spec:
   ports:
     {{- if .Values.minion.configuration.ports.karaf.enabled }}
@@ -26,7 +25,7 @@ spec:
       targetPort: 1514
     {{- end }}
   selector:
-    app: minion
+    app: {{ .Values.minion.name | default  .Release.Name }}
 status:
   loadBalancer: {}
 {{- end }}
diff --git a/minion/templates/minion.clusterrole.yaml b/minion/templates/minion.clusterrole.yaml
@@ -1,4 +1,6 @@
+{{ $name :=(printf "system:openshift:scc:%s" (.Values.securitycontext).securitycontextconstraints.name) }}
 {{- if and (eq (include "onOpenShift" .) "true") (.Values.clusterRole) }}
+{{- if not (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" $name ) }}
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
@@ -13,3 +15,4 @@ rules:
     resourceNames:
       - {{ (.Values.securitycontext).securitycontextconstraints.name | quote }}
 {{- end }}
+{{- end }}
diff --git a/minion/templates/minion.clusterrolebinding.yaml b/minion/templates/minion.clusterrolebinding.yaml
@@ -1,14 +1,17 @@
+{{ $name :=(printf "system:openshift:scc:%s" (.Values.securitycontext).securitycontextconstraints.name) }}
 {{- if and (eq (include "onOpenShift" .) "true") (.Values.clusterRoleBinding) }}
+{{- if not (lookup "rbac.authorization.k8s.io/v1" "ClusterRoleBinding" "" $name ) }}
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: {{ printf "system:openshift:scc:%s" (.Values.securitycontext).securitycontextconstraints.name | quote }} 
 subjects:
   - kind: ServiceAccount
     name: {{ (.Values.securitycontext).serviceaccount.name | quote }}
-    namespace: {{ .Release.Name }}
+    namespace: {{ .Release.Namespace }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
   name: {{ printf "system:openshift:scc:%s" (.Values.securitycontext).securitycontextconstraints.name | quote }} 
 {{- end }}
+{{- end }}