[OOM] Fixing k8s ServiceAccounts

Adding service account for the jobs Cleanup MSB, ES and other common charts from AAF dependencies Issue-ID: OOM-3199 Issue-ID: OOM-3114 Issue-ID: OOM-3116 Change-Id: I55bf80876c9fb3b110e538ed1a5504e0dc1d4e1a Signed-off-by: vladimir turok <vladimir.turok@t-systems.com>
author: vladimir turok <vladimir.turok@t-systems.com> 2023-07-27 16:28:36 +0200
committer: Andreas Geissler <andreas-geissler@telekom.de> 2023-08-07 18:34:04 +0200
commit: d804418c890dde93bff26125b8cf1a9fd7fc82d1 (patch)
tree: 5c8d93188819e6a913f8e0566d061607b5be9095 /kubernetes/common
parent: 7a34dfca27abc3a13f89ed8d6b87e4aa7be9613f (diff)
20 files changed, 52 insertions, 41 deletions
diff --git a/kubernetes/common/cert-wrapper/values.yaml b/kubernetes/common/cert-wrapper/values.yaml
index fcece0e3f5..34f3ad5eea 100644
--- a/kubernetes/common/cert-wrapper/values.yaml
+++ b/kubernetes/common/cert-wrapper/values.yaml
@@ -15,3 +15,5 @@
 certInitializer:
   nameOverride: cert-initializer
   createCertsCM: true
+  serviceAccount:
+    nameOverride: cert-initializer
+\ No newline at end of file
diff --git a/kubernetes/common/certInitializer/Chart.yaml b/kubernetes/common/certInitializer/Chart.yaml
index e1bb478d8a..d70b1de52b 100644
--- a/kubernetes/common/certInitializer/Chart.yaml
+++ b/kubernetes/common/certInitializer/Chart.yaml
@@ -29,3 +29,6 @@ dependencies:
   - name: repositoryGenerator
     version: ~13.x-0
     repository: 'file://../repositoryGenerator'
+  - name: serviceAccount
+    version: ~13.x-0
+    repository: '@local'
diff --git a/kubernetes/common/certInitializer/templates/job.yaml b/kubernetes/common/certInitializer/templates/job.yaml
index 84a3e87098..3120455300 100644
--- a/kubernetes/common/certInitializer/templates/job.yaml
+++ b/kubernetes/common/certInitializer/templates/job.yaml
@@ -36,6 +36,7 @@ spec:
         volumeMounts: {{ include "common.certInitializer.volumeMount" (dict "dot" . "initRoot" .Values) | nindent 8 }}
         - name: ingress-scripts
           mountPath: /ingress
+      serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
       volumes: {{ include "common.certInitializer.volumes" (dict "dot" . "initRoot" .Values) | nindent 6 }}
       - name: localtime
         hostPath:
diff --git a/kubernetes/common/certInitializer/values.yaml b/kubernetes/common/certInitializer/values.yaml
index 747c94f4d1..0fde2cf532 100644
--- a/kubernetes/common/certInitializer/values.yaml
+++ b/kubernetes/common/certInitializer/values.yaml
@@ -70,3 +70,9 @@ envVarToCheck: cadi_keystore_password_p12
 # We had to move this CM to a separate chart to reduce the total size of our charts
 # as it exceeds the default helm limits.
 certsCMName: '{{ include "common.release" . }}-cert-wrapper-certs'
+
+#Pods Service Account
+serviceAccount:
+  nameOverride: certinitializer
+  roles:
+    - read
+\ No newline at end of file
diff --git a/kubernetes/common/elasticsearch/Chart.yaml b/kubernetes/common/elasticsearch/Chart.yaml
index d0219617c7..82c8ccd056 100644
--- a/kubernetes/common/elasticsearch/Chart.yaml
+++ b/kubernetes/common/elasticsearch/Chart.yaml
@@ -35,9 +35,6 @@ dependencies:
     version: ~13.x-0
     repository: 'file://components/curator'
     condition: elasticsearch.curator.enabled,curator.enabled
-  - name: certInitializer
-    version: ~13.x-0
-    repository: 'file://../certInitializer'
   - name: repositoryGenerator
     version: ~13.x-0
     repository: 'file://../repositoryGenerator'
diff --git a/kubernetes/common/elasticsearch/templates/configmap-server-block.yaml b/kubernetes/common/elasticsearch/templates/configmap-server-block.yaml
index 49ce0ef76a..e7520aeed6 100644
--- a/kubernetes/common/elasticsearch/templates/configmap-server-block.yaml
+++ b/kubernetes/common/elasticsearch/templates/configmap-server-block.yaml
@@ -21,11 +21,5 @@ kind: ConfigMap
 metadata: {{- include "common.resourceMetadata" (dict "suffix" $suffix "dot" . )| nindent 2 }}
 data:
   server-block.conf: |-
-{{ if .Values.global.aafEnabled }}
-{{ .Values.nginx.serverBlock.https | indent 4 }}
-{{ else }}
 {{ .Values.nginx.serverBlock.http | indent 4 }}
-
-
-{{ end }}
 {{- end -}}
diff --git a/kubernetes/common/elasticsearch/templates/coordinating-deploy.yaml b/kubernetes/common/elasticsearch/templates/coordinating-deploy.yaml
index 05e09cb696..43eb92dd1e 100644
--- a/kubernetes/common/elasticsearch/templates/coordinating-deploy.yaml
+++ b/kubernetes/common/elasticsearch/templates/coordinating-deploy.yaml
@@ -64,7 +64,6 @@ spec:
           securityContext:
             privileged: true
       {{- end }}
-          {{ include "common.certInitializer.initContainer" . | nindent 8 }}
 
       containers:
         - name: {{ include "common.name" . }}-nginx
@@ -85,7 +84,6 @@ spec:
           - name: nginx-server-block
             mountPath: /opt/bitnami/nginx/conf/server_blocks
           {{- end }}
-          {{- include "common.certInitializer.volumeMount" . | nindent 10 }}
 
         - name: {{ include "common.name" . }}-elasticsearch
           image: {{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.image }}
@@ -172,4 +170,3 @@ spec:
           configMap:
             name: {{ include "common.fullname" . }}-nginx-server-block
         {{- end }}
-         {{ include "common.certInitializer.volumes" . | nindent 8 }}
diff --git a/kubernetes/common/elasticsearch/values.yaml b/kubernetes/common/elasticsearch/values.yaml
index 6c46f32c96..c3352ae424 100644
--- a/kubernetes/common/elasticsearch/values.yaml
+++ b/kubernetes/common/elasticsearch/values.yaml
@@ -17,7 +17,6 @@
 # Global configuration defaults.
 #################################################################
 global:
-  aafEnabled: true
   nodePortPrefix: 302
   clusterName: cluster.local
 
@@ -261,30 +260,6 @@ service:
   ##
 
 #################################################################
-# Certificate configuration
-#################################################################
-certInitializer:
-  nameOverride: elasticsearch-cert-initializer
-  aafDeployFqi: deployer@people.osaaf.org
-  aafDeployPass: demo123456!
-  # aafDeployCredsExternalSecret: some secret
-  fqdn: "elastic"
-  app_ns: "org.osaaf.aaf"
-  fqi_namespace: "org.onap.elastic"
-  fqi: "elastic@elastic.onap.org"
-  public_fqdn: "aaf.osaaf.org"
-  cadi_longitude: "0.0"
-  cadi_latitude: "0.0"
-  credsPath: /opt/app/osaaf/local
-  aaf_add_config: >
-    cd {{ .Values.credsPath }};
-    mkdir -p certs;
-    keytool -exportcert -rfc -file certs/cacert.pem -keystore {{ .Values.fqi_namespace }}.trust.jks -alias ca_local_0 -storepass $cadi_truststore_password;
-    openssl pkcs12 -in {{ .Values.fqi_namespace }}.p12 -out certs/cert.pem -passin pass:$cadi_keystore_password_p12 -passout pass:$cadi_keystore_password_p12;
-    cp {{ .Values.fqi_namespace }}.key certs/key.pem;
-    chmod -R 755 certs;
-
-#################################################################
 # subcharts configuration defaults.
 #################################################################
 
diff --git a/kubernetes/common/etcd-init/Chart.yaml b/kubernetes/common/etcd-init/Chart.yaml
index 6605f519f1..166b4172d3 100644
--- a/kubernetes/common/etcd-init/Chart.yaml
+++ b/kubernetes/common/etcd-init/Chart.yaml
@@ -25,4 +25,7 @@ dependencies:
     repository: 'file://../common'
   - name: repositoryGenerator
     version: ~13.x-0
-    repository: 'file://../repositoryGenerator'
-\ No newline at end of file
+    repository: 'file://../repositoryGenerator'
+  - name: serviceAccount
+    version: ~13.x-0
+    repository: '@local'
+\ No newline at end of file
diff --git a/kubernetes/common/etcd-init/templates/job.yaml b/kubernetes/common/etcd-init/templates/job.yaml
index 4b8e2e5fdd..a517264d57 100644
--- a/kubernetes/common/etcd-init/templates/job.yaml
+++ b/kubernetes/common/etcd-init/templates/job.yaml
@@ -98,6 +98,7 @@ spec:
       {{- if .Values.affinity }}
       affinity: {{ toYaml .Values.affinity | nindent 10 }}
       {{- end }}
+      serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
       volumes:
       - name: localtime
         hostPath:
diff --git a/kubernetes/common/etcd-init/values.yaml b/kubernetes/common/etcd-init/values.yaml
index 6ccfb3e5d7..721bcb70f3 100644
--- a/kubernetes/common/etcd-init/values.yaml
+++ b/kubernetes/common/etcd-init/values.yaml
@@ -73,6 +73,12 @@ resources:
       memory: 20Mi
   unlimited: {}
 
+#Pods Service Account
+serviceAccount:
+  nameOverride: etcd-init
+  roles:
+    - read
+
 wait_for_job_container:
   containers:
     - '{{ include "common.name" . }}'
diff --git a/kubernetes/common/mariadb-init/Chart.yaml b/kubernetes/common/mariadb-init/Chart.yaml
index f4d9c2d4af..fe134578df 100644
--- a/kubernetes/common/mariadb-init/Chart.yaml
+++ b/kubernetes/common/mariadb-init/Chart.yaml
@@ -25,4 +25,7 @@ dependencies:
     repository: 'file://../common'
   - name: repositoryGenerator
     version: ~13.x-0
-    repository: 'file://../repositoryGenerator'
-\ No newline at end of file
+    repository: 'file://../repositoryGenerator'
+  - name: serviceAccount
+    version: ~13.x-0
+    repository: '@local'
+\ No newline at end of file
diff --git a/kubernetes/common/mariadb-init/templates/job.yaml b/kubernetes/common/mariadb-init/templates/job.yaml
index e638415548..a899d93a28 100644
--- a/kubernetes/common/mariadb-init/templates/job.yaml
+++ b/kubernetes/common/mariadb-init/templates/job.yaml
@@ -101,6 +101,7 @@ spec:
       affinity:
 {{ toYaml .Values.affinity | indent 10 }}
       {{- end }}
+      serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
       volumes:
       - name: localtime
         hostPath:
diff --git a/kubernetes/common/mariadb-init/values.yaml b/kubernetes/common/mariadb-init/values.yaml
index 1d699bd5ae..2d5de97e7c 100644
--- a/kubernetes/common/mariadb-init/values.yaml
+++ b/kubernetes/common/mariadb-init/values.yaml
@@ -136,6 +136,12 @@ resources:
       memory: 20Mi
   unlimited: {}
 
+#Pods Service Account
+serviceAccount:
+  nameOverride: mariadb-init
+  roles:
+    - read
+
 wait_for_job_container:
   containers:
     - '{{ include "common.name" . }}'
diff --git a/kubernetes/common/network-name-gen/Chart.yaml b/kubernetes/common/network-name-gen/Chart.yaml
index 4bc06f9fa5..88336f49c3 100644
--- a/kubernetes/common/network-name-gen/Chart.yaml
+++ b/kubernetes/common/network-name-gen/Chart.yaml
@@ -33,4 +33,7 @@ dependencies:
   - name: mariadb-init
     version: ~13.x-0
     repository: 'file://../mariadb-init'
-    condition: global.mariadbGalera.globalCluster
-\ No newline at end of file
+    condition: global.mariadbGalera.globalCluster
+  - name: serviceAccount
+    version: ~13.x-0
+    repository: '@local'
+\ No newline at end of file
diff --git a/kubernetes/common/network-name-gen/templates/deployment.yaml b/kubernetes/common/network-name-gen/templates/deployment.yaml
index 71b7846dc9..940132f477 100644
--- a/kubernetes/common/network-name-gen/templates/deployment.yaml
+++ b/kubernetes/common/network-name-gen/templates/deployment.yaml
@@ -102,6 +102,7 @@ spec:
 {{ toYaml .Values.nodeSelector | indent 10 }}
         {{- end -}}
         {{- if .Values.affinity }}
+        serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
         affinity:
 {{ toYaml .Values.affinity | indent 10 }}
         {{- end }}
diff --git a/kubernetes/common/network-name-gen/values.yaml b/kubernetes/common/network-name-gen/values.yaml
index 8b8848b8aa..e3fdb80e71 100644
--- a/kubernetes/common/network-name-gen/values.yaml
+++ b/kubernetes/common/network-name-gen/values.yaml
@@ -72,6 +72,8 @@ mariadb-init:
     userCredentialsExternalSecret: *dbUserSecretName
     mysqlDatabase: *mysqlDbName
   nameOverride: nengdb-init
+  serviceAccount:
+    nameOverride: nengdb-init
 
 #################################################################
 # Application configuration defaults.
diff --git a/kubernetes/common/postgres-init/Chart.yaml b/kubernetes/common/postgres-init/Chart.yaml
index 34f5352ea8..59008d37bb 100644
--- a/kubernetes/common/postgres-init/Chart.yaml
+++ b/kubernetes/common/postgres-init/Chart.yaml
@@ -25,4 +25,7 @@ dependencies:
     repository: 'file://../common'
   - name: repositoryGenerator
     version: ~13.x-0
-    repository: 'file://../repositoryGenerator'
-\ No newline at end of file
+    repository: 'file://../repositoryGenerator'
+  - name: serviceAccount
+    version: ~13.x-0
+    repository: '@local'
+\ No newline at end of file
diff --git a/kubernetes/common/postgres-init/templates/job.yaml b/kubernetes/common/postgres-init/templates/job.yaml
index 15260f0b16..09c21fe9e5 100644
--- a/kubernetes/common/postgres-init/templates/job.yaml
+++ b/kubernetes/common/postgres-init/templates/job.yaml
@@ -102,6 +102,7 @@ spec:
       affinity:
 {{ toYaml .Values.affinity | indent 10 }}
       {{- end }}
+      serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
       volumes:
       - name: localtime
         hostPath:
diff --git a/kubernetes/common/postgres-init/values.yaml b/kubernetes/common/postgres-init/values.yaml
index d6d51f0b51..1b9e72b8d7 100644
--- a/kubernetes/common/postgres-init/values.yaml
+++ b/kubernetes/common/postgres-init/values.yaml
@@ -90,6 +90,12 @@ resources:
       memory: 2Gi
   unlimited: {}
 
+#Pods Service Account
+serviceAccount:
+  nameOverride: postgres-init
+  roles:
+    - read
+
 wait_for_job_container:
   containers:
     - '{{ include "common.name" . }}-update-config'
 \ No newline at end of file
author	vladimir turok <vladimir.turok@t-systems.com>	2023-07-27 16:28:36 +0200
committer	Andreas Geissler <andreas-geissler@telekom.de>	2023-08-07 18:34:04 +0200
commit	d804418c890dde93bff26125b8cf1a9fd7fc82d1 (patch)
tree	5c8d93188819e6a913f8e0566d061607b5be9095 /kubernetes/common
parent	7a34dfca27abc3a13f89ed8d6b87e4aa7be9613f (diff)