-
Notifications
You must be signed in to change notification settings - Fork 277
/
crds-upgrade-hook.yaml
127 lines (127 loc) · 3.67 KB
/
crds-upgrade-hook.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
{{- if .Values.linux.crds.enabled -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "sscd.fullname" . }}-upgrade-crds
labels:
{{ include "sscd.labels" . | indent 4 }}
annotations:
helm.sh/hook: pre-install,pre-upgrade
helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation"
helm.sh/hook-weight: "1"
rules:
- apiGroups: ["apiextensions.k8s.io"]
resources: ["customresourcedefinitions"]
verbs: ["get", "create", "update", "patch"]
{{- if and .Values.rbac.pspEnabled (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }}
- apiGroups: ['policy']
resources: ['podsecuritypolicies']
verbs: ['use']
resourceNames:
- allow-upgrade-crds
{{- end }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "sscd.fullname" . }}-upgrade-crds
labels:
{{ include "sscd.labels" . | indent 4 }}
annotations:
helm.sh/hook: pre-install,pre-upgrade
helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation"
helm.sh/hook-weight: "1"
subjects:
- kind: ServiceAccount
name: {{ template "sscd.fullname" . }}-upgrade-crds
namespace: {{ .Release.Namespace }}
roleRef:
kind: ClusterRole
name: {{ template "sscd.fullname" . }}-upgrade-crds
apiGroup: rbac.authorization.k8s.io
---
{{- if and .Values.rbac.pspEnabled (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: allow-upgrade-crds
labels:
{{ include "sscd.labels" . | indent 4 }}
annotations:
helm.sh/hook: pre-install,pre-upgrade
helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation"
helm.sh/hook-weight: "1"
spec:
fsGroup:
rule: RunAsAny
runAsUser:
rule: RunAsAny
seLinux:
rule: RunAsAny
supplementalGroups:
rule: RunAsAny
volumes:
- secret
{{- end }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "sscd.fullname" . }}-upgrade-crds
namespace: {{ .Release.Namespace }}
labels:
{{ include "sscd.labels" . | indent 4 }}
annotations:
helm.sh/hook: pre-install,pre-upgrade
helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation"
helm.sh/hook-weight: "1"
---
apiVersion: batch/v1
kind: Job
metadata:
name: secrets-store-csi-driver-upgrade-crds
namespace: {{ .Release.Namespace }}
labels:
{{ include "sscd.labels" . | indent 4 }}
annotations:
helm.sh/hook: pre-install,pre-upgrade
helm.sh/hook-weight: "10"
helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation"
spec:
backoffLimit: 0
template:
metadata:
name: {{ template "sscd.fullname" . }}-upgrade-crds
{{- if .Values.linux.crds.annotations }}
annotations:
{{ toYaml .Values.linux.crds.annotations }}
{{- end }}
{{- if .Values.linux.crds.podLabels }}
labels:
{{- toYaml .Values.linux.crds.podLabels | nindent 8 }}
{{- end }}
spec:
serviceAccountName: {{ template "sscd.fullname" . }}-upgrade-crds
{{- if .Values.imagePullSecrets }}
imagePullSecrets:
{{ toYaml .Values.imagePullSecrets | indent 6 }}
{{- end }}
restartPolicy: Never
containers:
- name: crds-upgrade
image: "{{ .Values.linux.crds.image.repository }}:{{ .Values.linux.crds.image.tag }}"
args:
- apply
- -f
- crds/
imagePullPolicy: {{ .Values.linux.crds.image.pullPolicy }}
nodeSelector:
kubernetes.io/os: linux
{{- if .Values.linux.nodeSelector }}
{{- toYaml .Values.linux.nodeSelector | nindent 8 }}
{{- end }}
{{- with .Values.linux.tolerations }}
tolerations:
{{ toYaml . | indent 8 }}
{{- end }}
{{- end }}