diff --git a/litmus-portal/cluster-k8s-manifest.yml b/litmus-portal/cluster-k8s-manifest.yml index 201a71a6b2..a886604931 100644 --- a/litmus-portal/cluster-k8s-manifest.yml +++ b/litmus-portal/cluster-k8s-manifest.yml @@ -562,11 +562,11 @@ spec: - name: ARGO_WORKFLOW_EXECUTOR_IMAGE value: "litmuschaos/argoexec:v2.11.0" - name: LITMUS_CHAOS_OPERATOR_IMAGE - value: "litmuschaos/chaos-operator:2.1.0" + value: "litmuschaos/chaos-operator:2.0.0" - name: LITMUS_CHAOS_RUNNER_IMAGE - value: "litmuschaos/chaos-runner:2.1.0" + value: "litmuschaos/chaos-runner:2.0.0" - name: LITMUS_CHAOS_EXPORTER_IMAGE - value: "litmuschaos/chaos-exporter:2.1.0" + value: "litmuschaos/chaos-exporter:2.0.0" - name: SERVER_SERVICE_NAME value: "litmusportal-server-service" - name: AGENT_DEPLOYMENTS diff --git a/litmus-portal/namespaced-k8s-template.yml b/litmus-portal/namespaced-k8s-template.yml index 88cdbdddf7..83509677d8 100644 --- a/litmus-portal/namespaced-k8s-template.yml +++ b/litmus-portal/namespaced-k8s-template.yml @@ -570,11 +570,11 @@ spec: - name: ARGO_WORKFLOW_EXECUTOR_IMAGE value: "litmuschaos/argoexec:v2.11.0" - name: LITMUS_CHAOS_OPERATOR_IMAGE - value: "litmuschaos/chaos-operator:2.1.0" + value: "litmuschaos/chaos-operator:2.0.0" - name: LITMUS_CHAOS_RUNNER_IMAGE - value: "litmuschaos/chaos-runner:2.1.0" + value: "litmuschaos/chaos-runner:2.0.0" - name: LITMUS_CHAOS_EXPORTER_IMAGE - value: "litmuschaos/chaos-exporter:2.1.0" + value: "litmuschaos/chaos-exporter:2.0.0" - name: CONTAINER_RUNTIME_EXECUTOR value: "k8sapi" - name: HUB_BRANCH_NAME diff --git a/litmus-portal/platforms/okteto/litmus-portal-dev-manifest-template.yml b/litmus-portal/platforms/okteto/litmus-portal-dev-manifest-template.yml index 88feaadce1..26b36d6304 100644 --- a/litmus-portal/platforms/okteto/litmus-portal-dev-manifest-template.yml +++ b/litmus-portal/platforms/okteto/litmus-portal-dev-manifest-template.yml @@ -570,11 +570,11 @@ spec: - name: ARGO_WORKFLOW_EXECUTOR_IMAGE value: "litmuschaos/argoexec:v2.11.0" - name: LITMUS_CHAOS_OPERATOR_IMAGE - value: "litmuschaos/chaos-operator:2.1.0" + value: "litmuschaos/chaos-operator:2.0.0" - name: LITMUS_CHAOS_RUNNER_IMAGE - value: "litmuschaos/chaos-runner:2.1.0" + value: "litmuschaos/chaos-runner:2.0.0" - name: LITMUS_CHAOS_EXPORTER_IMAGE - value: "litmuschaos/chaos-exporter:2.1.0" + value: "litmuschaos/chaos-exporter:2.0.0" - name: CONTAINER_RUNTIME_EXECUTOR value: "k8sapi" - name: HUB_BRANCH_NAME diff --git a/mkdocs/docs/2.1.0/litmus-2.1.0.yaml b/mkdocs/docs/2.1.0/litmus-2.1.0.yaml new file mode 100644 index 0000000000..f435fc3d2b --- /dev/null +++ b/mkdocs/docs/2.1.0/litmus-2.1.0.yaml @@ -0,0 +1,683 @@ +### RBAC Manifests +## If SELF_CLUSTER="true" then these permissions are required to apply +## https://github.com/litmuschaos/litmus/blob/master/litmus-portal/graphql-server/manifests/cluster/1b_argo_rbac.yaml +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + rbac.authorization.k8s.io/aggregate-to-admin: "true" + name: argo-aggregate-to-admin-for-litmusportal-server +rules: + - apiGroups: [argoproj.io] + resources: [workflows, workflows/finalizers, workflowtemplates, workflowtemplates/finalizers, cronworkflows, cronworkflows/finalizers, clusterworkflowtemplates, clusterworkflowtemplates/finalizers] + verbs: [create, delete, deletecollection, get, list, patch, update, watch] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + rbac.authorization.k8s.io/aggregate-to-edit: "true" + name: argo-aggregate-to-edit-for-litmusportal-server +rules: + - apiGroups: [argoproj.io] + resources: [workflows, workflows/finalizers, workflowtemplates, workflowtemplates/finalizers, cronworkflows, cronworkflows/finalizers, clusterworkflowtemplates, clusterworkflowtemplates/finalizers] + verbs: [create, delete, deletecollection, get, list, patch, update, watch] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + rbac.authorization.k8s.io/aggregate-to-view: "true" + name: argo-aggregate-to-view-for-litmusportal-server +rules: + - apiGroups: [argoproj.io] + resources: [workflows, workflows/finalizers, workflowtemplates, workflowtemplates/finalizers, cronworkflows, cronworkflows/finalizers, clusterworkflowtemplates, clusterworkflowtemplates/finalizers] + verbs: [get, list, watch] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: argo-cr-for-litmusportal-server +rules: + - apiGroups: [""] + resources: [pods, pods/exec] + verbs: [create, get, list, watch, update, patch, delete] + - apiGroups: [""] + resources: [configmaps] + verbs: [get, watch, list] + - apiGroups: [""] + resources: [persistentvolumeclaims] + verbs: [create, delete] + - apiGroups: [argoproj.io] + resources: [workflows, workflows/finalizers] + verbs: [get, list, watch, update, patch, delete, create] + - apiGroups: [argoproj.io] + resources: [workflowtemplates, workflowtemplates/finalizers, clusterworkflowtemplates, clusterworkflowtemplates/finalizers] + verbs: [get, list, watch] + - apiGroups: [""] + resources: [serviceaccounts] + verbs: [get, list] + - apiGroups: [argoproj.io] + resources: [cronworkflows, cronworkflows/finalizers] + verbs: [get, list, watch, update, patch, delete] + - apiGroups: [""] + resources: [events] + verbs: [create, patch] + - apiGroups: [policy] + resources: [poddisruptionbudgets] + verbs: [create, get, delete] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: argo-crb-for-litmusportal-server +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: argo-cr-for-litmusportal-server +subjects: + - kind: ServiceAccount + name: litmus-server-account + namespace: litmus +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: argo-aggregate-to-view-crb-for-litmusportal-server +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: argo-aggregate-to-view-for-litmusportal-server +subjects: + - kind: ServiceAccount + name: litmus-server-account + namespace: litmus +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: argo-aggregate-to-admin-crb-for-litmusportal-server +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: argo-aggregate-to-admin-for-litmusportal-server +subjects: + - kind: ServiceAccount + name: litmus-server-account + namespace: litmus +#these permissions are required to apply https://github.com/litmuschaos/litmus/blob/master/litmus-portal/graphql-server/manifests/cluster/2b_litmus_rbac.yaml +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: litmus-cluster-scope-for-litmusportal-server + labels: + app.kubernetes.io/name: litmus + # provide unique instance-id if applicable + # app.kubernetes.io/instance: litmus-abcxzy + app.kubernetes.io/version: v2.0.0 + app.kubernetes.io/component: operator-clusterrole + app.kubernetes.io/part-of: litmus + app.kubernetes.io/managed-by: kubectl + name: litmus-cluster-scope-for-litmusportal-server +rules: + - apiGroups: [""] + resources: [replicationcontrollers, secrets] + verbs: [get, list] + - apiGroups: [apps.openshift.io] + resources: [deploymentconfigs] + verbs: [get, list] + - apiGroups: [apps] + resources: [deployments, daemonsets, replicasets, statefulsets] + verbs: [get, list] + - apiGroups: [batch] + resources: [jobs] + verbs: [get, list, deletecollection] + - apiGroups: [argoproj.io] + resources: [rollouts] + verbs: [get, list] + - apiGroups: [""] + resources: [pods, configmaps, events, services] + verbs: [get, create, update, patch, delete, list, watch, deletecollection] + - apiGroups: [litmuschaos.io] + resources: [chaosengines, chaosexperiments, chaosresults] + verbs: [get, create, update, patch, delete, list, watch, deletecollection] + - apiGroups: [apiextensions.k8s.io] + resources: [customresourcedefinitions] + verbs: [list, get] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: litmus-cluster-scope-crb-for-litmusportal-server + labels: + app.kubernetes.io/name: litmus + # provide unique instance-id if applicable + # app.kubernetes.io/instance: litmus-abcxzy + app.kubernetes.io/version: v2.0.0 + app.kubernetes.io/component: operator-clusterrolebinding + app.kubernetes.io/part-of: litmus + app.kubernetes.io/managed-by: kubectl + name: litmus-cluster-scope-crb-for-litmusportal-server +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: litmus-cluster-scope-for-litmusportal-server +subjects: + - kind: ServiceAccount + name: litmus-server-account + namespace: litmus +#these permissions are required to apply https://github.com/litmuschaos/litmus/blob/master/litmus-portal/graphql-server/manifests/cluster/3a_agents_rbac.yaml +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: litmus-admin-cr-for-litmusportal-server + labels: + name: litmus-admin-cr-for-litmusportal-server +rules: + # *************************************************************************************** + # Permissions needed for preparing and monitor the chaos resources by chaos-runner + # *************************************************************************************** + + # The chaos operator watches the chaosengine resource and orchestartes the chaos experiment.. + ## .. by creating the chaos-runner + + # for creating and monitoring the chaos-runner pods + - apiGroups: [""] + resources: [pods,events] + verbs: [create, delete, get, list, patch, update, deletecollection] + + # for fetching configmaps and secrets to inject into chaos-runner pod (if specified) + - apiGroups: [""] + resources: [secrets, configmaps] + verbs: [get, list] + + # for tracking & getting logs of the pods created by chaos-runner to implement individual steps in the runner + - apiGroups: [""] + resources: [pods/log] + verbs: [get, list, watch] + + # for configuring and monitor the experiment job by chaos-runner pod + - apiGroups: [batch] + resources: [jobs] + verbs: [create, list, get, delete, deletecollection] + + # ******************************************************************** + # Permissions needed for creation and discovery of chaos experiments + # ******************************************************************** + + # The helper pods are created by experiment to perform the actual chaos injection ... + # ... for a period of chaos duration + + # for creating and deleting the helper or target app pod and events by experiment + - apiGroups: [""] + resources: [pods] + verbs: [create, delete, deletecollection] + + # for creating and monitoring the events for chaos operations + - apiGroups: [""] + resources: [events] + verbs: [create, delete, get, list, patch, update, deletecollection] + + # for monitoring the helper and target app pod + - apiGroups: [""] + resources: [pods] + verbs: [get, list, patch, update] + + # for creating and managing to execute comands inside target container + - apiGroups: [""] + resources: [pods/exec, pods/eviction, replicationcontrollers] + verbs: [get,list,create] + + # for tracking & getting logs of the pods created by experiment pod to implement individual steps in the experiment + - apiGroups: [""] + resources: [pods/log] + verbs: [get, list, watch] + + # for creating and monitoring liveness services or monitoring target app services during chaos injection + - apiGroups: [""] + resources: [services] + verbs: [create, delete, get, list, delete, deletecollection] + + # for checking the app parent resources as deployments or sts and are eligible chaos candidates + - apiGroups: [apps] + resources: [deployments, statefulsets] + verbs: [list, get, patch, update] + + # for checking the app parent resources as replicasets and are eligible chaos candidates + - apiGroups: [apps] + resources: [replicasets] + verbs: [list, get] + + # for checking the app parent resources as deamonsets and are eligible chaos candidates + - apiGroups: [apps] + resources: [daemonsets] + verbs: [list, get, delete] + + # for checking (openshift) app parent resources if they are eligible chaos candidates + - apiGroups: [apps.openshift.io] + resources: [deploymentconfigs] + verbs: [list, get] + + # for checking (argo) app parent resources if they are eligible chaos candidates + - apiGroups: [argoproj.io] + resources: [rollouts] + verbs: [list, get] + + # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow + - apiGroups: [litmuschaos.io] + resources: [chaosengines, chaosexperiments, chaosresults] + verbs: [create, list, get, patch, update, delete] + + # for experiment to perform node status checks and other node level operations like taint, drain in the experiment. + - apiGroups: [""] + resources: [nodes] + verbs: [patch, get, list, update] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: litmus-admin-crb-for-litmusportal-server + labels: + name: litmus-admin-crb-for-litmusportal-server +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: litmus-admin-cr-for-litmusportal-server +subjects: + - kind: ServiceAccount + name: litmus-server-account + namespace: litmus +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: chaos-cr-for-litmusportal-server +rules: + # for managing the pods created by workflow controller to implement individual steps in the workflow + - apiGroups: [""] + resources: [pods, services, namespaces] + verbs: [create, get, watch, patch, delete, list] + + # for tracking & getting logs of the pods created by workflow controller to implement individual steps in the workflow + - apiGroups: [""] + resources: [pods/log, secrets, configmaps] + verbs: [get, watch, create, delete, patch] + + # for creation & deletion of application in predefined workflows + - apiGroups: [apps] + resources: [deployments, statefulsets] + verbs: [get, watch, patch, create, delete] + + # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow + - apiGroups: [litmuschaos.io] + resources: [chaosengines, chaosexperiments, chaosresults, chaosschedules] + verbs: [create, list, get, patch, delete, watch] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: chaos-crb-for-litmusportal-server +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: chaos-cr-for-litmusportal-server +subjects: + - kind: ServiceAccount + name: litmus-server-account + namespace: litmus +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: subscriber-cr-for-litmusportal-server + namespace: litmus + labels: + name: subscriber-cr-for-litmusportal-server +rules: + - apiGroups: [""] + resources: [configmaps] + verbs: [get, create, delete, update] + - apiGroups: [""] + resources: [pods/log] + verbs: [get, list, watch] + - apiGroups: [""] + resources: [pods, namespaces, nodes, services] + verbs: [get, list, watch] + - apiGroups: [litmuschaos.io] + resources: [chaosengines, chaosschedules, chaosresults] + verbs: [get, list, create, delete, update, watch] + - apiGroups: [apps.openshift.io] + resources: [deploymentconfigs] + verbs: [get, list] + - apiGroups: [apps] + resources: [deployments, daemonsets, replicasets, statefulsets] + verbs: [get, list, delete] + - apiGroups: [argoproj.io] + resources: [workflows, workflows/finalizers, workflowtemplates, workflowtemplates/finalizers, cronworkflows, cronworkflows/finalizers, clusterworkflowtemplates, clusterworkflowtemplates/finalizers, rollouts] + verbs: [get, list, create, delete, update, watch] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: subscriber-crb-for-litmusportal-server + namespace: litmus +subjects: + - kind: ServiceAccount + name: litmus-server-account + namespace: litmus +roleRef: + kind: ClusterRole + name: subscriber-cr-for-litmusportal-server + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: event-tracker-cr-for-litmusportal-server +rules: + - apiGroups: [eventtracker.litmuschaos.io] + resources: [eventtrackerpolicies] + verbs: [create, delete, get, list, patch, update, watch] + - apiGroups: [eventtracker.litmuschaos.io] + resources: [eventtrackerpolicies/status] + verbs: [get, patch, update] + - apiGroups: ["", extensions, apps] + resources: [deployments, daemonsets, statefulsets, pods, configmaps] + verbs: [get, list, watch] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: event-tracker-crb-for-litmusportal-server +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: event-tracker-cr-for-litmusportal-server +subjects: + - kind: ServiceAccount + name: litmus-server-account + namespace: litmus +# litmus-server-cr is used by the litmusportal-server +# If SELF_CLUSTER=false, then only litmus-server-cr and litmus-server-crb are required. +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: litmus-server-cr +rules: + - apiGroups: [networking.k8s.io, extensions] + resources: [ingresses] + verbs: [get] + - apiGroups: [""] + resources: [services, nodes, pods/log] + verbs: [get, watch] + - apiGroups: [apiextensions.k8s.io] + resources: [customresourcedefinitions] + verbs: [create] + - apiGroups: [apps] + resources: [deployments] + verbs: [create] + - apiGroups: [""] + resources: [configmaps] + verbs: [get] + - apiGroups: [""] + resources: [serviceaccounts] + verbs: [create] + - apiGroups: [rbac.authorization.k8s.io] + resources: [rolebindings, roles, clusterrolebindings, clusterroles] + verbs: [create] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: litmus-server-crb +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: litmus-server-cr +subjects: + - kind: ServiceAccount + name: litmus-server-account + namespace: litmus +## Control plane manifests +--- +apiVersion: v1 +kind: Namespace +metadata: + name: litmus +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: litmus-server-account + namespace: litmus +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: litmus-portal-admin-config + namespace: litmus +data: + AGENT_SCOPE: cluster + AGENT_NAMESPACE: litmus + DB_SERVER: "mongodb://mongo-service:27017" + JWT_SECRET: "litmus-portal@123" + DB_USER: "admin" + DB_PASSWORD: "1234" + VERSION: "2.1.0" +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: litmusportal-frontend + namespace: litmus + labels: + component: litmusportal-frontend +spec: + replicas: 1 + selector: + matchLabels: + component: litmusportal-frontend + template: + metadata: + labels: + component: litmusportal-frontend + spec: + containers: + - name: litmusportal-frontend + image: litmuschaos/litmusportal-frontend:2.1.0 + imagePullPolicy: Always + ports: + - containerPort: 8080 + env: + - name: AGENT_SCOPE + valueFrom: + configMapKeyRef: + name: litmus-portal-admin-config + key: AGENT_SCOPE +--- +apiVersion: v1 +kind: Service +metadata: + name: litmusportal-frontend-service + namespace: litmus +spec: + type: NodePort + ports: + - name: http + port: 9091 + targetPort: 8080 + selector: + component: litmusportal-frontend +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: litmusportal-server + namespace: litmus + labels: + component: litmusportal-server +spec: + replicas: 1 + selector: + matchLabels: + component: litmusportal-server + template: + metadata: + labels: + component: litmusportal-server + spec: + initContainers: + - name: wait-for-mongodb + image: litmuschaos/curl:latest + command: ["/bin/sh", "-c"] + args: + [ + "while [[ $(curl -sw '%{http_code}' http://mongo-service:27017 -o /dev/null) -ne 200 ]]; do sleep 5; echo 'Waiting for the MongoDB to be ready...'; done; echo 'Connection with MongoDB established'", + ] + containers: + - name: graphql-server + image: litmuschaos/litmusportal-server:2.1.0 + envFrom: + - configMapRef: + name: litmus-portal-admin-config + env: + - name: SELF_CLUSTER + value: "true" + - name: LITMUS_PORTAL_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: PORTAL_SCOPE + value: "cluster" + - name: SUBSCRIBER_IMAGE + value: "litmuschaos/litmusportal-subscriber:2.1.0" + - name: EVENT_TRACKER_IMAGE + value: "litmuschaos/litmusportal-event-tracker:2.1.0" + - name: ARGO_WORKFLOW_CONTROLLER_IMAGE + value: "litmuschaos/workflow-controller:v2.11.0" + - name: ARGO_WORKFLOW_EXECUTOR_IMAGE + value: "litmuschaos/argoexec:v2.11.0" + - name: LITMUS_CHAOS_OPERATOR_IMAGE + value: "litmuschaos/chaos-operator:2.0.0" + - name: LITMUS_CHAOS_RUNNER_IMAGE + value: "litmuschaos/chaos-runner:2.0.0" + - name: LITMUS_CHAOS_EXPORTER_IMAGE + value: "litmuschaos/chaos-exporter:2.0.0" + - name: SERVER_SERVICE_NAME + value: "litmusportal-server-service" + - name: AGENT_DEPLOYMENTS + value: "[\"app=chaos-exporter\", \"name=chaos-operator\", \"app=event-tracker\", \"app=workflow-controller\"]" + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: INGRESS + value: "false" + - name: INGRESS_NAME + value: "litmus-ingress" + - name: CONTAINER_RUNTIME_EXECUTOR + value: "k8sapi" + - name: HUB_BRANCH_NAME + value: "v2.0.x" + ports: + - containerPort: 8080 + imagePullPolicy: Always + - name: auth-server + image: litmuschaos/litmusportal-auth-server:2.1.0 + envFrom: + - configMapRef: + name: litmus-portal-admin-config + env: + - name: STRICT_PASSWORD_POLICY + value: "false" + - name: ADMIN_USERNAME + value: "admin" + - name: ADMIN_PASSWORD + value: "litmus" + ports: + - containerPort: 3000 + imagePullPolicy: Always + serviceAccountName: litmus-server-account +--- +apiVersion: v1 +kind: Service +metadata: + name: litmusportal-server-service + namespace: litmus +spec: + type: NodePort + ports: + - name: graphql-server + port: 9002 + targetPort: 8080 + - name: auth-server + port: 9003 + targetPort: 3000 + selector: + component: litmusportal-server +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: mongo + namespace: litmus + labels: + app: mongo +spec: + selector: + matchLabels: + component: database + serviceName: mongo + replicas: 1 + template: + metadata: + labels: + component: database + spec: + containers: + - name: mongo + image: litmuschaos/mongo:4.2.8 + ports: + - containerPort: 27017 + imagePullPolicy: Always + volumeMounts: + - name: mongo-persistent-storage + mountPath: /data/db + env: + - name: MONGO_INITDB_ROOT_USERNAME + valueFrom: + configMapKeyRef: + name: litmus-portal-admin-config + key: DB_USER + - name: MONGO_INITDB_ROOT_PASSWORD + valueFrom: + configMapKeyRef: + name: litmus-portal-admin-config + key: DB_PASSWORD + volumeClaimTemplates: + - metadata: + name: mongo-persistent-storage + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 20Gi +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app: mongo + name: mongo-service + namespace: litmus +spec: + ports: + - port: 27017 + targetPort: 27017 + selector: + component: database \ No newline at end of file diff --git a/mkdocs/docs/2.1.0/litmus-namespaced-2.1.0.yaml b/mkdocs/docs/2.1.0/litmus-namespaced-2.1.0.yaml new file mode 100644 index 0000000000..1492fffbd3 --- /dev/null +++ b/mkdocs/docs/2.1.0/litmus-namespaced-2.1.0.yaml @@ -0,0 +1,676 @@ +### RBAC Manifests +## If SELF_CLUSTER="true" then these permissions are required to apply +## https://github.com/litmuschaos/litmus/blob/master/litmus-portal/graphql-server/manifests/namespace/1b_argo_rbac.yaml +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + rbac.authorization.k8s.io/aggregate-to-admin: "true" + name: argo-aggregate-to-admin-for-litmusportal-server +rules: + - apiGroups: [argoproj.io] + resources: [workflows, workflows/finalizers, workflowtemplates, workflowtemplates/finalizers, cronworkflows, cronworkflows/finalizers] + verbs: [create, delete, deletecollection, get, list, patch, update, watch] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + rbac.authorization.k8s.io/aggregate-to-edit: "true" + name: argo-aggregate-to-edit-for-litmusportal-server +rules: + - apiGroups: [argoproj.io] + resources: [workflows, workflows/finalizers, workflowtemplates, workflowtemplates/finalizers, cronworkflows, cronworkflows/finalizers] + verbs: [create, delete, deletecollection, get, list, patch, update, watch] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + rbac.authorization.k8s.io/aggregate-to-view: "true" + name: argo-aggregate-to-view-for-litmusportal-server +rules: + - apiGroups: [argoproj.io] + resources: [workflows, workflows/finalizers, workflowtemplates, workflowtemplates/finalizers, cronworkflows, cronworkflows/finalizers] + verbs: [get, list, watch] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: argo-role-for-litmusportal-server +rules: + - apiGroups: [""] + resources: [pods, pods/exec] + verbs: [create, get, list, watch, update, patch, delete] + - apiGroups: [""] + resources: [configmaps] + verbs: [get, watch, list] + - apiGroups: [""] + resources: [persistentvolumeclaims] + verbs: [create, delete] + - apiGroups: [argoproj.io] + resources: [workflows, workflows/finalizers] + verbs: [get, list, watch, update, patch, delete, create] + - apiGroups: [argoproj.io] + resources: [workflowtemplates, workflowtemplates/finalizers] + verbs: [get, list, watch] + - apiGroups: [""] + resources: [serviceaccounts] + verbs: [get, list] + - apiGroups: [""] + resources: [secrets] + verbs: [get] + - apiGroups: [argoproj.io] + resources: [cronworkflows, cronworkflows/finalizers] + verbs: [get, list, watch, update, patch, delete] + - apiGroups: [""] + resources: [events] + verbs: [create, patch] + - apiGroups: [policy] + resources: [poddisruptionbudgets] + verbs: [create, get, delete] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: argo-rb-for-litmusportal-server +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: argo-role-for-litmusportal-server +subjects: + - kind: ServiceAccount + name: litmus-server-account + namespace: ${LITMUS_PORTAL_NAMESPACE} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: argo-aggregate-to-admin-rb-for-litmusportal-server +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: argo-aggregate-to-admin-for-litmusportal-server +subjects: + - kind: ServiceAccount + name: litmus-server-account + namespace: ${LITMUS_PORTAL_NAMESPACE} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: argo-aggregate-to-edit-rb-for-litmusportal-server +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: argo-aggregate-to-edit-for-litmusportal-server +subjects: + - kind: ServiceAccount + name: litmus-server-account + namespace: ${LITMUS_PORTAL_NAMESPACE} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: argo-aggregate-to-view-rb-for-litmusportal-server +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: argo-aggregate-to-view-for-litmusportal-server +subjects: + - kind: ServiceAccount + name: litmus-server-account + namespace: ${LITMUS_PORTAL_NAMESPACE} +#these permissions are required to apply https://github.com/litmuschaos/litmus/blob/master/litmus-portal/graphql-server/manifests/namespace/2a_litmus_rbac.yaml +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: litmus-namespace-scope-for-litmusportal-server + labels: + app.kubernetes.io/name: litmus + # provide unique instance-id if applicable + # app.kubernetes.io/instance: litmus-abcxzy + app.kubernetes.io/version: v2.0.0 + app.kubernetes.io/component: operator-role + app.kubernetes.io/part-of: litmus + app.kubernetes.io/managed-by: kubectl + name: litmus-namespace-scope-for-litmusportal-server +rules: + - apiGroups: [""] + resources: [replicationcontrollers, secrets] + verbs: [get, list] + - apiGroups: [apps.openshift.io] + resources: [deploymentconfigs] + verbs: [get, list] + - apiGroups: [apps] + resources: [deployments, daemonsets, replicasets, statefulsets] + verbs: [get, list, update] + - apiGroups: [batch] + resources: [jobs] + verbs: [get, list, create, deletecollection] + - apiGroups: [argoproj.io] + resources: [rollouts] + verbs: [get, list] + - apiGroups: [""] + resources: [pods, pods/exec, configmaps, events, services] + verbs: [get, create, update, patch, delete, list, watch, deletecollection] + - apiGroups: [litmuschaos.io] + resources: [chaosengines, chaosexperiments, chaosresults] + verbs: [get, create, update, patch, delete, list, watch, deletecollection] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: litmus-namespace-scope-rb-for-litmusportal-server + labels: + app.kubernetes.io/name: litmus + # provide unique instance-id if applicable + # app.kubernetes.io/instance: litmus-abcxzy + app.kubernetes.io/version: v2.0.0 + app.kubernetes.io/component: operator-rolebinding + app.kubernetes.io/part-of: litmus + app.kubernetes.io/managed-by: kubectl + name: litmus-namespace-scope-rb-for-litmusportal-server +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: litmus-namespace-scope-for-litmusportal-server +subjects: + - kind: ServiceAccount + name: litmus-server-account + namespace: ${LITMUS_PORTAL_NAMESPACE} +#these permissions are required to apply https://github.com/litmuschaos/litmus/blob/master/litmus-portal/graphql-server/manifests/namespace/3a_agents_rbac.yaml +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: subscriber-role-for-litmusportal-server + labels: + name: subscriber-role-for-litmusportal-server +rules: + - apiGroups: [""] + resources: [configmaps] + verbs: [get, create, delete, update] + + - apiGroups: [""] + resources: [pods/log] + verbs: [get, list, watch] + + - apiGroups: [""] + resources: [pods, namespaces, nodes, services] + verbs: [get, list, watch] + + - apiGroups: [litmuschaos.io] + resources: [chaosengines, chaosschedules, chaosresults] + verbs: [get, list, create, delete, update, watch] + + - apiGroups: [apps.openshift.io] + resources: [deploymentconfigs] + verbs: [get, list] + + - apiGroups: [apps] + resources: [deployments, daemonsets, replicasets, statefulsets] + verbs: [get, list, delete] + + - apiGroups: [argoproj.io] + resources: [workflows, workflows/finalizers, workflowtemplates, workflowtemplates/finalizers, cronworkflows, cronworkflows/finalizers, rollouts] + verbs: [get, list, create, delete, update, watch] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: subscriber-rb-for-litmusportal-server +subjects: + - kind: ServiceAccount + name: litmus-server-account + namespace: ${LITMUS_PORTAL_NAMESPACE} +roleRef: + kind: Role + name: subscriber-role-for-litmusportal-server + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: litmus-admin-role-for-litmusportal-server + labels: + name: litmus-admin-role-for-litmusportal-server +rules: + # *************************************************************************************** + # Permissions needed for preparing and monitor the chaos resources by chaos-runner + # *************************************************************************************** + + # The chaos operator watches the chaosengine resource and orchestartes the chaos experiment.. + ## .. by creating the chaos-runner + + # for creating and monitoring the chaos-runner pods + - apiGroups: [""] + resources: [pods, events] + verbs: [create, delete, get, list, patch, update, deletecollection] + + # for fetching configmaps and secrets to inject into chaos-runner pod (if specified) + - apiGroups: [""] + resources: [secrets, configmaps] + verbs: [get, list] + + # for tracking & getting logs of the pods created by chaos-runner to implement individual steps in the runner + - apiGroups: [""] + resources: [pods/log] + verbs: [get, list, watch] + + # for configuring and monitor the experiment job by chaos-runner pod + - apiGroups: [batch] + resources: [jobs] + verbs: [create, list, get, delete, deletecollection] + + # ******************************************************************** + # Permissions needed for creation and discovery of chaos experiments + # ******************************************************************** + + # The helper pods are created by experiment to perform the actual chaos injection ... + # ... for a period of chaos duration + + # for creating and deleting the helper or target app pod and events by experiment + - apiGroups: [""] + resources: [pods] + verbs: [create, delete, deletecollection] + + # for creating and monitoring the events for chaos operations + - apiGroups: [""] + resources: [events] + verbs: [create, delete, get, list, patch, update, deletecollection] + + # for monitoring the helper and target app pod + - apiGroups: [""] + resources: [pods] + verbs: [get, list, patch, update] + + # for creating and managing to execute comands inside target container + - apiGroups: [""] + resources: [pods/exec, pods/eviction, replicationcontrollers] + verbs: [get, list, create] + + # for tracking & getting logs of the pods created by experiment pod to implement individual steps in the experiment + - apiGroups: [""] + resources: [pods/log] + verbs: [get, list, watch] + + # for creating and monitoring liveness services or monitoring target app services during chaos injection + - apiGroups: [""] + resources: [services] + verbs: [create, delete, get, list, delete, deletecollection] + + # for checking the app parent resources as deployments or sts and are eligible chaos candidates + - apiGroups: [apps] + resources: [deployments, statefulsets] + verbs: [list, get, patch, update] + + # for checking the app parent resources as replicasets and are eligible chaos candidates + - apiGroups: [apps] + resources: [replicasets] + verbs: [list, get] + + # for checking the app parent resources as deamonsets and are eligible chaos candidates + - apiGroups: [apps] + resources: [daemonsets] + verbs: [list, get, delete] + + # for checking (openshift) app parent resources if they are eligible chaos candidates + - apiGroups: [apps.openshift.io] + resources: [deploymentconfigs] + verbs: [list, get] + + # for checking (argo) app parent resources if they are eligible chaos candidates + - apiGroups: [argoproj.io] + resources: [rollouts] + verbs: [list, get] + + # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow + - apiGroups: [litmuschaos.io] + resources: [chaosengines, chaosexperiments, chaosresults] + verbs: [create, list, get, patch, update, delete] + + # for experiment to perform node status checks and other node level operations like taint, drain in the experiment. + - apiGroups: [""] + resources: [nodes] + verbs: [patch, get, list, update] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: litmus-admin-rb-for-litmusportal-server + labels: + name: litmus-admin-rb-for-litmusportal-server +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: litmus-admin-role-for-litmusportal-server +subjects: + - kind: ServiceAccount + name: litmus-server-account + namespace: ${LITMUS_PORTAL_NAMESPACE} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: chaos-role-for-litmusportal-server +rules: + # for managing the pods created by workflow controller to implement individual steps in the workflow + - apiGroups: [""] + resources: [pods, services] + verbs: [create, get, watch, patch, delete, list] + + # for tracking & getting logs of the pods created by workflow controller to implement individual steps in the workflow + - apiGroups: [""] + resources: [pods/log, secrets, configmaps] + verbs: [get, watch, create, delete, patch] + + # for creation & deletion of application in predefined workflows + - apiGroups: [apps] + resources: [deployments, statefulsets] + verbs: [get, watch, patch , create, delete] + + # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow + - apiGroups: [litmuschaos.io] + resources: + [chaosengines, chaosexperiments, chaosresults, chaosschedules] + verbs: [create, list, get, patch, delete, watch] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: chaos-rb-for-litmusportal-server +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: chaos-role-for-litmusportal-server +subjects: + - kind: ServiceAccount + name: litmus-server-account + namespace: ${LITMUS_PORTAL_NAMESPACE} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: event-tracker-role-for-litmusportal-server +rules: + - apiGroups: [eventtracker.litmuschaos.io] + resources: [eventtrackerpolicies] + verbs: [create, delete, get, list, patch, update, watch] + - apiGroups: [eventtracker.litmuschaos.io] + resources: [eventtrackerpolicies/status] + verbs: [get, patch, update] + - apiGroups: ["", extensions, apps] + resources: [deployments, daemonsets, statefulsets, pods, configmaps] + verbs: [get, list, watch] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: event-tracker-rb-for-litmusportal-server +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: event-tracker-role-for-litmusportal-server +subjects: + - kind: ServiceAccount + name: litmus-server-account + namespace: ${LITMUS_PORTAL_NAMESPACE} +# litmus-server-role is used by the litmusportal-server +# If SELF_CLUSTER=false, then only litmus-server-role and litmus-server-rb are required. +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: litmus-server-role +rules: + - apiGroups: [networking.k8s.io, extensions] + resources: [ingresses] + verbs: [get] + - apiGroups: [""] + resources: [services, pods/log] + verbs: [get, watch] + - apiGroups: [apps] + resources: [deployments] + verbs: [create] + - apiGroups: [""] + resources: [configmaps] + verbs: [get] + - apiGroups: [""] + resources: [serviceaccounts] + verbs: [create] + - apiGroups: [rbac.authorization.k8s.io] + resources: [rolebindings, roles] + verbs: [create] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: litmus-server-rb +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: litmus-server-role +subjects: + - kind: ServiceAccount + name: litmus-server-account + namespace: ${LITMUS_PORTAL_NAMESPACE} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: litmus-server-account +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: litmus-portal-admin-config +data: + AGENT_SCOPE: namespace + AGENT_NAMESPACE: ${LITMUS_PORTAL_NAMESPACE} + DB_SERVER: "mongodb://mongo-service:27017" + JWT_SECRET: "litmus-portal@123" + DB_USER: "admin" + DB_PASSWORD: "1234" + VERSION: "2.1.0" +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: litmusportal-frontend + labels: + component: litmusportal-frontend +spec: + replicas: 1 + selector: + matchLabels: + component: litmusportal-frontend + template: + metadata: + labels: + component: litmusportal-frontend + spec: + containers: + - name: litmusportal-frontend + image: litmuschaos/litmusportal-frontend:2.1.0 + imagePullPolicy: Always + ports: + - containerPort: 8080 + env: + - name: AGENT_SCOPE + valueFrom: + configMapKeyRef: + name: litmus-portal-admin-config + key: AGENT_SCOPE +--- +apiVersion: v1 +kind: Service +metadata: + name: litmusportal-frontend-service +spec: + type: NodePort + ports: + - name: http + port: 9091 + targetPort: 8080 + selector: + component: litmusportal-frontend +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: litmusportal-server + labels: + component: litmusportal-server +spec: + replicas: 1 + selector: + matchLabels: + component: litmusportal-server + template: + metadata: + labels: + component: litmusportal-server + spec: + initContainers: + - name: wait-for-mongodb + image: litmuschaos/curl:latest + command: ["/bin/sh", "-c"] + args: + [ + "while [[ $(curl -sw '%{http_code}' http://mongo-service:27017 -o /dev/null) -ne 200 ]]; do sleep 5; echo 'Waiting for the MongoDB to be ready...'; done; echo 'Connection with MongoDB established'", + ] + containers: + - name: graphql-server + image: litmuschaos/litmusportal-server:2.1.0 + envFrom: + - configMapRef: + name: litmus-portal-admin-config + env: + - name: LITMUS_PORTAL_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: SELF_CLUSTER + value: "true" + - name: PORTAL_SCOPE + value: "namespace" + - name: AGENT_DEPLOYMENTS + value: "[\"app=chaos-exporter\", \"name=chaos-operator\", \"app=event-tracker\", \"app=workflow-controller\"]" + - name: PORTAL_ENDPOINT + value: "http://litmusportal-server-service:9002" + - name: SUBSCRIBER_IMAGE + value: "litmuschaos/litmusportal-subscriber:2.1.0" + - name: EVENT_TRACKER_IMAGE + value: "litmuschaos/litmusportal-event-tracker:2.1.0" + - name: ARGO_WORKFLOW_CONTROLLER_IMAGE + value: "litmuschaos/workflow-controller:v2.11.0" + - name: ARGO_WORKFLOW_EXECUTOR_IMAGE + value: "litmuschaos/argoexec:v2.11.0" + - name: LITMUS_CHAOS_OPERATOR_IMAGE + value: "litmuschaos/chaos-operator:2.0.0" + - name: LITMUS_CHAOS_RUNNER_IMAGE + value: "litmuschaos/chaos-runner:2.0.0" + - name: LITMUS_CHAOS_EXPORTER_IMAGE + value: "litmuschaos/chaos-exporter:2.0.0" + - name: CONTAINER_RUNTIME_EXECUTOR + value: "k8sapi" + - name: HUB_BRANCH_NAME + value: "v2.0.x" + ports: + - containerPort: 8080 + imagePullPolicy: Always + - name: auth-server + image: litmuschaos/litmusportal-auth-server:2.1.0 + envFrom: + - configMapRef: + name: litmus-portal-admin-config + env: + - name: STRICT_PASSWORD_POLICY + value: "false" + - name: ADMIN_USERNAME + value: "admin" + - name: ADMIN_PASSWORD + value: "litmus" + ports: + - containerPort: 3000 + imagePullPolicy: Always + serviceAccountName: litmus-server-account +--- +apiVersion: v1 +kind: Service +metadata: + name: litmusportal-server-service +spec: + type: NodePort + ports: + - name: graphql-server + port: 9002 + targetPort: 8080 + - name: auth-server + port: 9003 + targetPort: 3000 + selector: + component: litmusportal-server +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: mongo + labels: + app: mongo +spec: + selector: + matchLabels: + component: database + serviceName: mongo + replicas: 1 + template: + metadata: + labels: + component: database + spec: + containers: + - name: mongo + image: litmuschaos/mongo:4.2.8 + ports: + - containerPort: 27017 + imagePullPolicy: Always + volumeMounts: + - name: mongo-persistent-storage + mountPath: /data/db + env: + - name: MONGO_INITDB_ROOT_USERNAME + valueFrom: + configMapKeyRef: + name: litmus-portal-admin-config + key: DB_USER + - name: MONGO_INITDB_ROOT_PASSWORD + valueFrom: + configMapKeyRef: + name: litmus-portal-admin-config + key: DB_PASSWORD + volumeClaimTemplates: + - metadata: + name: mongo-persistent-storage + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 20Gi +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app: mongo + name: mongo-service +spec: + ports: + - port: 27017 + targetPort: 27017 + selector: + component: database