From c2de775c80b8daa629af514f24118f704c521c18 Mon Sep 17 00:00:00 2001
From: Dan Yocum
Date: Tue, 23 Jan 2018 13:17:06 -0500
Subject: moving files to their correct /files dir for the openshift_web_console and template_service_broker roles
---
files/origin-components/apiserver-config.yaml | 4 -
files/origin-components/apiserver-template.yaml | 125 ---------------------
files/origin-components/console-config.yaml | 23 ----
files/origin-components/console-rbac-template.yaml | 38 -------
files/origin-components/console-template.yaml | 121 --------------------
files/origin-components/rbac-template.yaml | 92 ---------------
.../template-service-broker-registration.yaml | 25 -----
7 files changed, 428 deletions(-)
delete mode 100644 files/origin-components/apiserver-config.yaml
delete mode 100644 files/origin-components/apiserver-template.yaml
delete mode 100644 files/origin-components/console-config.yaml
delete mode 100644 files/origin-components/console-rbac-template.yaml
delete mode 100644 files/origin-components/console-template.yaml
delete mode 100644 files/origin-components/rbac-template.yaml
delete mode 100644 files/origin-components/template-service-broker-registration.yaml
(limited to 'files/origin-components')
diff --git a/files/origin-components/apiserver-config.yaml b/files/origin-components/apiserver-config.yaml
deleted file mode 100644
index e4048d1da..000000000
--- a/files/origin-components/apiserver-config.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-kind: TemplateServiceBrokerConfig
-apiVersion: config.templateservicebroker.openshift.io/v1
-templateNamespaces:
-- openshift
diff --git a/files/origin-components/apiserver-template.yaml b/files/origin-components/apiserver-template.yaml
deleted file mode 100644
index 4dd9395d0..000000000
--- a/files/origin-components/apiserver-template.yaml
+++ /dev/null
@@ -1,125 +0,0 @@
-apiVersion: template.openshift.io/v1
-kind: Template
-metadata:
- name: template-service-broker-apiserver
-parameters:
-- name: IMAGE
- value: openshift/origin-template-service-broker:latest
-- name: NAMESPACE
- value: openshift-template-service-broker
-- name: LOGLEVEL
- value: "0"
-- name: API_SERVER_CONFIG
- value: |
- kind: TemplateServiceBrokerConfig
- apiVersion: config.templateservicebroker.openshift.io/v1
- templateNamespaces:
- - openshift
-- name: NODE_SELECTOR
- value: "{}"
-objects:
-
-# to create the tsb server
-- apiVersion: extensions/v1beta1
- kind: DaemonSet
- metadata:
- namespace: ${NAMESPACE}
- name: apiserver
- labels:
- apiserver: "true"
- spec:
- template:
- metadata:
- name: apiserver
- labels:
- apiserver: "true"
- spec:
- serviceAccountName: apiserver
- containers:
- - name: c
- image: ${IMAGE}
- imagePullPolicy: IfNotPresent
- command:
- - "/usr/bin/template-service-broker"
- - "start"
- - "template-service-broker"
- - "--secure-port=8443"
- - "--audit-log-path=-"
- - "--tls-cert-file=/var/serving-cert/tls.crt"
- - "--tls-private-key-file=/var/serving-cert/tls.key"
- - "--v=${LOGLEVEL}"
- - "--config=/var/apiserver-config/apiserver-config.yaml"
- ports:
- - containerPort: 8443
- volumeMounts:
- - mountPath: /var/serving-cert
- name: serving-cert
- - mountPath: /var/apiserver-config
- name: apiserver-config
- readinessProbe:
- httpGet:
- path: /healthz
- port: 8443
- scheme: HTTPS
- nodeSelector: "${{NODE_SELECTOR}}"
- volumes:
- - name: serving-cert
- secret:
- defaultMode: 420
- secretName: apiserver-serving-cert
- - name: apiserver-config
- configMap:
- defaultMode: 420
- name: apiserver-config
-
-# to create the config for the TSB
-- apiVersion: v1
- kind: ConfigMap
- metadata:
- namespace: ${NAMESPACE}
- name: apiserver-config
- data:
- apiserver-config.yaml: ${API_SERVER_CONFIG}
-
-# to be able to assign powers to the process
-- apiVersion: v1
- kind: ServiceAccount
- metadata:
- namespace: ${NAMESPACE}
- name: apiserver
-
-# to be able to expose TSB inside the cluster
-- apiVersion: v1
- kind: Service
- metadata:
- namespace: ${NAMESPACE}
- name: apiserver
- annotations:
- service.alpha.openshift.io/serving-cert-secret-name: apiserver-serving-cert
- spec:
- selector:
- apiserver: "true"
- ports:
- - port: 443
- targetPort: 8443
-
-# This service account will be granted permission to call the TSB.
-# The token for this SA will be provided to the service catalog for
-# use when calling the TSB.
-- apiVersion: v1
- kind: ServiceAccount
- metadata:
- namespace: ${NAMESPACE}
- name: templateservicebroker-client
-
-# This secret will be populated with a copy of the templateservicebroker-client SA's
-# auth token. Since this secret has a static name, it can be referenced more
-# easily than the auto-generated secret for the service account.
-- apiVersion: v1
- kind: Secret
- metadata:
- namespace: ${NAMESPACE}
- name: templateservicebroker-client
- annotations:
- kubernetes.io/service-account.name: templateservicebroker-client
- type: kubernetes.io/service-account-token
diff --git a/files/origin-components/console-config.yaml b/files/origin-components/console-config.yaml
deleted file mode 100644
index 32a28775f..000000000
--- a/files/origin-components/console-config.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-apiVersion: webconsole.config.openshift.io/v1
-kind: WebConsoleConfiguration
-clusterInfo:
- consolePublicURL: https://127.0.0.1:8443/console/
- loggingPublicURL: ""
- logoutPublicURL: ""
- masterPublicURL: https://127.0.0.1:8443
- metricsPublicURL: ""
-extensions:
- scriptURLs: []
- stylesheetURLs: []
- properties: null
-features:
- inactivityTimeoutMinutes: 0
-servingInfo:
- bindAddress: 0.0.0.0:8443
- bindNetwork: tcp4
- certFile: /var/serving-cert/tls.crt
- clientCA: ""
- keyFile: /var/serving-cert/tls.key
- maxRequestsInFlight: 0
- namedCertificates: null
- requestTimeoutSeconds: 0
diff --git a/files/origin-components/console-rbac-template.yaml b/files/origin-components/console-rbac-template.yaml
deleted file mode 100644
index 9ee117199..000000000
--- a/files/origin-components/console-rbac-template.yaml
+++ /dev/null
@@ -1,38 +0,0 @@
-apiVersion: template.openshift.io/v1
-kind: Template
-metadata:
- name: web-console-server-rbac
-parameters:
-- name: NAMESPACE
- # This namespace cannot be changed. Only `openshift-web-console` is supported.
- value: openshift-web-console
-objects:
-
-
-# allow grant powers to the webconsole server for cluster inspection
-- apiVersion: rbac.authorization.k8s.io/v1beta1
- kind: ClusterRole
- metadata:
- name: system:openshift:web-console-server
- rules:
- - apiGroups:
- - "servicecatalog.k8s.io"
- resources:
- - clusterservicebrokers
- verbs:
- - get
- - list
- - watch
-
-# Grant the service account for the web console
-- apiVersion: rbac.authorization.k8s.io/v1beta1
- kind: ClusterRoleBinding
- metadata:
- name: system:openshift:web-console-server
- roleRef:
- kind: ClusterRole
- name: system:openshift:web-console-server
- subjects:
- - kind: ServiceAccount
- namespace: ${NAMESPACE}
- name: webconsole
diff --git a/files/origin-components/console-template.yaml b/files/origin-components/console-template.yaml
deleted file mode 100644
index 7bf2d0cf4..000000000
--- a/files/origin-components/console-template.yaml
+++ /dev/null
@@ -1,121 +0,0 @@
-apiVersion: template.openshift.io/v1
-kind: Template
-metadata:
- name: openshift-web-console
- annotations:
- openshift.io/display-name: OpenShift Web Console
- description: The server for the OpenShift web console.
- iconClass: icon-openshift
- tags: openshift,infra
- openshift.io/documentation-url: https://github.com/openshift/origin-web-console-server
- openshift.io/support-url: https://access.redhat.com
- openshift.io/provider-display-name: Red Hat, Inc.
-parameters:
-- name: IMAGE
- value: openshift/origin-web-console:latest
-- name: NAMESPACE
- # This namespace cannot be changed. Only `openshift-web-console` is supported.
- value: openshift-web-console
-- name: LOGLEVEL
- value: "0"
-- name: API_SERVER_CONFIG
-- name: NODE_SELECTOR
- value: "{}"
-- name: REPLICA_COUNT
- value: "1"
-objects:
-
-# to create the web console server
-- apiVersion: apps/v1beta1
- kind: Deployment
- metadata:
- namespace: ${NAMESPACE}
- name: webconsole
- labels:
- app: openshift-web-console
- webconsole: "true"
- spec:
- replicas: "${{REPLICA_COUNT}}"
- strategy:
- type: Recreate
- template:
- metadata:
- name: webconsole
- labels:
- webconsole: "true"
- spec:
- serviceAccountName: webconsole
- containers:
- - name: webconsole
- image: ${IMAGE}
- imagePullPolicy: IfNotPresent
- command:
- - "/usr/bin/origin-web-console"
- - "--audit-log-path=-"
- - "-v=${LOGLEVEL}"
- - "--config=/var/webconsole-config/webconsole-config.yaml"
- ports:
- - containerPort: 8443
- volumeMounts:
- - mountPath: /var/serving-cert
- name: serving-cert
- - mountPath: /var/webconsole-config
- name: webconsole-config
- readinessProbe:
- httpGet:
- path: /healthz
- port: 8443
- scheme: HTTPS
- livenessProbe:
- httpGet:
- path: /
- port: 8443
- scheme: HTTPS
- nodeSelector: "${{NODE_SELECTOR}}"
- volumes:
- - name: serving-cert
- secret:
- defaultMode: 400
- secretName: webconsole-serving-cert
- - name: webconsole-config
- configMap:
- defaultMode: 440
- name: webconsole-config
-
-# to create the config for the web console
-- apiVersion: v1
- kind: ConfigMap
- metadata:
- namespace: ${NAMESPACE}
- name: webconsole-config
- labels:
- app: openshift-web-console
- data:
- webconsole-config.yaml: ${API_SERVER_CONFIG}
-
-# to be able to assign powers to the process
-- apiVersion: v1
- kind: ServiceAccount
- metadata:
- namespace: ${NAMESPACE}
- name: webconsole
- labels:
- app: openshift-web-console
-
-# to be able to expose web console inside the cluster
-- apiVersion: v1
- kind: Service
- metadata:
- namespace: ${NAMESPACE}
- name: webconsole
- labels:
- app: openshift-web-console
- annotations:
- service.alpha.openshift.io/serving-cert-secret-name: webconsole-serving-cert
- spec:
- selector:
- webconsole: "true"
- ports:
- - name: https
- port: 443
- targetPort: 8443
diff --git a/files/origin-components/rbac-template.yaml b/files/origin-components/rbac-template.yaml
deleted file mode 100644
index 0937a9065..000000000
--- a/files/origin-components/rbac-template.yaml
+++ /dev/null
@@ -1,92 +0,0 @@
-apiVersion: template.openshift.io/v1
-kind: Template
-metadata:
- name: template-service-broker-rbac
-parameters:
-- name: NAMESPACE
- value: openshift-template-service-broker
-- name: KUBE_SYSTEM
- value: kube-system
-objects:
-
-# Grant the service account permission to call the TSB
-- apiVersion: rbac.authorization.k8s.io/v1beta1
- kind: ClusterRoleBinding
- metadata:
- name: templateservicebroker-client
- roleRef:
- kind: ClusterRole
- name: system:openshift:templateservicebroker-client
- subjects:
- - kind: ServiceAccount
- namespace: ${NAMESPACE}
- name: templateservicebroker-client
-
-# to delegate authentication and authorization
-- apiVersion: rbac.authorization.k8s.io/v1beta1
- kind: ClusterRoleBinding
- metadata:
- name: auth-delegator-${NAMESPACE}
- roleRef:
- kind: ClusterRole
- name: system:auth-delegator
- subjects:
- - kind: ServiceAccount
- namespace: ${NAMESPACE}
- name: apiserver
-
-# to have the template service broker powers
-- apiVersion: rbac.authorization.k8s.io/v1beta1
- kind: ClusterRoleBinding
- metadata:
- name: tsb-${NAMESPACE}
- roleRef:
- kind: ClusterRole
- name: system:openshift:controller:template-service-broker
- subjects:
- - kind: ServiceAccount
- namespace: ${NAMESPACE}
- name: apiserver
-
-# to read the config for terminating authentication
-- apiVersion: rbac.authorization.k8s.io/v1beta1
- kind: RoleBinding
- metadata:
- namespace: ${KUBE_SYSTEM}
- name: extension-apiserver-authentication-reader-${NAMESPACE}
- roleRef:
- kind: Role
- name: extension-apiserver-authentication-reader
- subjects:
- - kind: ServiceAccount
- namespace: ${NAMESPACE}
- name: apiserver
-
-# allow the kube service catalog's SA to read the static secret defined
-# above, which will contain the token for the SA that can call the TSB.
-- apiVersion: rbac.authorization.k8s.io/v1beta1
- kind: Role
- metadata:
- name: templateservicebroker-auth-reader
- namespace: ${NAMESPACE}
- rules:
- - apiGroups:
- - ""
- resourceNames:
- - templateservicebroker-client
- resources:
- - secrets
- verbs:
- - get
-- apiVersion: rbac.authorization.k8s.io/v1beta1
- kind: RoleBinding
- metadata:
- namespace: ${NAMESPACE}
- name: templateservicebroker-auth-reader
- roleRef:
- kind: Role
- name: templateservicebroker-auth-reader
- subjects:
- - kind: ServiceAccount
- namespace: kube-service-catalog
- name: service-catalog-controller
diff --git a/files/origin-components/template-service-broker-registration.yaml b/files/origin-components/template-service-broker-registration.yaml
deleted file mode 100644
index 95fb72924..000000000
--- a/files/origin-components/template-service-broker-registration.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-apiVersion: template.openshift.io/v1
-kind: Template
-metadata:
- name: template-service-broker-registration
-parameters:
-- name: TSB_NAMESPACE
- value: openshift-template-service-broker
-- name: CA_BUNDLE
- required: true
-objects:
-# register the tsb with the service catalog
-- apiVersion: servicecatalog.k8s.io/v1beta1
- kind: ClusterServiceBroker
- metadata:
- name: template-service-broker
- spec:
- url: https://apiserver.${TSB_NAMESPACE}.svc:443/brokers/template.openshift.io
- insecureSkipTLSVerify: false
- caBundle: ${CA_BUNDLE}
- authInfo:
- bearer:
- secretRef:
- kind: Secret
- name: templateservicebroker-client
- namespace: ${TSB_NAMESPACE}
--
cgit v1.2.3