curityio · bokristoffersson · Apr 6, 2022 · Apr 12, 2022 · Apr 12, 2022 · May 12, 2022
diff --git a/idsvr/templates/cluster-conf.yaml b/idsvr/templates/cluster-conf.yaml
@@ -1,3 +1,4 @@
+{{- if not .Values.curity.onlyRuntimeNodes }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -86,4 +87,5 @@ spec:
           configMap:
             name: {{ include "curity.fullname" . }}-cluster-conf-map
       serviceAccountName: {{ include "curity.fullname" . }}-service-account
-      restartPolicy: Never
+      restartPolicy: Never
+{{- end }}
diff --git a/idsvr/templates/config-backup.yaml b/idsvr/templates/config-backup.yaml
@@ -1,4 +1,5 @@
 {{- if .Values.curity.config.backup -}}
+{{- required "\n Admin node need to be running if curity.config.backup is true! use --set curity.config.onlyRuntimeNodes=false" ( .Values.curity.onlyRuntimeNodes ) }}
 apiVersion: v1
 kind: Secret
 metadata:

diff --git a/idsvr/templates/deployment-admin.yaml b/idsvr/templates/deployment-admin.yaml
@@ -1,4 +1,5 @@
 {{- $root := . -}}
+  {{- if not .Values.curity.onlyRuntimeNodes -}}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -245,4 +246,5 @@ spec:
       {{- with .Values.tolerations }}
       tolerations:
             {{- toYaml . | nindent 8 }}
-            {{- end }}
+{{- end }}
+{{- end }}
diff --git a/idsvr/templates/deployment-runtime.yaml b/idsvr/templates/deployment-runtime.yaml
@@ -91,15 +91,18 @@ spec:
             successThreshold: {{ .Values.curity.runtime.readinessProbe.successThreshold }}
             periodSeconds: {{ .Values.curity.runtime.readinessProbe.periodSeconds }}
             initialDelaySeconds: {{ .Values.curity.runtime.readinessProbe.initialDelaySeconds }}
+            {{- if or .Values.curity.runtime.logging.stdout ( not .Values.curity.onlyRuntimeNodes ) .Values.curity.config.configurationSecret .Values.curity.config.configurationConfigMap .Values.curity.config.configuration }}
           volumeMounts:
             {{- if .Values.curity.runtime.logging.stdout }}
             - mountPath: /opt/idsvr/var/log/
               name: log-volume
             {{- end }}
+            {{- if not .Values.curity.onlyRuntimeNodes }}
             - mountPath: /opt/idsvr/etc/init/cluster.xml
               subPath: cluster.xml
               name: cluster-xml
               readOnly: true
+            {{- end }}
             {{- if .Values.curity.config.configurationSecret }}
             - mountPath: /opt/idsvr/etc/init/config.xml
               subPath: config.xml
@@ -130,6 +133,7 @@ spec:
             {{- end }}
             {{- end }}
             {{- end }}
+            {{- end }}
           resources:
                 {{- toYaml .Values.resources | nindent 12 }}
         {{- if .Values.curity.runtime.logging.stdout }}
@@ -150,17 +154,20 @@ spec:
       imagePullSecrets:
         - name: {{ .Values.image.pullSecret}}
       {{- end }}
+      {{- if or .Values.curity.runtime.logging.stdout ( ne .Values.curity.onlyRuntimeNodes true ) .Values.curity.config.configurationSecret .Values.curity.config.configurationConfigMap .Values.curity.config.configuration }}
       volumes:
         {{- if .Values.curity.runtime.logging.stdout }}
         - name: log-volume
           emptyDir: {}
         {{- end }}
+        {{- if ne .Values.curity.onlyRuntimeNodes true }}
         - name: cluster-xml
           secret:
             secretName: {{ include "curity.fullname" . }}-cluster-config-xml
             items:
               - key: cluster-{{ .Release.Revision }}.xml
                 path: cluster.xml
+        {{- end }}
         {{- if .Values.curity.config.configurationSecret }}
         - name: config
           secret:
@@ -195,6 +202,7 @@ spec:
                 path: {{ $confItem.path }}
               {{- end }}
         {{- end }}
+        {{- end }}
         {{- end }}
             {{- with .Values.nodeSelector }}
       nodeSelector:

diff --git a/idsvr/templates/ingress.yaml b/idsvr/templates/ingress.yaml
@@ -12,7 +12,7 @@ metadata:
 spec:
 {{- if or .Values.ingress.admin.secretName .Values.ingress.runtime.secretName }}
   tls:
-    {{- if .Values.ingress.admin.secretName }}
+    {{- if and .Values.curity.config.uiEnabled ( not .Values.curity.onlyRuntimeNodes ) }}
     - hosts:
         - {{ .Values.ingress.admin.host}}
       secretName: {{ .Values.ingress.admin.secretName }}
@@ -36,7 +36,7 @@ spec:
                 port:
                   name: http-port
           {{- end }}
-  {{- if .Values.curity.config.uiEnabled }}
+  {{- if and .Values.curity.config.uiEnabled ( not .Values.curity.onlyRuntimeNodes ) }}
     - host: {{ .Values.ingress.admin.host }}
       http:
         paths:

diff --git a/idsvr/templates/network.yaml b/idsvr/templates/network.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.networkpolicy.enabled -}}
+{{- if and .Values.networkpolicy.enabled ( .Values.curity.onlyRuntimeNodes ) -}}
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:

diff --git a/idsvr/templates/rbac.yaml b/idsvr/templates/rbac.yaml
@@ -1,3 +1,4 @@
+{{- if or ( not .Values.curity.onlyRuntimeNodes ) .Values.curity.config.convertKeystore -}}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
@@ -40,4 +41,5 @@ roleRef:
   name: {{ include "curity.fullname" . }}-create-secret
 subjects:
   - kind: ServiceAccount
-    name: {{ include "curity.fullname" . }}-service-account
+    name: {{ include "curity.fullname" . }}-service-account
+{{- end }}
diff --git a/idsvr/templates/service-admin.yaml b/idsvr/templates/service-admin.yaml
@@ -1,3 +1,4 @@
+{{- if not .Values.curity.onlyRuntimeNodes -}}
 apiVersion: v1
 kind: Service
 metadata:
@@ -34,4 +35,4 @@ spec:
     app.kubernetes.io/name: {{ include "curity.name" . }}
     app.kubernetes.io/instance: {{ .Release.Name }}
     role: {{ include "curity.fullname" . }}-admin
-    
+{{- end }}
diff --git a/idsvr/values.yaml b/idsvr/values.yaml
@@ -19,6 +19,7 @@ curity:
   healthCheckPort: 4465
   adminUiPort: 6749
   adminUiHttp: false
+  onlyRuntimeNodes: false
 
   admin:
     role: admin