Update Helm Core (#234)

Updates mTLS handling and unifies image pull secrets, namespaces all
resources to the release name, so it's not hard coded.

Author: spjmurray

charts/kubernetes/Chart.yaml

@@ -11,5 +11,5 @@ icon: https://raw.githubusercontent.com/unikorn-cloud/assets/main/images/logos/d
 
 dependencies:
 - name: unikorn-common
-  version: v0.1.14
+  version: v0.1.15
   repository: https://unikorn-cloud.github.io/helm-common

charts/kubernetes/templates/_helpers.tpl

@@ -20,15 +20,3 @@ Create the container images
 {{- define "unikorn.serverImage" -}}
 {{- .Values.server.image | default (printf "%s/unikorn-server:%s" (include "unikorn.defaultRepositoryPath" .) (.Values.tag | default .Chart.Version)) }}
 {{- end }}
-
-{{/*
-Create image pull secrets
-*/}}
-{{- define "unikorn.imagePullSecrets" -}}
-{{- if .Values.imagePullSecret -}}
-- name: {{ .Values.imagePullSecret }}
-{{ end }}
-{{- if .Values.dockerConfig -}}
-- name: docker-config
-{{- end }}
-{{- end }}

charts/kubernetes/templates/certificate.yaml

@@ -1,7 +1,7 @@
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
-  name: unikorn-kubernetes-client
+  name: {{ .Release.Name }}-client
   labels:
     {{- include "unikorn.labels" . | nindent 4 }}
 spec:
@@ -13,5 +13,5 @@ spec:
     algorithm: RSA
     encoding: PKCS8
     size: 4096
-  secretName: {{ .Release.Namespace }}-client-certificate
+  secretName: {{ include "unikorn.mtls.certificate-name" . }}
   commonName: unikorn-kubernetes

charts/kubernetes/templates/cluster-controller/clusterrole.yaml

@@ -1,7 +1,7 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: unikorn-cluster-controller
+  name: {{ .Release.Name }}-cluster-controller
   labels:
     {{- include "unikorn.labels" . | nindent 4 }}
 rules:

charts/kubernetes/templates/cluster-controller/clusterrolebinding.yaml

@@ -1,14 +1,14 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: unikorn-cluster-controller
+  name: {{ .Release.Name }}-cluster-controller
   labels:
     {{- include "unikorn.labels" . | nindent 4 }}
 subjects:
 - kind: ServiceAccount
   namespace: {{ .Release.Namespace }}
-  name: unikorn-cluster-controller
+  name: {{ .Release.Name }}-cluster-controller
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: unikorn-cluster-controller
+  name: {{ .Release.Name }}-cluster-controller

charts/kubernetes/templates/cluster-controller/deployment.yaml

@@ -1,7 +1,7 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: unikorn-cluster-controller
+  name: {{ .Release.Name }}-cluster-controller
   labels:
     {{- include "unikorn.labels" . | nindent 4 }}
 spec:
@@ -22,8 +22,7 @@ spec:
         {{- include "unikorn.identity.flags" . | nindent 8 }}
         {{- include "unikorn.region.flags" . | nindent 8 }}
         {{- include "unikorn.otlp.flags" . | nindent 8 }}
-        - --client-certificate-namespace={{ .Release.Namespace }}
-        - --client-certificate-name={{ .Release.Namespace }}-client-certificate
+        {{- include "unikorn.mtls.flags" . | nindent 8 }}
         ports:
         - name: prometheus
           containerPort: 8080
@@ -36,6 +35,6 @@ spec:
             memory: 100Mi
         securityContext:
           readOnlyRootFilesystem: true
-      serviceAccountName: unikorn-cluster-controller
+      serviceAccountName: {{ .Release.Name }}-cluster-controller
       securityContext:
         runAsNonRoot: true

charts/kubernetes/templates/cluster-controller/role.yaml

@@ -1,7 +1,7 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  name: unikorn-cluster-controller
+  name: {{ .Release.Name }}-cluster-controller
   labels:
     {{- include "unikorn.labels" . | nindent 4 }}
 rules:

charts/kubernetes/templates/cluster-controller/rolebinding.yaml

@@ -1,14 +1,14 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  name: unikorn-cluster-controller
+  name: {{ .Release.Name }}-cluster-controller
   labels:
     {{- include "unikorn.labels" . | nindent 4 }}
 subjects:
 - kind: ServiceAccount
   namespace: {{ .Release.Namespace }}
-  name: unikorn-cluster-controller
+  name: {{ .Release.Name }}-cluster-controller
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
-  name: unikorn-cluster-controller
+  name: {{ .Release.Name }}-cluster-controller

charts/kubernetes/templates/cluster-controller/service.yaml

@@ -1,12 +1,12 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: unikorn-cluster-controller
+  name: {{ .Release.Name }}-cluster-controller
   labels:
     {{- include "unikorn.labels" . | nindent 4 }}
 spec:
   selector:
-    app: unikorn-cluster-controller
+    app: {{ .Release.Name }}-cluster-controller
   ports:
   - name: prometheus
     port: 8080

charts/kubernetes/templates/cluster-controller/serviceaccount.yaml

@@ -1,7 +1,7 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: unikorn-cluster-controller
+  name: {{ .Release.Name }}-cluster-controller
   labels:
     {{- include "unikorn.labels" . | nindent 4 }}
 {{- with ( include "unikorn.imagePullSecrets" . ) }}

charts/kubernetes/templates/cluster-manager-controller/clusterrole.yaml

@@ -1,7 +1,7 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: unikorn-cluster-manager-controller
+  name: {{ .Release.Name }}-cluster-manager-controller
   labels:
     {{- include "unikorn.labels" . | nindent 4 }}
 rules:

charts/kubernetes/templates/cluster-manager-controller/clusterrolebinding.yaml

@@ -1,14 +1,14 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: unikorn-cluster-manager-controller
+  name: {{ .Release.Name }}-cluster-manager-controller
   labels:
     {{- include "unikorn.labels" . | nindent 4 }}
 subjects:
 - kind: ServiceAccount
   namespace: {{ .Release.Namespace }}
-  name: unikorn-cluster-manager-controller
+  name: {{ .Release.Name }}-cluster-manager-controller
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: unikorn-cluster-manager-controller
+  name: {{ .Release.Name }}-cluster-manager-controller

charts/kubernetes/templates/cluster-manager-controller/deployment.yaml

@@ -1,21 +1,21 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: unikorn-cluster-manager-controller
+  name: {{ .Release.Name }}-cluster-manager-controller
   labels:
     {{- include "unikorn.labels" . | nindent 4 }}
 spec:
   replicas: 1
   selector:
     matchLabels:
-      app: unikorn-cluster-manager-controller
+      app: {{ .Release.Name }}-cluster-manager-controller
   template:
     metadata:
       labels:
-        app: unikorn-cluster-manager-controller
+        app: {{ .Release.Name }}-cluster-manager-controller
     spec:
       containers:
-      - name: unikorn-cluster-manager-controller
+      - name: {{ .Release.Name }}-cluster-manager-controller
         image: {{ include "unikorn.clusterManagerControllerImage" . }}
         args:
         {{- include "unikorn.core.flags" . | nindent 8 }}
@@ -32,6 +32,6 @@ spec:
             memory: 100Mi
         securityContext:
           readOnlyRootFilesystem: true
-      serviceAccountName: unikorn-cluster-manager-controller
+      serviceAccountName: {{ .Release.Name }}-cluster-manager-controller
       securityContext:
         runAsNonRoot: true

charts/kubernetes/templates/cluster-manager-controller/role.yaml

@@ -1,7 +1,7 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  name: unikorn-cluster-manager-controller
+  name: {{ .Release.Name }}-cluster-manager-controller
   labels:
     {{- include "unikorn.labels" . | nindent 4 }}
 rules:

charts/kubernetes/templates/cluster-manager-controller/rolebinding.yaml

@@ -1,14 +1,14 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  name: unikorn-cluster-manager-controller
+  name: {{ .Release.Name }}-cluster-manager-controller
   labels:
     {{- include "unikorn.labels" . | nindent 4 }}
 subjects:
 - kind: ServiceAccount
   namespace: {{ .Release.Namespace }}
-  name: unikorn-cluster-manager-controller
+  name: {{ .Release.Name }}-cluster-manager-controller
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
-  name: unikorn-cluster-manager-controller
+  name: {{ .Release.Name }}-cluster-manager-controller

charts/kubernetes/templates/cluster-manager-controller/service.yaml

@@ -1,12 +1,12 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: unikorn-cluster-manager-controller
+  name: {{ .Release.Name }}-cluster-manager-controller
   labels:
     {{- include "unikorn.labels" . | nindent 4 }}
 spec:
   selector:
-    app: unikorn-cluster-manager-controller
+    app: {{ .Release.Name }}-cluster-manager-controller
   ports:
   - name: prometheus
     port: 8080

charts/kubernetes/templates/cluster-manager-controller/serviceaccount.yaml

@@ -1,7 +1,7 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: unikorn-cluster-manager-controller
+  name: {{ .Release.Name }}-cluster-manager-controller
   labels:
     {{- include "unikorn.labels" . | nindent 4 }}
 {{- with ( include "unikorn.imagePullSecrets" . ) }}

charts/kubernetes/templates/image-pull-secret.yaml

@@ -1,7 +1,7 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: unikorn-monitor
+  name: {{ .Release.Name }}-monitor
   labels:
     {{- include "unikorn.labels" . | nindent 4 }}
 rules:

charts/kubernetes/templates/monitor/clusterrole.yaml

@@ -1,14 +1,14 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: unikorn-monitor
+  name: {{ .Release.Name }}-monitor
   labels:
     {{- include "unikorn.labels" . | nindent 4 }}
 subjects:
 - kind: ServiceAccount
   namespace: {{ .Release.Namespace }}
-  name: unikorn-monitor
+  name: {{ .Release.Name }}-monitor
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: unikorn-monitor
+  name: {{ .Release.Name }}-monitor

charts/kubernetes/templates/monitor/clusterrolebinding.yaml

@@ -1,21 +1,21 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: unikorn-monitor
+  name: {{ .Release.Name }}-monitor
   labels:
     {{- include "unikorn.labels" . | nindent 4 }}
 spec:
   replicas: 1
   selector:
     matchLabels:
-      app: unikorn-monitor
+      app: {{ .Release.Name }}-monitor
   template:
     metadata:
       labels:
-        app: unikorn-monitor
+        app: {{ .Release.Name }}-monitor
     spec:
       containers:
-      - name: unikorn-monitor
+      - name: {{ .Release.Name }}-monitor
         image: {{ include "unikorn.monitorImage" . }}
         resources:
           requests:
@@ -26,6 +26,6 @@ spec:
             memory: 100Mi
         securityContext:
           readOnlyRootFilesystem: true
-      serviceAccountName: unikorn-monitor
+      serviceAccountName: {{ .Release.Name }}-monitor
       securityContext:
         runAsNonRoot: true

charts/kubernetes/templates/monitor/deployment.yaml

@@ -1,7 +1,7 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: unikorn-monitor
+  name: {{ .Release.Name }}-monitor
   labels:
     {{- include "unikorn.labels" . | nindent 4 }}
 {{- with ( include "unikorn.imagePullSecrets" . ) }}

charts/kubernetes/templates/monitor/serviceaccount.yaml

@@ -2,7 +2,7 @@
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
-  name: unikorn-controller
+  name: {{ .Release.Name }}-controller
   namespace: {{ .Values.monitoring.namespace }}
   labels:
     {{- include "unikorn.labels" . | nindent 4 }}

charts/kubernetes/templates/prometheus.yaml

@@ -1,7 +1,7 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: unikorn-server
+  name: {{ .Release.Name }}-server
   labels:
     {{- include "unikorn.labels" . | nindent 4 }}
 rules:
@@ -22,11 +22,9 @@ rules:
 - apiGroups:
   - unikorn-cloud.org
   resources:
-  - regions
   - clustermanagerapplicationbundles
   - kubernetesclusterapplicationbundles
   - virtualkubernetesclusterapplicationbundles
-  - helmapplications
   verbs:
   - list
   - watch
@@ -38,11 +36,3 @@ rules:
   verbs:
   - list
   - watch
-- apiGroups:
-  - ""
-  resources:
-  - secrets
-  - services
-  verbs:
-  - list
-  - watch

charts/kubernetes/templates/server/clusterrole.yaml

@@ -1,14 +1,14 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: unikorn-server
+  name: {{ .Release.Name }}-server
   labels:
     {{- include "unikorn.labels" . | nindent 4 }}
 subjects:
 - kind: ServiceAccount
   namespace: {{ .Release.Namespace }}
-  name: unikorn-server
+  name: {{ .Release.Name }}-server
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: unikorn-server
+  name: {{ .Release.Name }}-server