From 8e41b6f3026b0e2174ae38cf8735c3984ef0f2c3 Mon Sep 17 00:00:00 2001
From: "bo.kristoffersson"
Date: Wed, 6 Apr 2022 16:35:48 +0200
Subject: [PATCH 1/5] only deploy runtime nodes

---
 idsvr/README.md                         | 1 +
 idsvr/templates/deployment-admin.yaml   | 2 +-
 idsvr/templates/deployment-runtime.yaml | 4 ++++
 idsvr/values.yaml                       | 1 +
 4 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/idsvr/README.md b/idsvr/README.md
index 0628dc9..1cb2905 100644
--- a/idsvr/README.md
+++ b/idsvr/README.md
@@ -54,6 +54,7 @@ Parameter | Description | Default
 `curity.healthCheckPort`| The port to use for the status server |`4465`
 `curity.adminUiPort`| The admin UI and API port. Ignored if `curity.config.uiEnabled=false` |`6749`
 `curity.adminUiHttp`| Controls if admin UI will be on http or https mode after installation if enabled. Ignored if `curity.config.uiEnabled=false` |`false`
+`curity.onlyRuntimeNodes` | Only deploy runtime nodes | `false`
 `curity.admin.role`| The role of the admin server |`admin`
 `curity.admin.service.type`| The admin service type |`ClusterIP`
 `curity.admin.service.port`| The admin configuration port |`6789`
diff --git a/idsvr/templates/deployment-admin.yaml b/idsvr/templates/deployment-admin.yaml
index 44378e2..efa88a2 100644
--- a/idsvr/templates/deployment-admin.yaml
+++ b/idsvr/templates/deployment-admin.yaml
@@ -7,7 +7,7 @@ metadata:
     {{- include "curity.labels" . | nindent 4 }}
     role: {{ include "curity.fullname" . }}-admin
 spec:
-  replicas: 1
+  replicas: {{ if .Values.curity.onlyRuntimeNodes}}0{{ else }}1{{ end }}
   selector:
     matchLabels:
       app.kubernetes.io/name: {{ include "curity.name" . }}
diff --git a/idsvr/templates/deployment-runtime.yaml b/idsvr/templates/deployment-runtime.yaml
index 925bac5..57a71e3 100644
--- a/idsvr/templates/deployment-runtime.yaml
+++ b/idsvr/templates/deployment-runtime.yaml
@@ -89,10 +89,12 @@ spec:
         - mountPath: /opt/idsvr/var/log/
           name: log-volume
         {{- end }}
+        {{- if not .Values.curity.onlyRuntimeNodes}}
         - mountPath: /opt/idsvr/etc/init/cluster.xml
           subPath: cluster.xml
           name: cluster-xml
           readOnly: true
+        {{- end }}
         {{- if .Values.curity.config.configurationSecret }}
         - mountPath: /opt/idsvr/etc/init/config.xml
           subPath: config.xml
@@ -130,12 +132,14 @@ spec:
       - name: log-volume
         emptyDir: {}
       {{- end }}
+      {{- if not .Values.curity.onlyRuntimeNodes}}
       - name: cluster-xml
         secret:
           secretName: {{ include "curity.fullname" . }}-cluster-config-xml
           items:
           - key: cluster-{{ .Release.Revision }}.xml
             path: cluster.xml
+      {{- end }}
       {{- if .Values.curity.config.configurationSecret }}
       - name: config
         secret:
diff --git a/idsvr/values.yaml b/idsvr/values.yaml
index 4424e6e..ca4f270 100644
--- a/idsvr/values.yaml
+++ b/idsvr/values.yaml
@@ -19,6 +19,7 @@ curity:
   healthCheckPort: 4465
   adminUiPort: 6749
   adminUiHttp: false
+  onlyRuntimeNodes: false
   admin:
     role: admin

From 494b769ff484292ef678f82cadaa8be824ca7361 Mon Sep 17 00:00:00 2001
From: "bo.kristoffersson"
Date: Tue, 12 Apr 2022 08:00:03 +0200
Subject: [PATCH 2/5] only create resources that are needed wehn runtime nodes only

---
 idsvr/templates/cluster-conf.yaml     | 4 +++-
 idsvr/templates/config-backup.yaml    | 2 +-
 idsvr/templates/deployment-admin.yaml | 4 +++-
 idsvr/templates/ingress.yaml          | 4 ++--
 idsvr/templates/network.yaml          | 2 +-
 idsvr/templates/service-admin.yaml    | 3 ++-
 6 files changed, 12 insertions(+), 7 deletions(-)

diff --git a/idsvr/templates/cluster-conf.yaml b/idsvr/templates/cluster-conf.yaml
index ae7482f..13cfd8b 100644
--- a/idsvr/templates/cluster-conf.yaml
+++ b/idsvr/templates/cluster-conf.yaml
@@ -1,3 +1,4 @@
+{{- if ne .Values.curity.onlyRuntimes true -}}
 apiVersion: v1
 kind: Secret
 metadata:
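Review bot: The new guard tests `.Values.curity.onlyRuntimes`, but the value introduced in patch 1 and in values.yaml is `curity.onlyRuntimeNodes`, so this key is never set and the guard compares nil with `true`; depending on the Go version Helm was built with, that either always evaluates true (nothing is ever suppressed) or aborts rendering with an incompatible-types error. The same misspelt key is used in every `ne ... true` guard of this commit, and service-admin's `not .Values.curity.onlyRuntimes` is always true for a missing key, so the admin Service is rendered regardless. Use the real key, `{{- if not .Values.curity.onlyRuntimeNodes -}}`; a `helm template --set curity.onlyRuntimeNodes=true` run would have shown the admin resources still being emitted.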
@@ -86,4 +87,5 @@ spec:
           configMap:
             name: {{ include "curity.fullname" . }}-cluster-conf-map
       serviceAccountName: {{ include "curity.fullname" . }}-service-account
-      restartPolicy: Never
\ No newline at end of file
+      restartPolicy: Never
+{{- end }}
\ No newline at end of file
diff --git a/idsvr/templates/config-backup.yaml b/idsvr/templates/config-backup.yaml
index 75141ba..8032180 100644
--- a/idsvr/templates/config-backup.yaml
+++ b/idsvr/templates/config-backup.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.curity.config.backup -}}
+{{- if and .Values.curity.config.backup ( ne .Values.curity.onlyRuntimes true ) -}}
 apiVersion: v1
 kind: Secret
 metadata:
diff --git a/idsvr/templates/deployment-admin.yaml b/idsvr/templates/deployment-admin.yaml
index efa88a2..8fa48ab 100644
--- a/idsvr/templates/deployment-admin.yaml
+++ b/idsvr/templates/deployment-admin.yaml
@@ -1,4 +1,5 @@
 {{- $root := . -}}
+{{- if ne .Values.curity.onlyRuntimes true -}}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -197,4 +198,5 @@ spec:
       {{- with .Values.tolerations }}
       tolerations:
         {{- toYaml . | nindent 8 }}
-      {{- end }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/idsvr/templates/ingress.yaml b/idsvr/templates/ingress.yaml
index b221ca9..75a930b 100644
--- a/idsvr/templates/ingress.yaml
+++ b/idsvr/templates/ingress.yaml
@@ -12,7 +12,7 @@ metadata:
 spec:
   {{- if or .Values.ingress.admin.secretName .Values.ingress.runtime.secretName }}
   tls:
-  {{- if .Values.ingress.admin.secretName }}
+  {{- if and .Values.ingress.admin.secretName ( ne .Values.curity.onlyRuntimes true ) }}
   - hosts:
     - {{ .Values.ingress.admin.host}}
     secretName: {{ .Values.ingress.admin.secretName }}
@@ -36,7 +36,7 @@ spec:
               port:
                 name: http-port
   {{- end }}
-  {{- if .Values.curity.config.uiEnabled }}
+  {{- if and .Values.curity.config.uiEnabled ( ne .Values.curity.onlyRuntimes true ) }}
   - host: {{ .Values.ingress.admin.host }}
     http:
       paths:
diff --git a/idsvr/templates/network.yaml b/idsvr/templates/network.yaml
index 2e0ba65..9f5a7c7 100644
--- a/idsvr/templates/network.yaml
+++ b/idsvr/templates/network.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.networkpolicy.enabled -}}
+{{- if and .Values.networkpolicy.enabled ( ne .Values.curity.onlyRuntimes true ) -}}
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
diff --git a/idsvr/templates/service-admin.yaml b/idsvr/templates/service-admin.yaml
index 42e613a..d2f294e 100644
--- a/idsvr/templates/service-admin.yaml
+++ b/idsvr/templates/service-admin.yaml
@@ -1,3 +1,4 @@
+{{- if not .Values.curity.onlyRuntimes -}}
 apiVersion: v1
 kind: Service
 metadata:
@@ -30,4 +31,4 @@ spec:
     app.kubernetes.io/name: {{ include "curity.name" . }}
     app.kubernetes.io/instance: {{ .Release.Name }}
     role: {{ include "curity.fullname" . }}-admin
-
\ No newline at end of file
+{{- end }}
\ No newline at end of file

From 779f8c421a2c136fc3940977a6c12d3ae6daebc2 Mon Sep 17 00:00:00 2001
From: "bo.kristoffersson"
Date: Tue, 12 Apr 2022 08:00:30 +0200
Subject: [PATCH 3/5] only create resources that are needed wehn runtime nodes only

---
 idsvr/templates/rbac.yaml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/idsvr/templates/rbac.yaml b/idsvr/templates/rbac.yaml
index d2c3131..da16036 100644
--- a/idsvr/templates/rbac.yaml
+++ b/idsvr/templates/rbac.yaml
@@ -1,3 +1,4 @@
+{{- if ne .Values.curity.onlyRuntimes true -}}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
@@ -40,4 +41,5 @@ roleRef:
   name: {{ include "curity.fullname" . }}-create-secret
 subjects:
   - kind: ServiceAccount
-    name: {{ include "curity.fullname" . }}-service-account
\ No newline at end of file
+    name: {{ include "curity.fullname" . }}-service-account
+{{- end }
\ No newline at end of file

From 8f550061eb5f29ef551e1682eaf4dff0b8edf685 Mon Sep 17 00:00:00 2001
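Review bot: `+{{- end }` closes the action with a single brace, so rbac.yaml no longer parses and the whole release stops rendering, not just the runtime-only case; it must be `{{- end }}`. The guard it closes also reads the misspelt `.Values.curity.onlyRuntimes` key rather than `curity.onlyRuntimeNodes`, so even with the brace fixed it would never suppress the ServiceAccount and its create-secret binding. Patch 4 reworks rbac.yaml from the same base blob (`d2c3131`), so this commit looks superseded and should be dropped from the series rather than merged.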
From: "bo.kristoffersson"
Date: Thu, 12 May 2022 14:53:17 +0200
Subject: [PATCH 4/5] add support for only runtime nodes

---
 idsvr/templates/cluster-conf.yaml       | 4 +++-
 idsvr/templates/config-backup.yaml      | 3 ++-
 idsvr/templates/deployment-admin.yaml   | 4 +++-
 idsvr/templates/deployment-runtime.yaml | 4 ++++
 idsvr/templates/ingress.yaml            | 4 ++--
 idsvr/templates/network.yaml            | 2 +-
 idsvr/templates/rbac.yaml               | 4 +++-
 idsvr/templates/service-admin.yaml      | 3 ++-
 idsvr/values.yaml                       | 1 +
 9 files changed, 21 insertions(+), 8 deletions(-)

diff --git a/idsvr/templates/cluster-conf.yaml b/idsvr/templates/cluster-conf.yaml
index ae7482f..f253fc8 100644
--- a/idsvr/templates/cluster-conf.yaml
+++ b/idsvr/templates/cluster-conf.yaml
@@ -1,3 +1,4 @@
+{{- if eq .Values.curity.onlyRuntimeNodes false }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -86,4 +87,5 @@ spec:
           configMap:
             name: {{ include "curity.fullname" . }}-cluster-conf-map
       serviceAccountName: {{ include "curity.fullname" . }}-service-account
-      restartPolicy: Never
\ No newline at end of file
+      restartPolicy: Never
+{{- end }}
\ No newline at end of file
diff --git a/idsvr/templates/config-backup.yaml b/idsvr/templates/config-backup.yaml
index 75141ba..0b718d6 100644
--- a/idsvr/templates/config-backup.yaml
+++ b/idsvr/templates/config-backup.yaml
@@ -1,4 +1,5 @@
-{{- if .Values.curity.config.backup -}}
+{{- if and .Values.curity.config.backup -}}
+{{- required "\n Admin node need to be running if curity.config.backup is true! use --set curity.config.onlyRuntimeNodes=false" ( .Values.curity.onlyRuntimeNodes ) }}
 apiVersion: v1
 kind: Secret
 metadata:
diff --git a/idsvr/templates/deployment-admin.yaml b/idsvr/templates/deployment-admin.yaml
index b4ceba3..46ebf0a 100644
--- a/idsvr/templates/deployment-admin.yaml
+++ b/idsvr/templates/deployment-admin.yaml
@@ -1,4 +1,5 @@
 {{- $root := . -}}
+ {{- if eq .Values.curity.onlyRuntimeNodes false -}}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
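Review bot: The `required` line does not enforce what its message says: Helm's `required` only fails on nil or an empty string, so a boolean `false` passes, and the argument is `onlyRuntimeNodes` itself, so even where it did fail it would fire in the admin-present case rather than the runtime-only one. The pipeline's value is also printed into the output, which leaves a stray `false`/`true` line ahead of `apiVersion: v1` in the backup manifest whenever backup is on, and the hint names a key that does not exist (`curity.config.onlyRuntimeNodes` instead of `curity.onlyRuntimeNodes`). Replace the two added lines with `{{- if and .Values.curity.config.backup .Values.curity.onlyRuntimeNodes }}{{ fail "curity.config.backup requires an admin node; set curity.onlyRuntimeNodes=false" }}{{ end }}` followed by `{{- if .Values.curity.config.backup -}}`, which aborts the render with a clear message and emits nothing otherwise. The single-operand `and` on the `if` line is a no-op and is dropped again in patch 5.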
@@ -245,4 +246,5 @@ spec:
       {{- with .Values.tolerations }}
       tolerations:
         {{- toYaml . | nindent 8 }}
-      {{- end }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/idsvr/templates/deployment-runtime.yaml b/idsvr/templates/deployment-runtime.yaml
index e4e0645..52e9e91 100644
--- a/idsvr/templates/deployment-runtime.yaml
+++ b/idsvr/templates/deployment-runtime.yaml
@@ -96,10 +96,12 @@ spec:
         - mountPath: /opt/idsvr/var/log/
           name: log-volume
         {{- end }}
+        {{- if eq .Values.curity.onlyRuntimeNodes false }}
         - mountPath: /opt/idsvr/etc/init/cluster.xml
           subPath: cluster.xml
           name: cluster-xml
           readOnly: true
+        {{- end }}
         {{- if .Values.curity.config.configurationSecret }}
         - mountPath: /opt/idsvr/etc/init/config.xml
           subPath: config.xml
@@ -155,12 +157,14 @@ spec:
       - name: log-volume
         emptyDir: {}
       {{- end }}
+      {{- if eq .Values.curity.onlyRuntimeNodes false }}
       - name: cluster-xml
         secret:
           secretName: {{ include "curity.fullname" . }}-cluster-config-xml
           items:
           - key: cluster-{{ .Release.Revision }}.xml
             path: cluster.xml
+      {{- end }}
       {{- if .Values.curity.config.configurationSecret }}
       - name: config
         secret:
diff --git a/idsvr/templates/ingress.yaml b/idsvr/templates/ingress.yaml
index b221ca9..0e4da8e 100644
--- a/idsvr/templates/ingress.yaml
+++ b/idsvr/templates/ingress.yaml
@@ -12,7 +12,7 @@ metadata:
 spec:
   {{- if or .Values.ingress.admin.secretName .Values.ingress.runtime.secretName }}
   tls:
-  {{- if .Values.ingress.admin.secretName }}
+  {{- if and .Values.curity.config.uiEnabled ( eq .Values.curity.onlyRuntimeNodes false ) }}
   - hosts:
     - {{ .Values.ingress.admin.host}}
     secretName: {{ .Values.ingress.admin.secretName }}
@@ -36,7 +36,7 @@ spec:
               port:
                 name: http-port
   {{- end }}
-  {{- if .Values.curity.config.uiEnabled }}
+  {{- if and .Values.curity.config.uiEnabled ( eq .Values.curity.onlyRuntimeNodes false ) }}
   - host: {{ .Values.ingress.admin.host }}
     http:
       paths:
diff --git a/idsvr/templates/network.yaml b/idsvr/templates/network.yaml
index 2e0ba65..b19717c 100644
--- a/idsvr/templates/network.yaml
+++ b/idsvr/templates/network.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.networkpolicy.enabled -}}
+{{- if and .Values.networkpolicy.enabled ( eq .Values.curity.onlyRuntimeNodes false ) -}}
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
diff --git a/idsvr/templates/rbac.yaml b/idsvr/templates/rbac.yaml
index d2c3131..35c62d3 100644
--- a/idsvr/templates/rbac.yaml
+++ b/idsvr/templates/rbac.yaml
@@ -1,3 +1,4 @@
+{{- if or ( eq .Values.curity.onlyRuntimeNodes false ) .Values.curity.config.convertKeystore -}}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
@@ -40,4 +41,5 @@ roleRef:
   name: {{ include "curity.fullname" . }}-create-secret
 subjects:
   - kind: ServiceAccount
-    name: {{ include "curity.fullname" . }}-service-account
\ No newline at end of file
+    name: {{ include "curity.fullname" . }}-service-account
+{{- end }}
\ No newline at end of file
diff --git a/idsvr/templates/service-admin.yaml b/idsvr/templates/service-admin.yaml
index afd4370..e27fcbd 100644
--- a/idsvr/templates/service-admin.yaml
+++ b/idsvr/templates/service-admin.yaml
@@ -1,3 +1,4 @@
+{{- if eq .Values.curity.onlyRuntimeNodes false -}}
 apiVersion: v1
 kind: Service
 metadata:
@@ -34,4 +35,4 @@ spec:
     app.kubernetes.io/name: {{ include "curity.name" . }}
     app.kubernetes.io/instance: {{ .Release.Name }}
     role: {{ include "curity.fullname" . }}-admin
-
\ No newline at end of file
+{{- end }}
\ No newline at end of file
diff --git a/idsvr/values.yaml b/idsvr/values.yaml
index 55d6b75..4f3210a 100644
--- a/idsvr/values.yaml
+++ b/idsvr/values.yaml
@@ -19,6 +19,7 @@ curity:
   healthCheckPort: 4465
   adminUiPort: 6749
   adminUiHttp: false
+  onlyRuntimeNodes: false
   admin:
     role: admin

From 40893f5c641032bde6e2c61841901603d0e4791a Mon Sep 17 00:00:00 2001
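Review bot: `onlyRuntimeNodes: false` lands in values.yaml without a comment, although this commit makes it switch rendering in seven templates and the README row only says "Only deploy runtime nodes". A comment above it such as `# true: render only the runtime Deployment; the admin Deployment/Service, admin ingress rules, cluster-conf.yaml resources, NetworkPolicy and the cluster.xml mount are skipped` would tell an operator what they give up. It should presumably also say where runtime nodes then get their cluster configuration from — the chart offers `curity.config.configurationSecret`/`configurationConfigMap`/`configuration` — since nothing in this series checks that one of them is set when the flag is on.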
From: "bo.kristoffersson"
Date: Thu, 8 Sep 2022 11:31:06 +0200
Subject: [PATCH 5/5] enable to deploy only runtime nodes

---
 idsvr/templates/cluster-conf.yaml       | 2 +-
 idsvr/templates/config-backup.yaml      | 2 +-
 idsvr/templates/deployment-admin.yaml   | 2 +-
 idsvr/templates/deployment-runtime.yaml | 8 ++++++--
 idsvr/templates/ingress.yaml            | 4 ++--
 idsvr/templates/network.yaml            | 2 +-
 idsvr/templates/rbac.yaml               | 2 +-
 idsvr/templates/service-admin.yaml      | 2 +-
 8 files changed, 14 insertions(+), 10 deletions(-)

diff --git a/idsvr/templates/cluster-conf.yaml b/idsvr/templates/cluster-conf.yaml
index f253fc8..8916ee7 100644
--- a/idsvr/templates/cluster-conf.yaml
+++ b/idsvr/templates/cluster-conf.yaml
@@ -1,4 +1,4 @@
-{{- if eq .Values.curity.onlyRuntimeNodes false }}
+{{- if not .Values.curity.onlyRuntimeNodes }}
 apiVersion: v1
 kind: Secret
 metadata:
diff --git a/idsvr/templates/config-backup.yaml b/idsvr/templates/config-backup.yaml
index 0b718d6..f6cde65 100644
--- a/idsvr/templates/config-backup.yaml
+++ b/idsvr/templates/config-backup.yaml
@@ -1,4 +1,4 @@
-{{- if and .Values.curity.config.backup -}}
+{{- if .Values.curity.config.backup -}}
 {{- required "\n Admin node need to be running if curity.config.backup is true! use --set curity.config.onlyRuntimeNodes=false" ( .Values.curity.onlyRuntimeNodes ) }}
 apiVersion: v1
 kind: Secret
diff --git a/idsvr/templates/deployment-admin.yaml b/idsvr/templates/deployment-admin.yaml
index 46ebf0a..151f452 100644
--- a/idsvr/templates/deployment-admin.yaml
+++ b/idsvr/templates/deployment-admin.yaml
@@ -1,5 +1,5 @@
 {{- $root := . -}}
- {{- if eq .Values.curity.onlyRuntimeNodes false -}}
+ {{- if not .Values.curity.onlyRuntimeNodes -}}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
diff --git a/idsvr/templates/deployment-runtime.yaml b/idsvr/templates/deployment-runtime.yaml
index 52e9e91..81401db 100644
--- a/idsvr/templates/deployment-runtime.yaml
+++ b/idsvr/templates/deployment-runtime.yaml
@@ -91,12 +91,13 @@ spec:
             successThreshold: {{ .Values.curity.runtime.readinessProbe.successThreshold }}
             periodSeconds: {{ .Values.curity.runtime.readinessProbe.periodSeconds }}
             initialDelaySeconds: {{ .Values.curity.runtime.readinessProbe.initialDelaySeconds }}
+          {{- if or .Values.curity.runtime.logging.stdout ( not .Values.curity.onlyRuntimeNodes ) .Values.curity.config.configurationSecret .Values.curity.config.configurationConfigMap .Values.curity.config.configuration }}
           volumeMounts:
           {{- if .Values.curity.runtime.logging.stdout }}
           - mountPath: /opt/idsvr/var/log/
             name: log-volume
           {{- end }}
-          {{- if eq .Values.curity.onlyRuntimeNodes false }}
+          {{- if not .Values.curity.onlyRuntimeNodes }}
           - mountPath: /opt/idsvr/etc/init/cluster.xml
             subPath: cluster.xml
             name: cluster-xml
@@ -132,6 +133,7 @@ spec:
           {{- end }}
           {{- end }}
           {{- end }}
+          {{- end }}
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
         {{- if .Values.curity.runtime.logging.stdout }}
@@ -152,12 +154,13 @@ spec:
       imagePullSecrets:
       - name: {{ .Values.image.pullSecret}}
       {{- end }}
+      {{- if or .Values.curity.runtime.logging.stdout ( ne .Values.curity.onlyRuntimeNodes true ) .Values.curity.config.configurationSecret .Values.curity.config.configurationConfigMap .Values.curity.config.configuration }}
       volumes:
       {{- if .Values.curity.runtime.logging.stdout }}
       - name: log-volume
         emptyDir: {}
       {{- end }}
-      {{- if eq .Values.curity.onlyRuntimeNodes false }}
+      {{- if ne .Values.curity.onlyRuntimeNodes true }}
       - name: cluster-xml
         secret:
           secretName: {{ include "curity.fullname" . }}-cluster-config-xml
@@ -199,6 +202,7 @@ spec:
             path: {{ $confItem.path }}
           {{- end }}
         {{- end }}
+      {{- end }}
       {{- end }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
diff --git a/idsvr/templates/ingress.yaml b/idsvr/templates/ingress.yaml
index 0e4da8e..09bde8b 100644
--- a/idsvr/templates/ingress.yaml
+++ b/idsvr/templates/ingress.yaml
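Review bot: The two new wrapper guards spell the same condition differently — `( not .Values.curity.onlyRuntimeNodes )` around `volumeMounts` and `( ne .Values.curity.onlyRuntimeNodes true )` around `volumes` — and the inner cluster.xml guards differ the same way. They are equivalent for a boolean value, but a mount whose volume is not rendered (or the reverse) is rejected by the API server, so the pairs must always move together; use `not` in all four, as the rest of this commit does. With `onlyRuntimeNodes: true` and none of `curity.config.configurationSecret`/`configurationConfigMap`/`configuration` set, the runtime pod now starts with no configuration volume at all and the chart accepts that silently; if those values are the intended source of the cluster definition in runtime-only mode, a `fail` for that combination would be safer than an unconfigured node. The container spec continues outside the hunk.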
@@ -12,7 +12,7 @@ metadata:
 spec:
   {{- if or .Values.ingress.admin.secretName .Values.ingress.runtime.secretName }}
   tls:
-  {{- if and .Values.curity.config.uiEnabled ( eq .Values.curity.onlyRuntimeNodes false ) }}
+  {{- if and .Values.curity.config.uiEnabled ( not .Values.curity.onlyRuntimeNodes ) }}
   - hosts:
     - {{ .Values.ingress.admin.host}}
     secretName: {{ .Values.ingress.admin.secretName }}
@@ -36,7 +36,7 @@ spec:
               port:
                 name: http-port
   {{- end }}
-  {{- if and .Values.curity.config.uiEnabled ( eq .Values.curity.onlyRuntimeNodes false ) }}
+  {{- if and .Values.curity.config.uiEnabled ( not .Values.curity.onlyRuntimeNodes ) }}
   - host: {{ .Values.ingress.admin.host }}
     http:
       paths:
diff --git a/idsvr/templates/network.yaml b/idsvr/templates/network.yaml
index b19717c..c79f04b 100644
--- a/idsvr/templates/network.yaml
+++ b/idsvr/templates/network.yaml
@@ -1,4 +1,4 @@
-{{- if and .Values.networkpolicy.enabled ( eq .Values.curity.onlyRuntimeNodes false ) -}}
+{{- if and .Values.networkpolicy.enabled ( .Values.curity.onlyRuntimeNodes ) -}}
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
diff --git a/idsvr/templates/rbac.yaml b/idsvr/templates/rbac.yaml
index 35c62d3..74bf6c2 100644
--- a/idsvr/templates/rbac.yaml
+++ b/idsvr/templates/rbac.yaml
@@ -1,4 +1,4 @@
-{{- if or ( eq .Values.curity.onlyRuntimeNodes false ) .Values.curity.config.convertKeystore -}}
+{{- if or ( not .Values.curity.onlyRuntimeNodes ) .Values.curity.config.convertKeystore -}}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
diff --git a/idsvr/templates/service-admin.yaml b/idsvr/templates/service-admin.yaml
index e27fcbd..ef32cc6 100644
--- a/idsvr/templates/service-admin.yaml
+++ b/idsvr/templates/service-admin.yaml
@@ -1,4 +1,4 @@
-{{- if eq .Values.curity.onlyRuntimeNodes false -}}
+{{- if not .Values.curity.onlyRuntimeNodes -}}
 apiVersion: v1
 kind: Service
 metadata:
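Review bot: The admin `tls` entry is still keyed on `curity.config.uiEnabled`, which patch 4 substituted for the original `ingress.admin.secretName` check, so a release with the UI enabled and no admin TLS secret emits a `tls` item for the admin host whose `secretName:` is empty, which an ingress controller will either reject or serve with its default certificate. Patch 2 kept the right check; the new line should read `{{- if and .Values.ingress.admin.secretName ( not .Values.curity.onlyRuntimeNodes ) }}`. The rule block in the second hunk is correctly gated on `uiEnabled` and needs no change.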
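Review bot: `( .Values.curity.onlyRuntimeNodes )` inverts the condition patch 4 introduced, so the NetworkPolicy is now rendered only in runtime-only mode and a default installation with `networkpolicy.enabled: true` silently gets no policy at all. If `not` was intended this is a one-token fix, but either way tying the policy to this flag leaves one of the two deployment modes without network isolation; keep `{{- if .Values.networkpolicy.enabled -}}` as the only gate and, if the policy body (outside this hunk) contains admin-only rules, wrap just those in `{{- if not .Values.curity.onlyRuntimeNodes }}`.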