✨ Update service account (#399)

go-sigma · Sep 18, 2024 · be03712 · be03712
1 parent db42d1c
commit be03712
Show file tree

Hide file tree

Showing 23 changed files with 60 additions and 26 deletions.
diff --git a/conf/config-dev.yaml b/conf/config-dev.yaml
@@ -136,7 +136,7 @@ daemon:
       network: sigma
     kubernetes:
       kubeconfig:
-      namespace: default
+      namespace: sigma-builder
     podman:
       uri: unix:///run/podman/podman.sock
 

diff --git a/conf/config-full.yaml b/conf/config-full.yaml
@@ -140,7 +140,7 @@ daemon:
       network: sigma
     kubernetes:
       kubeconfig:
-      namespace: default
+      namespace: sigma-builder
     podman:
       uri: unix:///run/podman/podman.sock
 

diff --git a/conf/config.yaml b/conf/config.yaml
@@ -136,7 +136,7 @@ daemon:
       network: sigma
     kubernetes:
       kubeconfig:
-      namespace: default
+      namespace: sigma-builder
     podman:
       uri: unix:///run/podman/podman.sock
 

diff --git a/deploy/sigma/templates/configmap.yaml b/deploy/sigma/templates/configmap.yaml
@@ -41,6 +41,13 @@ data:
       server: 0.0.0.0:{{.Values.service.server.port}}
       worker: 0.0.0.0:{{.Values.service.worker.port}}
     daemon:
+      builder:
+        enabled: {{ .Values.config.daemon.builder.enabled }}
+        image: "{{ .Values.image.registry }}/{{ .Values.config.daemon.builder.image.repository }}:{{ .Values.config.daemon.builder.image.tag | default .Chart.AppVersion }}"
+        type: {{ .Values.config.daemon.builder.type | quote }}
+        kubernetes:
+          kubeconfig: ""
+          namespace: {{ .Values.config.daemon.builder.kubernetes.namespace | quote }}
       gc:
         # if blob not associate with artifact
         retention: 72h

diff --git a/deploy/sigma/templates/distribution/deployment.yaml b/deploy/sigma/templates/distribution/deployment.yaml
@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: {{ include "sigma.distribution" . }}
+  namespace: "{{ .Release.Namespace }}"
   labels:
     {{- include "sigma.distribution.labels" . | nindent 4 }}
 spec:

diff --git a/deploy/sigma/templates/distribution/hpa.yaml b/deploy/sigma/templates/distribution/hpa.yaml
@@ -3,6 +3,7 @@ apiVersion: autoscaling/v2beta1
 kind: HorizontalPodAutoscaler
 metadata:
   name: {{ include "sigma.distribution" . }}
+  namespace: "{{ .Release.Namespace }}"
   labels:
     {{- include "sigma.distribution.labels" . | nindent 4 }}
 spec:

diff --git a/deploy/sigma/templates/distribution/service.yaml b/deploy/sigma/templates/distribution/service.yaml
@@ -2,6 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
   name: {{ include "sigma.distribution" . }}
+  namespace: "{{ .Release.Namespace }}"
   labels:
     {{- include "sigma.distribution.labels" . | nindent 4 }}
 spec:

diff --git a/deploy/sigma/templates/ingress.yaml b/deploy/sigma/templates/ingress.yaml
@@ -3,6 +3,7 @@ apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   name: {{ include "sigma.fullname" . }}
+  namespace: "{{ .Release.Namespace }}"
   labels:
     {{- include "sigma.labels" . | nindent 4 }}
   {{- with .Values.ingress.annotations }}

diff --git a/deploy/sigma/templates/namespace.yaml b/deploy/sigma/templates/namespace.yaml
@@ -0,0 +1,8 @@
+{{- if and .Values.config.daemon.builder.enabled ( eq .Values.config.daemon.builder.type "kubernetes" ) }}
+kind: Namespace
+apiVersion: v1
+metadata:
+  name: {{ .Values.config.daemon.builder.kubernetes.namespace | quote }}
+  labels:
+    {{- include "sigma.labels" . | nindent 4 }}
+{{- end }}
diff --git a/deploy/sigma/templates/server/deployment.yaml b/deploy/sigma/templates/server/deployment.yaml
@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: {{ include "sigma.server" . }}
+  namespace: "{{ .Release.Namespace }}"
   labels:
     {{- include "sigma.server.labels" . | nindent 4 }}
 spec:

diff --git a/deploy/sigma/templates/server/hpa.yaml b/deploy/sigma/templates/server/hpa.yaml
@@ -3,6 +3,7 @@ apiVersion: autoscaling/v2beta1
 kind: HorizontalPodAutoscaler
 metadata:
   name: {{ include "sigma.server" . }}
+  namespace: "{{ .Release.Namespace }}"
   labels:
     {{- include "sigma.server.labels" . | nindent 4 }}
 spec:

diff --git a/deploy/sigma/templates/server/service.yaml b/deploy/sigma/templates/server/service.yaml
@@ -2,6 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
   name: {{ include "sigma.server" . }}
+  namespace: "{{ .Release.Namespace }}"
   labels:
     {{- include "sigma.server.labels" . | nindent 4 }}
 spec:

diff --git a/deploy/sigma/templates/serviceaccount.yaml b/deploy/sigma/templates/serviceaccount.yaml
@@ -1,9 +1,10 @@
+{{- if and .Values.config.daemon.builder.enabled ( eq .Values.config.daemon.builder.type "kubernetes" ) }}
 ---
 kind: Role
 apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
 metadata:
   name: {{ include "sigma.fullname" . | quote }}
-  namespace: {{ include "common.names.namespace" . | quote }}
+  namespace: {{ .Values.config.daemon.builder.kubernetes.namespace | quote }}
   {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.image "chart" .Chart ) ) }}
   {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }}
   labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
@@ -14,7 +15,7 @@ rules:
   - apiGroups:
       - ""
     resources:
-      - configmaps
+      - pods
     verbs:
       - get
       - list
@@ -26,34 +27,23 @@ rules:
   - apiGroups:
       - ""
     resources:
-      - configmaps/status
+      - pods/status
     verbs:
       - get
       - update
       - patch
   - apiGroups:
       - ""
     resources:
-      - events
+      - pods/finalizers
     verbs:
-      - create
-  - apiGroups:
-      - "coordination.k8s.io"
-    resources:
-      - leases
-    verbs:
-      - get
-      - list
-      - watch
-      - create
       - update
-      - patch
-      - delete
 ---
 kind: RoleBinding
 apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
 metadata:
   name: {{ include "sigma.fullname" . | quote }}
+  namespace: {{ .Values.config.daemon.builder.kubernetes.namespace | quote }}
   {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.image "chart" .Chart ) ) }}
   {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }}
   labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
@@ -67,7 +57,7 @@ roleRef:
 subjects:
   - kind: ServiceAccount
     name: {{ template "sigma.fullname" . }}
-    namespace: {{ include "common.names.namespace" . | quote }}
+    namespace: {{ .Release.Namespace | quote }}
 ---
 apiVersion: v1
 kind: ServiceAccount
@@ -82,3 +72,4 @@ metadata:
   annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
   {{- end }}
 automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
+{{- end }}
diff --git a/deploy/sigma/templates/web/deployment.yaml b/deploy/sigma/templates/web/deployment.yaml
@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: {{ include "sigma.web" . }}
+  namespace: "{{ .Release.Namespace }}"
   labels:
     {{- include "sigma.web.labels" . | nindent 4 }}
 spec:

diff --git a/deploy/sigma/templates/web/hpa.yaml b/deploy/sigma/templates/web/hpa.yaml
@@ -3,6 +3,7 @@ apiVersion: autoscaling/v2beta1
 kind: HorizontalPodAutoscaler
 metadata:
   name: {{ include "sigma.web" . }}
+  namespace: "{{ .Release.Namespace }}"
   labels:
     {{- include "sigma.web.labels" . | nindent 4 }}
 spec:

diff --git a/deploy/sigma/templates/web/service.yaml b/deploy/sigma/templates/web/service.yaml
@@ -2,6 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
   name: {{ include "sigma.web" . }}
+  namespace: "{{ .Release.Namespace }}"
   labels:
     {{- include "sigma.web.labels" . | nindent 4 }}
 spec:

diff --git a/deploy/sigma/templates/worker/deployment.yaml b/deploy/sigma/templates/worker/deployment.yaml
@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: {{ include "sigma.worker" . }}
+  namespace: "{{ .Release.Namespace }}"
   labels:
     {{- include "sigma.worker.labels" . | nindent 4 }}
 spec:

diff --git a/deploy/sigma/templates/worker/hpa.yaml b/deploy/sigma/templates/worker/hpa.yaml
@@ -3,6 +3,7 @@ apiVersion: autoscaling/v2beta1
 kind: HorizontalPodAutoscaler
 metadata:
   name: {{ include "sigma.worker" . }}
+  namespace: "{{ .Release.Namespace }}"
   labels:
     {{- include "sigma.worker.labels" . | nindent 4 }}
 spec:

diff --git a/deploy/sigma/templates/worker/service.yaml b/deploy/sigma/templates/worker/service.yaml
@@ -2,6 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
   name: {{ include "sigma.worker" . }}
+  namespace: "{{ .Release.Namespace }}"
   labels:
     {{- include "sigma.worker.labels" . | nindent 4 }}
 spec:

diff --git a/deploy/sigma/values.yaml b/deploy/sigma/values.yaml
@@ -100,7 +100,7 @@ serviceAccount:
   ## @param serviceAccount.annotations Additional Service Account annotations (evaluated as a template)
   annotations: {}
   ## @param serviceAccount.automountServiceAccountToken Automount service account token for the server service account
-  automountServiceAccountToken: false
+  automountServiceAccountToken: true
 
 config:
   log:
@@ -121,7 +121,16 @@ config:
     type: s3
     filesystem:
       path: /
-  # Notice: the tag never update after the first pulled from remote registry, unless you delete the image and pull again.
+  daemon:
+    builder:
+      enabled: true
+      image:
+        repository: tosone/sigma-builder
+        tag: latest
+      type: kubernetes
+      kubernetes:
+        kubeconfig: ""
+        namespace: sigma-builder
   proxy:
     enabled: true
     endpoint: https://registry-1.docker.io

diff --git a/docs/docs/configuration.mdx b/docs/docs/configuration.mdx
@@ -136,7 +136,7 @@ daemon:
       network: sigma
     kubernetes:
       kubeconfig:
-      namespace: default
+      namespace: sigma-builder
     podman:
       uri: unix:///run/podman/podman.sock
 

diff --git a/pkg/builder/kubernetes/informer.go b/pkg/builder/kubernetes/informer.go
@@ -49,4 +49,7 @@ func (i *instance) informer(_ context.Context) {
 	if err != nil {
 		log.Error().Err(err).Msg("Informer add event handler failed")
 	}
+
+	var stopChan = make(chan struct{})
+	podInformer.Run(stopChan)
 }
diff --git a/pkg/builder/kubernetes/k8s.go b/pkg/builder/kubernetes/k8s.go
@@ -21,6 +21,7 @@ import (
 	"path"
 	"reflect"
 	"strconv"
+	"strings"
 
 	"gopkg.in/yaml.v3"
 	corev1 "k8s.io/api/core/v1"
@@ -46,11 +47,13 @@ var _ builder.Factory = factory{}
 
 // New returns a new filesystem storage driver
 func (f factory) New(config configs.Configuration) (builder.Builder, error) {
-	i := &instance{}
+	i := &instance{
+		config: config,
+	}
 
 	var err error
 	var restConfig *restclient.Config
-	if config.Daemon.Builder.Kubernetes.Kubeconfig != nil {
+	if strings.TrimSpace(ptr.To(config.Daemon.Builder.Kubernetes.Kubeconfig)) != "" {
 		cfg := clientcmdapi.NewConfig()
 		err := yaml.Unmarshal([]byte(ptr.To(config.Daemon.Builder.Kubernetes.Kubeconfig)), &cfg)
 		if err != nil {
@@ -62,7 +65,7 @@ func (f factory) New(config configs.Configuration) (builder.Builder, error) {
 			return nil, fmt.Errorf("Get k8s rest config failed: %v", err)
 		}
 	} else {
-		restConfig, err = clientcmd.BuildConfigFromFlags("", "")
+		restConfig, err = restclient.InClusterConfig()
 		if err != nil {
 			return nil, fmt.Errorf("Get k8s client in cluster failed: %v", err)
 		}