diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8d020176..909409ed 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,10 @@ numbering uses [semantic versioning](http://semver.org).
 
 NOTE: The change log until version `v0.2.4` is auto-generated.
 
+## [v5.18.0](https://github.com/puppetlabs/puppetserver-helm-chart/tree/v5.18.0) (2022-05-20)
+
+- feat: add pod security policies
+
 ## [v5.17.0](https://github.com/puppetlabs/puppetserver-helm-chart/tree/v5.17.0) (2022-04-13)
 
 - fix: delete parameter '--strip-components 1' of Puppetserver certificate (unzip)
diff --git a/Chart.yaml b/Chart.yaml
index 4e86286d..bd056b11 100644
--- a/Chart.yaml
+++ b/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v1
 name: puppetserver
-version: 5.17.0
+version: 5.18.0
 appVersion: 7.4.2
 description: Puppet automates the delivery and operation of software.
 keywords: ["puppet", "puppetserver", "automation", "iac", "infrastructure", "cm", "ci", "cd"]
diff --git a/README.md b/README.md
index a08c1d30..f3d3092d 100644
--- a/README.md
+++ b/README.md
@@ -206,6 +206,10 @@ The following table lists the configurable parameters of the Puppetserver chart
 | `puppetserver.preGeneratedCertsJob.enabled` | puppetserver pre-generated certs |`false`|
 | `puppetserver.preGeneratedCertsJob.jobDeadline` | puppetserver pre-generated certs job deadline in seconds |`60`|
 | `puppetserver.puppeturl`| puppetserver control repo url |``|
+| `puppetserver.serviceAccount.enabled`| Enable service account (Note: Service Account will only be automatically created if `puppetserver.serviceAccount.create` is not set. |`false`|
+| `puppetserver.serviceAccount.create`| puppetserver additional masters svc labels |`false`|
+| `puppetserver.rbac.create`| Enable PodSecurityPolicy's RBAC rules |`false`|
+| `puppetserver.psp.create`| Whether to create a PodSecurityPolicy. WARNING: PodSecurityPolicy is deprecated in Kubernetes v1.21 or later, unavailable in v1.25 or later |`false`|
 | `r10k.name` | r10k component label | `r10k`|
 | `r10k.image` | r10k img | `puppet/r10k`|
 | `r10k.tag` | r10k img tag | `3.5.1`|
@@ -247,6 +251,10 @@ The following table lists the configurable parameters of the Puppetserver chart
 | `puppetdb.customPersistentVolumeClaim.storage.enable`| If true, use custom PVC for storage |``|
 | `puppetdb.customPersistentVolumeClaim.storage.config`| Configuration for custom PVC for storage |``|
 | `puppetdb.extraContainers`| Extra containers to inject into the puppetdb pod |``|
+| `puppetdb.serviceAccount.enabled`| Enable service account (Note: Service Account will only be automatically created if `puppetdb.serviceAccount.create` is not set. |`false`|
+| `puppetdb.serviceAccount.create`| puppetdb additional masters svc labels |`false`|
+| `puppetdb.rbac.create`| Enable PodSecurityPolicy's RBAC rules |`false`|
+| `puppetdb.psp.create`| Whether to create a PodSecurityPolicy. WARNING: PodSecurityPolicy is deprecated in Kubernetes v1.21 or later, unavailable in v1.25 or later |`false`|
 | `puppetboard.enabled` | puppetboard availability | `false`|
 | `puppetboard.name` | puppetboard component label | `puppetboard`|
 | `puppetboard.image` | puppetboard img | `xtigyro/puppetboard`|
@@ -353,3 +361,4 @@ kill %[job_numbers_above]
 * [Manasseh MMadu](https://github.com/mensaah), Contributor
 * [Aidan](https://github.com/artificial-aidan), Contributor
 * [Aurélien Le Clainche](https://www.linkedin.com/in/aurelien-le-clainche/), Contributor
+* [David Phayanouvong](https://github.com/davidphayanouvong), Contributor
\ No newline at end of file
diff --git a/templates/puppetdb-deployment.yaml b/templates/puppetdb-deployment.yaml
index e428dcbd..f53273f6 100644
--- a/templates/puppetdb-deployment.yaml
+++ b/templates/puppetdb-deployment.yaml
@@ -21,6 +21,9 @@ spec:
 {{- end }}
 spec:
 hostname: puppetdb
+ {{- if .Values.puppetdb.serviceAccount.enabled }}
+ serviceAccountName: {{ .Values.puppetdb.serviceAccount.accountName }}
+ {{- end }}
 containers:
 {{- with .Values.puppetdb.extraContainers }}
 {{- toYaml . | nindent 8 }}
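Review bot: `serviceAccountName: {{ .Values.puppetdb.serviceAccount.accountName }}` in the puppetdb-deployment hunk has no fallback, while the new puppetdb-role, puppetdb-rolebinding and puppetdb-serviceaccount templates all use `default "puppetdb"`, and the values.yaml hunks in this commit declare `serviceAccount.enabled`/`create` but no `accountName`. With only `enabled: true` set, the pod spec renders an unset value here and the pod does not run as the account the RoleBinding grants the PSP to, so the policy is never applied as intended. Use the same fallback: `serviceAccountName: {{ default "puppetdb" .Values.puppetdb.serviceAccount.accountName }}`. The same gap is in templates/puppetserver-deployment-masters.yaml and templates/puppetserver-statefulset-compilers.yaml, which should fall back to whatever name their role/rolebinding templates use. The surrounding pod spec begins and continues outside the hunk.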
diff --git a/templates/puppetdb-podsecuritypolicy.yaml b/templates/puppetdb-podsecuritypolicy.yaml
new file mode 100644
index 00000000..86c482c1
--- /dev/null
+++ b/templates/puppetdb-podsecuritypolicy.yaml
@@ -0,0 +1,32 @@
+{{- if .Values.puppetdb.psp.create }}
+apiVersion: {{ include "podsecuritypolicy.apiVersion" . }}
+kind: PodSecurityPolicy
+metadata:
+ name: {{ default "puppetdb" .Values.puppetdb.serviceAccount.accountName }}-psp
+ namespace: {{ .Release.Namespace }}
+spec:
+ privileged: true
+ volumes:
+ - 'configMap'
+ - 'secret'
+ - 'persistentVolumeClaim'
+ - 'emptyDir'
+ hostNetwork: false
+ hostIPC: false
+ hostPID: false
+ runAsUser:
+ rule: 'RunAsAny'
+ seLinux:
+ rule: 'RunAsAny'
+ supplementalGroups:
+ rule: 'MustRunAs'
+ ranges:
+ - min: 1
+ max: 65535
+ fsGroup:
+ rule: 'MustRunAs'
+ ranges:
+ - min: 1
+ max: 65535
+ readOnlyRootFilesystem: false
+{{- end }}
diff --git a/templates/puppetdb-role.yaml b/templates/puppetdb-role.yaml
new file mode 100644
index 00000000..b08a0cdb
--- /dev/null
+++ b/templates/puppetdb-role.yaml
@@ -0,0 +1,15 @@
+{{- if .Values.puppetdb.rbac.create }}
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ default "puppetdb" .Values.puppetdb.serviceAccount.accountName }}-role
+ namespace: {{ .Release.Namespace }}
+rules:
+ {{- if .Values.puppetdb.psp.create }}
+ - apiGroups: ["extensions"]
+ resources: ["podsecuritypolicies"]
+ verbs: ["use"]
+ resourceNames:
+ - {{ default "puppetdb" .Values.puppetdb.serviceAccount.accountName }}-psp
+ {{- end }}
+{{- end }}
diff --git a/templates/puppetdb-rolebinding.yaml b/templates/puppetdb-rolebinding.yaml
new file mode 100644
index 00000000..018893af
--- /dev/null
+++ b/templates/puppetdb-rolebinding.yaml
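Review bot: `privileged: true` in the puppetdb PSP spec, together with `runAsUser: RunAsAny`, `readOnlyRootFilesystem: false` and no `allowPrivilegeEscalation` setting, makes this a permit-everything policy for the puppetdb account, so turning on `psp.create` adds a cluster object without adding any restriction. Nothing in this commit shows puppetdb needing a privileged container, so `privileged: false` and `allowPrivilegeEscalation: false` look like the right defaults, to be confirmed against what the puppetdb image actually requires. `namespace: {{ .Release.Namespace }}` under metadata is also misplaced: PodSecurityPolicy is cluster-scoped, so the field is ignored and should be dropped. Both points apply equally to templates/puppetserver-podsecuritypolicy.yaml.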
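Review bot: The `use` rule in puppetdb-role.yaml names `apiGroups: ["extensions"]`, but PodSecurityPolicy is served from the `policy` API group (the `extensions/v1beta1` version was removed in Kubernetes 1.16), so on any cluster where the `podsecuritypolicy.apiVersion` helper, which is not in this diff, emits `policy/v1beta1` this Role grants nothing and the puppetdb pod may be rejected at admission once `psp.create` is enabled unless some other policy authorizes it. Change it to `- apiGroups: ["policy"]`. The same line is in templates/puppetserver-role.yaml.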
@@ -0,0 +1,15 @@
+{{- if .Values.puppetdb.rbac.create }}
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ default "puppetdb" .Values.puppetdb.serviceAccount.accountName }}-rb
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ default "puppetdb" .Values.puppetdb.serviceAccount.accountName }}-role
+subjects:
+ - kind: ServiceAccount
+ name: {{ default "puppetdb" .Values.puppetdb.serviceAccount.accountName }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
diff --git a/templates/puppetdb-serviceaccount.yaml b/templates/puppetdb-serviceaccount.yaml
new file mode 100644
index 00000000..10d5fff4
--- /dev/null
+++ b/templates/puppetdb-serviceaccount.yaml
@@ -0,0 +1,7 @@
+{{- if and (.Values.puppetdb.serviceAccount.enabled) (.Values.puppetdb.serviceAccount.create) }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ .Values.puppetdb.serviceAccount.accountName | default "puppetdb" }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
diff --git a/templates/puppetserver-deployment-masters.yaml b/templates/puppetserver-deployment-masters.yaml
index d46d96b8..a5d4f387 100644
--- a/templates/puppetserver-deployment-masters.yaml
+++ b/templates/puppetserver-deployment-masters.yaml
@@ -27,6 +27,9 @@ spec:
 {{- end }}
 spec:
 hostname: {{ template "puppetserver.puppetserver-masters.serviceName" . }}
+ {{- if .Values.puppetserver.serviceAccount.enabled }}
+ serviceAccountName: {{ .Values.puppetserver.serviceAccount.accountName }}
+ {{- end }}
 initContainers:
 - name: perms-and-dirs
 image: "{{.Values.puppetserver.image}}:{{.Values.puppetserver.tag}}"
diff --git a/templates/puppetserver-podsecuritypolicy.yaml b/templates/puppetserver-podsecuritypolicy.yaml
new file mode 100644
index 00000000..ae96b9fb
--- /dev/null
+++ b/templates/puppetserver-podsecuritypolicy.yaml
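Review bot: The guard `and (.Values.puppetdb.serviceAccount.enabled) (.Values.puppetdb.serviceAccount.create)` in puppetdb-serviceaccount.yaml creates the account only when both flags are true, whereas the README row this commit adds for `puppetdb.serviceAccount.enabled` says the account is created when `create` is *not* set; the README text (and its puppetserver twin) should be corrected to match this condition. Nothing in this commit gives the puppetdb pod a reason to talk to the API server — the account exists so the RoleBinding can grant `use` on the PSP, which is checked at admission — so consider adding `automountServiceAccountToken: false` to the ServiceAccount so its token is not mounted into the pod, after confirming the image does not need it.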
@@ -0,0 +1,36 @@
+{{- if .Values.puppetserver.psp.create }}
+apiVersion: {{ include "podsecuritypolicy.apiVersion" . }}
+kind: PodSecurityPolicy
+metadata:
+ name: {{ default "puppetserver" .Values.puppetserver.serviceAccount.accountName }}-psp
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ helm.sh/hook: pre-install
+ helm.sh/hook-delete-policy: before-hook-creation
+ helm.sh/hook-weight: "-10"
+spec:
+ privileged: true
+ volumes:
+ - 'configMap'
+ - 'secret'
+ - 'persistentVolumeClaim'
+ - 'emptyDir'
+ hostNetwork: false
+ hostIPC: false
+ hostPID: false
+ runAsUser:
+ rule: 'RunAsAny'
+ seLinux:
+ rule: 'RunAsAny'
+ supplementalGroups:
+ rule: 'MustRunAs'
+ ranges:
+ - min: 1
+ max: 65535
+ fsGroup:
+ rule: 'MustRunAs'
+ ranges:
+ - min: 1
+ max: 65535
+ readOnlyRootFilesystem: false
+{{- end }}
diff --git a/templates/puppetserver-role.yaml b/templates/puppetserver-role.yaml
new file mode 100644
index 00000000..f9c780af
--- /dev/null
+++ b/templates/puppetserver-role.yaml
@@ -0,0 +1,19 @@
+{{- if .Values.puppetserver.rbac.create }}
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ default "puppetserver" .Values.puppetserver.serviceAccount.accountName }}-role
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ helm.sh/hook: pre-install
+ helm.sh/hook-delete-policy: before-hook-creation
+ helm.sh/hook-weight: "-10"
+rules:
+ {{- if .Values.puppetserver.psp.create }}
+ - apiGroups: ["extensions"]
+ resources: ["podsecuritypolicies"]
+ verbs: ["use"]
+ resourceNames:
+ - {{ default "puppetserver" .Values.puppetserver.serviceAccount.accountName }}-psp
+ {{- end }}
+{{- end }}
diff --git a/templates/puppetserver-rolebinding.yaml b/templates/puppetserver-rolebinding.yaml
new file mode 100644
index 00000000..6e2cba03
--- /dev/null
+++ b/templates/puppetserver-rolebinding.yaml
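Review bot: The `helm.sh/hook: pre-install` annotations on this PodSecurityPolicy, and on the puppetserver Role, RoleBinding and ServiceAccount added in this commit, turn those resources into install-time hooks: as far as I can tell they are not re-rendered on `helm upgrade`, so a later change to the policy or to `serviceAccount.accountName` is not applied to an existing release, and with `before-hook-creation` as the only delete policy they are left behind on `helm uninstall`. The puppetdb counterparts carry no hook annotations, so the two halves of the chart behave differently. If the intent is only ordering (account and policy before the workloads), plain release resources already get that from Helm's default install order, which puts PodSecurityPolicy, ServiceAccount, Role and RoleBinding ahead of Deployments and StatefulSets; removing the `annotations:` block and its three `helm.sh/hook*` lines lets Helm manage these objects like the rest of the release. If the hook is needed for another reason, a comment above `annotations:` should say why.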
@@ -0,0 +1,19 @@
+{{- if .Values.puppetserver.rbac.create }}
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ default "puppetserver" .Values.puppetserver.serviceAccount.accountName }}-rb
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ helm.sh/hook: pre-install
+ helm.sh/hook-delete-policy: before-hook-creation
+ helm.sh/hook-weight: "-10"
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ default "puppetserver" .Values.puppetserver.serviceAccount.accountName }}-role
+subjects:
+ - kind: ServiceAccount
+ name: {{ default "puppetserver" .Values.puppetserver.serviceAccount.accountName }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
diff --git a/templates/puppetserver-serviceaccount.yaml b/templates/puppetserver-serviceaccount.yaml
new file mode 100644
index 00000000..edc832fb
--- /dev/null
+++ b/templates/puppetserver-serviceaccount.yaml
@@ -0,0 +1,11 @@
+{{- if and (.Values.puppetserver.serviceAccount.enabled) (.Values.puppetserver.serviceAccount.create) }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ .Values.puppetserver.serviceAccount.accountName | default "puppet" }}
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ helm.sh/hook: pre-install
+ helm.sh/hook-delete-policy: before-hook-creation
+ helm.sh/hook-weight: "-10"
+{{- end }}
diff --git a/templates/puppetserver-statefulset-compilers.yaml b/templates/puppetserver-statefulset-compilers.yaml
index 7c8bec97..4b000758 100644
--- a/templates/puppetserver-statefulset-compilers.yaml
+++ b/templates/puppetserver-statefulset-compilers.yaml
@@ -31,6 +31,9 @@ spec:
 {{- toYaml .Values.podAnnotations | nindent 8 }}
 {{- end }}
 spec:
+ {{- if .Values.puppetserver.serviceAccount.enabled }}
+ serviceAccountName: {{ .Values.puppetserver.serviceAccount.accountName }}
+ {{- end }}
 initContainers:
 - name: perms-and-dirs
 image: "{{.Values.puppetserver.image}}:{{.Values.puppetserver.tag}}"
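Review bot: `default "puppet"` on the ServiceAccount name in puppetserver-serviceaccount.yaml disagrees with the `default "puppetserver"` used by templates/puppetserver-role.yaml and templates/puppetserver-rolebinding.yaml in this commit: with `accountName` unset, the account that gets created is `puppet`, the RoleBinding subject is `puppetserver`, and the PSP `use` grant binds to an account that does not exist, so pods created under `psp.create` have no policy they are allowed to use. Change the line to `name: {{ .Values.puppetserver.serviceAccount.accountName | default "puppetserver" }}`, or pick one name and use it in all four puppetserver templates plus the two workload specs.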
diff --git a/values.yaml b/values.yaml
index cf451e4b..f92e936d 100644
--- a/values.yaml
+++ b/values.yaml
@@ -283,6 +283,18 @@ puppetserver:
 enabled: false
 jobDeadline: 300
 
+ ## Optional configure serviceAccount & rbac
+ serviceAccount:
+ enabled: false
+ create: false
+
+ rbac:
+ create: false
+
+ psp:
+ create: false
+
+
 ## The pattern of managing Hieradata in a separate repository is
 ## both common and acceptable. Doing so provides the ability to decouple
 ## the management of configuration data from that of the Puppet code base.
@@ -427,6 +439,17 @@ puppetdb:
 enable: false
 config: {}
 
+ ## Optional configure serviceAccount & rbac
+ serviceAccount:
+ enabled: false
+ create: false
+
+ rbac:
+ create: false
+
+ psp:
+ create: false
+
 ## PostgreSQL Sub-Chart Configuration
 ## Please check: https://github.com/bitnami/charts/tree/master/bitnami/postgresql
 ##
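Review bot: Every new template reads `serviceAccount.accountName`, but neither the `puppetserver` block in the first hunk nor the `puppetdb` block in the second declares it, so an operator reading values.yaml cannot discover the key and the workload specs render an unset value as soon as `enabled: true` is set without it. Declare it explicitly in both blocks under `serviceAccount:`, e.g. `## Name of the ServiceAccount to run as (and to create when create is true)` followed by `accountName: ""`. The `psp.create` flags would also benefit from the deprecation note the README gives, since values.yaml is where the flag is actually set: `## PodSecurityPolicy is deprecated in Kubernetes v1.21 and unavailable in v1.25 or later`.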