Updated the k8s objects with correct labels 46/141946/3
authormpriyank <priyank.maheshwari@est.tech>
Wed, 27 Aug 2025 13:35:22 +0000 (14:35 +0100)
committerSourabh Sourabh <sourabh.sourabh@est.tech>
Tue, 2 Sep 2025 15:24:30 +0000 (15:24 +0000)
- added the label for app=cps-and-ncmp to all the kubernetes objects
- also added the relevant components label based on the type of
  kubernetes object
- added a custom service account cps-hazelcast-service-account to just
  provide the least amount of privileges
- added cps-hazelcast-rbac file so that the hazelcast members are able
  to discover using the k8s discovery service

Issue-ID: CPS-2960
Change-Id: I32d76fc3a955bd846c5e6aa0d78b80b8995a9c42
Signed-off-by: mpriyank <priyank.maheshwari@est.tech>
cps-charts/templates/cps-deployment.yaml
cps-charts/templates/cps-hazelcast-rbac.yaml [new file with mode: 0644]
cps-charts/templates/cps-hazelcast-service.yaml
cps-charts/templates/cps-service.yaml
cps-charts/templates/dmi-stub-deployment.yaml
cps-charts/templates/dmi-stub-service.yaml
cps-charts/templates/kafka-deployment.yaml
cps-charts/templates/kafka-service.yaml
cps-charts/templates/postgres-init-configmap.yaml
cps-charts/templates/postgresql-deployment.yaml
cps-charts/templates/postgresql-service.yaml

index a09fa7f..4fe8677 100644 (file)
@@ -2,6 +2,9 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: {{ include "cps-and-ncmp.fullname" . }}-cps
+  labels:
+    app: {{ include "cps-and-ncmp.name" . }}
+    component: cps-and-ncmp
 spec:
   replicas: {{ .Values.cps.replicas }}
   selector:
@@ -14,6 +17,7 @@ spec:
         app: {{ include "cps-and-ncmp.name" . }}
         component: cps
     spec:
+      serviceAccountName: cps-hazelcast-service-account
       containers:
         - name: cps
           image: "{{ .Values.cps.image.repository }}:{{ .Values.cps.image.tag }}"
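Review bot: `serviceAccountName: cps-hazelcast-service-account` is a bare string that has to stay in sync with the ServiceAccount declared in cps-hazelcast-rbac.yaml, and that account is pinned to `namespace: default`, so for a release installed in any other namespace this pod will not be created (the account does not exist there). Templating the name in one place, e.g. `serviceAccountName: {{ include "cps-and-ncmp.fullname" . }}-hazelcast` here and the same expression in the rbac file, keeps the two consistent and also avoids a name clash when two releases share a namespace. Mounting the token into this pod is expected if Hazelcast runs embedded in the cps container, which seems to be the case; the rest of the pod spec and its containers are outside the hunk.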
diff --git a/cps-charts/templates/cps-hazelcast-rbac.yaml b/cps-charts/templates/cps-hazelcast-rbac.yaml
new file mode 100644 (file)
index 0000000..9a48529
--- /dev/null
@@ -0,0 +1,54 @@
+# Reference : https://raw.githubusercontent.com/hazelcast/hazelcast/master/kubernetes-rbac.yaml
+# Simplified kubernetes-rbac.yaml with minimum necessary permissions granted to pods to query Kubernetes API.
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: cps-hazelcast-service-account
+  namespace: default
+  labels:
+    app: {{ include "cps-and-ncmp.name" . }}
+    component: hazelcast
+  annotations:
+    description: "Hazelcast discovery via Kubernetes API to find cluster members - minimal RBAC"
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: cps-hazelcast-role
+  labels:
+    app: {{ include "cps-and-ncmp.name" . }}
+    component: hazelcast
+rules:
+  - apiGroups:
+      - ""  # core API group (pods, nodes, services, endpoints)
+    resources:
+      - endpoints # used to discover other hazelcast members using kubernetes services
+      - pods
+      - services
+    verbs:
+      - get
+      - list
+  - apiGroups:
+      - "discovery.k8s.io"
+    resources:
+      - endpointslices # (for newer kubernetes versions) used to discover other hazelcast members using kubernetes services
+    verbs:
+      - get
+      - list
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: cps-hazelcast-role-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: cps-hazelcast-role
+subjects:
+  - kind: ServiceAccount
+    name: cps-hazelcast-service-account
+    namespace: default
\ No newline at end of file
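Review bot: The ServiceAccount metadata and the RoleBinding subject both hard-code `namespace: default`, while the Role carries no namespace and therefore lands in the release namespace together with the Deployment that references this account; installed anywhere but `default` the cps pod fails on a missing ServiceAccount, and the binding grants the Role to an account in a different namespace than the one the workload lives in. Use `namespace: {{ .Release.Namespace }}` on both the ServiceAccount and the RoleBinding subject (or drop the field on the ServiceAccount, which then inherits the release namespace). The grant itself is narrow (get/list only, no `nodes`), which is the right shape; as I understand Hazelcast's Kubernetes discovery, `pods` and `services` are only consulted for label-based or zone-aware discovery, so if the chart discovers by `service-name` alone the rule could be trimmed to endpoints/endpointslices — worth confirming against the Hazelcast config. Minor: the apiGroups comment mentions `nodes` although that resource is not granted, the RoleBinding is the only object in this change without the `app`/`component` labels, and the file lacks a trailing newline.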
index 310f869..2385b40 100644 (file)
@@ -2,6 +2,9 @@ apiVersion: v1
 kind: Service
 metadata:
   name: {{ include "cps-and-ncmp.name" . }}-cps-hazelcast
+  labels:
+    app: {{ include "cps-and-ncmp.name" . }}
+    component: cps-and-ncmp
 spec:
   clusterIP: None
   selector:
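Review bot: The headless Hazelcast Service is labelled `component: cps-and-ncmp`, while the ServiceAccount and Role introduced for the same discovery flow use `component: hazelcast`; labelling it `component: hazelcast` would let a label selector (for instance a NetworkPolicy limiting who may reach the Hazelcast port, or a `service-label-name` discovery query, if that is how members are found) address this object together with the rest of the Hazelcast pieces. The Service's `selector` block continues outside the hunk.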
index c19df5c..de8bffd 100644 (file)
@@ -2,6 +2,9 @@ apiVersion: v1
 kind: Service
 metadata:
   name: {{ include "cps-and-ncmp.fullname" . }}-cps
+  labels:
+    app: {{ include "cps-and-ncmp.name" . }}
+    component: cps-and-ncmp
 spec:
   type: {{ .Values.cps.service.type | default "ClusterIP" }}
   selector:
index f0a59a9..dd56bfa 100644 (file)
@@ -4,6 +4,7 @@ metadata:
   name: {{ include "cps-and-ncmp.fullname" . }}-dmi-stub
   labels:
     app: {{ include "cps-and-ncmp.name" . }}
+    component: dmi-stub
 spec:
   replicas: {{ .Values.dmiStub.replicaCount }}
   selector:
index bc8b0b6..79f727d 100644 (file)
@@ -4,6 +4,7 @@ metadata:
   name: {{ include "cps-and-ncmp.fullname" . }}-dmi-stub
   labels:
     app: {{ include "cps-and-ncmp.name" . }}
+    component: dmi-stub
 spec:
   type: {{ .Values.dmiStub.service.type }}
   ports:
index eb7e97e..46fa90e 100644 (file)
@@ -3,7 +3,8 @@ kind: Deployment
 metadata:
   name: {{ include "cps-and-ncmp.fullname" . }}-kafka
   labels:
-    app: kafka
+    app: {{ include "cps-and-ncmp.name" . }}
+    component: kafka
 spec:
   replicas: {{ .Values.kafka.replicaCount }}
   selector:
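Review bot: Changing the Deployment's own `app` label from `kafka` to the chart name is harmless on its own, but `spec.selector` at the end of the hunk continues outside it; `matchLabels` of an existing Deployment is immutable, so if the selector and pod-template labels were changed to `app: {{ include "cps-and-ncmp.name" . }}` in the same spirit, `helm upgrade` on an existing install will be rejected unless the kafka Deployment is recreated. If they were left as `app: kafka`, the kafka Service selector stays consistent and only the metadata label differs, which is fine.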
index a2cdba3..b50aadd 100644 (file)
@@ -3,7 +3,8 @@ kind: Service
 metadata:
   name: {{ include "cps-and-ncmp.fullname" . }}-kafka
   labels:
-    app: kafka
+    app: {{ include "cps-and-ncmp.name" . }}
+    component: kafka
 spec:
   type: {{ .Values.kafka.service.type }}
   ports:
index 5a5344b..1a2aca6 100644 (file)
@@ -2,6 +2,9 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   name: postgres-init-sql
+  labels:
+    app: {{ include "cps-and-ncmp.name" . }}
+    component: postgres
 data:
   postgres-init.sql: |-
     {{ .Files.Get "config/postgres-init.sql" | indent 4 }}
\ No newline at end of file
index ecc2137..3f888f7 100644 (file)
@@ -2,6 +2,9 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: {{ include "cps-and-ncmp.fullname" . }}-postgresql
+  labels:
+    app: {{ include "cps-and-ncmp.name" . }}
+    component: postgres
 spec:
   replicas: 1
   selector:
index 1997c7d..ad6b0e6 100644 (file)
@@ -2,6 +2,9 @@ apiVersion: v1
 kind: Service
 metadata:
   name: {{ include "cps-and-ncmp.fullname" . }}-postgresql
+  labels:
+    app: {{ include "cps-and-ncmp.name" . }}
+    component: postgres
 spec:
   type: ClusterIP
   selector: