Add RBAC support - issue 107 (#128)

* Add RBAC support

* RBAC support issue 107 changes requested

charts/virtual-kubelet-0.1.1-rbac/Chart.yaml

@@ -0,0 +1,8 @@
+name: virtual-kubelet
+version: 0.1.1
+description: a Helm chart to install virtual kubelet inside a Kubernetes cluster.
+sources:
+  - https://github.com/virtual-kubelet/virtual-kubelet
+maintainers:
+  - name: Robbie Zhang
+    email: junjiez@microsoft.com

charts/virtual-kubelet-0.1.1-rbac/templates/NOTES.txt

@@ -0,0 +1,21 @@
+{{- if and .Values.env.azureClientId .Values.env.azureClientKey .Values.env.azureTenantId .Values.env.azureSubscriptionId .Values.env.aciResourceGroup -}}
+
+The virtual kubelet is getting deployed on your cluster.
+
+To verify that virtual kubelet has started, run:
+
+  kubectl --namespace={{ .Release.Namespace }} get pods -l "app={{ template "fullname" . }}"
+
+{{- else -}}
+##############################################################################
+####  ERROR: You are missing required values in the values.yaml file.     ####
+##############################################################################
+
+This deployment will be incomplete until all the required fields in the values.yaml file have been provided.
+
+To update, run:
+
+    helm upgrade {{ .Release.Name }} \
+    --set env.azureClientId=<YOUR-AZURECLIENTID-HERE>,env.azureClientKey=<YOUR-AZURECLIENTKEY-HERE>,env.azureTenantId=<YOUR-AZURETENANTID-HERE>,env.azureSubscriptionId=<YOUR-AZURESUBSCRIPTIONID-HERE>,env.aciResourceGroup=<YOUR-ACIRESOURCEGROUP-HERE>,ev.aciOsType=<Linux|Windows>,rbac.install=<false|true>
+
+{{- end }}

charts/virtual-kubelet-0.1.1-rbac/templates/_helpers.tpl

@@ -0,0 +1,16 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 24 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+*/}}
+{{- define "fullname" -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}

charts/virtual-kubelet-0.1.1-rbac/templates/clusterrolebinding.yaml

@@ -0,0 +1,14 @@
+{{ if .Values.rbac.install }}
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ template "fullname" . }}-role-binding
+subjects:
+- kind: ServiceAccount
+  name: {{ template "fullname" . }}-service-account
+  namespace: default
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ .Values.rbac.roleRef }}
+{{ end }}

charts/virtual-kubelet-0.1.1-rbac/templates/deployment.yaml

@@ -0,0 +1,42 @@
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  name: {{ template "fullname" . }}
+spec:
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: {{ template "fullname" . }}
+    spec:
+      containers:
+      - name: {{ template "fullname" . }}
+        image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+        imagePullPolicy: {{ .Values.image.pullPolicy }}
+        env:
+        - name: KUBELET_PORT
+          value: "10250"
+        - name: AZURE_AUTH_LOCATION
+          value: /etc/virtual-kubelet/credentials.json
+        - name: ACI_RESOURCE_GROUP
+          value: {{ .Values.env.aciResourceGroup }}
+        - name: ACI_REGION
+          value: {{ default "westus" .Values.env.aciRegion }}
+        - name: APISERVER_CERT_LOCATION
+          value: /etc/virtual-kubelet/cert.pem
+        - name: APISERVER_KEY_LOCATION
+          value: /etc/virtual-kubelet/key.pem
+        - name: VKUBELET_POD_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        volumeMounts:
+        - name: credentials
+          mountPath: "/etc/virtual-kubelet"
+        command: ["virtual-kubelet"]
+        args: ["--provider", "azure", "--namespace", "default", "--nodename", {{ default "virtual-kubelet" .Values.env.nodeName | quote }} , "--os", {{ default "Linux" .Values.env.nodeOsType | quote }}, "--taint", {{ default "azure.com/aci" .Values.env.nodeTaint | quote }}]
+      volumes:
+      - name: credentials
+        secret:
+          secretName: {{ template "fullname" . }}
+      serviceAccountName: {{ if .Values.rbac.install }} "{{ template "fullname" . }}-service-account" {{ end }}

charts/virtual-kubelet-0.1.1-rbac/templates/secrets.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ template "fullname" . }}
+type: Opaque
+data:
+  credentials.json: {{ printf "{ \"clientId\": \"%s\", \"clientSecret\": \"%s\", \"subscriptionId\": \"%s\", \"tenantId\": \"%s\", \"activeDirectoryEndpointUrl\": \"https://login.microsoftonline.com/\", \"resourceManagerEndpointUrl\": \"https://management.azure.com/\", \"activeDirectoryGraphResourceId\": \"https://graph.windows.net/\", \"sqlManagementEndpointUrl\": \"database.windows.net\", \"galleryEndpointUrl\": \"https://gallery.azure.com/\", \"managementEndpointUrl\": \"https://management.core.windows.net/\" }" (default "MISSING" .Values.env.azureClientId) (default "MISSING" .Values.env.azureClientKey) (default "MISSING" .Values.env.azureSubscriptionId) (default "MISSING" .Values.env.azureTenantId) | b64enc | quote }}
+  cert.pem: {{ (default "TUlTU0lORw==" .Values.env.apiserverCert) | quote }}
+  key.pem: {{ (default "TUlTU0lORw==" .Values.env.apiserverKey) | quote }}

charts/virtual-kubelet-0.1.1-rbac/templates/serviceaccount.yaml

@@ -0,0 +1,6 @@
+{{ if .Values.rbac.install }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ template "fullname" . }}-service-account
+{{ end }}

charts/virtual-kubelet-0.1.1-rbac/values.yaml

@@ -0,0 +1,25 @@
+image:
+  repository: microsoft/virtual-kubelet
+  tag: latest
+  pullPolicy: Always
+env:
+  azureClientId: 
+  azureClientKey: 
+  azureTenantId: 
+  azureSubscriptionId: 
+  aciResourceGroup: 
+  aciRegion: 
+  nodeName: 
+  nodeTaint: 
+  nodeOsType: 
+  apiserverCert: 
+  apiserverKey: 
+
+# Install Default RBAC roles and bindings
+rbac:
+  install: false
+  serviceAccountName: virtual-kubelet
+  # RBAC api version (currently v1beta1)
+  apiVersion: v1beta1
+  # Cluster role reference
+  roleRef: cluster-admin

providers/azure/README.md

@@ -201,7 +201,7 @@ export VK_RELEASE=virtual-kubelet-for-aks-0.1.3
 For any other type of Kubernetes cluster:
 
 ```cli
-export VK_RELEASE=virtual-kubelet-0.1.0
+export VK_RELEASE=virtual-kubelet-0.1.1
 ```
 
 ```cli
@@ -214,9 +214,11 @@ chmod +x createCertAndKey.sh
 . ./createCertAndKey.sh
 
 helm install "$CHART_URL" --name "$RELEASE_NAME" \
-    --set env.azureClientId="$AZURE_CLIENT_ID",env.azureClientKey="$AZURE_CLIENT_SECRET",env.azureTenantId="$AZURE_TENANT_ID",env.azureSubscriptionId="$AZURE_SUBSCRIPTION_ID",env.aciResourceGroup="$AZURE_RG",env.nodeName="$NODE_NAME",env.nodeOsType=<Linux|Windows>,env.apiserverCert=$cert,env.apiserverKey=$key
+    --set env.azureClientId="$AZURE_CLIENT_ID",env.azureClientKey="$AZURE_CLIENT_SECRET",env.azureTenantId="$AZURE_TENANT_ID",env.azureSubscriptionId="$AZURE_SUBSCRIPTION_ID",env.aciResourceGroup="$AZURE_RG",env.nodeName="$NODE_NAME",env.nodeOsType=<Linux|Windows>,env.apiserverCert=$cert,env.apiserverKey=$key,rbac.install=false
 ```
 
+If your cluster has RBAC enabled set ```rbac.install=true```
+
 Output:
 
 ```console