From 9cfc9531df1a857e777faebf716087f81643bde4 Mon Sep 17 00:00:00 2001
From: Marcio Silva
Date: Wed, 31 Jan 2024 18:38:06 -0500
Subject: [PATCH] Customized pullPolicy for `verifier`, `tenant`, `registrar` and `agent`

Signed-off-by: Marcio Silva
---
 Makefile | 32 +++++++++----------
 .../keylime-agent/templates/_helpers.tpl | 11 +++++++
 .../keylime-registrar/templates/_helpers.tpl | 12 ++++++-
 .../keylime-tenant/templates/_helpers.tpl | 11 +++++++
 .../keylime-verifier/templates/_helpers.tpl | 11 +++++++
 build/helm/keylime/templates/_helpers.tpl | 1 +
 build/helm/keylime/values.yaml | 8 +++++
 7 files changed, 69 insertions(+), 17 deletions(-)

diff --git a/Makefile b/Makefile
index d4ef79e..5641df5 100644
--- a/Makefile
+++ b/Makefile
@@ -231,22 +231,22 @@ helm-keylime-clean: ## Cleans the packaged keylime helm chart
 .PHONY: helm-keylime-undeploy
 helm-keylime-undeploy: ## Undeploy the keylime helm chart
 { \
- helm list --namespace $(HELM_CHART_NAMESPACE) | grep -q $(HELM_CHART_RELEASE_NAME) &&\
- helm uninstall $(HELM_CHART_RELEASE_NAME) --namespace $(HELM_CHART_NAMESPACE);\
- kubectl get persistentvolumeclaim/data-$(HELM_CHART_RELEASE_NAME)-mysql-0 --namespace $(HELM_CHART_NAMESPACE) > /dev/null 2>&1 &&\
- kubectl delete persistentvolumeclaim/data-$(HELM_CHART_RELEASE_NAME)-mysql-0 --namespace $(HELM_CHART_NAMESPACE);\
- kubectl get secret/$(HELM_CHART_RELEASE_NAME)-keylime-ca-password --namespace $(HELM_CHART_NAMESPACE) > /dev/null 2>&1 &&\
- kubectl delete secret/$(HELM_CHART_RELEASE_NAME)-keylime-ca-password --namespace $(HELM_CHART_NAMESPACE);\
- kubectl get secret/$(HELM_CHART_RELEASE_NAME)-keylime-mysql-password --namespace $(HELM_CHART_NAMESPACE) > /dev/null 2>&1 &&\
- kubectl delete secret/$(HELM_CHART_RELEASE_NAME)-keylime-mysql-password --namespace $(HELM_CHART_NAMESPACE);\
- kubectl get secret/$(HELM_CHART_RELEASE_NAME)-keylime-certs --namespace $(HELM_CHART_NAMESPACE) > /dev/null 2>&1 &&\
- kubectl delete secret/$(HELM_CHART_RELEASE_NAME)-keylime-certs --namespace $(HELM_CHART_NAMESPACE);\
- kubectl get secret/$(HELM_CHART_RELEASE_NAME)-keylime-tpm-cert-store --namespace $(HELM_CHART_NAMESPACE) > /dev/null 2>&1 &&\
- kubectl delete secret/$(HELM_CHART_RELEASE_NAME)-keylime-tpm-cert-store --namespace $(HELM_CHART_NAMESPACE);\
- kubectl get secret/$(HELM_CHART_RELEASE_NAME)-keylime-tpm-extra-cert-store --namespace $(HELM_CHART_NAMESPACE) > /dev/null 2>&1 &&\
- kubectl delete secret/$(HELM_CHART_RELEASE_NAME)-keylime-tpm-extra-cert-store --namespace $(HELM_CHART_NAMESPACE);\
- kubectl get job/$(HELM_CHART_RELEASE_NAME)-keylime-init-ca --namespace $(HELM_CHART_NAMESPACE) > /dev/null 2>&1 &&\
- kubectl delete job/$(HELM_CHART_RELEASE_NAME)-keylime-init-ca --namespace $(HELM_CHART_NAMESPACE);\
+ helm list --namespace $(HELM_CHART_NAMESPACE) --kubeconfig $(HELM_CHART_KUBECONFIG) | grep -q $(HELM_CHART_RELEASE_NAME) &&\
+ helm uninstall $(HELM_CHART_RELEASE_NAME) --namespace $(HELM_CHART_NAMESPACE) --kubeconfig $(HELM_CHART_KUBECONFIG);\
+ kubectl --kubeconfig $(HELM_CHART_KUBECONFIG) get persistentvolumeclaim/data-$(HELM_CHART_RELEASE_NAME)-mysql-0 --namespace $(HELM_CHART_NAMESPACE) > /dev/null 2>&1 &&\
+ kubectl --kubeconfig $(HELM_CHART_KUBECONFIG) delete persistentvolumeclaim/data-$(HELM_CHART_RELEASE_NAME)-mysql-0 --namespace $(HELM_CHART_NAMESPACE);\
+ kubectl --kubeconfig $(HELM_CHART_KUBECONFIG) get secret/$(HELM_CHART_RELEASE_NAME)-keylime-ca-password --namespace $(HELM_CHART_NAMESPACE) > /dev/null 2>&1 &&\
+ kubectl --kubeconfig $(HELM_CHART_KUBECONFIG) delete secret/$(HELM_CHART_RELEASE_NAME)-keylime-ca-password --namespace $(HELM_CHART_NAMESPACE);\
+ kubectl --kubeconfig $(HELM_CHART_KUBECONFIG) get secret/$(HELM_CHART_RELEASE_NAME)-keylime-mysql-password --namespace $(HELM_CHART_NAMESPACE) > /dev/null 2>&1 &&\
+ kubectl --kubeconfig $(HELM_CHART_KUBECONFIG) delete secret/$(HELM_CHART_RELEASE_NAME)-keylime-mysql-password --namespace $(HELM_CHART_NAMESPACE);\
+ kubectl --kubeconfig $(HELM_CHART_KUBECONFIG) get secret/$(HELM_CHART_RELEASE_NAME)-keylime-certs --namespace $(HELM_CHART_NAMESPACE) > /dev/null 2>&1 &&\
+ kubectl --kubeconfig $(HELM_CHART_KUBECONFIG) delete secret/$(HELM_CHART_RELEASE_NAME)-keylime-certs --namespace $(HELM_CHART_NAMESPACE);\
+ kubectl --kubeconfig $(HELM_CHART_KUBECONFIG) get secret/$(HELM_CHART_RELEASE_NAME)-keylime-tpm-cert-store --namespace $(HELM_CHART_NAMESPACE) > /dev/null 2>&1 &&\
+ kubectl --kubeconfig $(HELM_CHART_KUBECONFIG) delete secret/$(HELM_CHART_RELEASE_NAME)-keylime-tpm-cert-store --namespace $(HELM_CHART_NAMESPACE);\
+ kubectl --kubeconfig $(HELM_CHART_KUBECONFIG) get secret/$(HELM_CHART_RELEASE_NAME)-keylime-tpm-extra-cert-store --namespace $(HELM_CHART_NAMESPACE) > /dev/null 2>&1 &&\
+ kubectl --kubeconfig $(HELM_CHART_KUBECONFIG) delete secret/$(HELM_CHART_RELEASE_NAME)-keylime-tpm-extra-cert-store --namespace $(HELM_CHART_NAMESPACE);\
+ kubectl --kubeconfig $(HELM_CHART_KUBECONFIG) get job/$(HELM_CHART_RELEASE_NAME)-keylime-init-ca --namespace $(HELM_CHART_NAMESPACE) > /dev/null 2>&1 &&\
+ kubectl --kubeconfig $(HELM_CHART_KUBECONFIG) delete job/$(HELM_CHART_RELEASE_NAME)-keylime-init-ca --namespace $(HELM_CHART_NAMESPACE);\
 rm -f $(MKFILE_DIR)/kt;\
 }
diff --git a/build/helm/keylime/charts/keylime-agent/templates/_helpers.tpl b/build/helm/keylime/charts/keylime-agent/templates/_helpers.tpl
index 2cc36d0..6340efa 100644
--- a/build/helm/keylime/charts/keylime-agent/templates/_helpers.tpl
+++ b/build/helm/keylime/charts/keylime-agent/templates/_helpers.tpl
@@ -135,6 +135,17 @@ Define a custom init image tag.
 {{- end }}
 {{- end }}
+{{/*
+Define a custom image pullpolicy.
+*/}}
+{{- define "agent.image.pullPolicy" -}}
+{{- if .Values.global.service.agent.image.pullPolicy }}
+{{- toYaml .Values.global.service.agent.image.pullPolicy }}
+{{- else }}
+{{- toYaml .Values.image.pullPolicy }}
+{{- end }}
+{{- end }}
+
 {{/*
 Define a custom plugin image repository.
 */}}
diff --git a/build/helm/keylime/charts/keylime-registrar/templates/_helpers.tpl b/build/helm/keylime/charts/keylime-registrar/templates/_helpers.tpl
index 2172f8f..cdce10c 100644
--- a/build/helm/keylime/charts/keylime-registrar/templates/_helpers.tpl
+++ b/build/helm/keylime/charts/keylime-registrar/templates/_helpers.tpl
@@ -157,7 +157,6 @@ Will expand a whole 'storageClassName: ' section, or nothing if the setti
 {{- end }}
 {{- end }}
-
 {{/*
 Define a custom image repository.
 */}}
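Review bot: In the Makefile's `helm-keylime-undeploy` recipe every new `--kubeconfig $(HELM_CHART_KUBECONFIG)` is expanded unquoted and unchecked, and the definition of `HELM_CHART_KUBECONFIG` lies outside this hunk. If it expands to nothing, kubectl would take the next word (`get`) as the kubeconfig path, each `get … > /dev/null 2>&1 &&` guard would fail silently, and because the steps are joined with `;` the recipe still ends on `rm -f` and exits 0. The CA-password, MySQL-password and certificate secrets would then stay in the cluster after an apparently successful undeploy. I would fail fast at the top of the brace group with `test -n "$(HELM_CHART_KUBECONFIG)" || { echo "HELM_CHART_KUBECONFIG is empty" >&2; exit 1; };\` and pass the value as `--kubeconfig "$(HELM_CHART_KUBECONFIG)"` so a path containing spaces is not split.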
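Review bot: The comment on `agent.image.pullPolicy` in keylime-agent/templates/_helpers.tpl does not state the precedence the template implements: a non-empty `.Values.global.service.agent.image.pullPolicy` wins, and the subchart's own `.Values.image.pullPolicy` is only a fallback. values.yaml in this same patch sets the global key to `IfNotPresent` for all four services, so with default values the `else` branch is never taken. An operator who sets `image.pullPolicy: Always` on the subchart to force fresh pulls would therefore be overridden without any warning. I would spell this out in the comment, e.g. `Image pull policy: global.service.agent.image.pullPolicy when set, otherwise the subchart's image.pullPolicy.` The same applies to the `registrar`, `tenant` and `verifier` helpers added in the following files.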
@@ -179,3 +178,14 @@ Define a custom image tag.
 {{- toYaml .Chart.AppVersion }}
 {{- end }}
 {{- end }}
+
+{{/*
+Define a custom image pullpolicy.
+*/}}
+{{- define "registrar.image.pullPolicy" -}}
+{{- if .Values.global.service.registrar.image.pullPolicy }}
+{{- toYaml .Values.global.service.registrar.image.pullPolicy }}
+{{- else }}
+{{- toYaml .Values.image.pullPolicy }}
+{{- end }}
+{{- end }}
diff --git a/build/helm/keylime/charts/keylime-tenant/templates/_helpers.tpl b/build/helm/keylime/charts/keylime-tenant/templates/_helpers.tpl
index 611312b..89f7511 100644
--- a/build/helm/keylime/charts/keylime-tenant/templates/_helpers.tpl
+++ b/build/helm/keylime/charts/keylime-tenant/templates/_helpers.tpl
@@ -115,3 +115,14 @@ Define a custom image tag.
 {{- toYaml .Chart.AppVersion }}
 {{- end }}
 {{- end }}
+
+{{/*
+Define a custom image pullpolicy.
+*/}}
+{{- define "tenant.image.pullPolicy" -}}
+{{- if .Values.global.service.tenant.image.pullPolicy }}
+{{- toYaml .Values.global.service.tenant.image.pullPolicy }}
+{{- else }}
+{{- toYaml .Values.image.pullPolicy }}
+{{- end }}
+{{- end }}
diff --git a/build/helm/keylime/charts/keylime-verifier/templates/_helpers.tpl b/build/helm/keylime/charts/keylime-verifier/templates/_helpers.tpl
index aa01bf1..249d860 100644
--- a/build/helm/keylime/charts/keylime-verifier/templates/_helpers.tpl
+++ b/build/helm/keylime/charts/keylime-verifier/templates/_helpers.tpl
@@ -167,3 +167,14 @@ Define a custom image tag.
 {{- toYaml .Chart.AppVersion }}
 {{- end }}
 {{- end }}
+
+{{/*
+Define a custom image pullpolicy.
+*/}}
+{{- define "verifier.image.pullPolicy" -}}
+{{- if .Values.global.service.verifier.image.pullPolicy }}
+{{- toYaml .Values.global.service.verifier.image.pullPolicy }}
+{{- else }}
+{{- toYaml .Values.image.pullPolicy }}
+{{- end }}
+{{- end }}
diff --git a/build/helm/keylime/templates/_helpers.tpl b/build/helm/keylime/templates/_helpers.tpl
index 2512913..cd549e2 100644
--- a/build/helm/keylime/templates/_helpers.tpl
+++ b/build/helm/keylime/templates/_helpers.tpl
@@ -144,3 +144,4 @@ Always expands to the name of the secret used for the TPM cert store when the in
 {{- define "keylime.tpmCertStore.extrasecret" -}}
 {{- printf "%s-%s" .Release.Name "keylime-tpm-extra-cert-store" | trunc 63 | trimSuffix "-" }}
 {{- end }}
+
diff --git a/build/helm/keylime/values.yaml b/build/helm/keylime/values.yaml
index 8b98de8..980c969 100644
--- a/build/helm/keylime/values.yaml
+++ b/build/helm/keylime/values.yaml
@@ -161,11 +161,15 @@ global:
 # Default image is the from quay, default tag is tag the chart appVersion
 image:
 repository: quay.io/keylime/keylime_tenant
+ # Default image pull policy
+ pullPolicy: IfNotPresent
 # registrar options
 registrar:
 # Default image is the from quay, default tag is tag the chart appVersion
 image:
 repository: quay.io/keylime/keylime_registrar
+ # Default image pull policy
+ pullPolicy: IfNotPresent
 # number of replicas, with default 1. IMPORTANT: if "sqlite" database backend is selected, then this value will be ignored and 1 will be used instead
 replicas: 1
 # type of service, with "ClusterIP" as default. Switch to "NodePort" or "LoadBalancer" to allow
@@ -178,6 +182,8 @@ global:
 # Default image is the from quay, default tag is tag the chart appVersion
 image:
 repository: quay.io/keylime/keylime_verifier
+ # Default image pull policy
+ pullPolicy: IfNotPresent
 # number of replicas, with default 1. IMPORTANT: if "sqlite" database backend is selected, then this value will be ignored and 1 will be used instead
 replicas: 1
 # type of service, with "ClusterIP" as default. Switch to "NodePort" or "LoadBalancer" to allow
@@ -190,6 +196,8 @@ global:
 repository: quay.io/keylime/keylime_tenant
 image:
 repository: quay.io/keylime/keylime_agent
+ # Default image pull policy
+ pullPolicy: IfNotPresent
 # the device plugin image is used when deploying unprivileged agents
 pluginImage:
 repository: ghcr.io/keylime/k8s-tpm-device-plugin
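Review bot: The new `pullPolicy: IfNotPresent` defaults in values.yaml are paired with a tag-based image reference (the comment above each entry says the default tag is the chart appVersion), so a node that already holds an image under that tag keeps running it even if the tag is re-pushed in the registry. For services such as the verifier and registrar the comment should say so, e.g. `# Image pull policy (Always, IfNotPresent or Never); with IfNotPresent a cached image is reused, so pin by digest or use Always when the tag can move`. The diffstat lists only `_helpers.tpl` files and values.yaml, so unless a workload template outside this patch already includes the new `*.image.pullPolicy` helpers, these keys do not yet reach any pod spec. The same comment applies to the verifier and agent entries in the two hunks that follow.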