kube_cluster 0.16.0 → 0.17.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/Gemfile.lock +1 -1
- data/lib/kube/cluster/standard/cron_job_with_service_account.rb +71 -0
- data/lib/kube/cluster/standard/job_with_service_account.rb +67 -0
- data/lib/kube/cluster/standard/role.rb +6 -6
- data/lib/kube/cluster/standard/service_account_with_role.rb +6 -3
- data/lib/kube/cluster/version.rb +1 -1
- metadata +3 -1
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: f7b1fa07c1c7e080961d17a281c4b2c8a6e84abc6cc9d4ae6c568415b2e989ae
|
|
4
|
+
data.tar.gz: 80994ba308efe68700f925dff182abf89908a55b1d35224c75eb577d7a42485c
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: ac7da1390a3fedf1973a709b0ce5547ee99590d68dfdf46686d4fcf64e237b3a37e86f27b3dfc1350ef22bd264828d4c13705b79e05e6abc1f5ac20ae2cd8364
|
|
7
|
+
data.tar.gz: 96154be98c24b04e56a49c2c6a4df93b94fe67bfa8b79c754c62e543187a7083418815049e05a47db516b16d58db91e2e9dc649a46f9d04243219c28af87df27
|
data/Gemfile.lock
CHANGED
|
@@ -0,0 +1,71 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
require "bundler/setup"
|
|
4
|
+
require "kube/cluster"
|
|
5
|
+
|
|
6
|
+
module Kube
|
|
7
|
+
module Cluster
|
|
8
|
+
module Standard
|
|
9
|
+
# A CronJob plus the ServiceAccount/Role/RoleBinding it runs as, bundled
|
|
10
|
+
# into one Manifest. The RBAC rules use the Role shorthand; the CronJob's
|
|
11
|
+
# serviceAccountName is wired to the generated ServiceAccount. Everything
|
|
12
|
+
# is named after +name+.
|
|
13
|
+
#
|
|
14
|
+
# CronJobWithServiceAccount.new(
|
|
15
|
+
# name: "glauth-config-builder",
|
|
16
|
+
# image: "nixery.dev/shell/ruby/kubectl/cacert",
|
|
17
|
+
# schedule: "*/5 * * * *",
|
|
18
|
+
# rules: [
|
|
19
|
+
# "secrets" => %w[get list],
|
|
20
|
+
# "batch/jobs" => %w[create],
|
|
21
|
+
# ],
|
|
22
|
+
# command: RubyScript(<<~'BUILD'),
|
|
23
|
+
# ...
|
|
24
|
+
# BUILD
|
|
25
|
+
# )
|
|
26
|
+
#
|
|
27
|
+
class CronJobWithServiceAccount < Kube::Cluster::Manifest
|
|
28
|
+
def initialize(name:, image:, schedule:, rules:, env: {}, command: nil,
|
|
29
|
+
backoff_limit: 3, ttl: 300, concurrency_policy: "Forbid", &block)
|
|
30
|
+
service_account_with_role = Kube::Cluster::Standard::ServiceAccountWithRole.new(
|
|
31
|
+
service_account: Kube::Cluster::Standard::ServiceAccount.new(name: name),
|
|
32
|
+
role: Kube::Cluster::Standard::Role.new(rules: rules),
|
|
33
|
+
)
|
|
34
|
+
|
|
35
|
+
cron_job = Kube::Cluster::Standard::CronJob.new(
|
|
36
|
+
name: name,
|
|
37
|
+
image: image,
|
|
38
|
+
schedule: schedule,
|
|
39
|
+
env: env,
|
|
40
|
+
command: command,
|
|
41
|
+
backoff_limit: backoff_limit,
|
|
42
|
+
ttl: ttl,
|
|
43
|
+
concurrency_policy: concurrency_policy,
|
|
44
|
+
) do
|
|
45
|
+
spec.jobTemplate.spec.template.spec.serviceAccountName = name
|
|
46
|
+
end
|
|
47
|
+
|
|
48
|
+
super(*service_account_with_role.to_a, cron_job)
|
|
49
|
+
|
|
50
|
+
instance_exec(&block) if block
|
|
51
|
+
end
|
|
52
|
+
end
|
|
53
|
+
end
|
|
54
|
+
end
|
|
55
|
+
end
|
|
56
|
+
|
|
57
|
+
test do
|
|
58
|
+
describe "CronJobWithServiceAccount" do
|
|
59
|
+
it "emits the RBAC trio plus the cron job" do
|
|
60
|
+
m = Kube::Cluster::Standard::CronJobWithServiceAccount.new(
|
|
61
|
+
name: "builder",
|
|
62
|
+
image: "nixery.dev/shell/kubectl",
|
|
63
|
+
schedule: "*/5 * * * *",
|
|
64
|
+
rules: ["secrets" => %w[get list]],
|
|
65
|
+
command: ["true"],
|
|
66
|
+
)
|
|
67
|
+
|
|
68
|
+
m.map { |r| r.to_h[:kind] }.sort.should == %w[CronJob Role RoleBinding ServiceAccount]
|
|
69
|
+
end
|
|
70
|
+
end
|
|
71
|
+
end
|
|
@@ -0,0 +1,67 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
require "bundler/setup"
|
|
4
|
+
require "kube/cluster"
|
|
5
|
+
|
|
6
|
+
module Kube
|
|
7
|
+
module Cluster
|
|
8
|
+
module Standard
|
|
9
|
+
# A one-shot Job plus the ServiceAccount/Role/RoleBinding it runs as,
|
|
10
|
+
# bundled into one Manifest. The RBAC rules use the Role shorthand; the
|
|
11
|
+
# Job's serviceAccountName is wired to the generated ServiceAccount.
|
|
12
|
+
# Everything is named after +name+.
|
|
13
|
+
#
|
|
14
|
+
# JobWithServiceAccount.new(
|
|
15
|
+
# name: "glauth-config-seed",
|
|
16
|
+
# image: "nixery.dev/shell/kubectl",
|
|
17
|
+
# rules: [
|
|
18
|
+
# "batch/cronjobs" => %w[get],
|
|
19
|
+
# "batch/jobs" => %w[create],
|
|
20
|
+
# ],
|
|
21
|
+
# command: BashScript(<<~'SEED'),
|
|
22
|
+
# ...
|
|
23
|
+
# SEED
|
|
24
|
+
# )
|
|
25
|
+
#
|
|
26
|
+
class JobWithServiceAccount < Kube::Cluster::Manifest
|
|
27
|
+
def initialize(name:, image:, rules:, env: {}, command: nil,
|
|
28
|
+
backoff_limit: 3, ttl: 300, &block)
|
|
29
|
+
service_account_with_role = Kube::Cluster::Standard::ServiceAccountWithRole.new(
|
|
30
|
+
service_account: Kube::Cluster::Standard::ServiceAccount.new(name: name),
|
|
31
|
+
role: Kube::Cluster::Standard::Role.new(rules: rules),
|
|
32
|
+
)
|
|
33
|
+
|
|
34
|
+
job = Kube::Cluster::Standard::Job.new(
|
|
35
|
+
name: name,
|
|
36
|
+
image: image,
|
|
37
|
+
env: env,
|
|
38
|
+
command: command,
|
|
39
|
+
backoff_limit: backoff_limit,
|
|
40
|
+
ttl: ttl,
|
|
41
|
+
) do
|
|
42
|
+
spec.template.spec.serviceAccountName = name
|
|
43
|
+
end
|
|
44
|
+
|
|
45
|
+
super(*service_account_with_role.to_a, job)
|
|
46
|
+
|
|
47
|
+
instance_exec(&block) if block
|
|
48
|
+
end
|
|
49
|
+
end
|
|
50
|
+
end
|
|
51
|
+
end
|
|
52
|
+
end
|
|
53
|
+
|
|
54
|
+
test do
|
|
55
|
+
describe "JobWithServiceAccount" do
|
|
56
|
+
it "emits the RBAC trio plus the job" do
|
|
57
|
+
m = Kube::Cluster::Standard::JobWithServiceAccount.new(
|
|
58
|
+
name: "seed",
|
|
59
|
+
image: "nixery.dev/shell/kubectl",
|
|
60
|
+
rules: ["batch/jobs" => %w[create]],
|
|
61
|
+
command: ["true"],
|
|
62
|
+
)
|
|
63
|
+
|
|
64
|
+
m.map { |r| r.to_h[:kind] }.sort.should == %w[Job Role RoleBinding ServiceAccount]
|
|
65
|
+
end
|
|
66
|
+
end
|
|
67
|
+
end
|
|
@@ -16,12 +16,16 @@ module Kube
|
|
|
16
16
|
# ])
|
|
17
17
|
#
|
|
18
18
|
class Role < Kube::Cluster["Role"]
|
|
19
|
+
# The original rules shorthand, so a named copy can be rebuilt from it
|
|
20
|
+
# (rebuild downgrades the class; reconstructing keeps it a Standard::Role).
|
|
21
|
+
attr_reader :rules_input
|
|
22
|
+
|
|
19
23
|
def initialize(rules:, name: nil, &block)
|
|
20
|
-
|
|
24
|
+
@rules_input = rules
|
|
21
25
|
|
|
22
26
|
super() do
|
|
23
27
|
metadata.name = name if name
|
|
24
|
-
self.rules =
|
|
28
|
+
self.rules = Role.build_rules(rules)
|
|
25
29
|
instance_exec(&block) if block
|
|
26
30
|
end
|
|
27
31
|
end
|
|
@@ -30,10 +34,6 @@ module Kube
|
|
|
30
34
|
to_h.dig(:metadata, :name)
|
|
31
35
|
end
|
|
32
36
|
|
|
33
|
-
def name=(value)
|
|
34
|
-
metadata.name = value
|
|
35
|
-
end
|
|
36
|
-
|
|
37
37
|
def self.build_rules(rules)
|
|
38
38
|
entries = rules.is_a?(Hash) ? [rules] : Array(rules)
|
|
39
39
|
|
|
@@ -21,15 +21,18 @@ module Kube
|
|
|
21
21
|
class ServiceAccountWithRole < Kube::Cluster::Manifest
|
|
22
22
|
def initialize(service_account:, role:, name: nil, &block)
|
|
23
23
|
name ||= service_account.name
|
|
24
|
-
|
|
24
|
+
|
|
25
|
+
# Rebuild the Role with the derived name (a Standard::Role, so the
|
|
26
|
+
# binding's role.name reader works).
|
|
27
|
+
named_role = Kube::Cluster::Standard::Role.new(name: name, rules: role.rules_input)
|
|
25
28
|
|
|
26
29
|
role_binding = Kube::Cluster::Standard::RoleBinding.new(
|
|
27
|
-
role:
|
|
30
|
+
role: named_role,
|
|
28
31
|
service_account: service_account,
|
|
29
32
|
name: name,
|
|
30
33
|
)
|
|
31
34
|
|
|
32
|
-
super(service_account,
|
|
35
|
+
super(service_account, named_role, role_binding)
|
|
33
36
|
|
|
34
37
|
instance_exec(&block) if block
|
|
35
38
|
end
|
data/lib/kube/cluster/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: kube_cluster
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.17.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Nathan K
|
|
@@ -218,6 +218,7 @@ files:
|
|
|
218
218
|
- lib/kube/cluster/standard/cloud_native_pg/helm.rb
|
|
219
219
|
- lib/kube/cluster/standard/config_map.rb
|
|
220
220
|
- lib/kube/cluster/standard/cron_job.rb
|
|
221
|
+
- lib/kube/cluster/standard/cron_job_with_service_account.rb
|
|
221
222
|
- lib/kube/cluster/standard/custom_resource_definition.rb
|
|
222
223
|
- lib/kube/cluster/standard/daemon_set.rb
|
|
223
224
|
- lib/kube/cluster/standard/deployment_with_service.rb
|
|
@@ -226,6 +227,7 @@ files:
|
|
|
226
227
|
- lib/kube/cluster/standard/forgejo/helm.rb
|
|
227
228
|
- lib/kube/cluster/standard/gateway_api/http_route.rb
|
|
228
229
|
- lib/kube/cluster/standard/job.rb
|
|
230
|
+
- lib/kube/cluster/standard/job_with_service_account.rb
|
|
229
231
|
- lib/kube/cluster/standard/kube_virt/virtual_machine.rb
|
|
230
232
|
- lib/kube/cluster/standard/meta_controller/composite_controller.rb
|
|
231
233
|
- lib/kube/cluster/standard/meta_controller/decorator_controller.rb
|