update chart

AccessibleAI · Feb 8, 2024 · 56cf541 · 56cf541
1 parent 6d97eca
commit 56cf541
Show file tree

Hide file tree

Showing 15 changed files with 132 additions and 178 deletions.
diff --git a/charts/cnvrg-non-privileged/Chart.yaml → charts/cnvrg-mlops/Chart.yaml b/charts/cnvrg-non-privileged/Chart.yaml → charts/cnvrg-mlops/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: cnvrg-operator
-description: A cnvrg.io operator v3 chart for K8s
+description: A cnvrg.io operator chart for K8s
 type: application
 version: 5.0.0
 appVersion: 1.2.3
diff --git a/...ileged/crds/mlops.cnvrg.io_cnvrgapps.yaml → ...-mlops/crds/mlops.cnvrg.io_cnvrgapps.yaml b/...ileged/crds/mlops.cnvrg.io_cnvrgapps.yaml → ...-mlops/crds/mlops.cnvrg.io_cnvrgapps.yaml
diff --git a/.../cnvrg-non-privileged/templates/NOTES.txt → charts/cnvrg-mlops/templates/NOTES.txt b/.../cnvrg-non-privileged/templates/NOTES.txt → charts/cnvrg-mlops/templates/NOTES.txt
diff --git a/...ts/cnvrg-non-privileged/templates/cap.yml → charts/cnvrg-mlops/templates/cap.yml b/...ts/cnvrg-non-privileged/templates/cap.yml → charts/cnvrg-mlops/templates/cap.yml
@@ -1,7 +1,7 @@
 apiVersion: mlops.cnvrg.io/v1
 kind: CnvrgApp
 metadata:
-  name: cnvrg-app
+  name: {{ .Release.Name }}
   namespace: {{ .Release.Namespace}}
 spec:
   clusterDomain: {{.Values.clusterDomain}}

diff --git a/charts/cnvrg-mlops/templates/hooks.yml b/charts/cnvrg-mlops/templates/hooks.yml
@@ -0,0 +1,32 @@
+####################################### Uninstall hooks #######################################
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: pre-cnvrg-cleanup
+  namespace: {{ .Release.Namespace}}
+  annotations:
+    "helm.sh/hook": pre-delete
+    "helm.sh/hook-weight": "2"
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+spec:
+  template:
+    spec:
+      serviceAccountName: cnvrg-operator
+      imagePullSecrets:
+        - name: operator-pull-secret
+      containers:
+        - name: delete-cnvrgapp
+          image: "{{ .Values.imageHub }}/cnvrg-tools:v0.3"
+          args:
+            - /bin/bash
+            - -c
+            - |
+              set -x
+              echo "running cleanup"
+              kubectl delete cnvrgapp {{ .Release.Name }} -n {{ .Release.Namespace }} --ignore-not-found
+              while (( $(kubectl get cnvrgapp {{ .Release.Name }} -n {{ .Release.Namespace }} --ignore-not-found | grep {{ .Release.Name }} | wc -l ) != 0 )); do
+                echo "waiting for cnvrgapp will be deleted. . . ";
+                sleep 1
+              done
+      restartPolicy: Never
+  backoffLimit: 4
diff --git a/charts/cnvrg-mlops/templates/ocp-scc.yml b/charts/cnvrg-mlops/templates/ocp-scc.yml
@@ -0,0 +1,89 @@
+kind: SecurityContextConstraints
+apiVersion: security.openshift.io/v1
+metadata:
+  name: "cnvrg-pg-scc"
+allowHostDirVolumePlugin: false
+allowHostIPC: false
+allowHostNetwork: false
+allowHostPID: false
+allowHostPorts: false
+allowPrivilegeEscalation: false
+allowPrivilegedContainer: false
+allowedCapabilities: null
+readOnlyRootFilesystem: false
+runAsUser:
+  type: MustRunAs
+  uid: 26
+seLinuxContext:
+  type: MustRunAs
+fsGroup:
+  type: MustRunAs
+  ranges:
+    - min: 26
+      max: 26
+supplementalGroups:
+  type: MustRunAs
+  ranges:
+    - min: 26
+      max: 26
+users:
+- "system:serviceaccount:{{.Release.Namespace}}:{{.Values.dbs.pg.serviceAccount}}"
+---
+kind: SecurityContextConstraints
+apiVersion: security.openshift.io/v1
+metadata:
+  name: "cnvrg-minio-redis-es-scc"
+allowHostDirVolumePlugin: false
+allowHostIPC: false
+allowHostNetwork: false
+allowHostPID: false
+allowHostPorts: false
+allowPrivilegeEscalation: false
+allowPrivilegedContainer: false
+allowedCapabilities: null
+readOnlyRootFilesystem: false
+runAsUser:
+  type: MustRunAs
+  uid: 1000
+seLinuxContext:
+  type: MustRunAs
+fsGroup:
+  type: MustRunAs
+  ranges:
+    - min: 1000
+      max: 1000
+supplementalGroups:
+  type: MustRunAs
+  ranges:
+    - min: 1000
+      max: 1000
+users:
+  - "system:serviceaccount:{{.Release.Namespace}}:{{.Values.dbs.minio.serviceAccount}}"
+  - "system:serviceaccount:{{.Release.Namespace}}:{{.Values.dbs.redis.serviceAccount}}"
+  - "system:serviceaccount:{{.Release.Namespace}}:{{.Values.dbs.es.serviceAccount}}"
+  - "system:serviceaccount:{{.Release.Namespace}}:cnvrg-prom"
+---
+kind: SecurityContextConstraints
+apiVersion: security.openshift.io/v1
+metadata:
+  name: "cnvrg-jobs"
+allowHostDirVolumePlugin: false
+allowHostIPC: false
+allowHostNetwork: false
+allowHostPID: false
+allowHostPorts: false
+allowPrivilegeEscalation: true
+allowPrivilegedContainer: false
+allowedCapabilities: null
+readOnlyRootFilesystem: false
+runAsUser:
+  type: RunAsAny
+seLinuxContext:
+  type: RunAsAny
+fsGroup:
+  type: RunAsAny
+supplementalGroups:
+  type: RunAsAny
+users:
+  - "system:serviceaccount:cnvrg:cnvrg-job"
+
diff --git a/...vrg-non-privileged/templates/operator.yml → charts/cnvrg-mlops/templates/operator.yml b/...vrg-non-privileged/templates/operator.yml → charts/cnvrg-mlops/templates/operator.yml
@@ -63,7 +63,7 @@ spec:
             - start
             - --max-concurrent-reconciles
             - "3"
-          image: "docker.io/cnvrg/cnvrg-operator:DEV-22107-no-cluster-roles"
+          image: "docker.io/cnvrg/cnvrg-operator:slim.non.priv"
           imagePullPolicy: Always
           name: cnvrg-operator
           resources:
@@ -73,5 +73,13 @@ spec:
             requests:
               cpu: 500m
               memory: 200Mi
+          securityContext:
+            allowPrivilegeEscalation: false
+            runAsNonRoot: true
+            seccompProfile:
+              type: "RuntimeDefault"
+            capabilities:
+              drop:
+                - "ALL"
       serviceAccountName: cnvrg-operator
       terminationGracePeriodSeconds: 10
diff --git a/charts/cnvrg-non-privileged/values.yaml → charts/cnvrg-mlops/values.yaml b/charts/cnvrg-non-privileged/values.yaml → charts/cnvrg-mlops/values.yaml
diff --git a/charts/cnvrg-non-privileged/templates/ocp-scc-jobs.yml b/charts/cnvrg-non-privileged/templates/ocp-scc-jobs.yml
diff --git a/charts/cnvrg-non-privileged/templates/ocp-scc-pg.yml b/charts/cnvrg-non-privileged/templates/ocp-scc-pg.yml
diff --git a/charts/cnvrg-non-privileged/templates/ocp-scc-prom.yml b/charts/cnvrg-non-privileged/templates/ocp-scc-prom.yml
diff --git a/pkg/app/controlplane/controlplane.go b/pkg/app/controlplane/controlplane.go
@@ -66,15 +66,6 @@ func (m *CpStateManager) Load() error {
 	}
 	m.AddToAssets(rbac)
 
-	//if m.app.Spec.Networking.Ingress.Type == mlopsv1.OpenShiftIngress {
-	//	assetName := []string{"ocp-scc.tpl"}
-	//	ocpScc := desired.NewAssetsGroup(fs, fsRoot+"/conf/rbac", m.Log(), &desired.LoadFilter{AssetName: assetName})
-	//	if err := ocpScc.LoadAssets(); err != nil {
-	//		return err
-	//	}
-	//	m.AddToAssets(ocpScc)
-	//}
-
 	if m.app.Spec.ControlPlane.CnvrgClusterProvisionerOperator.Enabled {
 		ccp := desired.NewAssetsGroup(fs, fsRoot+"/ccp", m.Log(), f)
 		if err := ccp.LoadAssets(); err != nil {

diff --git a/pkg/app/controlplane/tmpl/conf/rbac/ocp-scc-adopted.tpl b/pkg/app/controlplane/tmpl/conf/rbac/ocp-scc-adopted.tpl
diff --git a/pkg/app/controlplane/tmpl/conf/rbac/ocp-scc-jobs.tpl b/pkg/app/controlplane/tmpl/conf/rbac/ocp-scc-jobs.tpl
diff --git a/pkg/app/controlplane/tmpl/conf/rbac/ocp-scc.tpl b/pkg/app/controlplane/tmpl/conf/rbac/ocp-scc.tpl