DEV Community: gre9ory The latest articles on DEV Community by gre9ory (@gre9ory). https://dev.to/gre9ory https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F737950%2Fc4f81558-c5ba-4147-b9ab-179e64642bdc.jpeg DEV Community: gre9ory https://dev.to/gre9ory en HULL Tutorial 08: Wrapping up with a Summary and Analysis gre9ory Tue, 31 May 2022 11:25:52 +0000 https://dev.to/gre9ory/hull-tutorial-08-wrapping-up-with-a-summary-and-analysis-4b27 https://dev.to/gre9ory/hull-tutorial-08-wrapping-up-with-a-summary-and-analysis-4b27 <h1> Summary </h1> <p>To finish this tutorial let's do some comparisons. For this copy over once more the last chart state which is also the final one and make the <code>values.full.yaml</code> the <code>values.yaml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd</span> ~/kubernetes-dashboard-hull <span class="o">&amp;&amp;</span> <span class="nb">cp</span> <span class="nt">-R</span> 07_advanced_configuration/ 08_summary <span class="o">&amp;&amp;</span> <span class="nb">cd </span>08_summary/kubernetes-dashboard-hull <span class="o">&amp;&amp;</span> <span class="nb">rm </span>values.yaml <span class="o">&amp;&amp;</span> <span class="nb">cp </span>values.full.yaml values.yaml </code></pre> </div> <p>And here is the final <code>values.yaml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">metrics-server</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="no">false</span> <span class="na">hull</span><span class="pi">:</span> <span class="na">config</span><span class="pi">:</span> <span class="na">specific</span><span class="pi">:</span> <span class="na">externalPort</span><span class="pi">:</span> <span class="m">443</span> <span class="na">protocolHttp</span><span class="pi">:</span> <span class="no">false</span> <span class="na">rbac</span><span class="pi">:</span> <span class="na">clusterReadOnlyRole</span><span class="pi">:</span> <span class="no">false</span> <span class="na">clusterRoleMetrics</span><span class="pi">:</span> <span class="no">true</span> <span class="na">settings</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">pinnedCRDs</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">objects</span><span class="pi">:</span> <span class="na">servicemonitor</span><span class="pi">:</span> <span class="na">dashboard</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="no">false</span> <span class="na">endpoints</span><span class="pi">:</span> <span class="pi">|-</span> <span class="s">_HT![</span> <span class="s">{{ if (index . "$").Values.hull.config.specific.protocolHttp }}</span> <span class="s">{ port: "http" }</span> <span class="s">{{ else }}</span> <span class="s">{ port: "https" }</span> <span class="s">{{ end }}</span> <span class="s">]</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="s">_HT&amp;dashboard</span> <span class="na">networkpolicy</span><span class="pi">:</span> <span class="na">dashboard</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="no">false</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">_HT!{{- default (index . "$").Chart.Name (index . "$").Values.nameOverride | trunc 63 | trimSuffix "-" -}}</span> <span class="na">chart</span><span class="pi">:</span> <span class="s">_HT!{{- printf "%s-%s" (index . "$").Chart.Name (index . "$").Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}</span> <span class="na">release</span><span class="pi">:</span> <span class="s">_HT!{{ (index . "$").Release.Name }}</span> <span class="na">heritage</span><span class="pi">:</span> <span class="s">_HT!{{ (index . "$").Release.Service }}</span> <span class="na">podSelector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="s">_HT&amp;dashboard</span> <span class="na">ingress</span><span class="pi">:</span> <span class="pi">|-</span> <span class="s">_HT![</span> <span class="s">{ ports:</span> <span class="s">[</span> <span class="s">{</span> <span class="s">protocol: TCP,</span> <span class="s">{{ if (index . "$").Values.hull.config.specific.protocolHttp }}</span> <span class="s">port: "http"</span> <span class="s">{{ else }}</span> <span class="s">port: "https"</span> <span class="s">{{ end }}</span> <span class="s">}</span> <span class="s">]</span> <span class="s">}</span> <span class="s">]</span> <span class="na">poddisruptionbudget</span><span class="pi">:</span> <span class="na">dashboard</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="no">false</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="s">_HT&amp;dashboard</span> <span class="na">podsecuritypolicy</span><span class="pi">:</span> <span class="na">dashboard</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="no">false</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">seccomp.security.alpha.kubernetes.io/allowedProfileNames</span><span class="pi">:</span> <span class="s2">"</span><span class="s">*"</span> <span class="na">privileged</span><span class="pi">:</span> <span class="no">false</span> <span class="na">fsGroup</span><span class="pi">:</span> <span class="na">rule</span><span class="pi">:</span> <span class="s">RunAsAny</span> <span class="na">runAsUser</span><span class="pi">:</span> <span class="na">rule</span><span class="pi">:</span> <span class="s">RunAsAny</span> <span class="na">runAsGroup</span><span class="pi">:</span> <span class="na">rule</span><span class="pi">:</span> <span class="s">RunAsAny</span> <span class="na">seLinux</span><span class="pi">:</span> <span class="na">rule</span><span class="pi">:</span> <span class="s">RunAsAny</span> <span class="na">supplementalGroups</span><span class="pi">:</span> <span class="na">rule</span><span class="pi">:</span> <span class="s">RunAsAny</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">configMap</span> <span class="pi">-</span> <span class="s">secret</span> <span class="pi">-</span> <span class="s">emptyDir</span> <span class="na">allowPrivilegeEscalation</span><span class="pi">:</span> <span class="no">false</span> <span class="na">hostNetwork</span><span class="pi">:</span> <span class="no">false</span> <span class="na">hostIPC</span><span class="pi">:</span> <span class="no">false</span> <span class="na">hostPID</span><span class="pi">:</span> <span class="no">false</span> <span class="na">rolebinding</span><span class="pi">:</span> <span class="na">psp</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="s">_HT?(index . "$").Values.hull.objects.podsecuritypolicy.dashboard.enabled</span> <span class="na">roleRef</span><span class="pi">:</span> <span class="na">apiGroup</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Role</span> <span class="na">name</span><span class="pi">:</span> <span class="s">_HT^psp</span> <span class="na">subjects</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ServiceAccount</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">_HT!{{ (index . "$").Release.Namespace }}</span> <span class="na">name</span><span class="pi">:</span> <span class="s">_HT^default</span> <span class="na">service</span><span class="pi">:</span> <span class="na">dashboard</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="c1">## Enable or disable the kubernetes.io/cluster-service label. Should be disabled for GKE clusters &gt;=1.15.</span> <span class="c1">## Otherwise, the addon manager will presume ownership of the service and try to delete it.</span> <span class="s2">"</span><span class="s">kubernetes.io/cluster-service"</span><span class="err">:</span> <span class="s2">"</span><span class="s">true"</span> <span class="na">type</span><span class="pi">:</span> <span class="s">ClusterIP</span> <span class="na">ports</span><span class="pi">:</span> <span class="na">http</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="s">_HT?(index . "$").Values.hull.config.specific.protocolHttp</span> <span class="na">port</span><span class="pi">:</span> <span class="s">_HT*hull.config.specific.externalPort</span> <span class="na">targetPort</span><span class="pi">:</span> <span class="s">http</span> <span class="na">https</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="s">_HT?(not (index . "$").Values.hull.config.specific.protocolHttp)</span> <span class="na">port</span><span class="pi">:</span> <span class="s">_HT*hull.config.specific.externalPort</span> <span class="na">targetPort</span><span class="pi">:</span> <span class="s">https</span> <span class="na">ingress</span><span class="pi">:</span> <span class="na">dashboard</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="no">false</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">|-</span> <span class="s">_HT!{</span> <span class="s">{{ if not (index . "$").Values.hull.config.specific.protocolHttp }}</span> <span class="s">"nginx.ingress.kubernetes.io/backend-protocol": "HTTPS",</span> <span class="s">"service.alpha.kubernetes.io/app-protocols": "{\"https\":\"HTTPS\"}"</span> <span class="s">{{ end }}</span> <span class="s">}</span> <span class="na">rules</span><span class="pi">:</span> <span class="na">default</span><span class="pi">:</span> <span class="na">http</span><span class="pi">:</span> <span class="na">paths</span><span class="pi">:</span> <span class="na">root</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/</span> <span class="na">pathType</span><span class="pi">:</span> <span class="s">ImplementationSpecific</span> <span class="na">backend</span><span class="pi">:</span> <span class="na">service</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">dashboard</span> <span class="na">port</span><span class="pi">:</span> <span class="na">number</span><span class="pi">:</span> <span class="s">_HT*hull.config.specific.externalPort</span> <span class="na">deployment</span><span class="pi">:</span> <span class="na">dashboard</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="no">true</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">1</span> <span class="na">strategy</span><span class="pi">:</span> <span class="na">rollingUpdate</span><span class="pi">:</span> <span class="na">maxSurge</span><span class="pi">:</span> <span class="m">0</span> <span class="na">maxUnavailable</span><span class="pi">:</span> <span class="m">1</span> <span class="na">type</span><span class="pi">:</span> <span class="s">RollingUpdate</span> <span class="na">pod</span><span class="pi">:</span> <span class="na">securityContext</span><span class="pi">:</span> <span class="na">seccompProfile</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">RuntimeDefault</span> <span class="na">containers</span><span class="pi">:</span> <span class="na">dashboard</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="na">repository</span><span class="pi">:</span> <span class="s">kubernetesui/dashboard</span> <span class="na">tag</span><span class="pi">:</span> <span class="s">v2.5.0</span> <span class="na">imagePullPolicy</span><span class="pi">:</span> <span class="s">IfNotPresent</span> <span class="na">args</span><span class="pi">:</span> <span class="s">_HT![</span> <span class="s">{{- $p := (index . "$") }}</span> <span class="s">"--namespace={{ $p.Release.Namespace }}",</span> <span class="s">{{- if not $p.Values.hull.config.specific.protocolHttp }}</span> <span class="s">"--auto-generate-certificates",</span> <span class="s">{{- end }}</span> <span class="s">{{- if $p.Values.hull.objects.deployment.dashboard.pod.containers.metricsscraper.enabled }}</span> <span class="s">"--sidecar-host=http://127.0.0.1:8000",</span> <span class="s">{{- else }}</span> <span class="s">"--metrics-provider=none",</span> <span class="s">{{- end }}</span> <span class="s">]</span> <span class="na">ports</span><span class="pi">:</span> <span class="na">http</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="s">_HT?(index . "$").Values.hull.config.specific.protocolHttp</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">9090</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">TCP</span> <span class="na">https</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="s">_HT?(not (index . "$").Values.hull.config.specific.protocolHttp)</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">8443</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">TCP</span> <span class="na">volumeMounts</span><span class="pi">:</span> <span class="na">dashboard</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-certs</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/certs</span> <span class="na">tmp</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">tmp-volume</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/tmp</span> <span class="na">livenessProbe</span><span class="pi">:</span> <span class="pi">|-</span> <span class="s">_HT!{</span> <span class="s">httpGet: {</span> <span class="s">path: /,</span> <span class="s">scheme: {{ (index . "$").Values.hull.config.specific.protocolHttp | ternary "HTTP" "HTTPS" }},</span> <span class="s">port: {{ (index . "$").Values.hull.config.specific.protocolHttp | ternary 9090 8443 }}</span> <span class="s">}</span> <span class="s">}</span> <span class="s">initialDelaySeconds: 30</span> <span class="s">timeoutSeconds: 30</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">requests</span><span class="pi">:</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s">100m</span> <span class="na">memory</span><span class="pi">:</span> <span class="s">200Mi</span> <span class="na">limits</span><span class="pi">:</span> <span class="na">cpu</span><span class="pi">:</span> <span class="m">2</span> <span class="na">memory</span><span class="pi">:</span> <span class="s">200Mi</span> <span class="na">securityContext</span><span class="pi">:</span> <span class="na">allowPrivilegeEscalation</span><span class="pi">:</span> <span class="no">false</span> <span class="na">readOnlyRootFilesystem</span><span class="pi">:</span> <span class="no">true</span> <span class="na">runAsUser</span><span class="pi">:</span> <span class="m">1001</span> <span class="na">runAsGroup</span><span class="pi">:</span> <span class="m">2001</span> <span class="na">metricsscraper</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="no">false</span> <span class="na">image</span><span class="pi">:</span> <span class="na">repository</span><span class="pi">:</span> <span class="s">kubernetesui/metrics-scraper</span> <span class="na">tag</span><span class="pi">:</span> <span class="s">v1.0.7</span> <span class="na">imagePullPolicy</span><span class="pi">:</span> <span class="s">IfNotPresent</span> <span class="na">ports</span><span class="pi">:</span> <span class="na">tcp</span><span class="pi">:</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">8000</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">TCP</span> <span class="na">livenessProbe</span><span class="pi">:</span> <span class="na">httpGet</span><span class="pi">:</span> <span class="na">scheme</span><span class="pi">:</span> <span class="s">HTTP</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/</span> <span class="na">port</span><span class="pi">:</span> <span class="m">8000</span> <span class="na">initialDelaySeconds</span><span class="pi">:</span> <span class="m">30</span> <span class="na">timeoutSeconds</span><span class="pi">:</span> <span class="m">30</span> <span class="na">volumeMounts</span><span class="pi">:</span> <span class="na">tmp</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">tmp-volume</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/tmp</span> <span class="na">securityContext</span><span class="pi">:</span> <span class="na">allowPrivilegeEscalation</span><span class="pi">:</span> <span class="no">false</span> <span class="na">readOnlyRootFilesystem</span><span class="pi">:</span> <span class="no">true</span> <span class="na">runAsUser</span><span class="pi">:</span> <span class="m">1001</span> <span class="na">runAsGroup</span><span class="pi">:</span> <span class="m">2001</span> <span class="na">volumes</span><span class="pi">:</span> <span class="na">kubernetes-dashboard-certs</span><span class="pi">:</span> <span class="na">secret</span><span class="pi">:</span> <span class="na">secretName</span><span class="pi">:</span> <span class="s">certs</span> <span class="na">tmp-volume</span><span class="pi">:</span> <span class="na">emptyDir</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">role</span><span class="pi">:</span> <span class="na">psp</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="s">_HT?(index . "$").Values.hull.objects.podsecuritypolicy.dashboard.enabled</span> <span class="na">rules</span><span class="pi">:</span> <span class="na">psp</span><span class="pi">:</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">extensions</span> <span class="pi">-</span> <span class="s">policy/v1beta1</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">podsecuritypolicies</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">use</span> <span class="na">resourceNames</span><span class="pi">:</span> <span class="s">_HT![ {{ include "hull.metadata.fullname" (dict "PARENT_CONTEXT" (index . "$") "COMPONENT" "psp") }} ]</span> <span class="na">default</span><span class="pi">:</span> <span class="na">rules</span><span class="pi">:</span> <span class="na">secrets</span><span class="pi">:</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">"</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">secrets</span> <span class="na">resourceNames</span><span class="pi">:</span> <span class="s">_HT![</span> <span class="s">{{ include "hull.metadata.fullname" (dict "PARENT_CONTEXT" (index . "$") "COMPONENT" "certs") }},</span> <span class="s">"kubernetes-dashboard-csrf",</span> <span class="s">"kubernetes-dashboard-key-holder"</span> <span class="s">]</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">get</span> <span class="pi">-</span> <span class="s">update</span> <span class="pi">-</span> <span class="s">delete</span> <span class="na">configmaps</span><span class="pi">:</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">"</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">configmaps</span> <span class="na">resourceNames</span><span class="pi">:</span> <span class="s">_HT![</span> <span class="s">{{ include "hull.metadata.fullname" (dict "PARENT_CONTEXT" (index . "$") "COMPONENT" "settings") }} ]</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">get</span> <span class="pi">-</span> <span class="s">update</span> <span class="na">services</span><span class="pi">:</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">"</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">services</span> <span class="na">resourceNames</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">heapster"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">dashboard-metrics-scraper"</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">proxy</span> <span class="na">services_proxy</span><span class="pi">:</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">"</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">services/proxy</span> <span class="na">resourceNames</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">heapster"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">http:heapster:"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">https:heapster:"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">dashboard-metrics-scraper"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">http:dashboard-metrics-scraper"</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">get</span> <span class="na">clusterrole</span><span class="pi">:</span> <span class="na">readonly</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="s">_HT?(index . "$").Values.hull.config.specific.rbac.clusterReadOnlyRole</span> <span class="na">rules</span><span class="pi">:</span> <span class="na">cluster_objects</span><span class="pi">:</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">"</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">configmaps</span> <span class="pi">-</span> <span class="s">endpoints</span> <span class="pi">-</span> <span class="s">persistentvolumeclaims</span> <span class="pi">-</span> <span class="s">pods</span> <span class="pi">-</span> <span class="s">replicationcontrollers</span> <span class="pi">-</span> <span class="s">replicationcontrollers/scale</span> <span class="pi">-</span> <span class="s">serviceaccounts</span> <span class="pi">-</span> <span class="s">services</span> <span class="pi">-</span> <span class="s">nodes</span> <span class="pi">-</span> <span class="s">persistentvolumeclaims</span> <span class="pi">-</span> <span class="s">persistentvolumes</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">get</span> <span class="pi">-</span> <span class="s">list</span> <span class="pi">-</span> <span class="s">watch</span> <span class="na">statuses</span><span class="pi">:</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">"</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">bindings</span> <span class="pi">-</span> <span class="s">events</span> <span class="pi">-</span> <span class="s">limitranges</span> <span class="pi">-</span> <span class="s">namespaces/status</span> <span class="pi">-</span> <span class="s">pods/log</span> <span class="pi">-</span> <span class="s">pods/status</span> <span class="pi">-</span> <span class="s">replicationcontrollers/status</span> <span class="pi">-</span> <span class="s">resourcequotas</span> <span class="pi">-</span> <span class="s">resourcequotas/status</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">get</span> <span class="pi">-</span> <span class="s">list</span> <span class="pi">-</span> <span class="s">watch</span> <span class="na">namespaces</span><span class="pi">:</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">"</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">namespaces</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">get</span> <span class="pi">-</span> <span class="s">list</span> <span class="pi">-</span> <span class="s">watch</span> <span class="na">apps</span><span class="pi">:</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">apps</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">daemonsets</span> <span class="pi">-</span> <span class="s">deployments</span> <span class="pi">-</span> <span class="s">deployments/scale</span> <span class="pi">-</span> <span class="s">replicasets</span> <span class="pi">-</span> <span class="s">replicasets/scale</span> <span class="pi">-</span> <span class="s">statefulsets</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">get</span> <span class="pi">-</span> <span class="s">list</span> <span class="pi">-</span> <span class="s">watch</span> <span class="na">autoscaling</span><span class="pi">:</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">autoscaling</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">horizontalpodautoscalers</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">get</span> <span class="pi">-</span> <span class="s">list</span> <span class="pi">-</span> <span class="s">watch</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">batch</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">cronjobs</span> <span class="pi">-</span> <span class="s">jobs</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">get</span> <span class="pi">-</span> <span class="s">list</span> <span class="pi">-</span> <span class="s">watch</span> <span class="na">extensions</span><span class="pi">:</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">extensions</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">daemonsets</span> <span class="pi">-</span> <span class="s">deployments</span> <span class="pi">-</span> <span class="s">deployments/scale</span> <span class="pi">-</span> <span class="s">ingresses</span> <span class="pi">-</span> <span class="s">networkpolicies</span> <span class="pi">-</span> <span class="s">replicasets</span> <span class="pi">-</span> <span class="s">replicasets/scale</span> <span class="pi">-</span> <span class="s">replicationcontrollers/scale</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">get</span> <span class="pi">-</span> <span class="s">list</span> <span class="pi">-</span> <span class="s">watch</span> <span class="na">pdb</span><span class="pi">:</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">policy</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">poddisruptionbudgets</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">get</span> <span class="pi">-</span> <span class="s">list</span> <span class="pi">-</span> <span class="s">watch</span> <span class="na">network</span><span class="pi">:</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">networking.k8s.io</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">networkpolicies</span> <span class="pi">-</span> <span class="s">ingresses</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">get</span> <span class="pi">-</span> <span class="s">list</span> <span class="pi">-</span> <span class="s">watch</span> <span class="na">storage</span><span class="pi">:</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">storage.k8s.io</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">storageclasses</span> <span class="pi">-</span> <span class="s">volumeattachments</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">get</span> <span class="pi">-</span> <span class="s">list</span> <span class="pi">-</span> <span class="s">watch</span> <span class="na">rbac</span><span class="pi">:</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">rbac.authorization.k8s.io</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">clusterrolebindings</span> <span class="pi">-</span> <span class="s">clusterroles</span> <span class="pi">-</span> <span class="s">roles</span> <span class="pi">-</span> <span class="s">rolebindings</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">get</span> <span class="pi">-</span> <span class="s">list</span> <span class="pi">-</span> <span class="s">watch</span> <span class="na">metrics</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="s">_HT?(index . "$").Values.hull.config.specific.rbac.clusterRoleMetrics</span> <span class="na">rules</span><span class="pi">:</span> <span class="na">metrics</span><span class="pi">:</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">metrics.k8s.io"</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">pods</span> <span class="pi">-</span> <span class="s">nodes</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">get</span> <span class="pi">-</span> <span class="s">list</span> <span class="pi">-</span> <span class="s">watch</span> <span class="na">clusterrolebinding</span><span class="pi">:</span> <span class="na">readonly</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="s">_HT?(index . "$").Values.hull.config.specific.rbac.clusterReadOnlyRole</span> <span class="na">roleRef</span><span class="pi">:</span> <span class="na">apiGroup</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterRole</span> <span class="na">name</span><span class="pi">:</span> <span class="s">_HT^readonly</span> <span class="na">subjects</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">_HT!{{ (index . "$").Release.Namespace }}</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ServiceAccount</span> <span class="na">name</span><span class="pi">:</span> <span class="s">_HT^default</span> <span class="na">metrics</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="s">_HT?(index . "$").Values.hull.config.specific.rbac.clusterRoleMetrics</span> <span class="na">roleRef</span><span class="pi">:</span> <span class="na">apiGroup</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterRole</span> <span class="na">name</span><span class="pi">:</span> <span class="s">_HT^metrics</span> <span class="na">subjects</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">_HT!{{ (index . "$").Release.Namespace }}</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ServiceAccount</span> <span class="na">name</span><span class="pi">:</span> <span class="s">_HT^default</span> <span class="na">configmap</span><span class="pi">:</span> <span class="na">settings</span><span class="pi">:</span> <span class="na">data</span><span class="pi">:</span> <span class="na">_global</span><span class="pi">:</span> <span class="na">inline</span><span class="pi">:</span> <span class="s">_HT!{{ toJson (index . "$").Values.hull.config.specific.settings | quote }}</span> <span class="na">_pinnedCRD</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">files/pinnedCRDs</span> <span class="na">secret</span><span class="pi">:</span> <span class="na">certs</span><span class="pi">:</span> <span class="na">data</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">kubernetes-dashboard-csrf</span><span class="pi">:</span> <span class="na">data</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">staticName</span><span class="pi">:</span> <span class="no">true</span> <span class="na">kubernetes-dashboard-key-holder</span><span class="pi">:</span> <span class="na">data</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">staticName</span><span class="pi">:</span> <span class="no">true</span> </code></pre> </div> <p>It could do with some sorting of object types and brushing up with <strong>lots</strong> of comments and documentation. The effort not spend on template creation should be put into writing good and extensive documentation of the <code>values.yaml</code> - only for reasons of keeping everything shorter no comments were added in this tutorial.</p> <p>Let's render it finally with everything included:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>helm template <span class="nb">.</span> </code></pre> </div> <p>and here it is - the default configuration of <code>kubernetes-dashboard-hull</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># Source: kubernetes-dashboard/templates/hull.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ServiceAccount</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">default</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="s">Helm</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="na">app.kubernetes.io/part-of</span><span class="pi">:</span> <span class="s">undefined</span> <span class="na">app.kubernetes.io/version</span><span class="pi">:</span> <span class="s">2.5.0</span> <span class="na">helm.sh/chart</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-5.2.0</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-default</span> <span class="nn">---</span> <span class="c1"># Source: kubernetes-dashboard/templates/hull.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Secret</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">certs</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="s">Helm</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="na">app.kubernetes.io/part-of</span><span class="pi">:</span> <span class="s">undefined</span> <span class="na">app.kubernetes.io/version</span><span class="pi">:</span> <span class="s">2.5.0</span> <span class="na">helm.sh/chart</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-5.2.0</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-certs</span> <span class="nn">---</span> <span class="c1"># Source: kubernetes-dashboard/templates/hull.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Secret</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-csrf</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="s">Helm</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="na">app.kubernetes.io/part-of</span><span class="pi">:</span> <span class="s">undefined</span> <span class="na">app.kubernetes.io/version</span><span class="pi">:</span> <span class="s">2.5.0</span> <span class="na">helm.sh/chart</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-5.2.0</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-csrf</span> <span class="nn">---</span> <span class="c1"># Source: kubernetes-dashboard/templates/hull.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Secret</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-key-holder</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="s">Helm</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="na">app.kubernetes.io/part-of</span><span class="pi">:</span> <span class="s">undefined</span> <span class="na">app.kubernetes.io/version</span><span class="pi">:</span> <span class="s">2.5.0</span> <span class="na">helm.sh/chart</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-5.2.0</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-key-holder</span> <span class="nn">---</span> <span class="c1"># Source: kubernetes-dashboard/templates/hull.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">data</span><span class="pi">:</span> <span class="na">_global</span><span class="pi">:</span> <span class="s1">'</span><span class="s">{}'</span> <span class="na">_pinnedCRD</span><span class="pi">:</span> <span class="s1">'</span><span class="s">{}'</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ConfigMap</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">settings</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="s">Helm</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="na">app.kubernetes.io/part-of</span><span class="pi">:</span> <span class="s">undefined</span> <span class="na">app.kubernetes.io/version</span><span class="pi">:</span> <span class="s">2.5.0</span> <span class="na">helm.sh/chart</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-5.2.0</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-settings</span> <span class="nn">---</span> <span class="c1"># Source: kubernetes-dashboard/templates/hull.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterRole</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">metrics</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="s">Helm</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="na">app.kubernetes.io/part-of</span><span class="pi">:</span> <span class="s">undefined</span> <span class="na">app.kubernetes.io/version</span><span class="pi">:</span> <span class="s">2.5.0</span> <span class="na">helm.sh/chart</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-5.2.0</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-metrics</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s2">"</span><span class="s">"</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">metrics.k8s.io</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">pods</span> <span class="pi">-</span> <span class="s">nodes</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">get</span> <span class="pi">-</span> <span class="s">list</span> <span class="pi">-</span> <span class="s">watch</span> <span class="nn">---</span> <span class="c1"># Source: kubernetes-dashboard/templates/hull.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterRoleBinding</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">metrics</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="s">Helm</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="na">app.kubernetes.io/part-of</span><span class="pi">:</span> <span class="s">undefined</span> <span class="na">app.kubernetes.io/version</span><span class="pi">:</span> <span class="s">2.5.0</span> <span class="na">helm.sh/chart</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-5.2.0</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-metrics</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s2">"</span><span class="s">"</span> <span class="na">roleRef</span><span class="pi">:</span> <span class="na">apiGroup</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterRole</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-metrics</span> <span class="na">subjects</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ServiceAccount</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-default</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">default</span> <span class="nn">---</span> <span class="c1"># Source: kubernetes-dashboard/templates/hull.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Role</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">default</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="s">Helm</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="na">app.kubernetes.io/part-of</span><span class="pi">:</span> <span class="s">undefined</span> <span class="na">app.kubernetes.io/version</span><span class="pi">:</span> <span class="s">2.5.0</span> <span class="na">helm.sh/chart</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-5.2.0</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-default</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">"</span> <span class="na">resourceNames</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">release-name-kubernetes-dashboard-settings</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">configmaps</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">get</span> <span class="pi">-</span> <span class="s">update</span> <span class="pi">-</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">"</span> <span class="na">resourceNames</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">release-name-kubernetes-dashboard-certs</span> <span class="pi">-</span> <span class="s">kubernetes-dashboard-csrf</span> <span class="pi">-</span> <span class="s">kubernetes-dashboard-key-holder</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">secrets</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">get</span> <span class="pi">-</span> <span class="s">update</span> <span class="pi">-</span> <span class="s">delete</span> <span class="pi">-</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">"</span> <span class="na">resourceNames</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">heapster</span> <span class="pi">-</span> <span class="s">dashboard-metrics-scraper</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">services</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">proxy</span> <span class="pi">-</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">"</span> <span class="na">resourceNames</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">heapster</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">http:heapster:'</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">https:heapster:'</span> <span class="pi">-</span> <span class="s">dashboard-metrics-scraper</span> <span class="pi">-</span> <span class="s">http:dashboard-metrics-scraper</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">services/proxy</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">get</span> <span class="nn">---</span> <span class="c1"># Source: kubernetes-dashboard/templates/hull.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">RoleBinding</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">default</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="s">Helm</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="na">app.kubernetes.io/part-of</span><span class="pi">:</span> <span class="s">undefined</span> <span class="na">app.kubernetes.io/version</span><span class="pi">:</span> <span class="s">2.5.0</span> <span class="na">helm.sh/chart</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-5.2.0</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-default</span> <span class="na">roleRef</span><span class="pi">:</span> <span class="na">apiGroup</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Role</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-default</span> <span class="na">subjects</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ServiceAccount</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-default</span> <span class="nn">---</span> <span class="c1"># Source: kubernetes-dashboard/templates/hull.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">dashboard</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="s">Helm</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="na">app.kubernetes.io/part-of</span><span class="pi">:</span> <span class="s">undefined</span> <span class="na">app.kubernetes.io/version</span><span class="pi">:</span> <span class="s">2.5.0</span> <span class="na">helm.sh/chart</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-5.2.0</span> <span class="na">kubernetes.io/cluster-service</span><span class="pi">:</span> <span class="s2">"</span><span class="s">true"</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-dashboard</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">https</span> <span class="na">port</span><span class="pi">:</span> <span class="m">443</span> <span class="na">targetPort</span><span class="pi">:</span> <span class="s">https</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">dashboard</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="na">type</span><span class="pi">:</span> <span class="s">ClusterIP</span> <span class="nn">---</span> <span class="c1"># Source: kubernetes-dashboard/templates/hull.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">dashboard</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="s">Helm</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="na">app.kubernetes.io/part-of</span><span class="pi">:</span> <span class="s">undefined</span> <span class="na">app.kubernetes.io/version</span><span class="pi">:</span> <span class="s">2.5.0</span> <span class="na">helm.sh/chart</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-5.2.0</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-dashboard</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">1</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">dashboard</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="na">strategy</span><span class="pi">:</span> <span class="na">rollingUpdate</span><span class="pi">:</span> <span class="na">maxSurge</span><span class="pi">:</span> <span class="m">0</span> <span class="na">maxUnavailable</span><span class="pi">:</span> <span class="m">1</span> <span class="na">type</span><span class="pi">:</span> <span class="s">RollingUpdate</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">dashboard</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="s">Helm</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="na">app.kubernetes.io/part-of</span><span class="pi">:</span> <span class="s">undefined</span> <span class="na">app.kubernetes.io/version</span><span class="pi">:</span> <span class="s">2.5.0</span> <span class="na">helm.sh/chart</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-5.2.0</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">args</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">--namespace=default</span> <span class="pi">-</span> <span class="s">--auto-generate-certificates</span> <span class="pi">-</span> <span class="s">--metrics-provider=none</span> <span class="na">env</span><span class="pi">:</span> <span class="pi">[]</span> <span class="na">envFrom</span><span class="pi">:</span> <span class="pi">[]</span> <span class="na">image</span><span class="pi">:</span> <span class="s">kubernetesui/dashboard:v2.5.0</span> <span class="na">imagePullPolicy</span><span class="pi">:</span> <span class="s">IfNotPresent</span> <span class="na">livenessProbe</span><span class="pi">:</span> <span class="na">httpGet</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/</span> <span class="na">port</span><span class="pi">:</span> <span class="m">8443</span> <span class="na">scheme</span><span class="pi">:</span> <span class="s">HTTPS</span> <span class="na">name</span><span class="pi">:</span> <span class="s">dashboard</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">8443</span> <span class="na">name</span><span class="pi">:</span> <span class="s">https</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">TCP</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">limits</span><span class="pi">:</span> <span class="na">cpu</span><span class="pi">:</span> <span class="m">2</span> <span class="na">memory</span><span class="pi">:</span> <span class="s">200Mi</span> <span class="na">requests</span><span class="pi">:</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s">100m</span> <span class="na">memory</span><span class="pi">:</span> <span class="s">200Mi</span> <span class="na">securityContext</span><span class="pi">:</span> <span class="na">allowPrivilegeEscalation</span><span class="pi">:</span> <span class="no">false</span> <span class="na">readOnlyRootFilesystem</span><span class="pi">:</span> <span class="no">true</span> <span class="na">runAsGroup</span><span class="pi">:</span> <span class="m">2001</span> <span class="na">runAsUser</span><span class="pi">:</span> <span class="m">1001</span> <span class="na">volumeMounts</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/certs</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-certs</span> <span class="pi">-</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/tmp</span> <span class="na">name</span><span class="pi">:</span> <span class="s">tmp-volume</span> <span class="na">imagePullSecrets</span><span class="pi">:</span> <span class="pi">[]</span> <span class="na">initContainers</span><span class="pi">:</span> <span class="pi">[]</span> <span class="na">securityContext</span><span class="pi">:</span> <span class="na">seccompProfile</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">RuntimeDefault</span> <span class="na">serviceAccountName</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-default</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-certs</span> <span class="na">secret</span><span class="pi">:</span> <span class="na">secretName</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-certs</span> <span class="pi">-</span> <span class="na">emptyDir</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">name</span><span class="pi">:</span> <span class="s">tmp-volume</span> </code></pre> </div> <h2> Lines of Code </h2> <p>Assuming you have created that functionally resembles the original <code>kubernetes-dashboard</code> Helm chart, let's consider some numbers. </p> <p>Here is a Lines of Code analysis performed with the Visual Studio Code LoC Extension for the original <code>kubernetes-dashboard</code> charts relevant configuration files (<code>values.yaml</code> + templates):</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>File</th> <th>Lines of Code</th> <th>Comments</th> </tr> </thead> <tbody> <tr> <td><code>values.yaml</code></td> <td>149</td> <td>161</td> </tr> <tr> <td><code>templates/_helpers.tpl</code></td> <td>64</td> <td>15</td> </tr> <tr> <td><code>templates/_tplvalues.tpl</code></td> <td>23</td> <td>5</td> </tr> <tr> <td><code>templates/clusterrole-metrics.yaml</code></td> <td>33</td> <td>1</td> </tr> <tr> <td><code>templates/clusterrole-readonly.yaml</code></td> <td>153</td> <td>1</td> </tr> <tr> <td><code>templates/clusterrolebinding-metrics.yaml</code></td> <td>36</td> <td>1</td> </tr> <tr> <td><code>templates/clusterrolebinding-readonly.yaml</code></td> <td>36</td> <td>1</td> </tr> <tr> <td><code>templates/configmap.yaml</code></td> <td>33</td> <td>1</td> </tr> <tr> <td><code>templates/deployment.yaml</code></td> <td>186</td> <td>2</td> </tr> <tr> <td><code>templates/ingress.yaml</code></td> <td>88</td> <td>1</td> </tr> <tr> <td><code>templates/networkpolicy.yaml</code></td> <td>44</td> <td>1</td> </tr> <tr> <td><code>templates/pdb.yaml</code></td> <td>38</td> <td>1</td> </tr> <tr> <td><code>templates/psp.yaml</code></td> <td>81</td> <td>1</td> </tr> <tr> <td><code>templates/role.yaml</code></td> <td>48</td> <td>1</td> </tr> <tr> <td><code>templates/rolebinding.yaml</code></td> <td>36</td> <td>1</td> </tr> <tr> <td><code>templates/secret.yaml</code></td> <td>46</td> <td>1</td> </tr> <tr> <td><code>templates/service.yaml</code></td> <td>58</td> <td>1</td> </tr> <tr> <td><code>templates/serviceaccount.yaml</code></td> <td>28</td> <td>1</td> </tr> <tr> <td><code>templates/servicemonitor.yaml</code></td> <td>40</td> <td>1</td> </tr> <tr> <td>Total</td> <td>1220</td> <td>198</td> </tr> </tbody> </table></div> <p>Essentially there exist ~1220 lines of configurational code written which need to be maintained by the chart maintainers. The chart consumers need to understand and maintain ~150 lines of configuration in the <code>values.yaml</code> but will likely need to check the templates too to understand the inner workings.</p> <p>Compared to that, the <code>kubernetes-dashboard-hull</code>'s <code>values.yaml</code> - containing all configuration code - consists of a mere 460 lines of configuration. With only about a third of the original configuration code to maintain, the HULL based chart arguably covers the default structure and logic of the source chart. But still it is relatively unrestricted in the ways you can adapt the configuration to your needs in any given deployment scenario.</p> <p>Thank you for staying with us and hope you enjoyed the turorial :)</p> HULL Tutorial 07: Configuring Advanced Objects gre9ory Tue, 31 May 2022 11:25:35 +0000 https://dev.to/gre9ory/hull-tutorial-07-configuring-advanced-objects-1jbi https://dev.to/gre9ory/hull-tutorial-07-configuring-advanced-objects-1jbi <h2> Preparation </h2> <p>In this tutorial section you are going to deal with the remaining template files and a little more advanced things you can tweak in the <code>kubernetes-dashboard</code> chart which we haven't covered yet. This will conclude the educational conversion of objects from a 'regular' Helm chart to a HULL based chart.</p> <p>But before diving into this prepare your working folder again and copy over the last sections result:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd</span> ~/kubernetes-dashboard-hull <span class="o">&amp;&amp;</span> <span class="nb">cp</span> <span class="nt">-R</span> 06_service_api/ 07_advanced_configuration <span class="o">&amp;&amp;</span> <span class="nb">cd </span>07_advanced_configuration/kubernetes-dashboard-hull </code></pre> </div> <p>Prepare the <code>values.yaml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sed</span> <span class="s1">'/ objects:/Q'</span> values.full.yaml <span class="o">&gt;</span> values.yaml </code></pre> </div> <p>and once more verify the result:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cat </span>values.yaml </code></pre> </div> <p>currently looks like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">metrics-server</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="no">false</span> <span class="na">hull</span><span class="pi">:</span> <span class="na">config</span><span class="pi">:</span> <span class="na">specific</span><span class="pi">:</span> <span class="na">externalPort</span><span class="pi">:</span> <span class="m">443</span> <span class="na">protocolHttp</span><span class="pi">:</span> <span class="no">false</span> <span class="na">rbac</span><span class="pi">:</span> <span class="na">clusterReadOnlyRole</span><span class="pi">:</span> <span class="no">false</span> <span class="na">clusterRoleMetrics</span><span class="pi">:</span> <span class="no">true</span> <span class="na">settings</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">pinnedCRDs</span><span class="pi">:</span> <span class="pi">{}</span> </code></pre> </div> <p>For a reminder of the source template check the templates folder again:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">ls</span> ../kubernetes-dashboard/templates </code></pre> </div> <p>showing the following files:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="s">NOTES.txt clusterrole-metrics.yaml clusterrolebinding-readonly.yaml ingress.yaml psp.yaml secret.yaml servicemonitor.yaml</span> <span class="s">_helpers.tpl clusterrole-readonly.yaml configmap.yaml networkpolicy.yaml role.yaml service.yaml</span> <span class="s">_tplvalues.tpl clusterrolebinding-metrics.yaml deployment.yaml pdb.yaml rolebinding.yaml serviceaccount.yaml</span> </code></pre> </div> <p>Most of them are covered by now, the remaining ones and subject of this tutorial section are:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="s">networkpolicy.yaml</span> <span class="s">pdb.yaml</span> <span class="s">psp.yaml</span> <span class="s">servicemonitor.yaml</span> </code></pre> </div> <p>Aspects such as NetworkPolicies, PodDisruptionBudgets, PodSecurityPolicies and ServiceMonitors can be considered more advanced use vases as you can see that you need to enable each of these features explicitly to use them in the <code>kubernetes-dashboard</code> chart.</p> <h2> Using in-built ServiceMonitors and CRDs </h2> <p>The ServiceMonitor concept is part of the Prometheus Operator concept and offers a convenient way to add and remove endpoints which export Prometheus metrics so a Prometheus instance can dynamically monitor them. </p> <p>Since it is a very popular concept to expose an applications metric, the ServiceMonitor has its own object type <code>servicemonitor</code> in the HULL world.</p> <p>By default the ServiceMonitor in <code>values.yaml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cat</span> ../kubernetes-dashboard/values.yaml | <span class="nb">grep</span> <span class="s2">"^serviceMonitor:"</span> <span class="nt">-B</span> 1 <span class="nt">-A</span> 2 </code></pre> </div> <p>is disabled:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">serviceMonitor</span><span class="pi">:</span> <span class="c1"># Whether or not to create a Prometheus Operator service monitor.</span> <span class="na">enabled</span><span class="pi">:</span> <span class="no">false</span> </code></pre> </div> <p>Here you can create the <code>servicemonitor</code> object according to its underlying logic:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">echo</span> <span class="s1">' objects: servicemonitor: dashboard: enabled: false endpoints: |- _HT![ {{ if (index . "$").Values.hull.config.specific.protocolHttp }} { port: "http" } {{ else }} { port: "https" } {{ end }} ] selector: matchLabels: _HT&amp;dashboard'</span> <span class="o">&gt;&gt;</span> values.yaml </code></pre> </div> <p>Enable the ServiceMonitor with this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">echo</span> <span class="s1">'hull: objects: servicemonitor: dashboard: enabled: true'</span> <span class="o">&gt;</span> ../configs/servicemonitor.yaml <span class="se">\</span> <span class="o">&amp;&amp;</span> helm template <span class="nt">-f</span> ../configs/disable-default-rbac.yaml <span class="nt">-f</span> ../configs/servicemonitor.yaml <span class="nb">.</span> </code></pre> </div> <p>and test the output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="nn">---</span> <span class="c1"># Source: kubernetes-dashboard/templates/hull.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">monitoring.coreos.com/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ServiceMonitor</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">dashboard</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="s">Helm</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="na">app.kubernetes.io/part-of</span><span class="pi">:</span> <span class="s">undefined</span> <span class="na">app.kubernetes.io/version</span><span class="pi">:</span> <span class="s">2.5.0</span> <span class="na">helm.sh/chart</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-5.2.0</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-dashboard</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">endpoints</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">port</span><span class="pi">:</span> <span class="s">https</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">dashboard</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> </code></pre> </div> <p>If there are any other CustomResourceDefinitions or CustomResources to create within your Helm chart this is possible too in HULL by:</p> <ul> <li>the ability to <a href="https://helm.sh/docs/chart_best_practices/custom_resource_definitions/">deploy your CRDs with the <code>crds</code> folder</a> </li> <li>the ability to specify any CustomResource as a <a href="https://github.com/vidispine/hull/blob/main/hull/doc/objects_customresource.md"><code>customresource</code> object instance.</a> For CustomResources you additionally need to specify the <code>kind</code> and <code>apiVersion</code> besides the free form <code>spec</code> of your object.</li> </ul> <h2> Specifying NetworkPolicies </h2> <p>The <code>networkpolicy.yaml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cat</span> ../kubernetes-dashboard/templates/networkpolicy.yaml </code></pre> </div> <p>is pretty lightweight:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># Copyright 2017 The Kubernetes Authors.</span> <span class="c1">#</span> <span class="c1"># Licensed under the Apache License, Version 2.0 (the "License");</span> <span class="c1"># you may not use this file except in compliance with the License.</span> <span class="c1"># You may obtain a copy of the License at</span> <span class="c1">#</span> <span class="c1"># http://www.apache.org/licenses/LICENSE-2.0</span> <span class="c1">#</span> <span class="c1"># Unless required by applicable law or agreed to in writing, software</span> <span class="c1"># distributed under the License is distributed on an "AS IS" BASIS,</span> <span class="c1"># WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.</span> <span class="c1"># See the License for the specific language governing permissions and</span> <span class="c1"># limitations under the License.</span> <span class="pi">{{</span> <span class="nv">if .Values.networkPolicy.enabled -</span><span class="pi">}}</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">networking.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">NetworkPolicy</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">template "kubernetes-dashboard.fullname" .</span> <span class="pi">}}</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">template "kubernetes-dashboard.name" .</span> <span class="pi">}}</span> <span class="na">chart</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">template "kubernetes-dashboard.chart" .</span> <span class="pi">}}</span> <span class="na">release</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">.Release.Name</span> <span class="pi">}}</span> <span class="na">heritage</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">.Release.Service</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- if .Values.commonLabels</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{{</span><span class="nv">- if .Values.commonAnnotations</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">podSelector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">include "kubernetes-dashboard.matchLabels" . | nindent 6</span> <span class="pi">}}</span> <span class="na">ingress</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">{{</span><span class="nv">- if .Values.protocolHttp</span> <span class="pi">}}</span> <span class="pi">-</span> <span class="na">port</span><span class="pi">:</span> <span class="s">http</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">TCP</span> <span class="pi">{{</span><span class="nv">- else</span> <span class="pi">}}</span> <span class="pi">-</span> <span class="na">port</span><span class="pi">:</span> <span class="s">https</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">TCP</span> <span class="pi">{{</span><span class="nv">- end -</span><span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end -</span><span class="pi">}}</span> </code></pre> </div> <p>and disabled by default as shown:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cat</span> ../kubernetes-dashboard/values.yaml | <span class="nb">grep</span> <span class="s2">"^networkPolicy:"</span> <span class="nt">-B</span> 1 <span class="nt">-A</span> 3 </code></pre> </div> <p>in the <code>values.yaml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">networkPolicy</span><span class="pi">:</span> <span class="c1"># Whether to create a network policy that allows/restricts access to the service</span> <span class="na">enabled</span><span class="pi">:</span> <span class="no">false</span> </code></pre> </div> <p>The addition of the new fixed labels here:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">template "kubernetes-dashboard.name" .</span> <span class="pi">}}</span> <span class="na">chart</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">template "kubernetes-dashboard.chart" .</span> <span class="pi">}}</span> <span class="na">release</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">.Release.Name</span> <span class="pi">}}</span> <span class="na">heritage</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">.Release.Service</span> <span class="pi">}}</span> </code></pre> </div> <p>appears to be pretty much out of line with the metadata handling of the other objects in this chart and may likely not have a functionality even. Anyway for completeness sake add them to the new objects metadata labels by transporting the underlying logic.</p> <p>Regarding the <code>podSelector</code> you can utilize HULL's <code>hull.tranformation.selector</code> function to create the corresponding labels to match the <code>dashboard</code> pods. </p> <p>That's all, write it to the <code>values.yaml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">echo</span> <span class="s1">' networkpolicy: dashboard: enabled: false labels: app: _HT!{{- default (index . "$").Chart.Name (index . "$").Values.nameOverride | trunc 63 | trimSuffix "-" -}} chart: _HT!{{- printf "%s-%s" (index . "$").Chart.Name (index . "$").Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} release: _HT!{{ (index . "$").Release.Name }} heritage: _HT!{{ (index . "$").Release.Service }} podSelector: matchLabels: _HT&amp;dashboard ingress: |- _HT![ { ports: [ { protocol: TCP, {{ if (index . "$").Values.hull.config.specific.protocolHttp }} port: "http" {{ else }} port: "https" {{ end }} } ] } ]'</span><span class="o">&gt;&gt;</span> values.yaml </code></pre> </div> <p>and apply the <code>helm template</code> command on the enabled networkpolicy:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">echo</span> <span class="s1">'hull: objects: networkpolicy: dashboard: enabled: true'</span> <span class="o">&gt;</span> ../configs/networkpolicy.yaml <span class="se">\</span> <span class="o">&amp;&amp;</span> helm template <span class="nt">-f</span> ../configs/disable-default-rbac.yaml <span class="nt">-f</span> ../configs/networkpolicy.yaml <span class="nb">.</span> </code></pre> </div> <p>and verify the results correctness:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="nn">---</span> <span class="c1"># Source: kubernetes-dashboard/templates/hull.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">networking.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">NetworkPolicy</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">dashboard</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="s">Helm</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="na">app.kubernetes.io/part-of</span><span class="pi">:</span> <span class="s">undefined</span> <span class="na">app.kubernetes.io/version</span><span class="pi">:</span> <span class="s">2.5.0</span> <span class="na">chart</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-5.2.0</span> <span class="na">helm.sh/chart</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-5.2.0</span> <span class="na">heritage</span><span class="pi">:</span> <span class="s">Helm</span> <span class="na">release</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-dashboard</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">ingress</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">port</span><span class="pi">:</span> <span class="s">https</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">TCP</span> <span class="na">podSelector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">dashboard</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> </code></pre> </div> <h2> Specifying a PodDisruptionBudget </h2> <p><a href="https://kubernetes.io/docs/tasks/run-application/configure-pdb/">PodDisruptionBudgets</a> have three fields:</p> <ul> <li>A label selector .spec.selector to specify the set of pods to which it applies. This field is required.</li> <li>.spec.minAvailable which is a description of the number of pods from that set that must still be available after the eviction, even in the absence of the evicted pod. minAvailable can be either an absolute number or a percentage.</li> <li>.spec.maxUnavailable (available in Kubernetes 1.7 and higher) which is a description of the number of pods from that set that can be unavailable after the eviction. It can be either an absolute number or a percentage.</li> </ul> <p>Take a look at our PodDisruptionBudget definition:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cat</span> ../kubernetes-dashboard/templates/pdb.yaml </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># Copyright 2017 The Kubernetes Authors.</span> <span class="c1">#</span> <span class="c1"># Licensed under the Apache License, Version 2.0 (the "License");</span> <span class="c1"># you may not use this file except in compliance with the License.</span> <span class="c1"># You may obtain a copy of the License at</span> <span class="c1">#</span> <span class="c1"># http://www.apache.org/licenses/LICENSE-2.0</span> <span class="c1">#</span> <span class="c1"># Unless required by applicable law or agreed to in writing, software</span> <span class="c1"># distributed under the License is distributed on an "AS IS" BASIS,</span> <span class="c1"># WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.</span> <span class="c1"># See the License for the specific language governing permissions and</span> <span class="c1"># limitations under the License.</span> <span class="pi">{{</span> <span class="nv">if .Values.podDisruptionBudget.enabled -</span><span class="pi">}}</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">policy/v1beta1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">PodDisruptionBudget</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="pi">{{</span><span class="nv">- include "kubernetes-dashboard.labels" . | nindent 4</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- if .Values.commonLabels</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{{</span><span class="nv">- if .Values.commonAnnotations</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> <span class="na">name</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">template "kubernetes-dashboard.fullname" .</span> <span class="pi">}}</span> <span class="na">spec</span><span class="pi">:</span> <span class="pi">{{</span><span class="nv">- if .Values.podDisruptionBudget.minAvailable</span> <span class="pi">}}</span> <span class="na">minAvailable</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">.Values.podDisruptionBudget.minAvailable</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- if .Values.podDisruptionBudget.maxUnavailable</span> <span class="pi">}}</span> <span class="na">maxUnavailable</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">.Values.podDisruptionBudget.maxUnavailable</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">include "kubernetes-dashboard.matchLabels" . | nindent 6</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end -</span><span class="pi">}}</span> </code></pre> </div> <p>In the <code>values.yaml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cat</span> ../kubernetes-dashboard/values.yaml | <span class="nb">grep</span> <span class="s2">"^podDisruptionBudget:"</span> <span class="nt">-B</span> 3 <span class="nt">-A</span> 6 </code></pre> </div> <p>default values are omitted for <code>minAvailable</code> and <code>maxUnavailable</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="c1">## podDisruptionBudget</span> <span class="c1">## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/</span> <span class="na">podDisruptionBudget</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="no">false</span> <span class="c1">## Minimum available instances; ignored if there is no PodDisruptionBudget</span> <span class="na">minAvailable</span><span class="pi">:</span> <span class="c1">## Maximum unavailable instances; ignored if there is no PodDisruptionBudget</span> <span class="na">maxUnavailable</span><span class="pi">:</span> </code></pre> </div> <p>Again you can put the handy <code>_HT&amp;</code> selector transformation to good use here and specify the object template:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">echo</span> <span class="s1">' poddisruptionbudget: dashboard: enabled: false selector: matchLabels: _HT&amp;dashboard'</span> <span class="o">&gt;&gt;</span> values.yaml </code></pre> </div> <p>and again do a quick check by enabling the PodDisruptionBudget:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">echo</span> <span class="s1">'hull: objects: poddisruptionbudget: dashboard: enabled: true'</span> <span class="o">&gt;</span> ../configs/pdb.yaml <span class="se">\</span> <span class="o">&amp;&amp;</span> helm template <span class="nt">-f</span> ../configs/disable-default-rbac.yaml <span class="nt">-f</span> ../configs/pdb.yaml <span class="nb">.</span> </code></pre> </div> <p>which is pretty bare bones:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="nn">---</span> <span class="c1"># Source: kubernetes-dashboard/templates/hull.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">policy/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">PodDisruptionBudget</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">dashboard</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="s">Helm</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="na">app.kubernetes.io/part-of</span><span class="pi">:</span> <span class="s">undefined</span> <span class="na">app.kubernetes.io/version</span><span class="pi">:</span> <span class="s">2.5.0</span> <span class="na">helm.sh/chart</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-5.2.0</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-dashboard</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">dashboard</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> </code></pre> </div> <h2> Setting up PodSecurityPolicies </h2> <p>When you inspect the remaining PodSecurityPolicy file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cat</span> ../kubernetes-dashboard/templates/psp.yaml </code></pre> </div> <p>you find a PodSecurityPolicy and - surprisingly - another Role and RoleBinding:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># Copyright 2017 The Kubernetes Authors.</span> <span class="c1">#</span> <span class="c1"># Licensed under the Apache License, Version 2.0 (the "License");</span> <span class="c1"># you may not use this file except in compliance with the License.</span> <span class="c1"># You may obtain a copy of the License at</span> <span class="c1">#</span> <span class="c1"># http://www.apache.org/licenses/LICENSE-2.0</span> <span class="c1">#</span> <span class="c1"># Unless required by applicable law or agreed to in writing, software</span> <span class="c1"># distributed under the License is distributed on an "AS IS" BASIS,</span> <span class="c1"># WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.</span> <span class="c1"># See the License for the specific language governing permissions and</span> <span class="c1"># limitations under the License.</span> <span class="pi">{{</span> <span class="nv">if .Values.podSecurityPolicy.enabled -</span><span class="pi">}}</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">policy/v1beta1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">PodSecurityPolicy</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">template "kubernetes-dashboard.fullname" .</span> <span class="pi">}}</span><span class="s">-psp</span> <span class="na">labels</span><span class="pi">:</span> <span class="pi">{{</span><span class="nv">- include "kubernetes-dashboard.labels" . | nindent 4</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- if .Values.commonLabels</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">seccomp.security.alpha.kubernetes.io/allowedProfileNames</span><span class="pi">:</span> <span class="s1">'</span><span class="s">*'</span> <span class="pi">{{</span><span class="nv">- if .Values.commonAnnotations</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">privileged</span><span class="pi">:</span> <span class="no">false</span> <span class="na">fsGroup</span><span class="pi">:</span> <span class="na">rule</span><span class="pi">:</span> <span class="s">RunAsAny</span> <span class="na">runAsUser</span><span class="pi">:</span> <span class="na">rule</span><span class="pi">:</span> <span class="s">RunAsAny</span> <span class="na">runAsGroup</span><span class="pi">:</span> <span class="na">rule</span><span class="pi">:</span> <span class="s">RunAsAny</span> <span class="na">seLinux</span><span class="pi">:</span> <span class="na">rule</span><span class="pi">:</span> <span class="s">RunAsAny</span> <span class="na">supplementalGroups</span><span class="pi">:</span> <span class="na">rule</span><span class="pi">:</span> <span class="s">RunAsAny</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">configMap'</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">secret'</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">emptyDir'</span> <span class="na">allowPrivilegeEscalation</span><span class="pi">:</span> <span class="no">false</span> <span class="na">hostNetwork</span><span class="pi">:</span> <span class="no">false</span> <span class="na">hostIPC</span><span class="pi">:</span> <span class="no">false</span> <span class="na">hostPID</span><span class="pi">:</span> <span class="no">false</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">RoleBinding</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">template "kubernetes-dashboard.fullname" .</span> <span class="pi">}}</span><span class="s">-psp</span> <span class="na">labels</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">include "kubernetes-dashboard.labels" . | nindent 4</span> <span class="pi">}}</span> <span class="na">roleRef</span><span class="pi">:</span> <span class="na">apiGroup</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Role</span> <span class="na">name</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">template "kubernetes-dashboard.fullname" .</span> <span class="pi">}}</span><span class="s">-psp</span> <span class="na">subjects</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ServiceAccount</span> <span class="na">name</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">template "kubernetes-dashboard.serviceAccountName" .</span> <span class="pi">}}</span> <span class="na">namespace</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">.Release.Namespace</span> <span class="pi">}}</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Role</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">template "kubernetes-dashboard.fullname" .</span> <span class="pi">}}</span><span class="s">-psp</span> <span class="na">labels</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">include "kubernetes-dashboard.labels" . | nindent 4</span> <span class="pi">}}</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">extensions</span> <span class="pi">-</span> <span class="s">policy/v1beta1</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">podsecuritypolicies</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">use</span> <span class="na">resourceNames</span><span class="pi">:</span> <span class="pi">-</span> <span class="pi">{{</span> <span class="nv">template "kubernetes-dashboard.fullname" .</span> <span class="pi">}}</span><span class="s">-psp</span> <span class="pi">{{</span><span class="nv">- end -</span><span class="pi">}}</span> </code></pre> </div> <p>The <code>values.yaml</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cat</span> ../kubernetes-dashboard/values.yaml | <span class="nb">grep</span> <span class="s2">"^podSecurityPolicy:"</span> <span class="nt">-B</span> 2 <span class="nt">-A</span> 3 </code></pre> </div> <p>offers the following content on <code>podSecurityPolicy</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="c1">## podSecurityPolicy for fine-grained authorization of pod creation and updates</span> <span class="na">podSecurityPolicy</span><span class="pi">:</span> <span class="c1"># Specifies whether a pod security policy should be created</span> <span class="na">enabled</span><span class="pi">:</span> <span class="no">false</span> </code></pre> </div> <p>Apart from the surprise of the unexpected objects there is nothing new to be found here and we can straight up convert them by adding the PodSecurityPolicy, the Role and RoleBinding:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">echo</span> <span class="s1">' podsecuritypolicy: dashboard: enabled: false annotations: seccomp.security.alpha.kubernetes.io/allowedProfileNames: "*" privileged: false fsGroup: rule: RunAsAny runAsUser: rule: RunAsAny runAsGroup: rule: RunAsAny seLinux: rule: RunAsAny supplementalGroups: rule: RunAsAny volumes: - configMap - secret - emptyDir allowPrivilegeEscalation: false hostNetwork: false hostIPC: false hostPID: false rolebinding: psp: enabled: _HT?(index . "$").Values.hull.objects.podsecuritypolicy.dashboard.enabled roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: _HT^psp subjects: - kind: ServiceAccount namespace: _HT!{{ (index . "$").Release.Namespace }} name: _HT^default role: psp: enabled: _HT?(index . "$").Values.hull.objects.podsecuritypolicy.dashboard.enabled rules: psp: apiGroups: - extensions - policy/v1beta1 resources: - podsecuritypolicies verbs: - use resourceNames: _HT![ {{ include "hull.metadata.fullname" (dict "PARENT_CONTEXT" (index . "$") "COMPONENT" "psp") }} ]'</span> <span class="o">&gt;&gt;</span> values.yaml </code></pre> </div> <p>Enable the PSP with this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">echo</span> <span class="s1">'hull: objects: podsecuritypolicy: dashboard: enabled: true'</span> <span class="o">&gt;</span> ../configs/psp.yaml <span class="se">\</span> <span class="o">&amp;&amp;</span> helm template <span class="nt">-f</span> ../configs/disable-default-rbac.yaml <span class="nt">-f</span> ../configs/psp.yaml <span class="nb">.</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="nn">---</span> <span class="c1"># Source: kubernetes-dashboard/templates/hull.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">policy/v1beta1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">PodSecurityPolicy</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">seccomp.security.alpha.kubernetes.io/allowedProfileNames</span><span class="pi">:</span> <span class="s1">'</span><span class="s">*'</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">dashboard</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="s">Helm</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="na">app.kubernetes.io/part-of</span><span class="pi">:</span> <span class="s">undefined</span> <span class="na">app.kubernetes.io/version</span><span class="pi">:</span> <span class="s">2.5.0</span> <span class="na">helm.sh/chart</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-5.2.0</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-dashboard</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">allowPrivilegeEscalation</span><span class="pi">:</span> <span class="no">false</span> <span class="na">fsGroup</span><span class="pi">:</span> <span class="na">rule</span><span class="pi">:</span> <span class="s">RunAsAny</span> <span class="na">hostIPC</span><span class="pi">:</span> <span class="no">false</span> <span class="na">hostNetwork</span><span class="pi">:</span> <span class="no">false</span> <span class="na">hostPID</span><span class="pi">:</span> <span class="no">false</span> <span class="na">privileged</span><span class="pi">:</span> <span class="no">false</span> <span class="na">runAsGroup</span><span class="pi">:</span> <span class="na">rule</span><span class="pi">:</span> <span class="s">RunAsAny</span> <span class="na">runAsUser</span><span class="pi">:</span> <span class="na">rule</span><span class="pi">:</span> <span class="s">RunAsAny</span> <span class="na">seLinux</span><span class="pi">:</span> <span class="na">rule</span><span class="pi">:</span> <span class="s">RunAsAny</span> <span class="na">supplementalGroups</span><span class="pi">:</span> <span class="na">rule</span><span class="pi">:</span> <span class="s">RunAsAny</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">configMap</span> <span class="pi">-</span> <span class="s">secret</span> <span class="pi">-</span> <span class="s">emptyDir</span> <span class="nn">---</span> <span class="c1"># Source: kubernetes-dashboard/templates/hull.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Role</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">psp</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="s">Helm</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="na">app.kubernetes.io/part-of</span><span class="pi">:</span> <span class="s">undefined</span> <span class="na">app.kubernetes.io/version</span><span class="pi">:</span> <span class="s">2.5.0</span> <span class="na">helm.sh/chart</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-5.2.0</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-psp</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">extensions</span> <span class="pi">-</span> <span class="s">policy/v1beta1</span> <span class="na">resourceNames</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">release-name-kubernetes-dashboard-psp</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">podsecuritypolicies</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">use</span> <span class="nn">---</span> <span class="c1"># Source: kubernetes-dashboard/templates/hull.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">RoleBinding</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">psp</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="s">Helm</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="na">app.kubernetes.io/part-of</span><span class="pi">:</span> <span class="s">undefined</span> <span class="na">app.kubernetes.io/version</span><span class="pi">:</span> <span class="s">2.5.0</span> <span class="na">helm.sh/chart</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-5.2.0</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-psp</span> <span class="na">roleRef</span><span class="pi">:</span> <span class="na">apiGroup</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Role</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-psp</span> <span class="na">subjects</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ServiceAccount</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-default</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">default</span> </code></pre> </div> <h2> Wrap Up </h2> <p>The object conversion is done, time to clean up once more.</p> <ol> <li> <p>Your <code>values.yaml</code> should resemble this now:<br> </p> <pre class="highlight yaml"><code><span class="na">metrics-server</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="no">false</span> <span class="na">hull</span><span class="pi">:</span> <span class="na">config</span><span class="pi">:</span> <span class="na">specific</span><span class="pi">:</span> <span class="na">externalPort</span><span class="pi">:</span> <span class="m">443</span> <span class="na">protocolHttp</span><span class="pi">:</span> <span class="no">false</span> <span class="na">rbac</span><span class="pi">:</span> <span class="na">clusterReadOnlyRole</span><span class="pi">:</span> <span class="no">false</span> <span class="na">clusterRoleMetrics</span><span class="pi">:</span> <span class="no">true</span> <span class="na">settings</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">pinnedCRDs</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">objects</span><span class="pi">:</span> <span class="na">servicemonitor</span><span class="pi">:</span> <span class="na">dashboard</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="no">false</span> <span class="na">endpoints</span><span class="pi">:</span> <span class="pi">|-</span> <span class="s">_HT![</span> <span class="s">{{ if (index . "$").Values.hull.config.specific.protocolHttp }}</span> <span class="s">{ port: "http" }</span> <span class="s">{{ else }}</span> <span class="s">{ port: "https" }</span> <span class="s">{{ end }}</span> <span class="s">]</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="s">_HT&amp;dashboard</span> <span class="na">networkpolicy</span><span class="pi">:</span> <span class="na">dashboard</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="no">false</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">_HT!{{- default (index . "$").Chart.Name (index . "$").Values.nameOverride | trunc 63 | trimSuffix "-" -}}</span> <span class="na">chart</span><span class="pi">:</span> <span class="s">_HT!{{- printf "%s-%s" (index . "$").Chart.Name (index . "$").Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}</span> <span class="na">release</span><span class="pi">:</span> <span class="s">_HT!{{ (index . "$").Release.Name }}</span> <span class="na">heritage</span><span class="pi">:</span> <span class="s">_HT!{{ (index . "$").Release.Service }}</span> <span class="na">podSelector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="s">_HT&amp;dashboard</span> <span class="na">ingress</span><span class="pi">:</span> <span class="pi">|-</span> <span class="s">_HT![</span> <span class="s">{ ports:</span> <span class="s">[</span> <span class="s">{</span> <span class="s">protocol: TCP,</span> <span class="s">{{ if (index . "$").Values.hull.config.specific.protocolHttp }}</span> <span class="s">port: "http"</span> <span class="s">{{ else }}</span> <span class="s">port: "https"</span> <span class="s">{{ end }}</span> <span class="s">}</span> <span class="s">]</span> <span class="s">}</span> <span class="s">]</span> <span class="na">poddisruptionbudget</span><span class="pi">:</span> <span class="na">dashboard</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="no">false</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="s">_HT&amp;dashboard</span> <span class="na">podsecuritypolicy</span><span class="pi">:</span> <span class="na">dashboard</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="no">false</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">seccomp.security.alpha.kubernetes.io/allowedProfileNames</span><span class="pi">:</span> <span class="s2">"</span><span class="s">*"</span> <span class="na">privileged</span><span class="pi">:</span> <span class="no">false</span> <span class="na">fsGroup</span><span class="pi">:</span> <span class="na">rule</span><span class="pi">:</span> <span class="s">RunAsAny</span> <span class="na">runAsUser</span><span class="pi">:</span> <span class="na">rule</span><span class="pi">:</span> <span class="s">RunAsAny</span> <span class="na">runAsGroup</span><span class="pi">:</span> <span class="na">rule</span><span class="pi">:</span> <span class="s">RunAsAny</span> <span class="na">seLinux</span><span class="pi">:</span> <span class="na">rule</span><span class="pi">:</span> <span class="s">RunAsAny</span> <span class="na">supplementalGroups</span><span class="pi">:</span> <span class="na">rule</span><span class="pi">:</span> <span class="s">RunAsAny</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">configMap</span> <span class="pi">-</span> <span class="s">secret</span> <span class="pi">-</span> <span class="s">emptyDir</span> <span class="na">allowPrivilegeEscalation</span><span class="pi">:</span> <span class="no">false</span> <span class="na">hostNetwork</span><span class="pi">:</span> <span class="no">false</span> <span class="na">hostIPC</span><span class="pi">:</span> <span class="no">false</span> <span class="na">hostPID</span><span class="pi">:</span> <span class="no">false</span> <span class="na">rolebinding</span><span class="pi">:</span> <span class="na">psp</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="s">_HT?(index . "$").Values.hull.objects.podsecuritypolicy.dashboard.enabled</span> <span class="na">roleRef</span><span class="pi">:</span> <span class="na">apiGroup</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Role</span> <span class="na">name</span><span class="pi">:</span> <span class="s">_HT^psp</span> <span class="na">subjects</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ServiceAccount</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">_HT!{{ (index . "$").Release.Namespace }}</span> <span class="na">name</span><span class="pi">:</span> <span class="s">_HT^default</span> <span class="na">role</span><span class="pi">:</span> <span class="na">psp</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="s">_HT?(index . "$").Values.hull.objects.podsecuritypolicy.dashboard.enabled</span> <span class="na">rules</span><span class="pi">:</span> <span class="na">psp</span><span class="pi">:</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">extensions</span> <span class="pi">-</span> <span class="s">policy/v1beta1</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">podsecuritypolicies</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">use</span> <span class="na">resourceNames</span><span class="pi">:</span> <span class="s">_HT![ {{ include "hull.metadata.fullname" (dict "PARENT_CONTEXT" (index . "$") "COMPONENT" "psp") }} ]</span> </code></pre> </li> <li> <p>Backup what you did in this tutorial part:<br> </p> <pre class="highlight shell"><code><span class="nb">cp </span>values.yaml values.tutorial-part.yaml </code></pre> </li> <li> <p>Since there exists a <code>role</code> block now in the current <code>values.full.yaml</code> and our local <code>values.yaml</code> it is required to merge them appropriately. Otherwise the second <code>role</code> key will overwrite the first which is not helpful. To create the final <code>values.full.yaml</code> you hence need to do a little more work but you can just copy and paste the following 'one liner' and it should do:<br> </p> <pre class="highlight shell"><code><span class="nb">sed</span> <span class="s1">'1,/objects:/d'</span> values.full.yaml <span class="o">&gt;</span> _tmp <span class="se">\</span> <span class="o">&amp;&amp;</span> <span class="nb">sed</span> <span class="s1">'/^\s\s\s\srole:/r'</span>&lt;<span class="o">(</span> <span class="nb">echo</span> <span class="s2">" psp:"</span> <span class="nb">echo</span> <span class="s2">" enabled: _HT?(index . </span><span class="se">\"</span><span class="nv">$\</span><span class="s2">"</span><span class="o">)</span>.Values.hull.objects.podsecuritypolicy.dashboard.enabled<span class="s2">" echo "</span> rules:<span class="s2">" echo "</span> psp:<span class="s2">" echo "</span> apiGroups:<span class="s2">" echo "</span> - extensions<span class="s2">" echo "</span> - policy/v1beta1<span class="s2">" echo "</span> resources:<span class="s2">" echo "</span> - podsecuritypolicies<span class="s2">" echo "</span> verbs:<span class="s2">" echo "</span> - use<span class="s2">" echo ' resourceNames: _HT![ {{ include "</span>hull.metadata.fullname<span class="s2">" (dict "</span>PARENT_CONTEXT<span class="s2">" (index . "$") "</span>COMPONENT<span class="s2">" "</span>psp<span class="s2">") }} ]' ) -i -- _tmp </span><span class="se">\</span><span class="s2"> &amp;&amp; cp values.yaml values.full.yaml </span><span class="se">\</span><span class="s2"> &amp;&amp; sed '/^</span><span class="se">\s\s\s\s</span><span class="s2">role:/,</span><span class="nv">$d</span><span class="s2">' -i values.full.yaml </span><span class="se">\</span><span class="s2"> &amp;&amp; cat _tmp &gt;&gt; values.full.yaml </span><span class="se">\</span><span class="s2"> &amp;&amp; rm _tmp </span></code></pre> </li> </ol> <p>Thanks again, only <a href="https://dev.to/gre9ory/hull-tutorial-08-wrapping-up-with-a-summary-and-analysis-4b27">the wrap up of everything and summary</a> left in this tutorial series. </p> HULL Tutorial 06: Writing Services and Ingresses gre9ory Tue, 31 May 2022 11:25:23 +0000 https://dev.to/gre9ory/hull-tutorial-06-writing-services-and-ingresses-27ba https://dev.to/gre9ory/hull-tutorial-06-writing-services-and-ingresses-27ba <h2> Preparation </h2> <p>Next up is a closer look at the objects from the <a href="https://kubernetes.io/docs/reference/kubernetes-api/service-resources/">Kubernetes Service API</a> which includes Services, Ingresses and Endpoints.</p> <p>But as before copy over our working chart from the last tutorial part to a new folder:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd</span> ~/kubernetes-dashboard-hull <span class="o">&amp;&amp;</span> <span class="nb">cp</span> <span class="nt">-R</span> 05_workloads/ 06_service_api <span class="o">&amp;&amp;</span> <span class="nb">cd </span>06_service_api/kubernetes-dashboard-hull </code></pre> </div> <p>To remove the HULL <code>hull.objects</code> from <code>values.full.yaml</code> and prepare our testing <code>values.yaml</code> enter:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sed</span> <span class="s1">'/ objects:/Q'</span> values.full.yaml <span class="o">&gt;</span> values.yaml </code></pre> </div> <p>and verify the result:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cat </span>values.yaml </code></pre> </div> <p>looks like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">metrics-server</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="no">false</span> <span class="na">hull</span><span class="pi">:</span> <span class="na">config</span><span class="pi">:</span> <span class="na">specific</span><span class="pi">:</span> <span class="na">protocolHttp</span><span class="pi">:</span> <span class="no">false</span> <span class="na">rbac</span><span class="pi">:</span> <span class="na">clusterReadOnlyRole</span><span class="pi">:</span> <span class="no">false</span> <span class="na">clusterRoleMetrics</span><span class="pi">:</span> <span class="no">true</span> <span class="na">settings</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">pinnedCRDs</span><span class="pi">:</span> <span class="pi">{}</span> </code></pre> </div> <h2> Check for existing Service API objects </h2> <p>Start the investigation as you did before:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>find ../kubernetes-dashboard/templates <span class="nt">-type</span> f <span class="nt">-iregex</span> <span class="s1">'.*\(Service\|\Ingress\|\Endpoint\).*'</span> | <span class="nb">sort</span> </code></pre> </div> <p>which returns:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="s">../kubernetes-dashboard/templates/ingress.yaml</span> <span class="s">../kubernetes-dashboard/templates/service.yaml</span> <span class="s">../kubernetes-dashboard/templates/serviceaccount.yaml</span> <span class="s">../kubernetes-dashboard/templates/servicemonitor.yaml</span> </code></pre> </div> <p>Ignoring the ServiceAccount (already handled) and the ServiceMonitor (handled later) there exists a Service and an Ingress definition.</p> <h2> Defining Services in HULL </h2> <p>The Service template contents of <code>/templates/service.yaml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cat</span> ../kubernetes-dashboard/templates/service.yaml </code></pre> </div> <p>do look like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># Copyright 2017 The Kubernetes Authors.</span> <span class="c1">#</span> <span class="c1"># Licensed under the Apache License, Version 2.0 (the "License");</span> <span class="c1"># you may not use this file except in compliance with the License.</span> <span class="c1"># You may obtain a copy of the License at</span> <span class="c1">#</span> <span class="c1"># http://www.apache.org/licenses/LICENSE-2.0</span> <span class="c1">#</span> <span class="c1"># Unless required by applicable law or agreed to in writing, software</span> <span class="c1"># distributed under the License is distributed on an "AS IS" BASIS,</span> <span class="c1"># WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.</span> <span class="c1"># See the License for the specific language governing permissions and</span> <span class="c1"># limitations under the License.</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">template "kubernetes-dashboard.fullname" .</span> <span class="pi">}}</span> <span class="na">labels</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">include "kubernetes-dashboard.labels" . | nindent 4</span> <span class="pi">}}</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="pi">{{</span> <span class="nv">.Values.service.clusterServiceLabel.key | nindent 4</span><span class="pi">}}</span><span class="err">:</span> <span class="pi">{{</span> <span class="nv">.Values.service.clusterServiceLabel.enabled | quote</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- if .Values.service.labels</span> <span class="pi">}}</span> <span class="pi">{{</span> <span class="nv">toYaml .Values.service.labels | nindent 4</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- if .Values.commonLabels</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{{</span><span class="nv">- if .Values.commonAnnotations</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- if .Values.service.annotations</span> <span class="pi">}}</span> <span class="pi">{{</span> <span class="nv">toYaml .Values.service.annotations | nindent 4</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">.Values.service.type</span> <span class="pi">}}</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">port</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">.Values.service.externalPort</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- if .Values.protocolHttp</span> <span class="pi">}}</span> <span class="na">targetPort</span><span class="pi">:</span> <span class="s">http</span> <span class="na">name</span><span class="pi">:</span> <span class="s">http</span> <span class="pi">{{</span><span class="nv">- else</span> <span class="pi">}}</span> <span class="na">targetPort</span><span class="pi">:</span> <span class="s">https</span> <span class="na">name</span><span class="pi">:</span> <span class="s">https</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- if hasKey .Values.service "nodePort"</span> <span class="pi">}}</span> <span class="na">nodePort</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">.Values.service.nodePort</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- if .Values.service.loadBalancerSourceRanges</span> <span class="pi">}}</span> <span class="na">loadBalancerSourceRanges</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">toYaml .Values.service.loadBalancerSourceRanges | nindent 4</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> <span class="na">selector</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">include "kubernetes-dashboard.matchLabels" . | nindent 4</span> <span class="pi">}}</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="pi">{{</span><span class="nv">- if .Values.service.loadBalancerIP</span> <span class="pi">}}</span> <span class="na">loadBalancerIP</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">.Values.service.loadBalancerIP</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> </code></pre> </div> <p>Again there is a reference to the <code>.Values.protocolHttp</code> property which now exists in the <code>hull.config.specific</code> section. The <code>ports</code>' <code>name</code> and <code>targetPort</code> are set dependent on <code>protocolHttp</code> while the <code>externalPort</code> is centrally defined. Therefore it makes sense to centralize access to <code>externalPort</code> under <code>hull.config.specific</code>, even more so because the <code>externalPort</code> is also accessed when defining the Ingress (more on that later). To do so execute:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sed</span> <span class="s1">'/^\s\s\s\sspecific/r'</span>&lt;<span class="o">(</span> <span class="nb">echo</span> <span class="s2">" externalPort: 443"</span> <span class="o">)</span> <span class="nt">-i</span> <span class="nt">--</span> values.yaml </code></pre> </div> <p>Apart from the <code>port</code>s there is only the <code>selector</code> worth discussing, the rest of the Service template is straightforward 1:1 mappings. But also check on the service block defaults in the <code>kubernetes-dashboard</code>'s <code>values.yaml</code> with:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cat</span> ../kubernetes-dashboard/values.yaml | <span class="nb">grep</span> <span class="s2">"^service:"</span> <span class="nt">-B</span> 1 <span class="nt">-A</span> 23 </code></pre> </div> <p>which prints:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">service</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">ClusterIP</span> <span class="c1"># Dashboard service port</span> <span class="na">externalPort</span><span class="pi">:</span> <span class="m">443</span> <span class="c1">## LoadBalancerSourcesRange is a list of allowed CIDR values, which are combined with ServicePort to</span> <span class="c1">## set allowed inbound rules on the security group assigned to the master load balancer</span> <span class="c1"># loadBalancerSourceRanges: []</span> <span class="c1">## A user-specified IP address for load balancer to use as External IP (if supported)</span> <span class="c1"># loadBalancerIP:</span> <span class="c1">## Additional Kubernetes Dashboard Service annotations</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{}</span> <span class="c1">## Here labels can be added to the Kubernetes Dashboard service</span> <span class="na">labels</span><span class="pi">:</span> <span class="pi">{}</span> <span class="c1">## Enable or disable the kubernetes.io/cluster-service label. Should be disabled for GKE clusters &gt;=1.15.</span> <span class="c1">## Otherwise, the addon manager will presume ownership of the service and try to delete it.</span> <span class="na">clusterServiceLabel</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="no">true</span> <span class="na">key</span><span class="pi">:</span> <span class="s2">"</span><span class="s">kubernetes.io/cluster-service"</span> </code></pre> </div> <p>The label <code>kubernetes.io/cluster-service</code> is added to the Service object and the <code>enabled</code> value serves as the value, this is represented in this part of the Service template:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="pi">{{</span> <span class="nv">.Values.service.clusterServiceLabel.key | nindent 4</span><span class="pi">}}</span><span class="err">:</span> <span class="pi">{{</span> <span class="nv">.Values.service.clusterServiceLabel.enabled | quote</span> <span class="pi">}}</span> </code></pre> </div> <p>While you could mimic the logic and move the <code>clusterServiceLabel</code> to the <code>hull.config.specific</code> section it does not offer any advantage over adding the label to the new service instance with the default value of <code>true</code>. A comment may be added of course to explain the deeper meaning of this label.</p> <h3> A closer look at <code>selector</code>s of Services </h3> <p>As previously highlighted, the <code>selector</code> <code>matchLabels</code> for workloads are automatically constructed from the following labels:</p> <ul> <li><code>app.kubernetes.io/component: default</code></li> <li><code>app.kubernetes.io/instance: release-name</code></li> <li><code>app.kubernetes.io/name: kubernetes-dashboard</code></li> </ul> <p>The Service object's <code>selector</code>'s in HULL follow the same construction principle, so this means that any Service whose key is identical to a workload object instance the <code>selector</code> will match and the Service will front the pods of the workload. For our example, if you define either a Deployment, DaemonSet or StatefulSet with key <code>dashboard</code>, any Service object with the same key <code>dashboard</code> will match and pose as the Service object to the pods on the network level. This is what you want to achieve here, a Service for the <code>dashboard</code> Deployment. On a side note, for Jobs the <code>selector</code> property is omitted automatically by HULL because in this case the <code>selector</code> handling of Jobs is internally managed by Kubernetes.</p> <p>So if you leave out the <code>selector</code> specification you will automatically have the default <code>selector</code> created but if you want to model the <code>selector</code> property yourself you can overwrite it explicitly. A use case for this is e.g. the creation of an additional headless Service for StatefulSets or any other more finegrained controlling of Service to Pod matching. For this there also exists a HULL transformation, the <code>hull.util.transformation.selector</code> or short <code>_HT&amp;</code>, which will be put to use later on. </p> <p>But for now here is the converted Service object for the <code>dashboard</code> employing the techniques that you already have learned:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">echo</span> <span class="s1">' objects: service: dashboard: labels: ## Enable or disable the kubernetes.io/cluster-service label. Should be disabled for GKE clusters &gt;=1.15. ## Otherwise, the addon manager will presume ownership of the service and try to delete it. "kubernetes.io/cluster-service": "true" type: ClusterIP ports: http: enabled: _HT?(index . "$").Values.hull.config.specific.protocolHttp port: _HT*hull.config.specific.externalPort targetPort: http https: enabled: _HT?(not (index . "$").Values.hull.config.specific.protocolHttp) port: _HT*hull.config.specific.externalPort targetPort: https'</span> <span class="o">&gt;&gt;</span> values.yaml </code></pre> </div> <h2> Defining Ingresses for inbound traffic </h2> <p>Next take a look at the original ingress definition with:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cat</span> ../kubernetes-dashboard/templates/ingress.yaml </code></pre> </div> <p>returning:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># Copyright 2017 The Kubernetes Authors.</span> <span class="c1">#</span> <span class="c1"># Licensed under the Apache License, Version 2.0 (the "License");</span> <span class="c1"># you may not use this file except in compliance with the License.</span> <span class="c1"># You may obtain a copy of the License at</span> <span class="c1">#</span> <span class="c1"># http://www.apache.org/licenses/LICENSE-2.0</span> <span class="c1">#</span> <span class="c1"># Unless required by applicable law or agreed to in writing, software</span> <span class="c1"># distributed under the License is distributed on an "AS IS" BASIS,</span> <span class="c1"># WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.</span> <span class="c1"># See the License for the specific language governing permissions and</span> <span class="c1"># limitations under the License.</span> <span class="pi">{{</span> <span class="nv">if .Values.ingress.enabled -</span><span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- $serviceName</span> <span class="pi">:</span><span class="nv">= include "kubernetes-dashboard.fullname" . -</span><span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- $servicePort</span> <span class="pi">:</span><span class="nv">= .Values.service.externalPort -</span><span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- $paths</span> <span class="pi">:</span><span class="nv">= .Values.ingress.paths -</span><span class="pi">}}</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">networking.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Ingress</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">template "kubernetes-dashboard.fullname" .</span> <span class="pi">}}</span> <span class="na">labels</span><span class="pi">:</span> <span class="pi">{{</span><span class="nv">- include "kubernetes-dashboard.labels" . | nindent 4</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- range $key</span><span class="pi">,</span> <span class="nv">$value</span> <span class="pi">:</span><span class="nv">= .Values.ingress.labels</span> <span class="pi">}}</span> <span class="pi">{{</span> <span class="nv">$key</span> <span class="pi">}}</span><span class="err">:</span> <span class="pi">{{</span> <span class="nv">$value | quote</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- if .Values.commonLabels</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{{</span><span class="nv">- if .Values.commonAnnotations</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- if not .Values.protocolHttp</span> <span class="pi">}}</span> <span class="c1"># Add https backend protocol support for ingress-nginx</span> <span class="na">nginx.ingress.kubernetes.io/backend-protocol</span><span class="pi">:</span> <span class="s2">"</span><span class="s">HTTPS"</span> <span class="c1"># Add https backend protocol support for GKE</span> <span class="na">service.alpha.kubernetes.io/app-protocols</span><span class="pi">:</span> <span class="s1">'</span><span class="s">{"https":"HTTPS"}'</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- with .Values.ingress.annotations</span> <span class="pi">}}</span> <span class="pi">{{</span> <span class="nv">toYaml . | nindent 4</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> <span class="na">spec</span><span class="pi">:</span> <span class="pi">{{</span><span class="nv">- with .Values.ingress.className</span> <span class="pi">}}</span> <span class="na">ingressClassName</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">. | quote</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">{{</span><span class="nv">- if .Values.ingress.hosts</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- range $host</span> <span class="pi">:</span><span class="nv">= .Values.ingress.hosts</span> <span class="pi">}}</span> <span class="pi">-</span> <span class="na">host</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">$host</span> <span class="pi">}}</span> <span class="na">http</span><span class="pi">:</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">{{</span><span class="nv">- if len ($.Values.ingress.customPaths)</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- "\n"</span> <span class="pi">}}{{</span> <span class="nv">tpl (toYaml $.Values.ingress.customPaths | nindent 10) $</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- else</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- range $p</span> <span class="pi">:</span><span class="nv">= $paths</span> <span class="pi">}}</span> <span class="pi">-</span> <span class="na">path</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">$p</span> <span class="pi">}}</span> <span class="na">pathType</span><span class="pi">:</span> <span class="s">ImplementationSpecific</span> <span class="na">backend</span><span class="pi">:</span> <span class="na">service</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">$serviceName</span> <span class="pi">}}</span> <span class="na">port</span><span class="pi">:</span> <span class="na">number</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">$servicePort</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end -</span><span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end -</span><span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end -</span><span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- else</span> <span class="pi">}}</span> <span class="pi">-</span> <span class="na">http</span><span class="pi">:</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">{{</span><span class="nv">- if len ($.Values.ingress.customPaths)</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- "\n"</span> <span class="pi">}}{{</span> <span class="nv">tpl (toYaml $.Values.ingress.customPaths | nindent 10) $</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- else</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- range $p</span> <span class="pi">:</span><span class="nv">= $paths</span> <span class="pi">}}</span> <span class="pi">-</span> <span class="na">path</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">$p</span> <span class="pi">}}</span> <span class="na">pathType</span><span class="pi">:</span> <span class="s">ImplementationSpecific</span> <span class="na">backend</span><span class="pi">:</span> <span class="na">service</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">$serviceName</span> <span class="pi">}}</span> <span class="na">port</span><span class="pi">:</span> <span class="na">number</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">$servicePort</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end -</span><span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end -</span><span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end -</span><span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- if .Values.ingress.tls</span> <span class="pi">}}</span> <span class="na">tls</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">toYaml .Values.ingress.tls | nindent 4</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end -</span><span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end -</span><span class="pi">}}</span> </code></pre> </div> <p>This is what the <code>values.yaml</code> has to say about the <code>ingress</code> definition:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cat</span> ../kubernetes-dashboard/values.yaml | <span class="nb">grep</span> <span class="s2">"^ingress:"</span> <span class="nt">-B</span> 1 <span class="nt">-A</span> 59 </code></pre> </div> <p>which is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">ingress</span><span class="pi">:</span> <span class="c1">## If true, Kubernetes Dashboard Ingress will be created.</span> <span class="c1">##</span> <span class="na">enabled</span><span class="pi">:</span> <span class="no">false</span> <span class="c1">## Kubernetes Dashboard Ingress labels</span> <span class="c1"># labels:</span> <span class="c1"># key: value</span> <span class="c1">## Kubernetes Dashboard Ingress annotations</span> <span class="c1"># annotations:</span> <span class="c1"># kubernetes.io/ingress.class: nginx</span> <span class="c1"># kubernetes.io/tls-acme: 'true'</span> <span class="c1">## If you plan to use TLS backend with enableInsecureLogin set to false</span> <span class="c1">## (default), you need to uncomment the below.</span> <span class="c1">## If you use ingress-nginx &lt; 0.21.0</span> <span class="c1"># nginx.ingress.kubernetes.io/secure-backends: "true"</span> <span class="c1">## if you use ingress-nginx &gt;= 0.21.0</span> <span class="c1"># nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"</span> <span class="c1">## Kubernetes Dashboard Ingress Class</span> <span class="c1"># className: "example-lb"</span> <span class="c1">## Kubernetes Dashboard Ingress paths</span> <span class="c1">## Both `/` and `/*` are required to work on gce ingress.</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">/</span> <span class="c1"># - /*</span> <span class="c1">## Custom Kubernetes Dashboard Ingress paths. Will override default paths.</span> <span class="c1">##</span> <span class="na">customPaths</span><span class="pi">:</span> <span class="pi">[]</span> <span class="c1"># - pathType: ImplementationSpecific</span> <span class="c1"># backend:</span> <span class="c1"># service:</span> <span class="c1"># name: ssl-redirect</span> <span class="c1"># port:</span> <span class="c1"># name: use-annotation</span> <span class="c1"># - pathType: ImplementationSpecific</span> <span class="c1"># backend:</span> <span class="c1"># service:</span> <span class="c1"># name: &gt;-</span> <span class="c1"># {{ include "kubernetes-dashboard.fullname" . }}</span> <span class="c1"># port:</span> <span class="c1"># # Don't use string here, use only integer value!</span> <span class="c1"># number: 443</span> <span class="c1">## Kubernetes Dashboard Ingress hostnames</span> <span class="c1">## Must be provided if Ingress is enabled</span> <span class="c1">##</span> <span class="c1"># hosts:</span> <span class="c1"># - kubernetes-dashboard.domain.com</span> <span class="c1">## Kubernetes Dashboard Ingress TLS configuration</span> <span class="c1">## Secrets must be manually created in the namespace</span> <span class="c1">##</span> <span class="c1"># tls:</span> <span class="c1"># - secretName: kubernetes-dashboard-tls</span> <span class="c1"># hosts:</span> <span class="c1"># - kubernetes-dashboard.domain.com</span> </code></pre> </div> <p>The <code>values.yaml</code> documentation is a little confusing and the template quite difficult to decipher at once so break it apart to see what is happening here:</p> <ul> <li>annotations are to be added to the ingress on the condition that <code>protocolHttp</code> is not true. Excerpt from ingress template: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="pi">{{</span><span class="nv">- if not .Values.protocolHttp</span> <span class="pi">}}</span> <span class="c1"># Add https backend protocol support for ingress-nginx</span> <span class="na">nginx.ingress.kubernetes.io/backend-protocol</span><span class="pi">:</span> <span class="s2">"</span><span class="s">HTTPS"</span> <span class="c1"># Add https backend protocol support for GKE</span> <span class="na">service.alpha.kubernetes.io/app-protocols</span><span class="pi">:</span> <span class="s1">'</span><span class="s">{"https":"HTTPS"}'</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> </code></pre> </div> <ul> <li>the <code>rules</code> entries section is basically repeated in the template, one time for all the hosts if any are given or once without <code>host</code> property if no hosts are given. Regarding the <code>paths</code> to process in both blocks the template will write out all fully specified <code>customPaths</code> if any are provided or will iterate over the predefined <code>paths</code> if no <code>customPaths</code> are given where the <code>paths</code> all point to the <code>dashboard</code> Service: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">rules</span><span class="pi">:</span> <span class="pi">{{</span><span class="nv">- if .Values.ingress.hosts</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- range $host</span> <span class="pi">:</span><span class="nv">= .Values.ingress.hosts</span> <span class="pi">}}</span> <span class="pi">-</span> <span class="na">host</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">$host</span> <span class="pi">}}</span> <span class="na">http</span><span class="pi">:</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">{{</span><span class="nv">- if len ($.Values.ingress.customPaths)</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- "\n"</span> <span class="pi">}}{{</span> <span class="nv">tpl (toYaml $.Values.ingress.customPaths | nindent 10) $</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- else</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- range $p</span> <span class="pi">:</span><span class="nv">= $paths</span> <span class="pi">}}</span> <span class="pi">-</span> <span class="na">path</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">$p</span> <span class="pi">}}</span> <span class="na">pathType</span><span class="pi">:</span> <span class="s">ImplementationSpecific</span> <span class="na">backend</span><span class="pi">:</span> <span class="na">service</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">$serviceName</span> <span class="pi">}}</span> <span class="na">port</span><span class="pi">:</span> <span class="na">number</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">$servicePort</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end -</span><span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end -</span><span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end -</span><span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- else</span> <span class="pi">}}</span> <span class="pi">-</span> <span class="na">http</span><span class="pi">:</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">{{</span><span class="nv">- if len ($.Values.ingress.customPaths)</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- "\n"</span> <span class="pi">}}{{</span> <span class="nv">tpl (toYaml $.Values.ingress.customPaths | nindent 10) $</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- else</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- range $p</span> <span class="pi">:</span><span class="nv">= $paths</span> <span class="pi">}}</span> <span class="pi">-</span> <span class="na">path</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">$p</span> <span class="pi">}}</span> <span class="na">pathType</span><span class="pi">:</span> <span class="s">ImplementationSpecific</span> <span class="na">backend</span><span class="pi">:</span> <span class="na">service</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">$serviceName</span> <span class="pi">}}</span> <span class="na">port</span><span class="pi">:</span> <span class="na">number</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">$servicePort</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end -</span><span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end -</span><span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end -</span><span class="pi">}}</span> </code></pre> </div> <p>Here is a simple approach to model this ingress where the default rule is being added as would be the case in the original <code>values.yaml</code> configuration:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">echo</span> <span class="s1">' ingress: dashboard: enabled: false annotations: |- _HT!{ {{ if not (index . "$").Values.hull.config.specific.protocolHttp }} "nginx.ingress.kubernetes.io/backend-protocol": "HTTPS", "service.alpha.kubernetes.io/app-protocols": "{\"https\":\"HTTPS\"}" {{ end }} } rules: default: http: paths: root: path: / pathType: ImplementationSpecific backend: service: name: dashboard port: number: _HT*hull.config.specific.externalPort'</span> <span class="o">&gt;&gt;</span> values.yaml </code></pre> </div> <p>If you need to change it at deploy time you could:</p> <ul> <li>add a <code>host</code> to the <code>default</code> path</li> <li>alter the <code>path</code> for the <code>default</code> rule for example to match your wanted route</li> <li>set the <code>rule</code> for <code>default: null</code> in which it will not be rendered anymore and create your own <code>rule</code> </li> </ul> <p>As a sanity check you should enable the ingress to see it prints out as expected:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">echo</span> <span class="s1">'hull: objects: ingress: dashboard: enabled: true'</span> <span class="o">&gt;</span> ../configs/enable-ingress.yaml <span class="se">\</span> <span class="o">&amp;&amp;</span> helm template <span class="nt">-f</span> ../configs/disable-default-rbac.yaml <span class="nt">-f</span> ../configs/enable-ingress.yaml <span class="nb">.</span> </code></pre> </div> <p>and there it is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="nn">---</span> <span class="c1"># Source: kubernetes-dashboard/templates/hull.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">dashboard</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="s">Helm</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="na">app.kubernetes.io/part-of</span><span class="pi">:</span> <span class="s">undefined</span> <span class="na">app.kubernetes.io/version</span><span class="pi">:</span> <span class="s">2.5.0</span> <span class="na">helm.sh/chart</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-5.2.0</span> <span class="na">kubernetes.io/cluster-service</span><span class="pi">:</span> <span class="s2">"</span><span class="s">true"</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-dashboard</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">https</span> <span class="na">port</span><span class="pi">:</span> <span class="m">443</span> <span class="na">targetPort</span><span class="pi">:</span> <span class="s">https</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">dashboard</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="na">type</span><span class="pi">:</span> <span class="s">ClusterIP</span> <span class="nn">---</span> <span class="c1"># Source: kubernetes-dashboard/templates/hull.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">networking.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Ingress</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">nginx.ingress.kubernetes.io/backend-protocol</span><span class="pi">:</span> <span class="s">HTTPS</span> <span class="na">service.alpha.kubernetes.io/app-protocols</span><span class="pi">:</span> <span class="s1">'</span><span class="s">{"https":"HTTPS"}'</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">dashboard</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="s">Helm</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="na">app.kubernetes.io/part-of</span><span class="pi">:</span> <span class="s">undefined</span> <span class="na">app.kubernetes.io/version</span><span class="pi">:</span> <span class="s">2.5.0</span> <span class="na">helm.sh/chart</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-5.2.0</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-dashboard</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">host</span><span class="pi">:</span> <span class="na">http</span><span class="pi">:</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">backend</span><span class="pi">:</span> <span class="na">service</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-dashboard</span> <span class="na">port</span><span class="pi">:</span> <span class="na">number</span><span class="pi">:</span> <span class="m">443</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/</span> <span class="na">pathType</span><span class="pi">:</span> <span class="s">ImplementationSpecific</span> <span class="na">tls</span><span class="pi">:</span> <span class="pi">[]</span> </code></pre> </div> <p>Since the <code>protocolHttp</code> option has a significant effect on the rendered output also do a quick test if everything is in order:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">echo</span> <span class="s1">'hull: config: specific: protocolHttp: true objects: ingress: dashboard: enabled: true'</span> <span class="o">&gt;</span> ../configs/enable-ingress-http.yaml <span class="se">\</span> <span class="o">&amp;&amp;</span> helm template <span class="nt">-f</span> ../configs/disable-default-rbac.yaml <span class="nt">-f</span> ../configs/enable-ingress-http.yaml <span class="nb">.</span> </code></pre> </div> <p>and there it is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="nn">---</span> <span class="c1"># Source: kubernetes-dashboard/templates/hull.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">dashboard</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="s">Helm</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="na">app.kubernetes.io/part-of</span><span class="pi">:</span> <span class="s">undefined</span> <span class="na">app.kubernetes.io/version</span><span class="pi">:</span> <span class="s">2.5.0</span> <span class="na">helm.sh/chart</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-5.2.0</span> <span class="na">kubernetes.io/cluster-service</span><span class="pi">:</span> <span class="s2">"</span><span class="s">true"</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-dashboard</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">http</span> <span class="na">port</span><span class="pi">:</span> <span class="m">443</span> <span class="na">targetPort</span><span class="pi">:</span> <span class="s">http</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">dashboard</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="na">type</span><span class="pi">:</span> <span class="s">ClusterIP</span> <span class="nn">---</span> <span class="c1"># Source: kubernetes-dashboard/templates/hull.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">networking.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Ingress</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">dashboard</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="s">Helm</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="na">app.kubernetes.io/part-of</span><span class="pi">:</span> <span class="s">undefined</span> <span class="na">app.kubernetes.io/version</span><span class="pi">:</span> <span class="s">2.5.0</span> <span class="na">helm.sh/chart</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-5.2.0</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-dashboard</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">host</span><span class="pi">:</span> <span class="na">http</span><span class="pi">:</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">backend</span><span class="pi">:</span> <span class="na">service</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-dashboard</span> <span class="na">port</span><span class="pi">:</span> <span class="na">number</span><span class="pi">:</span> <span class="m">443</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/</span> <span class="na">pathType</span><span class="pi">:</span> <span class="s">ImplementationSpecific</span> <span class="na">tls</span><span class="pi">:</span> <span class="pi">[]</span> </code></pre> </div> <h2> Another Wrap Up </h2> <p>So to finish this quickly:</p> <ol> <li> <p>That is how your <code>values.yaml</code>should look right now:<br> </p> <pre class="highlight yaml"><code><span class="na">metrics-server</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="no">false</span> <span class="na">hull</span><span class="pi">:</span> <span class="na">config</span><span class="pi">:</span> <span class="na">specific</span><span class="pi">:</span> <span class="na">externalPort</span><span class="pi">:</span> <span class="m">443</span> <span class="na">protocolHttp</span><span class="pi">:</span> <span class="no">false</span> <span class="na">rbac</span><span class="pi">:</span> <span class="na">clusterReadOnlyRole</span><span class="pi">:</span> <span class="no">false</span> <span class="na">clusterRoleMetrics</span><span class="pi">:</span> <span class="no">true</span> <span class="na">settings</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">pinnedCRDs</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">objects</span><span class="pi">:</span> <span class="na">service</span><span class="pi">:</span> <span class="na">dashboard</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="c1">## Enable or disable the kubernetes.io/cluster-service label. Should be disabled for GKE clusters &gt;=1.15.</span> <span class="c1">## Otherwise, the addon manager will presume ownership of the service and try to delete it.</span> <span class="s2">"</span><span class="s">kubernetes.io/cluster-service"</span><span class="err">:</span> <span class="s2">"</span><span class="s">true"</span> <span class="na">type</span><span class="pi">:</span> <span class="s">ClusterIP</span> <span class="na">ports</span><span class="pi">:</span> <span class="na">http</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="s">_HT?(index . "$").Values.hull.config.specific.protocolHttp</span> <span class="na">port</span><span class="pi">:</span> <span class="s">_HT*hull.config.specific.externalPort</span> <span class="na">targetPort</span><span class="pi">:</span> <span class="s">http</span> <span class="na">https</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="s">_HT?(not (index . "$").Values.hull.config.specific.protocolHttp)</span> <span class="na">port</span><span class="pi">:</span> <span class="s">_HT*hull.config.specific.externalPort</span> <span class="na">targetPort</span><span class="pi">:</span> <span class="s">https</span> <span class="na">ingress</span><span class="pi">:</span> <span class="na">dashboard</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="no">false</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">|-</span> <span class="s">_HT!{</span> <span class="s">{{ if not (index . "$").Values.hull.config.specific.protocolHttp }}</span> <span class="s">"nginx.ingress.kubernetes.io/backend-protocol": "HTTPS",</span> <span class="s">"service.alpha.kubernetes.io/app-protocols": "{\"https\":\"HTTPS\"}"</span> <span class="s">{{ end }}</span> <span class="s">}</span> <span class="na">rules</span><span class="pi">:</span> <span class="na">default</span><span class="pi">:</span> <span class="na">http</span><span class="pi">:</span> <span class="na">paths</span><span class="pi">:</span> <span class="na">root</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/</span> <span class="na">pathType</span><span class="pi">:</span> <span class="s">ImplementationSpecific</span> <span class="na">backend</span><span class="pi">:</span> <span class="na">service</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">dashboard</span> <span class="na">port</span><span class="pi">:</span> <span class="na">number</span><span class="pi">:</span> <span class="s">_HT*hull.config.specific.externalPort</span> </code></pre> </li> <li> <p>Run the <code>values.yaml</code> backup:<br> </p> <pre class="highlight shell"><code><span class="nb">cp </span>values.yaml values.tutorial-part.yaml </code></pre> </li> <li> <p>Add in the already created objects:<br> </p> <pre class="highlight shell"><code><span class="nb">sed</span> <span class="s1">'1,/objects:/d'</span> values.full.yaml <span class="o">&gt;</span> _tmp <span class="o">&amp;&amp;</span> <span class="nb">cp </span>values.yaml values.full.yaml <span class="o">&amp;&amp;</span> <span class="nb">cat </span>_tmp <span class="o">&gt;&gt;</span> values.full.yaml <span class="o">&amp;&amp;</span> <span class="nb">rm </span>_tmp </code></pre> </li> </ol> <p>Thanks for taking part and hope to see you <a href="https://dev.to/gre9ory/hull-tutorial-07-configuring-advanced-objects-1jbi">in the next tutorial part on advanced object configuration</a> as well!</p> HULL Tutorial 05: Defining Workload objects gre9ory Tue, 31 May 2022 11:25:10 +0000 https://dev.to/gre9ory/hull-tutorial-05-defining-workload-objects-268l https://dev.to/gre9ory/hull-tutorial-05-defining-workload-objects-268l <h2> Preparation </h2> <p>In this Part of the tutorial workload objects are created. A workload object has a pod at its core in which containers run code. Most important workload types are Deployments, DaemonSets, StatefulSets, Jobs and CronJobs. </p> <p>First off we again copy over our working chart from the last tutorial part to a new folder in the same manner as we did before. Go to your working directory and execute:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd</span> ~/kubernetes-dashboard-hull <span class="o">&amp;&amp;</span> <span class="nb">cp</span> <span class="nt">-R</span> 04_rbac/ 05_workloads <span class="o">&amp;&amp;</span> <span class="nb">cd </span>05_workloads/kubernetes-dashboard-hull </code></pre> </div> <p>As before, to delete the HULL <code>hull.objects</code> from <code>values.full.yaml</code> and copy the current <code>hull.config</code> to the <code>values.yaml</code> type the following:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sed</span> <span class="s1">'/ objects:/Q'</span> values.full.yaml <span class="o">&gt;</span> values.yaml </code></pre> </div> <p>and verify the result:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cat </span>values.yaml </code></pre> </div> <p>looks like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">metrics-server</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="no">false</span> <span class="na">hull</span><span class="pi">:</span> <span class="na">config</span><span class="pi">:</span> <span class="na">specific</span><span class="pi">:</span> <span class="na">rbac</span><span class="pi">:</span> <span class="na">clusterReadOnlyRole</span><span class="pi">:</span> <span class="no">false</span> <span class="na">clusterRoleMetrics</span><span class="pi">:</span> <span class="no">true</span> <span class="na">settings</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">pinnedCRDs</span><span class="pi">:</span> <span class="pi">{}</span> </code></pre> </div> <p>If yes, then you are good to start the next tutorial part.</p> <h2> Examining existing workloads </h2> <p>Now having the preparation out of the way first find out which of those mentioned workload objects are present in the original chart:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>find ../kubernetes-dashboard/templates <span class="nt">-type</span> f <span class="nt">-iregex</span> <span class="s1">'.*\(deployment\|daemonset\|statefulset\|job\).*'</span> | <span class="nb">sort</span> </code></pre> </div> <p>which returns:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="s">../kubernetes-dashboard/templates/deployment.yaml</span> </code></pre> </div> <p>Only the <code>dashboard</code> deployment but it will suffice to explain the process.</p> <h3> Specifying workloads with HULL </h3> <p>Now check the <code>templates/deployment.yaml</code> Deployment:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cat</span> ../kubernetes-dashboard/templates/deployment.yaml </code></pre> </div> <p>which is defined as follows:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># Copyright 2017 The Kubernetes Authors.</span> <span class="c1">#</span> <span class="c1"># Licensed under the Apache License, Version 2.0 (the "License");</span> <span class="c1"># you may not use this file except in compliance with the License.</span> <span class="c1"># You may obtain a copy of the License at</span> <span class="c1">#</span> <span class="c1"># http://www.apache.org/licenses/LICENSE-2.0</span> <span class="c1">#</span> <span class="c1"># Unless required by applicable law or agreed to in writing, software</span> <span class="c1"># distributed under the License is distributed on an "AS IS" BASIS,</span> <span class="c1"># WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.</span> <span class="c1"># See the License for the specific language governing permissions and</span> <span class="c1"># limitations under the License.</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">template "kubernetes-dashboard.fullname" .</span> <span class="pi">}}</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{{</span><span class="nv">- if .Values.commonAnnotations</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- with .Values.annotations</span> <span class="pi">}}</span> <span class="pi">{{</span> <span class="nv">toYaml . | nindent 4</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> <span class="na">labels</span><span class="pi">:</span> <span class="pi">{{</span><span class="nv">- include "kubernetes-dashboard.labels" . | nindent 4</span> <span class="pi">}}</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="pi">{{</span><span class="nv">- with .Values.labels</span> <span class="pi">}}</span> <span class="pi">{{</span> <span class="nv">toYaml . | nindent 4</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- if .Values.commonLabels</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">.Values.replicaCount</span> <span class="pi">}}</span> <span class="na">strategy</span><span class="pi">:</span> <span class="na">rollingUpdate</span><span class="pi">:</span> <span class="na">maxSurge</span><span class="pi">:</span> <span class="m">0</span> <span class="na">maxUnavailable</span><span class="pi">:</span> <span class="m">1</span> <span class="na">type</span><span class="pi">:</span> <span class="s">RollingUpdate</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">include "kubernetes-dashboard.matchLabels" . | nindent 6</span> <span class="pi">}}</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{{</span><span class="nv">- if .Values.podAnnotations</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- include "common.tplvalues.render" (dict "value" .Values.podAnnotations "context" $) | nindent 8</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> <span class="na">labels</span><span class="pi">:</span> <span class="pi">{{</span><span class="nv">- include "kubernetes-dashboard.labels" . | nindent 8</span> <span class="pi">}}</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="pi">{{</span><span class="nv">- if .Values.podLabels</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- include "common.tplvalues.render" (dict "value" .Values.podLabels "context" $) | nindent 8</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> <span class="na">spec</span><span class="pi">:</span> <span class="pi">{{</span><span class="nv">- with .Values.securityContext</span> <span class="pi">}}</span> <span class="na">securityContext</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">toYaml . | nindent 8</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> <span class="na">serviceAccountName</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">template "kubernetes-dashboard.serviceAccountName" .</span> <span class="pi">}}</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">.Chart.Name</span> <span class="pi">}}</span> <span class="na">image</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">.Values.image.repository</span><span class="nv"> </span><span class="s">}}:{{</span><span class="nv"> </span><span class="s">.Values.image.tag</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">imagePullPolicy</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">.Values.image.pullPolicy</span> <span class="pi">}}</span> <span class="na">args</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">--namespace={{ .Release.Namespace }}</span> <span class="pi">{{</span><span class="nv">- if not .Values.protocolHttp</span> <span class="pi">}}</span> <span class="pi">-</span> <span class="s">--auto-generate-certificates</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- if .Values.metricsScraper.enabled</span> <span class="pi">}}</span> <span class="pi">-</span> <span class="s">--sidecar-host=http://127.0.0.1:8000</span> <span class="pi">{{</span><span class="nv">- else</span> <span class="pi">}}</span> <span class="pi">-</span> <span class="s">--metrics-provider=none</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- with .Values.extraArgs</span> <span class="pi">}}</span> <span class="pi">{{</span> <span class="nv">toYaml . | nindent 10</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- with .Values.extraEnv</span> <span class="pi">}}</span> <span class="na">env</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">toYaml . | nindent 10</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">{{</span><span class="nv">- if .Values.protocolHttp</span> <span class="pi">}}</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">http</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">9090</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">TCP</span> <span class="pi">{{</span><span class="nv">- else</span> <span class="pi">}}</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">https</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">8443</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">TCP</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> <span class="na">volumeMounts</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-certs</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/certs</span> <span class="c1"># Create on-disk volume to store exec logs</span> <span class="pi">-</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/tmp</span> <span class="na">name</span><span class="pi">:</span> <span class="s">tmp-volume</span> <span class="pi">{{</span><span class="nv">- with .Values.extraVolumeMounts</span> <span class="pi">}}</span> <span class="pi">{{</span> <span class="nv">toYaml . | nindent 8</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> <span class="na">livenessProbe</span><span class="pi">:</span> <span class="na">httpGet</span><span class="pi">:</span> <span class="pi">{{</span><span class="nv">- if .Values.protocolHttp</span> <span class="pi">}}</span> <span class="na">scheme</span><span class="pi">:</span> <span class="s">HTTP</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/</span> <span class="na">port</span><span class="pi">:</span> <span class="m">9090</span> <span class="pi">{{</span><span class="nv">- else</span> <span class="pi">}}</span> <span class="na">scheme</span><span class="pi">:</span> <span class="s">HTTPS</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/</span> <span class="na">port</span><span class="pi">:</span> <span class="m">8443</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> <span class="na">initialDelaySeconds</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">.Values.livenessProbe.initialDelaySeconds</span> <span class="pi">}}</span> <span class="na">timeoutSeconds</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">.Values.livenessProbe.timeoutSeconds</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- with .Values.resources</span> <span class="pi">}}</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">toYaml . | nindent 10</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- with .Values.containerSecurityContext</span> <span class="pi">}}</span> <span class="na">securityContext</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">toYaml . | nindent 10</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- if .Values.metricsScraper.enabled</span> <span class="pi">}}</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">dashboard-metrics-scraper</span> <span class="na">image</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">.Values.metricsScraper.image.repository</span><span class="nv"> </span><span class="s">}}:{{</span><span class="nv"> </span><span class="s">.Values.metricsScraper.image.tag</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">imagePullPolicy</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">.Values.image.pullPolicy</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- with .Values.metricsScraper.args</span> <span class="pi">}}</span> <span class="na">args</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">toYaml . | nindent 10</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">8000</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">TCP</span> <span class="na">livenessProbe</span><span class="pi">:</span> <span class="na">httpGet</span><span class="pi">:</span> <span class="na">scheme</span><span class="pi">:</span> <span class="s">HTTP</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/</span> <span class="na">port</span><span class="pi">:</span> <span class="m">8000</span> <span class="na">initialDelaySeconds</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">.Values.livenessProbe.initialDelaySeconds</span> <span class="pi">}}</span> <span class="na">timeoutSeconds</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">.Values.livenessProbe.timeoutSeconds</span> <span class="pi">}}</span> <span class="na">volumeMounts</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/tmp</span> <span class="na">name</span><span class="pi">:</span> <span class="s">tmp-volume</span> <span class="pi">{{</span><span class="nv">- if .Values.metricsScraper.containerSecurityContext</span> <span class="pi">}}</span> <span class="na">securityContext</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">toYaml .Values.metricsScraper.containerSecurityContext | nindent 10</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- else if .Values.containerSecurityContext</span><span class="pi">}}</span> <span class="na">securityContext</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">toYaml .Values.containerSecurityContext | nindent 10</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- with .Values.metricsScraper.resources</span> <span class="pi">}}</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">toYaml . | nindent 10</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- with .Values.image.pullSecrets</span> <span class="pi">}}</span> <span class="na">imagePullSecrets</span><span class="pi">:</span> <span class="pi">{{</span><span class="nv">- range .</span> <span class="pi">}}</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">.</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- with .Values.nodeSelector</span> <span class="pi">}}</span> <span class="na">nodeSelector</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">toYaml . | nindent 8</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- with .Values.priorityClassName</span> <span class="pi">}}</span> <span class="na">priorityClassName</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">.</span><span class="nv"> </span><span class="s">}}"</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-certs</span> <span class="na">secret</span><span class="pi">:</span> <span class="na">secretName</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">template "kubernetes-dashboard.fullname" .</span> <span class="pi">}}</span><span class="s">-certs</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">tmp-volume</span> <span class="na">emptyDir</span><span class="pi">:</span> <span class="pi">{}</span> <span class="pi">{{</span><span class="nv">- with .Values.extraVolumes</span> <span class="pi">}}</span> <span class="pi">{{</span> <span class="nv">toYaml . | nindent 6</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- with .Values.tolerations</span> <span class="pi">}}</span> <span class="na">tolerations</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">toYaml . | nindent 8</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- with .Values.affinity</span> <span class="pi">}}</span> <span class="na">affinity</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">toYaml . | nindent 8</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> </code></pre> </div> <p>Many Helm charts are full of 1:1 mappings between <code>values.yaml</code> properties and the target object's properties of the same type in the <code>/templates</code> files. Cases in point for the above Deployment are:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="pi">{{</span><span class="nv">- with .Values.securityContext</span> <span class="pi">}}</span> <span class="na">securityContext</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">toYaml . | nindent 8</span> <span class="pi">}}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="pi">{{</span><span class="nv">- with .Values.containerSecurityContext</span> <span class="pi">}}</span> <span class="na">securityContext</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">toYaml . | nindent 10</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="pi">{{</span><span class="nv">- with .Values.metricsScraper.resources</span> <span class="pi">}}</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">toYaml . | nindent 10</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="pi">{{</span><span class="nv">- with .Values.image.pullSecrets</span> <span class="pi">}}</span> <span class="na">imagePullSecrets</span><span class="pi">:</span> <span class="pi">{{</span><span class="nv">- range .</span> <span class="pi">}}</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">.</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="pi">{{</span><span class="nv">- with .Values.nodeSelector</span> <span class="pi">}}</span> <span class="na">nodeSelector</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">toYaml . | nindent 8</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> </code></pre> </div> <p>There are a couple of more but the point of 1:1 mappings should be clear. <br> Now here one of or maybe the major strength of HULL comes into play: setting any object property can be done directly without the need to write any repetitive boilerplate code in the sense of: </p> <blockquote> <p><em>if this value is provided in <code>values.yaml</code> do insert it here 'as is' in the template</em></p> </blockquote> <p>Using HULL all of the shown code blocks can be ignored for our conversion because we can configure the properties without any additional required action at configuration/deployment time if needed. No additional pull request needed to make them configurable, they are always accessible if changing them is required.</p> <h3> Automated <code>selector</code> population </h3> <p>Selectors for pods are automatically created by HULL and take the unique metadata combination of the labels:</p> <ul> <li><code>app.kubernetes.io/component: default</code></li> <li><code>app.kubernetes.io/instance: release-name</code></li> <li><code>app.kubernetes.io/name: kubernetes-dashboard</code></li> </ul> <p>into account. With these fields being autopopulated at the workload and pod label level nothing further needs to be specified.</p> <h3> Specifying the Pod <code>template</code> </h3> <p>These are the new and interesting aspects when investigating the Deployments pod specification we need to deal with:</p> <h4> The main container <code>name</code> </h4> <p>A quick note on the actual main container name which depends on the chart name in the original <code>kubernetes-dashboard</code> chart:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">.Chart.Name</span> <span class="pi">}}</span> </code></pre> </div> <p>Here the container name will always resort to <code>kubernetes-dashboard</code> but it may also be bound to some other value in the <code>values.yaml</code>. Since with HULL the name is derived by the container's key, changing the key in a system specific configuration would require to redefine all the containers content which is not desired. Hence you have to stick with the static defined container name <code>kubernetes-dashboard</code> in the HULL version of the chart but normally container names are of minimal importance to the Deployment.</p> <h4> The <code>imagePullSecrets</code> and <code>image.registry</code> feature </h4> <p>A word on <code>imagePullSecrets</code> though: it is very easy to configure and use them with HULL throughout all workloads which should be briefly highlighted. </p> <p>Firstly, HULL splits the image definition of containers into three parts which are concatenated to form the <code>image</code> value in the Pod spec:</p> <ul> <li><code>registry</code></li> <li><code>repository</code></li> <li><code>tag</code></li> </ul> <p>where the leading registry part is optional.</p> <p>Secondly there is a dedicated object type named <code>registry</code> where you can specify Docker Registry secrets. With dedicated <code>registry</code> fields in the <code>image</code> definition and the dedicated <code>registry</code> objects, HULL by default adds all <code>registry</code> objects that are created in HULL as <code>imagePullSecrets</code> to the pod specs so images are always pullable even if they are stored on a configured secured registry. If this behavior is undesired, you can disable this feature simply by setting <code>createImagePullSecretsFromRegistries</code> to false in the HULL configuration like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">hull</span><span class="pi">:</span> <span class="na">config</span><span class="pi">:</span> <span class="na">general</span><span class="pi">:</span> <span class="na">createImagePullSecretsFromRegistries</span><span class="pi">:</span> <span class="no">false</span> </code></pre> </div> <p>You can however combine this feature with the possibility to set all pods <code>registry</code> fields to a common value. This is allowed for either using a fixed registry <code>server</code> name (for which the Docker registry secret is deployed outside of the Helm chart) or for using the <code>server</code> defined in the first found registry secret that is configured in the same chart. </p> <p>To provide an example of a real life use case imagine you host all Docker images referenced in your Helm chart in one place - meaning in one Docker registry. Now you may want to switch Docker registry providers - and hence the endpoint - or you need to copy over all Docker images to an airgapped system and host them in a local secured registry such as <a href="https://github.com/goharbor/harbor">Harbor</a>. In both cases you may want to centrally change the registry servers address without having to configure each pod specs <code>imagePullSecrets</code> and each containers <code>image</code> individually.</p> <p>To use a static server name you can populate the <code>hull.config.general.defaultImageRegistryServer</code> field, this requires you to add the <code>imagePullSecrets</code> yourself to the pod specs. If you define the registry within the same chart you may just enable <code>hull.config.general.defaultImageRegistryToFirstRegistrySecretServer</code> and all is done automatically in terms of <code>imagePullSecrets</code> and <code>registry</code> population.</p> <p>Refer to the <a href="https://github.com/vidispine/hull/blob/main/hull/README.md#the-config-section">documentation</a> and the following <code>config</code> switches:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">hull</span><span class="pi">:</span> <span class="na">config</span><span class="pi">:</span> <span class="na">general</span><span class="pi">:</span> <span class="na">defaultImageRegistryServer</span><span class="pi">:</span> <span class="na">defaultImageRegistryToFirstRegistrySecretServer</span><span class="pi">:</span> </code></pre> </div> <p>for more details on how to work with this feature.</p> <h4> Dynamically creating <code>args</code> </h4> <p>The <code>args</code> section requires using a HULL transformation to create an array of arguments that match the dynamic nature of the argument construction.</p> <h4> Seperating out configuration to <code>hull.config.specific</code> </h4> <p>Multiple pod specific properties are referencing properties under the <code>.Values.metricsScraper</code> section in the original charts <code>values.yaml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="pi">{{</span><span class="nv">- if .Values.metricsScraper.enabled</span> <span class="pi">}}</span> <span class="pi">-</span> <span class="s">--sidecar-host=http://127.0.0.1:8000</span> <span class="pi">{{</span><span class="nv">- else</span> <span class="pi">}}</span> <span class="pi">-</span> <span class="s">--metrics-provider=none</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> </code></pre> </div> <p>and:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="pi">{{</span><span class="nv">- if .Values.metricsScraper.enabled</span> <span class="pi">}}</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">dashboard-metrics-scraper</span> <span class="na">image</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">.Values.metricsScraper.image.repository</span><span class="nv"> </span><span class="s">}}:{{</span><span class="nv"> </span><span class="s">.Values.metricsScraper.image.tag</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">imagePullPolicy</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">.Values.image.pullPolicy</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- with .Values.metricsScraper.args</span> <span class="pi">}}</span> <span class="na">args</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">toYaml . | nindent 10</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">8000</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">TCP</span> <span class="na">livenessProbe</span><span class="pi">:</span> <span class="na">httpGet</span><span class="pi">:</span> <span class="na">scheme</span><span class="pi">:</span> <span class="s">HTTP</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/</span> <span class="na">port</span><span class="pi">:</span> <span class="m">8000</span> <span class="na">initialDelaySeconds</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">.Values.livenessProbe.initialDelaySeconds</span> <span class="pi">}}</span> <span class="na">timeoutSeconds</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">.Values.livenessProbe.timeoutSeconds</span> <span class="pi">}}</span> <span class="na">volumeMounts</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/tmp</span> <span class="na">name</span><span class="pi">:</span> <span class="s">tmp-volume</span> <span class="pi">{{</span><span class="nv">- if .Values.metricsScraper.containerSecurityContext</span> <span class="pi">}}</span> <span class="na">securityContext</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">toYaml .Values.metricsScraper.containerSecurityContext | nindent 10</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- else if .Values.containerSecurityContext</span><span class="pi">}}</span> <span class="na">securityContext</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">toYaml .Values.containerSecurityContext | nindent 10</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- with .Values.metricsScraper.resources</span> <span class="pi">}}</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">toYaml . | nindent 10</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> </code></pre> </div> <p>Basically it boils down to an optional sidecar container <code>dashboard-metrics-scraper</code> which may be enabled at will. The relevant section in <code>values.yaml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cat</span> ../kubernetes-dashboard/values.yaml | <span class="nb">grep</span> <span class="s2">"metricsScraper"</span> <span class="nt">-B</span> 4 <span class="nt">-A</span> 17 </code></pre> </div> <p>looks as follows:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="c1">## Metrics Scraper</span> <span class="c1">## Container to scrape, store, and retrieve a window of time from the Metrics Server.</span> <span class="c1">## refs: https://github.com/kubernetes-sigs/dashboard-metrics-scraper</span> <span class="na">metricsScraper</span><span class="pi">:</span> <span class="c1">## Wether to enable dashboard-metrics-scraper</span> <span class="na">enabled</span><span class="pi">:</span> <span class="no">false</span> <span class="na">image</span><span class="pi">:</span> <span class="na">repository</span><span class="pi">:</span> <span class="s">kubernetesui/metrics-scraper</span> <span class="na">tag</span><span class="pi">:</span> <span class="s">v1.0.7</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">{}</span> <span class="c1">## SecurityContext especially for the kubernetes dashboard metrics scraper container</span> <span class="c1">## If not set, the global containterSecurityContext values will define these values</span> <span class="c1"># containerSecurityContext:</span> <span class="c1"># allowPrivilegeEscalation: false</span> <span class="c1"># readOnlyRootFilesystem: true</span> <span class="c1"># runAsUser: 1001</span> <span class="c1"># runAsGroup: 2001</span> <span class="c1"># args:</span> <span class="c1"># - --log-level=info</span> <span class="c1"># - --logtostderr=true</span> </code></pre> </div> <p>To model this in your HULL chart you can just predefine the side car container and set <code>enabled: false</code> on it so it will behave the same as in the original chart. Regarding the reference in the <code>args</code> it can be hooked up with the <code>enabled</code> property. You may of course reference and specify the <code>metricsScraper.enabled</code> property in the <code>hull.config.specific</code> section to highlight the feature itself but it's not done in this tutorial. Most important for a proper Helm chart is to document the <code>values.yaml</code> appropriately as to how the <code>metricsScraper</code> can be enabled, for the sake of brevity documentation and comments on the <code>values.yaml</code> are generally omitted.</p> <p>Back to the pod specification, the <code>.Values.protocolHttp</code> property is also accessed multiple times too:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="pi">{{</span><span class="nv">- if not .Values.protocolHttp</span> <span class="pi">}}</span> <span class="pi">-</span> <span class="s">--auto-generate-certificates</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> </code></pre> </div> <p>and:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="pi">{{</span><span class="nv">- if .Values.protocolHttp</span> <span class="pi">}}</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">http</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">9090</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">TCP</span> <span class="pi">{{</span><span class="nv">- else</span> <span class="pi">}}</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">https</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">8443</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">TCP</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> </code></pre> </div> <p>This property is suitable to be added in the <code>hull.config.specific</code> section to allow centrally switching to HTTP mode. Properties such as these can be considered custom more abstract properties that do not directly translate to one object property but control multiple aspects of maybe multiple objects even. Other properties are more concrete properties which are directly associated with an object property (e.g. <code>imagePullPolicy</code>, <code>affinity</code>, <code>tolerations</code>, ...)</p> <p>The custom abstract properties are best modeled somewhere under <code>hull.config.specific</code> but for the concrete ones are best defined at deploy time by the configurator of the chart, adding redirection to <code>hull.config.specific</code> can clutter the configurational transparency.</p> <p>But there are exceptions, e.g. consider a Helm chart allows to deploy it's application as either a Deployment or DaemonSet and shares a large amount of both objects configuration via a shared pod template definition:</p> <ul> <li> <p>if you aim for transparency it is best to define the properties directly on the DaemonSet and Deployment objects so the same property can have different values configured for both of them.</p> <blockquote> <p><em>Advantage here is that it is more straightforward to understand where each object's property value is defined if at all and how it can be changed.</em></p> <p><em>Disadvantage is that this weakens the likely intention to have the DaemonSet and Deployment as alike as possible since it allows to involuntarily have unwanted differences between them.</em></p> </blockquote> </li> <li> <p>if you aim for abstraction you should define all the properties that are being referenced from both Deployment and DaemonSet under the <code>hull.config.specific</code> section and reference the central values.</p> <blockquote> <p><em>Disadvantage is that it obfuscates where a properties value comes from more and requires much more effort to set up the chart.</em></p> <p><em>Advantages are that the intent of having DaemonSet and Deployment as much alike as possible is better fulfillable and it would still be possible to overwrite any individual property on object level if wanted.</em></p> </blockquote> </li> </ul> <h4> Putting it all together </h4> <p>Ok so first insert the new <code>hull.config.specific</code> property so it can be referenced to:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sed</span> <span class="s1">'/^\s\s\s\sspecific/r'</span>&lt;<span class="o">(</span> <span class="nb">echo</span> <span class="s2">" protocolHttp: false"</span> <span class="o">)</span> <span class="nt">-i</span> <span class="nt">--</span> values.yaml </code></pre> </div> <p>Good, now when writing the Deployment spec default property values can be taken from the relevant fields in the original <code>values.yaml</code> where they are provided. For example, the <code>values.yaml</code> holds defaults for <code>securityContext</code>'s:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cat</span> ../kubernetes-dashboard/values.yaml | <span class="nb">grep</span> <span class="s2">"securityContext"</span> <span class="nt">-B</span> 3 <span class="nt">-A</span> 12 </code></pre> </div> <p>of the pod and the main container and a commented out suggestion for the <code>metricsScraper</code> container:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="c1">## SecurityContext to be added to kubernetes dashboard pods</span> <span class="c1">## To disable set the following configuration to null:</span> <span class="c1"># securityContext: null</span> <span class="na">securityContext</span><span class="pi">:</span> <span class="na">seccompProfile</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">RuntimeDefault</span> <span class="c1">## SecurityContext defaults for the kubernetes dashboard container and metrics scraper container</span> <span class="c1">## To disable set the following configuration to null:</span> <span class="c1"># containerSecurityContext: null</span> <span class="na">containerSecurityContext</span><span class="pi">:</span> <span class="na">allowPrivilegeEscalation</span><span class="pi">:</span> <span class="no">false</span> <span class="na">readOnlyRootFilesystem</span><span class="pi">:</span> <span class="no">true</span> <span class="na">runAsUser</span><span class="pi">:</span> <span class="m">1001</span> <span class="na">runAsGroup</span><span class="pi">:</span> <span class="m">2001</span> <span class="s">--</span> <span class="s">## Maximum unavailable instances; ignored if there is no PodDisruptionBudget</span> <span class="s">maxUnavailable</span><span class="err">:</span> <span class="c1">## PodSecurityContext for pod level securityContext</span> <span class="c1"># securityContext:</span> <span class="c1"># runAsUser: 1001</span> <span class="c1"># runAsGroup: 2001</span> <span class="na">networkPolicy</span><span class="pi">:</span> <span class="c1"># Whether to create a network policy that allows/restricts access to the service</span> <span class="na">enabled</span><span class="pi">:</span> <span class="no">false</span> <span class="c1">## podSecurityPolicy for fine-grained authorization of pod creation and updates</span> <span class="na">podSecurityPolicy</span><span class="pi">:</span> <span class="c1"># Specifies whether a pod security policy should be created</span> <span class="na">enabled</span><span class="pi">:</span> <span class="no">false</span> </code></pre> </div> <p>Many more fields that have simple defaults in the <code>kubernetes-dashboard</code>'s <code>values.yaml</code> can be copied over to our new HULL based Deployment specification, amongst them <code>image</code>, <code>resources</code> and <code>imagePullSecrets</code>.</p> <p>Other YAML structures in the Deployment are mixtures of static content and templated parts, take a look at the original <code>args</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">args</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">--namespace={{ .Release.Namespace }}</span> <span class="pi">{{</span><span class="nv">- if not .Values.protocolHttp</span> <span class="pi">}}</span> <span class="pi">-</span> <span class="s">--auto-generate-certificates</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- if .Values.metricsScraper.enabled</span> <span class="pi">}}</span> <span class="pi">-</span> <span class="s">--sidecar-host=http://127.0.0.1:8000</span> <span class="pi">{{</span><span class="nv">- else</span> <span class="pi">}}</span> <span class="pi">-</span> <span class="s">--metrics-provider=none</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- with .Values.extraArgs</span> <span class="pi">}}</span> <span class="pi">{{</span> <span class="nv">toYaml . | nindent 10</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> </code></pre> </div> <p>or are build up completely based on templating decisions like the <code>ports</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">ports</span><span class="pi">:</span> <span class="pi">{{</span><span class="nv">- if .Values.protocolHttp</span> <span class="pi">}}</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">http</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">9090</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">TCP</span> <span class="pi">{{</span><span class="nv">- else</span> <span class="pi">}}</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">https</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">8443</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">TCP</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> </code></pre> </div> <p>To replicate this behavior you can use the <code>_HT!</code> HULL transformation to completely model the arrays or dictionaries as desired or - in case of the simpler either/or decision for the <code>ports</code> - you can utilize hooking up the individual port definitions <code>enabled</code> property to a condition as shown next. HULL offers flexibility to model the configuration as you think it fits best.</p> <p>So this is a proposition for modeling the suggested Deployment spec for the <code>kubernetes-dashboard-hull</code> chart:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">echo</span> <span class="s1">' objects: deployment: dashboard: enabled: true replicas: 1 strategy: rollingUpdate: maxSurge: 0 maxUnavailable: 1 type: RollingUpdate pod: securityContext: seccompProfile: type: RuntimeDefault containers: dashboard: image: repository: kubernetesui/dashboard tag: v2.5.0 imagePullPolicy: IfNotPresent args: _HT![ {{- $p := (index . "$") }} "--namespace={{ $p.Release.Namespace }}", {{- if not $p.Values.hull.config.specific.protocolHttp }} "--auto-generate-certificates", {{- end }} {{- if $p.Values.hull.objects.deployment.dashboard.pod.containers.metricsscraper.enabled }} "--sidecar-host=http://127.0.0.1:8000", {{- else }} "--metrics-provider=none", {{- end }} ] ports: http: enabled: _HT?(index . "$").Values.hull.config.specific.protocolHttp containerPort: 9090 protocol: TCP https: enabled: _HT?(not (index . "$").Values.hull.config.specific.protocolHttp) containerPort: 8443 protocol: TCP volumeMounts: dashboard: name: kubernetes-dashboard-certs mountPath: /certs tmp: name: tmp-volume mountPath: /tmp livenessProbe: |- _HT!{ httpGet: { path: /, scheme: {{ (index . "$").Values.hull.config.specific.protocolHttp | ternary "HTTP" "HTTPS" }}, port: {{ (index . "$").Values.hull.config.specific.protocolHttp | ternary 9090 8443 }} } } initialDelaySeconds: 30 timeoutSeconds: 30 resources: requests: cpu: 100m memory: 200Mi limits: cpu: 2 memory: 200Mi securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true runAsUser: 1001 runAsGroup: 2001 metricsscraper: enabled: false image: repository: kubernetesui/metrics-scraper tag: v1.0.7 imagePullPolicy: IfNotPresent ports: tcp: containerPort: 8000 protocol: TCP livenessProbe: httpGet: scheme: HTTP path: / port: 8000 initialDelaySeconds: 30 timeoutSeconds: 30 volumeMounts: tmp: name: tmp-volume mountPath: /tmp securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true runAsUser: 1001 runAsGroup: 2001 volumes: kubernetes-dashboard-certs: secret: secretName: certs tmp-volume: emptyDir: {}'</span> <span class="o">&gt;&gt;</span> values.yaml </code></pre> </div> <p>Does it render as expected?<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>helm template <span class="nt">-f</span> ../configs/disable-default-rbac.yaml <span class="nb">.</span> </code></pre> </div> <p>yields:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="nn">---</span> <span class="c1"># Source: kubernetes-dashboard/templates/hull.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">dashboard</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="s">Helm</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="na">app.kubernetes.io/part-of</span><span class="pi">:</span> <span class="s">undefined</span> <span class="na">app.kubernetes.io/version</span><span class="pi">:</span> <span class="s">2.5.0</span> <span class="na">helm.sh/chart</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-5.2.0</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-dashboard</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">1</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">dashboard</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="na">strategy</span><span class="pi">:</span> <span class="na">rollingUpdate</span><span class="pi">:</span> <span class="na">maxSurge</span><span class="pi">:</span> <span class="m">0</span> <span class="na">maxUnavailable</span><span class="pi">:</span> <span class="m">1</span> <span class="na">type</span><span class="pi">:</span> <span class="s">RollingUpdate</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">dashboard</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="s">Helm</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="na">app.kubernetes.io/part-of</span><span class="pi">:</span> <span class="s">undefined</span> <span class="na">app.kubernetes.io/version</span><span class="pi">:</span> <span class="s">2.5.0</span> <span class="na">helm.sh/chart</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-5.2.0</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">args</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">--namespace=default</span> <span class="pi">-</span> <span class="s">--auto-generate-certificates</span> <span class="pi">-</span> <span class="s">--metrics-provider=none</span> <span class="na">env</span><span class="pi">:</span> <span class="pi">[]</span> <span class="na">envFrom</span><span class="pi">:</span> <span class="pi">[]</span> <span class="na">image</span><span class="pi">:</span> <span class="s">kubernetesui/dashboard:v2.5.0</span> <span class="na">imagePullPolicy</span><span class="pi">:</span> <span class="s">IfNotPresent</span> <span class="na">livenessProbe</span><span class="pi">:</span> <span class="na">httpGet</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/</span> <span class="na">port</span><span class="pi">:</span> <span class="m">8443</span> <span class="na">scheme</span><span class="pi">:</span> <span class="s">HTTPS</span> <span class="na">name</span><span class="pi">:</span> <span class="s">dashboard</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">8443</span> <span class="na">name</span><span class="pi">:</span> <span class="s">https</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">TCP</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">limits</span><span class="pi">:</span> <span class="na">cpu</span><span class="pi">:</span> <span class="m">2</span> <span class="na">memory</span><span class="pi">:</span> <span class="s">200Mi</span> <span class="na">requests</span><span class="pi">:</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s">100m</span> <span class="na">memory</span><span class="pi">:</span> <span class="s">200Mi</span> <span class="na">securityContext</span><span class="pi">:</span> <span class="na">allowPrivilegeEscalation</span><span class="pi">:</span> <span class="no">false</span> <span class="na">readOnlyRootFilesystem</span><span class="pi">:</span> <span class="no">true</span> <span class="na">runAsGroup</span><span class="pi">:</span> <span class="m">2001</span> <span class="na">runAsUser</span><span class="pi">:</span> <span class="m">1001</span> <span class="na">volumeMounts</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/certs</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-certs</span> <span class="pi">-</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/tmp</span> <span class="na">name</span><span class="pi">:</span> <span class="s">tmp-volume</span> <span class="na">imagePullSecrets</span><span class="pi">:</span> <span class="pi">[]</span> <span class="na">initContainers</span><span class="pi">:</span> <span class="pi">[]</span> <span class="na">securityContext</span><span class="pi">:</span> <span class="na">seccompProfile</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">RuntimeDefault</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-certs</span> <span class="na">secret</span><span class="pi">:</span> <span class="na">secretName</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-certs</span> <span class="pi">-</span> <span class="na">emptyDir</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">name</span><span class="pi">:</span> <span class="s">tmp-volume</span> </code></pre> </div> <p>Everything should be as expected. How about switching to HTTP and enabling the <code>metricsscraper</code> for a test?<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">echo</span> <span class="s1">'hull: config: specific: protocolHttp: true objects: deployment: dashboard: pod: containers: metricsscraper: enabled: true'</span> <span class="o">&gt;</span> ../configs/enable-http-scraper.yaml <span class="se">\</span> <span class="o">&amp;&amp;</span> helm template <span class="nt">-f</span> ../configs/disable-default-rbac.yaml <span class="nt">-f</span> ../configs/enable-http-scraper.yaml <span class="nb">.</span> </code></pre> </div> <p>and you'll see that the <code>args</code>, <code>ports</code> and <code>livenessProbe</code> output has changed to reflect the change to the <code>protocolHttp</code> property and the <code>metricsscraper</code> container is activated:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="nn">---</span> <span class="c1"># Source: kubernetes-dashboard/templates/hull.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">dashboard</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="s">Helm</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="na">app.kubernetes.io/part-of</span><span class="pi">:</span> <span class="s">undefined</span> <span class="na">app.kubernetes.io/version</span><span class="pi">:</span> <span class="s">2.5.0</span> <span class="na">helm.sh/chart</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-5.2.0</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-dashboard</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">1</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">dashboard</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="na">strategy</span><span class="pi">:</span> <span class="na">rollingUpdate</span><span class="pi">:</span> <span class="na">maxSurge</span><span class="pi">:</span> <span class="m">0</span> <span class="na">maxUnavailable</span><span class="pi">:</span> <span class="m">1</span> <span class="na">type</span><span class="pi">:</span> <span class="s">RollingUpdate</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">dashboard</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="s">Helm</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="na">app.kubernetes.io/part-of</span><span class="pi">:</span> <span class="s">undefined</span> <span class="na">app.kubernetes.io/version</span><span class="pi">:</span> <span class="s">2.5.0</span> <span class="na">helm.sh/chart</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-5.2.0</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">args</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">--namespace=default</span> <span class="pi">-</span> <span class="s">--sidecar-host=http://127.0.0.1:8000</span> <span class="na">env</span><span class="pi">:</span> <span class="pi">[]</span> <span class="na">envFrom</span><span class="pi">:</span> <span class="pi">[]</span> <span class="na">image</span><span class="pi">:</span> <span class="s">kubernetesui/dashboard:v2.5.0</span> <span class="na">imagePullPolicy</span><span class="pi">:</span> <span class="s">IfNotPresent</span> <span class="na">livenessProbe</span><span class="pi">:</span> <span class="na">httpGet</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/</span> <span class="na">port</span><span class="pi">:</span> <span class="m">9090</span> <span class="na">scheme</span><span class="pi">:</span> <span class="s">HTTP</span> <span class="na">name</span><span class="pi">:</span> <span class="s">dashboard</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">9090</span> <span class="na">name</span><span class="pi">:</span> <span class="s">http</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">TCP</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">limits</span><span class="pi">:</span> <span class="na">cpu</span><span class="pi">:</span> <span class="m">2</span> <span class="na">memory</span><span class="pi">:</span> <span class="s">200Mi</span> <span class="na">requests</span><span class="pi">:</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s">100m</span> <span class="na">memory</span><span class="pi">:</span> <span class="s">200Mi</span> <span class="na">securityContext</span><span class="pi">:</span> <span class="na">allowPrivilegeEscalation</span><span class="pi">:</span> <span class="no">false</span> <span class="na">readOnlyRootFilesystem</span><span class="pi">:</span> <span class="no">true</span> <span class="na">runAsGroup</span><span class="pi">:</span> <span class="m">2001</span> <span class="na">runAsUser</span><span class="pi">:</span> <span class="m">1001</span> <span class="na">volumeMounts</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/certs</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-certs</span> <span class="pi">-</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/tmp</span> <span class="na">name</span><span class="pi">:</span> <span class="s">tmp-volume</span> <span class="pi">-</span> <span class="na">env</span><span class="pi">:</span> <span class="pi">[]</span> <span class="na">envFrom</span><span class="pi">:</span> <span class="pi">[]</span> <span class="na">image</span><span class="pi">:</span> <span class="s">kubernetesui/metrics-scraper:v1.0.7</span> <span class="na">imagePullPolicy</span><span class="pi">:</span> <span class="s">IfNotPresent</span> <span class="na">livenessProbe</span><span class="pi">:</span> <span class="na">httpGet</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/</span> <span class="na">port</span><span class="pi">:</span> <span class="m">8000</span> <span class="na">scheme</span><span class="pi">:</span> <span class="s">HTTP</span> <span class="na">initialDelaySeconds</span><span class="pi">:</span> <span class="m">30</span> <span class="na">timeoutSeconds</span><span class="pi">:</span> <span class="m">30</span> <span class="na">name</span><span class="pi">:</span> <span class="s">metricsscraper</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">8000</span> <span class="na">name</span><span class="pi">:</span> <span class="s">tcp</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">TCP</span> <span class="na">securityContext</span><span class="pi">:</span> <span class="na">allowPrivilegeEscalation</span><span class="pi">:</span> <span class="no">false</span> <span class="na">readOnlyRootFilesystem</span><span class="pi">:</span> <span class="no">true</span> <span class="na">runAsGroup</span><span class="pi">:</span> <span class="m">2001</span> <span class="na">runAsUser</span><span class="pi">:</span> <span class="m">1001</span> <span class="na">volumeMounts</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/tmp</span> <span class="na">name</span><span class="pi">:</span> <span class="s">tmp-volume</span> <span class="na">imagePullSecrets</span><span class="pi">:</span> <span class="pi">[]</span> <span class="na">initContainers</span><span class="pi">:</span> <span class="pi">[]</span> <span class="na">securityContext</span><span class="pi">:</span> <span class="na">seccompProfile</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">RuntimeDefault</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-certs</span> <span class="na">secret</span><span class="pi">:</span> <span class="na">secretName</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-certs</span> <span class="pi">-</span> <span class="na">emptyDir</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">name</span><span class="pi">:</span> <span class="s">tmp-volume</span> </code></pre> </div> <h2> Wrap Up </h2> <p>Thanks for your interest, your <code>values.yaml</code> is supposed to look like this at this point:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">metrics-server</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="no">false</span> <span class="na">hull</span><span class="pi">:</span> <span class="na">config</span><span class="pi">:</span> <span class="na">specific</span><span class="pi">:</span> <span class="na">protocolHttp</span><span class="pi">:</span> <span class="no">false</span> <span class="na">rbac</span><span class="pi">:</span> <span class="na">clusterReadOnlyRole</span><span class="pi">:</span> <span class="no">false</span> <span class="na">clusterRoleMetrics</span><span class="pi">:</span> <span class="no">true</span> <span class="na">settings</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">pinnedCRDs</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">objects</span><span class="pi">:</span> <span class="na">deployment</span><span class="pi">:</span> <span class="na">dashboard</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="no">true</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">1</span> <span class="na">strategy</span><span class="pi">:</span> <span class="na">rollingUpdate</span><span class="pi">:</span> <span class="na">maxSurge</span><span class="pi">:</span> <span class="m">0</span> <span class="na">maxUnavailable</span><span class="pi">:</span> <span class="m">1</span> <span class="na">type</span><span class="pi">:</span> <span class="s">RollingUpdate</span> <span class="na">pod</span><span class="pi">:</span> <span class="na">securityContext</span><span class="pi">:</span> <span class="na">seccompProfile</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">RuntimeDefault</span> <span class="na">containers</span><span class="pi">:</span> <span class="na">dashboard</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="na">repository</span><span class="pi">:</span> <span class="s">kubernetesui/dashboard</span> <span class="na">tag</span><span class="pi">:</span> <span class="s">v2.5.0</span> <span class="na">imagePullPolicy</span><span class="pi">:</span> <span class="s">IfNotPresent</span> <span class="na">args</span><span class="pi">:</span> <span class="s">_HT![</span> <span class="s">{{- $p := (index . "$") }}</span> <span class="s">"--namespace={{ $p.Release.Namespace }}",</span> <span class="s">{{- if not $p.Values.hull.config.specific.protocolHttp }}</span> <span class="s">"--auto-generate-certificates",</span> <span class="s">{{- end }}</span> <span class="s">{{- if $p.Values.hull.objects.deployment.dashboard.pod.containers.metricsscraper.enabled }}</span> <span class="s">"--sidecar-host=http://127.0.0.1:8000",</span> <span class="s">{{- else }}</span> <span class="s">"--metrics-provider=none",</span> <span class="s">{{- end }}</span> <span class="s">]</span> <span class="na">ports</span><span class="pi">:</span> <span class="na">http</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="s">_HT?(index . "$").Values.hull.config.specific.protocolHttp</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">9090</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">TCP</span> <span class="na">https</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="s">_HT?(not (index . "$").Values.hull.config.specific.protocolHttp)</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">8443</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">TCP</span> <span class="na">volumeMounts</span><span class="pi">:</span> <span class="na">dashboard</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-certs</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/certs</span> <span class="na">tmp</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">tmp-volume</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/tmp</span> <span class="na">livenessProbe</span><span class="pi">:</span> <span class="pi">|-</span> <span class="s">_HT!{</span> <span class="s">httpGet: {</span> <span class="s">path: /,</span> <span class="s">scheme: {{ (index . "$").Values.hull.config.specific.protocolHttp | ternary "HTTP" "HTTPS" }},</span> <span class="s">port: {{ (index . "$").Values.hull.config.specific.protocolHttp | ternary 9090 8443 }}</span> <span class="s">}</span> <span class="s">}</span> <span class="s">initialDelaySeconds: 30</span> <span class="s">timeoutSeconds: 30</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">requests</span><span class="pi">:</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s">100m</span> <span class="na">memory</span><span class="pi">:</span> <span class="s">200Mi</span> <span class="na">limits</span><span class="pi">:</span> <span class="na">cpu</span><span class="pi">:</span> <span class="m">2</span> <span class="na">memory</span><span class="pi">:</span> <span class="s">200Mi</span> <span class="na">securityContext</span><span class="pi">:</span> <span class="na">allowPrivilegeEscalation</span><span class="pi">:</span> <span class="no">false</span> <span class="na">readOnlyRootFilesystem</span><span class="pi">:</span> <span class="no">true</span> <span class="na">runAsUser</span><span class="pi">:</span> <span class="m">1001</span> <span class="na">runAsGroup</span><span class="pi">:</span> <span class="m">2001</span> <span class="na">metricsscraper</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="no">false</span> <span class="na">image</span><span class="pi">:</span> <span class="na">repository</span><span class="pi">:</span> <span class="s">kubernetesui/metrics-scraper</span> <span class="na">tag</span><span class="pi">:</span> <span class="s">v1.0.7</span> <span class="na">imagePullPolicy</span><span class="pi">:</span> <span class="s">IfNotPresent</span> <span class="na">ports</span><span class="pi">:</span> <span class="na">tcp</span><span class="pi">:</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">8000</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">TCP</span> <span class="na">livenessProbe</span><span class="pi">:</span> <span class="na">httpGet</span><span class="pi">:</span> <span class="na">scheme</span><span class="pi">:</span> <span class="s">HTTP</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/</span> <span class="na">port</span><span class="pi">:</span> <span class="m">8000</span> <span class="na">initialDelaySeconds</span><span class="pi">:</span> <span class="m">30</span> <span class="na">timeoutSeconds</span><span class="pi">:</span> <span class="m">30</span> <span class="na">volumeMounts</span><span class="pi">:</span> <span class="na">tmp</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">tmp-volume</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/tmp</span> <span class="na">securityContext</span><span class="pi">:</span> <span class="na">allowPrivilegeEscalation</span><span class="pi">:</span> <span class="no">false</span> <span class="na">readOnlyRootFilesystem</span><span class="pi">:</span> <span class="no">true</span> <span class="na">runAsUser</span><span class="pi">:</span> <span class="m">1001</span> <span class="na">runAsGroup</span><span class="pi">:</span> <span class="m">2001</span> <span class="na">volumes</span><span class="pi">:</span> <span class="na">kubernetes-dashboard-certs</span><span class="pi">:</span> <span class="na">secret</span><span class="pi">:</span> <span class="na">secretName</span><span class="pi">:</span> <span class="s">certs</span> <span class="na">tmp-volume</span><span class="pi">:</span> <span class="na">emptyDir</span><span class="pi">:</span> <span class="pi">{}</span> </code></pre> </div> <p>Again backup your finished <code>values.yaml</code> to the <code>values.tutorial-part.yaml</code> in case you want to modify, play around or start from scratch again with the <code>values.yaml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cp </span>values.yaml values.tutorial-part.yaml </code></pre> </div> <p>and add in the objects things created in the previous tutorial:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sed</span> <span class="s1">'1,/objects:/d'</span> values.full.yaml <span class="o">&gt;</span> _tmp <span class="o">&amp;&amp;</span> <span class="nb">cp </span>values.yaml values.full.yaml <span class="o">&amp;&amp;</span> <span class="nb">cat </span>_tmp <span class="o">&gt;&gt;</span> values.full.yaml <span class="o">&amp;&amp;</span> <span class="nb">rm </span>_tmp </code></pre> </div> <p><a href="https://dev.to/gre9ory/hull-tutorial-06-writing-services-and-ingresses-27ba">Hope to see you in the next tutorial on Services and Ingresses!</a></p> HULL Tutorial 04: Configuring ServiceAccounts and RBAC gre9ory Tue, 31 May 2022 11:24:56 +0000 https://dev.to/gre9ory/hull-tutorial-04-configuring-serviceaccounts-and-rbac-153a https://dev.to/gre9ory/hull-tutorial-04-configuring-serviceaccounts-and-rbac-153a <h2> Preparation </h2> <p>After the ConfigMaps and Secrets tutorial part this part will look at the RBAC configuration side of <code>kubernetes-dashboard</code>'s Helm chart and check how it is transportable to the new HULL based <code>kubernetes-dashboard-hull</code> chart.</p> <p>Initially you should copy over our working chart from the last tutorial part to a new folder in the same manner as we did before. Go to your working directory and execute:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd</span> ~/kubernetes-dashboard-hull <span class="o">&amp;&amp;</span> <span class="nb">cp</span> <span class="nt">-R</span> 03_configmaps_and_secrets/ 04_rbac <span class="o">&amp;&amp;</span> <span class="nb">cd </span>04_rbac/kubernetes-dashboard-hull </code></pre> </div> <p>From the <code>values.full.yaml</code>, the starting point for this tutorial part, only keep the <code>hull.config.specific</code> section for building upon in this chapter, the <code>hull.objects</code> section should be cleared for now since you will only add objects relevant to this tutorial section to it. At the end of this tutorial part the newly created objects and newly added <code>hull.config.specific</code> properties are added to the <code>values.full.yaml</code> with what was already created. This in turn will then serve as the next tutorial parts starting point.</p> <p>To delete the HULL objects from <code>values.full.yaml</code> and copy the rest of our <code>values.yaml</code> to the <code>values.yaml</code> type the following:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sed</span> <span class="s1">'/ objects:/Q'</span> values.full.yaml <span class="o">&gt;</span> values.yaml </code></pre> </div> <p>and verify the result in the new <code>values.yaml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cat </span>values.yaml </code></pre> </div> <p>to show only the <code>hull.config.specific</code> section:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">metrics-server</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="no">false</span> <span class="na">hull</span><span class="pi">:</span> <span class="na">config</span><span class="pi">:</span> <span class="na">specific</span><span class="pi">:</span> <span class="na">settings</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">pinnedCRDs</span><span class="pi">:</span> <span class="pi">{}</span> </code></pre> </div> <p>Let's get started on ServiceAccount configuration and role based access control!</p> <h2> Examining the existing RBAC objects </h2> <p>Execute the following command to first get an idea which RBAC objects are defined:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>find ../kubernetes-dashboard/templates <span class="nt">-type</span> f <span class="nt">-iregex</span> <span class="s1">'.*\(Role\|\role|\Account\|account\|rbac\|RBAC\).*'</span> | <span class="nb">sort</span> </code></pre> </div> <p>which reveals them all:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="s">../kubernetes-dashboard/templates/clusterrole-metrics.yaml</span> <span class="s">../kubernetes-dashboard/templates/clusterrole-readonly.yaml</span> <span class="s">../kubernetes-dashboard/templates/clusterrolebinding-metrics.yaml</span> <span class="s">../kubernetes-dashboard/templates/clusterrolebinding-readonly.yaml</span> <span class="s">../kubernetes-dashboard/templates/role.yaml</span> <span class="s">../kubernetes-dashboard/templates/rolebinding.yaml</span> <span class="s">../kubernetes-dashboard/templates/serviceaccount.yaml</span> </code></pre> </div> <p>In the previous tutorial part when you created the <code>kubernetes-dashboard-hull</code> chart you already had a glance at the default RBAC configuration that comes with HULL. So now is the time to adapt and tweak it so it matches the original Helm charts RBAC functionally as closely as possible.</p> <p>First check the ServiceAccount:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cat</span> ../kubernetes-dashboard/templates/serviceaccount.yaml </code></pre> </div> <p>which is this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># Copyright 2017 The Kubernetes Authors.</span> <span class="c1">#</span> <span class="c1"># Licensed under the Apache License, Version 2.0 (the "License");</span> <span class="c1"># you may not use this file except in compliance with the License.</span> <span class="c1"># You may obtain a copy of the License at</span> <span class="c1">#</span> <span class="c1"># http://www.apache.org/licenses/LICENSE-2.0</span> <span class="c1">#</span> <span class="c1"># Unless required by applicable law or agreed to in writing, software</span> <span class="c1"># distributed under the License is distributed on an "AS IS" BASIS,</span> <span class="c1"># WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.</span> <span class="c1"># See the License for the specific language governing permissions and</span> <span class="c1"># limitations under the License.</span> <span class="pi">{{</span> <span class="nv">if .Values.serviceAccount.create -</span><span class="pi">}}</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ServiceAccount</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="pi">{{</span><span class="nv">- include "kubernetes-dashboard.labels" . | nindent 4</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- if .Values.commonLabels</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{{</span><span class="nv">- if .Values.commonAnnotations</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> <span class="na">name</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">template "kubernetes-dashboard.serviceAccountName" .</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end -</span><span class="pi">}}</span> </code></pre> </div> <p>The actual creation of the ServiceAccount name is deferred to a helper function in <code>_helpers.tpl</code> which we look at in more detail:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cat</span> ../kubernetes-dashboard/templates/_helpers.tpl | <span class="nb">grep</span> <span class="s1">'kubernetes-dashboard\.serviceAccountName'</span> <span class="nt">-B</span> 4 <span class="nt">-A</span> 10 </code></pre> </div> <p>where the inherent logic becomes more apparent:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="pi">{{</span><span class="nv">/*</span> <span class="nv">Name of the service account to use</span> <span class="nv">*/</span><span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- define "kubernetes-dashboard.serviceAccountName" -</span><span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- if .Values.serviceAccount.create -</span><span class="pi">}}</span> <span class="pi">{{</span> <span class="nv">default (include "kubernetes-dashboard.fullname" .) .Values.serviceAccount.name</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- else -</span><span class="pi">}}</span> <span class="pi">{{</span> <span class="nv">default "default" .Values.serviceAccount.name</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end -</span><span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end -</span><span class="pi">}}</span> </code></pre> </div> <p>Now check the <code>values.yaml</code> section dealing with the <code>serviceAccount</code> configuration:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cat</span> ../kubernetes-dashboard/values.yaml | <span class="nb">grep</span> <span class="s1">'^serviceAccount'</span> <span class="nt">-B</span> 1 <span class="nt">-A</span> 6 </code></pre> </div> <p>for completing our examination of the <code>controller</code>s ServiceAccount configuration:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">serviceAccount</span><span class="pi">:</span> <span class="c1"># Specifies whether a service account should be created</span> <span class="na">create</span><span class="pi">:</span> <span class="no">true</span> <span class="c1"># The name of the service account to use.</span> <span class="c1"># If not set and create is true, a name is generated using the fullname template</span> <span class="na">name</span><span class="pi">:</span> </code></pre> </div> <p>Now you should have garnered an impression of the ServiceAccount configuration options and relations which is actually a typical way to model this aspect in Helm charts. Let's look at how you can handle the ServiceAccount and RBAC aspects with HULL.</p> <p>A word in advance: while it is useful to omit rendering of the <code>default</code> ServiceAccount, Role and RoleBinding objects for the most part of this tutorial it does not make sense to do this when checking the RBAC configuration options that do involve them. Therefore during this turorial section the <code>-f ../configs/disable-default-rbac.yaml</code> parameter is not being set and thus the <code>default</code> RBAC objects and ServiceAccount are rendered. For the next tutorial part add the switch again to reduce output.</p> <h2> Choosing ServiceAccounts for pods in HULL </h2> <p>When breaking down the logic within function <code>kubernetes-dashboard.serviceAccountName</code> and the <code>serviceaccount.yaml</code>, the following four variants of handling ServiceAccount configuration and naming can be deduced (in <em>cursive</em> the conditions that apply to each variant): </p> <ol> <li> <p>create a new individual ServiceAccount for this chart named as <code>&lt;release-name&gt;-&lt;chart-name&gt;</code>.</p> <p><em>Settingwise this is done by enabling <code>serviceAccount.create</code> and not providing a <code>serviceAccount.name</code>).</em> </p> <blockquote> <p>This is the default in <code>kubernetes-dashboard</code>'s <code>values.yaml</code>.</p> </blockquote> </li> <li> <p>create a new individual ServiceAccount for this chart with a fixed provided name. </p> <p><em>Achieved by setting <code>serviceAccount.create</code> to <code>true</code> and providing a <code>serviceAccount.name</code>.</em></p> </li> <li> <p>use a given ServiceAccount with a fixed provided name. </p> <p><em>For this choice set <code>serviceAccount.create</code> to <code>false</code> and provide the full <code>serviceAccount.name</code> to use.</em></p> </li> <li> <p>use the Kubernetes default ServiceAccount simply named 'default'. </p> <p><em>Setting <code>serviceAccount.create</code> to <code>false</code> and not supplying a <code>serviceAccount.name</code> has this result.</em></p> </li> </ol> <p>Now within HULL the ServiceAccount for a pod is derived generally by the following rules:</p> <ol> <li>if no specific <code>serviceAccountName</code> property is set on the pod it is checked whether <code>hull.objects.serviceaccount.default.enabled</code> is <code>true</code> (defaults to <code>true</code>) and if so the chart and release specific default ServiceAccount is being used (which is named <code>&lt;release-name&gt;-&lt;chart-name&gt;-default</code>). A matching <code>default</code> Role and RoleBinding is also always created by default as was shown already.</li> </ol> <blockquote> <p>This is the default in HULL's <code>values.yaml</code></p> </blockquote> <ol> <li><p>if a specific <code>serviceAccountName</code> property is set on the pod it is used for that pod. Note that this field requires the exact full name to be set. So in case you want to create and use a ServiceAccount which is dynamically created within the same chart you need to use the fullname transformation (short form <code>_HT^</code>) from HULL to generate this name in place. For example to configure a ServiceAccount <code>myuser</code> for a pod use <code>serviceAccountName: _HT^myuser</code> which would by default produce <code>serviceAccountName: &lt;release-name&gt;-&lt;chart-name&gt;-myuser</code> in the rendered output. The fullname transformation <code>_HT^</code> was introduced in the last tutorial section.</p></li> <li><p>lastly if the release specific default ServiceAccount is disabled, the property <code>serviceAccountName</code> is not set which will default in Kubernetes to using the always existing Kubernetes standard ServiceAccount simply named 'default' - don't mistake it with the chart specific <code>default</code> ServiceAccount HULL creates!</p></li> </ol> <h3> Using the release specific default ServiceAccount </h3> <p>Comparing the logic between the <code>kubernetes-dashboard</code> and HULL based ServiceAccount handling you can first see that the default with HULL is very similar to the default in the original chart (case 1.). The only minor difference here is that the <code>-default</code> suffix is added to the newly created ServiceAccount by HULL.</p> <p>Using a test overlay file named <code>../configs/default-sa.yaml</code> you can produce this default case. For now a roughly sketched <code>dashboard</code> Deployment with a basic pod spec serves to allow setting the <code>serviceAccountName</code> property on an actual pod.</p> <blockquote> <p>Workloads such as the <code>dashboard</code> Deployment will be part of a later tutorial so you can only concentrate on the <code>serviceAccountName</code> property handling for now.</p> </blockquote> <p>Insert a first simple deployment with a pod's ServiceAccount to visualize the different variants:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">echo</span> <span class="s1">'hull: objects: deployment: dashboard: pod: containers: dashboard: image: repository: kubernetesui/dashboard tag: "v2.5.0"'</span> <span class="o">&gt;</span> ../configs/default-sa.yaml <span class="se">\</span> <span class="o">&amp;&amp;</span> helm template <span class="nt">-f</span> ../configs/default-sa.yaml <span class="nb">.</span> </code></pre> </div> <p>and you'll see the the charts <code>default</code> ServiceAccount being used for the pod (actually all pods if there were more and they were setup in the same way):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="nn">---</span> <span class="c1"># Source: kubernetes-dashboard/templates/hull.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ServiceAccount</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">default</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="s">Helm</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="na">app.kubernetes.io/part-of</span><span class="pi">:</span> <span class="s">undefined</span> <span class="na">app.kubernetes.io/version</span><span class="pi">:</span> <span class="s">2.5.0</span> <span class="na">helm.sh/chart</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-5.2.0</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-default</span> <span class="nn">---</span> <span class="c1"># Source: kubernetes-dashboard/templates/hull.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Role</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">default</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="s">Helm</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="na">app.kubernetes.io/part-of</span><span class="pi">:</span> <span class="s">undefined</span> <span class="na">app.kubernetes.io/version</span><span class="pi">:</span> <span class="s">2.5.0</span> <span class="na">helm.sh/chart</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-5.2.0</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-default</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">[]</span> <span class="nn">---</span> <span class="c1"># Source: kubernetes-dashboard/templates/hull.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">RoleBinding</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">default</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="s">Helm</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="na">app.kubernetes.io/part-of</span><span class="pi">:</span> <span class="s">undefined</span> <span class="na">app.kubernetes.io/version</span><span class="pi">:</span> <span class="s">2.5.0</span> <span class="na">helm.sh/chart</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-5.2.0</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-default</span> <span class="na">roleRef</span><span class="pi">:</span> <span class="na">apiGroup</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Role</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-default</span> <span class="na">subjects</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ServiceAccount</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-default</span> <span class="nn">---</span> <span class="c1"># Source: kubernetes-dashboard/templates/hull.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">dashboard</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="s">Helm</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="na">app.kubernetes.io/part-of</span><span class="pi">:</span> <span class="s">undefined</span> <span class="na">app.kubernetes.io/version</span><span class="pi">:</span> <span class="s">2.5.0</span> <span class="na">helm.sh/chart</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-5.2.0</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-dashboard</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">dashboard</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">dashboard</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="s">Helm</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="na">app.kubernetes.io/part-of</span><span class="pi">:</span> <span class="s">undefined</span> <span class="na">app.kubernetes.io/version</span><span class="pi">:</span> <span class="s">2.5.0</span> <span class="na">helm.sh/chart</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-5.2.0</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">env</span><span class="pi">:</span> <span class="pi">[]</span> <span class="na">envFrom</span><span class="pi">:</span> <span class="pi">[]</span> <span class="na">image</span><span class="pi">:</span> <span class="s">kubernetesui/dashboard:v2.5.0</span> <span class="na">name</span><span class="pi">:</span> <span class="s">dashboard</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">[]</span> <span class="na">volumeMounts</span><span class="pi">:</span> <span class="pi">[]</span> <span class="na">imagePullSecrets</span><span class="pi">:</span> <span class="pi">[]</span> <span class="na">initContainers</span><span class="pi">:</span> <span class="pi">[]</span> <span class="na">serviceAccountName</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-default</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">[]</span> </code></pre> </div> <p>So <code>serviceAccountName: release-name-kubernetes-dashboard-default</code> is used for the pod by default which is as intended. The <code>default</code> Role and RoleBindings are auto-created and available for more detailed RBAC configuration of the <code>default</code> ServiceAccount in case you choose to use RBAC. </p> <p>The other original cases 2. - 4. can be realized with HULL too by reconfiguring the chart at deploy time. How to do so will be examined next.</p> <h3> Using the Kubernetes 'default' ServiceAccount </h3> <p>When setting <code>hull.objects.serviceaccount.default.enabled</code> to <code>false</code> and not setting any <code>serviceAccountName</code> on pods, the Kubernetes standard ('default') account is used for all pods (matching original case 4.). If you don't want to have or use the <code>default</code> ServiceAccount at all in your applications Helm Chart but still use RBAC it makes sense to disable the <code>default</code> Role and RoleBindings as well so they do not point at a nonexisting ServiceAccount. Here we explicitly disable them in the upcoming examples if we don't need them for the particular example so there will be less output to interpret. Also, if you don't use RBAC at all, disabling the <code>hull.config.specific.rbac</code> setting will also prevent rendering of all (Cluster)Roles and (Cluster)RoleBindings.</p> <p>Create a pod using the standard Kubernetes 'default' ServiceAccount like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">echo</span> <span class="s1">'hull: objects: serviceaccount: default: enabled: false role: default: enabled: false rolebinding: default: enabled: false deployment: dashboard: pod: containers: dashboard: image: repository: kubernetesui/dashboard tag: "v2.5.0"'</span> <span class="o">&gt;</span> ../configs/k8s-default-sa.yaml <span class="se">\</span> <span class="o">&amp;&amp;</span> helm template <span class="nt">-f</span> ../configs/k8s-default-sa.yaml <span class="nb">.</span> </code></pre> </div> <p>and you'll find that no <code>default</code> ServiceAccount, Role or RoleBinding was created and no ServiceAccount is set on the pod so the 'default' one from Kubernetes is applied as intended:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="nn">---</span> <span class="c1"># Source: kubernetes-dashboard/templates/hull.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">dashboard</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="s">Helm</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="na">app.kubernetes.io/part-of</span><span class="pi">:</span> <span class="s">undefined</span> <span class="na">app.kubernetes.io/version</span><span class="pi">:</span> <span class="s">2.5.0</span> <span class="na">helm.sh/chart</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-5.2.0</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-dashboard</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">dashboard</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">dashboard</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="s">Helm</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="na">app.kubernetes.io/part-of</span><span class="pi">:</span> <span class="s">undefined</span> <span class="na">app.kubernetes.io/version</span><span class="pi">:</span> <span class="s">2.5.0</span> <span class="na">helm.sh/chart</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-5.2.0</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">env</span><span class="pi">:</span> <span class="pi">[]</span> <span class="na">envFrom</span><span class="pi">:</span> <span class="pi">[]</span> <span class="na">image</span><span class="pi">:</span> <span class="s">kubernetesui/dashboard:v2.5.0</span> <span class="na">name</span><span class="pi">:</span> <span class="s">dashboard</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">[]</span> <span class="na">volumeMounts</span><span class="pi">:</span> <span class="pi">[]</span> <span class="na">imagePullSecrets</span><span class="pi">:</span> <span class="pi">[]</span> <span class="na">initContainers</span><span class="pi">:</span> <span class="pi">[]</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">[]</span> </code></pre> </div> <h3> Using a ServiceAccount defined outside of Helm Chart </h3> <p>To produce the original case 3 where an externally defined ServiceAccount is put to use, setting explicit <code>serviceAccountName</code>'s on individual pods does the trick. It is up to you if you want to set the <code>default</code> ServiceAccount, Role or RoleBinding to disabled but let's do it here since we don't plan on using them elsewhere in this example and we can reduce <code>helm template</code> output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">echo</span> <span class="s1">'hull: objects: serviceaccount: default: enabled: false role: default: enabled: false rolebinding: default: enabled: false deployment: dashboard: pod: containers: dashboard: image: repository: kubernetesui/dashboard tag: "v2.5.0" serviceAccountName: my-external-cluster-sa'</span> <span class="o">&gt;</span> ../configs/external-sa.yaml <span class="se">\</span> <span class="o">&amp;&amp;</span> helm template <span class="nt">-f</span> ../configs/external-sa.yaml <span class="nb">.</span> </code></pre> </div> <p>yielding the result expected:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="nn">---</span> <span class="c1"># Source: kubernetes-dashboard/templates/hull.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">dashboard</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="s">Helm</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="na">app.kubernetes.io/part-of</span><span class="pi">:</span> <span class="s">undefined</span> <span class="na">app.kubernetes.io/version</span><span class="pi">:</span> <span class="s">2.5.0</span> <span class="na">helm.sh/chart</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-5.2.0</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-dashboard</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">dashboard</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">dashboard</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="s">Helm</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="na">app.kubernetes.io/part-of</span><span class="pi">:</span> <span class="s">undefined</span> <span class="na">app.kubernetes.io/version</span><span class="pi">:</span> <span class="s">2.5.0</span> <span class="na">helm.sh/chart</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-5.2.0</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">env</span><span class="pi">:</span> <span class="pi">[]</span> <span class="na">envFrom</span><span class="pi">:</span> <span class="pi">[]</span> <span class="na">image</span><span class="pi">:</span> <span class="s">kubernetesui/dashboard:v2.5.0</span> <span class="na">name</span><span class="pi">:</span> <span class="s">dashboard</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">[]</span> <span class="na">volumeMounts</span><span class="pi">:</span> <span class="pi">[]</span> <span class="na">imagePullSecrets</span><span class="pi">:</span> <span class="pi">[]</span> <span class="na">initContainers</span><span class="pi">:</span> <span class="pi">[]</span> <span class="na">serviceAccountName</span><span class="pi">:</span> <span class="s">my-external-cluster-sa</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">[]</span> </code></pre> </div> <p>The static name for the ServiceAccount was used. If you manage ServiceAccounts outside of the particular Helm chart this is a typical scenario.</p> <h3> Using release specific non-default ServiceAccounts </h3> <p>Last case to cover is case 2. where you may want to create one or more ServiceAccounts with the Helm chart release but intend to not use the <code>default</code> ServiceAccount anywhere. To emulate this, setting <code>hull.objects.serviceaccount.default.enabled</code> to <code>false</code> and creating one or more ServiceAccounts for RBAC assignment with the desired names is required.</p> <p>In terms of choosing the name for a ServiceAccount to be created and used in the pod spec there are two choices which are both covered by HULL. You may opt for creating ServiceAccount(s) with unique names that are release associated by dynamic naming or for creating ServiceAccount(s) with the exact names you want.</p> <h4> Specifying unique and non-default dynamic ServiceAccounts </h4> <p>To create a dynamic name (with pattern <code>&lt;release-name&gt;-&lt;chart-name&gt;-&lt;component-name&gt;</code>) it is required to apply a transformation on the <code>serviceAccountName</code> on the individual pods to include the dynamic prefix in the rendered result like in this example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">echo</span> <span class="s1">'hull: objects: serviceaccount: default: enabled: false other_sa: automountServiceAccountToken: true role: default: enabled: false rolebinding: default: enabled: false deployment: dashboard: pod: containers: dashboard: image: repository: kubernetesui/dashboard tag: "v2.5.0" serviceAccountName: _HT^other_sa'</span> <span class="o">&gt;</span> ../configs/internal-dynamic-sa.yaml <span class="se">\</span> <span class="o">&amp;&amp;</span> helm template <span class="nt">-f</span> ../configs/internal-dynamic-sa.yaml <span class="nb">.</span> </code></pre> </div> <p><code>_HT^</code> is used to create the release specific name with a given suffix (here <code>other_sa</code>):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="nn">---</span> <span class="c1"># Source: kubernetes-dashboard/templates/hull.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">automountServiceAccountToken</span><span class="pi">:</span> <span class="no">true</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ServiceAccount</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">other_sa</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="s">Helm</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="na">app.kubernetes.io/part-of</span><span class="pi">:</span> <span class="s">undefined</span> <span class="na">app.kubernetes.io/version</span><span class="pi">:</span> <span class="s">2.5.0</span> <span class="na">helm.sh/chart</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-5.2.0</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-other_sa</span> <span class="nn">---</span> <span class="c1"># Source: kubernetes-dashboard/templates/hull.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">dashboard</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="s">Helm</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="na">app.kubernetes.io/part-of</span><span class="pi">:</span> <span class="s">undefined</span> <span class="na">app.kubernetes.io/version</span><span class="pi">:</span> <span class="s">2.5.0</span> <span class="na">helm.sh/chart</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-5.2.0</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-dashboard</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">dashboard</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">dashboard</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="s">Helm</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="na">app.kubernetes.io/part-of</span><span class="pi">:</span> <span class="s">undefined</span> <span class="na">app.kubernetes.io/version</span><span class="pi">:</span> <span class="s">2.5.0</span> <span class="na">helm.sh/chart</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-5.2.0</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">env</span><span class="pi">:</span> <span class="pi">[]</span> <span class="na">envFrom</span><span class="pi">:</span> <span class="pi">[]</span> <span class="na">image</span><span class="pi">:</span> <span class="s">kubernetesui/dashboard:v2.5.0</span> <span class="na">name</span><span class="pi">:</span> <span class="s">dashboard</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">[]</span> <span class="na">volumeMounts</span><span class="pi">:</span> <span class="pi">[]</span> <span class="na">imagePullSecrets</span><span class="pi">:</span> <span class="pi">[]</span> <span class="na">initContainers</span><span class="pi">:</span> <span class="pi">[]</span> <span class="na">serviceAccountName</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-other_sa</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">[]</span> </code></pre> </div> <p>As you can see the name of the created ServiceAccount <code>name: release-name-kubernetes-dashboard-hull-other_sa</code> matches the pods <code>serviceAccountName: release-name-kubernetes-dashboard-hull-other_sa</code> exactly as intended. In this scenario you may want to proceed defining Role and RoleBindings as required for the <code>other_sa</code> ServiceAccount.</p> <h4> Specifying non-default static ServiceAccounts </h4> <p>The other alternative is to create a completely static ServiceAccount name (without the <code>&lt;release-name&gt;-&lt;chart-name&gt;-</code> prefix) and use this for the pod(s). For this you do not need the <code>makefullname</code>/<code>_HT^</code> transformation of the pods <code>serviceAccountName</code> to use the name as is but you additionally need add the <code>staticName: true</code> property to the ServiceAccount objects definition as in this example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">echo</span> <span class="s1">'hull: objects: serviceaccount: default: enabled: false other_sa: staticName: true automountServiceAccountToken: true role: default: enabled: false rolebinding: default: enabled: false deployment: dashboard: pod: containers: dashboard: image: repository: kubernetesui/dashboard tag: "v2.5.0" serviceAccountName: other_sa'</span> <span class="o">&gt;</span> ../configs/internal-static-sa.yaml <span class="se">\</span> <span class="o">&amp;&amp;</span> helm template <span class="nt">-f</span> ../configs/internal-static-sa.yaml <span class="nb">.</span> </code></pre> </div> <p>and find the statically named ServiceAccount configured for the pod:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="nn">---</span> <span class="c1"># Source: kubernetes-dashboard/templates/hull.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">automountServiceAccountToken</span><span class="pi">:</span> <span class="no">true</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ServiceAccount</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">other_sa</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="s">Helm</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="na">app.kubernetes.io/part-of</span><span class="pi">:</span> <span class="s">undefined</span> <span class="na">app.kubernetes.io/version</span><span class="pi">:</span> <span class="s">2.5.0</span> <span class="na">helm.sh/chart</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-5.2.0</span> <span class="na">name</span><span class="pi">:</span> <span class="s">other_sa</span> <span class="nn">---</span> <span class="c1"># Source: kubernetes-dashboard/templates/hull.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">dashboard</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="s">Helm</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="na">app.kubernetes.io/part-of</span><span class="pi">:</span> <span class="s">undefined</span> <span class="na">app.kubernetes.io/version</span><span class="pi">:</span> <span class="s">2.5.0</span> <span class="na">helm.sh/chart</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-5.2.0</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-dashboard</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">dashboard</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">dashboard</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="s">Helm</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="na">app.kubernetes.io/part-of</span><span class="pi">:</span> <span class="s">undefined</span> <span class="na">app.kubernetes.io/version</span><span class="pi">:</span> <span class="s">2.5.0</span> <span class="na">helm.sh/chart</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-5.2.0</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">env</span><span class="pi">:</span> <span class="pi">[]</span> <span class="na">envFrom</span><span class="pi">:</span> <span class="pi">[]</span> <span class="na">image</span><span class="pi">:</span> <span class="s">kubernetesui/dashboard:v2.5.0</span> <span class="na">name</span><span class="pi">:</span> <span class="s">dashboard</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">[]</span> <span class="na">volumeMounts</span><span class="pi">:</span> <span class="pi">[]</span> <span class="na">imagePullSecrets</span><span class="pi">:</span> <span class="pi">[]</span> <span class="na">initContainers</span><span class="pi">:</span> <span class="pi">[]</span> <span class="na">serviceAccountName</span><span class="pi">:</span> <span class="s">other_sa</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">[]</span> </code></pre> </div> <blockquote> <p>The caveat to this approach is that you need to choose carefully which ServiceAccount name and object to create because it may already exist in the namespace as opposed to sticking with dynamic names only where object names are highly unique. If you choose a static name that already exists in the namespace that will cause problems at deploy time!</p> </blockquote> <p>Except for the default case of creating a dynamic and unique default ServiceAccount, the other ServiceAccount handling cases require little additional configuration. However, the HULL based configuration is transparent, explicit and flexible if special needs exist and the full flexibility of ServiceAccount management is needed to adapt to a given scenario. Otherwise providing pre-defined RBAC objects for the <code>default</code> ServiceAccount and using this ServiceAccount in the pods is likely sufficient configuration for smaller application deployments.</p> <h2> Defining a RoleBinding </h2> <p>Next up is adding more RBAC objects to the mix in form of the RoleBinding:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cat</span> ../kubernetes-dashboard/templates/rolebinding.yaml </code></pre> </div> <p>which is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># Copyright 2017 The Kubernetes Authors.</span> <span class="c1">#</span> <span class="c1"># Licensed under the Apache License, Version 2.0 (the "License");</span> <span class="c1"># you may not use this file except in compliance with the License.</span> <span class="c1"># You may obtain a copy of the License at</span> <span class="c1">#</span> <span class="c1"># http://www.apache.org/licenses/LICENSE-2.0</span> <span class="c1">#</span> <span class="c1"># Unless required by applicable law or agreed to in writing, software</span> <span class="c1"># distributed under the License is distributed on an "AS IS" BASIS,</span> <span class="c1"># WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.</span> <span class="c1"># See the License for the specific language governing permissions and</span> <span class="c1"># limitations under the License.</span> <span class="pi">{{</span> <span class="nv">if .Values.rbac.create -</span><span class="pi">}}</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">RoleBinding</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">template "kubernetes-dashboard.fullname" .</span> <span class="pi">}}</span> <span class="na">labels</span><span class="pi">:</span> <span class="pi">{{</span><span class="nv">- include "kubernetes-dashboard.labels" . | nindent 4</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- if .Values.commonLabels</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{{</span><span class="nv">- if .Values.commonAnnotations</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> <span class="na">roleRef</span><span class="pi">:</span> <span class="na">apiGroup</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Role</span> <span class="na">name</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">template "kubernetes-dashboard.fullname" .</span> <span class="pi">}}</span> <span class="na">subjects</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ServiceAccount</span> <span class="na">name</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">template "kubernetes-dashboard.serviceAccountName" .</span> <span class="pi">}}</span> <span class="na">namespace</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">.Release.Namespace</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end -</span><span class="pi">}}</span> </code></pre> </div> <p>In HULL RBAC is globally enabled by a <code>true</code>/<code>false</code> switch which is built into HULL as a predefined key at <code>hull.config.general.rbac</code>. If set to <code>true</code>, the RBAC related objects are rendered, if set to false they are just omitted from rendering. This mimics the behaviour that is very common in many popular Helm charts and is implemented by the conditional rendering switch here:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="pi">{{</span> <span class="nv">if .Values.rbac.create -</span><span class="pi">}}</span> </code></pre> </div> <blockquote> <p>The recommendation is to always leave RBAC enabled in your clusters.</p> </blockquote> <p>From the above <code>cat</code> output you can see that the RoleBinding and referenced Role name are again dependent on the <code>kubernetes-dashboard.fullname</code> function and the ServiceAccount name is subject to the <code>kubernetes-dashboard.serviceAccountName</code> function examined earlier. Unless you need to or want to change the controllers ServiceAccount name from the default there is nothing to do here except having RBAC enabled to create a sufficient <code>default</code> RoleBinding in HULL looking like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="nn">---</span> <span class="c1"># Source: kubernetes-dashboard/templates/hull.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">RoleBinding</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">default</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="s">Helm</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="na">app.kubernetes.io/part-of</span><span class="pi">:</span> <span class="s">undefined</span> <span class="na">app.kubernetes.io/version</span><span class="pi">:</span> <span class="s">2.5.0</span> <span class="na">helm.sh/chart</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-5.2.0</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-default</span> <span class="na">roleRef</span><span class="pi">:</span> <span class="na">apiGroup</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Role</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-default</span> <span class="na">subjects</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ServiceAccount</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-default</span> </code></pre> </div> <p>If you want to deviate from the default handling you can freely overwrite the <code>roleRef</code> and <code>subjects</code> as needed, the same techniques explained above do apply for the creation of object names.</p> <h2> Configuring Roles </h2> <p>Now for the Role:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cat</span> ../kubernetes-dashboard/templates/role.yaml </code></pre> </div> <p>which returns:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># Copyright 2017 The Kubernetes Authors.</span> <span class="c1">#</span> <span class="c1"># Licensed under the Apache License, Version 2.0 (the "License");</span> <span class="c1"># you may not use this file except in compliance with the License.</span> <span class="c1"># You may obtain a copy of the License at</span> <span class="c1">#</span> <span class="c1"># http://www.apache.org/licenses/LICENSE-2.0</span> <span class="c1">#</span> <span class="c1"># Unless required by applicable law or agreed to in writing, software</span> <span class="c1"># distributed under the License is distributed on an "AS IS" BASIS,</span> <span class="c1"># WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.</span> <span class="c1"># See the License for the specific language governing permissions and</span> <span class="c1"># limitations under the License.</span> <span class="pi">{{</span> <span class="nv">if .Values.rbac.create -</span><span class="pi">}}</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Role</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">template "kubernetes-dashboard.fullname" .</span> <span class="pi">}}</span> <span class="na">labels</span><span class="pi">:</span> <span class="pi">{{</span><span class="nv">- include "kubernetes-dashboard.labels" . | nindent 4</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- if .Values.commonLabels</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{{</span><span class="nv">- if .Values.commonAnnotations</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> <span class="na">rules</span><span class="pi">:</span> <span class="c1"># Allow Dashboard to get, update and delete Dashboard exclusive secrets.</span> <span class="pi">-</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">"</span><span class="pi">]</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">secrets"</span><span class="pi">]</span> <span class="na">resourceNames</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">kubernetes-dashboard-key-holder"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">kubernetes-dashboard-certs"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">kubernetes-dashboard-csrf"</span><span class="pi">]</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">get"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">update"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">delete"</span><span class="pi">]</span> <span class="c1"># Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.</span> <span class="pi">-</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">"</span><span class="pi">]</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">configmaps"</span><span class="pi">]</span> <span class="na">resourceNames</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">kubernetes-dashboard-settings"</span><span class="pi">]</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">get"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">update"</span><span class="pi">]</span> <span class="c1"># Allow Dashboard to get metrics.</span> <span class="pi">-</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">"</span><span class="pi">]</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">services"</span><span class="pi">]</span> <span class="na">resourceNames</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">heapster"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">dashboard-metrics-scraper"</span><span class="pi">]</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">proxy"</span><span class="pi">]</span> <span class="pi">-</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">"</span><span class="pi">]</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">services/proxy"</span><span class="pi">]</span> <span class="na">resourceNames</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">heapster"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">http:heapster:"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">https:heapster:"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">dashboard-metrics-scraper"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">http:dashboard-metrics-scraper"</span><span class="pi">]</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">get"</span><span class="pi">]</span> <span class="pi">{{</span><span class="nv">- end -</span><span class="pi">}}</span> </code></pre> </div> <p>You can now use the <code>default</code> Role that comes with HULL in the standard scenario and add the <code>rules:</code> as shown here and look at interesting aspects afterwards:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">echo</span> <span class="s1">' objects: role: default: rules: secrets: apiGroups: - "" resources: - secrets resourceNames: _HT![ {{ include "hull.metadata.fullname" (dict "PARENT_CONTEXT" (index . "$") "COMPONENT" "certs") }}, "kubernetes-dashboard-csrf", "kubernetes-dashboard-key-holder" ] verbs: - get - update - delete configmaps: apiGroups: - "" resources: - configmaps resourceNames: _HT![ {{ include "hull.metadata.fullname" (dict "PARENT_CONTEXT" (index . "$") "COMPONENT" "settings") }} ] verbs: - get - update services: apiGroups: - "" resources: - services resourceNames: - "heapster" - "dashboard-metrics-scraper" verbs: - proxy services_proxy: apiGroups: - "" resources: - services/proxy resourceNames: - "heapster" - "http:heapster:" - "https:heapster:" - "dashboard-metrics-scraper" - "http:dashboard-metrics-scraper" verbs: - get'</span> <span class="o">&gt;&gt;</span> values.yaml </code></pre> </div> <p>The <code>services</code> and <code>services_proxy</code> part of this configuration is static mappings to services which are defined in the <code>metrics-server</code> subchart, no need to focus on them now. The usage of the <code>_HT!</code> transformations is interesting though: utilizing the full power of the <code>tpl</code> function an array is dynamically created in the compact flow style <code>[]</code> notation and the elements are individually processed. If you remember the part where the Secrets where created there was one with a dynamic name (<code>certs</code>) and two where a static name was demanded (<code>csrf</code> and <code>key-holder</code>). Therefore you can see in the above specification that the dynamic names are created using the <code>hull.metadata.fullname</code> function being called within the <code>_HT!</code> <code>tpl</code> transformation.</p> <p>The <code>hull.metadata.fullname</code> is also what is called internally when using the HULL transformation <code>hull.util.transformation.makefullname</code>/<code>_HT^</code>. Here you need to use it directly within the <code>tpl</code> function which is however also straightforward since it has a fixed signature of:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="s">include "hull.metadata.fullname" (dict "PARENT_CONTEXT" (index . "$") "COMPONENT" "&lt;COMPONENT&gt;")</span> </code></pre> </div> <p>and you only need to set the <code>&lt;COMPONENT&gt;</code> part to the objects key you are referring to.</p> <p>As a side note on the original template: be aware that the fact that the <code>certs</code> Secrets name is refered to as <code>kubernetes-dashboard-certs</code> - a static expression - with:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="pi">-</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">"</span><span class="pi">]</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">secrets"</span><span class="pi">]</span> <span class="na">resourceNames</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">kubernetes-dashboard-key-holder"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">kubernetes-dashboard-certs"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">kubernetes-dashboard-csrf"</span><span class="pi">]</span> </code></pre> </div> <p>is problematic. Looking back at the <code>name</code> specification of the <code>cert</code> Secret:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">name</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">template "kubernetes-dashboard.fullname" .</span> <span class="pi">}}</span><span class="s">-certs</span> </code></pre> </div> <p>there is actually no guarantee that the Secrets name is constructed like this. Depending on overall chart configuration (<code>fullnameOverride</code>) the static reference to a dynamic name may be invalid and not point to the correct name of the <code>certs</code> Secret. So this is a "bug" in the sense that it can lead to a potentially unusable release. Due to the huge amount of manual template creation in the regular Helm workflow problems such as these arise often where different parts of the templates with overlapping concerns are not properly matched or updated together.</p> <blockquote> <p>Note that with the HULL object and reference handling this would not happen here since name generation (the object instance name and the reference name) is handled via the same <code>hull.metadata.fullname</code> function so the reference is always a stable one.</p> </blockquote> <p>Finally if you print the output of above:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>helm template <span class="nb">.</span> </code></pre> </div> <p>and review whether the desired outcome was rendered:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="nn">---</span> <span class="c1"># Source: kubernetes-dashboard/templates/hull.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ServiceAccount</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">default</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="s">Helm</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="na">app.kubernetes.io/part-of</span><span class="pi">:</span> <span class="s">undefined</span> <span class="na">app.kubernetes.io/version</span><span class="pi">:</span> <span class="s">2.5.0</span> <span class="na">helm.sh/chart</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-5.2.0</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-default</span> <span class="nn">---</span> <span class="c1"># Source: kubernetes-dashboard/templates/hull.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Role</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">default</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="s">Helm</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="na">app.kubernetes.io/part-of</span><span class="pi">:</span> <span class="s">undefined</span> <span class="na">app.kubernetes.io/version</span><span class="pi">:</span> <span class="s">2.5.0</span> <span class="na">helm.sh/chart</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-5.2.0</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-default</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">"</span> <span class="na">resourceNames</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">release-name-kubernetes-dashboard-settings</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">configmaps</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">get</span> <span class="pi">-</span> <span class="s">update</span> <span class="pi">-</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">"</span> <span class="na">resourceNames</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">release-name-kubernetes-dashboard-certs</span> <span class="pi">-</span> <span class="s">kubernetes-dashboard-csrf</span> <span class="pi">-</span> <span class="s">kubernetes-dashboard-key-holder</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">secrets</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">get</span> <span class="pi">-</span> <span class="s">update</span> <span class="pi">-</span> <span class="s">delete</span> <span class="pi">-</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">"</span> <span class="na">resourceNames</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">heapster</span> <span class="pi">-</span> <span class="s">dashboard-metrics-scraper</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">services</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">proxy</span> <span class="pi">-</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">"</span> <span class="na">resourceNames</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">heapster</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">http:heapster:'</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">https:heapster:'</span> <span class="pi">-</span> <span class="s">dashboard-metrics-scraper</span> <span class="pi">-</span> <span class="s">http:dashboard-metrics-scraper</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">services/proxy</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">get</span> <span class="nn">---</span> <span class="c1"># Source: kubernetes-dashboard/templates/hull.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">RoleBinding</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">default</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="s">Helm</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="na">app.kubernetes.io/part-of</span><span class="pi">:</span> <span class="s">undefined</span> <span class="na">app.kubernetes.io/version</span><span class="pi">:</span> <span class="s">2.5.0</span> <span class="na">helm.sh/chart</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-5.2.0</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-default</span> <span class="na">roleRef</span><span class="pi">:</span> <span class="na">apiGroup</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Role</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-default</span> <span class="na">subjects</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ServiceAccount</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-default</span> </code></pre> </div> <p>everything should be as intended. </p> <p>On to the last aspect of this tutorial part, the cluster-level RBAC objects!</p> <h2> Writing ClusterRole and ClusterRoleBindings </h2> <p>Structurally ClusterRole and ClusterRoleBinding objects are nearly identical to their "non-prefixed with Cluster" counterparts. </p> <h3> ClusterRoles </h3> <p>For the <a href="https://v1-18.docs.kubernetes.io/docs/reference/access-authn-authz/rbac/">ClusterRole/Role difference the Kubernetes documentation</a> states:</p> <blockquote> <p>A Role always sets permissions within a particular namespace; when you create a Role, you have to specify the namespace it belongs in.</p> </blockquote> <p>ClusterRole, by contrast, is a non-namespaced resource. The resources have different names (Role and ClusterRole) because a Kubernetes object always has to be either namespaced or not namespaced; it can't be both.</p> <p>Furthermore ClusterRole has an additional property <code>aggregationRule</code> which the Role object does not have.</p> <h3> ClusterRoleBinding </h3> <p>For the ClusterRoleBinding the <code>roleRef</code> needs to reference a global ClusterRole and not a Role.</p> <h3> Converting the existing Cluster-scope RBAC objects </h3> <p>Recaping the Cluster based RBAC objects:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>find ../kubernetes-dashboard/templates <span class="nt">-type</span> f <span class="nt">-iregex</span> <span class="s1">'.*\(ClusterRole\|\clusterrole\).*'</span> | <span class="nb">sort</span> </code></pre> </div> <p>you can see they fall into two "groups", the <code>metrics</code> and <code>readonly</code> objects:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="s">../kubernetes-dashboard/templates/clusterrole-metrics.yaml</span> <span class="s">../kubernetes-dashboard/templates/clusterrole-readonly.yaml</span> <span class="s">../kubernetes-dashboard/templates/clusterrolebinding-metrics.yaml</span> <span class="s">../kubernetes-dashboard/templates/clusterrolebinding-readonly.yaml</span> </code></pre> </div> <p>First convert the <code>readonly</code> objects from the <code>/templates</code> folder, starting with the ClusterRole:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cat</span> ../kubernetes-dashboard/templates/clusterrole-readonly.yaml </code></pre> </div> <p>showing:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># Copyright 2017 The Kubernetes Authors.</span> <span class="c1">#</span> <span class="c1"># Licensed under the Apache License, Version 2.0 (the "License");</span> <span class="c1"># you may not use this file except in compliance with the License.</span> <span class="c1"># You may obtain a copy of the License at</span> <span class="c1">#</span> <span class="c1"># http://www.apache.org/licenses/LICENSE-2.0</span> <span class="c1">#</span> <span class="c1"># Unless required by applicable law or agreed to in writing, software</span> <span class="c1"># distributed under the License is distributed on an "AS IS" BASIS,</span> <span class="c1"># WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.</span> <span class="c1"># See the License for the specific language governing permissions and</span> <span class="c1"># limitations under the License.</span> <span class="pi">{{</span> <span class="nv">if .Values.rbac.clusterReadOnlyRole -</span><span class="pi">}}</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterRole</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">template</span><span class="nv"> </span><span class="s">"kubernetes-dashboard.fullname" . }}-readonly"</span> <span class="na">labels</span><span class="pi">:</span> <span class="pi">{{</span><span class="nv">- include "kubernetes-dashboard.labels" . | nindent 4</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- if .Values.commonLabels</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{{</span><span class="nv">- if .Values.commonAnnotations</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">"</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">configmaps</span> <span class="pi">-</span> <span class="s">endpoints</span> <span class="pi">-</span> <span class="s">persistentvolumeclaims</span> <span class="pi">-</span> <span class="s">pods</span> <span class="pi">-</span> <span class="s">replicationcontrollers</span> <span class="pi">-</span> <span class="s">replicationcontrollers/scale</span> <span class="pi">-</span> <span class="s">serviceaccounts</span> <span class="pi">-</span> <span class="s">services</span> <span class="pi">-</span> <span class="s">nodes</span> <span class="pi">-</span> <span class="s">persistentvolumeclaims</span> <span class="pi">-</span> <span class="s">persistentvolumes</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">get</span> <span class="pi">-</span> <span class="s">list</span> <span class="pi">-</span> <span class="s">watch</span> <span class="pi">-</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">"</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">bindings</span> <span class="pi">-</span> <span class="s">events</span> <span class="pi">-</span> <span class="s">limitranges</span> <span class="pi">-</span> <span class="s">namespaces/status</span> <span class="pi">-</span> <span class="s">pods/log</span> <span class="pi">-</span> <span class="s">pods/status</span> <span class="pi">-</span> <span class="s">replicationcontrollers/status</span> <span class="pi">-</span> <span class="s">resourcequotas</span> <span class="pi">-</span> <span class="s">resourcequotas/status</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">get</span> <span class="pi">-</span> <span class="s">list</span> <span class="pi">-</span> <span class="s">watch</span> <span class="pi">-</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">"</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">namespaces</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">get</span> <span class="pi">-</span> <span class="s">list</span> <span class="pi">-</span> <span class="s">watch</span> <span class="pi">-</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">apps</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">daemonsets</span> <span class="pi">-</span> <span class="s">deployments</span> <span class="pi">-</span> <span class="s">deployments/scale</span> <span class="pi">-</span> <span class="s">replicasets</span> <span class="pi">-</span> <span class="s">replicasets/scale</span> <span class="pi">-</span> <span class="s">statefulsets</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">get</span> <span class="pi">-</span> <span class="s">list</span> <span class="pi">-</span> <span class="s">watch</span> <span class="pi">-</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">autoscaling</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">horizontalpodautoscalers</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">get</span> <span class="pi">-</span> <span class="s">list</span> <span class="pi">-</span> <span class="s">watch</span> <span class="pi">-</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">batch</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">cronjobs</span> <span class="pi">-</span> <span class="s">jobs</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">get</span> <span class="pi">-</span> <span class="s">list</span> <span class="pi">-</span> <span class="s">watch</span> <span class="pi">-</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">extensions</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">daemonsets</span> <span class="pi">-</span> <span class="s">deployments</span> <span class="pi">-</span> <span class="s">deployments/scale</span> <span class="pi">-</span> <span class="s">ingresses</span> <span class="pi">-</span> <span class="s">networkpolicies</span> <span class="pi">-</span> <span class="s">replicasets</span> <span class="pi">-</span> <span class="s">replicasets/scale</span> <span class="pi">-</span> <span class="s">replicationcontrollers/scale</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">get</span> <span class="pi">-</span> <span class="s">list</span> <span class="pi">-</span> <span class="s">watch</span> <span class="pi">-</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">policy</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">poddisruptionbudgets</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">get</span> <span class="pi">-</span> <span class="s">list</span> <span class="pi">-</span> <span class="s">watch</span> <span class="pi">-</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">networking.k8s.io</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">networkpolicies</span> <span class="pi">-</span> <span class="s">ingresses</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">get</span> <span class="pi">-</span> <span class="s">list</span> <span class="pi">-</span> <span class="s">watch</span> <span class="pi">-</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">storage.k8s.io</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">storageclasses</span> <span class="pi">-</span> <span class="s">volumeattachments</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">get</span> <span class="pi">-</span> <span class="s">list</span> <span class="pi">-</span> <span class="s">watch</span> <span class="pi">-</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">rbac.authorization.k8s.io</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">clusterrolebindings</span> <span class="pi">-</span> <span class="s">clusterroles</span> <span class="pi">-</span> <span class="s">roles</span> <span class="pi">-</span> <span class="s">rolebindings</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">get</span> <span class="pi">-</span> <span class="s">list</span> <span class="pi">-</span> <span class="s">watch</span> <span class="pi">{{</span><span class="nv">- end -</span><span class="pi">}}</span> </code></pre> </div> <p>The whole ClusterRole is only rendered given that <code>.Values.rbac.clusterReadOnlyRole</code> is true, looking at it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cat</span> ../kubernetes-dashboard/values.yaml | <span class="nb">grep</span> <span class="s2">"clusterReadOnlyRole"</span> <span class="nt">-B</span> 13 <span class="nt">-A</span> 1 </code></pre> </div> <p>it comes with following description:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">rbac</span><span class="pi">:</span> <span class="c1"># Specifies whether namespaced RBAC resources (Role, Rolebinding) should be created</span> <span class="na">create</span><span class="pi">:</span> <span class="no">true</span> <span class="c1"># Specifies whether cluster-wide RBAC resources (ClusterRole, ClusterRolebinding) to access metrics should be created</span> <span class="c1"># Independent from rbac.create parameter.</span> <span class="na">clusterRoleMetrics</span><span class="pi">:</span> <span class="no">true</span> <span class="c1"># Start in ReadOnly mode.</span> <span class="c1"># Specifies whether cluster-wide RBAC resources (ClusterRole, ClusterRolebinding) with read only permissions to all resources listed inside the cluster should be created</span> <span class="c1"># Only dashboard-related Secrets and ConfigMaps will still be available for writing.</span> <span class="c1">#</span> <span class="c1"># The basic idea of the clusterReadOnlyRole</span> <span class="c1"># is not to hide all the secrets and sensitive data but more</span> <span class="c1"># to avoid accidental changes in the cluster outside the standard CI/CD.</span> <span class="c1">#</span> <span class="c1"># It is NOT RECOMMENDED to use this version in production.</span> <span class="c1"># Instead you should review the role and remove all potentially sensitive parts such as</span> <span class="c1"># access to persistentvolumes, pods/log etc.</span> <span class="c1">#</span> <span class="c1"># Independent from rbac.create parameter.</span> <span class="na">clusterReadOnlyRole</span><span class="pi">:</span> <span class="no">false</span> </code></pre> </div> <p>As expected, when checking the ClusterRoleBinding:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cat</span> ../kubernetes-dashboard/templates/clusterrolebinding-readonly.yaml </code></pre> </div> <p>the same <code>{{ if .Values.rbac.clusterReadOnlyRole -}}</code> condition applies:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># Copyright 2017 The Kubernetes Authors.</span> <span class="c1">#</span> <span class="c1"># Licensed under the Apache License, Version 2.0 (the "License");</span> <span class="c1"># you may not use this file except in compliance with the License.</span> <span class="c1"># You may obtain a copy of the License at</span> <span class="c1">#</span> <span class="c1"># http://www.apache.org/licenses/LICENSE-2.0</span> <span class="c1">#</span> <span class="c1"># Unless required by applicable law or agreed to in writing, software</span> <span class="c1"># distributed under the License is distributed on an "AS IS" BASIS,</span> <span class="c1"># WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.</span> <span class="c1"># See the License for the specific language governing permissions and</span> <span class="c1"># limitations under the License.</span> <span class="pi">{{</span> <span class="nv">if .Values.rbac.clusterReadOnlyRole -</span><span class="pi">}}</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterRoleBinding</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">template "kubernetes-dashboard.fullname" .</span> <span class="pi">}}</span><span class="s">-readonly</span> <span class="na">labels</span><span class="pi">:</span> <span class="pi">{{</span><span class="nv">- include "kubernetes-dashboard.labels" . | nindent 4</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- if .Values.commonLabels</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{{</span><span class="nv">- if .Values.commonAnnotations</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> <span class="na">roleRef</span><span class="pi">:</span> <span class="na">apiGroup</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterRole</span> <span class="na">name</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">template "kubernetes-dashboard.fullname" .</span> <span class="pi">}}</span><span class="s">-readonly</span> <span class="na">subjects</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ServiceAccount</span> <span class="na">name</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">template "kubernetes-dashboard.serviceAccountName" .</span> <span class="pi">}}</span> <span class="na">namespace</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">.Release.Namespace</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> </code></pre> </div> <p>Thus it makes much sense to model the <code>rbac.clusterReadOnlyRole</code> switch in our <code>hull.config.specific</code> section so we can centrally disable and enable it. Otherwise nothing new or unexpected happens here so it is straightforward to convert this to a HULL based chart logic but before that check on the <code>metrics</code> components.</p> <p>Inspecting the <code>metrics</code> components you see that they behave the same way: rendering is controlled by a global switch <code>{{ if .Values.rbac.clusterRoleMetrics -}}</code> which is also contained in the last <code>cat</code> of <code>values.yaml</code> and the rest is similar mapping of rules to the ClusterRole and ClusterRoleBinding between the ClusterRole and the ServiceAccount:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cat</span> ../kubernetes-dashboard/templates/clusterrole-metrics.yaml </code></pre> </div> <p>gives:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># Copyright 2017 The Kubernetes Authors.</span> <span class="c1">#</span> <span class="c1"># Licensed under the Apache License, Version 2.0 (the "License");</span> <span class="c1"># you may not use this file except in compliance with the License.</span> <span class="c1"># You may obtain a copy of the License at</span> <span class="c1">#</span> <span class="c1"># http://www.apache.org/licenses/LICENSE-2.0</span> <span class="c1">#</span> <span class="c1"># Unless required by applicable law or agreed to in writing, software</span> <span class="c1"># distributed under the License is distributed on an "AS IS" BASIS,</span> <span class="c1"># WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.</span> <span class="c1"># See the License for the specific language governing permissions and</span> <span class="c1"># limitations under the License.</span> <span class="pi">{{</span> <span class="nv">if .Values.rbac.clusterRoleMetrics -</span><span class="pi">}}</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterRole</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io/v1</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">template</span><span class="nv"> </span><span class="s">"kubernetes-dashboard.fullname" . }}-metrics"</span> <span class="na">labels</span><span class="pi">:</span> <span class="pi">{{</span><span class="nv">- include "kubernetes-dashboard.labels" . | nindent 4</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- if .Values.commonLabels</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{{</span><span class="nv">- if .Values.commonAnnotations</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> <span class="na">rules</span><span class="pi">:</span> <span class="c1"># Allow Metrics Scraper to get metrics from the Metrics server</span> <span class="pi">-</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">metrics.k8s.io"</span><span class="pi">]</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">pods"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">nodes"</span><span class="pi">]</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">get"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">list"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">watch"</span><span class="pi">]</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> </code></pre> </div> <p>and:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cat</span> ../kubernetes-dashboard/templates/clusterrolebinding-metrics.yaml </code></pre> </div> <p>gives:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># Copyright 2017 The Kubernetes Authors.</span> <span class="c1">#</span> <span class="c1"># Licensed under the Apache License, Version 2.0 (the "License");</span> <span class="c1"># you may not use this file except in compliance with the License.</span> <span class="c1"># You may obtain a copy of the License at</span> <span class="c1">#</span> <span class="c1"># http://www.apache.org/licenses/LICENSE-2.0</span> <span class="c1">#</span> <span class="c1"># Unless required by applicable law or agreed to in writing, software</span> <span class="c1"># distributed under the License is distributed on an "AS IS" BASIS,</span> <span class="c1"># WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.</span> <span class="c1"># See the License for the specific language governing permissions and</span> <span class="c1"># limitations under the License.</span> <span class="pi">{{</span> <span class="nv">if .Values.rbac.clusterRoleMetrics -</span><span class="pi">}}</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterRoleBinding</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">template</span><span class="nv"> </span><span class="s">"kubernetes-dashboard.fullname" . }}-metrics"</span> <span class="na">labels</span><span class="pi">:</span> <span class="pi">{{</span><span class="nv">- include "kubernetes-dashboard.labels" . | nindent 4</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- if .Values.commonLabels</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{{</span><span class="nv">- if .Values.commonAnnotations</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> <span class="na">roleRef</span><span class="pi">:</span> <span class="na">apiGroup</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterRole</span> <span class="na">name</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">template "kubernetes-dashboard.fullname" .</span> <span class="pi">}}</span><span class="s">-metrics</span> <span class="na">subjects</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ServiceAccount</span> <span class="na">name</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">template "kubernetes-dashboard.serviceAccountName" .</span> <span class="pi">}}</span> <span class="na">namespace</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">.Release.Namespace</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> </code></pre> </div> <p>In terms of converting this, first add in the new "global/specific" <code>rbac.clusterReadOnlyRole</code> and <code>rbac.clusterRoleMetrics</code> parameters to our <code>hull.config.specific</code> section:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sed</span> <span class="s1">'/^\s\s\s\sspecific/r'</span>&lt;<span class="o">(</span> <span class="nb">echo</span> <span class="s2">" rbac:"</span> <span class="nb">echo</span> <span class="s2">" clusterReadOnlyRole: false"</span> <span class="nb">echo</span> <span class="s2">" clusterRoleMetrics: true"</span> <span class="o">)</span> <span class="nt">-i</span> <span class="nt">--</span> values.yaml </code></pre> </div> <p>and then add the <code>readonly</code> ClusterRole and ClusterRoleBinding with the enabled switch bound to the <code>clusterReadOnlyRole</code> condition and the <code>metrics</code> ClusterRole and ClusterRoleBinding with the enabled switch bound to the <code>clusterRoleMetrics</code> condition:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">echo</span> <span class="s1">' clusterrole: readonly: enabled: _HT?(index . "$").Values.hull.config.specific.rbac.clusterReadOnlyRole rules: cluster_objects: apiGroups: - "" resources: - configmaps - endpoints - persistentvolumeclaims - pods - replicationcontrollers - replicationcontrollers/scale - serviceaccounts - services - nodes - persistentvolumeclaims - persistentvolumes verbs: - get - list - watch statuses: apiGroups: - "" resources: - bindings - events - limitranges - namespaces/status - pods/log - pods/status - replicationcontrollers/status - resourcequotas - resourcequotas/status verbs: - get - list - watch namespaces: apiGroups: - "" resources: - namespaces verbs: - get - list - watch apps: apiGroups: - apps resources: - daemonsets - deployments - deployments/scale - replicasets - replicasets/scale - statefulsets verbs: - get - list - watch autoscaling: apiGroups: - autoscaling resources: - horizontalpodautoscalers verbs: - get - list - watch jobs: apiGroups: - batch resources: - cronjobs - jobs verbs: - get - list - watch extensions: apiGroups: - extensions resources: - daemonsets - deployments - deployments/scale - ingresses - networkpolicies - replicasets - replicasets/scale - replicationcontrollers/scale verbs: - get - list - watch pdb: apiGroups: - policy resources: - poddisruptionbudgets verbs: - get - list - watch network: apiGroups: - networking.k8s.io resources: - networkpolicies - ingresses verbs: - get - list - watch storage: apiGroups: - storage.k8s.io resources: - storageclasses - volumeattachments verbs: - get - list - watch rbac: apiGroups: - rbac.authorization.k8s.io resources: - clusterrolebindings - clusterroles - roles - rolebindings verbs: - get - list - watch metrics: enabled: _HT?(index . "$").Values.hull.config.specific.rbac.clusterRoleMetrics rules: metrics: apiGroups: - "metrics.k8s.io" resources: - pods - nodes verbs: - get - list - watch clusterrolebinding: readonly: enabled: _HT?(index . "$").Values.hull.config.specific.rbac.clusterReadOnlyRole roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: _HT^readonly subjects: - namespace: _HT!{{ (index . "$").Release.Namespace }} kind: ServiceAccount name: _HT^default metrics: enabled: _HT?(index . "$").Values.hull.config.specific.rbac.clusterRoleMetrics roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: _HT^metrics subjects: - namespace: _HT!{{ (index . "$").Release.Namespace }} kind: ServiceAccount name: _HT^default'</span> <span class="o">&gt;&gt;</span> values.yaml </code></pre> </div> <p>If you want to check the new objects out, you can enable them both:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">echo</span> <span class="s1">'hull: config: specific: rbac: clusterReadOnlyRole: true'</span> <span class="o">&gt;</span> ../configs/enable-cluster-role.yaml <span class="se">\</span> <span class="o">&amp;&amp;</span> helm template <span class="nt">-f</span> ../configs/enable-cluster-role.yaml <span class="nb">.</span> </code></pre> </div> <p>and examine it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="nn">---</span> <span class="c1"># Source: kubernetes-dashboard/templates/hull.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ServiceAccount</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">default</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="s">Helm</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="na">app.kubernetes.io/part-of</span><span class="pi">:</span> <span class="s">undefined</span> <span class="na">app.kubernetes.io/version</span><span class="pi">:</span> <span class="s">2.5.0</span> <span class="na">helm.sh/chart</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-5.2.0</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-default</span> <span class="nn">---</span> <span class="c1"># Source: kubernetes-dashboard/templates/hull.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterRole</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">metrics</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="s">Helm</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="na">app.kubernetes.io/part-of</span><span class="pi">:</span> <span class="s">undefined</span> <span class="na">app.kubernetes.io/version</span><span class="pi">:</span> <span class="s">2.5.0</span> <span class="na">helm.sh/chart</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-5.2.0</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-metrics</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s2">"</span><span class="s">"</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">metrics.k8s.io</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">pods</span> <span class="pi">-</span> <span class="s">nodes</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">get</span> <span class="pi">-</span> <span class="s">list</span> <span class="pi">-</span> <span class="s">watch</span> <span class="nn">---</span> <span class="c1"># Source: kubernetes-dashboard/templates/hull.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterRole</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">readonly</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="s">Helm</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="na">app.kubernetes.io/part-of</span><span class="pi">:</span> <span class="s">undefined</span> <span class="na">app.kubernetes.io/version</span><span class="pi">:</span> <span class="s">2.5.0</span> <span class="na">helm.sh/chart</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-5.2.0</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-readonly</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s2">"</span><span class="s">"</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">apps</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">daemonsets</span> <span class="pi">-</span> <span class="s">deployments</span> <span class="pi">-</span> <span class="s">deployments/scale</span> <span class="pi">-</span> <span class="s">replicasets</span> <span class="pi">-</span> <span class="s">replicasets/scale</span> <span class="pi">-</span> <span class="s">statefulsets</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">get</span> <span class="pi">-</span> <span class="s">list</span> <span class="pi">-</span> <span class="s">watch</span> <span class="pi">-</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">autoscaling</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">horizontalpodautoscalers</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">get</span> <span class="pi">-</span> <span class="s">list</span> <span class="pi">-</span> <span class="s">watch</span> <span class="pi">-</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">"</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">configmaps</span> <span class="pi">-</span> <span class="s">endpoints</span> <span class="pi">-</span> <span class="s">persistentvolumeclaims</span> <span class="pi">-</span> <span class="s">pods</span> <span class="pi">-</span> <span class="s">replicationcontrollers</span> <span class="pi">-</span> <span class="s">replicationcontrollers/scale</span> <span class="pi">-</span> <span class="s">serviceaccounts</span> <span class="pi">-</span> <span class="s">services</span> <span class="pi">-</span> <span class="s">nodes</span> <span class="pi">-</span> <span class="s">persistentvolumeclaims</span> <span class="pi">-</span> <span class="s">persistentvolumes</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">get</span> <span class="pi">-</span> <span class="s">list</span> <span class="pi">-</span> <span class="s">watch</span> <span class="pi">-</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">extensions</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">daemonsets</span> <span class="pi">-</span> <span class="s">deployments</span> <span class="pi">-</span> <span class="s">deployments/scale</span> <span class="pi">-</span> <span class="s">ingresses</span> <span class="pi">-</span> <span class="s">networkpolicies</span> <span class="pi">-</span> <span class="s">replicasets</span> <span class="pi">-</span> <span class="s">replicasets/scale</span> <span class="pi">-</span> <span class="s">replicationcontrollers/scale</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">get</span> <span class="pi">-</span> <span class="s">list</span> <span class="pi">-</span> <span class="s">watch</span> <span class="pi">-</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">batch</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">cronjobs</span> <span class="pi">-</span> <span class="s">jobs</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">get</span> <span class="pi">-</span> <span class="s">list</span> <span class="pi">-</span> <span class="s">watch</span> <span class="pi">-</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">"</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">namespaces</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">get</span> <span class="pi">-</span> <span class="s">list</span> <span class="pi">-</span> <span class="s">watch</span> <span class="pi">-</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">networking.k8s.io</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">networkpolicies</span> <span class="pi">-</span> <span class="s">ingresses</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">get</span> <span class="pi">-</span> <span class="s">list</span> <span class="pi">-</span> <span class="s">watch</span> <span class="pi">-</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">policy</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">poddisruptionbudgets</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">get</span> <span class="pi">-</span> <span class="s">list</span> <span class="pi">-</span> <span class="s">watch</span> <span class="pi">-</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">rbac.authorization.k8s.io</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">clusterrolebindings</span> <span class="pi">-</span> <span class="s">clusterroles</span> <span class="pi">-</span> <span class="s">roles</span> <span class="pi">-</span> <span class="s">rolebindings</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">get</span> <span class="pi">-</span> <span class="s">list</span> <span class="pi">-</span> <span class="s">watch</span> <span class="pi">-</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">"</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">bindings</span> <span class="pi">-</span> <span class="s">events</span> <span class="pi">-</span> <span class="s">limitranges</span> <span class="pi">-</span> <span class="s">namespaces/status</span> <span class="pi">-</span> <span class="s">pods/log</span> <span class="pi">-</span> <span class="s">pods/status</span> <span class="pi">-</span> <span class="s">replicationcontrollers/status</span> <span class="pi">-</span> <span class="s">resourcequotas</span> <span class="pi">-</span> <span class="s">resourcequotas/status</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">get</span> <span class="pi">-</span> <span class="s">list</span> <span class="pi">-</span> <span class="s">watch</span> <span class="pi">-</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">storage.k8s.io</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">storageclasses</span> <span class="pi">-</span> <span class="s">volumeattachments</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">get</span> <span class="pi">-</span> <span class="s">list</span> <span class="pi">-</span> <span class="s">watch</span> <span class="nn">---</span> <span class="c1"># Source: kubernetes-dashboard/templates/hull.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterRoleBinding</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">metrics</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="s">Helm</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="na">app.kubernetes.io/part-of</span><span class="pi">:</span> <span class="s">undefined</span> <span class="na">app.kubernetes.io/version</span><span class="pi">:</span> <span class="s">2.5.0</span> <span class="na">helm.sh/chart</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-5.2.0</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-metrics</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s2">"</span><span class="s">"</span> <span class="na">roleRef</span><span class="pi">:</span> <span class="na">apiGroup</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterRole</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-metrics</span> <span class="na">subjects</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ServiceAccount</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-default</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">default</span> <span class="nn">---</span> <span class="c1"># Source: kubernetes-dashboard/templates/hull.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterRoleBinding</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">readonly</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="s">Helm</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="na">app.kubernetes.io/part-of</span><span class="pi">:</span> <span class="s">undefined</span> <span class="na">app.kubernetes.io/version</span><span class="pi">:</span> <span class="s">2.5.0</span> <span class="na">helm.sh/chart</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-5.2.0</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-readonly</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s2">"</span><span class="s">"</span> <span class="na">roleRef</span><span class="pi">:</span> <span class="na">apiGroup</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterRole</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-readonly</span> <span class="na">subjects</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ServiceAccount</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-default</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">default</span> <span class="nn">---</span> <span class="c1"># Source: kubernetes-dashboard/templates/hull.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Role</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">default</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="s">Helm</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="na">app.kubernetes.io/part-of</span><span class="pi">:</span> <span class="s">undefined</span> <span class="na">app.kubernetes.io/version</span><span class="pi">:</span> <span class="s">2.5.0</span> <span class="na">helm.sh/chart</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-5.2.0</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-default</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">"</span> <span class="na">resourceNames</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">release-name-kubernetes-dashboard-settings</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">configmaps</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">get</span> <span class="pi">-</span> <span class="s">update</span> <span class="pi">-</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">"</span> <span class="na">resourceNames</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">release-name-kubernetes-dashboard-certs</span> <span class="pi">-</span> <span class="s">kubernetes-dashboard-csrf</span> <span class="pi">-</span> <span class="s">kubernetes-dashboard-key-holder</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">secrets</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">get</span> <span class="pi">-</span> <span class="s">update</span> <span class="pi">-</span> <span class="s">delete</span> <span class="pi">-</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">"</span> <span class="na">resourceNames</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">heapster</span> <span class="pi">-</span> <span class="s">dashboard-metrics-scraper</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">services</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">proxy</span> <span class="pi">-</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">"</span> <span class="na">resourceNames</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">heapster</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">http:heapster:'</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">https:heapster:'</span> <span class="pi">-</span> <span class="s">dashboard-metrics-scraper</span> <span class="pi">-</span> <span class="s">http:dashboard-metrics-scraper</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">services/proxy</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">get</span> <span class="nn">---</span> <span class="c1"># Source: kubernetes-dashboard/templates/hull.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">RoleBinding</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">default</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="s">Helm</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="na">app.kubernetes.io/part-of</span><span class="pi">:</span> <span class="s">undefined</span> <span class="na">app.kubernetes.io/version</span><span class="pi">:</span> <span class="s">2.5.0</span> <span class="na">helm.sh/chart</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-5.2.0</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-default</span> <span class="na">roleRef</span><span class="pi">:</span> <span class="na">apiGroup</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Role</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-default</span> <span class="na">subjects</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ServiceAccount</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-default</span> </code></pre> </div> <h2> Wrap up </h2> <p>That is almost it for this tutorial part. If you want to compare the intended outcome with what you created, your <code>values.yaml</code> should look like this at this point:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">metrics-server</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="no">false</span> <span class="na">hull</span><span class="pi">:</span> <span class="na">config</span><span class="pi">:</span> <span class="na">specific</span><span class="pi">:</span> <span class="na">rbac</span><span class="pi">:</span> <span class="na">clusterReadOnlyRole</span><span class="pi">:</span> <span class="no">false</span> <span class="na">clusterRoleMetrics</span><span class="pi">:</span> <span class="no">true</span> <span class="na">settings</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">pinnedCRDs</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">objects</span><span class="pi">:</span> <span class="na">role</span><span class="pi">:</span> <span class="na">default</span><span class="pi">:</span> <span class="na">rules</span><span class="pi">:</span> <span class="na">secrets</span><span class="pi">:</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">"</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">secrets</span> <span class="na">resourceNames</span><span class="pi">:</span> <span class="s">_HT![</span> <span class="s">{{ include "hull.metadata.fullname" (dict "PARENT_CONTEXT" (index . "$") "COMPONENT" "certs") }},</span> <span class="s">"kubernetes-dashboard-csrf",</span> <span class="s">"kubernetes-dashboard-key-holder"</span> <span class="s">]</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">get</span> <span class="pi">-</span> <span class="s">update</span> <span class="pi">-</span> <span class="s">delete</span> <span class="na">configmaps</span><span class="pi">:</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">"</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">configmaps</span> <span class="na">resourceNames</span><span class="pi">:</span> <span class="s">_HT![</span> <span class="s">{{ include "hull.metadata.fullname" (dict "PARENT_CONTEXT" (index . "$") "COMPONENT" "settings") }} ]</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">get</span> <span class="pi">-</span> <span class="s">update</span> <span class="na">services</span><span class="pi">:</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">"</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">services</span> <span class="na">resourceNames</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">heapster"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">dashboard-metrics-scraper"</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">proxy</span> <span class="na">services_proxy</span><span class="pi">:</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">"</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">services/proxy</span> <span class="na">resourceNames</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">heapster"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">http:heapster:"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">https:heapster:"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">dashboard-metrics-scraper"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">http:dashboard-metrics-scraper"</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">get</span> <span class="na">clusterrole</span><span class="pi">:</span> <span class="na">readonly</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="s">_HT?(index . "$").Values.hull.config.specific.rbac.clusterReadOnlyRole</span> <span class="na">rules</span><span class="pi">:</span> <span class="na">cluster_objects</span><span class="pi">:</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">"</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">configmaps</span> <span class="pi">-</span> <span class="s">endpoints</span> <span class="pi">-</span> <span class="s">persistentvolumeclaims</span> <span class="pi">-</span> <span class="s">pods</span> <span class="pi">-</span> <span class="s">replicationcontrollers</span> <span class="pi">-</span> <span class="s">replicationcontrollers/scale</span> <span class="pi">-</span> <span class="s">serviceaccounts</span> <span class="pi">-</span> <span class="s">services</span> <span class="pi">-</span> <span class="s">nodes</span> <span class="pi">-</span> <span class="s">persistentvolumeclaims</span> <span class="pi">-</span> <span class="s">persistentvolumes</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">get</span> <span class="pi">-</span> <span class="s">list</span> <span class="pi">-</span> <span class="s">watch</span> <span class="na">statuses</span><span class="pi">:</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">"</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">bindings</span> <span class="pi">-</span> <span class="s">events</span> <span class="pi">-</span> <span class="s">limitranges</span> <span class="pi">-</span> <span class="s">namespaces/status</span> <span class="pi">-</span> <span class="s">pods/log</span> <span class="pi">-</span> <span class="s">pods/status</span> <span class="pi">-</span> <span class="s">replicationcontrollers/status</span> <span class="pi">-</span> <span class="s">resourcequotas</span> <span class="pi">-</span> <span class="s">resourcequotas/status</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">get</span> <span class="pi">-</span> <span class="s">list</span> <span class="pi">-</span> <span class="s">watch</span> <span class="na">namespaces</span><span class="pi">:</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">"</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">namespaces</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">get</span> <span class="pi">-</span> <span class="s">list</span> <span class="pi">-</span> <span class="s">watch</span> <span class="na">apps</span><span class="pi">:</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">apps</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">daemonsets</span> <span class="pi">-</span> <span class="s">deployments</span> <span class="pi">-</span> <span class="s">deployments/scale</span> <span class="pi">-</span> <span class="s">replicasets</span> <span class="pi">-</span> <span class="s">replicasets/scale</span> <span class="pi">-</span> <span class="s">statefulsets</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">get</span> <span class="pi">-</span> <span class="s">list</span> <span class="pi">-</span> <span class="s">watch</span> <span class="na">autoscaling</span><span class="pi">:</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">autoscaling</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">horizontalpodautoscalers</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">get</span> <span class="pi">-</span> <span class="s">list</span> <span class="pi">-</span> <span class="s">watch</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">batch</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">cronjobs</span> <span class="pi">-</span> <span class="s">jobs</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">get</span> <span class="pi">-</span> <span class="s">list</span> <span class="pi">-</span> <span class="s">watch</span> <span class="na">extensions</span><span class="pi">:</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">extensions</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">daemonsets</span> <span class="pi">-</span> <span class="s">deployments</span> <span class="pi">-</span> <span class="s">deployments/scale</span> <span class="pi">-</span> <span class="s">ingresses</span> <span class="pi">-</span> <span class="s">networkpolicies</span> <span class="pi">-</span> <span class="s">replicasets</span> <span class="pi">-</span> <span class="s">replicasets/scale</span> <span class="pi">-</span> <span class="s">replicationcontrollers/scale</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">get</span> <span class="pi">-</span> <span class="s">list</span> <span class="pi">-</span> <span class="s">watch</span> <span class="na">pdb</span><span class="pi">:</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">policy</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">poddisruptionbudgets</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">get</span> <span class="pi">-</span> <span class="s">list</span> <span class="pi">-</span> <span class="s">watch</span> <span class="na">network</span><span class="pi">:</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">networking.k8s.io</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">networkpolicies</span> <span class="pi">-</span> <span class="s">ingresses</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">get</span> <span class="pi">-</span> <span class="s">list</span> <span class="pi">-</span> <span class="s">watch</span> <span class="na">storage</span><span class="pi">:</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">storage.k8s.io</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">storageclasses</span> <span class="pi">-</span> <span class="s">volumeattachments</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">get</span> <span class="pi">-</span> <span class="s">list</span> <span class="pi">-</span> <span class="s">watch</span> <span class="na">rbac</span><span class="pi">:</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">rbac.authorization.k8s.io</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">clusterrolebindings</span> <span class="pi">-</span> <span class="s">clusterroles</span> <span class="pi">-</span> <span class="s">roles</span> <span class="pi">-</span> <span class="s">rolebindings</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">get</span> <span class="pi">-</span> <span class="s">list</span> <span class="pi">-</span> <span class="s">watch</span> <span class="na">metrics</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="s">_HT?(index . "$").Values.hull.config.specific.rbac.clusterRoleMetrics</span> <span class="na">rules</span><span class="pi">:</span> <span class="na">metrics</span><span class="pi">:</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">metrics.k8s.io"</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">pods</span> <span class="pi">-</span> <span class="s">nodes</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">get</span> <span class="pi">-</span> <span class="s">list</span> <span class="pi">-</span> <span class="s">watch</span> <span class="na">clusterrolebinding</span><span class="pi">:</span> <span class="na">readonly</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="s">_HT?(index . "$").Values.hull.config.specific.rbac.clusterReadOnlyRole</span> <span class="na">roleRef</span><span class="pi">:</span> <span class="na">apiGroup</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterRole</span> <span class="na">name</span><span class="pi">:</span> <span class="s">_HT^readonly</span> <span class="na">subjects</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">_HT!{{ (index . "$").Release.Namespace }}</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ServiceAccount</span> <span class="na">name</span><span class="pi">:</span> <span class="s">_HT^default</span> <span class="na">metrics</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="s">_HT?(index . "$").Values.hull.config.specific.rbac.clusterRoleMetrics</span> <span class="na">roleRef</span><span class="pi">:</span> <span class="na">apiGroup</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterRole</span> <span class="na">name</span><span class="pi">:</span> <span class="s">_HT^metrics</span> <span class="na">subjects</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">_HT!{{ (index . "$").Release.Namespace }}</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ServiceAccount</span> <span class="na">name</span><span class="pi">:</span> <span class="s">_HT^default</span> </code></pre> </div> <p>Backup your finished <code>values.yaml</code> to the <code>values.tutorial-part.yaml</code> in case you want to modify, play around or start from scratch again with the <code>values.yaml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cp </span>values.yaml values.tutorial-part.yaml </code></pre> </div> <p>Lastly, we combine our previous results with the newly written ones. For this add the intermediate results to the <code>values.full.yaml</code>. Since we copied the <code>hull.config.specific</code> part in the beginning of this tutorial part we can just overwrite it with the one we expanded upon during this tutorial part. But the already existing <code>hull.objects</code> need to be merged with the newly defined ones so you can copy them first from <code>values.full.yaml</code> before appending them to the <code>values.yaml</code> content and saving the complete result as <code>values.full.yaml</code> again:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sed</span> <span class="s1">'1,/objects:/d'</span> values.full.yaml <span class="o">&gt;</span> _tmp <span class="o">&amp;&amp;</span> <span class="nb">cp </span>values.yaml values.full.yaml <span class="o">&amp;&amp;</span> <span class="nb">cat </span>_tmp <span class="o">&gt;&gt;</span> values.full.yaml <span class="o">&amp;&amp;</span> <span class="nb">rm </span>_tmp </code></pre> </div> <p>The result of this course can be downloaded <a href="https://github.com/vidispine/hull-tutorials/tree/test/dev-to/hull/04_rbac">here</a> for reference. </p> <p><strong>See you on the <a href="https://dev.to/gre9ory/hull-tutorial-05-defining-workload-objects-268l">next part of this series hopefully where you take a close look at defining workload objects via HULL</a>. Thanks for reading!</strong></p> HULL Tutorial 03: Integrating ConfigMaps and Secrets gre9ory Tue, 31 May 2022 11:24:38 +0000 https://dev.to/gre9ory/hull-tutorial-03-integrating-configmaps-and-secrets-47o1 https://dev.to/gre9ory/hull-tutorial-03-integrating-configmaps-and-secrets-47o1 <h2> Preparation </h2> <p>As a reminder, the goal of this tutorial series is to demonstrate how to build Helm charts based on the <a href="https://github.com/vidispine/hull">HULL library chart</a> by recreating the functionality of the original <code>kubernetes-dashboard</code> Helm chart with a HULL based chart from scratch. When you have followed the previous part of this tutorial <a href="https://dev.to/gre9ory/setup-a-helm-chart-based-on-hull-44i6-temp-slug-7198775">on setting up a HULL base chart</a> you have created a for now unconfigured Helm chart named <code>kubernetes-dashboard-hull</code> in the <code>02_setup</code> subfolder of your working directory (we assume that's <code>~/kubernetes-dashboard-hull</code> here). You can alternatively download the current chart state <a href="https://github.com/vidispine/hull-tutorials/tree/test/dev-to/hull/02_setup">here</a> and continue from there. Also you should have checked out and extracted the <code>kubernetes-dashboard</code> Helm chart to <code>kubernetes-dashboard</code> in your working directory because examining it will be frequently required.</p> <p>Start by inspecting the current state of the project with:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd</span> ~/kubernetes-dashboard-hull <span class="o">&amp;&amp;</span> <span class="nb">ls </span>02_setup/kubernetes-dashboard<span class="k">*</span> </code></pre> </div> <p>which should be giving you:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">02_setup/kubernetes-dashboard</span><span class="pi">:</span> <span class="s">Chart.lock Chart.yaml README.md charts templates values.yaml</span> <span class="na">02_setup/kubernetes-dashboard-hull</span><span class="pi">:</span> <span class="s">Chart.lock Chart.yaml charts templates values.yaml</span> </code></pre> </div> <p>To continue you should make a copy for our new tutorial Part and leave the current state result untouched:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cp</span> <span class="nt">-R</span> 02_setup/ 03_configmaps_and_secrets </code></pre> </div> <p>Ok, now you can change to our freshly copied <code>kubernetes-dashboard-hull</code> chart directory:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd </span>03_configmaps_and_secrets/kubernetes-dashboard-hull </code></pre> </div> <p>and start adding things to our Helm chart!</p> <h2> Analyzing the existing ConfigMaps </h2> <p>It is time to start moving the objects from the original to our new chart and focus on ConfigMaps and Secrets as a first step.</p> <p>When checking the <code>kubernetes-dashboard</code>'s <code>templates</code> folder with:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>find ../kubernetes-dashboard/templates <span class="nt">-type</span> f <span class="nt">-iregex</span> <span class="s1">'.*\(configmap\|secret\).*'</span> | <span class="nb">sort</span> </code></pre> </div> <p>you can spot one ConfigMap and one Secret file each in there from the response:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="s">../kubernetes-dashboard/templates/configmap.yaml</span> <span class="s">../kubernetes-dashboard/templates/secret.yaml</span> </code></pre> </div> <p>Note that file naming of templates does not actually mean anything in terms of what may be contained in them but for our exercise the result above points in the right direction.</p> <p>You can proceed with getting the contents of the <code>templates/configmap.yaml</code> ConfigMap:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cat</span> ../kubernetes-dashboard/templates/configmap.yaml </code></pre> </div> <p>shows this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># Copyright 2017 The Kubernetes Authors.</span> <span class="c1">#</span> <span class="c1"># Licensed under the Apache License, Version 2.0 (the "License");</span> <span class="c1"># you may not use this file except in compliance with the License.</span> <span class="c1"># You may obtain a copy of the License at</span> <span class="c1">#</span> <span class="c1"># http://www.apache.org/licenses/LICENSE-2.0</span> <span class="c1">#</span> <span class="c1"># Unless required by applicable law or agreed to in writing, software</span> <span class="c1"># distributed under the License is distributed on an "AS IS" BASIS,</span> <span class="c1"># WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.</span> <span class="c1"># See the License for the specific language governing permissions and</span> <span class="c1"># limitations under the License.</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ConfigMap</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="pi">{{</span><span class="nv">- include "kubernetes-dashboard.labels" . | nindent 4</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- if .Values.commonLabels</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{{</span><span class="nv">- if .Values.commonAnnotations</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-settings</span> <span class="na">data</span><span class="pi">:</span> <span class="pi">{{</span><span class="nv">- with .Values.settings</span> <span class="pi">}}</span> <span class="na">_global</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">toJson . | quote</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- with .Values.pinnedCRDs</span> <span class="pi">}}</span> <span class="na">_pinnedCRD</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">toJson . | quote</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> </code></pre> </div> <p>Starting from the top, first you can see that some labels are generated by an include of <code>kubernetes-dashboard.labels</code> helper function. In <a href="https://helm.sh/docs/chart_template_guide/named_templates/#partials-and-_-files">classic Helm charts such helper functions</a> are found usually in one or more <code>_*.tpl</code> helper files. The intention of the leading underscore in the name and the <code>.tpl</code> ending is to indicate these files do not contain objects that can be rendered but only helper functions.</p> <p>To get an overview of the helper functions you may display the <code>_*.tpl</code> file contents because we will need to get back to them frequently. Cat the files contents with:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cat</span> ../kubernetes-dashboard/templates/_<span class="k">*</span>.tpl </code></pre> </div> <p>to print the helper functions which are for the most part the typical assortment of a Helm charts helper functions:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># Copyright 2017 The Kubernetes Authors.</span> <span class="c1">#</span> <span class="c1"># Licensed under the Apache License, Version 2.0 (the "License");</span> <span class="c1"># you may not use this file except in compliance with the License.</span> <span class="c1"># You may obtain a copy of the License at</span> <span class="c1">#</span> <span class="c1"># http://www.apache.org/licenses/LICENSE-2.0</span> <span class="c1">#</span> <span class="c1"># Unless required by applicable law or agreed to in writing, software</span> <span class="c1"># distributed under the License is distributed on an "AS IS" BASIS,</span> <span class="c1"># WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.</span> <span class="c1"># See the License for the specific language governing permissions and</span> <span class="c1"># limitations under the License.</span> <span class="pi">{{</span><span class="nv">/* vim</span><span class="pi">:</span> <span class="nv">set filetype=mustache</span><span class="pi">:</span> <span class="err">*</span><span class="nv">/</span><span class="pi">}}</span> <span class="pi">{{</span><span class="nv">/*</span> <span class="nv">Expand the name of the chart.</span> <span class="nv">*/</span><span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- define "kubernetes-dashboard.name" -</span><span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -</span><span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end -</span><span class="pi">}}</span> <span class="pi">{{</span><span class="nv">/*</span> <span class="nv">Create a default fully qualified app name.</span> <span class="nv">We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).</span> <span class="nv">If release name contains chart name it will be used as a full name.</span> <span class="nv">*/</span><span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- define "kubernetes-dashboard.fullname" -</span><span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- if .Values.fullnameOverride -</span><span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -</span><span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- else -</span><span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- $name</span> <span class="pi">:</span><span class="nv">= default .Chart.Name .Values.nameOverride -</span><span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- if contains $name .Release.Name -</span><span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- .Release.Name | trunc 63 | trimSuffix "-" -</span><span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- else -</span><span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -</span><span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end -</span><span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end -</span><span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end -</span><span class="pi">}}</span> <span class="pi">{{</span><span class="nv">/*</span> <span class="nv">Create chart name and version as used by the chart label.</span> <span class="nv">*/</span><span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- define "kubernetes-dashboard.chart" -</span><span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -</span><span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end -</span><span class="pi">}}</span> <span class="pi">{{</span><span class="nv">/*</span> <span class="nv">Common labels</span> <span class="nv">*/</span><span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- define "kubernetes-dashboard.labels" -</span><span class="pi">}}</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">include "kubernetes-dashboard.name" .</span> <span class="pi">}}</span> <span class="na">helm.sh/chart</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">include "kubernetes-dashboard.chart" .</span> <span class="pi">}}</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">.Release.Name</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- if .Chart.AppVersion</span> <span class="pi">}}</span> <span class="na">app.kubernetes.io/version</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">.Chart.AppVersion | quote</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">.Release.Service</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end -</span><span class="pi">}}</span> <span class="pi">{{</span><span class="nv">/*</span> <span class="nv">Common label selectors</span> <span class="nv">*/</span><span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- define "kubernetes-dashboard.matchLabels" -</span><span class="pi">}}</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">include "kubernetes-dashboard.name" .</span> <span class="pi">}}</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">.Release.Name</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end -</span><span class="pi">}}</span> <span class="pi">{{</span><span class="nv">/*</span> <span class="nv">Name of the service account to use</span> <span class="nv">*/</span><span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- define "kubernetes-dashboard.serviceAccountName" -</span><span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- if .Values.serviceAccount.create -</span><span class="pi">}}</span> <span class="pi">{{</span> <span class="nv">default (include "kubernetes-dashboard.fullname" .) .Values.serviceAccount.name</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- else -</span><span class="pi">}}</span> <span class="pi">{{</span> <span class="nv">default "default" .Values.serviceAccount.name</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end -</span><span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end -</span><span class="pi">}}</span> <span class="c1"># Copyright 2017 The Kubernetes Authors.</span> <span class="c1">#</span> <span class="c1"># Licensed under the Apache License, Version 2.0 (the "License");</span> <span class="c1"># you may not use this file except in compliance with the License.</span> <span class="c1"># You may obtain a copy of the License at</span> <span class="c1">#</span> <span class="c1"># http://www.apache.org/licenses/LICENSE-2.0</span> <span class="c1">#</span> <span class="c1"># Unless required by applicable law or agreed to in writing, software</span> <span class="c1"># distributed under the License is distributed on an "AS IS" BASIS,</span> <span class="c1"># WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.</span> <span class="c1"># See the License for the specific language governing permissions and</span> <span class="c1"># limitations under the License.</span> <span class="pi">{{</span><span class="nv">/* vim</span><span class="pi">:</span> <span class="nv">set filetype=mustache</span><span class="pi">:</span> <span class="err">*</span><span class="nv">/</span><span class="pi">}}</span> <span class="pi">{{</span><span class="nv">/*</span> <span class="nv">Renders a value that contains template.</span> <span class="nv">Usage</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">include "common.tplvalues.render" ( dict "value" .Values.path.to.the.Value "context" $)</span> <span class="pi">}}</span> <span class="err">*</span><span class="nv">/</span><span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- define "common.tplvalues.render" -</span><span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- if typeIs "string" .value</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- tpl .value .context</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- else</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- tpl (.value | toYaml) .context</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end -</span><span class="pi">}}</span> </code></pre> </div> <p>As already demonstrated in the previous part of this tutorial series, all HULL-created objects do automatically get the standard Kubernetes metadata fields populated. There is no further necessity to work on the standard metadata of our objects for the conversion, HULL automatically creates metadata information that is equivalent to what happens in the <code>kubernetes-dashboard.labels</code> function that is part of every objects metadata label definition:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="pi">{{</span><span class="nv">/*</span> <span class="nv">Common labels</span> <span class="nv">*/</span><span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- define "kubernetes-dashboard.labels" -</span><span class="pi">}}</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">include "kubernetes-dashboard.name" .</span> <span class="pi">}}</span> <span class="na">helm.sh/chart</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">include "kubernetes-dashboard.chart" .</span> <span class="pi">}}</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">.Release.Name</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- if .Chart.AppVersion</span> <span class="pi">}}</span> <span class="na">app.kubernetes.io/version</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">.Chart.AppVersion | quote</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">.Release.Service</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end -</span><span class="pi">}}</span> </code></pre> </div> <p>So that is covered. After the standard labels have been set here:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="pi">{{</span><span class="nv">- include "kubernetes-dashboard.labels" . | nindent 4</span> <span class="pi">}}</span> </code></pre> </div> <p>there comes an optional block where additional common labels may be set:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="pi">{{</span><span class="nv">- if .Values.commonLabels</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> </code></pre> </div> <p>The definition of <code>common.tplvalues.render</code> can be found above where you checked the helper functions, anyway here it is again:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># Copyright 2017 The Kubernetes Authors.</span> <span class="c1">#</span> <span class="c1"># Licensed under the Apache License, Version 2.0 (the "License");</span> <span class="c1"># you may not use this file except in compliance with the License.</span> <span class="c1"># You may obtain a copy of the License at</span> <span class="c1">#</span> <span class="c1"># http://www.apache.org/licenses/LICENSE-2.0</span> <span class="c1">#</span> <span class="c1"># Unless required by applicable law or agreed to in writing, software</span> <span class="c1"># distributed under the License is distributed on an "AS IS" BASIS,</span> <span class="c1"># WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.</span> <span class="c1"># See the License for the specific language governing permissions and</span> <span class="c1"># limitations under the License.</span> <span class="pi">{{</span><span class="nv">/* vim</span><span class="pi">:</span> <span class="nv">set filetype=mustache</span><span class="pi">:</span> <span class="err">*</span><span class="nv">/</span><span class="pi">}}</span> <span class="pi">{{</span><span class="nv">/*</span> <span class="nv">Renders a value that contains template.</span> <span class="nv">Usage</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">include "common.tplvalues.render" ( dict "value" .Values.path.to.the.Value "context" $)</span> <span class="pi">}}</span> <span class="err">*</span><span class="nv">/</span><span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- define "common.tplvalues.render" -</span><span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- if typeIs "string" .value</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- tpl .value .context</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- else</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- tpl (.value | toYaml) .context</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end -</span><span class="pi">}}</span> </code></pre> </div> <p>What happens here is pretty simple actually: when a string is passed as <code>value</code> the value is subjected to the <code>tpl</code> function, for anything else (dictionaries, arrays) the Go object is converted to a YAML block before being subjected to <code>tpl</code>.</p> <p>At this point you may check the reference to <code>.Values.commonLabels</code> which is defined in the <code>values.yaml</code> with cat and a little context around the hits:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cat</span> ../kubernetes-dashboard/values.yaml | <span class="nb">grep</span> <span class="s2">"commonLabels"</span> <span class="nt">-B</span> 1 <span class="nt">-A</span> 4 </code></pre> </div> <p>which reveals:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="c1">## @param commonLabels Labels to add to all deployed objects</span> <span class="c1">##</span> <span class="na">commonLabels</span><span class="pi">:</span> <span class="pi">{}</span> <span class="c1">## @param commonAnnotations Annotations to add to all deployed objects</span> <span class="c1">##</span> <span class="na">commonAnnotations</span><span class="pi">:</span> <span class="pi">{}</span> </code></pre> </div> <p>So with all pieces put together, with <code>commonLabels</code> being a dictionary the function would insert any key value pairs that may be defined in <code>commonLabels</code> into the <code>labels</code> section of the ConfigMap. With HULL, further metadata such as the <code>commonLabels</code> here can be added at the global level, the object type level or at object instance level. You will see this in use in a minute.</p> <p>In terms of the <code>annotations</code> it is the same procedure here with the <code>commonAnnotations</code> as with the <code>commonLabels</code> so no need to check this any closer.</p> <p>Now focus on the ConfigMaps <code>data</code> section:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">data</span><span class="pi">:</span> <span class="pi">{{</span><span class="nv">- with .Values.settings</span> <span class="pi">}}</span> <span class="na">_global</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">toJson . | quote</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- with .Values.pinnedCRDs</span> <span class="pi">}}</span> <span class="na">_pinnedCRD</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">toJson . | quote</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> </code></pre> </div> <p>For storing the <code>_global</code> and <code>_pinnedCRD</code> data into the ConfigMap the YAML based data from the <code>values.yaml</code> fields <code>.Values.settings</code> and <code>.Values.pinnedCRDs</code> is converted to JSON. How to achieve that with HULL and without any templates is what will be explored next. This wraps up the inspection of this ConfigMap and the conversion to a HULL specification can begin.</p> <h2> Creating ConfigMaps with HULL </h2> <p>Time to get down to business by creating the first (and in our case only) ConfigMap in the HULL charts <code>values.yaml</code>. </p> <p>So to get started, copy or type in the following:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">echo</span> <span class="s1">'hull: objects: configmap: settings: data: _global: inline: "" _pinnedCRD: inline: ""'</span> <span class="o">&gt;&gt;</span> values.yaml </code></pre> </div> <p>to create the ConfigMap with empty entries in <code>values.yaml</code>. You can check the initial output with:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>helm template <span class="nb">.</span> </code></pre> </div> <p>now containing the <code>settings</code> ConfigMap:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="nn">---</span> <span class="c1"># Source: kubernetes-dashboard/templates/hull.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ServiceAccount</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">default</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="s">Helm</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="na">app.kubernetes.io/part-of</span><span class="pi">:</span> <span class="s">undefined</span> <span class="na">app.kubernetes.io/version</span><span class="pi">:</span> <span class="s">2.5.0</span> <span class="na">helm.sh/chart</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-5.2.0</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-default</span> <span class="nn">---</span> <span class="c1"># Source: kubernetes-dashboard/templates/hull.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">data</span><span class="pi">:</span> <span class="na">_global</span><span class="pi">:</span> <span class="s2">"</span><span class="s">"</span> <span class="na">_pinnedCRD</span><span class="pi">:</span> <span class="s2">"</span><span class="s">"</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ConfigMap</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">settings</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="s">Helm</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="na">app.kubernetes.io/part-of</span><span class="pi">:</span> <span class="s">undefined</span> <span class="na">app.kubernetes.io/version</span><span class="pi">:</span> <span class="s">2.5.0</span> <span class="na">helm.sh/chart</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-5.2.0</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-settings</span> <span class="nn">---</span> <span class="c1"># Source: kubernetes-dashboard/templates/hull.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Role</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">default</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="s">Helm</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="na">app.kubernetes.io/part-of</span><span class="pi">:</span> <span class="s">undefined</span> <span class="na">app.kubernetes.io/version</span><span class="pi">:</span> <span class="s">2.5.0</span> <span class="na">helm.sh/chart</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-5.2.0</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-default</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">[]</span> <span class="nn">---</span> <span class="c1"># Source: kubernetes-dashboard/templates/hull.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">RoleBinding</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">default</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="s">Helm</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="na">app.kubernetes.io/part-of</span><span class="pi">:</span> <span class="s">undefined</span> <span class="na">app.kubernetes.io/version</span><span class="pi">:</span> <span class="s">2.5.0</span> <span class="na">helm.sh/chart</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-5.2.0</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-default</span> <span class="na">roleRef</span><span class="pi">:</span> <span class="na">apiGroup</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Role</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-default</span> <span class="na">subjects</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ServiceAccount</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-default</span> </code></pre> </div> <p>Right now the <code>settings</code> ConfigMaps data entries are intentionally just empty, this is the relevant excerpt from above output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="nn">---</span> <span class="c1"># Source: kubernetes-dashboard/templates/hull.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">data</span><span class="pi">:</span> <span class="na">_global</span><span class="pi">:</span> <span class="s2">"</span><span class="s">"</span> <span class="na">_pinnedCRD</span><span class="pi">:</span> <span class="s2">"</span><span class="s">"</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ConfigMap</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">settings</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="s">Helm</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="na">app.kubernetes.io/part-of</span><span class="pi">:</span> <span class="s">undefined</span> <span class="na">app.kubernetes.io/version</span><span class="pi">:</span> <span class="s">2.5.0</span> <span class="na">helm.sh/chart</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-5.2.0</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-settings</span> </code></pre> </div> <p>Before dealing with the proper population of the <code>data</code> entries as JSON content a brief detour for covering the built-in HULL metadata features is useful.</p> <h3> Adding Metdata to objects globally, on object type and object level </h3> <p>Say you want to add more metadata to your objects. For instance you may want to add further labels or annotations to all your objects (the <code>commonLabels</code> and <code>commonAnnotations</code> from the original chart) or only some of them. Maybe all ConfigMaps should have a particular metadata label or annotation. Or there is a set of custom metadata labels you want to associate on objects of different types which are to be grouped in some sense? All of this can be done conveniently with HULL!</p> <p>To start testing out configurational variations to the current <code>values.yaml</code> or enabling/disabling features it is time to bring in another (familiar) layer of configuration that enables performing our tests of the functionality and simulate system specific settings in addition to the <code>values.yaml</code> defaults. An 'external' or 'system specific' <code>values.yaml</code>' is required to vary the configuration on top of the defaults and see the effect on rendering outputs. Before any HULL related processing takes place, the contents of this external file are simply overlayed or merged entry by entry with the <code>values.yaml</code> structure when <a href="https://helm.sh/docs/chart_best_practices/values/#consider-how-users-will-use-your-values">applied with <code>-f &lt;file-path&gt;</code></a> to any <code>helm</code> command. Note that any data that is added via the <code>-f</code> switch has precedence over the <code>values.yaml</code> defaults (which is what you'd expect anyways).</p> <p>Start by creating a new <code>../configs</code> folder now to hold such 'external configurations' to be applied on top of our default <code>values.yaml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">mkdir</span> ../configs </code></pre> </div> <p>Add a first test configuration like this by adding sample labels to our ConfigMap and <code>default</code> object instances. First you write the overlay data for our test and then overlay it when <code>helm template</code>ing it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">echo</span> <span class="s1">'hull: config: general: metadata: labels: custom: label1: hello label2: global label3: labels!'</span><span class="o">&gt;</span> ../configs/global-custom-metadata.yaml<span class="se">\</span> <span class="o">&amp;&amp;</span> helm template <span class="nt">-f</span> ../configs/global-custom-metadata.yaml <span class="nb">.</span> </code></pre> </div> <p>and all objects have the shared labels attached as you can see from the output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="nn">---</span> <span class="c1"># Source: kubernetes-dashboard/templates/hull.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ServiceAccount</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">default</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="s">Helm</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="na">app.kubernetes.io/part-of</span><span class="pi">:</span> <span class="s">undefined</span> <span class="na">app.kubernetes.io/version</span><span class="pi">:</span> <span class="s">2.5.0</span> <span class="na">helm.sh/chart</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-5.2.0</span> <span class="na">label1</span><span class="pi">:</span> <span class="s">hello</span> <span class="na">label2</span><span class="pi">:</span> <span class="s">global</span> <span class="na">label3</span><span class="pi">:</span> <span class="s">labels!</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-default</span> <span class="nn">---</span> <span class="c1"># Source: kubernetes-dashboard/templates/hull.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">data</span><span class="pi">:</span> <span class="na">_global</span><span class="pi">:</span> <span class="s2">"</span><span class="s">"</span> <span class="na">_pinnedCRD</span><span class="pi">:</span> <span class="s2">"</span><span class="s">"</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ConfigMap</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">settings</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="s">Helm</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="na">app.kubernetes.io/part-of</span><span class="pi">:</span> <span class="s">undefined</span> <span class="na">app.kubernetes.io/version</span><span class="pi">:</span> <span class="s">2.5.0</span> <span class="na">helm.sh/chart</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-5.2.0</span> <span class="na">label1</span><span class="pi">:</span> <span class="s">hello</span> <span class="na">label2</span><span class="pi">:</span> <span class="s">global</span> <span class="na">label3</span><span class="pi">:</span> <span class="s">labels!</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-settings</span> <span class="nn">---</span> <span class="c1"># Source: kubernetes-dashboard/templates/hull.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Role</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">default</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="s">Helm</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="na">app.kubernetes.io/part-of</span><span class="pi">:</span> <span class="s">undefined</span> <span class="na">app.kubernetes.io/version</span><span class="pi">:</span> <span class="s">2.5.0</span> <span class="na">helm.sh/chart</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-5.2.0</span> <span class="na">label1</span><span class="pi">:</span> <span class="s">hello</span> <span class="na">label2</span><span class="pi">:</span> <span class="s">global</span> <span class="na">label3</span><span class="pi">:</span> <span class="s">labels!</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-default</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">[]</span> <span class="nn">---</span> <span class="c1"># Source: kubernetes-dashboard/templates/hull.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">RoleBinding</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">default</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="s">Helm</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="na">app.kubernetes.io/part-of</span><span class="pi">:</span> <span class="s">undefined</span> <span class="na">app.kubernetes.io/version</span><span class="pi">:</span> <span class="s">2.5.0</span> <span class="na">helm.sh/chart</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-5.2.0</span> <span class="na">label1</span><span class="pi">:</span> <span class="s">hello</span> <span class="na">label2</span><span class="pi">:</span> <span class="s">global</span> <span class="na">label3</span><span class="pi">:</span> <span class="s">labels!</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-default</span> <span class="na">roleRef</span><span class="pi">:</span> <span class="na">apiGroup</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Role</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-default</span> <span class="na">subjects</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ServiceAccount</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-default</span> </code></pre> </div> <p>If you'd want the labels only being attached to ConfigMap objects you can attach them to the HULL internal default ConfigMap object. All object types you can use in HULL support having a special default object (specified with key <code>_HULL_OBJECT_TYPE_DEFAULT_</code>) where you can attach default fields and values that are being inherited by all instances of that type. Individual instances may in turn overwrite them again specifically. Instances of <code>_HULL_OBJECT_TYPE_DEFAULT_</code> objects are of course never rendered, they only provide templates with default values for instances of the parent objects type.</p> <p>In practice create another test configuration to test objecttype level metadata population:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">echo</span> <span class="s1">'hull: objects: configmap: _HULL_OBJECT_TYPE_DEFAULT_: labels: label1: hello label2: objecttype label3: labels! another: data: {} and_another: data: {}'</span><span class="o">&gt;</span> ../configs/objecttype-custom-metadata.yaml <span class="se">\</span> <span class="o">&amp;&amp;</span> helm template <span class="nt">-f</span> ../configs/objecttype-custom-metadata.yaml <span class="nb">.</span> </code></pre> </div> <p>you can see that only the three specified ConfigMaps have the labels assigned now:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="nn">---</span> <span class="c1"># Source: kubernetes-dashboard/templates/hull.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ServiceAccount</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">default</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="s">Helm</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="na">app.kubernetes.io/part-of</span><span class="pi">:</span> <span class="s">undefined</span> <span class="na">app.kubernetes.io/version</span><span class="pi">:</span> <span class="s">2.5.0</span> <span class="na">helm.sh/chart</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-5.2.0</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-default</span> <span class="nn">---</span> <span class="c1"># Source: kubernetes-dashboard/templates/hull.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ConfigMap</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">and_another</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="s">Helm</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="na">app.kubernetes.io/part-of</span><span class="pi">:</span> <span class="s">undefined</span> <span class="na">app.kubernetes.io/version</span><span class="pi">:</span> <span class="s">2.5.0</span> <span class="na">helm.sh/chart</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-5.2.0</span> <span class="na">label1</span><span class="pi">:</span> <span class="s">hello</span> <span class="na">label2</span><span class="pi">:</span> <span class="s">objecttype</span> <span class="na">label3</span><span class="pi">:</span> <span class="s">labels!</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-and_another</span> <span class="nn">---</span> <span class="c1"># Source: kubernetes-dashboard/templates/hull.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ConfigMap</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">another</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="s">Helm</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="na">app.kubernetes.io/part-of</span><span class="pi">:</span> <span class="s">undefined</span> <span class="na">app.kubernetes.io/version</span><span class="pi">:</span> <span class="s">2.5.0</span> <span class="na">helm.sh/chart</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-5.2.0</span> <span class="na">label1</span><span class="pi">:</span> <span class="s">hello</span> <span class="na">label2</span><span class="pi">:</span> <span class="s">objecttype</span> <span class="na">label3</span><span class="pi">:</span> <span class="s">labels!</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-another</span> <span class="nn">---</span> <span class="c1"># Source: kubernetes-dashboard/templates/hull.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">data</span><span class="pi">:</span> <span class="na">_global</span><span class="pi">:</span> <span class="s2">"</span><span class="s">"</span> <span class="na">_pinnedCRD</span><span class="pi">:</span> <span class="s2">"</span><span class="s">"</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ConfigMap</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">settings</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="s">Helm</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="na">app.kubernetes.io/part-of</span><span class="pi">:</span> <span class="s">undefined</span> <span class="na">app.kubernetes.io/version</span><span class="pi">:</span> <span class="s">2.5.0</span> <span class="na">helm.sh/chart</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-5.2.0</span> <span class="na">label1</span><span class="pi">:</span> <span class="s">hello</span> <span class="na">label2</span><span class="pi">:</span> <span class="s">objecttype</span> <span class="na">label3</span><span class="pi">:</span> <span class="s">labels!</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-settings</span> <span class="nn">---</span> <span class="c1"># Source: kubernetes-dashboard/templates/hull.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Role</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">default</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="s">Helm</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="na">app.kubernetes.io/part-of</span><span class="pi">:</span> <span class="s">undefined</span> <span class="na">app.kubernetes.io/version</span><span class="pi">:</span> <span class="s">2.5.0</span> <span class="na">helm.sh/chart</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-5.2.0</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-default</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">[]</span> <span class="nn">---</span> <span class="c1"># Source: kubernetes-dashboard/templates/hull.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">RoleBinding</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">default</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="s">Helm</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="na">app.kubernetes.io/part-of</span><span class="pi">:</span> <span class="s">undefined</span> <span class="na">app.kubernetes.io/version</span><span class="pi">:</span> <span class="s">2.5.0</span> <span class="na">helm.sh/chart</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-5.2.0</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-default</span> <span class="na">roleRef</span><span class="pi">:</span> <span class="na">apiGroup</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Role</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-default</span> <span class="na">subjects</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ServiceAccount</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-default</span> </code></pre> </div> <p>It is important to mention that object type defaults do not only apply to metadata, you can basically default any property value on the object definition with a value, for example to predefine a <code>data</code> entry that all ConfigMaps should have you could do the following:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">echo</span> <span class="s1">'hull: objects: configmap: _HULL_OBJECT_TYPE_DEFAULT_: labels: label1: hello label2: objecttype label3: labels! data: see: inline: "I am in every ConfigMap!" another: data: {} and_another: data: {}'</span><span class="o">&gt;</span> ../configs/objecttype-data-default.yaml <span class="se">\</span> <span class="o">&amp;&amp;</span> helm template <span class="nt">-f</span> ../configs/objecttype-data-default.yaml <span class="nb">.</span> </code></pre> </div> <p>and see it actually is in every ConfigMap:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="nn">---</span> <span class="c1"># Source: kubernetes-dashboard/templates/hull.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ServiceAccount</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">default</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="s">Helm</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="na">app.kubernetes.io/part-of</span><span class="pi">:</span> <span class="s">undefined</span> <span class="na">app.kubernetes.io/version</span><span class="pi">:</span> <span class="s">2.5.0</span> <span class="na">helm.sh/chart</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-5.2.0</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-default</span> <span class="nn">---</span> <span class="c1"># Source: kubernetes-dashboard/templates/hull.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">data</span><span class="pi">:</span> <span class="na">see</span><span class="pi">:</span> <span class="s">I am in every ConfigMap!</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ConfigMap</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">and_another</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="s">Helm</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="na">app.kubernetes.io/part-of</span><span class="pi">:</span> <span class="s">undefined</span> <span class="na">app.kubernetes.io/version</span><span class="pi">:</span> <span class="s">2.5.0</span> <span class="na">helm.sh/chart</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-5.2.0</span> <span class="na">label1</span><span class="pi">:</span> <span class="s">hello</span> <span class="na">label2</span><span class="pi">:</span> <span class="s">objecttype</span> <span class="na">label3</span><span class="pi">:</span> <span class="s">labels!</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-and_another</span> <span class="nn">---</span> <span class="c1"># Source: kubernetes-dashboard/templates/hull.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">data</span><span class="pi">:</span> <span class="na">see</span><span class="pi">:</span> <span class="s">I am in every ConfigMap!</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ConfigMap</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">another</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="s">Helm</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="na">app.kubernetes.io/part-of</span><span class="pi">:</span> <span class="s">undefined</span> <span class="na">app.kubernetes.io/version</span><span class="pi">:</span> <span class="s">2.5.0</span> <span class="na">helm.sh/chart</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-5.2.0</span> <span class="na">label1</span><span class="pi">:</span> <span class="s">hello</span> <span class="na">label2</span><span class="pi">:</span> <span class="s">objecttype</span> <span class="na">label3</span><span class="pi">:</span> <span class="s">labels!</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-another</span> <span class="nn">---</span> <span class="c1"># Source: kubernetes-dashboard/templates/hull.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">data</span><span class="pi">:</span> <span class="na">_global</span><span class="pi">:</span> <span class="s2">"</span><span class="s">"</span> <span class="na">_pinnedCRD</span><span class="pi">:</span> <span class="s2">"</span><span class="s">"</span> <span class="na">see</span><span class="pi">:</span> <span class="s">I am in every ConfigMap!</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ConfigMap</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">settings</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="s">Helm</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="na">app.kubernetes.io/part-of</span><span class="pi">:</span> <span class="s">undefined</span> <span class="na">app.kubernetes.io/version</span><span class="pi">:</span> <span class="s">2.5.0</span> <span class="na">helm.sh/chart</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-5.2.0</span> <span class="na">label1</span><span class="pi">:</span> <span class="s">hello</span> <span class="na">label2</span><span class="pi">:</span> <span class="s">objecttype</span> <span class="na">label3</span><span class="pi">:</span> <span class="s">labels!</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-settings</span> <span class="nn">---</span> <span class="c1"># Source: kubernetes-dashboard/templates/hull.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Role</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">default</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="s">Helm</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="na">app.kubernetes.io/part-of</span><span class="pi">:</span> <span class="s">undefined</span> <span class="na">app.kubernetes.io/version</span><span class="pi">:</span> <span class="s">2.5.0</span> <span class="na">helm.sh/chart</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-5.2.0</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-default</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">[]</span> <span class="nn">---</span> <span class="c1"># Source: kubernetes-dashboard/templates/hull.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">RoleBinding</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">default</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="s">Helm</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="na">app.kubernetes.io/part-of</span><span class="pi">:</span> <span class="s">undefined</span> <span class="na">app.kubernetes.io/version</span><span class="pi">:</span> <span class="s">2.5.0</span> <span class="na">helm.sh/chart</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-5.2.0</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-default</span> <span class="na">roleRef</span><span class="pi">:</span> <span class="na">apiGroup</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Role</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-default</span> <span class="na">subjects</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ServiceAccount</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-default</span> </code></pre> </div> <p>Adding a dedicated label or annotation just to your <code>settings</code> ConfigMap is easy with this overlay configuration for example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">echo</span> <span class="s1">'hull: objects: configmap: _HULL_OBJECT_TYPE_DEFAULT_: labels: label1: hello label2: objecttype label3: labels! settings: labels: label4: I am a settings label! annotations: annotation: I am a settings annotation! another: data: {} and_another: data: {}'</span><span class="o">&gt;</span> ../configs/object-custom-metadata.yaml <span class="se">\</span> <span class="o">&amp;&amp;</span> helm template <span class="nt">-f</span> ../configs/object-custom-metadata.yaml <span class="nb">.</span> </code></pre> </div> <p>yielding added annotation on the <code>settings</code> ConfigMap:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="nn">---</span> <span class="c1"># Source: kubernetes-dashboard/templates/hull.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ServiceAccount</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">default</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="s">Helm</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="na">app.kubernetes.io/part-of</span><span class="pi">:</span> <span class="s">undefined</span> <span class="na">app.kubernetes.io/version</span><span class="pi">:</span> <span class="s">2.5.0</span> <span class="na">helm.sh/chart</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-5.2.0</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-default</span> <span class="nn">---</span> <span class="c1"># Source: kubernetes-dashboard/templates/hull.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ConfigMap</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">and_another</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="s">Helm</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="na">app.kubernetes.io/part-of</span><span class="pi">:</span> <span class="s">undefined</span> <span class="na">app.kubernetes.io/version</span><span class="pi">:</span> <span class="s">2.5.0</span> <span class="na">helm.sh/chart</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-5.2.0</span> <span class="na">label1</span><span class="pi">:</span> <span class="s">hello</span> <span class="na">label2</span><span class="pi">:</span> <span class="s">objecttype</span> <span class="na">label3</span><span class="pi">:</span> <span class="s">labels!</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-and_another</span> <span class="nn">---</span> <span class="c1"># Source: kubernetes-dashboard/templates/hull.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ConfigMap</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">another</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="s">Helm</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="na">app.kubernetes.io/part-of</span><span class="pi">:</span> <span class="s">undefined</span> <span class="na">app.kubernetes.io/version</span><span class="pi">:</span> <span class="s">2.5.0</span> <span class="na">helm.sh/chart</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-5.2.0</span> <span class="na">label1</span><span class="pi">:</span> <span class="s">hello</span> <span class="na">label2</span><span class="pi">:</span> <span class="s">objecttype</span> <span class="na">label3</span><span class="pi">:</span> <span class="s">labels!</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-another</span> <span class="nn">---</span> <span class="c1"># Source: kubernetes-dashboard/templates/hull.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">data</span><span class="pi">:</span> <span class="na">_global</span><span class="pi">:</span> <span class="s2">"</span><span class="s">"</span> <span class="na">_pinnedCRD</span><span class="pi">:</span> <span class="s2">"</span><span class="s">"</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ConfigMap</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">annotation</span><span class="pi">:</span> <span class="s">I am a settings annotation!</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">settings</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="s">Helm</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="na">app.kubernetes.io/part-of</span><span class="pi">:</span> <span class="s">undefined</span> <span class="na">app.kubernetes.io/version</span><span class="pi">:</span> <span class="s">2.5.0</span> <span class="na">helm.sh/chart</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-5.2.0</span> <span class="na">label1</span><span class="pi">:</span> <span class="s">hello</span> <span class="na">label2</span><span class="pi">:</span> <span class="s">objecttype</span> <span class="na">label3</span><span class="pi">:</span> <span class="s">labels!</span> <span class="na">label4</span><span class="pi">:</span> <span class="s">I am a settings label!</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-settings</span> <span class="nn">---</span> <span class="c1"># Source: kubernetes-dashboard/templates/hull.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Role</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">default</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="s">Helm</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="na">app.kubernetes.io/part-of</span><span class="pi">:</span> <span class="s">undefined</span> <span class="na">app.kubernetes.io/version</span><span class="pi">:</span> <span class="s">2.5.0</span> <span class="na">helm.sh/chart</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-5.2.0</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-default</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">[]</span> <span class="nn">---</span> <span class="c1"># Source: kubernetes-dashboard/templates/hull.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">RoleBinding</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">default</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="s">Helm</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="na">app.kubernetes.io/part-of</span><span class="pi">:</span> <span class="s">undefined</span> <span class="na">app.kubernetes.io/version</span><span class="pi">:</span> <span class="s">2.5.0</span> <span class="na">helm.sh/chart</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-5.2.0</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-default</span> <span class="na">roleRef</span><span class="pi">:</span> <span class="na">apiGroup</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Role</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-default</span> <span class="na">subjects</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ServiceAccount</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-default</span> </code></pre> </div> <p>As you already saw, HULL automatically creates a RBAC trinity of <code>default</code> ServiceAccount, Role and RoleBinding which can be put to use straight away and you saw how setting metadata on different hierarchical levels affected these object instances. However since there is gonna be a lot more of <code>helm template .</code> output to examine in the next tutorial parts it is recommended to turn off rendering the default RBAC instances and the ServiceAccount when it is not of concern. Using an overlay <code>values.yaml</code> like this one:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">echo</span> <span class="s1">'hull: objects: serviceaccount: default: enabled: false role: default: enabled: false rolebinding: default: enabled: false'</span><span class="o">&gt;</span> ../configs/disable-default-rbac.yaml </code></pre> </div> <p>is a good approach to disable the RBAC objects whenever they are not of interest. Whenever it is relevant for the topic of the tutorial however you can just switch RBAC objects on again and simply omit the <code>-f ../configs/disable-default-rbac.yaml</code> overlay.</p> <p>In the next part the focus is on populating the <code>data</code> section. For this we need to introduce a way to dynamically change the provided YAML contents to JSON while rendering. When explicitly not using any templates the question is how can you process the <code>values.yaml</code> contents dynamically before rendering?</p> <p>With <a href="https://github.com/vidispine/hull/blob/main/hull/doc/transformations.md">HULL transformations</a> you can. They provide the answer to this problem and they will be used wherever the need arises to model dynamic behavior for improving user experience.</p> <h2> Using HULL transformations </h2> <p>In the regular Helm workflow any templating expressions or other dynamic behavior is not tolerated within the <code>values.yaml</code> itself since it must at all times conform to the YAML specification. Templating expressions are only allowed and evaluated in the <code>templates</code> folder.</p> <p>The focus and main goal of creating HULL was to get rid of the need to model each simple 1:1 projection from <code>values.yaml</code> properties to Kubernetes object properties by providing direct access to all Kubernetes objects properties instead to only having to specify exactly what you want. This is solely achieved by configuration of the <code>values.yaml</code> and without any chart-specific custom templates in the <code>template</code> folder. Transformations in HULL put back the possibility to use template expressions for more complex projections which are driven from the <code>values.yaml</code> alone. But how is this done when Helm prohibits any templating expression in the <code>values.yaml</code>?</p> <p>Since within the HULL processing pipeline the whole <code>values.yaml</code> tree is traversed internally it enables the possibility to inject templating again into property value calculation by processing keywords that signal the use of a dynamic function (=<strong>transformation</strong>) and its parameters. The return value of the transformation then replaces the property value where the transformation was called. A caveat is that the specification and use of those functions must not invalidate the YAML (and JSON schema) of the <code>values.yaml</code>, otherwise Helm would not be happy about processing the <code>values.yaml</code>. For this reason the transformations themselves are wrapped as strings, dictionaries or arrays. </p> <p>For HULL to know that a property value requires transforming, special transformation triggers/keyword prefixes (<code>_HULL_TRANSFORMATION_</code> or any existing short forms of specific transformations such as <code>_HT?</code>, <code>_HT!</code>, <code>_HT*</code>, <code>_HT^</code> and <code>_HT&amp;</code>) signal the use of a transformation to determine the actual value to be rendered. More information about transformations and how to specify and use them can be found in the <a href="https://github.com/vidispine/hull/blob/main/hull/doc/transformations.md">HULL docs on transformations</a> but they are explored and utilized in this tutorial to a large degree to learn how to use them.</p> <h3> The <code>_HT?</code> transformation </h3> <p>The <code>_HT?</code> (or in long form <code>hull.util.transformation.bool</code> function) is a first simple transformation example albeit a useful one. It needs a templating expression as input which needs to resolve to a boolean value when computed. It can therefore be used to set any boolean property but it is mainly useful to determine whether a particular object should be rendered or not at deploy time depending on automated conditions. Rendering for all HULL objects is controlled via the boolean <code>enabled</code> property on the object instance, you can set it for each main object defined through HULL. By binding the <code>enabled</code> property's value to an arbitrary <code>hull.util.transformation.bool</code> function returning a boolean value you can dynamically enable and disable rendering of the object depending on other configurational input to your chart.</p> <p>To highlight the usage of transformations such as the <code>_HT?</code>, say for demo purposes you only want to render the <code>settings</code> ConfigMap in case its <code>_global</code> or <code>_pinnedCRD</code> entry has any content (meaning the <code>inline</code> property is not equal to an empty string). A built-in <code>hull.util.transformation.bool</code> transformation to be bound to the ConfigMaps <code>enabled</code> switch could look like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">enabled</span><span class="pi">:</span> <span class="s">_HULL_TRANSFORMATION_&lt;&lt;&lt;NAME=hull.util.transformation.bool&gt;&gt;&gt;&lt;&lt;&lt;CONDITION=or (ne (index . "$").Values.hull.objects.configmap.settings.data._global.inline "") (ne (index . "$").Values.hull.objects.configmap.settings.data._pinnedCRD.inline "")&gt;&gt;&gt;</span> </code></pre> </div> <p>wherein you check that any of the <code>_global.inline</code> or the <code>_pinnedCRD</code> data section is not empty and only then render the ConfigMap. You can see that it is possible to use the well-known Go templating functionalities here, the only thing to keep in mind is that you cannot use the global <code>.</code> context (as in <code>.Values.someProperty</code>) but must use the expression <code>(index . "$")</code> instead to access the global context (as in <code>(index . "$").Values.someProperty</code>).</p> <p>To really save some typing in the future you should use the short form to built-in transformations. They can be viewed as a kind of macro that points to a specifc transformation and omit the argument naming because the transformation only has one argument whose value is supplied directly after the shortcut.</p> <p>The same transformation as above in short form looks like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">enabled</span><span class="pi">:</span> <span class="s">_HT?or (ne (index . "$").Values.hull.objects.configmap.settings.data._global.inline "") (ne (index . "$").Values.hull.objects.configmap.settings.data._pinnedCRD.inline "")</span> </code></pre> </div> <p>which minifies the call to the transformation and is way handier to type. Again please checkout the <a href="https://github.com/vidispine/hull/blob/main/hull/doc/transformations.md">HULL docs on transformations</a> for more information.</p> <p>Now test this out with a test config file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">echo</span> <span class="s1">'hull: objects: configmap: settings: enabled: _HT?or (ne (index . "$").Values.hull.objects.configmap.settings.data._global.inline "") (ne (index . "$").Values.hull.objects.configmap.settings.data._pinnedCRD.inline "")'</span><span class="o">&gt;</span> ../configs/bool-transformation-1.yaml <span class="se">\</span> <span class="o">&amp;&amp;</span> helm template <span class="nt">-f</span> ../configs/disable-default-rbac.yaml <span class="nt">-f</span> ../configs/bool-transformation-1.yaml <span class="nb">.</span> </code></pre> </div> <p>and see that the settings ConfigMap is not rendered:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> </code></pre> </div> <p>Since the <code>default</code> RBAC objects are also omitted via <code>-f ../configs/disable-default-rbac.yaml</code> the output is just empty.</p> <p>For the counter example, add some content to the <code>_global</code> entry:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">echo</span> <span class="s1">'hull: objects: configmap: settings: enabled: _HT?or (ne (index . "$").Values.hull.objects.configmap.settings.data._global.inline "") (ne (index . "$").Values.hull.objects.configmap.settings.data._pinnedCRD.inline "") data: _global: inline: "test"'</span><span class="o">&gt;</span> ../configs/bool-transformation-2.yaml <span class="se">\</span> <span class="o">&amp;&amp;</span> helm template <span class="nt">-f</span> ../configs/disable-default-rbac.yaml <span class="nt">-f</span> ../configs/bool-transformation-2.yaml <span class="nb">.</span> </code></pre> </div> <p>observe the ConfigMap back again in the output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="nn">---</span> <span class="c1"># Source: kubernetes-dashboard/templates/hull.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">data</span><span class="pi">:</span> <span class="na">_global</span><span class="pi">:</span> <span class="s">test</span> <span class="na">_pinnedCRD</span><span class="pi">:</span> <span class="s2">"</span><span class="s">"</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ConfigMap</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">settings</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="s">Helm</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="na">app.kubernetes.io/part-of</span><span class="pi">:</span> <span class="s">undefined</span> <span class="na">app.kubernetes.io/version</span><span class="pi">:</span> <span class="s">2.5.0</span> <span class="na">helm.sh/chart</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-5.2.0</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-settings</span> </code></pre> </div> <p>After this detour introducing the <code>hull.util.transformation.bool</code>/<code>_HT?</code> transformation in practice you can focus again on the transformation to JSON part. </p> <p>Recap the <code>data</code> section of the ConfigMap you want to convert:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">data</span><span class="pi">:</span> <span class="pi">{{</span><span class="nv">- with .Values.settings</span> <span class="pi">}}</span> <span class="na">_global</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">toJson . | quote</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- with .Values.pinnedCRDs</span> <span class="pi">}}</span> <span class="na">_pinnedCRD</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">toJson . | quote</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> </code></pre> </div> <p>You can see there is a redirection to the source of the entries values (<code>.Values.settings</code> and <code>.Values.pinnedCRDs</code>) where the data is defined and processed here in the template. To mimic this you need to add a similar redirection within <code>values.yaml</code> from which data is being read when processing <code>_global</code> and <code>_pinnedCRD</code> and then a function to convert it on rendering.</p> <p>A similar use case is when individual properties are logically referenced in multiple places (1:n relations) within <code>values.yaml</code> it is best to define the actual data in a 'single source of truth' fashion, like it is done in the original Helm chart concept with the <code>.Values.settings</code> and <code>.Values.pinnedCRDs</code> fields being referencable basically everywhere in the templates.</p> <p>With HULL you can do this too and there is a clearly defined place in the HULL concept for such properties that need to be referenced multiple distinct times for object creation or transformation in the <code>hull.objects</code> section: the <code>hull.config.specific</code> dictionary. This <code>hull.config.specific</code> section is specifically intended for this purpose of adding central configuration data that is either singled out for convenient documentation, highlighting and configuration or being used in multiple places within the chart. You can think of this section resembling one of the functions of the <code>values.yaml</code> itself within the classic Helm chart approach, namely to centralize access to configuration values. Technically the <code>hull.config</code> section is processed before the <code>hull.objects</code> section and hence properties defined here and their values (even if derived by a HULL transformation!) are always available for referencing to when defining the objects in the <code>hull.objects</code> section.</p> <p>To cover the dynamic nature of the JSON transformation you can utilize the <code>hull.util.transformation.tpl</code> transformation.</p> <h3> Enter the <code>_HT!</code> transformation </h3> <p>There are some convenience transformations like the <code>hull.util.transformation.bool</code> transformation within HULL but by far the most powerful and flexible is the HULL <code>hull.util.transformation.tpl</code> or <code>_HT!</code> transformation. It executes the Helm <code>tpl</code> function on a given string providing full range of Go templating capabilities as would be the case with Go templating expressions within template files.</p> <p>Using the <code>hull.util.transformation.tpl</code> transformation you can return different datatypes that are expected for the property's values you apply it on:</p> <ul> <li>string</li> <li>int</li> <li>bool</li> <li>array/list</li> <li>dictionary/map</li> </ul> <p>An important aspect to keep in mind when producing arrays and dictionaries with the HULL <code>hull.util.transformation.tpl</code> transformation is to use <a href="https://cloudslang-docs.readthedocs.io/en/latest/overview/yaml_overview.html#indentation-scoping"><code>flow</code> style YAML</a> to define the transformation result. This style reduces syntax problems (mostly due to indendation) appearing with the <code>block</code> style YAML that is more typically used when dealing with Helm and Kubernetes. Check the next example on how flow style YAML looks like (it is more similar to JSON and does not rely on correct indentation).</p> <p>To create the <code>_global</code> and <code>_pinnedCRD</code> sections in the ConfigMap first insert into the existing <code>values.yaml</code> the <code>config.specific</code> block which holds the <code>settings</code> and <code>pinnedCRDs</code> data:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sed</span> <span class="s1">'/^hull/r'</span>&lt;<span class="o">(</span> <span class="nb">echo</span> <span class="s2">" config:"</span> <span class="nb">echo</span> <span class="s2">" specific:"</span> <span class="nb">echo</span> <span class="s2">" settings: {}"</span> <span class="nb">echo</span> <span class="s2">" pinnedCRDs: {}"</span> <span class="o">)</span> <span class="nt">-i</span> <span class="nt">--</span> values.yaml </code></pre> </div> <p>Time to add the <code>tpl</code> transformations to create the JSON content from the now created and referenced sections. The <code>hull.util.transformation.tpl</code>'s short form <code>_HT!</code> is being used and in the <code>tpl</code> argument you do a <code>toJson | quote</code> on the source data as in the original source ConfigMap. The result of this operation is returned as the <code>data</code> properties values.</p> <h3> Adding ConfigMap and Secret contents via <code>inline</code> specification in <code>values.yaml</code> </h3> <p>You likely noticed that within the ConfigMap files <code>data</code> section the actual values for <code>data</code> keys were directly embedded in the <code>values.yaml</code> via the <code>inline</code> property. This is a handy way to be able to specify shorter contents right in place where the ConfigMap is defined.</p> <p>Add the first JSON transformation via an <code>inline</code> specification:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sed</span> <span class="s1">'0,/inline: ""/{s/inline: ""/inline: _HT!{{ toJson (index . "$").Values.hull.config.specific.settings | quote }}/}'</span> <span class="nt">-i</span> <span class="nt">--</span> values.yaml </code></pre> </div> <p>updating your <code>values.yaml</code> to:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">metrics-server</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="no">false</span> <span class="na">hull</span><span class="pi">:</span> <span class="na">config</span><span class="pi">:</span> <span class="na">specific</span><span class="pi">:</span> <span class="na">settings</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">pinnedCRDs</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">objects</span><span class="pi">:</span> <span class="na">configmap</span><span class="pi">:</span> <span class="na">settings</span><span class="pi">:</span> <span class="na">data</span><span class="pi">:</span> <span class="na">_global</span><span class="pi">:</span> <span class="na">inline</span><span class="pi">:</span> <span class="s">_HT!{{ toJson (index . "$").Values.hull.config.specific.settings | quote }}</span> <span class="na">_pinnedCRD</span><span class="pi">:</span> <span class="na">inline</span><span class="pi">:</span> <span class="s2">"</span><span class="s">"</span> </code></pre> </div> <p>Test it out with some YAML content to convert to JSON:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">echo</span> <span class="s1">'hull: config: specific: settings: settings_one: a_string: Some config setting a_number: 333 settings_two: a_boolean: true'</span><span class="o">&gt;</span> ../configs/inline-transformation.yaml <span class="se">\</span> <span class="o">&amp;&amp;</span> helm template <span class="nt">-f</span> ../configs/disable-default-rbac.yaml <span class="nt">-f</span> ../configs/inline-transformation.yaml <span class="nb">.</span> </code></pre> </div> <p>and check out the JSON content in the ConfigMap:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="nn">---</span> <span class="c1"># Source: kubernetes-dashboard/templates/hull.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">data</span><span class="pi">:</span> <span class="na">_global</span><span class="pi">:</span> <span class="s1">'</span><span class="s">{"settings_one":{"a_number":333,"a_string":"Some</span><span class="nv"> </span><span class="s">config</span><span class="nv"> </span><span class="s">setting"},"settings_two":{"a_boolean":true}}'</span> <span class="na">_pinnedCRD</span><span class="pi">:</span> <span class="s2">"</span><span class="s">"</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ConfigMap</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">settings</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="s">Helm</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="na">app.kubernetes.io/part-of</span><span class="pi">:</span> <span class="s">undefined</span> <span class="na">app.kubernetes.io/version</span><span class="pi">:</span> <span class="s">2.5.0</span> <span class="na">helm.sh/chart</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-5.2.0</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-settings</span> </code></pre> </div> <h3> Adding ConfigMap and Secret contents via <code>path</code> specification from external files </h3> <p>Alternatively to the <code>inline</code> method you can specify the path to an external file to import content from via usage of the <code>path</code> property and omitting the <code>inline</code> property. It is really simple, just provide a relative path to a file and it will be rendered as a ConfigMap (or Secret) <code>data:</code> entry. This is useful if you have larger contents like from configuration files which you don't want to clutter your <code>values.yaml</code> with. Dynamically computed content of ConfigMap or Secret entries due to usage of template expressions is well suited for supplying it from external files. Especially if you'd have large configuration file like content with many templating expressions it is cleaner to provide the file as external content to not clutter the <code>values.yaml</code> unnecessarily.</p> <p>Using an external file here for the <code>_pinnedCRD</code> key allows to directly highlight the difference to the <code>inline</code> handling of the <code>settings</code> key via HULL because functionally the same is happening. As a Bonus you can compare the HULL transformation syntax to the regular templating expression syntax as you can use it within an externally imported file, the HULL transformations do not apply to externally imported files but only within the <code>values.yaml</code> tree!</p> <p>Now you can import the second JSON transformation content via specifying it in an external file to highlight this feature. First add the external file like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">mkdir </span>files </code></pre> </div> <p>and echo same templating instruction as above into the file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">echo</span> <span class="s1">'{{ toJson .Values.hull.config.specific.pinnedCRDs }}'</span> <span class="o">&gt;</span> files/pinnedCRDs </code></pre> </div> <p>Lastly add the external file as a source replacing the former <code>inline</code> directive:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sed</span> <span class="s1">'0,/inline: ""/{s/inline: ""/path: files\/pinnedCRDs/}'</span> <span class="nt">-i</span> <span class="nt">--</span> values.yaml </code></pre> </div> <p>Then see if this way of handling data works too:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">echo</span> <span class="s1">'hull: config: specific: pinnedCRDs: another: dicionary: test'</span> <span class="o">&gt;</span> ../configs/path-transformation.yaml <span class="se">\</span> <span class="o">&amp;&amp;</span> helm template <span class="nt">-f</span> ../configs/disable-default-rbac.yaml <span class="nt">-f</span> ../configs/path-transformation.yaml <span class="nb">.</span> </code></pre> </div> <p>you can again see it does actually produces the JSON content:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="nn">---</span> <span class="c1"># Source: kubernetes-dashboard/templates/hull.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">data</span><span class="pi">:</span> <span class="na">_global</span><span class="pi">:</span> <span class="s1">'</span><span class="s">{}'</span> <span class="na">_pinnedCRD</span><span class="pi">:</span> <span class="s1">'</span><span class="s">{"another":{"dicionary":"test"}}'</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ConfigMap</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">settings</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="s">Helm</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="na">app.kubernetes.io/part-of</span><span class="pi">:</span> <span class="s">undefined</span> <span class="na">app.kubernetes.io/version</span><span class="pi">:</span> <span class="s">2.5.0</span> <span class="na">helm.sh/chart</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-5.2.0</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-settings</span> </code></pre> </div> <p>That's it. You have learned how you can start to leverage the power of transformations - particularly the <code>hull.util.transformation.tpl</code> transformation - to improve chart creation and configuration! Done with the ConfigMap and onto the Secret!</p> <h2> Specifying Secrets with HULL </h2> <p>Conveniently creating secrets with HULL is exactly the same process as creating ConfigMaps, all required Base64 encoding is done automatically under the hood even when using the <code>inline</code> functionality.</p> <p>Do take a look at the existing Secret file in the <code>kubernetes-dashboard</code> chart by typing:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cat</span> ../kubernetes-dashboard/templates/secret.yaml </code></pre> </div> <p>which gives:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># Copyright 2017 The Kubernetes Authors.</span> <span class="c1">#</span> <span class="c1"># Licensed under the Apache License, Version 2.0 (the "License");</span> <span class="c1"># you may not use this file except in compliance with the License.</span> <span class="c1"># You may obtain a copy of the License at</span> <span class="c1">#</span> <span class="c1"># http://www.apache.org/licenses/LICENSE-2.0</span> <span class="c1">#</span> <span class="c1"># Unless required by applicable law or agreed to in writing, software</span> <span class="c1"># distributed under the License is distributed on an "AS IS" BASIS,</span> <span class="c1"># WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.</span> <span class="c1"># See the License for the specific language governing permissions and</span> <span class="c1"># limitations under the License.</span> <span class="c1"># kubernetes-dashboard-certs</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Secret</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="pi">{{</span><span class="nv">- include "kubernetes-dashboard.labels" . | nindent 4</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- if .Values.commonLabels</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{{</span><span class="nv">- if .Values.commonAnnotations</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> <span class="na">name</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">template "kubernetes-dashboard.fullname" .</span> <span class="pi">}}</span><span class="s">-certs</span> <span class="na">type</span><span class="pi">:</span> <span class="s">Opaque</span> <span class="nn">---</span> <span class="c1"># kubernetes-dashboard-csrf</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Secret</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">include "kubernetes-dashboard.labels" . | nindent 4</span> <span class="pi">}}</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-csrf</span> <span class="na">type</span><span class="pi">:</span> <span class="s">Opaque</span> <span class="nn">---</span> <span class="c1"># kubernetes-dashboard-key-holder</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Secret</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">include "kubernetes-dashboard.labels" . | nindent 4</span> <span class="pi">}}</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-key-holder</span> <span class="na">type</span><span class="pi">:</span> <span class="s">Opaque</span> </code></pre> </div> <p>Interestingly and uncommonly you'll find three secrets without any <code>data</code> entries pre-specified or even the possibility to specify them in the chart. You'll also notice that the <code>csrf</code> and <code>key-holder</code> secrets have static names set while the name of the <code>certs</code> secret is dynamically calulated:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="nn">...</span> <span class="na">name</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">template "kubernetes-dashboard.fullname" .</span> <span class="pi">}}</span><span class="s">-certs</span> <span class="nn">...</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-csrf</span> <span class="nn">...</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-key-holder</span> <span class="nn">...</span> </code></pre> </div> <p>This is likely because the Kubernetes Dashboard application is bound tightly to the Kubernetes world and the application itself accesses the secrets by their static names internally as indicated <a href="https://github.com/kubernetes/dashboard/blob/fe4b5fc1f4851136e868f52dbd78299b0529da79/src/app/backend/client/api/types.go#L33">here</a>. In order to be able to address them by their static names you need to keep their names static too. The default naming behavior for objects in HULL is to create a dynamic name for objects. But you can always opt to create objects with a fixed/static name instead. You only need to add the <code>staticName: true</code> property to the object definition and the object name matches exactly the key name.</p> <p>Check this out by adding the Secrets with empty content now to our <code>values.yaml</code> configuration with:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">echo</span> <span class="s1">' secret: certs: data: {} kubernetes-dashboard-csrf: data: {} staticName: true kubernetes-dashboard-key-holder: data: {} staticName: true'</span> <span class="o">&gt;&gt;</span> values.yaml <span class="se">\</span> <span class="o">&amp;&amp;</span> helm template <span class="nt">-f</span> ../configs/disable-default-rbac.yaml <span class="nb">.</span> </code></pre> </div> <p>and the Secrets have been created with the differing naming schemes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="nn">---</span> <span class="nn">---</span> <span class="c1"># Source: kubernetes-dashboard/templates/hull.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Secret</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">certs</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="s">Helm</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="na">app.kubernetes.io/part-of</span><span class="pi">:</span> <span class="s">undefined</span> <span class="na">app.kubernetes.io/version</span><span class="pi">:</span> <span class="s">2.5.0</span> <span class="na">helm.sh/chart</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-5.2.0</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-certs</span> <span class="nn">---</span> <span class="c1"># Source: kubernetes-dashboard/templates/hull.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Secret</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-csrf</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="s">Helm</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="na">app.kubernetes.io/part-of</span><span class="pi">:</span> <span class="s">undefined</span> <span class="na">app.kubernetes.io/version</span><span class="pi">:</span> <span class="s">2.5.0</span> <span class="na">helm.sh/chart</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-5.2.0</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-csrf</span> <span class="nn">---</span> <span class="c1"># Source: kubernetes-dashboard/templates/hull.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Secret</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-key-holder</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="s">Helm</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="na">app.kubernetes.io/part-of</span><span class="pi">:</span> <span class="s">undefined</span> <span class="na">app.kubernetes.io/version</span><span class="pi">:</span> <span class="s">2.5.0</span> <span class="na">helm.sh/chart</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-5.2.0</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-key-holder</span> <span class="nn">---</span> <span class="c1"># Source: kubernetes-dashboard/templates/hull.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">data</span><span class="pi">:</span> <span class="na">_global</span><span class="pi">:</span> <span class="s1">'</span><span class="s">{}'</span> <span class="na">_pinnedCRD</span><span class="pi">:</span> <span class="s1">'</span><span class="s">{}'</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ConfigMap</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">settings</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="s">Helm</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="na">app.kubernetes.io/part-of</span><span class="pi">:</span> <span class="s">undefined</span> <span class="na">app.kubernetes.io/version</span><span class="pi">:</span> <span class="s">2.5.0</span> <span class="na">helm.sh/chart</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-5.2.0</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-settings</span> </code></pre> </div> <p>In the same vein it is a good time to discuss a transformation that allows to create dynamic names from a static string in other places of charts where objects are being refered to by name and not where they themselves are being named.</p> <h3> Utilizing the <code>hull.util.transformation.makefullname</code>/<code>_HT^</code> transformation to produce chart specific dynamic names </h3> <p>As touched upon, a common scenario when writing Helm charts is to produce dynamic names for all the Helm charts objects. Regularly the dynamic name consists of a static object name part and a dynamic prefix where the chart and/or release name is prefixed, e.g. assume the static instance name is <code>settings</code>, the chart name <code>my-application</code> and the release name <code>my-release</code> and you may get <code>my-application-my-release-settings</code> as a name for a ConfigMap maybe.</p> <p>The reasoning behind these dynamic names is that they are supposed to be unique: even when you deploy one chart twice in the same namespace you would have to give the releases individual names, otherwise Helm would fail since it does not allow two releases with the same name in a single namespace. Even though it would be easy to produce counter examples this suffices in the practical world to have no naming clashes of objects managed via Helm charts.</p> <p>Another configuration option commonly offered in Helm charts is to allow the user to specify a so-called <code>fullnameOverride</code> which then replaces the <code>my-application-my-release</code> prefix with a static prefix of your choosing. While this raises the chance of object instance name collisions obviously it can help with object names becoming unnecessarily long (there is a length cap of at most 63 chars for object names in Kubernetes).</p> <p>By default all objects that HULL creates and manages have a unique dynamic name and there clearly defined places in Kubernetes object specifications where you address another object of a known and fixed type and there it suffices to supply just the object key name and HULL automatically converts it to the full dynamic name on rendering.</p> <p>The places where dynamic names are created from key names automatically are:</p> <ul> <li> <code>horizontalpodautoscaler</code>: <ul> <li>the <code>scaleTargetRef.name</code> </li> </ul> </li> <li> <code>ingress</code>: <ul> <li>the <code>tls.secretName</code> </li> <li>the <code>backend.service.name</code> </li> </ul> </li> <li> <code>container</code>: <ul> <li>the <code>env.valueFrom.configMapKeyRef</code> </li> <li>the <code>env.valueFrom.secretKeyRef</code> </li> <li>the <code>envFrom.configMapRef</code> </li> <li>the <code>envFrom.secretRef</code> </li> </ul> </li> <li> <code>volume</code>: <ul> <li>the <code>configMap.name</code> </li> <li>the <code>secret.secretName</code> </li> <li>the <code>persistentVolumeClaim.claimName</code> </li> </ul> </li> </ul> <p>In all these places you can simply use the key of the instance you address and HULL will by default create a dynamic name. However, if it is not a dynamic name you want to reference to you can always add <code>staticName: true</code> next to the property holding the instance name and the value will not be modified on rendering. Examples of this in use will follow.</p> <p>However in some other situations you may also need to reference a Kubernetes object (created within the same chart) by its name and it is not as clear in advance that the value is a reference to a Kubernetes object by name. Think the configuration of RoleBindings, <a href="https://kubernetes.io/docs/reference/access-authn-authz/rbac/#rolebinding-example">here is the Kubernetes documentation example of this</a>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io/v1</span> <span class="c1"># This role binding allows "jane" to read pods in the "default" namespace.</span> <span class="c1"># You need to already have a Role named "pod-reader" in that namespace.</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">RoleBinding</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">read-pods</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">default</span> <span class="na">subjects</span><span class="pi">:</span> <span class="c1"># You can specify more than one "subject"</span> <span class="pi">-</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">User</span> <span class="na">name</span><span class="pi">:</span> <span class="s">jane</span> <span class="c1"># "name" is case sensitive</span> <span class="na">apiGroup</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io</span> <span class="na">roleRef</span><span class="pi">:</span> <span class="c1"># "roleRef" specifies the binding to a Role / ClusterRole</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Role</span> <span class="c1">#this must be Role or ClusterRole</span> <span class="na">name</span><span class="pi">:</span> <span class="s">pod-reader</span> <span class="c1"># this must match the name of the Role or ClusterRole you wish to bind to</span> <span class="na">apiGroup</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io</span> </code></pre> </div> <p>If <code>pod-reader</code> would be created within the Helm chart the RoleBinding is defined in you need the capability to enforce a dynamic name in the <code>roleRef</code>. This is where the <code>_HT^</code> transformation steps in to help you out by providing the same dynamic naming mechanism explained above. You only need to feed it the key name and it will produce a dynamic fullname based on the key name and the charts configuration. If you want to use the <code>fullnameOverride</code> functionality you can also specify the <code>fullnameOverride</code> under the <code>hull.config.general.fullnameOverride</code> configuration property and it will be respected in the creation of all dynamic names. This will be put to good use in the tutorial part on RBAC configuration (where there is a lot of referencing of object instances by name) so the example can be skipped here and left for later.</p> <p>Besides the <code>_HT!</code>, <code>_HT?</code> and <code>_HT^</code> transformations there is one more helpful transformation that concludes the out-of-the-box transformations that HULL provides: the <code>hull.util.transformation.get</code>/<code>_HT*</code> get transformation.</p> <h3> Getting values with the <code>hull.util.transformation.get</code>/<code>_HT*</code> transformation </h3> <p>Similar to the <code>_HT?</code> transformation you can utilize the <code>_HT*</code> transformation to directly get a value via the dot notation path to the source of the reference. When using <code>_HT*</code> you can specify the path to the value to get relative to the <code>.Values</code> dictionary that means you explicitly don't specify any <code>.Values</code> or <code>(index . "$").Values</code> prefix. This works for referenced values of string, integer and boolean types and even for arrays or dictionaries.</p> <p>Remember the metadata setting usecase where you may want to apply a given set of labels to all objects of a particular 'group'? With <code>_HT*</code> this now becomes possible as in the next example.</p> <p>By now you have defined a <code>settings</code> ConfigMap and the three Secrets <code>certs</code>, <code>kubernetes-dashboard-csrf</code> and <code>kubernetes-dashboard-key-holder</code>. Say the <code>settings</code> ConfigMap and the <code>certs</code> Secret should be grouped by a common set of labels indicating they are relevant for cluster-level configuration. Additionally the <code>kubernetes-dashboard-csrf</code> and <code>kubernetes-dashboard-key-holder</code> Secrets are to be marked as relevant on application-level. This is not required for the chart conversion but may serve as a fictional grouping example. </p> <p>Now in this demo sketch the shared labels under <code>hull.config.specific</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">echo</span> <span class="s1">'hull: config: specific: labels: configuration: cluster: configuration: "true" relevancy: cluster-level application: configuration: "true" relevancy: application-level objects: configmap: settings: labels: _HT*hull.config.specific.labels.configuration.cluster secret: certs: labels: _HT*hull.config.specific.labels.configuration.cluster kubernetes-dashboard-csrf: labels: _HT*hull.config.specific.labels.configuration.application kubernetes-dashboard-key-holder: labels: _HT*hull.config.specific.labels.configuration.application'</span><span class="o">&gt;</span> ../configs/get-transformation.yaml <span class="se">\</span> <span class="o">&amp;&amp;</span> helm template <span class="nt">-f</span> ../configs/disable-default-rbac.yaml <span class="nt">-f</span> ../configs/get-transformation.yaml <span class="nb">.</span> </code></pre> </div> <p>we have successfully grouped objects by a shared set of labels:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="nn">---</span> <span class="c1"># Source: kubernetes-dashboard/templates/hull.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Secret</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">certs</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="s">Helm</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="na">app.kubernetes.io/part-of</span><span class="pi">:</span> <span class="s">undefined</span> <span class="na">app.kubernetes.io/version</span><span class="pi">:</span> <span class="s">2.5.0</span> <span class="na">configuration</span><span class="pi">:</span> <span class="no">true</span> <span class="na">helm.sh/chart</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-5.2.0</span> <span class="na">relevancy</span><span class="pi">:</span> <span class="s">cluster-level</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-certs</span> <span class="nn">---</span> <span class="c1"># Source: kubernetes-dashboard/templates/hull.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Secret</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-csrf</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="s">Helm</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="na">app.kubernetes.io/part-of</span><span class="pi">:</span> <span class="s">undefined</span> <span class="na">app.kubernetes.io/version</span><span class="pi">:</span> <span class="s">2.5.0</span> <span class="na">configuration</span><span class="pi">:</span> <span class="no">true</span> <span class="na">helm.sh/chart</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-5.2.0</span> <span class="na">relevancy</span><span class="pi">:</span> <span class="s">application-level</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-csrf</span> <span class="nn">---</span> <span class="c1"># Source: kubernetes-dashboard/templates/hull.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Secret</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-key-holder</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="s">Helm</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="na">app.kubernetes.io/part-of</span><span class="pi">:</span> <span class="s">undefined</span> <span class="na">app.kubernetes.io/version</span><span class="pi">:</span> <span class="s">2.5.0</span> <span class="na">configuration</span><span class="pi">:</span> <span class="no">true</span> <span class="na">helm.sh/chart</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-5.2.0</span> <span class="na">relevancy</span><span class="pi">:</span> <span class="s">application-level</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-key-holder</span> <span class="nn">---</span> <span class="c1"># Source: kubernetes-dashboard/templates/hull.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">data</span><span class="pi">:</span> <span class="na">_global</span><span class="pi">:</span> <span class="s1">'</span><span class="s">{}'</span> <span class="na">_pinnedCRD</span><span class="pi">:</span> <span class="s1">'</span><span class="s">{}'</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ConfigMap</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">settings</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="s">Helm</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="na">app.kubernetes.io/part-of</span><span class="pi">:</span> <span class="s">undefined</span> <span class="na">app.kubernetes.io/version</span><span class="pi">:</span> <span class="s">2.5.0</span> <span class="na">configuration</span><span class="pi">:</span> <span class="no">true</span> <span class="na">helm.sh/chart</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-5.2.0</span> <span class="na">relevancy</span><span class="pi">:</span> <span class="s">cluster-level</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-settings</span> </code></pre> </div> <h2> Wrap up </h2> <p>This concludes the subject of handling ConfigMaps and Secrets within HULL. Along the way you have learned about HULL transformations which put powerful templating into the <code>values.yaml</code> processing. At this point feel free to play around with the already created example files in the <code>config</code> folder and check if you get the expected output rendered. Of course you can also create new ones for testing the functionality!</p> <p>Your <code>values.yaml</code> should at this stage look like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cat </span>values.yaml </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">metrics-server</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="no">false</span> <span class="na">hull</span><span class="pi">:</span> <span class="na">config</span><span class="pi">:</span> <span class="na">specific</span><span class="pi">:</span> <span class="na">settings</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">pinnedCRDs</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">objects</span><span class="pi">:</span> <span class="na">configmap</span><span class="pi">:</span> <span class="na">settings</span><span class="pi">:</span> <span class="na">data</span><span class="pi">:</span> <span class="na">_global</span><span class="pi">:</span> <span class="na">inline</span><span class="pi">:</span> <span class="s">_HT!{{ toJson (index . "$").Values.hull.config.specific.settings | quote }}</span> <span class="na">_pinnedCRD</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">files/pinnedCRDs</span> <span class="na">secret</span><span class="pi">:</span> <span class="na">certs</span><span class="pi">:</span> <span class="na">data</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">kubernetes-dashboard-csrf</span><span class="pi">:</span> <span class="na">data</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">staticName</span><span class="pi">:</span> <span class="no">true</span> <span class="na">kubernetes-dashboard-key-holder</span><span class="pi">:</span> <span class="na">data</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">staticName</span><span class="pi">:</span> <span class="no">true</span> </code></pre> </div> <p>Pretty compact. The 80 lines of configuration in the original <code>kubernetes-dashboard</code> chart that were spent to define the ConfigMap and the Secrets were reduced to 20 and that is even excluding the relevant lines from the original <code>values.yaml</code>. That means a reduction of more than half of the lines of code that require maintenance. Yet at the same time you are gaining the full possibility to overwrite any objects property. When working on the workload objects (Deployments, DaemonSet and Jobs) this reduction of the code to be maintained is even more visible and you will see that you need roughly half the code lines then to achieve even more than what is possible with the original chart.</p> <p>Now is the right time to store your current <code>values.yaml</code> as <code>values.tutorial-part.yaml</code> in the charts folder:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cp </span>values.yaml values.tutorial-part.yaml </code></pre> </div> <p>This file is supposed to hold the individual outcome of each tutorial part from now on, concentrating on the aspects that are in focus of the respective tutorial part. </p> <p>Additionally a <code>values.full.yaml</code> will from now on be maintained and will be built upon in each tutorial part and become the final complete <code>values.yaml</code> for the chart. Basically it represents the outcome of the whole tutorial series. Within this constantly growing file all intermediate tutorial results are being added. For this first tutorial where first objects were created it is the same as the <code>values.intermediate.yaml</code> obviously but starting from the next tutorial part it will grow further. So at this time just copy the <code>values.yaml</code> too:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cp </span>values.yaml values.full.yaml </code></pre> </div> <p>By backing up your progress this way the 'working' <code>values.yaml</code> can be reset or modified for each tutorial part to limit the output to look at (since we do not require all objects that were created so far each time) but only those in focus of a tutorial part.</p> <p>Otherwise that is the end of this tutorial part, the outcome of it is found <a href="https://github.com/vidispine/hull-tutorials/tree/test/dev-to/hull/03_configmaps_and_secrets">here</a>. <a href="https://dev.to/gre9ory/hull-tutorial-04-configuring-serviceaccounts-and-rbac-153a">The next tutorial looks at configuration of ServiceAccounts and RBAC matters</a>.</p> <p><strong>Thanks for reading and hopefully you found it useful and/or interesting!</strong></p> HULL Tutorial 02: Setting up a Helm Chart based on HULL gre9ory Tue, 31 May 2022 11:24:11 +0000 https://dev.to/gre9ory/hull-tutorial-02-setting-up-a-helm-chart-based-on-hull-md2 https://dev.to/gre9ory/hull-tutorial-02-setting-up-a-helm-chart-based-on-hull-md2 <h2> Introduction </h2> <p>This article series will go step by step through building a Helm Chart based on the HULL library. To allow a good comparison with the traditional Helm chart creation process and for educational purposes the goal is to rewrite the <code>kubernetes-dashboard</code> Helm chart in it's latest version that exists at time of writing (<a href="https://artifacthub.io/packages/helm/k8s-dashboard/kubernetes-dashboard/5.2.0">which is version 5.2.0</a>).</p> <p>You may ask why the <code>kubernetes-dashboard</code> Helm chart? For a number of reasons this is an interesing topic for this tutorial:</p> <ul> <li>the <code>kubernetes-dashboard</code> Helm chart is most likely one of the most frequently downloaded and used Helm chart around the globe. Many people interact with it daily and may have a deeper understanding of its structure</li> <li>it has a medium complexity which makes the goal of translating it to a HULL based chart on the one hand has the power of showcasing the real-life applicability of the HULL library to Helm chart creation and on the other hand is doable with a reasonable amount of effort</li> <li>lastly, a deep dive into such a commonly used Helm Chart may still offer interesting insights to you if you are new-ish to understanding Helm chart mechanics or want to get to learn the <code>kubernetes-dashboard</code>'s particular charts architecture better</li> </ul> <h2> Getting Helm </h2> <p>Before you can get started you need to make sure you have a <a href="https://helm.sh/docs/intro/install/">fresh Helm version installed</a>. Then open up a Linux terminal of your choice and when you type in:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>helm version </code></pre> </div> <p>the output should be similar to this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="s">version.BuildInfo{Version:"v3.6.3", GitCommit:"d506314abfb5d21419df8c7e7e68012379db2354", GitTreeState:"clean", GoVersion:"go1.16.5"}</span> </code></pre> </div> <p>Now you are good to go!</p> <h2> Creating the test project </h2> <p>First switch to your working directory, eg. <code>home</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd</span> ~ </code></pre> </div> <p>and there create a directory for our project and first tutorial part and switch to it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">mkdir </span>kubernetes-dashboard-hull <span class="o">&amp;&amp;</span> <span class="nb">mkdir </span>kubernetes-dashboard-hull/02_setup <span class="o">&amp;&amp;</span> <span class="nb">cd </span>kubernetes-dashboard-hull/02_setup </code></pre> </div> <h2> Getting the original <code>kubernetes-dashboard</code> chart </h2> <p>For reference and analysis you can download a copy of the original <code>kubernetes-dashboard</code> helm chart and extract it like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-L</span> https://kubernetes.github.io/dashboard/kubernetes-dashboard-5.2.0.tgz <span class="nt">-o</span> kubernetes-dashboard.tgz <span class="o">&amp;&amp;</span> <span class="nb">tar</span> <span class="nt">-xvzf</span> kubernetes-dashboard.tgz <span class="nt">-C</span> <span class="nb">.</span> <span class="o">&amp;&amp;</span> <span class="nb">rm </span>kubernetes-dashboard.tgz </code></pre> </div> <p>To check if it was succesful list the <code>kubernetes-dashboard</code> folder:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">ls</span> <span class="nt">-R</span> kubernetes-dashboard </code></pre> </div> <p>and you should see all the extracted files:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">kubernetes-dashboard</span><span class="pi">:</span> <span class="s">Chart.lock Chart.yaml README.md charts templates values.yaml</span> <span class="na">kubernetes-dashboard/charts</span><span class="pi">:</span> <span class="s">metrics-server</span> <span class="na">kubernetes-dashboard/charts/metrics-server</span><span class="pi">:</span> <span class="s">Chart.yaml README.md ci templates values.yaml</span> <span class="na">kubernetes-dashboard/charts/metrics-server/ci</span><span class="pi">:</span> <span class="s">ci-values.yaml</span> <span class="na">kubernetes-dashboard/charts/metrics-server/templates</span><span class="pi">:</span> <span class="s">NOTES.txt apiservice.yaml clusterrole.yaml clusterrolebinding.yaml pdb.yaml rolebinding.yaml serviceaccount.yaml</span> <span class="s">_helpers.tpl clusterrole-aggregated-reader.yaml clusterrolebinding-auth-delegator.yaml deployment.yaml psp.yaml service.yaml</span> <span class="na">kubernetes-dashboard/templates</span><span class="pi">:</span> <span class="s">NOTES.txt clusterrole-metrics.yaml clusterrolebinding-readonly.yaml ingress.yaml psp.yaml secret.yaml servicemonitor.yaml</span> <span class="s">_helpers.tpl clusterrole-readonly.yaml configmap.yaml networkpolicy.yaml role.yaml service.yaml</span> <span class="s">_tplvalues.tpl clusterrolebinding-metrics.yaml deployment.yaml pdb.yaml rolebinding.yaml serviceaccount.yaml</span> </code></pre> </div> <h2> Setting up a HULL Chart </h2> <p>Good, now proceed by creating a new empty HULL based Helm chart. <a href="https://github.com/vidispine/hull/blob/main/hull/doc/setup.md">The steps are documented here</a> but you will create it from scratch here to understand what is needed.</p> <p>One way to get started is by using the <a href="https://helm.sh/docs/helm/helm_create/#helm"><code>helm create</code></a> command to create the folder structure for an empty Helm chart. Run this command to create our <code>kubernetes-dashboard-hull</code> Helm chart:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>helm create kubernetes-dashboard-hull </code></pre> </div> <p>should produce this answer:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="s">Creating kubernetes-dashboard-hull</span> </code></pre> </div> <p>That should have created a folder <code>kubernetes-dashboard-hull</code> with the usual required and example Helm chart files in there. Switch to the folder and examine the contents:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd </span>kubernetes-dashboard-hull <span class="o">&amp;&amp;</span> <span class="nb">ls</span> <span class="nt">-R</span> </code></pre> </div> <p>to find the default files for a new scaffolded Helm chart:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">.</span><span class="pi">:</span> <span class="s">Chart.yaml charts templates values.yaml</span> <span class="na">./charts</span><span class="pi">:</span> <span class="na">./templates</span><span class="pi">:</span> <span class="s">NOTES.txt _helpers.tpl deployment.yaml hpa.yaml ingress.yaml service.yaml serviceaccount.yaml tests</span> <span class="na">./templates/tests</span><span class="pi">:</span> <span class="s">test-connection.yaml</span> </code></pre> </div> <p>Delete examples and tests in the <code>/templates</code> folder, nothing besides the <code>hull.yaml</code> is needed:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">rm</span> <span class="nt">-rf</span> templates/<span class="k">*</span> <span class="o">&amp;&amp;</span> <span class="nb">ls</span> <span class="nt">-R</span> </code></pre> </div> <p>shows this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">.</span><span class="pi">:</span> <span class="s">Chart.yaml charts templates values.yaml</span> <span class="na">./charts</span><span class="pi">:</span> <span class="na">./templates</span><span class="pi">:</span> </code></pre> </div> <p>Additionally empty the <code>values.yaml</code> with the example data:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">echo</span> <span class="s1">''</span> <span class="o">&gt;</span> values.yaml </code></pre> </div> <p>Now edit the mandatory <code>Chart.yaml</code> which is updated to reflect the original charts information. Furthermore add the HULL library as requirement which is necessary to be able to use HULL.</p> <h3> Choosing a HULL version </h3> <p>When choosing a HULL version for this, it is recommended that HULLs <code>major.minor</code> version must at least match the <code>kubeVersion</code> field otherwise the API version of objects created by HULL may be yet unknown to the clusters API version. Each HULL release branch is aligned with a specific Kubernetes version such as <code>1.21</code>, <code>1.22</code>, <code>1.23</code> and so on. The objects that HULL renders out will always be of the latest API version of the given object type that matches the HULL librarys version. So when an API is upgraded from beta to stable in a Kubernetes version jump, the latter HULL version will create objects with the stable API version and the former will create the beta API versioned objects. It is recommended to leave the <code>kubeVersion</code> set at <code>1.21.0</code> for this example so you will be able to work against any Kubernetes cluster with a version of <code>1.21.0</code> or above.</p> <p>Replace <code>1.23.3</code> below with the <a href="https://github.com/vidispine/hull/releases">latest available HULL version</a> and match the <code>kubeVersion</code> accordingly:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">echo</span> <span class="s1">'apiVersion: v2 appVersion: 2.5.0 dependencies: - condition: metrics-server.enabled name: metrics-server repository: https://kubernetes-sigs.github.io/metrics-server/ version: 3.5.0 - name: hull version: "1.23.3" repository: "https://vidispine.github.io/hull" description: General-purpose web UI for Kubernetes clusters home: https://github.com/kubernetes/dashboard icon: https://raw.githubusercontent.com/kubernetes/kubernetes/master/logo/logo.svg keywords: - kubernetes - dashboard kubeVersion: "&gt;=1.21.0-0" maintainers: - email: cdesaintmartin@wiremind.fr name: desaintmartin name: kubernetes-dashboard sources: - https://github.com/kubernetes/dashboard version: 5.2.0'</span> <span class="o">&gt;</span> Chart.yaml </code></pre> </div> <p>Before starting work on the <code>values.yaml</code> you should download the HULL library by the Helm way of <a href="https://helm.sh/docs/helm/helm_dependency_update/">updating Chart dependencies</a>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>helm dependency update </code></pre> </div> <p>to download the HULL chart from the GitHub hosted HelmChart repository and the other subchart <code>metrics-server</code> which you can optionally co-deploy:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="s">Getting updates for unmanaged Helm repositories...</span> <span class="s">...Successfully got an update from the "https://kubernetes-sigs.github.io/metrics-server/" chart repository</span> <span class="s">...Successfully got an update from the "https://vidispine.github.io/hull" chart repository</span> <span class="s">Saving 2 charts</span> <span class="s">Downloading metrics-server from repo https://kubernetes-sigs.github.io/metrics-server/</span> <span class="s">Downloading hull from repo https://vidispine.github.io/hull</span> <span class="s">Deleting outdated charts</span> </code></pre> </div> <p>Great, one tiny thing left before you can start defining the objects of our <code>kubernetes-dashboard-hull</code> Chart: copy over the <code>hull.yaml</code> from the now locally downloaded subchart to the main charts template folder. Without this step, nothing can be rendered via HULL since the <code>hull.yaml</code> contains the logic to convert <code>values.yaml</code> object definitions to rendered YAML files. We can do this with a one-liner where we extract the packaged HULL tgz file from the <code>/charts</code> directory to a local <code>temp</code> directory, copy over the <code>hull.yaml</code> and clean up the temp directory afterwards:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">mkdir </span>_tmp <span class="o">&amp;&amp;</span> <span class="nb">tar</span> <span class="nt">-xvzf</span> charts/hull-1.23.3.tgz <span class="nt">-C</span> _tmp <span class="o">&amp;&amp;</span> <span class="nb">cp </span>_tmp/hull/hull.yaml templates/hull.yaml <span class="o">&amp;&amp;</span> <span class="nb">rm</span> <span class="nt">-rf</span> _tmp </code></pre> </div> <p>prints out the temporarily extracted files:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="s">hull/Chart.yaml</span> <span class="s">hull/Chart.lock</span> <span class="s">hull/values.yaml</span> <span class="s">hull/values.schema.json</span> <span class="s">hull/templates/_metadata.tpl</span> <span class="s">hull/templates/_metadata_annotations.tpl</span> <span class="s">hull/templates/_metadata_chartref.tpl</span> <span class="s">hull/templates/_metadata_fullname.tpl</span> <span class="s">hull/templates/_metadata_header.tpl</span> <span class="s">hull/templates/_metadata_labels.tpl</span> <span class="s">hull/templates/_metadata_name.tpl</span> <span class="s">hull/templates/_objects.tpl</span> <span class="s">hull/templates/_objects_base_plain.tpl</span> <span class="s">hull/templates/_objects_base_pod.tpl</span> <span class="s">hull/templates/_objects_base_rbac.tpl</span> <span class="s">hull/templates/_objects_base_role.tpl</span> <span class="s">hull/templates/_objects_base_spec.tpl</span> <span class="s">hull/templates/_objects_base_webhook.tpl</span> <span class="s">hull/templates/_objects_configmap.tpl</span> <span class="s">hull/templates/_objects_cronjob.tpl</span> <span class="s">hull/templates/_objects_horizontalpodautoscaler.tpl</span> <span class="s">hull/templates/_objects_ingress.tpl</span> <span class="s">hull/templates/_objects_pod.tpl</span> <span class="s">hull/templates/_objects_pod_container.tpl</span> <span class="s">hull/templates/_objects_pod_volume.tpl</span> <span class="s">hull/templates/_objects_registry.tpl</span> <span class="s">hull/templates/_objects_secret.tpl</span> <span class="s">hull/templates/_objects_service.tpl</span> <span class="s">hull/templates/_util.tpl</span> <span class="s">hull/templates/_util_transformations.tpl</span> <span class="s">hull/.helmignore</span> <span class="s">hull/CHANGELOG.md</span> <span class="s">hull/LICENSE</span> <span class="s">hull/README.md</span> <span class="s">hull/doc/architecture.md</span> <span class="s">hull/doc/development.md</span> <span class="s">hull/doc/json_schema_validation.md</span> <span class="s">hull/doc/objects_base.md</span> <span class="s">hull/doc/objects_configmaps_secrets.md</span> <span class="s">hull/doc/objects_customresource.md</span> <span class="s">hull/doc/objects_horizontalpodautoscaler.md</span> <span class="s">hull/doc/objects_ingress.md</span> <span class="s">hull/doc/objects_pod.md</span> <span class="s">hull/doc/objects_registry.md</span> <span class="s">hull/doc/objects_role.md</span> <span class="s">hull/doc/objects_service.md</span> <span class="s">hull/doc/objects_webhook.md</span> <span class="s">hull/doc/setup.md</span> <span class="s">hull/doc/transformations.md</span> <span class="s">hull/files/examples/authservice_values.yaml</span> <span class="s">hull/files/examples/medialogger_values.yaml</span> <span class="s">hull/files/scripts/HullChart.ps1</span> <span class="s">hull/files/scripts/SetChartVersion.ps1</span> <span class="s">hull/files/scripts/SetYamlValues.ps1</span> <span class="s">hull/files/templates/hull-clusterrole.yaml</span> <span class="s">hull/files/templates/hull-clusterrolebinding.yaml</span> <span class="s">hull/files/templates/hull-configmap.yaml</span> <span class="s">hull/files/templates/hull-cronjob.yaml</span> <span class="s">hull/files/templates/hull-customresource.yaml</span> <span class="s">hull/files/templates/hull-daemonset.yaml</span> <span class="s">hull/files/templates/hull-deployment.yaml</span> <span class="s">hull/files/templates/hull-endpoints.yaml</span> <span class="s">hull/files/templates/hull-horizontalpodautoscaler.yaml</span> <span class="s">hull/files/templates/hull-ingress.yaml</span> <span class="s">hull/files/templates/hull-ingressclass.yaml</span> <span class="s">hull/files/templates/hull-job.yaml</span> <span class="s">hull/files/templates/hull-mutatingwebhookconfiguration.yaml</span> <span class="s">hull/files/templates/hull-networkpolicy.yaml</span> <span class="s">hull/files/templates/hull-persistentvolume.yaml</span> <span class="s">hull/files/templates/hull-persistentvolumeclaim.yaml</span> <span class="s">hull/files/templates/hull-poddisruptionbudget.yaml</span> <span class="s">hull/files/templates/hull-podsecuritypolicy.yaml</span> <span class="s">hull/files/templates/hull-priorityclass.yaml</span> <span class="s">hull/files/templates/hull-registry.yaml</span> <span class="s">hull/files/templates/hull-resourcequota.yaml</span> <span class="s">hull/files/templates/hull-role.yaml</span> <span class="s">hull/files/templates/hull-rolebinding.yaml</span> <span class="s">hull/files/templates/hull-secret.yaml</span> <span class="s">hull/files/templates/hull-service.yaml</span> <span class="s">hull/files/templates/hull-serviceaccount.yaml</span> <span class="s">hull/files/templates/hull-servicemonitor.yaml</span> <span class="s">hull/files/templates/hull-statefulset.yaml</span> <span class="s">hull/files/templates/hull-storageclass.yaml</span> <span class="s">hull/files/templates/hull-validatingwebhookconfiguration.yaml</span> <span class="s">hull/hull.yaml</span> </code></pre> </div> <p>Now check if the <code>hull.yaml</code> was copied correctly to the <code>templates</code> folder:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cat </span>templates/hull.yaml </code></pre> </div> <p>should return:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="pi">{{</span><span class="nv">- include "hull.objects.prepare.all" (dict "HULL_ROOT_KEY" "hull" "ROOT_CONTEXT" $)</span> <span class="pi">}}</span> </code></pre> </div> <h3> Inspecting default RBAC settings </h3> <p>Fantastic, all in place! If everything went right up to here you can take a first look at what HULL does by default in an otherwise unconfigured Helm chart. For this you can have Helm render out the YAMLs to <code>stdout</code> where you can study them instead of directly deploying objects to a cluster. <a href="https://helm.sh/docs/helm/helm_template/"><code>helm template</code> is the command used for this rendering</a>. If you have an error complaining about version incompatibility you have to update your Helm installation so that <code>helm template</code> runs against a new API version.</p> <p>Go on by templating out what we have in our "empty" chart so far:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>helm template <span class="nb">.</span> </code></pre> </div> <p>giving us an unexpected amount of objects:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="nn">---</span> <span class="nn">---</span> <span class="c1"># Source: kubernetes-dashboard/charts/metrics-server/templates/serviceaccount.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ServiceAccount</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-metrics-server</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">helm.sh/chart</span><span class="pi">:</span> <span class="s">metrics-server-3.5.0</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">metrics-server</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/version</span><span class="pi">:</span> <span class="s2">"</span><span class="s">0.5.0"</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="s">Helm</span> <span class="nn">---</span> <span class="c1"># Source: kubernetes-dashboard/templates/hull.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ServiceAccount</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">default</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="s">Helm</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="na">app.kubernetes.io/part-of</span><span class="pi">:</span> <span class="s">undefined</span> <span class="na">app.kubernetes.io/version</span><span class="pi">:</span> <span class="s">2.5.0</span> <span class="na">helm.sh/chart</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-5.2.0</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-default</span> <span class="nn">---</span> <span class="c1"># Source: kubernetes-dashboard/charts/metrics-server/templates/clusterrole-aggregated-reader.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterRole</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">system:metrics-server-aggregated-reader</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">helm.sh/chart</span><span class="pi">:</span> <span class="s">metrics-server-3.5.0</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">metrics-server</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/version</span><span class="pi">:</span> <span class="s2">"</span><span class="s">0.5.0"</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="s">Helm</span> <span class="na">rbac.authorization.k8s.io/aggregate-to-admin</span><span class="pi">:</span> <span class="s2">"</span><span class="s">true"</span> <span class="na">rbac.authorization.k8s.io/aggregate-to-edit</span><span class="pi">:</span> <span class="s2">"</span><span class="s">true"</span> <span class="na">rbac.authorization.k8s.io/aggregate-to-view</span><span class="pi">:</span> <span class="s2">"</span><span class="s">true"</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">metrics.k8s.io</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">pods</span> <span class="pi">-</span> <span class="s">nodes</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">get</span> <span class="pi">-</span> <span class="s">list</span> <span class="pi">-</span> <span class="s">watch</span> <span class="nn">---</span> <span class="c1"># Source: kubernetes-dashboard/charts/metrics-server/templates/clusterrole.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterRole</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">system:release-name-metrics-server</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">helm.sh/chart</span><span class="pi">:</span> <span class="s">metrics-server-3.5.0</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">metrics-server</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/version</span><span class="pi">:</span> <span class="s2">"</span><span class="s">0.5.0"</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="s">Helm</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">"</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">pods</span> <span class="pi">-</span> <span class="s">nodes</span> <span class="pi">-</span> <span class="s">nodes/stats</span> <span class="pi">-</span> <span class="s">namespaces</span> <span class="pi">-</span> <span class="s">configmaps</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">get</span> <span class="pi">-</span> <span class="s">list</span> <span class="pi">-</span> <span class="s">watch</span> <span class="nn">---</span> <span class="c1"># Source: kubernetes-dashboard/charts/metrics-server/templates/clusterrolebinding-auth-delegator.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterRoleBinding</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-metrics-server:system:auth-delegator</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">helm.sh/chart</span><span class="pi">:</span> <span class="s">metrics-server-3.5.0</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">metrics-server</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/version</span><span class="pi">:</span> <span class="s2">"</span><span class="s">0.5.0"</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="s">Helm</span> <span class="na">roleRef</span><span class="pi">:</span> <span class="na">apiGroup</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterRole</span> <span class="na">name</span><span class="pi">:</span> <span class="s">system:auth-delegator</span> <span class="na">subjects</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ServiceAccount</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-metrics-server</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">default</span> <span class="nn">---</span> <span class="c1"># Source: kubernetes-dashboard/charts/metrics-server/templates/clusterrolebinding.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterRoleBinding</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">system:release-name-metrics-server</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">helm.sh/chart</span><span class="pi">:</span> <span class="s">metrics-server-3.5.0</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">metrics-server</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/version</span><span class="pi">:</span> <span class="s2">"</span><span class="s">0.5.0"</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="s">Helm</span> <span class="na">roleRef</span><span class="pi">:</span> <span class="na">apiGroup</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterRole</span> <span class="na">name</span><span class="pi">:</span> <span class="s">system:release-name-metrics-server</span> <span class="na">subjects</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ServiceAccount</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-metrics-server</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">default</span> <span class="nn">---</span> <span class="c1"># Source: kubernetes-dashboard/templates/hull.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Role</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">default</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="s">Helm</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="na">app.kubernetes.io/part-of</span><span class="pi">:</span> <span class="s">undefined</span> <span class="na">app.kubernetes.io/version</span><span class="pi">:</span> <span class="s">2.5.0</span> <span class="na">helm.sh/chart</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-5.2.0</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-default</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">[]</span> <span class="nn">---</span> <span class="c1"># Source: kubernetes-dashboard/charts/metrics-server/templates/rolebinding.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">RoleBinding</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-metrics-server-auth-reader</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">kube-system</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">helm.sh/chart</span><span class="pi">:</span> <span class="s">metrics-server-3.5.0</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">metrics-server</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/version</span><span class="pi">:</span> <span class="s2">"</span><span class="s">0.5.0"</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="s">Helm</span> <span class="na">roleRef</span><span class="pi">:</span> <span class="na">apiGroup</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Role</span> <span class="na">name</span><span class="pi">:</span> <span class="s">extension-apiserver-authentication-reader</span> <span class="na">subjects</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ServiceAccount</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-metrics-server</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">default</span> <span class="nn">---</span> <span class="c1"># Source: kubernetes-dashboard/templates/hull.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">RoleBinding</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">default</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="s">Helm</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="na">app.kubernetes.io/part-of</span><span class="pi">:</span> <span class="s">undefined</span> <span class="na">app.kubernetes.io/version</span><span class="pi">:</span> <span class="s">2.5.0</span> <span class="na">helm.sh/chart</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-5.2.0</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-default</span> <span class="na">roleRef</span><span class="pi">:</span> <span class="na">apiGroup</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Role</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-default</span> <span class="na">subjects</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ServiceAccount</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-default</span> <span class="nn">---</span> <span class="c1"># Source: kubernetes-dashboard/charts/metrics-server/templates/service.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-metrics-server</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">helm.sh/chart</span><span class="pi">:</span> <span class="s">metrics-server-3.5.0</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">metrics-server</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/version</span><span class="pi">:</span> <span class="s2">"</span><span class="s">0.5.0"</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="s">Helm</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">ClusterIP</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">https</span> <span class="na">port</span><span class="pi">:</span> <span class="m">443</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">TCP</span> <span class="na">targetPort</span><span class="pi">:</span> <span class="s">https</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">metrics-server</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="nn">---</span> <span class="c1"># Source: kubernetes-dashboard/charts/metrics-server/templates/deployment.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-metrics-server</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">helm.sh/chart</span><span class="pi">:</span> <span class="s">metrics-server-3.5.0</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">metrics-server</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/version</span><span class="pi">:</span> <span class="s2">"</span><span class="s">0.5.0"</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="s">Helm</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">1</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">metrics-server</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">metrics-server</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">serviceAccountName</span><span class="pi">:</span> <span class="s">release-name-metrics-server</span> <span class="na">priorityClassName</span><span class="pi">:</span> <span class="s2">"</span><span class="s">system-cluster-critical"</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">metrics-server</span> <span class="na">securityContext</span><span class="pi">:</span> <span class="na">allowPrivilegeEscalation</span><span class="pi">:</span> <span class="no">false</span> <span class="na">readOnlyRootFilesystem</span><span class="pi">:</span> <span class="no">true</span> <span class="na">runAsNonRoot</span><span class="pi">:</span> <span class="no">true</span> <span class="na">runAsUser</span><span class="pi">:</span> <span class="m">1000</span> <span class="na">image</span><span class="pi">:</span> <span class="s">k8s.gcr.io/metrics-server/metrics-server:v0.5.0</span> <span class="na">imagePullPolicy</span><span class="pi">:</span> <span class="s">IfNotPresent</span> <span class="na">args</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">--cert-dir=/tmp</span> <span class="pi">-</span> <span class="s">--secure-port=4443</span> <span class="pi">-</span> <span class="s">--kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname</span> <span class="pi">-</span> <span class="s">--kubelet-use-node-status-port</span> <span class="pi">-</span> <span class="s">--metric-resolution=15s</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">https</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">TCP</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">4443</span> <span class="na">livenessProbe</span><span class="pi">:</span> <span class="na">failureThreshold</span><span class="pi">:</span> <span class="m">3</span> <span class="na">httpGet</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/livez</span> <span class="na">port</span><span class="pi">:</span> <span class="s">https</span> <span class="na">scheme</span><span class="pi">:</span> <span class="s">HTTPS</span> <span class="na">initialDelaySeconds</span><span class="pi">:</span> <span class="m">0</span> <span class="na">periodSeconds</span><span class="pi">:</span> <span class="m">10</span> <span class="na">readinessProbe</span><span class="pi">:</span> <span class="na">failureThreshold</span><span class="pi">:</span> <span class="m">3</span> <span class="na">httpGet</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/readyz</span> <span class="na">port</span><span class="pi">:</span> <span class="s">https</span> <span class="na">scheme</span><span class="pi">:</span> <span class="s">HTTPS</span> <span class="na">initialDelaySeconds</span><span class="pi">:</span> <span class="m">20</span> <span class="na">periodSeconds</span><span class="pi">:</span> <span class="m">10</span> <span class="na">volumeMounts</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">tmp</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/tmp</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">tmp</span> <span class="na">emptyDir</span><span class="pi">:</span> <span class="pi">{}</span> <span class="nn">---</span> <span class="c1"># Source: kubernetes-dashboard/charts/metrics-server/templates/apiservice.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apiregistration.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">APIService</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">v1beta1.metrics.k8s.io</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">helm.sh/chart</span><span class="pi">:</span> <span class="s">metrics-server-3.5.0</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">metrics-server</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/version</span><span class="pi">:</span> <span class="s2">"</span><span class="s">0.5.0"</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="s">Helm</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">group</span><span class="pi">:</span> <span class="s">metrics.k8s.io</span> <span class="na">groupPriorityMinimum</span><span class="pi">:</span> <span class="m">100</span> <span class="na">insecureSkipTLSVerify</span><span class="pi">:</span> <span class="no">true</span> <span class="na">service</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-metrics-server</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">default</span> <span class="na">version</span><span class="pi">:</span> <span class="s">v1beta1</span> <span class="na">versionPriority</span><span class="pi">:</span> <span class="m">100</span> </code></pre> </div> <p>Hmm, quite a lot of objects. This is because the templating command rendered both the HULL default RBAC objects as well as the <code>metrics-server</code> subchart default objects. Since we did not explicitly enable the deployment of the <code>metrics-server</code> subchart this may be considered a Helm bug, however let us just disable the <code>metrics-server</code> chart deployment for this tutorial by typing:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">echo</span> <span class="s1">'metrics-server: enabled: false'</span> <span class="o">&gt;</span> values.yaml </code></pre> </div> <p>Editing the <code>values.yaml</code> has the direct effect on the output that <code>metrics-server</code> subchart deployment is disabled. Now the <code>helm template .</code> output should only contain the HULL objects which are created by default. </p> <p>You can verify this by entering again:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>helm template <span class="nb">.</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="nn">---</span> <span class="c1"># Source: kubernetes-dashboard/templates/hull.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ServiceAccount</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">default</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="s">Helm</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="na">app.kubernetes.io/part-of</span><span class="pi">:</span> <span class="s">undefined</span> <span class="na">app.kubernetes.io/version</span><span class="pi">:</span> <span class="s">2.5.0</span> <span class="na">helm.sh/chart</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-5.2.0</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-default</span> <span class="nn">---</span> <span class="c1"># Source: kubernetes-dashboard/templates/hull.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Role</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">default</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="s">Helm</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="na">app.kubernetes.io/part-of</span><span class="pi">:</span> <span class="s">undefined</span> <span class="na">app.kubernetes.io/version</span><span class="pi">:</span> <span class="s">2.5.0</span> <span class="na">helm.sh/chart</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-5.2.0</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-default</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">[]</span> <span class="nn">---</span> <span class="c1"># Source: kubernetes-dashboard/templates/hull.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">RoleBinding</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">default</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="s">Helm</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="na">app.kubernetes.io/part-of</span><span class="pi">:</span> <span class="s">undefined</span> <span class="na">app.kubernetes.io/version</span><span class="pi">:</span> <span class="s">2.5.0</span> <span class="na">helm.sh/chart</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-5.2.0</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-default</span> <span class="na">roleRef</span><span class="pi">:</span> <span class="na">apiGroup</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Role</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-default</span> <span class="na">subjects</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ServiceAccount</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-default</span> </code></pre> </div> <p>There is already a lot you can gather from this output. One thing you may ask is: why are there already objects created while I haven't even defined anything yet? That's because by default, HULL will render a 'default' set of RBAC objects which you can use and fine-tune for your application. The objects that are automatically created are:</p> <ul> <li>a default ServiceAccount with name <code>&lt;release-name&gt;-&lt;chart-name&gt;-default</code> which is preconfigured for all pods as the <code>serviceAccountName</code> to use</li> <li>a default Role with name <code>&lt;release-name&gt;-&lt;chart-name&gt;-default</code> which initially has no rules but you can easily add them as needed</li> <li>a default RoleBinding with name <code>&lt;release-name&gt;-&lt;chart-name&gt;-default</code> that connects the <code>&lt;release-name&gt;-&lt;chart-name&gt;-default</code> Role with the <code>&lt;release-name&gt;-&lt;chart-name&gt;-default</code> ServiceAccount</li> </ul> <p>This is like RBAC bootstraping which you can build upon easily - but you may have different needs so if this setup does not fit your usecase, you can disable this default set of RBAC objects and specify different RBAC objects more tailored to your needs. The investigation of options for RBAC configuration are the subject of an upcoming tutorial in this series.</p> <p>However, while using RBAC is the default with HULL you can also optionally turn off the rendering of RBAC objects all together if that is what you want (of course not recommended :) ). HULL offers the following chart global switch to opt out of RBAC and if <code>false</code> RBAC related objects will not be rendered anymore:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">hull</span><span class="pi">:</span> <span class="na">config</span><span class="pi">:</span> <span class="na">general</span><span class="pi">:</span> <span class="na">rbac</span><span class="pi">:</span> <span class="no">false</span> </code></pre> </div> <h3> Inspecting the autogenerated metadata </h3> <p>Another standout aspect here is the autogenerated metadata for all objects which adheres to the <a href="https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/">best practice Kubernetes metadata definition</a> and <a href="https://helm.sh/docs/chart_best_practices/labels/#standard-labels">Helm's recommendation on the subject matter</a>. Using HULL you get this default metadata created without you having to do anything and on top of this it is easy to <a href="https://github.com/vidispine/hull/tree/main/hull#advanced-example">enrich all objects or objects of a particular type or just individual objects with metadata even further</a> which is also covered in the remainder of this tutorial. </p> <p>For example, check out the <code>metadata</code> block of the ServiceAccount that was rendered:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="nn">---</span> <span class="c1"># Source: kubernetes-dashboard/templates/hull.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ServiceAccount</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/component</span><span class="pi">:</span> <span class="s">default</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="s">release-name</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="s">Helm</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">kubernetes-dashboard</span> <span class="na">app.kubernetes.io/part-of</span><span class="pi">:</span> <span class="s">undefined</span> <span class="na">app.kubernetes.io/version</span><span class="pi">:</span> <span class="s">2.5.0</span> <span class="na">helm.sh/chart</span><span class="pi">:</span> <span class="s">kubernetes-dashboard-5.2.0</span> <span class="na">name</span><span class="pi">:</span> <span class="s">release-name-kubernetes-dashboard-default</span> </code></pre> </div> <p>Autogenerating standard metadata and being able to define inheritable metadata is a convenience feature that enforces uniformity of objects and thus simplifies operations on them.</p> <h2> Wrap up </h2> <p>That's it for Part 2, <a href="https://dev.to/gre9ory/hull-tutorial-03-integrating-configmaps-and-secrets-47o1">Part 3 looks at ConfigMaps and Secrets</a> and you will add your first custom objects to the <code>kubernetes-dashboard-hull</code> Helm chart! You can check out the complete code created so far as the outcome of this Part 2 <a href="https://github.com/vidispine/hull-tutorials/tree/test/dev-to/kubernetes-dashboard-hull/02_setup">here</a>.</p> <p>Thanks a lot for reading! Hope to see you in Part 3!</p> HULL Tutorial 01: Introducing HULL, the Helm Universal Layer Library gre9ory Tue, 31 May 2022 11:23:28 +0000 https://dev.to/gre9ory/hull-tutorial-01-introducing-hull-the-helm-universal-layer-library-4njb https://dev.to/gre9ory/hull-tutorial-01-introducing-hull-the-helm-universal-layer-library-4njb <h2> Introduction </h2> <p>The goal of this series of articles is to introduce the features and explain the functionality of the Helm Universal Layer Library - in short HULL. It is a Helm library chart which can help in efficiently creating and managing applications in Kubernetes. The HULL project is open source and you can find it on GitHub:</p> <div class="ltag-github-readme-tag"> <div class="readme-overview"> <h2> <img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev.to%2Fassets%2Fgithub-logo-5a155e1f9a670af7944dd5e12375bc76ed542ea80224905ecaf878b9157cdefc.svg" alt="GitHub logo"> <a href="https://github.com/vidispine" rel="noopener noreferrer"> vidispine </a> / <a href="https://github.com/vidispine/hull" rel="noopener noreferrer"> hull </a> </h2> <h3> The incredible HULL - Helm Uniform Layer Library - is a Helm library chart to improve Helm chart based workflows </h3> </div> <div class="ltag-github-body"> <div id="readme" class="md"> <div class="markdown-heading"> <h1 class="heading-element">HULL - Helm Uniform Layer Library</h1> </div> <p>This repository contains the HULL Helm library chart. It is designed to ease building, maintaining and configuring Kubernetes objects in Helm charts and can be added to any Helm chart as an addon to enhance functionality without any risk of breaking existing Helm chart configurations.</p> <p>The chart itself and all documentation related to it can be found in the <a href="https://github.com/vidispine/hullhull" rel="noopener noreferrer"><code>hull</code></a> folder which is the root folder of the HULL library helm chart.</p> <p>The Kubernetes API JSON Schemas are stored in the <a href="https://github.com/vidispine/hullkubernetes-json-schema" rel="noopener noreferrer"><code>kubernetes-json-schema</code></a> folder.</p> <p><a href="https://dev.azure.com/arvato-systems-dmm/VPMS3%20CrossCutting/_build/latest?definitionId=589&amp;branchName=release-1.31" rel="nofollow noopener noreferrer"><img src="https://camo.githubusercontent.com/d40d44427a6810903971e7bcda6e9be3548172968aee204f05a10cd2c1eb6537/68747470733a2f2f6465762e617a7572652e636f6d2f61727661746f2d73797374656d732d646d6d2f56504d533325323043726f737343757474696e672f5f617069732f6275696c642f7374617475732f48554c4c2f766964697370696e652e68756c6c2e72656c656173653f6272616e63684e616d653d72656c656173652d312e3331" alt="Build Status"></a></p> <p>Below is the HULL charts <a href="https://github.com/vidispine/hull/hull/README.md" rel="noopener noreferrer"><code>README.md</code></a>:</p> <blockquote> <p>Abstractions need to be maintained - Kelsey Hightower</p> </blockquote> <div class="markdown-heading"> <h2 class="heading-element">Introduction</h2> </div> <p>One major design aspect of <a href="https://helm.sh" rel="nofollow noopener noreferrer">Helm</a> is that it forces the user to create individual abstractions of the Kubernetes configuration of applications. For each individual Helm Chart that is realized in form of YAML templates in a <a href="https://helm.sh/docs/topics/charts/" rel="nofollow noopener noreferrer">Helm charts</a> <code>/templates</code> folder. These template files, containing…</p> </div> </div> <div class="gh-btn-container"><a class="gh-btn" href="https://github.com/vidispine/hull" rel="noopener noreferrer">View on GitHub</a></div> </div> <p>If you are unfamiliar with the terms Helm and Kubernetes a brief introduction will follow. However if you have no experience with Kubernetes and Helm it is recommended to study and get practical experience first before proceeding with the tutorials because some familarity with the concepts is required to follow the article(s). </p> <p><a href="https://kubernetes.io" rel="noopener noreferrer">Kubernetes</a> is the defacto standard in modern application deployment and management, especially in the cloud. <a href="https://helm.sh" rel="noopener noreferrer">Helm</a> is a wide-spread tool for packaging and managing Kubernetes applications in form of so-called Helm Charts. Helm supports the concept of 'Library' charts which in itself do not contain deployable objects but only helper funcions to foster Helm chart creation and configuration. HULL falls into this category and can be thought of as an extension or plugin to Helm.</p> <p>Before getting started with creating a real-life HULL based Helm chart step-by-step in the next articles of this series, some light shall be shed on the concept of HULL and how it affects the Helm Chart based workflow in this introduction. Feel free to skip to the next article in the series if you like to start more practically. Yet it is recommended read on to have an idea why you might want to use HULL (or why not).</p> <h2> Chart design with Helm </h2> <p>Kubernetes objects are typically defined as YAML files and submitting these YAML files to the Kubernetes API (for example via <a href="https://kubernetes.io/docs/tasks/tools/#kubectl" rel="noopener noreferrer">kubectl</a> commands) will create them as entities in the Kubernetes cluster. An application normally will consist of multiple objects such as Deployments, ConfigMaps, Ingresses and so on. Helm expects all the YAML files it needs to deploy to be created in the <a href="https://helm.sh/docs/chart_template_guide/getting_started/" rel="noopener noreferrer"><code>/templates</code> folder</a> of a Helm chart which is to be deployed.</p> <p>Building a Helm chart now starts at defining which Kubernetes objects need to be created and which means to adapt them need to be provided in order to be able to run your application under a variety of conditions. Helm charts need to be deployable to different environments such as development, staging or production where different endpoints, credentials, resource sizings etc. all need to be configurable. Or simply think about cloud versus on premise systems where different rules apply in terms of networking, load balancing and scaling. All these aspects need to be tweakable in your applications Helm chart if your application is intended for wide-spread usability.</p> <p>With plain Helm, technically all objects that may be created under a certain scenario need to be scaffolded in the <code>/templates</code> folder in form of Kubernetes YAML files. To exactly control the logic of which files need to be deployed and which values need to be modified in a particular system, Helm integrates a templating language (<a href="https://helm.sh/docs/chart_template_guide/function_list/" rel="noopener noreferrer">Go templating in this case</a>). Using templating expressions in the Kubernetes YAML files it becomes possible to influence the templating logic and produce valid Kubernetes YAML files for a particular scenario (given that the scenario was considered when designing the chart).</p> <p>The external source for controling the templating logic is in the first step the so-called <a href="https://helm.sh/docs/chart_template_guide/values_files/" rel="noopener noreferrer"><code>values.yaml</code> file</a> which is contained in each Helm chart. It serves multiple purposes in reality:</p> <ul> <li>provide reasonable defaults that should satisfy most system needs → defaulting </li> <li>provide an overview of the configuration options a particular Helm chart aims to implement → documentation purpose</li> </ul> <p>The <code>values.yaml</code> should never be modified itself on deployment for a particular system, it is a static artifact which itself can be modified by overlaying a system-specific configuration file that holds the deviations from the defaults which are required for a particular deployment scenario. Technically the additional system-specific configuration file must match the YAML structure of the <code>values.yaml</code> so its content can be merged with that of the <code>values.yaml</code>. It is even possible to provide multiple system-specific configuration files which will be merged in a defined order. The overlaying configuration files always have precedence over the defaults naturally.</p> <p>For visualization consider some example mappings of a fictitious Helm chart with one deployment and a configmap in the <code>/templates</code> folder:</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fax7ahsixjmxl2kx12l0z.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fax7ahsixjmxl2kx12l0z.png" alt="Regular Helm Chart Workflow"></a></p> <p>The following can be deduced from the example shown above:</p> <ul> <li>the more objects my application requires the more template files need to be created</li> <li>with each template file a significant amount of boilerplate YAML structure needs to be created</li> <li>the more aspects of objects that require controlling, the more mappings need to be manually defined</li> <li>there is no fixed naming relation between source values in <code>values.yaml</code> and the targeted values in the templates.</li> </ul> <h3> The Good </h3> <h4> Flexibility </h4> <p>The most positive aspects of the above outlined approach is full flexibility in defining what the mappings shall do. Hence it is possible to control aspects of:</p> <ul> <li>multiple objects with a single configuration value (1:n)</li> <li>single objects with a combination of multiple configuration values (n:1)</li> <li>multiple objects with combination of multiple configuration values (n:n)</li> </ul> <p>Basically anything is possible but must be explicitly realized by writing the templating logic - even the most simple 1:1 projections. Each Helm chart has in that sense its own individual API which can be tailored towards the usage of the application. </p> <h3> The Bad </h3> <h4> Implementation </h4> <p>While the Helm mapping flexibility shines when complex application configurations are required, it cannot on the other hand work without existance of explicit mappings. Considering that within a regular Helm chart typically a significant number of the implemented mappings are rather simple 1:1 mappings between <code>values.yaml</code> properties and single object fields involving no further logic, the Helm mapping approach adds a noticeable overhead to chart writing. For each mapping or projection, template files for the objects need to be created, the templating logic needs to be inserted correctly and the <code>values.yaml</code> needs to be updated to indicate the mappable property and the underlying logic needs to be documented.</p> <h4> Maintenance </h4> <p>As seen there is a significant amount of manual caretaking required when developing and maintaining a Helm chart this way. Consider a real life Helm chart having dozens of objects with hundreds of YAML lines where many mapped values in the templates may need configuring. Furthermore often configurable options on objects are left out initially because they are either not as relevant as others to the chart creator or out of laziness. If someone needs to configure such an option for his deployment scenario the chart needs to be adapted by either submitting a pull request, local forking or any other similar method.</p> <h4> Intransparency </h4> <p>From the perspective of someone who is proficient with Kubernetes it is often unnecessarily unclear how to achieve the desired Kubernetes object configuration without inspection of the mappings between <code>values.yaml</code> and the templates. In this sense, each Helm chart has its own unique API which requires analysis to understand the effects configuration changes in <code>values.yaml</code> have on the templates. The documentation of this interface, the <code>values.yaml</code> comments, often lack in explaining the effects that setting a specific property has on the generated templates. Meanwhile certain conventions have been established that can be found in multiple charts but there is no guarantee that an identical named property in <code>values.yaml</code> will have the same effect in different charts.</p> <h2> What is the difference when using HULL? </h2> <p><a href="https://github.com/vidispine/hull" rel="noopener noreferrer">The HULL library Helm chart</a> provides a single common interface to specifying Kubernetes objects within Helm Charts. The interface itself is based on the Kubernetes API schema itself which is integrated as a JSON schema in the HULL chart. Since all objects are defined directly in the values.yaml under the <code>hull</code> key there is no need to create and maintain custom template files when creating objects with HULL, everything happens in the <code>values.yaml</code>.</p> <p>The following diagram sketches how the <code>myapp</code> Helm chart would be built and processed when using HULL:</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhqt7p05knbxyw6jygind.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhqt7p05knbxyw6jygind.png" alt="HULL Helm Chart Workflow"></a></p> <p>Being able to directly manipulate any object's property is advantageous in getting rid of the need for implementing explicit mappings, but it would alone not be sufficient to model more complex aspects such as the mentioned 1:n, n:1 or n:n mappings. To cater for this, HULL integrates a unique mechanism called <a href="https://github.com/vidispine/hull/blob/main/hull/doc/transformations.md" rel="noopener noreferrer">HULL transformations</a> to also allow integrating Go Templating expressions into the <code>values.yaml</code> itself without violating the constraint that the <code>values.yaml</code> file must be valid YAML.</p> <p>This means you bascially have the same toolset available as with the regular Helm chart workflow but you can restrict yourself to only model configurational relations where it is useful or required. There is no need to model all exposed object properties explicitly, resulting in the amount of code to maintain within a Helm chart to be reduced drastically. Depending on application structure more than 50% of overall lines of configuration code can be saved when building a Helm chart with HULL.</p> <h3> So why would you want to choose using HULL? </h3> <p>The strengths of the HULL based approach are:</p> <ul> <li><p>having less work when creating or maintaing a larger number of Helm charts since HULL based charts reduce the 'boilerplating' of template files to a minimum. Only explicitly model what you actually want or need to model explicitly saves time and effort in chart creation.</p></li> <li><p>giving the chart users the full flexibility to configure all aspects of any Kubernetes objects right away without having to patch an existing Helm chart.</p></li> <li><p>providing convenience features that simplify common tasks in the context of Helm chart creation. Automatic creation of extensive metadata is done without additional effort and including external files is done within a few lines of configuration.</p></li> </ul> <p>So whenever you either maintain many not overly complex Helm charts and want to have a fully flexible, maintanable, documented and common interface to all of them, HULL may be the right choice for you.</p> <p>If on the other hand you manage a single or small number of Helm chart(s) for your company to be deployed to a limited number of environments you might not benefit as much from building charts around HULL though because the benefit pays of when you have to scale the chart creation process.</p> <h2> Wrap Up </h2> <p>Thanks for reading and hoping this sparked your interest. If you'd like to please <a href="https://dev.to/gre9ory/hull-tutorial-02-setting-up-a-helm-chart-based-on-hull-md2">proceed with the tutorial on chart building with HULL</a> where the popular <a href="https://artifacthub.io/packages/helm/k8s-dashboard/kubernetes-dashboard" rel="noopener noreferrer"><code>kubernetes-dashboard</code> Helm chart</a> is being 'reinterpreted' using HULL to showcase its applicability to real life use cases!</p> kubernetes devops helm