diff --git a/infra/helm/scc-monitoring/README.md b/infra/helm/scc-monitoring/README.md
new file mode 100644
index 000000000..a0134aaa8
--- /dev/null
+++ b/infra/helm/scc-monitoring/README.md
@@ -0,0 +1,13 @@
+# 모니터링 Chart 배포
+
+secret 을 helm value 혹은 ENV 로 주입하여 배포되도록 하려고 했으나 마땅한 방법이 없어서 일단 --set 옵션으로 배포합니다.
+
+```bash
+helm --namespace scc-monitoring \
+ -f values.yaml \
+ upgrade --install scc-monitoring ./ \
+ --set openobserve-collector.exporters."otlphttp/openobserve".endpoint={secret.yaml 참조} \
+ --set openobserve-collector.exporters."otlphttp/openobserve".headers.Authorization="{secret.yaml 참조}" \
+ --set openobserve-collector.exporters."otlphttp/openobserve_k8s_events".endpoint={secret.yaml 참조} \
+ --set openobserve-collector.exporters."otlphttp/openobserve_k8s_events".headers.Authorization="{secret.yaml 참조}"
+```
\ No newline at end of file
diff --git a/infra/helm/scc-monitoring/templates/configmap-for-secret.yaml b/infra/helm/scc-monitoring/templates/configmap-for-secret.yaml
deleted file mode 100644
index 24c1b5f8b..000000000
--- a/infra/helm/scc-monitoring/templates/configmap-for-secret.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: {{ include "scc-monitoring.fullname" . }}-for-secret
- labels:
- {{- include "scc-monitoring.labels" . | nindent 4 }}
- annotations:
- "helm.sh/hook": pre-install,pre-upgrade
- "helm.sh/hook-weight": "10"
-data:
- secret-raw.yaml: |-
-{{ printf "%s/secret.yaml" .Values.filesDir | .Files.Get | indent 4 }}
diff --git a/infra/helm/scc-monitoring/templates/deploy-secret-job.yaml b/infra/helm/scc-monitoring/templates/deploy-secret-job.yaml
deleted file mode 100644
index f8422fc80..000000000
--- a/infra/helm/scc-monitoring/templates/deploy-secret-job.yaml
+++ /dev/null
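Review bot: The documented command passes the OpenObserve `Authorization` header through `--set`, which leaves the token in the operator's shell history and in the argument list visible to `ps` while Helm runs, and Helm additionally keeps every supplied value in the release record, so anyone who can run `helm get values` in the namespace can read it back. Since the chart already relied on SOPS, the README could instead pipe the decrypted values file in, e.g. `sops -d secret.yaml | helm --namespace scc-monitoring upgrade --install scc-monitoring ./ -f values.yaml -f -` (Helm 3 reads stdin for `-f -`), with `secret.yaml` laid out as the `openobserve-collector.exporters` subtree, which also removes the need for the four hand-copied `--set` lines. If `--set` is kept, `--set-string` prevents type coercion of the values, and a `,` inside a token has to be escaped as `\,` because `--set` splits on commas; the `"..."` around `otlphttp/openobserve` are removed by the shell before Helm parses the key, so they only document intent. The file is also missing its trailing newline.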
@@ -1,68 +0,0 @@
-apiVersion: batch/v1
-kind: Job
-metadata:
- name: {{ include "scc-monitoring.fullname" . }}-deploy-secret-job
- annotations:
- "helm.sh/hook": pre-install,pre-upgrade
- "helm.sh/hook-weight": "20"
-spec:
- template:
- spec:
- serviceAccountName: {{ include "scc-monitoring.serviceAccountName" . }}-deploy-secret
- securityContext:
- {{- toYaml .Values.podSecurityContext | nindent 8 }}
- containers:
- - name: {{ .Chart.Name }}
- image: "mozilla/sops:v3-alpine"
- imagePullPolicy: IfNotPresent
- command: ["/bin/sh"]
- args:
- -c
- |-
- wget "https://dl.k8s.io/release/$(wget https://dl.k8s.io/release/stable.txt -O-)/bin/linux/amd64/kubectl" &&
- chmod u+x kubectl &&
- wget https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 -O /usr/bin/yq &&
- chmod +x /usr/bin/yq &&
- mkdir secret &&
- sops -d /app/conf/secret-raw.yaml > secret/secret.yaml &&
- echo 'apiVersion: v1
- kind: Secret
- metadata:
- name: scc-monitoring-secret
- namespace: scc-monitoring
- type: Opaque
- stringData: {}' > scc-monitoring-secret.yaml &&
- yq -i ".stringData += $(yq secret/secret.yaml -o json)" scc-monitoring-secret.yaml &&
- ./kubectl apply -f scc-monitoring-secret.yaml
-# ./kubectl create secret generic {{ include "scc-monitoring.fullname" . 
}}-secret --from-file=secret/secret.yaml --dry-run=client -o yaml | ./kubectl apply -f -
-# TODO: kubectl을 이미지에 미리 깔아놓기
- env:
- - name: AWS_STS_REGIONAL_ENDPOINTS
- value: regional
- - name: AWS_REGION
- value: ap-northeast-2
- - name: AWS_ROLE_ARN
- value: "{{ .Values.deploySecret.awsRoleArn }}"
- - name: AWS_WEB_IDENTITY_TOKEN_FILE
- value: /var/run/secrets/eks.amazonaws.com/serviceaccount/token
- volumeMounts:
- - name: aws-iam-token
- mountPath: /var/run/secrets/eks.amazonaws.com/serviceaccount
- readOnly: true
- - name: config-volume
- mountPath: /app/conf
- readOnly: true
- volumes:
- - name: aws-iam-token
- projected:
- defaultMode: 420
- sources:
- - serviceAccountToken:
- audience: sts.amazonaws.com
- expirationSeconds: 86400
- path: token
- - name: config-volume
- configMap:
- name: {{ include "scc-monitoring.fullname" . }}-for-secret
- restartPolicy: Never
- backoffLimit: 3
diff --git a/infra/helm/scc-monitoring/templates/deploy-secret-serviceaccount.yaml b/infra/helm/scc-monitoring/templates/deploy-secret-serviceaccount.yaml
deleted file mode 100644
index 6cefbbd5b..000000000
--- a/infra/helm/scc-monitoring/templates/deploy-secret-serviceaccount.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: {{ include "scc-monitoring.serviceAccountName" . }}-deploy-secret
- annotations:
- "helm.sh/hook": pre-install,pre-upgrade
- "helm.sh/hook-weight": "10"
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: create-secrets
- annotations:
- "helm.sh/hook": pre-install,pre-upgrade
- "helm.sh/hook-weight": "10"
-rules:
- - apiGroups: [""] # "" indicates the core API group
- resources: ["secrets"]
- verbs: ["create", "patch", "get"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: create-secrets-to-{{ include "scc-monitoring.serviceAccountName" . }}-deploy-secret
- annotations:
- "helm.sh/hook": pre-install,pre-upgrade
- "helm.sh/hook-weight": "10"
-subjects:
- - kind: ServiceAccount
- name: {{ include "scc-monitoring.serviceAccountName" . }}-deploy-secret
-roleRef:
- kind: Role
- name: create-secrets
- apiGroup: rbac.authorization.k8s.io
diff --git a/infra/terraform/scc/iam.tf b/infra/terraform/scc/iam.tf
index c0b0d4386..ad9d19b8b 100644
--- a/infra/terraform/scc/iam.tf
+++ b/infra/terraform/scc/iam.tf
@@ -58,7 +58,6 @@ data "aws_iam_policy_document" "scc_deploy_secret" {
 values = [
 "system:serviceaccount:scc:scc-server-deploy-secret",
 "system:serviceaccount:scc-redash:scc-redash-deploy-secret",
-"system:serviceaccount:scc-monitoring:scc-monitoring-deploy-secret",
 ]
 }
 }