# Deploy MetalLB
| |
| local kube = import "../../../kube/kube.libsonnet"; |
| |
// Bind ServiceAccount `sa` to ClusterRole `cr` via a ClusterRoleBinding that
// takes its name from the ClusterRole. The subject is fully qualified with the
// ServiceAccount's own namespace, so the binding does not depend on where it
// is evaluated.
local bindServiceAccountClusterRole(sa, cr) = (
  local subject = {
    kind: "ServiceAccount",
    name: sa.metadata.name,
    namespace: sa.metadata.namespace,
  };
  local roleRef = {
    apiGroup: "rbac.authorization.k8s.io",
    kind: "ClusterRole",
    name: cr.metadata.name,
  };
  kube.ClusterRoleBinding(cr.metadata.name) {
    roleRef: roleRef,
    subjects: [subject],
  }
);
| |
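{
  // Environment renders a MetalLB install: the namespace (optional), one
  // ServiceAccount per component, and the RBAC objects binding them.
  // Override `cfg` to change the namespace or to skip creating it.
  Environment: {
    local env = self,
    local cfg = env.cfg,
    cfg:: {
      // Namespace for all namespaced objects; also used as a prefix for the
      // ClusterRole names so that installs in different namespaces do not
      // collide on cluster-scoped names.
      namespace: "metallb-system",
      // Set to false when the namespace is managed outside this file.
      namespaceCreate: true,
    },

    // A jsonnet `if` without `else` evaluates to null when namespaceCreate is
    // false; presumably the consuming tooling drops null entries — verify.
    ns: if cfg.namespaceCreate then kube.Namespace(cfg.namespace),

    saController: kube.ServiceAccount("controller") {
      metadata+: { namespace: cfg.namespace },
    },

    saSpeaker: kube.ServiceAccount("speaker") {
      metadata+: { namespace: cfg.namespace },
    },

    // Cluster-wide permissions for the controller: read and update Services
    // and their status, and record events. `update` on services is the only
    // write verb granted on a user-facing resource here.
    crController: kube.ClusterRole("%s:controller" % cfg.namespace) {
      rules: [
        { apiGroups: [""], resources: ["services"], verbs: ["get", "list", "watch", "update"] },
        { apiGroups: [""], resources: ["services/status"], verbs: ["update"] },
        { apiGroups: [""], resources: ["events"], verbs: ["create", "patch"] },
      ],
    },

    crbController: bindServiceAccountClusterRole(env.saController, env.crController),

    // Cluster-wide permissions for the speaker are read-only (get/list/watch
    // on Services, Endpoints and Nodes).
    crSpeaker: kube.ClusterRole("%s:speaker" % cfg.namespace) {
      rules: [
        { apiGroups: [""], resources: ["services", "endpoints", "nodes"], verbs: ["get", "list", "watch"] },
      ],
    },

    crbSpeaker: bindServiceAccountClusterRole(env.saSpeaker, env.crSpeaker),

    // Namespaced permissions shared by both components: read ConfigMaps and
    // create events, scoped to the install namespace only.
    roleWatcher: kube.Role("config-watcher") {
      metadata+: { namespace: cfg.namespace },
      rules: [
        { apiGroups: [""], resources: ["configmaps"], verbs: ["get", "list", "watch"] },
        { apiGroups: [""], resources: ["events"], verbs: ["create"] },
      ],
    },

    rbWatcher: kube.RoleBinding("config-watcher") {
      metadata+: { namespace: cfg.namespace },
      // Subjects carry the ServiceAccount's namespace explicitly, matching the
      // shape bindServiceAccountClusterRole produces, instead of relying on
      // the authorizer defaulting an unqualified ServiceAccount subject to the
      // binding's namespace.
      subjects: [
        {
          kind: "ServiceAccount",
          name: env.saController.metadata.name,
          namespace: env.saController.metadata.namespace,
        },
        {
          kind: "ServiceAccount",
          name: env.saSpeaker.metadata.name,
          namespace: env.saSpeaker.metadata.namespace,
        },
      ],
      roleRef: {
        apiGroup: "rbac.authorization.k8s.io",
        kind: "Role",
        name: env.roleWatcher.metadata.name,
      },
    },
  },
}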