apache · mluds · Jul 27, 2020 · Jan 4, 2021 · Feb 5, 2021 · Feb 16, 2021
diff --git a/helm/openwhisk/configMapFiles/dockerLogin/dockerLogin.sh b/helm/openwhisk/configMapFiles/dockerLogin/dockerLogin.sh
@@ -0,0 +1 @@
+docker login $RUNTIMES_REGISTRY -u $RUNTIMES_REGISTRY_USERNAME -p $RUNTIMES_REGISTRY_PASSWORD
diff --git a/helm/openwhisk/configMapFiles/genCerts/gencerts.sh b/helm/openwhisk/configMapFiles/genCerts/gencerts.sh
@@ -19,7 +19,18 @@ if kubectl get secret $NGINX_CERT_SECRET; then
     echo "using existing $NGINX_CERT_SECRET secret"
 else
     echo "generating new $NGINX_CERT_SECRET secret"
-    genssl.sh "*.$WHISK_API_HOST_NAME" server /cert-gen
-    kubectl create secret tls $NGINX_CERT_SECRET --cert=/cert-gen/openwhisk-server-cert.pem --key=/cert-gen/openwhisk-server-key.pem
+
+    until genssl.sh "*.$WHISK_API_HOST_NAME" server /cert-gen
+    do
+        echo "Network not ready yet"
+        sleep 1
+    done
+
+    until kubectl create secret tls $NGINX_CERT_SECRET --cert=/cert-gen/openwhisk-server-cert.pem --key=/cert-gen/openwhisk-server-key.pem
+    do
+        echo "Network not ready yet"
+        sleep 1
+    done
 fi
 
+exit 0
diff --git a/helm/openwhisk/configMapFiles/initCouchDB/initdb.sh b/helm/openwhisk/configMapFiles/initCouchDB/initdb.sh
@@ -16,7 +16,11 @@
 #
 
 # Clone OpenWhisk to get the ansible playbooks needed to initialize CouchDB
-git clone https://github.com/apache/openwhisk /openwhisk
+until git clone https://github.com/apache/openwhisk /openwhisk
+do
+    echo "Network not ready yet"
+    sleep 1
+done
 pushd /openwhisk
     git checkout $OW_GIT_TAG_OPENWHISK
 popd
@@ -87,3 +91,4 @@ echo "Creating ow_kube_couchdb_initialized_marker database"
 curl --silent -X PUT -u "$COUCHDB_USER:$COUCHDB_PASSWORD" $DB_PROTOCOL://$DB_HOST:$DB_PORT/ow_kube_couchdb_initialized_marker || exit 1
 
 echo "successfully initialized CouchDB for OpenWhisk"
+exit 0
diff --git a/helm/openwhisk/configMapFiles/installPackages/myTask.sh b/helm/openwhisk/configMapFiles/installPackages/myTask.sh
@@ -24,7 +24,11 @@ export PROVIDER_DB_URL=$PROVIDER_DB_PROTOCOL://$PROVIDER_DB_USERNAME:$PROVIDER_D
 #####
 
 # Clone openwhisk repo to get installRouteMgmt.sh and core/routemgmt
-git clone https://github.com/apache/openwhisk openwhisk
+until git clone https://github.com/apache/openwhisk openwhisk
+do
+    echo "Network not ready yet"
+    sleep 1
+done
 pushd openwhisk
     git checkout $OW_GIT_TAG_OPENWHISK
     rm -f /openwhisk/ansible/files/auth.guest /openwhisk/ansible/files/auth.whisk.system

diff --git a/helm/openwhisk/templates/apigateway-pod.yaml b/helm/openwhisk/templates/apigateway-pod.yaml
@@ -56,6 +56,10 @@ spec:
             containerPort: {{ .Values.apigw.mgmtPort }}
           - name: api
             containerPort: {{ .Values.apigw.apiPort }}
+{{- if .Values.apigw.resources }}
+          resources:
+{{ toYaml .Values.apigw.resources | indent 12 }}
+{{- end }}
           env:
           - name: "REDIS_HOST"
             value: "{{ include "openwhisk.redis_host" . }}"
@@ -71,3 +75,9 @@ spec:
               configMapKeyRef:
                 name: {{ .Release.Name }}-whisk.config
                 key: whisk_internal_api_host_url
+{{- if .Values.apigw.secure }}
+          securityContext:
+            capabilities:
+              drop:
+                - all
+{{- end }}
diff --git a/helm/openwhisk/templates/controller-pod.yaml b/helm/openwhisk/templates/controller-pod.yaml
@@ -35,11 +35,14 @@ spec:
         name: {{ .Release.Name }}-controller
 {{ include "openwhisk.label_boilerplate" . | indent 8 }}
 
-      {{- if .Values.metrics.prometheusEnabled }}
       annotations:
+      {{- if .Values.metrics.prometheusEnabled }}
         prometheus.io/scrape: 'true'
         prometheus.io/port:   '{{ .Values.controller.port }}'
       {{- end }}
+      {{- if .Values.controller.secure }}
+        seccomp.security.alpha.kubernetes.io/pod: localhost/controller.json
+      {{- end }}
 
     spec:
       serviceAccountName: {{ .Release.Name }}-core
@@ -79,6 +82,11 @@ spec:
 {{- if .Values.controller.lean }}
         securityContext:
           privileged: true
+{{- else if .Values.controller.secure }}
+        securityContext:
+          capabilities:
+            drop:
+              - all
 {{- end }}
         command: ["/bin/bash", "-c", "/init.sh `hostname | awk -F '-' '{print $NF}'`"]
         ports:
@@ -107,6 +115,10 @@ spec:
           initialDelaySeconds: {{ .Values.probes.controller.readinessProbe.initialDelaySeconds }}
           periodSeconds: {{ .Values.probes.controller.readinessProbe.periodSeconds }}
           timeoutSeconds: {{ .Values.probes.controller.readinessProbe.timeoutSeconds }}
+{{- if .Values.controller.resources }}
+        resources:
+{{ toYaml .Values.controller.resources | indent 10 }}
+{{- end }}
         env:
         - name: "PORT"
           value: {{ .Values.controller.port | quote }}

diff --git a/helm/openwhisk/templates/frontdoor-secrets.yaml b/helm/openwhisk/templates/frontdoor-secrets.yaml
@@ -25,7 +25,7 @@ metadata:
 {{ include "openwhisk.label_boilerplate" . | indent 4 }}
 type: {{ .Values.whisk.ingress.tls.secrettype | quote }}
 data:
-  tls.crt: {{ .Values.whisk.ingress.tls.crt }}
-  tls.key: {{ .Values.whisk.ingress.tls.key }}
+  tls.crt: {{ .Values.whisk.ingress.tls.crt | b64enc }}
+  tls.key: {{ .Values.whisk.ingress.tls.key | b64enc }}
 {{- end}}
 {{- end }}
diff --git a/helm/openwhisk/templates/invoker-pod.yaml b/helm/openwhisk/templates/invoker-pod.yaml
@@ -43,12 +43,14 @@ spec:
       labels:
         name: {{ .Release.Name }}-invoker
 {{ include "openwhisk.label_boilerplate" . | indent 8 }}
-
-      {{- if .Values.metrics.prometheusEnabled }}
       annotations:
+      {{- if .Values.metrics.prometheusEnabled }}
         prometheus.io/scrape: 'true'
         prometheus.io/port:   '{{ .Values.invoker.port }}'
       {{- end }}
+      {{- if .Values.invoker.secure }}
+        seccomp.security.alpha.kubernetes.io/pod: localhost/invoker.json
+      {{- end }}
 
     spec:
 {{- if eq .Values.invoker.containerFactory.impl "kubernetes" }}
@@ -83,10 +85,17 @@ spec:
       - name: invoker
         image: "{{- .Values.docker.registry.name -}}{{- .Values.invoker.imageName -}}:{{- .Values.invoker.imageTag -}}"
         imagePullPolicy: {{ .Values.invoker.imagePullPolicy | quote }}
+        command:
+          - /bin/bash
+          - -c
+          -
 {{- if and (eq .Values.invoker.containerFactory.impl "docker") .Values.invoker.containerFactory.networkConfig.dns.inheritInvokerConfig }}
-        command: [ "/bin/bash", "-c", ". /invoker-scripts/configureDNS.sh && /init.sh --uniqueName $INVOKER_NAME" ]
-{{- else }}
-        command: [ "/bin/bash", "-c", "/init.sh --uniqueName $INVOKER_NAME" ]
+            . /invoker-scripts/configureDNS.sh &&
+{{- end }}
+            /init.sh --uniqueName $INVOKER_NAME
+{{- if .Values.invoker.resources }}
+        resources:
+{{ toYaml .Values.invoker.resources | indent 10 }}
 {{- end }}
         env:
           - name: "PORT"
@@ -211,8 +220,33 @@ spec:
             value: "{{ .Values.akka.actorSystemTerminateTimeout }}"
           - name: "CONFIG_whisk_runtime_delete_timeout"
             value: "{{ .Values.invoker.runtimeDeleteTimeout }}"
+{{- if ne .Values.docker.registry.name "" }}
+          - name: "RUNTIMES_REGISTRY"
+            value: "{{- .Values.docker.registry.name -}}"
+          - name: "RUNTIMES_REGISTRY_USERNAME"
+            valueFrom:
+              secretKeyRef:
+                name: {{ .Release.Name }}-docker.registry.auth
+                key: docker_registry_username
+          - name: "RUNTIMES_REGISTRY_PASSWORD"
+            valueFrom:
+              secretKeyRef:
+                name: {{ .Release.Name }}-docker.registry.auth
+                key: docker_registry_password
+{{- end }}
         ports:
         - name: invoker
           containerPort: {{ .Values.invoker.port }}
+{{- if .Values.invoker.secure }}
+        securityContext:
+          capabilities:
+            drop:
+              - all
+            add:
+              - SYS_ADMIN
+{{- range .Values.invoker.extraCaps }}
+              - {{ . }}
+{{- end }}
+{{- end }}
 {{ include "openwhisk.invoker.volume_mounts" . }}
 {{- end }}
diff --git a/helm/openwhisk/templates/kafka-pod.yaml b/helm/openwhisk/templates/kafka-pod.yaml
@@ -73,7 +73,10 @@ spec:
         ports:
         - containerPort: {{ .Values.kafka.port }}
           name: kafka
-
+{{- if .Values.kafka.resources }}
+        resources:
+{{ toYaml .Values.kafka.resources | indent 10 }}
+{{- end }}
         livenessProbe:
           tcpSocket:
             port: {{ .Values.kafka.port }}

diff --git a/helm/openwhisk/templates/nginx-pod.yaml b/helm/openwhisk/templates/nginx-pod.yaml
@@ -76,6 +76,10 @@ spec:
           containerPort: {{ .Values.nginx.httpPort }}
         - name: https
           containerPort: {{ .Values.nginx.httpsPort }}
+{{- if .Values.nginx.resources }}
+        resources:
+{{ toYaml .Values.nginx.resources | indent 10 }}
+{{- end }}
         volumeMounts:
         - name: nginx-conf
           mountPath: "/etc/nginx/nginx.conf"

diff --git a/helm/openwhisk/templates/redis-pod.yaml b/helm/openwhisk/templates/redis-pod.yaml
@@ -87,4 +87,8 @@ spec:
           ports:
           - name: redis
             containerPort: {{ .Values.redis.port }}
+{{- if .Values.redis.resources }}
+          resources:
+{{ toYaml .Values.redis.resources | indent 12 }}
+{{- end }}
 {{ end }}