hotfix: add cmd once for generate tls cert after helm installed (#657)

* hotfix: add cmd once for generate tls cert after helm installed * hotfix: update scale * hotfix: update scale * hotfix: fix bugs * hotfix: print * feat: add role for get cidr * feat: add --image options for cmd once * feat: add role watch pod * feat: filter api-server
2025-12-24 11:51:13 +08:00 · 2025-06-26 11:08:42 +08:00
parent 4021480ad5
commit f14d074417
11 changed files with 235 additions and 97 deletions
--- a/charts/kubevpn/templates/job.yaml
+++ b/charts/kubevpn/templates/job.yaml
@@ -32,42 +32,7 @@ spec:
          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
          imagePullPolicy: {{ .Values.image.pullPolicy }}
          command:
-            - /bin/bash
-            - -c
-          args:
-            - |2-
-
-              echo "Label namespace {{ include "kubevpn.namespace" . }}"
-              kubectl label ns {{ include "kubevpn.namespace" . }} ns={{ include "kubevpn.namespace" . }}
-
-              echo "Generating https certificate"
-              openssl req -x509 -nodes -days 36500 -newkey rsa:2048 -subj "/CN={{ include "kubevpn.fullname" . }}.{{ include "kubevpn.namespace" . }}" -addext "subjectAltName=DNS:{{ include "kubevpn.fullname" . }}.{{ include "kubevpn.namespace" . }}.svc.cluster.local,DNS:{{ include "kubevpn.fullname" . }}.{{ include "kubevpn.namespace" . }}.svc,DNS:{{ include "kubevpn.fullname" . }}.{{ include "kubevpn.namespace" . }},DNS:localhost,IP:127.0.0.1" -keyout server.key -out server.crt
-
-              export TLS_CRT=$(cat server.crt | base64 | tr -d '\n')
-              echo "Patch mutatingwebhookconfigurations {{ include "kubevpn.fullname" . }}.{{ include "kubevpn.namespace" . }}"
-              kubectl patch mutatingwebhookconfigurations {{ include "kubevpn.fullname" . }}.{{ include "kubevpn.namespace" . }} -p "{\"webhooks\":[{\"name\":\"{{ include "kubevpn.fullname" . }}.naison.io\",\"sideEffects\":\"None\",\"admissionReviewVersions\":[\"v1\", \"v1beta1\"],\"clientConfig\":{\"service\":{\"namespace\":\"{{ include "kubevpn.namespace" . }}\",\"name\":\"{{ include "kubevpn.fullname" . }}\"},\"caBundle\":\"$TLS_CRT\"}}]}"
-
-              export TLS_KEY=$(cat server.key | base64 | tr -d '\n')
-              echo "Patch secret {{ include "kubevpn.fullname" . }}"
-              kubectl patch secret {{ include "kubevpn.fullname" . }} -n {{ include "kubevpn.namespace" . }} -p "{\"data\":{\"tls_key\":\"$TLS_KEY\",\"tls_crt\":\"$TLS_CRT\"}}"
-
-              echo "Restart the pods..."
-              kubectl scale -n {{ include "kubevpn.namespace" . }} --replicas=0 deployment/{{ include "kubevpn.fullname" . }}
-              kubectl scale -n {{ include "kubevpn.namespace" . }} --replicas=1 deployment/{{ include "kubevpn.fullname" . }}
-
-              export POOLS=$(kubectl get cm {{ include "kubevpn.fullname" . }} -n {{ include "kubevpn.namespace" . }} -o jsonpath='{.data.IPv4_POOLS}')
-              if [[ -z "${POOLS// }" ]];then
-                echo "Cidr is empty"
-                echo "Get pod cidr..."
-                export POD_CIDR=$(kubectl get nodes -o jsonpath='{.items[*].spec.podCIDR}' | tr -s '\n' ' ')
-                echo "Get service cidr..."
-                export SVC_CIDR=$(echo '{"apiVersion":"v1","kind":"Service","metadata":{"name":"kubevpn-get-svc-cidr-{{ include "kubevpn.namespace" . }}", "namespace": "{{ include "kubevpn.namespace" . }}"},"spec":{"clusterIP":"1.1.1.1","ports":[{"port":443}]}}' | kubectl apply -f - 2>&1 | sed 's/.*valid IPs is //')
-                echo "Pod cidr: $POD_CIDR, service cidr: $SVC_CIDR"
-                echo "Patch configmap {{ include "kubevpn.fullname" . }}"
-                kubectl patch configmap {{ include "kubevpn.fullname" . }} -n {{ include "kubevpn.namespace" . }} -p "{\"data\":{\"IPv4_POOLS\":\"$POD_CIDR $SVC_CIDR\"}}"
-              else
-                echo "Cidr is NOT empty"
-              fi
-
-              echo "Done~"
-              exit 0
+            - kubevpn
+            - once
+            - --image
+            - "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
--- a/charts/kubevpn/templates/role.yaml
+++ b/charts/kubevpn/templates/role.yaml
@@ -21,10 +21,10 @@ rules:
      - delete
  - apiGroups: [ "" ]
    resources: [ "namespaces" ]
-    resourceNames: ["{{ include "kubevpn.namespace" . }}"]
+    resourceNames: [{{ include "kubevpn.namespace" . }}]
    verbs:
      - get
-      - patch
+      - update
  - apiGroups: [ "apps" ]
    resources: [ "deployments/scale", "deployments" ]
    resourceNames:
@@ -43,6 +43,25 @@ rules:
      - get
      - update
      - patch
+      - list
+  # for get network cidr
+  - apiGroups:
+      - ""
+    resources:
+      - pods/exec
+    verbs:
+      - create
+  - apiGroups:
+      - ""
+    resources:
+      - pods
+      - pods/log
+    verbs:
+      - list
+      - get
+      - create
+      - delete
+      - watch

 ---
 apiVersion: rbac.authorization.k8s.io/v1
@@ -59,7 +78,7 @@ rules:
    verbs:
      - get
      - list
-      - patch
+      - update
  - apiGroups:
      - ""
    resources:
@@ -67,4 +86,11 @@ rules:
    verbs:
      - get
      - list
-      - watch
+      - watch
+  # for get network cidr
+  - apiGroups:
+      - ""
+    resources:
+      - pods
+    verbs:
+      - list