From 0d118bf046288c0f4deb2a4bf1fecfc44b04839a Mon Sep 17 00:00:00 2001
From: Piotr Ryba <55996264+prryb@users.noreply.github.com>
Date: Tue, 27 Apr 2021 15:36:09 +0200
Subject: [PATCH] Fix WATCH_NAMESPACE in helm chart (#547)

* Fix WATCH_NAMESPACE in helm chart

When applying the chart, the operator will now watch the correct namespace. This required changes in roles and role bindings so that the operator has access to both namespaces.

* Use Role instead of ClusterRole

Mitigates the risk of restrictions in creating ClusterRole in multitenant k8s clusters.

* Update configuration-as-code version to 1.47
---
 chart/jenkins-operator/templates/_role.yaml | 132 ++++++++++++++++++
 .../jenkins-operator/templates/operator.yaml | 4 +-
 chart/jenkins-operator/templates/role.yaml | 132 +-----------------
 .../templates/role_binding.yaml | 22 ++-
 chart/jenkins-operator/values.yaml | 2 +-
 5 files changed, 158 insertions(+), 134 deletions(-)
 create mode 100644 chart/jenkins-operator/templates/_role.yaml

diff --git a/chart/jenkins-operator/templates/_role.yaml b/chart/jenkins-operator/templates/_role.yaml
new file mode 100644
index 00000000..ed34150b
--- /dev/null
+++ b/chart/jenkins-operator/templates/_role.yaml
@@ -0,0 +1,132 @@
+{{ define "jenkins-operator.role" }}
+{{ $namespace := . }}
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: jenkins-operator
+ namespace: {{ $namespace }}
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - services
+ - configmaps
+ - secrets
+ verbs:
+ - get
+ - create
+ - update
+ - list
+ - watch
+ - apiGroups:
+ - apps
+ resources:
+ - deployments
+ - daemonsets
+ - replicasets
+ - statefulsets
+ verbs:
+ - '*'
+ - apiGroups:
+ - ""
+ resources:
+ - serviceaccounts
+ verbs:
+ - get
+ - create
+ - update
+ - list
+ - watch
+ - apiGroups:
+ - rbac.authorization.k8s.io
+ resources:
+ - roles
+ - rolebindings
+ verbs:
+ - get
+ - create
+ - update
+ - list
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - pods/portforward
+ verbs:
+ - create
+ - apiGroups:
+ - ""
+ resources:
+ - pods/log
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - pods
+ - pods/exec
+ verbs:
+ - "*"
+ - apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - get
+ - watch
+ - list
+ - create
+ - patch
+ - apiGroups:
+ - apps
+ resourceNames:
+ - jenkins-operator
+ resources:
+ - deployments/finalizers
+ verbs:
+ - update
+ - apiGroups:
+ - jenkins.io
+ resources:
+ - '*'
+ verbs:
+ - '*'
+ - apiGroups:
+ - ""
+ resources:
+ - persistentvolumeclaims
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - "route.openshift.io"
+ resources:
+ - routes
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - apiGroups:
+ - "image.openshift.io"
+ resources:
+ - imagestreams
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - "build.openshift.io"
+ resources:
+ - builds
+ - buildconfigs
+ verbs:
+ - get
+ - list
+ - watch
+{{ end }}
\ No newline at end of file
diff --git a/chart/jenkins-operator/templates/operator.yaml b/chart/jenkins-operator/templates/operator.yaml
index ca3af6a9..ffc1c7cf 100644
--- a/chart/jenkins-operator/templates/operator.yaml
+++ b/chart/jenkins-operator/templates/operator.yaml
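Review bot: `namespace: {{ $namespace }}` in the new template emits the value unquoted, so a namespace such as `123` (a valid DNS-1123 label) would render as an integer and be rejected by the API server; use `namespace: {{ $namespace | quote }}`. The template also carries no header documenting its contract — that `.` is the target namespace, that it emits its own leading `---` so callers must not add one, and that it is meant to be rendered once per namespace the operator needs access to — a `{{- /* Role for the operator in the namespace passed as "."; emits its own document separator */ -}}` block before the `define` would tell the next maintainer that. Because the rule set is stamped verbatim into whichever namespace is passed, it cannot be narrowed per namespace as written; that is worth stating in the same comment.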
@@ -34,9 +34,7 @@ spec:
 args: []
 env:
 - name: WATCH_NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
+ value: {{ .Values.jenkins.namespace }}
 - name: POD_NAME
 valueFrom:
 fieldRef:
diff --git a/chart/jenkins-operator/templates/role.yaml b/chart/jenkins-operator/templates/role.yaml
index cc15fdd0..f3c31553 100644
--- a/chart/jenkins-operator/templates/role.yaml
+++ b/chart/jenkins-operator/templates/role.yaml
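Review bot: `value: {{ .Values.jenkins.namespace }}` renders unquoted and unvalidated: if `jenkins.namespace` is left unset the line becomes a bare `value:` (null) and WATCH_NAMESPACE is effectively empty, which in the operator-sdk convention I recall typically means a cluster-wide watch — the opposite of the Role-only RBAC this commit introduces — while a numeric-looking namespace would fail schema validation as a non-string. Prefer `value: {{ required "jenkins.namespace must be set" .Values.jenkins.namespace | quote }}` so a missing value fails at render time rather than as Forbidden errors at runtime. The replaced downward-API form was self-consistent with the release namespace; a one-line comment here noting that the operator now depends on the chart value, and that role.yaml and role_binding.yaml must be kept in step with it, would help whoever next edits this env block.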
@@ -1,128 +1,4 @@
----
-kind: Role
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: jenkins-operator
-rules:
- - apiGroups:
- - ""
- resources:
- - services
- - configmaps
- - secrets
- verbs:
- - get
- - create
- - update
- - list
- - watch
- - apiGroups:
- - apps
- resources:
- - deployments
- - daemonsets
- - replicasets
- - statefulsets
- verbs:
- - '*'
- - apiGroups:
- - ""
- resources:
- - serviceaccounts
- verbs:
- - get
- - create
- - update
- - list
- - watch
- - apiGroups:
- - rbac.authorization.k8s.io
- resources:
- - roles
- - rolebindings
- verbs:
- - get
- - create
- - update
- - list
- - watch
- - apiGroups:
- - ""
- resources:
- - pods/portforward
- verbs:
- - create
- - apiGroups:
- - ""
- resources:
- - pods/log
- verbs:
- - get
- - list
- - watch
- - apiGroups:
- - ""
- resources:
- - pods
- - pods/exec
- verbs:
- - "*"
- - apiGroups:
- - ""
- resources:
- - events
- verbs:
- - get
- - watch
- - list
- - create
- - patch
- - apiGroups:
- - apps
- resourceNames:
- - jenkins-operator
- resources:
- - deployments/finalizers
- verbs:
- - update
- - apiGroups:
- - jenkins.io
- resources:
- - '*'
- verbs:
- - '*'
- - apiGroups:
- - ""
- resources:
- - persistentvolumeclaims
- verbs:
- - get
- - list
- - watch
- - apiGroups:
- - "route.openshift.io"
- resources:
- - routes
- verbs:
- - get
- - list
- - watch
- - create
- - update
- - apiGroups:
- - "image.openshift.io"
- resources:
- - imagestreams
- verbs:
- - get
- - list
- - watch
- - apiGroups:
- - "build.openshift.io"
- resources:
- - builds
- - buildconfigs
- verbs:
- - get
- - list
- - watch
+{{ template "jenkins-operator.role" .Release.Namespace }}
+{{ if ne .Release.Namespace .Values.jenkins.namespace }}
+{{ template "jenkins-operator.role" .Values.jenkins.namespace }}
+{{ end }}
\ No newline at end of file
diff --git a/chart/jenkins-operator/templates/role_binding.yaml b/chart/jenkins-operator/templates/role_binding.yaml
index 8224b7c1..23817139 100644
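Review bot: The operator's own release namespace now receives the complete rule set from `jenkins-operator.role` — `secrets`, `pods`/`pods/exec` with `*`, and `roles`/`rolebindings` create/update — even though, when the `ne` branch fires, it is the Jenkins namespace that hosts the managed workloads; in the release namespace the operator plausibly needs only the `deployments/finalizers`, `events` and similar housekeeping permissions, though I cannot confirm the operator's exact needs from this diff. Consider giving the template a second parameter (or a separate minimal Role) so the release namespace is bound to the smaller set rather than granting exec and secret access where nothing uses it. The `ne` guard only dedupes exact-equal strings and does not reject an unset `jenkins.namespace`; a comment such as `# one Role is rendered when jenkins.namespace equals the release namespace, two otherwise` above the first line would make the intent explicit.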
--- a/chart/jenkins-operator/templates/role_binding.yaml
+++ b/chart/jenkins-operator/templates/role_binding.yaml
@@ -3,10 +3,28 @@ kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
 name: jenkins-operator
+ namespace: {{ .Release.Namespace }}
 subjects:
-- kind: ServiceAccount
- name: jenkins-operator
+ - kind: ServiceAccount
+ name: jenkins-operator
+ namespace: {{ .Release.Namespace }}
 roleRef:
 kind: Role
 name: jenkins-operator
 apiGroup: rbac.authorization.k8s.io
+{{ if ne .Release.Namespace .Values.jenkins.namespace }}
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: jenkins-operator
+ namespace: {{ .Values.jenkins.namespace }}
+subjects:
+ - kind: ServiceAccount
+ name: jenkins-operator
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ kind: Role
+ name: jenkins-operator
+ apiGroup: rbac.authorization.k8s.io
+{{ end }}
\ No newline at end of file
diff --git a/chart/jenkins-operator/values.yaml b/chart/jenkins-operator/values.yaml
index e27c0ba8..363296c1 100644
--- a/chart/jenkins-operator/values.yaml
+++ b/chart/jenkins-operator/values.yaml
@@ -73,7 +73,7 @@ jenkins:
 # - name: job-dsl
 # version: "1.77"
 # - name: configuration-as-code
- # version: "1.46"
+ # version: "1.47"
 # - name: kubernetes-credentials-provider
 # version: 0.15
 basePlugins:
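Review bot: The second RoleBinding, placed in `{{ .Values.jenkins.namespace }}`, binds the operator's ServiceAccount from the release namespace to the Role defined there; Kubernetes RBAC escalation prevention only lets a principal bind permissions it already holds, so whoever runs `helm install` must already have the full rule set (secrets, pods/exec, roles/rolebindings create) in the Jenkins namespace or the binding is refused — worth stating given the multitenancy motivation in the commit message. Add above the `if`: `# The installer must already hold the Role's permissions in jenkins.namespace (RBAC escalation prevention) for this binding to be accepted.` The two documents differ only in `metadata.namespace`; a `range` over the distinct namespaces would remove the duplication, but that is a style preference. As in role.yaml, the `ne` guard does not reject an unset `jenkins.namespace`, which would yield a second binding with an empty namespace field.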