From 65bc574cb8e482a59edcd28e670262464e8123e9 Mon Sep 17 00:00:00 2001 From: Sig00rd Date: Wed, 11 Aug 2021 14:49:53 +0200 Subject: [PATCH] Helm chart: Fix role and rb templates for case with jenkins ns being empty string (#624) --- chart/jenkins-operator/templates/role.yaml | 17 +++++-- .../templates/role_binding.yaml | 46 ++++++++++--------- 2 files changed, 38 insertions(+), 25 deletions(-) diff --git a/chart/jenkins-operator/templates/role.yaml b/chart/jenkins-operator/templates/role.yaml index f3c31553..07bdec63 100644 --- a/chart/jenkins-operator/templates/role.yaml +++ b/chart/jenkins-operator/templates/role.yaml @@ -1,4 +1,15 @@ -{{ template "jenkins-operator.role" .Release.Namespace }} -{{ if ne .Release.Namespace .Values.jenkins.namespace }} -{{ template "jenkins-operator.role" .Values.jenkins.namespace }} +{{ if eq .Values.jenkins.namespace "" }} +{{- /* +# This is a special case when .Values.jenkins.namespace is equal to empty +# string which leads to WATCH_NAMESPACE env of jenkins-operator to be set to +# empty string and leads to operator actually watching all namespaces. In this +# case we need to create clusterrole and clusterrolebinding instead of role and +# rolebinding +*/ -}} + {{- template "jenkins-operator.role" .Values.jenkins.namespace }} +{{ else }} + {{- template "jenkins-operator.role" .Release.Namespace }} + {{- if ne .Release.Namespace .Values.jenkins.namespace -}} + {{- template "jenkins-operator.role" .Values.jenkins.namespace }} + {{- end }} {{ end }} \ No newline at end of file diff --git a/chart/jenkins-operator/templates/role_binding.yaml b/chart/jenkins-operator/templates/role_binding.yaml index 879af247..c36b6a2a 100644 --- a/chart/jenkins-operator/templates/role_binding.yaml +++ b/chart/jenkins-operator/templates/role_binding.yaml @@ -1,3 +1,25 @@ +{{ if eq .Values.jenkins.namespace "" }} +{{- /* +# This is a special case when .Values.jenkins.namespace is equal to empty +# string which leads to WATCH_NAMESPACE env of jenkins-operator to be set to +# empty string and leads to operator actually watching all namespaces. In this +# case we need to create clusterrole and clusterrolebinding instead of role and +# rolebinding +*/ -}} +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: jenkins-operator +subjects: + - kind: ServiceAccount + name: jenkins-operator + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: jenkins-operator + apiGroup: rbac.authorization.k8s.io +{{ else }} --- kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 @@ -12,28 +34,7 @@ roleRef: kind: Role name: jenkins-operator apiGroup: rbac.authorization.k8s.io -{{ if eq .Values.jenkins.namespace "" }} -{{- /* -# This is a special case when .Values.jenkins.namespace is equal to empty -# string which leads to WATCH_NAMESPACE env of jenkins-operator to be set to -# empty string and leads to operator actually watching all namespaces. In this -# case we need to create clusterrole and clusterrolebinding instead of role and -# rolebinding -*/}} ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: jenkins-operator -subjects: - - kind: ServiceAccount - name: jenkins-operator - namespace: {{ .Release.Namespace }} -roleRef: - kind: ClusterRole - name: jenkins-operator - apiGroup: rbac.authorization.k8s.io -{{ else if ne .Release.Namespace .Values.jenkins.namespace }} +{{ if ne .Release.Namespace .Values.jenkins.namespace }} --- kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 @@ -49,3 +50,4 @@ roleRef: name: jenkins-operator apiGroup: rbac.authorization.k8s.io {{ end }} +{{ end }}