From aedc2aff5975c081b46d3ed36167765b548edf7b Mon Sep 17 00:00:00 2001
From: Oleksandr Kovalchuk
Date: Tue, 10 Aug 2021 12:36:53 +0300
Subject: [PATCH] Add handling of empty WATCH_NAMESPACE value of jenkins.namespace (#609)

* Add note that jenkins.namespace also affects jenkins-operator resources

* Add handling of empty WATCH_NAMESPACE value of jenkins.namespace

If jenkins.namespace is set to "", it leads to WATCH_NAMESPACE environment value of Jenkins Operator itself to be set to "", which leads that operator watches all namespaces (see https://github.com/jenkinsci/kubernetes-operator/issues/77#issuecomment-523727092). This case requires custom handling: instead of creating role and role_binding we need to create clusterrole and clusterrolebinding with the required permissions.

* Bump chart version

* Fix grammar as suggested by @Sig00rd

Co-authored-by: Sig00rd
---
 chart/jenkins-operator/templates/_role.yaml | 6 +++--
 .../templates/role_binding.yaml | 25 +++++++++++++++++--
 chart/jenkins-operator/values.yaml | 3 ++-
 3 files changed, 29 insertions(+), 5 deletions(-)

diff --git a/chart/jenkins-operator/templates/_role.yaml b/chart/jenkins-operator/templates/_role.yaml
index 9ff46064..4da31d4e 100644
--- a/chart/jenkins-operator/templates/_role.yaml
+++ b/chart/jenkins-operator/templates/_role.yaml
@@ -1,11 +1,13 @@
 {{ define "jenkins-operator.role" }}
 {{ $namespace := . }}
 ---
-kind: Role
+kind: {{ if eq $namespace "" }}ClusterRole{{ else }}Role{{ end }}
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: jenkins-operator
+{{- if ne $namespace "" }}
   namespace: {{ $namespace }}
+{{- end }}
 rules:
   - apiGroups:
       - apps
@@ -171,4 +173,4 @@ rules:
       - get
       - list
       - watch
-{{ end }}
\ No newline at end of file
+{{ end }}
diff --git a/chart/jenkins-operator/templates/role_binding.yaml b/chart/jenkins-operator/templates/role_binding.yaml
index 23817139..879af247 100644
--- a/chart/jenkins-operator/templates/role_binding.yaml
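Review bot: The new `kind:` line renders a cluster-scoped ClusterRole under the fixed name `jenkins-operator`, so two releases of this chart on one cluster that both set `jenkins.namespace: ""` (or a second install next to an existing one) will contend for the same object; the ClusterRoleBinding added in role_binding.yaml carries the same fixed name and has the same problem. Because this define receives only the namespace string as its context (`{{ $namespace := . }}`), qualifying the name with the release would require the call site to pass more context, and that call site is outside this diff. The scope change itself deserves a comment at the top of the define, since every rule below it now applies cluster-wide when the namespace is empty, e.g. `{{- /* An empty namespace renders a ClusterRole: every rule below then applies to all namespaces, not only the one being watched */}}`.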
+++ b/chart/jenkins-operator/templates/role_binding.yaml
@@ -12,7 +12,28 @@ roleRef:
   kind: Role
   name: jenkins-operator
   apiGroup: rbac.authorization.k8s.io
-{{ if ne .Release.Namespace .Values.jenkins.namespace }}
+{{ if eq .Values.jenkins.namespace "" }}
+{{- /*
+# This is a special case when .Values.jenkins.namespace is equal to empty
+# string which leads to WATCH_NAMESPACE env of jenkins-operator to be set to
+# empty string and leads to operator actually watching all namespaces. In this
+# case we need to create clusterrole and clusterrolebinding instead of role and
+# rolebinding
+*/}}
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: jenkins-operator
+subjects:
+  - kind: ServiceAccount
+    name: jenkins-operator
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: jenkins-operator
+  apiGroup: rbac.authorization.k8s.io
+{{ else if ne .Release.Namespace .Values.jenkins.namespace }}
 ---
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
@@ -27,4 +48,4 @@ roleRef:
   kind: Role
   name: jenkins-operator
   apiGroup: rbac.authorization.k8s.io
-{{ end }}
\ No newline at end of file
+{{ end }}
diff --git a/chart/jenkins-operator/values.yaml b/chart/jenkins-operator/values.yaml
index 60c992cd..dac2d691 100644
--- a/chart/jenkins-operator/values.yaml
+++ b/chart/jenkins-operator/values.yaml
@@ -18,6 +18,7 @@ jenkins:
   # namespace is the namespace where the resources will be deployed
   # It's not recommended to use default namespace
   # Create new namespace for jenkins (called e.g. jenkins)
+  # Note: this affects roles and rolebindings for jenkins operator itself
   namespace: default
 
   # labels are injected into metadata labels field
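Review bot: The RoleBinding that precedes this hunk (its `roleRef` context lines `kind: Role` / `name: jenkins-operator` open the hunk) still references a namespaced Role in `.Release.Namespace`, while the new empty-namespace branch only adds a ClusterRoleBinding; that reference is only valid if the role template is still rendered once with `.Release.Namespace` in this case, and since the call site is outside the diff this should be confirmed rather than assumed. In the same branch that namespaced Role/RoleBinding pair is also redundant, because the ClusterRoleBinding already binds the same rule set across every namespace. The `{{- /* ... */}}` note could state this so the next maintainer does not try to reconcile the two, e.g. `# The release-namespace RoleBinding above stays in place but is redundant here: the ClusterRoleBinding already covers all namespaces`.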
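Review bot: The added comment `# Note: this affects roles and rolebindings for jenkins operator itself` leaves out the consequence that matters operationally: per this commit, setting the value to `""` makes the operator watch every namespace and switches the chart from a namespaced Role/RoleBinding to a ClusterRole/ClusterRoleBinding carrying the same rules. Suggest replacing it with `# Note: also used for the operator's own RBAC. An empty value ("") makes the operator watch all namespaces and replaces the namespaced Role/RoleBinding with a cluster-wide ClusterRole/ClusterRoleBinding`. The `jenkins:` mapping this key belongs to starts before the hunk.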
@@ -139,7 +140,7 @@ jenkins:
   # slave Jenkins service
   # See https://jenkinsci.github.io/kubernetes-operator/docs/getting-started/latest/schema/#github.com/jenkinsci/kubernetes-operator/pkg/apis/jenkins/v1alpha2.Service for details
   #slaveService:
-
+
   # LivenessProbe for Jenkins Master pod
   livenessProbe:
     failureThreshold: 12