public_git
/
kubernetes-operator
mirror of https://github.com/jenkinsci/kubernetes-operator.git
1
0
Fork 0
Code Issues Releases Wiki Activity

Add handling of empty WATCH_NAMESPACE value of jenkins.namespace (#609) 

* Add note that jenkins.namespace also affects jenkins-operator resources

* Add handling of empty WATCH_NAMESPACE value of jenkins.namespace

If jenkins.namespace is set to "", it leads to WATCH_NAMESPACE
environment value of Jenkins Operator itself to be set to "", which
leads that operator watches all namespaces (see
https://github.com/jenkinsci/kubernetes-operator/issues/77#issuecomment-523727092).
This case requires custom handling: instead of creating role and
role_binding we need to create clusterrole and clusterrolebinding with
the required permissions.

* Bump chart version

* Fix grammar as suggested by @Sig00rd

Co-authored-by: Sig00rd <sz.fugas@gmail.com>
This commit is contained in:
Oleksandr Kovalchuk 2021-08-10 12:36:53 +03:00 committed by GitHub
parent 2d1a67afb9
commit aedc2aff59
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 29 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
chart/jenkins-operator/templates/_role.yaml
View File

@ -1,11 +1,13 @@
{{ define "jenkins-operator.role" }} {{ define "jenkins-operator.role" }}
{{ $namespace := . }} {{ $namespace := . }}
--- ---
kind: Role kind: {{ if eq $namespace "" }}ClusterRole{{ else }}Role{{ end }}
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
metadata: metadata:
name: jenkins-operator name: jenkins-operator
{{- if ne $namespace "" }}
namespace: {{ $namespace }} namespace: {{ $namespace }}
{{- end }}
rules: rules:
- apiGroups: - apiGroups:
- apps - apps

23
chart/jenkins-operator/templates/role_binding.yaml
View File

@ -12,7 +12,28 @@ roleRef:
kind: Role kind: Role
name: jenkins-operator name: jenkins-operator
apiGroup: rbac.authorization.k8s.io apiGroup: rbac.authorization.k8s.io
{{ if ne .Release.Namespace .Values.jenkins.namespace }} {{ if eq .Values.jenkins.namespace "" }}
{{- /*
# This is a special case when .Values.jenkins.namespace is equal to empty
# string which leads to WATCH_NAMESPACE env of jenkins-operator to be set to
# empty string and leads to operator actually watching all namespaces. In this
# case we need to create clusterrole and clusterrolebinding instead of role and
# rolebinding
*/}}
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: jenkins-operator
subjects:
- kind: ServiceAccount
name: jenkins-operator
namespace: {{ .Release.Namespace }}
roleRef:
kind: ClusterRole
name: jenkins-operator
apiGroup: rbac.authorization.k8s.io
{{ else if ne .Release.Namespace .Values.jenkins.namespace }}
--- ---
kind: RoleBinding kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1

1
chart/jenkins-operator/values.yaml
View File

@ -18,6 +18,7 @@ jenkins:
# namespace is the namespace where the resources will be deployed # namespace is the namespace where the resources will be deployed
# It's not recommended to use default namespace # It's not recommended to use default namespace
# Create new namespace for jenkins (called e.g. jenkins) # Create new namespace for jenkins (called e.g. jenkins)
# Note: this affects roles and rolebindings for jenkins operator itself
namespace: default namespace: default
# labels are injected into metadata labels field # labels are injected into metadata labels field