Add handling of empty WATCH_NAMESPACE value of jenkins.namespace (#609)

* Add note that jenkins.namespace also affects jenkins-operator resources * Add handling of empty WATCH_NAMESPACE value of jenkins.namespace If jenkins.namespace is set to "", it leads to WATCH_NAMESPACE environment value of Jenkins Operator itself to be set to "", which leads that operator watches all namespaces (see https://github.com/jenkinsci/kubernetes-operator/issues/77#issuecomment-523727092). This case requires custom handling: instead of creating role and role_binding we need to create clusterrole and clusterrolebinding with the required permissions. * Bump chart version * Fix grammar as suggested by @Sig00rd Co-authored-by: Sig00rd <sz.fugas@gmail.com>
2021-08-10 12:36:53 +03:00 · 2021-08-10 12:36:53 +03:00 · aedc2aff59
parent 2d1a67afb9
commit aedc2aff59
3 changed files with 29 additions and 5 deletions
--- a/chart/jenkins-operator/templates/_role.yaml
+++ b/chart/jenkins-operator/templates/_role.yaml
@ -1,11 +1,13 @@
 {{ define "jenkins-operator.role" }}
 {{ $namespace := . }}
 ---
-kind: Role
+kind: {{ if eq $namespace "" }}ClusterRole{{ else }}Role{{ end }}
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: jenkins-operator
+{{- if ne $namespace "" }}
  namespace: {{ $namespace }}
+{{- end }}
 rules:
  - apiGroups:
      - apps
@ -171,4 +173,4 @@ rules:
      - get
      - list
      - watch
-{{ end }}
+{{ end }}
--- a/chart/jenkins-operator/templates/role_binding.yaml
+++ b/chart/jenkins-operator/templates/role_binding.yaml
@ -12,7 +12,28 @@ roleRef:
  kind: Role
  name: jenkins-operator
  apiGroup: rbac.authorization.k8s.io
-{{ if ne .Release.Namespace .Values.jenkins.namespace }}
+{{ if eq .Values.jenkins.namespace "" }}
+{{- /*
+# This is a special case when .Values.jenkins.namespace is equal to empty
+# string which leads to WATCH_NAMESPACE env of jenkins-operator to be set to
+# empty string and leads to operator actually watching all namespaces. In this
+# case we need to create clusterrole and clusterrolebinding instead of role and
+# rolebinding
+*/}}
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: jenkins-operator
+subjects:
+  - kind: ServiceAccount
+    name: jenkins-operator
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: jenkins-operator
+  apiGroup: rbac.authorization.k8s.io
+{{ else if ne .Release.Namespace .Values.jenkins.namespace }}
 ---
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
@ -27,4 +48,4 @@ roleRef:
  kind: Role
  name: jenkins-operator
  apiGroup: rbac.authorization.k8s.io
-{{ end }}
+{{ end }}
--- a/chart/jenkins-operator/values.yaml
+++ b/chart/jenkins-operator/values.yaml
@ -18,6 +18,7 @@ jenkins:
  # namespace is the namespace where the resources will be deployed
  # It's not recommended to use default namespace
  # Create new namespace for jenkins (called e.g. jenkins)
+  # Note: this affects roles and rolebindings for jenkins operator itself
  namespace: default

  # labels are injected into metadata labels field
@ -139,7 +140,7 @@ jenkins:
  # slave Jenkins service
  # See https://jenkinsci.github.io/kubernetes-operator/docs/getting-started/latest/schema/#github.com/jenkinsci/kubernetes-operator/pkg/apis/jenkins/v1alpha2.Service for details
  #slaveService:
-  
+
  # LivenessProbe for Jenkins Master pod
  livenessProbe:
    failureThreshold: 12