Sonobuoy: allow multiple simultaneous chart installations

Manually set Namespace for Sonobuoy's config.json.

Sonobuoy's bug that forces use of the heptio-sonobuoy namespace [1] does
not affect this Helm chart, because config.json is controlled directly
by `values.yaml` and not by Sonobuoy's CLI.

Now multiple instances of this chart may exist at once by specifying
unique namespaces at helm install time.

Modify Sonobuoy test script to install two instances of Sonobuoy Helm
chart. Also install readonly serviceaccount to verify it will work with
more than one instance simultaneously.

[1] https://github.com/heptio/sonobuoy/issues/420

Change-Id: I6d4ecfb812a4312af13abf1e265de495e27967f9
Dustin Specker 2019-02-11 10:04:35 -06:00
parent 40c8ca5dfc
commit 8c614d4ffd
5 changed files with 26 additions and 12 deletions


@ -19,11 +19,13 @@ limitations under the License.
{{- $serviceAccountName := "sonobuoy-serviceaccount" }}
{{ tuple $envAll "sonobuoy" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
{{ $controllerName := printf "%s-%s" .Release.Namespace $serviceAccountName }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ $serviceAccountName }}
name: {{ $controllerName | quote }}
rules:
- apiGroups:
- '*'
@ -35,11 +37,11 @@ rules:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ $serviceAccountName }}-heptio-sonobuoy
name: {{ $controllerName | quote }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ $serviceAccountName }}
name: {{ $controllerName | quote }}
subjects:
- kind: ServiceAccount
name: {{ $serviceAccountName }}
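Review bot: The ClusterRole renamed in the first hunk grants `apiGroups: '*'` and is now created once per release namespace, so every additional install adds another cluster-wide grant bound to a ServiceAccount in a different namespace, and nothing in the template says so. The rule's resources and verbs are outside the hunks, so the actual breadth has to be confirmed there. I would add a template comment above the ClusterRole, e.g. `{{/* cluster-scoped: name is prefixed with .Release.Namespace so each install gets its own role and binding */}}`, and rename `$controllerName`, which names RBAC objects rather than a controller, to something like `$clusterRoleName`. The binding's subject namespace line is also outside the hunk; it needs to be `.Release.Namespace` for the per-namespace binding to resolve.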


@ -18,6 +18,9 @@ limitations under the License.
{{- if empty .Values.conf.sonobuoy.WorkerImage -}}
{{- $_ := set .Values.conf.sonobuoy "WorkerImage" .Values.images.tags.sonobuoy_api -}}
{{- end -}}
{{- if empty .Values.conf.sonobuoy.Namespace -}}
{{- $_ := set .Values.conf.sonobuoy "Namespace" .Release.Namespace -}}
{{- end -}}
---
apiVersion: v1
kind: Secret
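Review bot: The `if empty` guard on `conf.sonobuoy.Namespace` still honours a value supplied by the operator, so config.json can name a namespace other than the one the release is installed into, even though the values file says the key should not be defined. If an override is never valid, drop the guard and set it unconditionally, `{{- $_ := set .Values.conf.sonobuoy "Namespace" .Release.Namespace -}}`, or fail rendering when the two differ. If overrides are intended, a template comment stating which namespace wins, and that the chart's RBAC objects are named after the release namespace, would help.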


@ -59,13 +59,13 @@ may be referenced to list pods, etc.
{{- if .Values.manifests.serviceaccount_readonly }}
{{- $envAll := . }}
{{- $serviceAccountName := "sonobuoy-readonly-serviceaccount" }}
{{ tuple $envAll "sonobuoy" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
{{- $controllerName := printf "%s-%s" $envAll.Release.Namespace "sonobuoy-readonly-serviceaccount" }}
{{ tuple $envAll "sonobuoy" $controllerName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: sonobuoy-readonly-clusterrole
name: {{ $controllerName | quote }}
rules:
- apiGroups:
- "*"
@ -79,24 +79,24 @@ rules:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: sonobuoy-readonly-clusterrolebinding
name: {{ $controllerName | quote }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: sonobuoy-readonly-clusterrole
name: {{ $controllerName | quote }}
subjects:
- kind: ServiceAccount
name: {{ $serviceAccountName }}
name: {{ $controllerName | quote }}
namespace: {{ .Release.Namespace }}
---
apiVersion: v1
kind: Secret
type: kubernetes.io/service-account-token
metadata:
name: {{ $serviceAccountName }}-token-secret
name: sonobuoy-readonly-serviceaccount-token-secret
namespace: {{ .Release.Namespace }}
annotations:
kubernetes.io/service-account.name: {{ $serviceAccountName }}
kubernetes.io/service-account.name: {{ $controllerName }}
{{/*
post-install hook is required to cause ServiceAccount to be deployed
before creating a secret token for it. By default helm deploys secrets
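Review bot: The Secret at the end of this section is a `kubernetes.io/service-account-token` for a ServiceAccount bound to a cluster-wide role with `apiGroups: "*"`, and after this change one such token exists in every namespace the chart is installed into; the template does not document that. Such a token does not expire on its own, and anyone who can read Secrets in that namespace holds whatever the role allows cluster-wide; the rule's resources and verbs are outside the hunk, so confirm they exclude Secrets. I would add a comment above the Secret, e.g. `{{/* long-lived token bound to a cluster-wide ClusterRole; restrict read access to this Secret */}}`. The annotation is also the only use of `$controllerName` not piped through `quote`: `kubernetes.io/service-account.name: {{ $controllerName | quote }}`. The comment block that follows the annotation continues past the hunk.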


@ -126,6 +126,8 @@ conf:
Limits:
PodLogs:
SizeLimitBytes: 10000
# NOTE: the Namespace should not be defined and is set in sonobuoy-etc
Namespace: null
# NOTE: the WorkerImage should not be defined and is set in sonobuoy-etc
WorkerImage: null
ImagePullPolicy: IfNotPresent


@ -19,5 +19,12 @@ set -xe
helm dependency update sonobuoy
helm upgrade --install sonobuoy sonobuoy \
--namespace=heptio-sonobuoy \
--set endpoints.identity.namespace=openstack
--set endpoints.identity.namespace=openstack \
--set manifests.serviceaccount_readonly=true
helm test sonobuoy
helm upgrade --install another-sonobuoy sonobuoy \
--namespace=sonobuoy \
--set endpoints.identity.namespace=openstack \
--set manifests.serviceaccount_readonly=true
helm test another-sonobuoy
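Review bot: `helm test sonobuoy` runs before the second release is installed and is not repeated, so the script never checks that the first instance still works once `another-sonobuoy` exists, which is what the commit sets out to prove. Re-running it after the last line, `helm test sonobuoy`, would cover that (earlier test pods may need cleaning up first; that is not visible here). The readonly ServiceAccount is enabled in both installs, but nothing asserts that the two namespace-prefixed ClusterRoles were created; a check such as `kubectl get clusterrole heptio-sonobuoy-sonobuoy-readonly-serviceaccount sonobuoy-sonobuoy-readonly-serviceaccount` would make that explicit.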