From 8c614d4ffd99cefdd186c776c469acd61f2bd757 Mon Sep 17 00:00:00 2001 From: Dustin Specker Date: Mon, 11 Feb 2019 10:04:35 -0600 Subject: [PATCH] Sonobuoy: allow multiple simultaneous chart installations Manually set Namespace for Sonobuoy's config.json. Sonobuoy's bug forcing heptio-sonobuoy namespace [1] usage only does not impact this Helm chart because the config.json is directly controlled by the `values.yaml` and not Sonobuoy's CLI. Now multiple instances of this chart may exist at once by specifying unique namespaces at helm install time. Modify Sonobuoy test script to install two instances of Sonobuoy Helm chart. Also install readonly serviceaccount to verify it will work with more than one instance simultaneously. [1] https://github.com/heptio/sonobuoy/issues/420 Change-Id: I6d4ecfb812a4312af13abf1e265de495e27967f9 --- sonobuoy/templates/pod-api.yaml | 8 +++++--- sonobuoy/templates/secret-etc.yaml | 3 +++ sonobuoy/templates/serviceaccount-readonly.yaml | 16 ++++++++-------- sonobuoy/values.yaml | 2 ++ tools/gate/scripts/sonobuoy.sh | 9 ++++++++- 5 files changed, 26 insertions(+), 12 deletions(-) diff --git a/sonobuoy/templates/pod-api.yaml b/sonobuoy/templates/pod-api.yaml index 9b119da2..f1ab849d 100644 --- a/sonobuoy/templates/pod-api.yaml +++ b/sonobuoy/templates/pod-api.yaml @@ -19,11 +19,13 @@ limitations under the License. {{- $serviceAccountName := "sonobuoy-serviceaccount" }} {{ tuple $envAll "sonobuoy" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} + +{{ $controllerName := printf "%s-%s" .Release.Namespace $serviceAccountName }} --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: {{ $serviceAccountName }} + name: {{ $controllerName | quote }} rules: - apiGroups: - '*' 
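Review bot: The per-namespace name on this ClusterRole means every additional install creates another cluster-scoped role whose first rule, visible at the end of the hunk, starts with `apiGroups: '*'`. The resources and verbs of that rule are outside the hunk, so the actual breadth of the grant should be confirmed. A template comment above the ClusterRole would help anyone auditing RBAC, for example `{{/* cluster-scoped: one role and one binding are created per release namespace */}}`. The new assignment would also read better as `{{- $controllerName := printf "%s-%s" .Release.Namespace $serviceAccountName }}`, matching the trimmed `{{-` form on the line that defines `$serviceAccountName`; as written, it and the added blank line emit empty lines ahead of the `---`.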
@@ -35,11 +37,11 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: {{ $serviceAccountName }}-heptio-sonobuoy + name: {{ $controllerName | quote }} roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: {{ $serviceAccountName }} + name: {{ $controllerName | quote }} subjects: - kind: ServiceAccount name: {{ $serviceAccountName }} diff --git a/sonobuoy/templates/secret-etc.yaml b/sonobuoy/templates/secret-etc.yaml index 96045aec..e08fcd26 100644 --- a/sonobuoy/templates/secret-etc.yaml +++ b/sonobuoy/templates/secret-etc.yaml @@ -18,6 +18,9 @@ limitations under the License. {{- if empty .Values.conf.sonobuoy.WorkerImage -}} {{- $_ := set .Values.conf.sonobuoy "WorkerImage" .Values.images.tags.sonobuoy_api -}} {{- end -}} +{{- if empty .Values.conf.sonobuoy.Namespace -}} +{{- $_ := set .Values.conf.sonobuoy "Namespace" .Release.Namespace -}} +{{- end -}} --- apiVersion: v1 kind: Secret diff --git a/sonobuoy/templates/serviceaccount-readonly.yaml b/sonobuoy/templates/serviceaccount-readonly.yaml index e0b1b566..2604523c 100644 --- a/sonobuoy/templates/serviceaccount-readonly.yaml +++ b/sonobuoy/templates/serviceaccount-readonly.yaml @@ -59,13 +59,13 @@ may be referenced to list pods, etc. {{- if .Values.manifests.serviceaccount_readonly }} {{- $envAll := . }} -{{- $serviceAccountName := "sonobuoy-readonly-serviceaccount" }} -{{ tuple $envAll "sonobuoy" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} +{{- $controllerName := printf "%s-%s" $envAll.Release.Namespace "sonobuoy-readonly-serviceaccount" }} +{{ tuple $envAll "sonobuoy" $controllerName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: sonobuoy-readonly-clusterrole + name: {{ $controllerName | quote }} rules: - apiGroups: - "*" 
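Review bot: The subject of this ClusterRoleBinding is still `{{ $serviceAccountName }}`, and its `namespace:` line falls outside the hunk, so the patch does not show which namespace the binding targets. The old binding name ended in the literal `-heptio-sonobuoy`, so it is worth confirming that the subject namespace is `{{ .Release.Namespace }}` and not a leftover literal. If it were a literal, the second release's binding would grant the role to the service account in the first release's namespace and leave its own account unbound.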
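Review bot: The `if empty` guard lets a user-supplied `conf.sonobuoy.Namespace` win over the release namespace, while the comment this commit adds in `values.yaml` says the value should not be defined. The readonly template in this commit creates its ServiceAccount subject and token Secret in `.Release.Namespace`, so an override would presumably point Sonobuoy at a namespace that lacks them. Setting the value unconditionally, `{{- $_ := set .Values.conf.sonobuoy "Namespace" .Release.Namespace -}}`, or failing the render when the two differ, would make the template enforce what the comment asks for.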
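Review bot: The namespace prefix now lands on the ServiceAccount as well, because `$controllerName` is what gets passed to the `helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount` include. A ServiceAccount is namespaced, so it cannot collide across releases in different namespaces. `pod-api.yaml` in this same commit keeps `$serviceAccountName` for the account and uses the prefixed name only for the ClusterRole and ClusterRoleBinding; doing the same here keeps the account name stable for anything that already references `sonobuoy-readonly-serviceaccount`. Concretely, keep `{{- $serviceAccountName := "sonobuoy-readonly-serviceaccount" }}` and add `{{- $controllerName := printf "%s-%s" $envAll.Release.Namespace $serviceAccountName }}`; the subject and annotation lines in the next hunk of this file would then go back to `$serviceAccountName`. If the prefix is kept instead, the usage comment at the top of the file, whose last line shows in the hunk heading, may need the new name.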
@@ -79,24 +79,24 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: sonobuoy-readonly-clusterrolebinding + name: {{ $controllerName | quote }} roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: sonobuoy-readonly-clusterrole + name: {{ $controllerName | quote }} subjects: - kind: ServiceAccount - name: {{ $serviceAccountName }} + name: {{ $controllerName | quote }} namespace: {{ .Release.Namespace }} --- apiVersion: v1 kind: Secret type: kubernetes.io/service-account-token metadata: - name: {{ $serviceAccountName }}-token-secret + name: sonobuoy-readonly-serviceaccount-token-secret namespace: {{ .Release.Namespace }} annotations: - kubernetes.io/service-account.name: {{ $serviceAccountName }} + kubernetes.io/service-account.name: {{ $controllerName }} {{/* post-install hook is required to cause ServiceAccount to be deployed before creating a secret token for it. By default helm deploys secrets diff --git a/sonobuoy/values.yaml b/sonobuoy/values.yaml index e272cedb..fb7dd423 100644 --- a/sonobuoy/values.yaml +++ b/sonobuoy/values.yaml @@ -126,6 +126,8 @@ conf: Limits: PodLogs: SizeLimitBytes: 10000 + # NOTE: the Namespace should not be defined and is set in sonobuoy-etc + Namespace: null # NOTE: the WorkerImage should not be defined and is set in sonobuoy-etc WorkerImage: null ImagePullPolicy: IfNotPresent diff --git a/tools/gate/scripts/sonobuoy.sh b/tools/gate/scripts/sonobuoy.sh index cc8272bb..d8929351 100755 --- a/tools/gate/scripts/sonobuoy.sh +++ b/tools/gate/scripts/sonobuoy.sh 
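Review bot: The `kubernetes.io/service-account.name` annotation is the only place in this hunk where `{{ $controllerName }}` is rendered without `| quote`. The Secret's own name has also become a literal that no longer follows the variable naming the account it is bound to. The token is issued for the ServiceAccount whose name matches this annotation exactly, so the annotation should be rendered the same way as the subject: `kubernetes.io/service-account.name: {{ $controllerName | quote }}`. A short comment on the Secret noting that its name is intentionally fixed per namespace would explain why it is no longer templated.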
@@ -19,5 +19,12 @@ set -xe helm dependency update sonobuoy helm upgrade --install sonobuoy sonobuoy \ --namespace=heptio-sonobuoy \ - --set endpoints.identity.namespace=openstack + --set endpoints.identity.namespace=openstack \ + --set manifests.serviceaccount_readonly=true helm test sonobuoy + +helm upgrade --install another-sonobuoy sonobuoy \ + --namespace=sonobuoy \ + --set endpoints.identity.namespace=openstack \ + --set manifests.serviceaccount_readonly=true +helm test another-sonobuoy
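Review bot: Neither install is followed by a check of the read-only account, although the commit message says it is installed to verify that it works with more than one instance; `helm test` only runs the chart's own test hooks. An explicit assertion per namespace would cover both the grant and its limit, for example `kubectl auth can-i list pods --as=system:serviceaccount:sonobuoy:sonobuoy-sonobuoy-readonly-serviceaccount` expecting yes, and the same command with `delete pods` expecting no. The account name in that example is derived from the `printf` in `serviceaccount-readonly.yaml` and should be adjusted if the naming changes.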