Sonobuoy: allow multiple simultaneous chart installations
Manually set Namespace for Sonobuoy's config.json. Sonobuoy's bug that forces use of the heptio-sonobuoy namespace only [1] does not impact this Helm chart because the config.json is directly controlled by the `values.yaml` and not Sonobuoy's CLI. Multiple instances of this chart may now exist at once by specifying unique namespaces at helm install time. Modify the Sonobuoy test script to install two instances of the Sonobuoy Helm chart. Also install the readonly serviceaccount to verify it works with more than one instance simultaneously. [1] https://github.com/heptio/sonobuoy/issues/420 Change-Id: I6d4ecfb812a4312af13abf1e265de495e27967f9
parent
40c8ca5dfc
commit
8c614d4ffd
|
@ -19,11 +19,13 @@ limitations under the License.
|
|||
|
||||
{{- $serviceAccountName := "sonobuoy-serviceaccount" }}
|
||||
{{ tuple $envAll "sonobuoy" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||
|
||||
{{ $controllerName := printf "%s-%s" .Release.Namespace $serviceAccountName }}
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: {{ $serviceAccountName }}
|
||||
name: {{ $controllerName | quote }}
|
||||
rules:
|
||||
- apiGroups:
|
||||
- '*'
|
||||
|
@ -35,11 +37,11 @@ rules:
|
|||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: {{ $serviceAccountName }}-heptio-sonobuoy
|
||||
name: {{ $controllerName | quote }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: {{ $serviceAccountName }}
|
||||
name: {{ $controllerName | quote }}
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ $serviceAccountName }}
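Review bot: Every release now creates its own ClusterRole, whose rule begins with `apiGroups: '*'`, plus a ClusterRoleBinding, so the number of cluster-wide grants grows with the number of installations. The resources and verbs of that rule lie outside the hunk, so it is worth confirming they are as narrow as the plugins need. A comment above the role such as `# Cluster-scoped: one ClusterRole and binding per release namespace.` would make this visible to operators. Separately, the new `$controllerName` assignment opens with `{{` rather than `{{-`, unlike the `$serviceAccountName` line above it, so it leaves a blank line in the rendered manifest; `{{- $controllerName := printf "%s-%s" .Release.Namespace $serviceAccountName }}` matches the rest of the template.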
|
||||
|
|
|
@ -18,6 +18,9 @@ limitations under the License.
|
|||
{{- if empty .Values.conf.sonobuoy.WorkerImage -}}
|
||||
{{- $_ := set .Values.conf.sonobuoy "WorkerImage" .Values.images.tags.sonobuoy_api -}}
|
||||
{{- end -}}
|
||||
{{- if empty .Values.conf.sonobuoy.Namespace -}}
|
||||
{{- $_ := set .Values.conf.sonobuoy "Namespace" .Release.Namespace -}}
|
||||
{{- end -}}
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Secret
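Review bot: The `if empty` guard keeps any user-supplied `conf.sonobuoy.Namespace`, so config.json can name a namespace other than `.Release.Namespace`, which is what the RBAC templates in this commit key their names and subjects on. The values.yaml comment added in the same commit already says the key should not be defined. Setting it unconditionally with `{{- $_ := set .Values.conf.sonobuoy "Namespace" .Release.Namespace -}}`, or failing the render when the two differ, would keep the config and the service account in the same namespace. The Secret body continues outside the hunk.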
|
||||
|
|
|
@ -59,13 +59,13 @@ may be referenced to list pods, etc.
|
|||
{{- if .Values.manifests.serviceaccount_readonly }}
|
||||
{{- $envAll := . }}
|
||||
|
||||
{{- $serviceAccountName := "sonobuoy-readonly-serviceaccount" }}
|
||||
{{ tuple $envAll "sonobuoy" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||
{{- $controllerName := printf "%s-%s" $envAll.Release.Namespace "sonobuoy-readonly-serviceaccount" }}
|
||||
{{ tuple $envAll "sonobuoy" $controllerName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: sonobuoy-readonly-clusterrole
|
||||
name: {{ $controllerName | quote }}
|
||||
rules:
|
||||
- apiGroups:
|
||||
- "*"
|
||||
|
@ -79,24 +79,24 @@ rules:
|
|||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: sonobuoy-readonly-clusterrolebinding
|
||||
name: {{ $controllerName | quote }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: sonobuoy-readonly-clusterrole
|
||||
name: {{ $controllerName | quote }}
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ $serviceAccountName }}
|
||||
name: {{ $controllerName | quote }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
type: kubernetes.io/service-account-token
|
||||
metadata:
|
||||
name: {{ $serviceAccountName }}-token-secret
|
||||
name: sonobuoy-readonly-serviceaccount-token-secret
|
||||
namespace: {{ .Release.Namespace }}
|
||||
annotations:
|
||||
kubernetes.io/service-account.name: {{ $serviceAccountName }}
|
||||
kubernetes.io/service-account.name: {{ $controllerName }}
|
||||
{{/*
|
||||
post-install hook is required to cause ServiceAccount to be deployed
|
||||
before creating a secret token for it. By default helm deploys secrets
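Review bot: The ServiceAccount itself is now created under the namespace-prefixed `$controllerName`, although a ServiceAccount is namespaced and only the ClusterRole and ClusterRoleBinding need a cluster-unique name. Anything that refers to the account as `sonobuoy-readonly-serviceaccount` will stop matching after an upgrade, while the token Secret keeps the fixed name `sonobuoy-readonly-serviceaccount-token-secret`, so the two names no longer correspond. Keeping `$serviceAccountName` for the ServiceAccount, the binding subject and the `kubernetes.io/service-account.name` annotation, and using `$controllerName` only for the two cluster-scoped objects, would avoid that. If the rename stays, the annotation should be quoted like the other uses, `kubernetes.io/service-account.name: {{ $controllerName | quote }}`. The Secret and its comment continue past the end of the hunk.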
|
||||
|
|
|
@ -126,6 +126,8 @@ conf:
|
|||
Limits:
|
||||
PodLogs:
|
||||
SizeLimitBytes: 10000
|
||||
# NOTE: the Namespace should not be defined and is set in sonobuoy-etc
|
||||
Namespace: null
|
||||
# NOTE: the WorkerImage should not be defined and is set in sonobuoy-etc
|
||||
WorkerImage: null
|
||||
ImagePullPolicy: IfNotPresent
|
||||
|
|
|
@ -19,5 +19,12 @@ set -xe
|
|||
helm dependency update sonobuoy
|
||||
helm upgrade --install sonobuoy sonobuoy \
|
||||
--namespace=heptio-sonobuoy \
|
||||
--set endpoints.identity.namespace=openstack
|
||||
--set endpoints.identity.namespace=openstack \
|
||||
--set manifests.serviceaccount_readonly=true
|
||||
helm test sonobuoy
|
||||
|
||||
helm upgrade --install another-sonobuoy sonobuoy \
|
||||
--namespace=sonobuoy \
|
||||
--set endpoints.identity.namespace=openstack \
|
||||
--set manifests.serviceaccount_readonly=true
|
||||
helm test another-sonobuoy
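Review bot: `helm test sonobuoy` completes before `another-sonobuoy` is installed, so the first release is never tested while both releases exist, which is the case this commit sets out to cover. Repeating `helm test sonobuoy` after the second install would exercise it. Both installs set `manifests.serviceaccount_readonly=true`, but nothing in the script checks that each namespace ended up with its own ClusterRole, ClusterRoleBinding and token Secret; a `kubectl get` on those names after each install would catch a naming collision that `helm test` may not.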
|
||||
|
|