summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDustin Specker <dustin.specker@att.com>2019-02-11 10:04:35 -0600
committerDustin Specker <dustin.specker@att.com>2019-02-26 14:23:36 +0000
commit8c614d4ffd99cefdd186c776c469acd61f2bd757 (patch)
treed0463d402e7dfbce4bb58f1e7bea9d4a42617ba2
parent40c8ca5dfc84a0ff152c86981fd06b0c3de07b81 (diff)
Sonobuoy: allow multiple simultaneous chart installations
Manually set Namespace for Sonobuoy's config.json. Sonobuoy's bug forcing heptio-sonobuoy namespace [1] usage only does not impact this Helm chart because the config.json is directly controlled by the `values.yaml` and not Sonobuoy's CLI. Now multiple instances of this chart may exist at once by specifying unique namespaces at helm install time. Modify Sonobuoy test script to install two instances of Sonobuoy Helm chart. Also install readonly serviceaccount to verify it will work with more than one instance simultaneously. [1] https://github.com/heptio/sonobuoy/issues/420 Change-Id: I6d4ecfb812a4312af13abf1e265de495e27967f9
Notes
Notes (review): Code-Review+1: Jeffrey Williams <jw2610@att.com> Code-Review+1: Bryan Strassner <strassner.bryan@gmail.com> Code-Review+1: Doug Schveninger <ds6901@att.com> Code-Review+2: Steve Wilkerson <wilkers.steve@gmail.com> Code-Review+2: Tin Lam <tin@irrational.io> Workflow+1: Tin Lam <tin@irrational.io> Verified+2: Zuul Submitted-by: Zuul Submitted-at: Sat, 02 Mar 2019 03:20:14 +0000 Reviewed-on: https://review.openstack.org/636167 Project: openstack/openstack-helm-addons Branch: refs/heads/master
-rw-r--r--sonobuoy/templates/pod-api.yaml8
-rw-r--r--sonobuoy/templates/secret-etc.yaml3
-rw-r--r--sonobuoy/templates/serviceaccount-readonly.yaml16
-rw-r--r--sonobuoy/values.yaml2
-rwxr-xr-xtools/gate/scripts/sonobuoy.sh9
5 files changed, 26 insertions, 12 deletions
diff --git a/sonobuoy/templates/pod-api.yaml b/sonobuoy/templates/pod-api.yaml
index 9b119da..f1ab849 100644
--- a/sonobuoy/templates/pod-api.yaml
+++ b/sonobuoy/templates/pod-api.yaml
@@ -19,11 +19,13 @@ limitations under the License.
19 19
20{{- $serviceAccountName := "sonobuoy-serviceaccount" }} 20{{- $serviceAccountName := "sonobuoy-serviceaccount" }}
21{{ tuple $envAll "sonobuoy" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} 21{{ tuple $envAll "sonobuoy" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
22
23{{ $controllerName := printf "%s-%s" .Release.Namespace $serviceAccountName }}
22--- 24---
23apiVersion: rbac.authorization.k8s.io/v1 25apiVersion: rbac.authorization.k8s.io/v1
24kind: ClusterRole 26kind: ClusterRole
25metadata: 27metadata:
26 name: {{ $serviceAccountName }} 28 name: {{ $controllerName | quote }}
27rules: 29rules:
28- apiGroups: 30- apiGroups:
29 - '*' 31 - '*'
@@ -35,11 +37,11 @@ rules:
35apiVersion: rbac.authorization.k8s.io/v1 37apiVersion: rbac.authorization.k8s.io/v1
36kind: ClusterRoleBinding 38kind: ClusterRoleBinding
37metadata: 39metadata:
38 name: {{ $serviceAccountName }}-heptio-sonobuoy 40 name: {{ $controllerName | quote }}
39roleRef: 41roleRef:
40 apiGroup: rbac.authorization.k8s.io 42 apiGroup: rbac.authorization.k8s.io
41 kind: ClusterRole 43 kind: ClusterRole
42 name: {{ $serviceAccountName }} 44 name: {{ $controllerName | quote }}
43subjects: 45subjects:
44- kind: ServiceAccount 46- kind: ServiceAccount
45 name: {{ $serviceAccountName }} 47 name: {{ $serviceAccountName }}
diff --git a/sonobuoy/templates/secret-etc.yaml b/sonobuoy/templates/secret-etc.yaml
index 96045ae..e08fcd2 100644
--- a/sonobuoy/templates/secret-etc.yaml
+++ b/sonobuoy/templates/secret-etc.yaml
@@ -18,6 +18,9 @@ limitations under the License.
18{{- if empty .Values.conf.sonobuoy.WorkerImage -}} 18{{- if empty .Values.conf.sonobuoy.WorkerImage -}}
19{{- $_ := set .Values.conf.sonobuoy "WorkerImage" .Values.images.tags.sonobuoy_api -}} 19{{- $_ := set .Values.conf.sonobuoy "WorkerImage" .Values.images.tags.sonobuoy_api -}}
20{{- end -}} 20{{- end -}}
21{{- if empty .Values.conf.sonobuoy.Namespace -}}
22{{- $_ := set .Values.conf.sonobuoy "Namespace" .Release.Namespace -}}
23{{- end -}}
21--- 24---
22apiVersion: v1 25apiVersion: v1
23kind: Secret 26kind: Secret
diff --git a/sonobuoy/templates/serviceaccount-readonly.yaml b/sonobuoy/templates/serviceaccount-readonly.yaml
index e0b1b56..2604523 100644
--- a/sonobuoy/templates/serviceaccount-readonly.yaml
+++ b/sonobuoy/templates/serviceaccount-readonly.yaml
@@ -59,13 +59,13 @@ may be referenced to list pods, etc.
59{{- if .Values.manifests.serviceaccount_readonly }} 59{{- if .Values.manifests.serviceaccount_readonly }}
60{{- $envAll := . }} 60{{- $envAll := . }}
61 61
62{{- $serviceAccountName := "sonobuoy-readonly-serviceaccount" }} 62{{- $controllerName := printf "%s-%s" $envAll.Release.Namespace "sonobuoy-readonly-serviceaccount" }}
63{{ tuple $envAll "sonobuoy" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} 63{{ tuple $envAll "sonobuoy" $controllerName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
64--- 64---
65apiVersion: rbac.authorization.k8s.io/v1 65apiVersion: rbac.authorization.k8s.io/v1
66kind: ClusterRole 66kind: ClusterRole
67metadata: 67metadata:
68 name: sonobuoy-readonly-clusterrole 68 name: {{ $controllerName | quote }}
69rules: 69rules:
70- apiGroups: 70- apiGroups:
71 - "*" 71 - "*"
@@ -79,24 +79,24 @@ rules:
79apiVersion: rbac.authorization.k8s.io/v1 79apiVersion: rbac.authorization.k8s.io/v1
80kind: ClusterRoleBinding 80kind: ClusterRoleBinding
81metadata: 81metadata:
82 name: sonobuoy-readonly-clusterrolebinding 82 name: {{ $controllerName | quote }}
83roleRef: 83roleRef:
84 apiGroup: rbac.authorization.k8s.io 84 apiGroup: rbac.authorization.k8s.io
85 kind: ClusterRole 85 kind: ClusterRole
86 name: sonobuoy-readonly-clusterrole 86 name: {{ $controllerName | quote }}
87subjects: 87subjects:
88- kind: ServiceAccount 88- kind: ServiceAccount
89 name: {{ $serviceAccountName }} 89 name: {{ $controllerName | quote }}
90 namespace: {{ .Release.Namespace }} 90 namespace: {{ .Release.Namespace }}
91--- 91---
92apiVersion: v1 92apiVersion: v1
93kind: Secret 93kind: Secret
94type: kubernetes.io/service-account-token 94type: kubernetes.io/service-account-token
95metadata: 95metadata:
96 name: {{ $serviceAccountName }}-token-secret 96 name: sonobuoy-readonly-serviceaccount-token-secret
97 namespace: {{ .Release.Namespace }} 97 namespace: {{ .Release.Namespace }}
98 annotations: 98 annotations:
99 kubernetes.io/service-account.name: {{ $serviceAccountName }} 99 kubernetes.io/service-account.name: {{ $controllerName }}
100 {{/* 100 {{/*
101 post-install hook is required to cause ServiceAccount to be deployed 101 post-install hook is required to cause ServiceAccount to be deployed
102 before creating a secret token for it. By default helm deploys secrets 102 before creating a secret token for it. By default helm deploys secrets
diff --git a/sonobuoy/values.yaml b/sonobuoy/values.yaml
index e272ced..fb7dd42 100644
--- a/sonobuoy/values.yaml
+++ b/sonobuoy/values.yaml
@@ -126,6 +126,8 @@ conf:
126 Limits: 126 Limits:
127 PodLogs: 127 PodLogs:
128 SizeLimitBytes: 10000 128 SizeLimitBytes: 10000
129 # NOTE: the Namespace should not be defined and is set in sonobuoy-etc
130 Namespace: null
129 # NOTE: the WorkerImage should not be defined and is set in sonobuoy-etc 131 # NOTE: the WorkerImage should not be defined and is set in sonobuoy-etc
130 WorkerImage: null 132 WorkerImage: null
131 ImagePullPolicy: IfNotPresent 133 ImagePullPolicy: IfNotPresent
diff --git a/tools/gate/scripts/sonobuoy.sh b/tools/gate/scripts/sonobuoy.sh
index cc8272b..d892935 100755
--- a/tools/gate/scripts/sonobuoy.sh
+++ b/tools/gate/scripts/sonobuoy.sh
@@ -19,5 +19,12 @@ set -xe
19helm dependency update sonobuoy 19helm dependency update sonobuoy
20helm upgrade --install sonobuoy sonobuoy \ 20helm upgrade --install sonobuoy sonobuoy \
21 --namespace=heptio-sonobuoy \ 21 --namespace=heptio-sonobuoy \
22 --set endpoints.identity.namespace=openstack 22 --set endpoints.identity.namespace=openstack \
23 --set manifests.serviceaccount_readonly=true
23helm test sonobuoy 24helm test sonobuoy
25
26helm upgrade --install another-sonobuoy sonobuoy \
27 --namespace=sonobuoy \
28 --set endpoints.identity.namespace=openstack \
29 --set manifests.serviceaccount_readonly=true
30helm test another-sonobuoy