From 98059c5bfcf55605aa8bd66a4d263a99ab6ea0a4 Mon Sep 17 00:00:00 2001 From: Joaci Morais Date: Wed, 24 Jul 2024 15:33:18 -0300 Subject: [PATCH] Fixed conflict due role configuration Fixed conflict when user tries to apply more than two apps that uses this same secret-observer helm. The apps oidc-auth-apps and intel-device-plugins-operator wasn't being applied simultaneously on the same system due clusterrole configuration, only one of them could be applied at a time, the solution was to change ClusterRole and ClusterRoleBinding from secret-observer to be namespace specific Role and Rolebindings, each will have permission to operate on objects in their own namespaces. Test Plan: PASS: Build an ISO successfully. PASS: Deploy a SX. PASS: Apply the oidc-auth-apps that is present in the deployed system, the oidc-auth-apps should be successfully installed and on applied state, also check if oidc-secret-observer is present in the installed helm charts using the "helm list -A" command. PASS: Apply the intel-device-plugins-operator, the app should be successfully installed and on applied state. Both oidc-auth-apps and intel-device-plugins-operator should be in applied state and functional. PASS: Apply first intel-device-plugins-operator and then oidc, check if both apps have been applied Story: 2011085 Task: 50692 Change-Id: I274237a9e20874ff562d785474147944cefc0983 Signed-off-by: Joaci Morais --- .../templates/{clusterrole.yaml => role.yaml} | 9 +++++---- .../{clusterrolebinding.yaml => rolebinding.yaml} | 13 +++++++------ .../helm-charts/secret-observer/values.yaml | 4 ++-- 3 files changed, 14 insertions(+), 12 deletions(-) rename secret-observer/secret-observer/helm-charts/secret-observer/templates/{clusterrole.yaml => role.yaml} (63%) rename secret-observer/secret-observer/helm-charts/secret-observer/templates/{clusterrolebinding.yaml => rolebinding.yaml} (59%) 
diff --git a/secret-observer/secret-observer/helm-charts/secret-observer/templates/clusterrole.yaml b/secret-observer/secret-observer/helm-charts/secret-observer/templates/role.yaml similarity index 63% rename from secret-observer/secret-observer/helm-charts/secret-observer/templates/clusterrole.yaml rename to secret-observer/secret-observer/helm-charts/secret-observer/templates/role.yaml index 33827a3..9b4f3a4 100644 --- a/secret-observer/secret-observer/helm-charts/secret-observer/templates/clusterrole.yaml +++ b/secret-observer/secret-observer/helm-charts/secret-observer/templates/role.yaml @@ -1,16 +1,17 @@ {{/* # -# Copyright (c) 2021-2022 Wind River Systems, Inc. +# Copyright (c) 2021-2024 Wind River Systems, Inc. # # SPDX-License-Identifier: Apache-2.0 # */}} -{{- if .Values.clusterRole.create }} +{{- if .Values.Role.create }} apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole +kind: Role metadata: - name: secret-observer-cr + namespace: "{{ .Values.namespace }}" + name: secret-observer-r labels: app: secret-observer release: "{{ .Release.Name }}" diff --git a/secret-observer/secret-observer/helm-charts/secret-observer/templates/clusterrolebinding.yaml b/secret-observer/secret-observer/helm-charts/secret-observer/templates/rolebinding.yaml similarity index 59% rename from secret-observer/secret-observer/helm-charts/secret-observer/templates/clusterrolebinding.yaml rename to secret-observer/secret-observer/helm-charts/secret-observer/templates/rolebinding.yaml index 7b97ff8..77aa588 100644 --- a/secret-observer/secret-observer/helm-charts/secret-observer/templates/clusterrolebinding.yaml +++ b/secret-observer/secret-observer/helm-charts/secret-observer/templates/rolebinding.yaml 
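Review bot: In role.yaml the new `namespace: "{{ .Values.namespace }}"` reads a chart value whose default in values.yaml is `default`, so a consuming app that does not override it gets this Role created in the `default` namespace rather than its own. The `rules:` block lies outside this hunk and should be re-read with the new scope in mind: anything the observer reads outside `.Values.namespace` will now be denied. If the observed secret is known by name, this is also a good moment to narrow the rule to it. I would document the intent with a comment above `metadata:`, for example `# Namespaced on purpose: rules apply only inside .Values.namespace, which each consuming app must override.`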
@@ -1,22 +1,23 @@ {{/* # -# Copyright (c) 2021 Wind River Systems, Inc. +# Copyright (c) 2021-2024 Wind River Systems, Inc. # # SPDX-License-Identifier: Apache-2.0 # */}} -{{- if .Values.clusterRoleBinding.create }} +{{- if .Values.RoleBinding.create }} apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding +kind: RoleBinding metadata: + namespace: "{{ .Values.namespace }}" labels: release: "{{ .Release.Name }}" - name: secret-observer-crb + name: secret-observer-rb roleRef: apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: secret-observer-cr + kind: Role + name: secret-observer-r subjects: - kind: ServiceAccount name: secret-observer diff --git a/secret-observer/secret-observer/helm-charts/secret-observer/values.yaml b/secret-observer/secret-observer/helm-charts/secret-observer/values.yaml index f32a32c..9de9fb0 100644 --- a/secret-observer/secret-observer/helm-charts/secret-observer/values.yaml +++ b/secret-observer/secret-observer/helm-charts/secret-observer/values.yaml @@ -8,10 +8,10 @@ image: docker.io/curlimages/curl imageTag: 8.8.0 namespace: default -clusterRoleBinding: +RoleBinding: create: true -clusterRole: +Role: create: true serviceAccount:
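Review bot: In rolebinding.yaml the `subjects:` entry runs past the end of the hunk, so its `namespace:` is not visible here; it needs to resolve to the same value as the new `metadata.namespace`. Kubernetes does not check that a subject exists, so a mismatch either fails silently with denied requests or binds the Role to a same-named ServiceAccount in another namespace. It is also worth confirming on the upgrade path that the old cluster-scoped `secret-observer-crb` and `secret-observer-cr` objects are actually removed, because a leftover ClusterRoleBinding would keep the cluster-wide grant this change is meant to drop. The fixed names `secret-observer-r` and `secret-observer-rb` still collide if two apps are ever installed into the same namespace.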
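Review bot: In values.yaml the renamed keys `RoleBinding:` and `Role:` start with a capital letter, which goes against the Helm convention of lowercase-first camelCase for chart values and reads like the built-in objects (`.Release`, `.Values`). I would use `roleBinding:` and `role:` here, with `{{- if .Values.role.create }}` and `{{- if .Values.roleBinding.create }}` in the two templates. Independently of the spelling, any existing override that sets `clusterRole.create: false` or `clusterRoleBinding.create: false` is now silently ignored and the RBAC objects are created by default, so the rename deserves a line in the commit message or a comment next to the keys. The unchanged `namespace: default` just above is what the new Role and RoleBinding fall back to when an app does not set it.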