Fixed conflict due to role configuration

Fixed conflict when user tries to apply more than two apps that use
this same secret-observer helm. The apps oidc-auth-apps and
intel-device-plugins-operator weren't being applied simultaneously on
the same system due to clusterrole configuration; only one of them
could be applied at a time. The solution was to change ClusterRole and
ClusterRoleBinding from secret-observer to be namespace specific
Role and RoleBindings; each will have permission to operate on
objects in their own namespaces.

Test Plan:
PASS: Build an ISO successfully.
PASS: Deploy a SX.
PASS: Apply the oidc-auth-apps that is present in the
      deployed system, the oidc-auth-apps should be successfully
      installed and in applied state, also check if
      oidc-secret-observer is present in the installed helm charts
      using the "helm list -A" command.
PASS: Apply the intel-device-plugins-operator, the app should be
      successfully installed and in applied state. Both
      oidc-auth-apps and intel-device-plugins-operator should be in
      applied state and functional.
PASS: Apply first intel-device-plugins-operator and then oidc, check
      if both apps have been applied.

Story: 2011085
Task: 50692

Change-Id: I274237a9e20874ff562d785474147944cefc0983
Signed-off-by: Joaci Morais <Joaci.deMorais@windriver.com>
Joaci Morais 2024-07-24 15:33:18 -03:00
parent b546c75352
commit 98059c5bfc
3 changed files with 14 additions and 12 deletions

@ -1,16 +1,17 @@
{{/* {{/*
# #
# Copyright (c) 2021-2022 Wind River Systems, Inc. # Copyright (c) 2021-2024 Wind River Systems, Inc.
# #
# SPDX-License-Identifier: Apache-2.0 # SPDX-License-Identifier: Apache-2.0
# #
*/}} */}}
{{- if .Values.clusterRole.create }} {{- if .Values.Role.create }}
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole kind: Role
metadata: metadata:
name: secret-observer-cr namespace: "{{ .Values.namespace }}"
name: secret-observer-r
labels: labels:
app: secret-observer app: secret-observer
release: "{{ .Release.Name }}" release: "{{ .Release.Name }}"
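
Review bot: The Role name on the new side is still the fixed string `secret-observer-r`, and its namespace comes from `.Values.namespace`, so two apps that install this chart with the same namespace value would contend for the same object again. Consider deriving the name from the release (for example prefixing it with `{{ .Release.Name }}`) or using `.Release.Namespace`, so that uniqueness does not depend on every consuming app overriding the value.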

@ -1,22 +1,23 @@
{{/* {{/*
# #
# Copyright (c) 2021 Wind River Systems, Inc. # Copyright (c) 2021-2024 Wind River Systems, Inc.
# #
# SPDX-License-Identifier: Apache-2.0 # SPDX-License-Identifier: Apache-2.0
# #
*/}} */}}
{{- if .Values.clusterRoleBinding.create }} {{- if .Values.RoleBinding.create }}
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding kind: RoleBinding
metadata: metadata:
namespace: "{{ .Values.namespace }}"
labels: labels:
release: "{{ .Release.Name }}" release: "{{ .Release.Name }}"
name: secret-observer-crb name: secret-observer-rb
roleRef: roleRef:
apiGroup: rbac.authorization.k8s.io apiGroup: rbac.authorization.k8s.io
kind: ClusterRole kind: Role
name: secret-observer-cr name: secret-observer-r
subjects: subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: secret-observer name: secret-observer
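
Review bot: The binding's `metadata.namespace` is set from `.Values.namespace`, but the namespace of the `ServiceAccount` subject is not among the visible lines; since a RoleBinding only grants access within its own namespace, please confirm the subject entry uses the same `{{ .Values.namespace }}` value. Separately, this template is gated on `.Values.RoleBinding.create` while the Role it references is gated on `.Values.Role.create`, so disabling only the Role leaves a binding that points at a nonexistent `secret-observer-r`; a single flag, or a guard that checks both, would avoid that.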

@ -8,10 +8,10 @@ image: docker.io/curlimages/curl
imageTag: 8.8.0 imageTag: 8.8.0
namespace: default namespace: default
clusterRoleBinding: RoleBinding:
create: true create: true
clusterRole: Role:
create: true create: true
serviceAccount: serviceAccount:
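
Review bot: The renamed keys `RoleBinding:` and `Role:` start with an uppercase letter, unlike the neighbouring `serviceAccount:` and the Helm convention of lowercase-first value names, and the rename means any existing override that sets `clusterRole.create` or `clusterRoleBinding.create` is now silently ignored. Suggest `role:` and `roleBinding:` (with the templates updated to match) and a line in the commit message calling out the key rename for consumers of the chart.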