
Sonobuoy: allow multiple simultaneous chart installations

Manually set Namespace for Sonobuoy's config.json.

The Sonobuoy bug that forces use of the heptio-sonobuoy namespace [1]
does not affect this Helm chart, because config.json is controlled
directly by `values.yaml` rather than by Sonobuoy's CLI.

Now multiple instances of this chart may exist at once by specifying
unique namespaces at helm install time.

Modify Sonobuoy test script to install two instances of Sonobuoy Helm
chart. Also install readonly serviceaccount to verify it will work with
more than one instance simultaneously.

[1] https://github.com/heptio/sonobuoy/issues/420

Change-Id: I6d4ecfb812a4312af13abf1e265de495e27967f9
changes/67/636167/10
Dustin Specker 4 months ago
parent
commit
8c614d4ffd

+ 5
- 3
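--- a/sonobuoy/templates/pod-api.yaml
+++ b/sonobuoy/templates/pod-api.yaml
@@ -19,11 +19,13 @@ limitations under the License.
 
 {{- $serviceAccountName := "sonobuoy-serviceaccount" }}
 {{ tuple $envAll "sonobuoy" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+
+{{ $controllerName := printf "%s-%s" .Release.Namespace $serviceAccountName }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: {{ $serviceAccountName }}
+  name: {{ $controllerName | quote }}
 rules:
 - apiGroups:
   - '*'
@@ -35,11 +37,11 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: {{ $serviceAccountName }}-heptio-sonobuoy
+  name: {{ $controllerName | quote }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: {{ $serviceAccountName }}
+  name: {{ $controllerName | quote }}
 subjects:
 - kind: ServiceAccount
   name: {{ $serviceAccountName }}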
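Review bot: The ClusterRole and ClusterRoleBinding are cluster-scoped and now named per release namespace, and the visible rule opens with `apiGroups` of `'*'`, so every namespace this chart is installed into gets its own cluster-wide grant for `sonobuoy-serviceaccount`. The resources and verbs of that rule lie outside the hunk, so its breadth cannot be judged from here, but a comment above the ClusterRole such as `# cluster-scoped: one ClusterRole per release namespace; removed with the release` would make the footprint explicit to anyone auditing RBAC. On style, the new assignment should use the trim marker like the line above it, `{{- $controllerName := printf "%s-%s" .Release.Namespace $serviceAccountName }}`, and `$controllerName` is a misleading name for what is an RBAC object name.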

+ 3
- 0
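--- a/sonobuoy/templates/secret-etc.yaml
+++ b/sonobuoy/templates/secret-etc.yaml
@@ -18,6 +18,9 @@ limitations under the License.
 {{- if empty .Values.conf.sonobuoy.WorkerImage -}}
 {{- $_ := set .Values.conf.sonobuoy "WorkerImage" .Values.images.tags.sonobuoy_api -}}
 {{- end -}}
+{{- if empty .Values.conf.sonobuoy.Namespace -}}
+{{- $_ := set .Values.conf.sonobuoy "Namespace" .Release.Namespace -}}
+{{- end -}}
 ---
 apiVersion: v1
 kind: Secret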
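Review bot: The `if empty` guard on the added lines lets a user-supplied `conf.sonobuoy.Namespace` override the release namespace, while the read-only RBAC template in this commit binds its service account in `.Release.Namespace`. If the two differ, the rendered config would presumably point Sonobuoy at a namespace the chart's bindings do not cover, and the values.yaml comment already says the key should not be defined. Setting it unconditionally with `{{- $_ := set .Values.conf.sonobuoy "Namespace" .Release.Namespace -}}`, or failing the render when the value is set, would enforce that. How the Secret consumes `.Values.conf.sonobuoy` is outside the hunk.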

+ 8
- 8
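--- a/sonobuoy/templates/serviceaccount-readonly.yaml
+++ b/sonobuoy/templates/serviceaccount-readonly.yaml
@@ -59,13 +59,13 @@ may be referenced to list pods, etc.
 {{- if .Values.manifests.serviceaccount_readonly }}
 {{- $envAll := . }}
 
-{{- $serviceAccountName := "sonobuoy-readonly-serviceaccount" }}
-{{ tuple $envAll "sonobuoy" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+{{- $controllerName := printf "%s-%s" $envAll.Release.Namespace "sonobuoy-readonly-serviceaccount" }}
+{{ tuple $envAll "sonobuoy" $controllerName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: sonobuoy-readonly-clusterrole
+  name: {{ $controllerName | quote }}
 rules:
 - apiGroups:
   - "*"
@@ -79,24 +79,24 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: sonobuoy-readonly-clusterrolebinding
+  name: {{ $controllerName | quote }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: sonobuoy-readonly-clusterrole
+  name: {{ $controllerName | quote }}
 subjects:
 - kind: ServiceAccount
-  name: {{ $serviceAccountName }}
+  name: {{ $controllerName | quote }}
   namespace: {{ .Release.Namespace }}
 ---
 apiVersion: v1
 kind: Secret
 type: kubernetes.io/service-account-token
 metadata:
-  name: {{ $serviceAccountName }}-token-secret
+  name: sonobuoy-readonly-serviceaccount-token-secret
   namespace: {{ .Release.Namespace }}
   annotations:
-    kubernetes.io/service-account.name: {{ $serviceAccountName }}
+    kubernetes.io/service-account.name: {{ $controllerName }}
     {{/*
     post-install hook is required to cause ServiceAccount to be deployed
     before creating a secret token for it. By default helm deploys secrets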
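Review bot: The first hunk passes `$controllerName` to the helm-toolkit snippet, so the namespaced ServiceAccount itself is renamed to `<namespace>-sonobuoy-readonly-serviceaccount`, whereas pod-api.yaml keeps `sonobuoy-serviceaccount` and prefixes only the cluster-scoped objects. Only the ClusterRole and ClusterRoleBinding need a cluster-unique name; keeping a plain `$serviceAccountName` for the ServiceAccount, the binding subject and the token annotation would avoid breaking anything that refers to the account by its previous name. If the rename stays, the annotation in the second hunk should be quoted like the other uses, `kubernetes.io/service-account.name: {{ $controllerName | quote }}`. Each release with this manifest enabled also creates its own service-account token Secret tied to a cluster-wide role whose `apiGroups` is `"*"` (resources and verbs are outside the hunk), which is worth stating in the template's header comment so operators know to remove releases they no longer use.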

+ 2
- 0
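--- a/sonobuoy/values.yaml
+++ b/sonobuoy/values.yaml
@@ -126,6 +126,8 @@ conf:
     Limits:
       PodLogs:
         SizeLimitBytes: 10000
+    # NOTE: the Namespace should not be defined and is set in sonobuoy-etc
+    Namespace: null
     # NOTE: the WorkerImage should not be defined and is set in sonobuoy-etc
     WorkerImage: null
     ImagePullPolicy: IfNotPresent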

+ 8
- 1
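--- a/tools/gate/scripts/sonobuoy.sh
+++ b/tools/gate/scripts/sonobuoy.sh
@@ -19,5 +19,12 @@ set -xe
 helm dependency update sonobuoy
 helm upgrade --install sonobuoy sonobuoy \
     --namespace=heptio-sonobuoy \
-    --set endpoints.identity.namespace=openstack
+    --set endpoints.identity.namespace=openstack \
+    --set manifests.serviceaccount_readonly=true
 helm test sonobuoy
+
+helm upgrade --install another-sonobuoy sonobuoy \
+    --namespace=sonobuoy \
+    --set endpoints.identity.namespace=openstack \
+    --set manifests.serviceaccount_readonly=true
+helm test another-sonobuoy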
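Review bot: `helm test sonobuoy` runs only before `another-sonobuoy` is installed, so the script never checks that the first release still works once the second has created its own ClusterRole and ClusterRoleBinding. Repeating `helm test sonobuoy` after `helm test another-sonobuoy` would cover the simultaneous case the commit message describes. Both releases enable `manifests.serviceaccount_readonly`, but the visible lines do not exercise the read-only token itself; whether `helm test` does so cannot be seen from here.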
