diff --git a/elasticsearch/templates/object-bucket-claim.yaml b/elasticsearch/templates/object-bucket-claim.yaml
index f53a0a2b32..749e8f0b6d 100644
--- a/elasticsearch/templates/object-bucket-claim.yaml
+++ b/elasticsearch/templates/object-bucket-claim.yaml
@@ -17,7 +17,7 @@ limitations under the License.
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
- name: elasticsearch-dependencies-objectbucket
+ name: "elasticsearch-dependencies-objectbucket"
 namespace: {{ .Release.Namespace }}
 rules:
 - apiGroups:
@@ -31,12 +31,12 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
- name: elasticsearch-dependencies-objectbucket
+ name: "elasticsearch-dependencies-objectbucket"
 namespace: {{ .Release.Namespace }}
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: Role
- name: elasticsearch-dependencies-objectbucket
+ name: "elasticsearch-dependencies-objectbucket"
 subjects:
 - kind: ServiceAccount
 name: create-elasticsearch-templates
@@ -44,6 +44,35 @@ subjects:
 - kind: ServiceAccount
 name: verify-repositories
 namespace: {{ .Release.Namespace }}
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: "cluster-elasticsearch-dependencies-objectbucket"
+rules:
+ - apiGroups:
+ - 'objectbucket.io'
+ resources:
+ - objectbuckets
+ verbs:
+ - get
+ - list
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: "cluster-elasticsearch-dependencies-objectbucket"
+subjects:
+ - kind: ServiceAccount
+ name: create-elasticsearch-templates
+ namespace: {{ .Release.Namespace }}
+ - kind: ServiceAccount
+ name: verify-repositories
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ kind: ClusterRole
+ name: "cluster-elasticsearch-dependencies-objectbucket"
+ apiGroup: rbac.authorization.k8s.io
 {{- range $bucket := .Values.storage.s3.buckets }}
 # When using this Rook CRD, not only bucket will be created,
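Review bot: The ClusterRole and ClusterRoleBinding added in the last hunk use the fixed name `cluster-elasticsearch-dependencies-objectbucket`, and cluster-scoped objects are not separated by namespace, so a second release of this chart in another namespace would render the same two objects and collide with the first. Deriving the name from the release, for example `name: "{{ .Release.Namespace }}-{{ .Release.Name }}-objectbucket"` in both `metadata.name` fields and in `roleRef.name`, would keep each install's grant separate and let an uninstall remove only its own binding. The grant itself is read-only (`get` and `list` on `objectbuckets`), which is narrow; if the dependency check only fetches buckets by name, `list` could presumably be dropped, but that depends on the entrypoint image and needs confirming. A one-line comment above the ClusterRole, such as `# ObjectBucket is cluster-scoped, so the namespaced Role above cannot grant read access to it`, would explain why the extra objects exist. The template continues past the end of this hunk, so any surrounding guard is not visible here.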
diff --git a/releasenotes/notes/elasticseach-625bc83028513f08.yaml b/releasenotes/notes/elasticseach-625bc83028513f08.yaml
new file mode 100644
index 0000000000..acee9e47aa
--- /dev/null
+++ b/releasenotes/notes/elasticseach-625bc83028513f08.yaml
@@ -0,0 +1,7 @@
+---
+elasticsearch:
+ - |
+ Properly configure RBAC for create-elasticsearch-templates
+ and verify-repositories service accounts. This ensures they have
+ the necessary permissions to access ObjectBucket cluster resources.
+...
diff --git a/tools/deployment/logging/elasticsearch.sh b/tools/deployment/logging/elasticsearch.sh
index c2933d20d7..fbb2a59cd0 100755
--- a/tools/deployment/logging/elasticsearch.sh
+++ b/tools/deployment/logging/elasticsearch.sh
@@ -163,14 +163,10 @@ manifests:
 job_s3_bucket: false
 object_bucket_claim: true
-# FIXME: The kubernetes-entrypoint image used by default
-# quay.io/airshipit/kubernetes-entrypoint:latest-ubuntu_focal
-# can not lookup for global (w/o namespace) custom resources
-# but ObjectBucket CRs are global and we have them as dependencies
-# for two elasticsearch jobs.
 images:
 tags:
- dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
+ dep_check: quay.io/airshipit/kubernetes-entrypoint:latest-ubuntu_jammy
+
 EOF
 : ${OSH_HELM_REPO:="../openstack-helm"}
diff --git a/zuul.d/project.yaml b/zuul.d/project.yaml
index 23e2bdf908..87e6aa703a 100644
--- a/zuul.d/project.yaml
+++ b/zuul.d/project.yaml
@@ -47,10 +47,7 @@
 - openstack-helm-compute-kit-ovn-2025-2-ubuntu_noble # 1 node + 3 nodes
 - openstack-helm-skyline-2025-2-ubuntu_noble # 3 nodes
 # Infra jobs
- # NOTE(kozhukalov): Temporarily disabled to unblock CI.
- # These job is currently broken due to outdated kubernetes-entrypoint images
- # used in elasticsearch deployment.
- # - openstack-helm-logging
+ - openstack-helm-logging
 - openstack-helm-monitoring
 - openstack-helm-metacontroller
 gate:
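Review bot: In the tools/deployment/logging/elasticsearch.sh hunk the `dep_check` override moves from the fixed tag `v1.0.0` to `latest-ubuntu_jammy`, which by its name is a moving tag, so the image that gates the elasticsearch jobs can change without any commit here and an unreviewed push would reach CI unnoticed. Pinning to an immutable reference, e.g. `dep_check: quay.io/airshipit/kubernetes-entrypoint@sha256:<digest-of-reviewed-image>` (placeholder digest), would keep runs reproducible and auditable. The removed FIXME was the only explanation of why this override exists, so a short replacement comment such as `# dep_check must be able to resolve cluster-scoped ObjectBucket dependencies` would preserve that context if the override is still required. The heredoc this hunk edits begins above the hunk, so the rest of the values file is not visible here.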