Merge "Covering the case when rgw endpoint is in another namespace"

2025-09-23 17:00:51 +00:00
parent d16f061a56 8d586e3e36
commit 344314dd38
3 changed files with 22 additions and 6 deletions
--- a/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl
+++ b/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl
@@ -15,15 +15,16 @@ limitations under the License.
 {{- define "helm-toolkit.snippets.kubernetes_pod_rbac_roles" -}}
 {{- $envAll := index . 0 -}}
 {{- $deps := index . 1 -}}
-{{- $saName := index . 2 | replace "_" "-" }}
-{{- $saNamespace := index . 3 -}}
+{{- $namespace := index . 2 -}}
+{{- $saName := index . 3 | replace "_" "-" }}
+{{- $saNamespace := index . 4 -}}
 {{- $releaseName := $envAll.Release.Name }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  name: {{ $releaseName }}-{{ $saName }}
-  namespace: {{ $saNamespace }}
+  name: {{ $releaseName }}-{{ $saNamespace }}-{{ $saName }}
+  namespace: {{ $namespace }}
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
@@ -37,7 +38,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  name: {{ $releaseName }}-{{ $saNamespace }}-{{ $saName }}
-  namespace: {{ $saNamespace }}
+  namespace: {{ $namespace }}
 rules:
  - apiGroups:
      - ""
--- a/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl
+++ b/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl
@@ -70,6 +70,6 @@ imagePullSecrets:
 {{- $_ := unset $allNamespace $randomKey }}
 {{- range $ns, $vv := $allNamespace }}
 {{- $resourceList := (splitList "," (trimSuffix "," $vv)) }}
-{{- tuple $envAll $resourceList $saName $ns | include "helm-toolkit.snippets.kubernetes_pod_rbac_roles" }}
+{{- tuple $envAll $resourceList $ns $saName $saNamespace | include "helm-toolkit.snippets.kubernetes_pod_rbac_roles" }}
 {{- end -}}
 {{- end -}}
--- a/releasenotes/notes/helm-toolkit-e84e695df114929d.yaml
+++ b/releasenotes/notes/helm-toolkit-e84e695df114929d.yaml
@@ -0,0 +1,15 @@
+---
+helm-toolkit:
+  - |
+    Corrected helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount to
+    cover the case when service account must have access to endpoint in
+    different namespace. In that case Role/Binding are getting created
+    in that endpoint namespace, but now rolebinding will be point to
+    the service account in the original namespace, which is $.Release.Namespace.
+    This was tested with elasticsearch chart where
+    s3.clients.local-rgw-elasticsearch.settings.endpoint was pointing to
+    another namespace. With whose changes job-s3-user was able to detect
+    availability of that enpoint. Before changes init container had this error in the logs:
+    Resolving dependency Service rook-ceph-rgw-default in namespace ceph failed: endpoints "rook-ceph-rgw-default" is forbidden: User
+    "system:serviceaccount:osh-infra:elasticsearch-s3-user" cannot get resource "endpoints" in API group "" in the namespace "ceph"
+...