From 8d586e3e361e85711936bfac23c03079d4fe3732 Mon Sep 17 00:00:00 2001
From: Alexey Odinokov
Date: Thu, 18 Sep 2025 17:24:44 -0500
Subject: [PATCH] Covering the case when rgw endpoint is in another namespace we need to create role/binding in rgw namespace, but give access to the service account which is part of namespace of elastic
Change-Id: I17961315db7453246c45849cb731a818781531ce
Signed-off-by: Alexey Odinokov
---
 .../snippets/_kubernetes_pod_rbac_roles.tpl | 11 ++++++-----
 .../_kubernetes_pod_rbac_serviceaccount.tpl | 2 +-
 .../notes/helm-toolkit-e84e695df114929d.yaml | 15 +++++++++++++++
 3 files changed, 22 insertions(+), 6 deletions(-)
 create mode 100644 releasenotes/notes/helm-toolkit-e84e695df114929d.yaml

diff --git a/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl b/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl
index 90a7a65173..36a61da360 100644
--- a/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl
+++ b/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl
@@ -15,15 +15,16 @@ limitations under the License.
 {{- define "helm-toolkit.snippets.kubernetes_pod_rbac_roles" -}}
 {{- $envAll := index . 0 -}}
 {{- $deps := index . 1 -}}
-{{- $saName := index . 2 | replace "_" "-" }}
-{{- $saNamespace := index . 3 -}}
+{{- $namespace := index . 2 -}}
+{{- $saName := index . 3 | replace "_" "-" }}
+{{- $saNamespace := index . 4 -}}
 {{- $releaseName := $envAll.Release.Name }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  name: {{ $releaseName }}-{{ $saName }}
-  namespace: {{ $saNamespace }}
+  name: {{ $releaseName }}-{{ $saNamespace }}-{{ $saName }}
+  namespace: {{ $namespace }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
@@ -37,7 +38,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name: {{ $releaseName }}-{{ $saNamespace }}-{{ $saName }}
-  namespace: {{ $saNamespace }}
+  namespace: {{ $namespace }}
 rules:
   - apiGroups:
       - ""
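Review bot: The positional interface of `helm-toolkit.snippets.kubernetes_pod_rbac_roles` changes in the first hunk (index 2 is now the namespace the Role and RoleBinding are created in, while the service account name and namespace shift to indexes 3 and 4), but nothing in the define records that order, so any caller outside this patch that still passes the old four-element tuple should fail at render time on `index . 4`, and a reader has to reverse-engineer which namespace goes where. A header comment right after the define line would settle it: `{{- /* args: envAll, deps, namespace (where Role/RoleBinding are created), saName, saNamespace (namespace of the ServiceAccount subject) */ -}}`. The same namespace switch is applied to the Role in the second hunk (`@@ -37,7 +38,7 @@`), and the cross-namespace grant only takes effect if the RoleBinding's `subjects` entry, which lies below the first hunk and is not visible here, sets `namespace: {{ $saNamespace }}` for the service account — worth confirming. The define body continues outside both hunks.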
diff --git a/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl b/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl
index bc2045e5f2..c391136032 100644
--- a/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl
+++ b/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl
@@ -70,6 +70,6 @@ imagePullSecrets:
 {{- $_ := unset $allNamespace $randomKey }}
 {{- range $ns, $vv := $allNamespace }}
 {{- $resourceList := (splitList "," (trimSuffix "," $vv)) }}
-{{- tuple $envAll $resourceList $saName $ns | include "helm-toolkit.snippets.kubernetes_pod_rbac_roles" }}
+{{- tuple $envAll $resourceList $ns $saName $saNamespace | include "helm-toolkit.snippets.kubernetes_pod_rbac_roles" }}
 {{- end -}}
 {{- end -}}
diff --git a/releasenotes/notes/helm-toolkit-e84e695df114929d.yaml b/releasenotes/notes/helm-toolkit-e84e695df114929d.yaml
new file mode 100644
index 0000000000..2b8b964990
--- /dev/null
+++ b/releasenotes/notes/helm-toolkit-e84e695df114929d.yaml
@@ -0,0 +1,15 @@
+---
+helm-toolkit:
+  - |
+    Corrected helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount to
+    cover the case when service account must have access to endpoint in
+    different namespace. In that case Role/Binding are getting created
+    in that endpoint namespace, but now rolebinding will be point to
+    the service account in the original namespace, which is $.Release.Namespace.
+    This was tested with elasticsearch chart where
+    s3.clients.local-rgw-elasticsearch.settings.endpoint was pointing to
+    another namespace. With whose changes job-s3-user was able to detect
+    availability of that enpoint. Before changes init container had this error in the logs:
+    Resolving dependency Service rook-ceph-rgw-default in namespace ceph failed: endpoints "rook-ceph-rgw-default" is forbidden: User
+    "system:serviceaccount:osh-infra:elasticsearch-s3-user" cannot get resource "endpoints" in API group "" in the namespace "ceph"
+...
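Review bot: `$saNamespace` is not defined anywhere in this hunk, so its value comes from earlier in the define (presumably `$envAll.Release.Namespace`, as the release note says), and the tuple line gives no hint that `$ns` and `$saNamespace` now play different roles: `$ns` is where the Role and RoleBinding are created, `$saNamespace` is the namespace of the ServiceAccount subject. A one-line comment before the tuple would make that explicit: `{{- /* Role/RoleBinding are created in $ns (the dependency's namespace); the subject is the SA in $saNamespace */ -}}`. Because the range now writes RBAC objects into every dependency namespace rather than only the release's own, the identity installing the release needs create rights on roles and rolebindings in each of those namespaces, and the API server's escalation check also requires it to already hold the permissions the Role grants there; a sentence on that in the snippet's documentation would save operators a confusing forbidden error at install time. The enclosing define and the range both start before this hunk.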