Covering the case when rgw endpoint is in another namespace

we need to create the Role/RoleBinding in the rgw namespace, but
grant access to the service account that belongs to the
elastic namespace

Change-Id: I17961315db7453246c45849cb731a818781531ce
Signed-off-by: Alexey Odinokov <aodinokov@mirantis.com>
This commit is contained in:
Alexey Odinokov
2025-09-18 17:24:44 -05:00
committed by Alexey
parent f91aa01d58
commit 8d586e3e36
3 changed files with 22 additions and 6 deletions


@@ -15,15 +15,16 @@ limitations under the License.
{{- define "helm-toolkit.snippets.kubernetes_pod_rbac_roles" -}} {{- define "helm-toolkit.snippets.kubernetes_pod_rbac_roles" -}}
{{- $envAll := index . 0 -}} {{- $envAll := index . 0 -}}
{{- $deps := index . 1 -}} {{- $deps := index . 1 -}}
{{- $saName := index . 2 | replace "_" "-" }} {{- $namespace := index . 2 -}}
{{- $saNamespace := index . 3 -}} {{- $saName := index . 3 | replace "_" "-" }}
{{- $saNamespace := index . 4 -}}
{{- $releaseName := $envAll.Release.Name }} {{- $releaseName := $envAll.Release.Name }}
--- ---
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding kind: RoleBinding
metadata: metadata:
name: {{ $releaseName }}-{{ $saName }} name: {{ $releaseName }}-{{ $saNamespace }}-{{ $saName }}
namespace: {{ $saNamespace }} namespace: {{ $namespace }}
roleRef: roleRef:
apiGroup: rbac.authorization.k8s.io apiGroup: rbac.authorization.k8s.io
kind: Role kind: Role
@@ -37,7 +38,7 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: Role kind: Role
metadata: metadata:
name: {{ $releaseName }}-{{ $saNamespace }}-{{ $saName }} name: {{ $releaseName }}-{{ $saNamespace }}-{{ $saName }}
namespace: {{ $saNamespace }} namespace: {{ $namespace }}
rules: rules:
- apiGroups: - apiGroups:
- "" - ""
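Review bot: The snippet's positional contract changed silently — `index . 2` is now the namespace where the Role/RoleBinding are created, the service-account name moved to `index . 3`, and `index . 4` is new — but nothing in the define documents the tuple order, so any other caller still passing the old 4-element tuple would render the namespace as the RoleBinding name and then fail on `index . 4`. A header comment above the define would make the contract explicit: `{{/* args: 0 $envAll, 1 $deps (resource list), 2 namespace the Role/RoleBinding are created in, 3 service-account name, 4 namespace of the service account (RoleBinding subject) */}}`. Because the Role now lives in the endpoint's namespace while the subject comes from another namespace, the `subjects` stanza of the RoleBinding (outside this hunk) must reference `$saNamespace` rather than `$namespace` — worth confirming, since the first hunk ends before it. The define's body continues past both hunks.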


@@ -70,6 +70,6 @@ imagePullSecrets:
{{- $_ := unset $allNamespace $randomKey }} {{- $_ := unset $allNamespace $randomKey }}
{{- range $ns, $vv := $allNamespace }} {{- range $ns, $vv := $allNamespace }}
{{- $resourceList := (splitList "," (trimSuffix "," $vv)) }} {{- $resourceList := (splitList "," (trimSuffix "," $vv)) }}
{{- tuple $envAll $resourceList $saName $ns | include "helm-toolkit.snippets.kubernetes_pod_rbac_roles" }} {{- tuple $envAll $resourceList $ns $saName $saNamespace | include "helm-toolkit.snippets.kubernetes_pod_rbac_roles" }}
{{- end -}} {{- end -}}
{{- end -}} {{- end -}}


@@ -0,0 +1,15 @@
---
helm-toolkit:
- |
Corrected helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount to
cover the case when service account must have access to endpoint in
different namespace. In that case Role/Binding are getting created
in that endpoint namespace, but now rolebinding will be point to
the service account in the original namespace, which is $.Release.Namespace.
This was tested with elasticsearch chart where
s3.clients.local-rgw-elasticsearch.settings.endpoint was pointing to
another namespace. With whose changes job-s3-user was able to detect
availability of that enpoint. Before changes init container had this error in the logs:
Resolving dependency Service rook-ceph-rgw-default in namespace ceph failed: endpoints "rook-ceph-rgw-default" is forbidden: User
"system:serviceaccount:osh-infra:elasticsearch-s3-user" cannot get resource "endpoints" in API group "" in the namespace "ceph"
...