Ensure proper service account for webhook rolebindings (#735)

Fixed an issue where deploying the Helm chart with a custom service account caused the operator to fail. This update ensures the correct service account is used for setting up the cluster role binding in the webhook config. --------- Signed-off-by: Matt Spilchen <[email protected]>
vertica · Mar 14, 2024 · 3b9803c · 3b9803c
1 parent 698623b
commit 3b9803c
Show file tree

Hide file tree

Showing 5 changed files with 39 additions and 2 deletions.
diff --git a/changes/unreleased/Fixed-20240313-220015.yaml b/changes/unreleased/Fixed-20240313-220015.yaml
@@ -0,0 +1,5 @@
+kind: Fixed
+body: Ensure proper service account for webhook rolebindings
+time: 2024-03-13T22:00:15.723292524-03:00
+custom:
+  Issue: "735"
diff --git a/helm-charts/verticadb-operator/tests/serviceaccount-rolebinding_test.yaml b/helm-charts/verticadb-operator/tests/serviceaccount-rolebinding_test.yaml
@@ -0,0 +1,18 @@
+suite: ServiceAccount tests
+templates:
+  - verticadb-operator-manager-clusterrolebinding-crb.yaml
+  - verticadb-operator-webhook-config-crb.yaml
+  - verticadb-operator-proxy-rolebinding-crb.yaml
+  - verticadb-operator-metrics-reader-crb.yaml
+  - verticadb-operator-leader-election-rolebinding-rb.yaml
+tests:
+  - it: should include the serviceaccount name when an override is set
+    set:
+      serviceAccountNameOverride: special-override-sa
+      prometheus:
+        expose: "EnableWithAuthProxy"
+        createProxyRBAC: true
+    asserts:
+      - equal:
+          path: subjects[0].name
+          value: special-override-sa
diff --git a/scripts/template-helm-chart.sh b/scripts/template-helm-chart.sh
@@ -95,7 +95,8 @@ for f in  \
     verticadb-operator-leader-election-rolebinding-rb.yaml \
     verticadb-operator-proxy-rolebinding-crb.yaml \
     verticadb-operator-metrics-reader-crb.yaml \
-    verticadb-operator-manager-clusterrolebinding-crb.yaml
+    verticadb-operator-manager-clusterrolebinding-crb.yaml \
+    verticadb-operator-webhook-config-crb.yaml
 do
     perl -i -0777 -pe 's/kind: ServiceAccount\n.*name: .*/kind: ServiceAccount\n  name: {{ include "vdb-op.serviceAccount" . }}/g' $TEMPLATE_DIR/$f
 done

diff --git a/tests/e2e-leg-5/metrics-auth-proxy-cert/05-assert.yaml b/tests/e2e-leg-5/metrics-auth-proxy-cert/05-assert.yaml
@@ -32,3 +32,16 @@ apiVersion: v1
 kind: Service
 metadata:
   name: verticadb-operator-metrics-service
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: special-sa
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: verticadb-operator-webhook-config
+subjects:
+- kind: ServiceAccount
+  name: special-sa
diff --git a/tests/e2e-leg-5/metrics-auth-proxy-cert/05-deploy-operator.yaml b/tests/e2e-leg-5/metrics-auth-proxy-cert/05-deploy-operator.yaml
@@ -15,4 +15,4 @@ apiVersion: kuttl.dev/v1beta1
 kind: TestStep
 commands:
   - command: sh -c "cd ../../.. && make undeploy-operator || true"
-  - command: sh -c "cd ../../.. && make deploy-operator DEPLOY_WITH=helm NAMESPACE=$NAMESPACE HELM_OVERRIDES='--set prometheus.tlsSecret=custom-cert,prometheus.expose=EnableWithAuthProxy'"
+  - command: sh -c "cd ../../.. && make deploy-operator DEPLOY_WITH=helm NAMESPACE=$NAMESPACE HELM_OVERRIDES='--set prometheus.tlsSecret=custom-cert,prometheus.expose=EnableWithAuthProxy,serviceAccountNameOverride=special-sa'"