From 3b9803c95d55f129c4b346c44e851b198b240927 Mon Sep 17 00:00:00 2001
From: spilchen
Date: Thu, 14 Mar 2024 14:16:20 -0300
Subject: [PATCH] Ensure proper service account for webhook rolebindings (#735)
Fixed an issue where deploying the Helm chart with a custom service account caused the operator to fail. This update ensures the correct service account is used for setting up the cluster role binding in the webhook config.
---------
Signed-off-by: Matt Spilchen
---
 changes/unreleased/Fixed-20240313-220015.yaml | 5 +++++
 .../tests/serviceaccount-rolebinding_test.yaml | 18 ++++++++++++++++++
 scripts/template-helm-chart.sh | 3 ++-
 .../metrics-auth-proxy-cert/05-assert.yaml | 13 +++++++++++++
 .../05-deploy-operator.yaml | 2 +-
 5 files changed, 39 insertions(+), 2 deletions(-)
 create mode 100644 changes/unreleased/Fixed-20240313-220015.yaml
 create mode 100644 helm-charts/verticadb-operator/tests/serviceaccount-rolebinding_test.yaml
diff --git a/changes/unreleased/Fixed-20240313-220015.yaml b/changes/unreleased/Fixed-20240313-220015.yaml
new file mode 100644
index 000000000..a7b2d8419
--- /dev/null
+++ b/changes/unreleased/Fixed-20240313-220015.yaml
@@ -0,0 +1,5 @@
+kind: Fixed
+body: Ensure proper service account for webhook rolebindings
+time: 2024-03-13T22:00:15.723292524-03:00
+custom:
+ Issue: "735"
diff --git a/helm-charts/verticadb-operator/tests/serviceaccount-rolebinding_test.yaml b/helm-charts/verticadb-operator/tests/serviceaccount-rolebinding_test.yaml
new file mode 100644
index 000000000..c170de487
--- /dev/null
+++ b/helm-charts/verticadb-operator/tests/serviceaccount-rolebinding_test.yaml
@@ -0,0 +1,18 @@
+suite: ServiceAccount tests
+templates:
+ - verticadb-operator-manager-clusterrolebinding-crb.yaml
+ - verticadb-operator-webhook-config-crb.yaml
+ - verticadb-operator-proxy-rolebinding-crb.yaml
+ - verticadb-operator-metrics-reader-crb.yaml
+ - verticadb-operator-leader-election-rolebinding-rb.yaml
+tests:
+ - it: should include the serviceaccount name when an override is set
+ set:
+ serviceAccountNameOverride: special-override-sa
+ prometheus:
+ expose: "EnableWithAuthProxy"
+ createProxyRBAC: true
+ asserts:
+ - equal:
+ path: subjects[0].name
+ value: special-override-sa
diff --git a/scripts/template-helm-chart.sh b/scripts/template-helm-chart.sh
index 5b69accd2..2f4a8ed98 100755
--- a/scripts/template-helm-chart.sh
+++ b/scripts/template-helm-chart.sh
@@ -95,7 +95,8 @@ for f in \
 verticadb-operator-leader-election-rolebinding-rb.yaml \
 verticadb-operator-proxy-rolebinding-crb.yaml \
 verticadb-operator-metrics-reader-crb.yaml \
- verticadb-operator-manager-clusterrolebinding-crb.yaml
+ verticadb-operator-manager-clusterrolebinding-crb.yaml \
+ verticadb-operator-webhook-config-crb.yaml
 do
 perl -i -0777 -pe 's/kind: ServiceAccount\n.*name: .*/kind: ServiceAccount\n name: {{ include "vdb-op.serviceAccount" . }}/g' $TEMPLATE_DIR/$f
 done
diff --git a/tests/e2e-leg-5/metrics-auth-proxy-cert/05-assert.yaml b/tests/e2e-leg-5/metrics-auth-proxy-cert/05-assert.yaml
index 64cc27c4c..58f1560c0 100644
--- a/tests/e2e-leg-5/metrics-auth-proxy-cert/05-assert.yaml
+++ b/tests/e2e-leg-5/metrics-auth-proxy-cert/05-assert.yaml
@@ -32,3 +32,16 @@ apiVersion: v1
 kind: Service
 metadata:
 name: verticadb-operator-metrics-service
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: special-sa
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: verticadb-operator-webhook-config
+subjects:
+- kind: ServiceAccount
+ name: special-sa
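Review bot: The single assertion in `serviceaccount-rolebinding_test.yaml` pins only `subjects[0].name`, so it would still pass if a binding named the right account but with another subject kind or in another namespace. For the `-crb` templates in the list, the subject's namespace decides which account receives the cluster-wide permissions, so it is worth adding `path: subjects[0].kind` / `value: ServiceAccount` and a matching `equal` on `subjects[0].namespace` against the release namespace. The templates are not visible in this patch, so whether they emit a namespace field is an assumption to confirm. A second `it:` case without `serviceAccountNameOverride` would also pin the default account name, which this suite does not cover.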
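Review bot: The file list in the `for f in \` loop of `scripts/template-helm-chart.sh` is still maintained by hand, which appears to be how `verticadb-operator-webhook-config-crb.yaml` kept a fixed account name; the next binding template added to the chart can repeat the same miss. A check after `done` that fails the script when any file under `$TEMPLATE_DIR` still has a `kind: ServiceAccount` subject whose name is not the `vdb-op.serviceAccount` include would catch this when the chart is generated, rather than at deploy time. At minimum, a comment above the list would document the rule: `# Every template with a ServiceAccount subject must be listed here, or serviceAccountNameOverride is ignored for that binding.` The loop begins above the hunk, so the exact placement depends on lines not shown.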
diff --git a/tests/e2e-leg-5/metrics-auth-proxy-cert/05-deploy-operator.yaml b/tests/e2e-leg-5/metrics-auth-proxy-cert/05-deploy-operator.yaml
index 3210a968f..159938529 100644
--- a/tests/e2e-leg-5/metrics-auth-proxy-cert/05-deploy-operator.yaml
+++ b/tests/e2e-leg-5/metrics-auth-proxy-cert/05-deploy-operator.yaml
@@ -15,4 +15,4 @@ apiVersion: kuttl.dev/v1beta1
 kind: TestStep
 commands:
 - command: sh -c "cd ../../.. && make undeploy-operator || true"
- - command: sh -c "cd ../../.. && make deploy-operator DEPLOY_WITH=helm NAMESPACE=$NAMESPACE HELM_OVERRIDES='--set prometheus.tlsSecret=custom-cert,prometheus.expose=EnableWithAuthProxy'"
+ - command: sh -c "cd ../../.. && make deploy-operator DEPLOY_WITH=helm NAMESPACE=$NAMESPACE HELM_OVERRIDES='--set prometheus.tlsSecret=custom-cert,prometheus.expose=EnableWithAuthProxy,serviceAccountNameOverride=special-sa'"