Merge branch 'main' into em/add-explicit-enabled-for-script-pod-clusterrole

Author: eddymoulton

.changeset/lovely-states-pay.md

@@ -0,0 +1,5 @@
+---
+"kubernetes-agent": minor
+---
+
+Add globals for targetNamespaces

charts/kubernetes-agent/README.md

@@ -123,6 +123,7 @@ The Kubernetes agent is optionally installed alongside the Kubernetes agent, [re
 | global.serverApiUrl | string | `""` | This is overridden by agent.serverUrl if both are set |
 | global.serverCertificate | string | `""` | This is overridden by agent.serverCertificate if both are set |
 | global.serverCertificateSecretName | string | `""` | This is overridden by agent.serverCertificateSecretName if both are set |
+| global.targetNamespaces | list | Uses a ClusterRoleBinding to allow the service account to run in any namespace | This is overridden by scriptPods.serviceAccount.targetNamespaces if both are set |
 
 ### Persistence
 

charts/kubernetes-agent/templates/_helpers.tpl

@@ -304,4 +304,16 @@ The server API url - the global is used unless overridden by the value in values
 {{- else if .Values.global.serverApiUrl }}
 {{- .Values.global.serverApiUrl }}
 {{- end }}
+{{- end }}
+
+{{/*
+The target namespaces - the global is used unless overridden by the value in values.yaml
+Returns the list as JSON array (use fromJsonArray to deserialize)
+*/}}
+{{- define "kubernetes-agent.targetNamespaces" -}}
+{{- if gt (len .Values.scriptPods.serviceAccount.targetNamespaces) 0 }}
+{{- .Values.scriptPods.serviceAccount.targetNamespaces | toJson }}
+{{- else }}
+{{- .Values.global.targetNamespaces | toJson }}
+{{- end }}
 {{- end }}

charts/kubernetes-agent/templates/auto-upgrader-rolebindings.yaml

@@ -2,6 +2,7 @@
 {{- $autoUpgraderServiceAccountName := include "kubernetes-agent.autoUpgraderServiceAccountName" . -}}
 {{- $autoUpgraderSelfRoleName := include "kubernetes-agent.autoUpgraderSelfRoleName" . -}}
 {{- $autoUpgraderTargetRoleName := include "kubernetes-agent.autoUpgraderTargetRoleName" . -}}
+{{- $targetNamespaces := include "kubernetes-agent.targetNamespaces" . | fromJsonArray -}}
 
 # RoleBinding for managing the agent in its own namespace
 ---
@@ -19,9 +20,9 @@ roleRef:
   name: {{ $autoUpgraderSelfRoleName }}
   apiGroup: rbac.authorization.k8s.io
 
-{{- if .Values.scriptPods.serviceAccount.targetNamespaces }}
+{{- if not (empty $targetNamespaces) }}
 # RoleBindings for managing script pod roles/rolebindings in target namespaces
-{{- range $targetNamespace := $.Values.scriptPods.serviceAccount.targetNamespaces }}
+{{- range $targetNamespace := $targetNamespaces }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding

charts/kubernetes-agent/templates/auto-upgrader-roles.yaml

@@ -1,6 +1,7 @@
 {{- if .Values.scriptPods.serviceAccount.useNamespacedRoles }}
 {{- $autoUpgraderSelfRoleName := include "kubernetes-agent.autoUpgraderSelfRoleName" . -}}
 {{- $autoUpgraderTargetRoleName := include "kubernetes-agent.autoUpgraderTargetRoleName" . -}}
+{{- $targetNamespaces := include "kubernetes-agent.targetNamespaces" . | fromJsonArray -}}
 
 # Role for managing the agent in its own namespace
 ---
@@ -18,9 +19,9 @@ rules:
   verbs: ["*"]
 {{- end }}
 
-{{- if .Values.scriptPods.serviceAccount.targetNamespaces }}
+{{- if not (empty $targetNamespaces) }}
 # Roles for managing script pod roles/rolebindings in target namespaces
-{{- range $targetNamespace := $.Values.scriptPods.serviceAccount.targetNamespaces }}
+{{- range $targetNamespace := $targetNamespaces }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role

charts/kubernetes-agent/templates/pod-clusterbinding.yaml

@@ -1,4 +1,4 @@
-{{- if and .Values.scriptPods.serviceAccount.clusterRole.enabled (empty .Values.scriptPods.serviceAccount.targetNamespaces) (not .Values.agent.worker.enabled) (not .Values.scriptPods.serviceAccount.useNamespacedRoles) }}
+{{- if  and .Values.scriptPods.serviceAccount.clusterRole.enabled (empty (include "kubernetes-agent.targetNamespaces" . | fromJsonArray)) (not .Values.agent.worker.enabled) (not .Values.scriptPods.serviceAccount.useNamespacedRoles) }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:

charts/kubernetes-agent/templates/pod-rolebindings.yaml

@@ -2,10 +2,11 @@
 {{- $podServiceAccountFullName := include "kubernetes-agent.scriptPodServiceAccountFullName" . -}}
 {{- $podClusterRoleName := include "kubernetes-agent.scriptPodClusterRoleName" . -}}
 {{- $podRoleName := include "kubernetes-agent.scriptPodRoleName" . -}}
-{{- $podDeleterClusterRoleName := include "kubernetes-agent.scriptPodDeleterClusterRoleName" . -}}  
+{{- $podDeleterClusterRoleName := include "kubernetes-agent.scriptPodDeleterClusterRoleName" . -}}
+{{- $targetNamespaces := include "kubernetes-agent.targetNamespaces" . | fromJsonArray -}}
 
 {{- if .Values.agent.deploymentTarget.enabled }}
-{{- range $targetNamespace := $.Values.scriptPods.serviceAccount.targetNamespaces }}
+{{- range $targetNamespace := $targetNamespaces }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
@@ -25,7 +26,7 @@ roleRef:
   name: {{ $podClusterRoleName }}
   {{- end }}
   apiGroup: rbac.authorization.k8s.io
-{{- end -}}
+{{- end }}
 {{- end -}}
 {{- if and .Values.persistence.nfs.watchdog.enabled (not (include "kubernetes-agent.useCustomPvc" .)) }}
 ---

charts/kubernetes-agent/templates/pod-roles.yaml

@@ -16,9 +16,10 @@ rules:
 {{- $podServiceAccountName := include "kubernetes-agent.scriptPodServiceAccountName" . -}}
 {{- $podServiceAccountFullName := include "kubernetes-agent.scriptPodServiceAccountFullName" . -}}
 {{- $podRoleName := include "kubernetes-agent.scriptPodRoleName" . -}}
+{{- $targetNamespaces := include "kubernetes-agent.targetNamespaces" . | fromJsonArray -}}
 
-{{- if and .Values.scriptPods.serviceAccount.useNamespacedRoles .Values.scriptPods.serviceAccount.targetNamespaces }}
-{{- range $targetNamespace := $.Values.scriptPods.serviceAccount.targetNamespaces }}
+{{- if and .Values.scriptPods.serviceAccount.useNamespacedRoles (not (empty $targetNamespaces)) }}
+{{- range $targetNamespace := $targetNamespaces }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role

charts/kubernetes-agent/tests/__snapshot__/targetnamespaces-global_test.yaml.snap

@@ -0,0 +1,29 @@
+matches snapshot with global targetNamespaces:
+  1: |
+    apiVersion: rbac.authorization.k8s.io/v1
+    kind: RoleBinding
+    metadata:
+      name: octopus-agent-scripts-RELEASE-NAME-binding
+      namespace: global-ns-1
+    roleRef:
+      apiGroup: rbac.authorization.k8s.io
+      kind: ClusterRole
+      name: octopus-agent-scripts-RELEASE-NAME-role
+    subjects:
+      - kind: ServiceAccount
+        name: octopus-agent-scripts
+        namespace: NAMESPACE
+  2: |
+    apiVersion: rbac.authorization.k8s.io/v1
+    kind: RoleBinding
+    metadata:
+      name: octopus-agent-scripts-RELEASE-NAME-deleter-binding
+      namespace: NAMESPACE
+    roleRef:
+      apiGroup: rbac.authorization.k8s.io
+      kind: ClusterRole
+      name: octopus-agent-scripts-RELEASE-NAME-delete-role
+    subjects:
+      - kind: ServiceAccount
+        name: octopus-agent-scripts
+        namespace: NAMESPACE

charts/kubernetes-agent/tests/targetnamespaces-global_test.yaml

@@ -0,0 +1,162 @@
+suite: "global targetNamespaces"
+templates:
+- templates/pod-rolebindings.yaml
+- templates/pod-roles.yaml
+- templates/auto-upgrader-rolebindings.yaml
+- templates/auto-upgrader-roles.yaml
+tests:
+- it: "uses global targetNamespaces when local is not set"
+  set:
+    global:
+      targetNamespaces: ["global-ns-1", "global-ns-2"]
+    scriptPods:
+      serviceAccount:
+        targetNamespaces: []
+    agent.deploymentTarget.enabled: true
+    persistence.nfs.watchdog.enabled: false
+  template: templates/pod-rolebindings.yaml
+  asserts:
+  - hasDocuments:
+      count: 2
+  - equal:
+      path: metadata.namespace
+      value: global-ns-1
+    documentIndex: 0
+  - equal:
+      path: metadata.namespace
+      value: global-ns-2
+    documentIndex: 1
+
+- it: "local targetNamespaces override global"
+  set:
+    global:
+      targetNamespaces: ["global-ns-1", "global-ns-2"]
+    scriptPods:
+      serviceAccount:
+        targetNamespaces: ["local-ns-1", "local-ns-2", "local-ns-3"]
+    agent.deploymentTarget.enabled: true
+    persistence.nfs.watchdog.enabled: false
+  template: templates/pod-rolebindings.yaml
+  asserts:
+  - hasDocuments:
+      count: 3
+  - equal:
+      path: metadata.namespace
+      value: local-ns-1
+    documentIndex: 0
+  - equal:
+      path: metadata.namespace
+      value: local-ns-2
+    documentIndex: 1
+  - equal:
+      path: metadata.namespace
+      value: local-ns-3
+    documentIndex: 2
+
+- it: "creates no rolebindings when both global and local are empty"
+  set:
+    global:
+      targetNamespaces: []
+    scriptPods:
+      serviceAccount:
+        targetNamespaces: []
+    agent.deploymentTarget.enabled: true
+  template: templates/pod-rolebindings.yaml
+  asserts:
+  - hasDocuments:
+      count: 1
+
+- it: "global targetNamespaces work with namespace-scoped roles"
+  set:
+    global:
+      targetNamespaces: ["global-ns-1", "global-ns-2"]
+    scriptPods:
+      serviceAccount:
+        targetNamespaces: []
+        useNamespacedRoles: true
+  template: templates/pod-roles.yaml
+  asserts:
+  - hasDocuments:
+      count: 2
+  - equal:
+      path: kind
+      value: Role
+    documentIndex: 0
+  - equal:
+      path: metadata.namespace
+      value: global-ns-1
+    documentIndex: 0
+  - equal:
+      path: metadata.namespace
+      value: global-ns-2
+    documentIndex: 1
+
+- it: "global targetNamespaces work with auto-upgrader rolebindings"
+  set:
+    global:
+      targetNamespaces: ["global-ns-1", "global-ns-2"]
+    scriptPods:
+      serviceAccount:
+        targetNamespaces: []
+        useNamespacedRoles: true
+  template: templates/auto-upgrader-rolebindings.yaml
+  asserts:
+  - hasDocuments:
+      count: 3
+  - equal:
+      path: kind
+      value: RoleBinding
+    documentIndex: 0
+  - matchRegex:
+      path: metadata.name
+      pattern: self-binding$
+    documentIndex: 0
+  - equal:
+      path: metadata.namespace
+      value: global-ns-1
+    documentIndex: 1
+  - equal:
+      path: metadata.namespace
+      value: global-ns-2
+    documentIndex: 2
+
+- it: "global targetNamespaces work with auto-upgrader roles"
+  set:
+    global:
+      targetNamespaces: ["global-ns-1", "global-ns-2"]
+    scriptPods:
+      serviceAccount:
+        targetNamespaces: []
+        useNamespacedRoles: true
+  template: templates/auto-upgrader-roles.yaml
+  asserts:
+  - hasDocuments:
+      count: 3
+  - equal:
+      path: kind
+      value: Role
+    documentIndex: 0
+  - matchRegex:
+      path: metadata.name
+      pattern: self-role$
+    documentIndex: 0
+  - equal:
+      path: metadata.namespace
+      value: global-ns-1
+    documentIndex: 1
+  - equal:
+      path: metadata.namespace
+      value: global-ns-2
+    documentIndex: 2
+
+- it: "matches snapshot with global targetNamespaces"
+  set:
+    global:
+      targetNamespaces: ["global-ns-1"]
+    scriptPods:
+      serviceAccount:
+        targetNamespaces: []
+    agent.deploymentTarget.enabled: true
+  template: templates/pod-rolebindings.yaml
+  asserts:
+  - matchSnapshot: {}