From dea46828bf70568adb856868eb16b31b8716bec2 Mon Sep 17 00:00:00 2001
From: mewa
Date: Tue, 30 May 2023 09:53:02 +0200
Subject: [PATCH 1/2] Chart: Fix cluster-wide RBAC naming clash when using multiNamespace mode and the same release name in multiple namespaces

---
 chart/templates/rbac/pod-launcher-role.yaml | 7 ++++++-
 chart/templates/rbac/pod-launcher-rolebinding.yaml | 10 ++++++++--
 chart/templates/rbac/pod-log-reader-role.yaml | 7 ++++++-
 chart/templates/rbac/pod-log-reader-rolebinding.yaml | 10 ++++++++--
 .../rbac/security-context-constraint-rolebinding.yaml | 7 ++++++-
 5 files changed, 34 insertions(+), 7 deletions(-)

diff --git a/chart/templates/rbac/pod-launcher-role.yaml b/chart/templates/rbac/pod-launcher-role.yaml
index 90d5125974d2c..12fd87f4c9f1e 100644
--- a/chart/templates/rbac/pod-launcher-role.yaml
+++ b/chart/templates/rbac/pod-launcher-role.yaml
@@ -28,15 +28,20 @@ kind: Role
 {{- end }}
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
- name: {{ .Release.Name }}-pod-launcher-role
 {{- if not .Values.multiNamespaceMode }}
+ name: {{ .Release.Name }}-pod-launcher-role
 namespace: "{{ .Release.Namespace }}"
+ {{- else }}
+ name: {{ .Release.Name }}-{{ .Release.Namespace }}-pod-launcher-role
 {{- end }}
 labels:
 tier: airflow
 release: {{ .Release.Name }}
 chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
 heritage: {{ .Release.Service }}
+ {{- if .Values.multiNamespaceMode }}
+ namespace: "{{ .Release.Namespace }}"
+ {{- end }}
 {{- with .Values.labels }}
 {{- toYaml . | nindent 4 }}
 {{- end }}
diff --git a/chart/templates/rbac/pod-launcher-rolebinding.yaml b/chart/templates/rbac/pod-launcher-rolebinding.yaml
index 50820c8e2a4cd..2209310d63b35 100644
--- a/chart/templates/rbac/pod-launcher-rolebinding.yaml
+++ b/chart/templates/rbac/pod-launcher-rolebinding.yaml
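Review bot: The `namespace: "{{ .Release.Namespace }}"` label added under `labels:` in the multiNamespaceMode branch is emitted immediately before `{{- with .Values.labels }} {{- toYaml . | nindent 4 }}`, so any user who already sets a `namespace` key in `.Values.labels` now renders a mapping with a duplicate key; depending on the decoder that is rejected outright or the last value silently wins, and in the latter case the cluster-scoped ClusterRole loses the very attribution this change adds. A bare `namespace` label is also easy to misread as `metadata.namespace`, which a ClusterRole does not have. A chart-prefixed key that cannot collide with user labels, e.g. `release-namespace: "{{ .Release.Namespace }}"`, or a note in `values.yaml` that `namespace` is reserved, would close this. The `kind:` selection and the rules this ClusterRole grants are outside the hunk.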
@@ -32,13 +32,18 @@ apiVersion: rbac.authorization.k8s.io/v1
 metadata:
 {{- if not .Values.multiNamespaceMode }}
 namespace: "{{ .Release.Namespace }}"
- {{- end }}
 name: {{ .Release.Name }}-pod-launcher-rolebinding
+ {{- else }}
+ name: {{ .Release.Name }}-{{ .Release.Namespace }}-pod-launcher-rolebinding
+ {{- end }}
 labels:
 tier: airflow
 release: {{ .Release.Name }}
 chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
 heritage: {{ .Release.Service }}
+ {{- if .Values.multiNamespaceMode }}
+ namespace: "{{ .Release.Namespace }}"
+ {{- end }}
 {{- with .Values.labels }}
 {{- toYaml . | nindent 4 }}
 {{- end }}
@@ -46,10 +51,11 @@ roleRef:
 apiGroup: rbac.authorization.k8s.io
 {{- if .Values.multiNamespaceMode }}
 kind: ClusterRole
+ name: {{ .Release.Name }}-{{ .Release.Namespace }}-pod-launcher-role
 {{- else }}
 kind: Role
- {{- end }}
 name: {{ .Release.Name }}-pod-launcher-role
+ {{- end }}
 subjects:
 {{- if has .Values.executor $schedulerLaunchExecutors }}
 - kind: ServiceAccount
diff --git a/chart/templates/rbac/pod-log-reader-role.yaml b/chart/templates/rbac/pod-log-reader-role.yaml
index 407b5cab3d756..719a0e31af40b 100644
--- a/chart/templates/rbac/pod-log-reader-role.yaml
+++ b/chart/templates/rbac/pod-log-reader-role.yaml
@@ -28,15 +28,20 @@ kind: Role
 {{- end }}
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
- name: {{ .Release.Name }}-pod-log-reader-role
 {{- if not .Values.multiNamespaceMode }}
+ name: {{ .Release.Name }}-pod-log-reader-role
 namespace: "{{ .Release.Namespace }}"
+ {{- else }}
+ name: {{ .Release.Name }}-{{ .Release.Namespace}}-pod-log-reader-role
 {{- end }}
 labels:
 tier: airflow
 release: {{ .Release.Name }}
 chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
 heritage: {{ .Release.Service }}
+ {{- if .Values.multiNamespaceMode }}
+ namespace: "{{ .Release.Namespace }}"
+ {{- end }}
 {{- with .Values.labels }}
 {{- toYaml . | nindent 4 }}
 {{- end }}
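Review bot: Renaming the multiNamespaceMode ClusterRoleBinding to `{{ .Release.Name }}-{{ .Release.Namespace }}-pod-launcher-rolebinding` leaves the old `{{ .Release.Name }}-pod-launcher-rolebinding` object in place on any cluster where the manifests are applied without pruning (`helm template | kubectl apply`, GitOps tooling with prune disabled), and that orphan keeps granting the pod-launcher ClusterRole to whatever subjects it last carried, no longer tied to any release's ownership metadata. `helm upgrade` does remove the old-named object, but the template cannot tell which path an operator used, so the upgrade notes should instruct operators to confirm the old ClusterRole/ClusterRoleBinding pair is gone after upgrading. A short template comment above `metadata:` recording why the namespace is part of the name, e.g. `# multiNamespaceMode emits cluster-scoped objects; the namespace in the name keeps same-named releases in different namespaces from colliding`, would also help the next maintainer.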
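Review bot: The new `name:` line under `kind: ClusterRole` changes `roleRef` of the multiNamespaceMode binding, and `roleRef` is immutable on an existing (Cluster)RoleBinding; this only works because the binding itself is renamed in the same patch, so `helm upgrade` creates a fresh object instead of patching the old one. Anyone backporting this hunk alone, or later deciding to keep the binding name stable, would hit a `cannot change roleRef` failure on upgrade. A comment above `roleRef:` such as `# roleRef is immutable: renaming the referenced role requires renaming this binding as well` records the coupling. The `subjects:` list this binding grants to continues past the end of the hunk.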
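Review bot: `{{ .Release.Namespace}}` on the added multiNamespaceMode name line is missing the space before `}}` that every other new name line in this patch has; Go templates render it identically, so nothing breaks, but a grep for `.Release.Namespace }}` will miss this site and the binding's `roleRef` must match this string byte for byte. Change it to `name: {{ .Release.Name }}-{{ .Release.Namespace }}-pod-log-reader-role`. Since each role name is now composed by hand both here and in the matching rolebinding's `roleRef`, a named helper in `_helpers.yaml` returning the role name for the current mode would keep the pairs from drifting.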
diff --git a/chart/templates/rbac/pod-log-reader-rolebinding.yaml b/chart/templates/rbac/pod-log-reader-rolebinding.yaml
index 5c85b490d21cb..13755288476ff 100644
--- a/chart/templates/rbac/pod-log-reader-rolebinding.yaml
+++ b/chart/templates/rbac/pod-log-reader-rolebinding.yaml
@@ -30,13 +30,18 @@ apiVersion: rbac.authorization.k8s.io/v1
 metadata:
 {{- if not .Values.multiNamespaceMode }}
 namespace: "{{ .Release.Namespace }}"
- {{- end }}
 name: {{ .Release.Name }}-pod-log-reader-rolebinding
+ {{- else }}
+ name: {{ .Release.Name }}-{{ .Release.Namespace }}-pod-log-reader-rolebinding
+ {{- end }}
 labels:
 tier: airflow
 release: {{ .Release.Name }}
 chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
 heritage: {{ .Release.Service }}
+ {{- if .Values.multiNamespaceMode }}
+ namespace: "{{ .Release.Namespace }}"
+ {{- end }}
 {{- with .Values.labels }}
 {{- toYaml . | nindent 4 }}
 {{- end }}
@@ -44,10 +49,11 @@ roleRef:
 apiGroup: rbac.authorization.k8s.io
 {{- if .Values.multiNamespaceMode }}
 kind: ClusterRole
+ name: {{ .Release.Name }}-{{ .Release.Namespace }}-pod-log-reader-role
 {{- else }}
 kind: Role
- {{- end }}
 name: {{ .Release.Name }}-pod-log-reader-role
+ {{- end }}
 subjects:
 {{- if .Values.webserver.allowPodLogReading }}
 - kind: ServiceAccount
diff --git a/chart/templates/rbac/security-context-constraint-rolebinding.yaml b/chart/templates/rbac/security-context-constraint-rolebinding.yaml
index 2ed0c37f05b3b..6992e02e29e4e 100644
--- a/chart/templates/rbac/security-context-constraint-rolebinding.yaml
+++ b/chart/templates/rbac/security-context-constraint-rolebinding.yaml
@@ -30,14 +30,19 @@ kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
 {{- if not .Values.multiNamespaceMode }}
+ name: {{ .Release.Name }}-scc-rolebinding
 namespace: "{{ .Release.Namespace }}"
+ {{- else }}
+ name: {{ .Release.Name }}-{{ .Release.Namespace }}-scc-rolebinding
 {{- end }}
- name: {{ .Release.Name }}-scc-rolebinding
 labels:
 tier: airflow
 release: {{ .Release.Name }}
 chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
 heritage: {{ .Release.Service }}
+ {{- if .Values.multiNamespaceMode }}
+ namespace: "{{ .Release.Namespace }}"
+ {{- end }}
 {{- with .Values.labels }}
 {{- toYaml . | nindent 4 }}
 {{- end }}

From 567b8fa5b3b4ef556ef4b82f11a8d3c3b434e9d6 Mon Sep 17 00:00:00 2001
From: mewa
Date: Tue, 30 May 2023 14:50:26 +0200
Subject: [PATCH 2/2] Add 31613 newsfragment

---
 newsfragments/31613.fix.rst | 6 ++++++
 1 file changed, 6 insertions(+)
 create mode 100644 newsfragments/31613.fix.rst

diff --git a/newsfragments/31613.fix.rst b/newsfragments/31613.fix.rst
new file mode 100644
index 0000000000000..541f827c984c6
--- /dev/null
+++ b/newsfragments/31613.fix.rst
@@ -0,0 +1,6 @@
+Helm chart only fix: `ClusterRole`s and `ClusterRoleBinding`s created when `multiNamespaceMode` is enabled now have unique names.
+* `{{ .Release.Name }}-pod-launcher-role` has been renamed to `{{ .Release.Name }}-{{ .Release.Namespace }}-pod-launcher-role`
+* `{{ .Release.Name }}-pod-launcher-rolebinding` has been renamed to `{{ .Release.Name }}-{{ .Release.Namespace }}-pod-launcher-rolebinding`
+* `{{ .Release.Name }}-pod-log-reader-role` has been renamed to `{{ .Release.Name }}-{{ .Release.Namespace }}-pod-log-reader-role`
+* `{{ .Release.Name }}-pod-log-reader-rolebinding` has been renamed to `{{ .Release.Name }}-{{ .Release.Namespace }}-pod-log-reader-rolebinding`
+* `{{ .Release.Name }}-scc-rolebinding` has been renamed to `{{ .Release.Name }}-{{ .Release.Namespace }}-scc-rolebinding`