Rename cluster-wide resources to use namespace as prefix

apache · Mar 5, 2024 · 8c913ff · 8c913ff
1 parent dfa6993
commit 8c913ff
Show file tree

Hide file tree

Showing 9 changed files with 26 additions and 26 deletions.
diff --git a/chart/newsfragments/37197.significant.rst b/chart/newsfragments/37197.significant.rst
@@ -1,8 +1,8 @@
 Fixed name clashes when using multiple Airflow deployments in ``multiNamespaceMode`` across several namespaces.
 
 ``ClusterRole``s and ``ClusterRoleBinding``s created when ``multiNamespaceMode`` is enabled have been renamed to ensure unique names:
-* ``{{ include "airflow.fullname" . }}-pod-launcher-role`` has been renamed to ``{{ include "airflow.fullname" . }}-{{ .Release.Namespace }}-pod-launcher-role``
-* ``{{ include "airflow.fullname" . }}-pod-launcher-rolebinding`` has been renamed to ``{{ include "airflow.fullname" . }}-{{ .Release.Namespace }}-pod-launcher-rolebinding``
-* ``{{ include "airflow.fullname" . }}-pod-log-reader-role`` has been renamed to ``{{ include "airflow.fullname" . }}-{{ .Release.Namespace }}-pod-log-reader-role``
-* ``{{ include "airflow.fullname" . }}-pod-log-reader-rolebinding`` has been renamed to ``{{ include "airflow.fullname" . }}-{{ .Release.Namespace }}-pod-log-reader-rolebinding``
-* ``{{ include "airflow.fullname" . }}-scc-rolebinding`` has been renamed to ``{{ include "airflow.fullname" . }}-{{ .Release.Namespace }}-scc-rolebinding``
+* ``{{ include "airflow.fullname" . }}-pod-launcher-role`` has been renamed to ``{{ .Release.Namespace }}-{{ include "airflow.fullname" . }}-pod-launcher-role``
+* ``{{ include "airflow.fullname" . }}-pod-launcher-rolebinding`` has been renamed to ``{{ .Release.Namespace }}-{{ include "airflow.fullname" . }}-pod-launcher-rolebinding``
+* ``{{ include "airflow.fullname" . }}-pod-log-reader-role`` has been renamed to ``{{ .Release.Namespace }}-{{ include "airflow.fullname" . }}-pod-log-reader-role``
+* ``{{ include "airflow.fullname" . }}-pod-log-reader-rolebinding`` has been renamed to ``{{ .Release.Namespace }}-{{ include "airflow.fullname" . }}-pod-log-reader-rolebinding``
+* ``{{ include "airflow.fullname" . }}-scc-rolebinding`` has been renamed to ``{{ .Release.Namespace }}-{{ include "airflow.fullname" . }}-scc-rolebinding``
diff --git a/chart/templates/rbac/pod-launcher-role.yaml b/chart/templates/rbac/pod-launcher-role.yaml
@@ -32,7 +32,7 @@ metadata:
   name: {{ include "airflow.fullname" . }}-pod-launcher-role
   namespace: "{{ .Release.Namespace }}"
   {{- else }}
-  name: {{ include "airflow.fullname" . }}-{{ .Release.Namespace }}-pod-launcher-role
+  name: {{ .Release.Namespace }}-{{ include "airflow.fullname" . }}-pod-launcher-role
   {{- end }}
   labels:
     tier: airflow

diff --git a/chart/templates/rbac/pod-launcher-rolebinding.yaml b/chart/templates/rbac/pod-launcher-rolebinding.yaml
@@ -34,7 +34,7 @@ metadata:
   namespace: "{{ .Release.Namespace }}"
   name: {{ include "airflow.fullname" . }}-pod-launcher-rolebinding
   {{- else }}
-  name: {{ include "airflow.fullname" . }}-{{ .Release.Namespace }}-pod-launcher-rolebinding
+  name: {{ .Release.Namespace }}-{{ include "airflow.fullname" . }}-pod-launcher-rolebinding
   {{- end }}
   labels:
     tier: airflow
@@ -51,7 +51,7 @@ roleRef:
   apiGroup: rbac.authorization.k8s.io
   {{- if .Values.multiNamespaceMode }}
   kind: ClusterRole
-  name: {{ include "airflow.fullname" . }}-{{ .Release.Namespace }}-pod-launcher-role
+  name: {{ .Release.Namespace }}-{{ include "airflow.fullname" . }}-pod-launcher-role
   {{- else }}
   kind: Role
   name: {{ include "airflow.fullname" . }}-pod-launcher-role

diff --git a/chart/templates/rbac/pod-log-reader-role.yaml b/chart/templates/rbac/pod-log-reader-role.yaml
@@ -32,7 +32,7 @@ metadata:
   name: {{ include "airflow.fullname" . }}-pod-log-reader-role
   namespace: "{{ .Release.Namespace }}"
   {{- else }}
-  name: {{ include "airflow.fullname" . }}-{{ .Release.Namespace}}-pod-log-reader-role
+  name: {{ .Release.Namespace }}-{{ include "airflow.fullname" . }}-pod-log-reader-role
   {{- end }}
   labels:
     tier: airflow

diff --git a/chart/templates/rbac/pod-log-reader-rolebinding.yaml b/chart/templates/rbac/pod-log-reader-rolebinding.yaml
@@ -32,7 +32,7 @@ metadata:
   namespace: "{{ .Release.Namespace }}"
   name: {{ include "airflow.fullname" . }}-pod-log-reader-rolebinding
   {{- else }}
-  name: {{ include "airflow.fullname" . }}-{{ .Release.Namespace }}-pod-log-reader-rolebinding
+  name: {{ .Release.Namespace }}-{{ include "airflow.fullname" . }}-pod-log-reader-rolebinding
   {{- end }}
   labels:
     tier: airflow
@@ -49,7 +49,7 @@ roleRef:
   apiGroup: rbac.authorization.k8s.io
   {{- if .Values.multiNamespaceMode }}
   kind: ClusterRole
-  name: {{ include "airflow.fullname" . }}-{{ .Release.Namespace }}-pod-log-reader-role
+  name: {{ .Release.Namespace }}-{{ include "airflow.fullname" . }}-pod-log-reader-role
   {{- else }}
   kind: Role
   name: {{ include "airflow.fullname" . }}-pod-log-reader-role

diff --git a/chart/templates/rbac/security-context-constraint-rolebinding.yaml b/chart/templates/rbac/security-context-constraint-rolebinding.yaml
@@ -33,7 +33,7 @@ metadata:
   name: {{ include "airflow.fullname" . }}-scc-rolebinding
   namespace: "{{ .Release.Namespace }}"
   {{- else }}
-  name: {{ include "airflow.fullname" . }}-{{ .Release.Namespace }}-scc-rolebinding
+  name: {{ .Release.Namespace }}-{{ include "airflow.fullname" . }}-scc-rolebinding
   {{- end }}
   labels:
     tier: airflow

diff --git a/helm_tests/airflow_aux/test_pod_launcher_role.py b/helm_tests/airflow_aux/test_pod_launcher_role.py
@@ -56,14 +56,14 @@ def test_pod_launcher_role(self, executor, rbac, allow, expected_accounts):
             (
                 True,
                 "namespace",
-                "release-name-namespace-pod-launcher-role",
-                "release-name-namespace-pod-launcher-rolebinding",
+                "namespace-release-name-pod-launcher-role",
+                "namespace-release-name-pod-launcher-rolebinding",
             ),
             (
                 True,
                 "other-ns",
-                "release-name-other-ns-pod-launcher-role",
-                "release-name-other-ns-pod-launcher-rolebinding",
+                "other-ns-release-name-pod-launcher-role",
+                "other-ns-release-name-pod-launcher-rolebinding",
             ),
             (False, "namespace", "release-name-pod-launcher-role", "release-name-pod-launcher-rolebinding"),
         ],
@@ -95,8 +95,8 @@ def test_pod_launcher_rolebinding_multi_namespace(
     @pytest.mark.parametrize(
         "multiNamespaceMode, namespace, expectedRole",
         [
-            (True, "namespace", "release-name-namespace-pod-launcher-role"),
-            (True, "other-ns", "release-name-other-ns-pod-launcher-role"),
+            (True, "namespace", "namespace-release-name-pod-launcher-role"),
+            (True, "other-ns", "other-ns-release-name-pod-launcher-role"),
             (False, "namespace", "release-name-pod-launcher-role"),
         ],
     )

diff --git a/helm_tests/security/test_rbac_pod_log_reader.py b/helm_tests/security/test_rbac_pod_log_reader.py
@@ -71,14 +71,14 @@ def test_pod_log_reader_role(self, triggerer, webserver, expected):
             (
                 True,
                 "namespace",
-                "release-name-namespace-pod-log-reader-role",
-                "release-name-namespace-pod-log-reader-rolebinding",
+                "namespace-release-name-pod-log-reader-role",
+                "namespace-release-name-pod-log-reader-rolebinding",
             ),
             (
                 True,
                 "other-ns",
-                "release-name-other-ns-pod-log-reader-role",
-                "release-name-other-ns-pod-log-reader-rolebinding",
+                "other-ns-release-name-pod-log-reader-role",
+                "other-ns-release-name-pod-log-reader-rolebinding",
             ),
             (
                 False,
@@ -115,8 +115,8 @@ def test_pod_log_reader_rolebinding_multi_namespace(
     @pytest.mark.parametrize(
         "multiNamespaceMode, namespace, expectedRole",
         [
-            (True, "namespace", "release-name-namespace-pod-log-reader-role"),
-            (True, "other-ns", "release-name-other-ns-pod-log-reader-role"),
+            (True, "namespace", "namespace-release-name-pod-log-reader-role"),
+            (True, "other-ns", "other-ns-release-name-pod-log-reader-role"),
             (False, "namespace", "release-name-pod-log-reader-role"),
         ],
     )

diff --git a/helm_tests/security/test_scc_rolebinding.py b/helm_tests/security/test_scc_rolebinding.py
@@ -65,8 +65,8 @@ def test_create_scc(self, rbac_enabled, scc_enabled, created):
     @pytest.mark.parametrize(
         "rbac_enabled,scc_enabled,created,namespace,expected_name",
         [
-            (True, True, True, "default", "release-name-default-scc-rolebinding"),
-            (True, True, True, "other-ns", "release-name-other-ns-scc-rolebinding"),
+            (True, True, True, "default", "default-release-name-scc-rolebinding"),
+            (True, True, True, "other-ns", "other-ns-release-name-scc-rolebinding"),
         ],
     )
     def test_create_scc_multinamespace(self, rbac_enabled, scc_enabled, created, namespace, expected_name):