[v13] helm: Add conditional RBAC/ServiceAccount to `teleport-kube-age…

…nt` post-delete hook (#27637) * helm: Add conditional RBAC/ServiceAccount to post-delete hook * Add unit tests * Remove unnecessary documentIndex * Template service account name * Additional fixes for service account name * Add unit test for default case * Order isn't important * Fix documentIndex * Remove blanket snapshots and tidy up documentIndex * Clean up comments on documentIndex * Snapshot update for v13
gravitational · Jun 9, 2023 · fa4c2fa · fa4c2fa
1 parent c8ec0a4
commit fa4c2fa
Show file tree

Hide file tree

Showing 4 changed files with 324 additions and 4 deletions.
diff --git a/examples/chart/teleport-kube-agent/templates/_helpers.tpl b/examples/chart/teleport-kube-agent/templates/_helpers.tpl
@@ -17,6 +17,14 @@ if serviceAccount is not defined or serviceAccount.name is empty, use .Release.N
 {{- coalesce .Values.serviceAccount.name .Values.serviceAccountName .Release.Name -}}
 {{- end -}}
 
+{{/*
+Create the name of the service account to use for the post-delete hook
+if serviceAccount is not defined or serviceAccount.name is empty, use .Release.Name-delete-hook
+*/}}
+{{- define "teleport-kube-agent.deleteHookServiceAccountName" -}}
+{{- coalesce .Values.serviceAccount.name .Values.serviceAccountName (printf "%s-delete-hook" .Release.Name) -}}
+{{- end -}}
+
 {{- define "teleport-kube-agent.version" -}}
 {{- if .Values.teleportVersionOverride -}}
   {{- .Values.teleportVersionOverride -}}

diff --git a/examples/chart/teleport-kube-agent/templates/delete_hook.yaml b/examples/chart/teleport-kube-agent/templates/delete_hook.yaml
@@ -1,13 +1,16 @@
+{{- if .Values.serviceAccount.create }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: {{ .Release.Name }}-delete-hook
+  name: {{ template "teleport-kube-agent.deleteHookServiceAccountName" . }}
   namespace: {{ .Release.Namespace }}
   annotations:
     "helm.sh/hook": post-delete
     "helm.sh/hook-weight": "-4"
     "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
 ---
+{{- end }}
+{{- if .Values.rbac.create }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
@@ -40,6 +43,7 @@ subjects:
   name: {{ .Release.Name }}-delete-hook
   namespace: {{ .Release.Namespace }}
 ---
+{{- end }}
 apiVersion: batch/v1
 kind: Job
 metadata:
@@ -61,7 +65,7 @@ spec:
 {{- if .Values.priorityClassName }}
       priorityClassName: {{ .Values.priorityClassName }}
 {{- end }}
-      serviceAccountName: {{ .Release.Name }}-delete-hook
+      serviceAccountName: {{ template "teleport-kube-agent.deleteHookServiceAccountName" . }}
       restartPolicy: OnFailure
 {{- if .Values.tolerations }}
       tolerations:

diff --git a/examples/chart/teleport-kube-agent/tests/__snapshot__/job_test.yaml.snap b/examples/chart/teleport-kube-agent/tests/__snapshot__/job_test.yaml.snap
@@ -1,3 +1,150 @@
+should create ServiceAccount for post-delete hook by default:
+  1: |
+    apiVersion: v1
+    kind: ServiceAccount
+    metadata:
+      annotations:
+        helm.sh/hook: post-delete
+        helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+        helm.sh/hook-weight: "-4"
+      name: RELEASE-NAME-delete-hook
+      namespace: NAMESPACE
+? should inherit ServiceAccount name from values and not create serviceAccount if
+  serviceAccount.create is false and serviceAccount.name is set
+: 1: |
+    containers:
+    - args:
+      - kube-state
+      - delete
+      command:
+      - teleport
+      env:
+      - name: KUBE_NAMESPACE
+        valueFrom:
+          fieldRef:
+            fieldPath: metadata.namespace
+      - name: RELEASE_NAME
+        value: RELEASE-NAME
+      image: public.ecr.aws/gravitational/teleport-distroless:13.1.0
+      imagePullPolicy: IfNotPresent
+      name: post-delete-job
+      securityContext:
+        allowPrivilegeEscalation: false
+        capabilities:
+          drop:
+          - all
+        readOnlyRootFilesystem: true
+        runAsNonRoot: true
+        runAsUser: 9807
+    restartPolicy: OnFailure
+    serviceAccountName: lint-serviceaccount
+should not create ServiceAccount for post-delete hook if serviceAccount.create is false:
+  1: |
+    apiVersion: rbac.authorization.k8s.io/v1
+    kind: Role
+    metadata:
+      annotations:
+        helm.sh/hook: post-delete
+        helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+        helm.sh/hook-weight: "-3"
+      name: RELEASE-NAME-delete-hook
+      namespace: NAMESPACE
+    rules:
+    - apiGroups:
+      - ""
+      resources:
+      - secrets
+      verbs:
+      - get
+      - delete
+      - list
+  2: |
+    apiVersion: rbac.authorization.k8s.io/v1
+    kind: RoleBinding
+    metadata:
+      annotations:
+        helm.sh/hook: post-delete
+        helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+        helm.sh/hook-weight: "-2"
+      name: RELEASE-NAME-delete-hook
+      namespace: NAMESPACE
+    roleRef:
+      apiGroup: rbac.authorization.k8s.io
+      kind: Role
+      name: RELEASE-NAME-delete-hook
+    subjects:
+    - kind: ServiceAccount
+      name: RELEASE-NAME-delete-hook
+      namespace: NAMESPACE
+  3: |
+    apiVersion: batch/v1
+    kind: Job
+    metadata:
+      annotations:
+        helm.sh/hook: post-delete
+        helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+        helm.sh/hook-weight: "-1"
+      name: RELEASE-NAME-delete-hook
+      namespace: NAMESPACE
+    spec:
+      template:
+        metadata:
+          name: RELEASE-NAME-delete-hook
+        spec:
+          containers:
+          - args:
+            - kube-state
+            - delete
+            command:
+            - teleport
+            env:
+            - name: KUBE_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            - name: RELEASE_NAME
+              value: RELEASE-NAME
+            image: public.ecr.aws/gravitational/teleport-distroless:13.1.0
+            imagePullPolicy: IfNotPresent
+            name: post-delete-job
+            securityContext:
+              allowPrivilegeEscalation: false
+              capabilities:
+                drop:
+                - all
+              readOnlyRootFilesystem: true
+              runAsNonRoot: true
+              runAsUser: 9807
+          restartPolicy: OnFailure
+          serviceAccountName: lint-serviceaccount
+should not create ServiceAccount, Role or RoleBinding for post-delete hook if serviceAccount.create and rbac.create are false:
+  1: |
+    containers:
+    - args:
+      - kube-state
+      - delete
+      command:
+      - teleport
+      env:
+      - name: KUBE_NAMESPACE
+        valueFrom:
+          fieldRef:
+            fieldPath: metadata.namespace
+      - name: RELEASE_NAME
+        value: RELEASE-NAME
+      image: public.ecr.aws/gravitational/teleport-distroless:13.1.0
+      imagePullPolicy: IfNotPresent
+      name: post-delete-job
+      securityContext:
+        allowPrivilegeEscalation: false
+        capabilities:
+          drop:
+          - all
+        readOnlyRootFilesystem: true
+        runAsNonRoot: true
+        runAsUser: 9807
+    restartPolicy: OnFailure
+    serviceAccountName: lint-serviceaccount
 should set nodeSelector in post-delete hook:
   1: |
     containers:

diff --git a/examples/chart/teleport-kube-agent/tests/job_test.yaml b/examples/chart/teleport-kube-agent/tests/job_test.yaml
@@ -5,9 +5,27 @@ templates:
 release:
   upgrade: true
 tests:
+  - it: should create ServiceAccount, Role, RoleBinding and Job for post-delete hook by default
+    template: delete_hook.yaml
+    values:
+      - ../.lint/backwards-compatibility.yaml
+    assets:
+      - containsDocument:
+          kind: ServiceAccount
+          apiVersion: v1
+      - containsDocument:
+          kind: Role
+          apiVersion: rbac.authorization.k8s.io/v1
+      - containsDocument:
+          kind: RoleBinding
+          apiVersion: rbac.authorization.k8s.io/v1
+      - containsDocument:
+          kind: Job
+          apiVersion: batch/v1
+
   - it: should set securityContext in post-delete hook
     template: delete_hook.yaml
-    # first 3 items are ServiceAccount, Role, RoleBinding, 3rd (zero-indexed) is the Job
+    # documentIndex: 0=ServiceAccount 1=Role 2=RoleBinding 3=Job
     documentIndex: 3
     values:
       - ../.lint/backwards-compatibility.yaml
@@ -34,7 +52,7 @@ tests:
 
   - it: should set nodeSelector in post-delete hook
     template: delete_hook.yaml
-    # first 3 items are ServiceAccount, Role, RoleBinding, 3rd (zero-indexed) is the Job
+    # documentIndex: 0=ServiceAccount 1=Role 2=RoleBinding 3=Job
     documentIndex: 3
     values:
       - ../.lint/node-selector.yaml
@@ -45,3 +63,146 @@ tests:
             gravitational.io/k8s-role: node
       - matchSnapshot:
           path: spec.template.spec
+
+  - it: should create ServiceAccount for post-delete hook by default
+    template: delete_hook.yaml
+    # documentIndex: 0=ServiceAccount 1=Role 2=RoleBinding 3=Job
+    documentIndex: 0
+    values:
+      - ../.lint/backwards-compatibility.yaml
+    asserts:
+      - containsDocument:
+          kind: ServiceAccount
+          apiVersion: v1
+      - equal:
+          path: metadata.name
+          value: RELEASE-NAME-delete-hook
+      - matchSnapshot:
+        path: spec.template.spec
+
+  - it: should create ServiceAccount for post-delete hook with a custom name if serviceAccount.name is set and serviceAccount.create is true
+    template: delete_hook.yaml
+    # documentIndex: 0=ServiceAccount 1=Role 2=RoleBinding 3=Job
+    documentIndex: 0
+    values:
+      - ../.lint/backwards-compatibility.yaml
+    set:
+      serviceAccount:
+        create: true
+        name: lint-serviceaccount
+    asserts:
+      - containsDocument:
+          kind: ServiceAccount
+          apiVersion: v1
+      - equal:
+          path: metadata.name
+          value: lint-serviceaccount
+
+  - it: should create Role for post-delete hook by default
+    template: delete_hook.yaml
+    values:
+      - ../.lint/backwards-compatibility.yaml
+    asserts:
+      - containsDocument:
+          kind: Role
+          apiVersion: rbac.authorization.k8s.io/v1
+
+  - it: should create RoleBinding for post-delete hook by default
+    template: delete_hook.yaml
+    values:
+      - ../.lint/backwards-compatibility.yaml
+    asserts:
+      - containsDocument:
+          kind: RoleBinding
+          apiVersion: rbac.authorization.k8s.io/v1
+
+  - it: should not create ServiceAccount for post-delete hook if serviceAccount.create is false
+    template: delete_hook.yaml
+    values:
+      - ../.lint/backwards-compatibility.yaml
+    set:
+      serviceAccount:
+        create: false
+        name: lint-serviceaccount
+    asserts:
+      - not: true
+        containsDocument:
+          kind: ServiceAccount
+          apiVersion: v1
+      - matchSnapshot:
+        path: spec.template.spec
+
+  - it: should inherit ServiceAccount name from values and not create serviceAccount if serviceAccount.create is false and serviceAccount.name is set
+    template: delete_hook.yaml
+    values:
+      - ../.lint/backwards-compatibility.yaml
+    set:
+      serviceAccount:
+        create: false
+        name: lint-serviceaccount
+    asserts:
+      - not: true
+        containsDocument:
+          kind: ServiceAccount
+          apiVersion: v1
+      # ServiceAccount is not created in this mode
+      # documentIndex: 0=Role 1=RoleBinding 2=Job
+      - documentIndex: 2
+        equal:
+          path: spec.template.spec.serviceAccountName
+          value: lint-serviceaccount
+      - documentIndex: 2
+        matchSnapshot:
+          path: spec.template.spec
+
+  - it: should not create Role for post-delete hook if rbac.create is false
+    template: delete_hook.yaml
+    values:
+      - ../.lint/backwards-compatibility.yaml
+    set:
+      rbac:
+        create: false
+    asserts:
+      - not: true
+        containsDocument:
+          kind: Role
+          apiVersion: rbac.authorization.k8s.io/v1
+
+  - it: should not create RoleBinding for post-delete hook if rbac.create is false
+    template: delete_hook.yaml
+    values:
+      - ../.lint/backwards-compatibility.yaml
+    set:
+      rbac:
+        create: false
+    asserts:
+      - not: true
+        containsDocument:
+          kind: RoleBinding
+          apiVersion: rbac.authorization.k8s.io/v1
+
+  - it: should not create ServiceAccount, Role or RoleBinding for post-delete hook if serviceAccount.create and rbac.create are false
+    template: delete_hook.yaml
+    values:
+      - ../.lint/backwards-compatibility.yaml
+    set:
+      rbac:
+        create: false
+      serviceAccount:
+        create: false
+        name: lint-serviceaccount
+    asserts:
+      - not: true
+        containsDocument:
+          kind: ServiceAccount
+          apiVersion: v1
+      - not: true
+        containsDocument:
+          kind: Role
+          apiVersion: rbac.authorization.k8s.io/v1
+      - not: true
+        containsDocument:
+          kind: RoleBinding
+          apiVersion: rbac.authorization.k8s.io/v1
+      - matchSnapshot:
+          path: spec.template.spec