
[v13] helm: Add conditional RBAC/ServiceAccount to teleport-kube-agent post-delete hook #27637

Merged
merged 11 commits into from
Jun 9, 2023
8 changes: 8 additions & 0 deletions examples/chart/teleport-kube-agent/templates/_helpers.tpl
Expand Up @@ -17,6 +17,14 @@ if serviceAccount is not defined or serviceAccount.name is empty, use .Release.N
{{- coalesce .Values.serviceAccount.name .Values.serviceAccountName .Release.Name -}}
{{- end -}}

{{/*
Create the name of the service account to use for the post-delete hook
if serviceAccount is not defined or serviceAccount.name is empty, use .Release.Name-delete-hook
*/}}
{{- define "teleport-kube-agent.deleteHookServiceAccountName" -}}
{{- coalesce .Values.serviceAccount.name .Values.serviceAccountName (printf "%s-delete-hook" .Release.Name) -}}
{{- end -}}

{{- define "teleport-kube-agent.version" -}}
{{- if .Values.teleportVersionOverride -}}
{{- .Values.teleportVersionOverride -}}
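Review bot: The comment on the new `teleport-kube-agent.deleteHookServiceAccountName` helper documents only the fallback, not the consequence of the precedence: it coalesces the same `.Values.serviceAccount.name` / `.Values.serviceAccountName` values as `teleport-kube-agent.serviceAccountName` just above it, so a custom name makes the hook ServiceAccount carry the same name as the agent's ServiceAccount, and with serviceAccount.create=true the chart renders two ServiceAccount objects of that name in the same namespace (presumably the agent's template uses the existing helper; verify). That is harmless for `helm uninstall`, where the release's ServiceAccount is gone before post-delete hooks run, but not for a rendered manifest applied directly, where the hook object clobbers the agent's. I would extend the helper comment with: `A custom name is used as-is so that serviceAccount.create=false can reuse a pre-existing account; with serviceAccount.create=true the hook ServiceAccount therefore shares its name with the agent's ServiceAccount.`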
8 changes: 6 additions & 2 deletions examples/chart/teleport-kube-agent/templates/delete_hook.yaml
@@ -1,13 +1,16 @@
{{- if .Values.serviceAccount.create }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ .Release.Name }}-delete-hook
name: {{ template "teleport-kube-agent.deleteHookServiceAccountName" . }}
namespace: {{ .Release.Namespace }}
annotations:
"helm.sh/hook": post-delete
"helm.sh/hook-weight": "-4"
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
---
{{- end }}
{{- if .Values.rbac.create }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
Expand Down Expand Up @@ -40,6 +43,7 @@ subjects:
name: {{ .Release.Name }}-delete-hook
namespace: {{ .Release.Namespace }}
---
{{- end }}
apiVersion: batch/v1
kind: Job
metadata:
Expand All @@ -61,7 +65,7 @@ spec:
{{- if .Values.priorityClassName }}
priorityClassName: {{ .Values.priorityClassName }}
{{- end }}
serviceAccountName: {{ .Release.Name }}-delete-hook
serviceAccountName: {{ template "teleport-kube-agent.deleteHookServiceAccountName" . }}
restartPolicy: OnFailure
{{- if .Values.tolerations }}
tolerations:
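Review bot: The RoleBinding subject in the hunk at `@@ -40,6 +43,7 @@ subjects:` still hardcodes `name: {{ .Release.Name }}-delete-hook`, while the ServiceAccount and the Job's serviceAccountName now resolve through `teleport-kube-agent.deleteHookServiceAccountName`; whenever serviceAccount.name or serviceAccountName is set, the Role is bound to a ServiceAccount that does not exist and the post-delete Job runs as the custom account with no permission to get, list or delete the secrets it is meant to clean up. The new snapshot for the serviceAccount.create=false case shows exactly this mismatch: the RoleBinding subject is RELEASE-NAME-delete-hook while the Job's serviceAccountName is lint-serviceaccount. The subject line should become `name: {{ template "teleport-kube-agent.deleteHookServiceAccountName" . }}`, and the values documentation should say that with rbac.create=true the secrets Role is then bound to the user-supplied account for the duration of the hook. The `subjects:` block starts above this hunk.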
@@ -1,3 +1,150 @@
should create ServiceAccount for post-delete hook by default:
1: |
apiVersion: v1
kind: ServiceAccount
metadata:
annotations:
helm.sh/hook: post-delete
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
helm.sh/hook-weight: "-4"
name: RELEASE-NAME-delete-hook
namespace: NAMESPACE
? should inherit ServiceAccount name from values and not create serviceAccount if
serviceAccount.create is false and serviceAccount.name is set
: 1: |
containers:
- args:
- kube-state
- delete
command:
- teleport
env:
- name: KUBE_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: RELEASE_NAME
value: RELEASE-NAME
image: public.ecr.aws/gravitational/teleport-distroless:13.1.0
imagePullPolicy: IfNotPresent
name: post-delete-job
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- all
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 9807
restartPolicy: OnFailure
serviceAccountName: lint-serviceaccount
should not create ServiceAccount for post-delete hook if serviceAccount.create is false:
1: |
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
annotations:
helm.sh/hook: post-delete
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
helm.sh/hook-weight: "-3"
name: RELEASE-NAME-delete-hook
namespace: NAMESPACE
rules:
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- delete
- list
2: |
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
annotations:
helm.sh/hook: post-delete
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
helm.sh/hook-weight: "-2"
name: RELEASE-NAME-delete-hook
namespace: NAMESPACE
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: RELEASE-NAME-delete-hook
subjects:
- kind: ServiceAccount
name: RELEASE-NAME-delete-hook
namespace: NAMESPACE
3: |
apiVersion: batch/v1
kind: Job
metadata:
annotations:
helm.sh/hook: post-delete
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
helm.sh/hook-weight: "-1"
name: RELEASE-NAME-delete-hook
namespace: NAMESPACE
spec:
template:
metadata:
name: RELEASE-NAME-delete-hook
spec:
containers:
- args:
- kube-state
- delete
command:
- teleport
env:
- name: KUBE_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: RELEASE_NAME
value: RELEASE-NAME
image: public.ecr.aws/gravitational/teleport-distroless:13.1.0
imagePullPolicy: IfNotPresent
name: post-delete-job
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- all
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 9807
restartPolicy: OnFailure
serviceAccountName: lint-serviceaccount
should not create ServiceAccount, Role or RoleBinding for post-delete hook if serviceAccount.create and rbac.create are false:
1: |
containers:
- args:
- kube-state
- delete
command:
- teleport
env:
- name: KUBE_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: RELEASE_NAME
value: RELEASE-NAME
image: public.ecr.aws/gravitational/teleport-distroless:13.1.0
imagePullPolicy: IfNotPresent
name: post-delete-job
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- all
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 9807
restartPolicy: OnFailure
serviceAccountName: lint-serviceaccount
should set nodeSelector in post-delete hook:
1: |
containers:
165 changes: 163 additions & 2 deletions examples/chart/teleport-kube-agent/tests/job_test.yaml
Expand Up @@ -5,9 +5,27 @@ templates:
release:
upgrade: true
tests:
- it: should create ServiceAccount, Role, RoleBinding and Job for post-delete hook by default
template: delete_hook.yaml
values:
- ../.lint/backwards-compatibility.yaml
assets:
- containsDocument:
kind: ServiceAccount
apiVersion: v1
- containsDocument:
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
- containsDocument:
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
- containsDocument:
kind: Job
apiVersion: batch/v1

- it: should set securityContext in post-delete hook
template: delete_hook.yaml
# first 3 items are ServiceAccount, Role, RoleBinding, 3rd (zero-indexed) is the Job
# documentIndex: 0=ServiceAccount 1=Role 2=RoleBinding 3=Job
documentIndex: 3
values:
- ../.lint/backwards-compatibility.yaml
Expand All @@ -34,7 +52,7 @@ tests:

- it: should set nodeSelector in post-delete hook
template: delete_hook.yaml
# first 3 items are ServiceAccount, Role, RoleBinding, 3rd (zero-indexed) is the Job
# documentIndex: 0=ServiceAccount 1=Role 2=RoleBinding 3=Job
documentIndex: 3
values:
- ../.lint/node-selector.yaml
Expand All @@ -45,3 +63,146 @@ tests:
gravitational.io/k8s-role: node
- matchSnapshot:
path: spec.template.spec

- it: should create ServiceAccount for post-delete hook by default
template: delete_hook.yaml
# documentIndex: 0=ServiceAccount 1=Role 2=RoleBinding 3=Job
documentIndex: 0
values:
- ../.lint/backwards-compatibility.yaml
asserts:
- containsDocument:
kind: ServiceAccount
apiVersion: v1
- equal:
path: metadata.name
value: RELEASE-NAME-delete-hook
- matchSnapshot:
path: spec.template.spec

- it: should create ServiceAccount for post-delete hook with a custom name if serviceAccount.name is set and serviceAccount.create is true
template: delete_hook.yaml
# documentIndex: 0=ServiceAccount 1=Role 2=RoleBinding 3=Job
documentIndex: 0
values:
- ../.lint/backwards-compatibility.yaml
set:
serviceAccount:
create: true
name: lint-serviceaccount
asserts:
- containsDocument:
kind: ServiceAccount
apiVersion: v1
- equal:
path: metadata.name
value: lint-serviceaccount

- it: should create Role for post-delete hook by default
template: delete_hook.yaml
values:
- ../.lint/backwards-compatibility.yaml
asserts:
- containsDocument:
kind: Role
apiVersion: rbac.authorization.k8s.io/v1

- it: should create RoleBinding for post-delete hook by default
template: delete_hook.yaml
values:
- ../.lint/backwards-compatibility.yaml
asserts:
- containsDocument:
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1

- it: should not create ServiceAccount for post-delete hook if serviceAccount.create is false
template: delete_hook.yaml
values:
- ../.lint/backwards-compatibility.yaml
set:
serviceAccount:
create: false
name: lint-serviceaccount
asserts:
- not: true
containsDocument:
kind: ServiceAccount
apiVersion: v1
- matchSnapshot:
path: spec.template.spec

- it: should inherit ServiceAccount name from values and not create serviceAccount if serviceAccount.create is false and serviceAccount.name is set
template: delete_hook.yaml
values:
- ../.lint/backwards-compatibility.yaml
set:
serviceAccount:
create: false
name: lint-serviceaccount
asserts:
- not: true
containsDocument:
kind: ServiceAccount
apiVersion: v1
# ServiceAccount is not created in this mode
# documentIndex: 0=Role 1=RoleBinding 2=Job
- documentIndex: 2
equal:
path: spec.template.spec.serviceAccountName
value: lint-serviceaccount
- documentIndex: 2
matchSnapshot:
path: spec.template.spec

- it: should not create Role for post-delete hook if rbac.create is false
template: delete_hook.yaml
values:
- ../.lint/backwards-compatibility.yaml
set:
rbac:
create: false
asserts:
- not: true
containsDocument:
kind: Role
apiVersion: rbac.authorization.k8s.io/v1

- it: should not create RoleBinding for post-delete hook if rbac.create is false
template: delete_hook.yaml
values:
- ../.lint/backwards-compatibility.yaml
set:
rbac:
create: false
asserts:
- not: true
containsDocument:
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1

- it: should not create ServiceAccount, Role or RoleBinding for post-delete hook if serviceAccount.create and rbac.create are false
template: delete_hook.yaml
values:
- ../.lint/backwards-compatibility.yaml
set:
rbac:
create: false
serviceAccount:
create: false
name: lint-serviceaccount
asserts:
- not: true
containsDocument:
kind: ServiceAccount
apiVersion: v1
- not: true
containsDocument:
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
- not: true
containsDocument:
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
- matchSnapshot:
path: spec.template.spec
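Review bot: The first new test in the hunk at `@@ -5,9 +5,27 @@` (`should create ServiceAccount, Role, RoleBinding and Job for post-delete hook by default`) spells its assertion list `assets:` instead of `asserts:`, so helm-unittest sees no assertions and the test passes whatever the template renders; change the key to `asserts:`. The tests in the last hunk that set serviceAccount.name check the ServiceAccount's metadata.name and the Job's serviceAccountName but never the RoleBinding's subject, which is the one reference in delete_hook.yaml the commit leaves hardcoded, so the mismatch visible in the new snapshot (subject RELEASE-NAME-delete-hook, Job serviceAccountName lint-serviceaccount) goes unnoticed. I would add to the inherit-name test an `equal` assertion on `subjects[0].name` with `documentIndex: 1` (Role=0, RoleBinding=1 in that mode, per the comment already in the test) expecting `lint-serviceaccount`, so the binding and the Job are checked to agree.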