From eceb6242c390944968827430038e96764c162735 Mon Sep 17 00:00:00 2001 From: Grace Do Date: Fri, 13 Oct 2023 18:39:42 -0700 Subject: [PATCH 1/4] Revert "fix: used dedicated clusterrole for kcore hooks (#1635)" This reverts commit 6d2c1f300f5659268662390ccfdf319961388687. --- .../post_install_kommandercore_hook.yaml | 24 ++------------- .../pre_upgrade_kommandercore_hook.yaml | 30 +------------------ 2 files changed, 3 insertions(+), 51 deletions(-) diff --git a/charts/kommander-operator/templates/post_install_kommandercore_hook.yaml b/charts/kommander-operator/templates/post_install_kommandercore_hook.yaml index 0308741e0..7964d197f 100644 --- a/charts/kommander-operator/templates/post_install_kommandercore_hook.yaml +++ b/charts/kommander-operator/templates/post_install_kommandercore_hook.yaml @@ -10,27 +10,6 @@ metadata: "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded --- apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ .Chart.Name }}-installation - annotations: - "helm.sh/hook": post-install - "helm.sh/hook-weight": "-5" - "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded -rules: - - apiGroups: - - dkp.d2iq.io - resources: - - kommandercores - verbs: - - get - - list - - watch - - create - - patch - - update ---- -apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: {{ .Chart.Name }}-installation @@ -41,11 +20,12 @@ metadata: roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: {{ .Chart.Name }}-installation + name: cluster-admin subjects: - kind: ServiceAccount name: {{ .Chart.Name }}-installation namespace: {{ .Release.Namespace }} + --- apiVersion: v1 kind: ConfigMap diff --git a/charts/kommander-operator/templates/pre_upgrade_kommandercore_hook.yaml b/charts/kommander-operator/templates/pre_upgrade_kommandercore_hook.yaml index 6b3ba83e8..417e66e11 100644 --- a/charts/kommander-operator/templates/pre_upgrade_kommandercore_hook.yaml +++ b/charts/kommander-operator/templates/pre_upgrade_kommandercore_hook.yaml @@ -11,34 +11,6 @@ metadata: "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded --- apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ .Chart.Name }}-pre-upgrade - annotations: - "helm.sh/hook": pre-upgrade - "helm.sh/hook-weight": "-5" - "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded -rules: - - apiGroups: - - dkp.d2iq.io - - helm.toolkit.fluxcd.io - resources: - - kommandercores - - helmreleases - verbs: - - get - - list - - watch - - apiGroups: - - dkp.d2iq.io - resources: - - kommandercores - - kommandercores/status - verbs: - - patch - - update ---- -apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: {{ .Chart.Name }}-pre-upgrade @@ -49,7 +21,7 @@ metadata: roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: {{ .Chart.Name }}-pre-upgrade + name: cluster-admin subjects: - kind: ServiceAccount name: {{ .Chart.Name }}-pre-upgrade From e867c54fc67fd36d0b0846cfdb6400a713ba7946 Mon Sep 17 00:00:00 2001 From: Grace Do Date: Fri, 13 Oct 2023 18:39:50 -0700 Subject: [PATCH 2/4] Revert "feat: patch kcore status to kommander ver pre upgrade (#1608)" This reverts commit 585e249c1822526b88b9f1a714241aa10fc251bb. --- .../post_install_kommandercore_hook.yaml | 4 +- .../pre_upgrade_kommandercore_hook.yaml | 93 ------------------- 2 files changed, 2 insertions(+), 95 deletions(-) delete mode 100644 charts/kommander-operator/templates/pre_upgrade_kommandercore_hook.yaml diff --git a/charts/kommander-operator/templates/post_install_kommandercore_hook.yaml b/charts/kommander-operator/templates/post_install_kommandercore_hook.yaml index 7964d197f..ad8f844d6 100644 --- a/charts/kommander-operator/templates/post_install_kommandercore_hook.yaml +++ b/charts/kommander-operator/templates/post_install_kommandercore_hook.yaml @@ -7,7 +7,7 @@ metadata: annotations: "helm.sh/hook": post-install "helm.sh/hook-weight": "-5" - "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded + "helm.sh/hook-delete-policy": before-hook-creation --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding @@ -16,7 +16,7 @@ metadata: annotations: "helm.sh/hook": post-install "helm.sh/hook-weight": "-5" - "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded + "helm.sh/hook-delete-policy": before-hook-creation roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole diff --git a/charts/kommander-operator/templates/pre_upgrade_kommandercore_hook.yaml b/charts/kommander-operator/templates/pre_upgrade_kommandercore_hook.yaml deleted file mode 100644 index 417e66e11..000000000 --- a/charts/kommander-operator/templates/pre_upgrade_kommandercore_hook.yaml +++ /dev/null @@ -1,93 +0,0 @@ ---- -# TODO: remove this job in 2.8 -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ .Chart.Name }}-pre-upgrade - namespace: {{ .Release.Namespace }} - annotations: - "helm.sh/hook": pre-upgrade - "helm.sh/hook-weight": "-5" - "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: {{ .Chart.Name }}-pre-upgrade - annotations: - "helm.sh/hook": pre-upgrade - "helm.sh/hook-weight": "-5" - "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cluster-admin -subjects: - - kind: ServiceAccount - name: {{ .Chart.Name }}-pre-upgrade - namespace: {{ .Release.Namespace }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ .Chart.Name }}-pre-upgrade - namespace: {{ .Release.Namespace }} - annotations: - "helm.sh/hook": pre-upgrade - "helm.sh/hook-weight": "-5" - "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded -data: - pre_process_kcore.sh: |- - #!/bin/bash - set -eo pipefail - - kcore_status=$(kubectl get kommandercore kommander-core -o jsonpath='{.status}') - # do nothing if the .status field is already populated - if [ -n "$kcore_status" ]; then - exit 0 - fi - - # get the version of kommander before upgrade - KOMMANDER_VERSION_PREUPGRADE=$(kubectl get helmrelease -n kommander kommander -o jsonpath='{.status.lastAppliedRevision}') - cat < kcore_patch.yaml - apiVersion: dkp.d2iq.io/v1alpha1 - kind: KommanderCore - metadata: - name: kommander-core - status: - version: $KOMMANDER_VERSION_PREUPGRADE - EOF - - kubectl patch kommandercore kommander-core --subresource='status' --type='merge' --patch-file kcore_patch.yaml ---- -apiVersion: batch/v1 -kind: Job -metadata: - name: {{ .Chart.Name }}-pre-upgrade - namespace: {{ .Release.Namespace }} - annotations: - "helm.sh/hook": pre-upgrade - "helm.sh/hook-weight": "0" - "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded -spec: - template: - spec: - serviceAccountName: {{ .Chart.Name }}-pre-upgrade - {{- if .Values.priorityClassName }} - priorityClassName: "{{ .Values.priorityClassName }}" - {{- end }} - containers: - - name: {{ .Chart.Name }}-pre-upgrade - image: "{{ .Values.kubetools.image.repository | default "mesosphere/kommander2-kubetools" }}:{{ .Values.kubetools.image.tag }}" - command: ["/bin/bash","-c"] - args: ["/bin/scripts/pre_process_kcore.sh"] - volumeMounts: - - name: script - mountPath: /bin/scripts - volumes: - - name: script - configMap: - defaultMode: 0770 - name: {{ .Chart.Name }}-pre-upgrade - restartPolicy: OnFailure ---- From 6201ad8acb5ef768d90aca8a9ef07a77e97861d2 Mon Sep 17 00:00:00 2001 From: York Chen Date: Mon, 25 Sep 2023 15:36:43 -0400 Subject: [PATCH 3/4] fix: use dedicated clusterrole for kcore hooks --- .../post_install_kommandercore_hook.yaml | 22 +++++++++++++++++-- 1 file changed, 20 insertions(+), 2 deletions(-) diff --git a/charts/kommander-operator/templates/post_install_kommandercore_hook.yaml b/charts/kommander-operator/templates/post_install_kommandercore_hook.yaml index ad8f844d6..3363b5561 100644 --- a/charts/kommander-operator/templates/post_install_kommandercore_hook.yaml +++ b/charts/kommander-operator/templates/post_install_kommandercore_hook.yaml @@ -10,6 +10,25 @@ metadata: "helm.sh/hook-delete-policy": before-hook-creation --- apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ .Chart.Name }}-installation + annotations: + "helm.sh/hook": post-install + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded +rules: + - apiGroups: + - dkp.d2iq.io + resources: + - kommandercores + verbs: + - get + - list + - watch + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: {{ .Chart.Name }}-installation @@ -20,12 +39,11 @@ metadata: roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: cluster-admin + name: {{ .Chart.Name }}-installation subjects: - kind: ServiceAccount name: {{ .Chart.Name }}-installation namespace: {{ .Release.Namespace }} - --- apiVersion: v1 kind: ConfigMap From 628e9992f71bb447a1005baaa66e3d8a1bf421ae Mon Sep 17 00:00:00 2001 From: York Chen Date: Wed, 4 Oct 2023 17:31:42 -0400 Subject: [PATCH 4/4] chore: add patch & update for post install job --- .../templates/post_install_kommandercore_hook.yaml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/charts/kommander-operator/templates/post_install_kommandercore_hook.yaml b/charts/kommander-operator/templates/post_install_kommandercore_hook.yaml index 3363b5561..0308741e0 100644 --- a/charts/kommander-operator/templates/post_install_kommandercore_hook.yaml +++ b/charts/kommander-operator/templates/post_install_kommandercore_hook.yaml @@ -7,7 +7,7 @@ metadata: annotations: "helm.sh/hook": post-install "helm.sh/hook-weight": "-5" - "helm.sh/hook-delete-policy": before-hook-creation + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole @@ -27,6 +27,8 @@ rules: - list - watch - create + - patch + - update --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding @@ -35,7 +37,7 @@ metadata: annotations: "helm.sh/hook": post-install "helm.sh/hook-weight": "-5" - "helm.sh/hook-delete-policy": before-hook-creation + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole