From 16afdaaf4ae56179d0f725ae9f9e9ae96709f042 Mon Sep 17 00:00:00 2001 From: odubajDT <93584209+odubajDT@users.noreply.github.com> Date: Fri, 19 Apr 2024 12:19:51 +0200 Subject: [PATCH] fix: introduce missing Role into keptn-cert-manager helm charts (#3435) Signed-off-by: odubajDT --- .../.helm-tests/certificates-only/result.yaml | 47 +++++++++- .../scripts/.helm-tests/default/result.yaml | 82 ++++++++++++++-- .../.helm-tests/lifecycle-only/result.yaml | 35 +++++-- .../lifecycle-with-certs/result.yaml | 82 ++++++++++++++-- .../local-global-precedence/result.yaml | 94 +++++++++++++++++-- .../metrics-with-certs/result.yaml | 47 +++++++++- ...ificate-operator-leader-election-rbac.yaml | 46 ++++++++- .../config/rbac/leader_election_role.yaml | 4 +- .../rbac/leader_election_role_binding.yaml | 2 +- .../pkg/certificates/watcher_test.go | 40 +++++++- ...ml => scheduler-leader-election-rbac.yaml} | 25 ++++- .../config/rbac/leader_election_role.yaml | 2 +- .../rbac/leader_election_role_binding.yaml | 4 +- 13 files changed, 465 insertions(+), 45 deletions(-) rename lifecycle-operator/chart/templates/{leader-election-rbac.yaml => scheduler-leader-election-rbac.yaml} (54%) diff --git a/.github/scripts/.helm-tests/certificates-only/result.yaml b/.github/scripts/.helm-tests/certificates-only/result.yaml index 095bbd8ee7..0d2050299d 100644 --- a/.github/scripts/.helm-tests/certificates-only/result.yaml +++ b/.github/scripts/.helm-tests/certificates-only/result.yaml 
@@ -90,6 +90,51 @@ subjects: name: 'certificate-operator' namespace: 'helmtests' --- +# Source: keptn/charts/certManager/templates/certificate-operator-leader-election-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: certificate-operator-leader-election-role + namespace: "helmtests" + labels: + app.kubernetes.io/instance: keptn-test + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: cert-manager + app.kubernetes.io/version: v2.1.1 + helm.sh/chart: cert-manager-0.2.3 +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- # Source: keptn/charts/certManager/templates/certificate-operator-rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: Role @@ -140,7 +185,7 @@ metadata: roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: 'leader-election-role' + name: 'certificate-operator-leader-election-role' subjects: - kind: ServiceAccount name: 'certificate-operator' diff --git a/.github/scripts/.helm-tests/default/result.yaml b/.github/scripts/.helm-tests/default/result.yaml index e21fafa074..7baf0e82fb 100644 --- a/.github/scripts/.helm-tests/default/result.yaml +++ b/.github/scripts/.helm-tests/default/result.yaml 
@@ -14719,6 +14719,51 @@ subjects: name: 'metrics-operator' namespace: 'helmtests' --- +# Source: keptn/charts/certManager/templates/certificate-operator-leader-election-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: certificate-operator-leader-election-role + namespace: "helmtests" + labels: + app.kubernetes.io/instance: keptn-test + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: cert-manager + app.kubernetes.io/version: v2.1.1 + helm.sh/chart: cert-manager-0.2.3 +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- # Source: keptn/charts/certManager/templates/certificate-operator-rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: Role @@ -14751,16 +14796,13 @@ rules: - patch - update --- -# Source: keptn/charts/lifecycleOperator/templates/leader-election-rbac.yaml +# Source: keptn/charts/lifecycleOperator/templates/lifecycle-operator-leader-election-rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: leader-election-role + name: lifecycle-operator-leader-election-role namespace: "helmtests" labels: - app.kubernetes.io/component: rbac - app.kubernetes.io/created-by: certificate-operator - app.kubernetes.io/part-of: keptn app.kubernetes.io/instance: keptn-test app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: lifecycle-operator 
@@ -14799,13 +14841,16 @@ rules: - create - patch --- -# Source: keptn/charts/lifecycleOperator/templates/lifecycle-operator-leader-election-rbac.yaml +# Source: keptn/charts/lifecycleOperator/templates/scheduler-leader-election-rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: lifecycle-operator-leader-election-role + name: keptn-scheduler-leader-election-role namespace: "helmtests" labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: scheduler + app.kubernetes.io/part-of: keptn app.kubernetes.io/instance: keptn-test app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: lifecycle-operator @@ -14907,7 +14952,7 @@ metadata: roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: 'leader-election-role' + name: 'certificate-operator-leader-election-role' subjects: - kind: ServiceAccount name: 'certificate-operator' @@ -15000,6 +15045,27 @@ subjects: name: 'lifecycle-operator' namespace: 'helmtests' --- +# Source: keptn/charts/lifecycleOperator/templates/scheduler-leader-election-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: keptn-scheduler-leader-election-rolebinding + namespace: "helmtests" + labels: + app.kubernetes.io/instance: keptn-test + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: lifecycle-operator + app.kubernetes.io/version: v0.9.2 + helm.sh/chart: lifecycle-operator-0.2.3 +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: 'keptn-scheduler-leader-election-role' +subjects: +- kind: ServiceAccount + name: 'keptn-scheduler' + namespace: 'helmtests' +--- # Source: keptn/charts/metricsOperator/templates/metrics-operator-leader-election-rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding diff --git a/.github/scripts/.helm-tests/lifecycle-only/result.yaml b/.github/scripts/.helm-tests/lifecycle-only/result.yaml index 85f5b33afe..6daae1cda4 100644 --- a/.github/scripts/.helm-tests/lifecycle-only/result.yaml 
+++ b/.github/scripts/.helm-tests/lifecycle-only/result.yaml @@ -11637,16 +11637,13 @@ subjects: name: 'lifecycle-operator' namespace: 'helmtests' --- -# Source: keptn/charts/lifecycleOperator/templates/leader-election-rbac.yaml +# Source: keptn/charts/lifecycleOperator/templates/lifecycle-operator-leader-election-rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: leader-election-role + name: lifecycle-operator-leader-election-role namespace: "helmtests" labels: - app.kubernetes.io/component: rbac - app.kubernetes.io/created-by: certificate-operator - app.kubernetes.io/part-of: keptn app.kubernetes.io/instance: keptn-test app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: lifecycle-operator @@ -11685,13 +11682,16 @@ rules: - create - patch --- -# Source: keptn/charts/lifecycleOperator/templates/lifecycle-operator-leader-election-rbac.yaml +# Source: keptn/charts/lifecycleOperator/templates/scheduler-leader-election-rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: lifecycle-operator-leader-election-role + name: keptn-scheduler-leader-election-role namespace: "helmtests" labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: scheduler + app.kubernetes.io/part-of: keptn app.kubernetes.io/instance: keptn-test app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: lifecycle-operator 
@@ -11793,6 +11793,27 @@ subjects: name: 'lifecycle-operator' namespace: 'helmtests' --- +# Source: keptn/charts/lifecycleOperator/templates/scheduler-leader-election-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: keptn-scheduler-leader-election-rolebinding + namespace: "helmtests" + labels: + app.kubernetes.io/instance: keptn-test + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: lifecycle-operator + app.kubernetes.io/version: v0.9.2 + helm.sh/chart: lifecycle-operator-0.2.3 +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: 'keptn-scheduler-leader-election-role' +subjects: +- kind: ServiceAccount + name: 'keptn-scheduler' + namespace: 'helmtests' +--- # Source: keptn/charts/lifecycleOperator/templates/lifecycle-operator-metrics-service.yaml apiVersion: v1 kind: Service diff --git a/.github/scripts/.helm-tests/lifecycle-with-certs/result.yaml b/.github/scripts/.helm-tests/lifecycle-with-certs/result.yaml index 0f4b4bb2b8..f83a11c147 100644 --- a/.github/scripts/.helm-tests/lifecycle-with-certs/result.yaml +++ b/.github/scripts/.helm-tests/lifecycle-with-certs/result.yaml 
@@ -11728,6 +11728,51 @@ subjects: name: 'lifecycle-operator' namespace: 'helmtests' --- +# Source: keptn/charts/certManager/templates/certificate-operator-leader-election-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: certificate-operator-leader-election-role + namespace: "helmtests" + labels: + app.kubernetes.io/instance: keptn-test + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: cert-manager + app.kubernetes.io/version: v2.1.1 + helm.sh/chart: cert-manager-0.2.3 +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- # Source: keptn/charts/certManager/templates/certificate-operator-rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: Role @@ -11760,16 +11805,13 @@ rules: - patch - update --- -# Source: keptn/charts/lifecycleOperator/templates/leader-election-rbac.yaml +# Source: keptn/charts/lifecycleOperator/templates/lifecycle-operator-leader-election-rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: leader-election-role + name: lifecycle-operator-leader-election-role namespace: "helmtests" labels: - app.kubernetes.io/component: rbac - app.kubernetes.io/created-by: certificate-operator - app.kubernetes.io/part-of: keptn app.kubernetes.io/instance: keptn-test app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: lifecycle-operator 
@@ -11808,13 +11850,16 @@ rules: - create - patch --- -# Source: keptn/charts/lifecycleOperator/templates/lifecycle-operator-leader-election-rbac.yaml +# Source: keptn/charts/lifecycleOperator/templates/scheduler-leader-election-rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: lifecycle-operator-leader-election-role + name: keptn-scheduler-leader-election-role namespace: "helmtests" labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: scheduler + app.kubernetes.io/part-of: keptn app.kubernetes.io/instance: keptn-test app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: lifecycle-operator @@ -11871,7 +11916,7 @@ metadata: roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: 'leader-election-role' + name: 'certificate-operator-leader-election-role' subjects: - kind: ServiceAccount name: 'certificate-operator' @@ -11964,6 +12009,27 @@ subjects: name: 'lifecycle-operator' namespace: 'helmtests' --- +# Source: keptn/charts/lifecycleOperator/templates/scheduler-leader-election-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: keptn-scheduler-leader-election-rolebinding + namespace: "helmtests" + labels: + app.kubernetes.io/instance: keptn-test + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: lifecycle-operator + app.kubernetes.io/version: v0.9.2 + helm.sh/chart: lifecycle-operator-0.2.3 +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: 'keptn-scheduler-leader-election-role' +subjects: +- kind: ServiceAccount + name: 'keptn-scheduler' + namespace: 'helmtests' +--- # Source: keptn/charts/lifecycleOperator/templates/lifecycle-operator-metrics-service.yaml apiVersion: v1 kind: Service diff --git a/.github/scripts/.helm-tests/local-global-precedence/result.yaml b/.github/scripts/.helm-tests/local-global-precedence/result.yaml index 64bf02ec7b..89be25164d 100644 --- a/.github/scripts/.helm-tests/local-global-precedence/result.yaml 
+++ b/.github/scripts/.helm-tests/local-global-precedence/result.yaml @@ -14927,6 +14927,57 @@ subjects: name: 'metrics-operator' namespace: 'helmtests' --- +# Source: keptn/charts/certManager/templates/certificate-operator-leader-election-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: certificate-operator-leader-election-role + namespace: "helmtests" + annotations: + globalAnnotation1: test1 + globalAnnotation2: test2 + test-annotation: local + labels: + app.kubernetes.io/instance: keptn-test + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: cert-manager + app.kubernetes.io/version: v2.1.1 + globalLabel1: test1 + globalLabel2: test2 + helm.sh/chart: cert-manager-0.2.3 +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- # Source: keptn/charts/certManager/templates/certificate-operator-rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: Role @@ -14965,20 +15016,17 @@ rules: - patch - update --- -# Source: keptn/charts/lifecycleOperator/templates/leader-election-rbac.yaml +# Source: keptn/charts/lifecycleOperator/templates/lifecycle-operator-leader-election-rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: leader-election-role + name: lifecycle-operator-leader-election-role namespace: "helmtests" annotations: globalAnnotation1: test1 globalAnnotation2: test2 test-annotation: local labels: - app.kubernetes.io/component: rbac - app.kubernetes.io/created-by: certificate-operator - app.kubernetes.io/part-of: keptn app.kubernetes.io/instance: keptn-test app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: lifecycle-operator 
@@ -15019,17 +15067,20 @@ rules: - create - patch --- -# Source: keptn/charts/lifecycleOperator/templates/lifecycle-operator-leader-election-rbac.yaml +# Source: keptn/charts/lifecycleOperator/templates/scheduler-leader-election-rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: lifecycle-operator-leader-election-role + name: keptn-scheduler-leader-election-role namespace: "helmtests" annotations: globalAnnotation1: test1 globalAnnotation2: test2 test-annotation: local labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: scheduler + app.kubernetes.io/part-of: keptn app.kubernetes.io/instance: keptn-test app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: lifecycle-operator @@ -15148,7 +15199,7 @@ metadata: roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: 'leader-election-role' + name: 'certificate-operator-leader-election-role' subjects: - kind: ServiceAccount name: 'certificate-operator' 
@@ -15265,6 +15316,33 @@ subjects: name: 'lifecycle-operator' namespace: 'helmtests' --- +# Source: keptn/charts/lifecycleOperator/templates/scheduler-leader-election-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: keptn-scheduler-leader-election-rolebinding + namespace: "helmtests" + annotations: + globalAnnotation1: test1 + globalAnnotation2: test2 + test-annotation: local + labels: + app.kubernetes.io/instance: keptn-test + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: lifecycle-operator + app.kubernetes.io/version: v0.9.2 + globalLabel1: test1 + globalLabel2: test2 + helm.sh/chart: lifecycle-operator-0.2.3 +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: 'keptn-scheduler-leader-election-role' +subjects: +- kind: ServiceAccount + name: 'keptn-scheduler' + namespace: 'helmtests' +--- # Source: keptn/charts/metricsOperator/templates/metrics-operator-leader-election-rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding diff --git a/.github/scripts/.helm-tests/metrics-with-certs/result.yaml b/.github/scripts/.helm-tests/metrics-with-certs/result.yaml index 563f59d59f..43fdfbbf9d 100644 --- a/.github/scripts/.helm-tests/metrics-with-certs/result.yaml +++ b/.github/scripts/.helm-tests/metrics-with-certs/result.yaml 
@@ -3081,6 +3081,51 @@ subjects: name: 'metrics-operator' namespace: 'helmtests' --- +# Source: keptn/charts/certManager/templates/certificate-operator-leader-election-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: certificate-operator-leader-election-role + namespace: "helmtests" + labels: + app.kubernetes.io/instance: keptn-test + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: cert-manager + app.kubernetes.io/version: v2.1.1 + helm.sh/chart: cert-manager-0.2.3 +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- # Source: keptn/charts/certManager/templates/certificate-operator-rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: Role @@ -3176,7 +3221,7 @@ metadata: roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: 'leader-election-role' + name: 'certificate-operator-leader-election-role' subjects: - kind: ServiceAccount name: 'certificate-operator' diff --git a/keptn-cert-manager/chart/templates/certificate-operator-leader-election-rbac.yaml b/keptn-cert-manager/chart/templates/certificate-operator-leader-election-rbac.yaml index 9dfc9d7aa9..ca6dd83aac 100644 --- a/keptn-cert-manager/chart/templates/certificate-operator-leader-election-rbac.yaml +++ b/keptn-cert-manager/chart/templates/certificate-operator-leader-election-rbac.yaml 
@@ -1,4 +1,48 @@ apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: certificate-operator-leader-election-role + namespace: {{ .Release.Namespace | quote }} + {{- $annotations := include "common.annotations" (dict "context" .) }} + {{- with $annotations }} + annotations: {{- . -}} + {{- end }} + labels: +{{- include "common.labels.standard" ( dict "context" . ) | nindent 4 }} +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- +apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: certificate-operator-leader-election-rolebinding @@ -16,7 +60,7 @@ metadata: roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: 'leader-election-role' + name: 'certificate-operator-leader-election-role' subjects: - kind: ServiceAccount name: 'certificate-operator' diff --git a/keptn-cert-manager/config/rbac/leader_election_role.yaml b/keptn-cert-manager/config/rbac/leader_election_role.yaml index 94a7aaea76..5cec925f62 100644 --- a/keptn-cert-manager/config/rbac/leader_election_role.yaml +++ b/keptn-cert-manager/config/rbac/leader_election_role.yaml @@ -4,12 +4,12 @@ kind: Role metadata: labels: app.kubernetes.io/name: role - app.kubernetes.io/instance: leader-election-role + app.kubernetes.io/instance: certificate-operator-leader-election-role app.kubernetes.io/component: rbac app.kubernetes.io/created-by: certificate-operator app.kubernetes.io/part-of: keptn app.kubernetes.io/managed-by: kustomize - name: leader-election-role + name: certificate-operator-leader-election-role rules: - apiGroups: - "" 
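Review bot: The new `certificate-operator-leader-election-role` grants get/list/watch/create/update/patch/delete on every ConfigMap and every Lease in the release namespace, which is wider than leader election needs. If the operator's leader election uses a Lease lock (not visible in this patch), the `configmaps` rule can probably be dropped. The update/patch/delete verbs can then be limited to the lock object with `resourceNames: ["<leader-election-id>"]` (placeholder name), keeping `create` in a separate rule because it cannot be restricted by name. A short comment above `rules:` naming the lock object these verbs are for, e.g. `# leader-election lock only; see <leader-election-id>`, would make later RBAC audits easier.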
diff --git a/keptn-cert-manager/config/rbac/leader_election_role_binding.yaml b/keptn-cert-manager/config/rbac/leader_election_role_binding.yaml index bebc070765..927f0ab051 100644 --- a/keptn-cert-manager/config/rbac/leader_election_role_binding.yaml +++ b/keptn-cert-manager/config/rbac/leader_election_role_binding.yaml @@ -12,7 +12,7 @@ metadata: roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: leader-election-role + name: certificate-operator-leader-election-role subjects: - kind: ServiceAccount name: certificate-operator diff --git a/keptn-cert-manager/pkg/certificates/watcher_test.go b/keptn-cert-manager/pkg/certificates/watcher_test.go index ae3dd0cca1..378c9b077c 100644 --- a/keptn-cert-manager/pkg/certificates/watcher_test.go +++ b/keptn-cert-manager/pkg/certificates/watcher_test.go 
@@ -21,6 +21,30 @@ import ( ) const CACERT = `-----BEGIN CERTIFICATE----- +MIIBrzCCAVmgAwIBAgIUH/zWlPkTXVBcu2zOvUy/NV1hCKkwDQYJKoZIhvcNAQEL +BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM +GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yNDA0MTgwOTEzMDdaFw0zNDA0 +MTYwOTEzMDdaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw +HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwXDANBgkqhkiG9w0BAQEF +AANLADBIAkEAyLJjXFVA0DzUVSJy+ANqe+tXki2MsWgm+cbYkpBMLJMKhhwnv6vW +Hxwsh5MZNwAmSoprINGb7i6Ub2OhjpVq0QIDAQABoyEwHzAdBgNVHQ4EFgQUtwGr +j5axZSNJo6o1mP7L09axxIIwDQYJKoZIhvcNAQELBQADQQDIJGtVIgsg0J3e5QRf +LZ21sKKY+xzeG5yy90ao8QMWX9CqCpZncprE1MJijkG7paCFq6Bh22g6xTZYYJ1m +yG/y +-----END CERTIFICATE-----` + +const CAKEY = `-----BEGIN PRIVATE KEY----- +MIIBVAIBADANBgkqhkiG9w0BAQEFAASCAT4wggE6AgEAAkEAyLJjXFVA0DzUVSJy ++ANqe+tXki2MsWgm+cbYkpBMLJMKhhwnv6vWHxwsh5MZNwAmSoprINGb7i6Ub2Oh +jpVq0QIDAQABAkANdxJ9hmbD0eD5GUeXZjtFtyN39kBjQraiuXmcU7wYnWJ9OyaB +jsKkWlv9vx1stbMSYzlSQepDRYVcKL6AgGexAiEA7EwLkpiWT41/IwIIoYVQNgMN +Q/n8ltO47ecFljF1G6UCIQDZbm1JXYF068xo0vglnKl9HK3I69cHA4hrVww0ZUha +vQIgIDy7s3NHxnCqcK89WDPk3omKDMUVNcqKx0ImW/hBXtUCIQCvrMgCCdmp9UaP +vz0dbomGe6ByARMYKKOVTpyezOJ75QIgNqihb0lQbzEceTo6S2bQakDH7dH4Eydd +hMfh5Ml1u3o= +-----END PRIVATE KEY-----` + +const OUTDATED_CACERT = `-----BEGIN CERTIFICATE----- MIICPTCCAeKgAwIBAgIRAMIV/0UqFGHgKSYOWBdx/KcwCgYIKoZIzj0EAwIwczEL MAkGA1UEBhMCQVQxCzAJBgNVBAgTAktMMRMwEQYDVQQHEwpLbGFnZW5mdXJ0MQ4w DAYDVQQKEwVLZXB0bjEZMBcGA1UECxMQTGlmZWN5Y2xlVG9vbGtpdDEXMBUGA1UE @@ -36,7 +60,7 @@ ow49D22Gsrh7YM+vmTQCIQDU1L5IT0Zz+bdIyFSsDnEUXZDeydNv56DoSLh+358Y aw== -----END CERTIFICATE-----` -const CAKEY = `-----BEGIN PRIVATE KEY----- +const OUTDATED_CAKEY = `-----BEGIN PRIVATE KEY----- MHcCAQEEII5SAqBxINKatksyu2mTvLZZhfEOpNinYJDwlQjkfreboAoGCCqGSM49 AwEHoUQDQgAE/EA/glMl/ArP8/fZ1e7J9WLuSKdA95tJjAX+BEBRw3R0ICLoafFs jY5eVxTSC4PMde/dVGHcRfZ+I2zNx8poJg== 
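Review bot: The replacement `CACERT`/`CAKEY` pair is again a static fixture with a fixed validity window. The encoded dates appear to put its expiry in April 2034, after which the cases that expect a valid certificate would presumably start failing. A comment above the constant would record that, for example `// Test-only fixture: self-signed cert, appears to expire 2034-04-16; regenerate before then.` A matching comment above `CAKEY` and `OUTDATED_CAKEY` (second hunk, `@@ -36,7 +60,7`), such as `// Test-only private key; must never be used outside tests.`, lets secret-scanner findings on this file be triaged quickly. Generating the pair inside the test with a NotAfter relative to the current time would remove the expiry dependency altogether.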
@@ -86,6 +110,18 @@ var emptySecret = v1.Secret{ }, } +var outdatedSecret = v1.Secret{ + TypeMeta: metav1.TypeMeta{}, + ObjectMeta: metav1.ObjectMeta{ + Namespace: "default", + Name: "my-cert", + }, + Data: map[string][]byte{ + ServerCert: []byte(OUTDATED_CACERT), + ServerKey: []byte(OUTDATED_CAKEY), + }, +} + var goodSecret = v1.Secret{ TypeMeta: metav1.TypeMeta{}, ObjectMeta: metav1.ObjectMeta{ @@ -254,7 +290,7 @@ func TestCertificateWatcher_updateCertificatesFromSecret(t *testing.T) { }, { name: "outdated certificate found, nothing in dir", - apiReader: newFakeClient(&emptySecret), + apiReader: newFakeClient(&outdatedSecret), certificateDirectory: t.TempDir(), namespace: "default", certificateSecretName: "my-cert", diff --git a/lifecycle-operator/chart/templates/leader-election-rbac.yaml b/lifecycle-operator/chart/templates/scheduler-leader-election-rbac.yaml similarity index 54% rename from lifecycle-operator/chart/templates/leader-election-rbac.yaml rename to lifecycle-operator/chart/templates/scheduler-leader-election-rbac.yaml index e5e864d162..67ecb01087 100644 --- a/lifecycle-operator/chart/templates/leader-election-rbac.yaml +++ b/lifecycle-operator/chart/templates/scheduler-leader-election-rbac.yaml @@ -1,7 +1,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: leader-election-role + name: keptn-scheduler-leader-election-role namespace: {{ .Release.Namespace | quote }} {{- $annotations := include "common.annotations" (dict "context" .) }} {{- with $annotations }} @@ -9,7 +9,7 @@ metadata: {{- end }} labels: app.kubernetes.io/component: rbac - app.kubernetes.io/created-by: certificate-operator + app.kubernetes.io/created-by: scheduler app.kubernetes.io/part-of: keptn {{- include "common.labels.standard" ( dict "context" . ) | nindent 4 }} rules: 
@@ -43,4 +43,23 @@ rules: - events verbs: - create - - patch \ No newline at end of file + - patch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: keptn-scheduler-leader-election-rolebinding + namespace: {{ .Release.Namespace | quote }} + {{- with $annotations }} + annotations: {{- . -}} + {{- end }} + labels: +{{- include "common.labels.standard" ( dict "context" . ) | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: 'keptn-scheduler-leader-election-role' +subjects: +- kind: ServiceAccount + name: 'keptn-scheduler' + namespace: '{{ .Release.Namespace }}' diff --git a/scheduler/config/rbac/leader_election_role.yaml b/scheduler/config/rbac/leader_election_role.yaml index 9221419fae..ff348c020e 100644 --- a/scheduler/config/rbac/leader_election_role.yaml +++ b/scheduler/config/rbac/leader_election_role.yaml @@ -2,7 +2,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: leader-election-role + name: keptn-scheduler-leader-election-role rules: - apiGroups: - "" diff --git a/scheduler/config/rbac/leader_election_role_binding.yaml b/scheduler/config/rbac/leader_election_role_binding.yaml index c865d51bf3..d323b56849 100644 --- a/scheduler/config/rbac/leader_election_role_binding.yaml +++ b/scheduler/config/rbac/leader_election_role_binding.yaml @@ -1,11 +1,11 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: scheduler-leader-election-rolebinding + name: keptn-scheduler-leader-election-rolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: leader-election-role + name: keptn-scheduler-leader-election-role subjects: - kind: ServiceAccount name: controller-manager
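Review bot: In the added RoleBinding, `subjects[0].namespace` is written as `'{{ .Release.Namespace }}'` while `metadata.namespace` a few lines above uses `{{ .Release.Namespace | quote }}`. Using `namespace: {{ .Release.Namespace | quote }}` in both places keeps the quoting in one helper. The binding also omits the `app.kubernetes.io/component`, `app.kubernetes.io/created-by` and `app.kubernetes.io/part-of` labels that the Role in the same file carries, so selectors on those labels will match the Role but not its binding. The Role's rules lie mostly outside this hunk, so the permissions the `keptn-scheduler` ServiceAccount receives cannot be reviewed from here.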