Use MANIFEST_PRINT_RBAC_NAMESPACED to generate clickhouse-operator files

This replaces the `ClusterRole` with a `Role` only for posthog namespace. If the clickhouse-operator is only deployed into a single namespace, it only needs access to this namespace and not the whole cluster.
PostHog · Nov 24, 2022 · 3d69ee7 · 3d69ee7
1 parent 5a61f35
commit 3d69ee7
Show file tree

Hide file tree

Showing 7 changed files with 38 additions and 37 deletions.
diff --git a/...ates/clickhouse-operator/clusterrole.yaml → ...g/templates/clickhouse-operator/role.yaml b/...ates/clickhouse-operator/clusterrole.yaml → ...g/templates/clickhouse-operator/role.yaml
@@ -2,16 +2,16 @@
 # Template Parameters:
 #
 # NAMESPACE={{ .Values.clickhouse.namespace | default .Release.Namespace }}
-# COMMENT=#
-# ROLE_KIND=ClusterRole
-# ROLE_NAME=clickhouse-operator-{{ .Values.clickhouse.namespace | default .Release.Namespace }}
-# ROLE_BINDING_KIND=ClusterRoleBinding
-# ROLE_BINDING_NAME=clickhouse-operator-{{ .Values.clickhouse.namespace | default .Release.Namespace }}
+# COMMENT=
+# ROLE_KIND=Role
+# ROLE_NAME=clickhouse-operator
+# ROLE_BINDING_KIND=RoleBinding
+# ROLE_BINDING_NAME=clickhouse-operator
 #
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
+kind: Role
 metadata:
-  name: clickhouse-operator-{{ .Values.clickhouse.namespace | default .Release.Namespace }}
+  name: clickhouse-operator
   namespace: {{ .Values.clickhouse.namespace | default .Release.Namespace }}
   labels:
     clickhouse.altinity.com/chop: 0.18.4

diff --git a/...ickhouse-operator/clusterrolebinding.yaml → ...ates/clickhouse-operator/rolebinding.yaml b/...ickhouse-operator/clusterrolebinding.yaml → ...ates/clickhouse-operator/rolebinding.yaml
@@ -2,16 +2,16 @@
 # Setup ClusterRoleBinding between ClusterRole and ServiceAccount.
 # ClusterRoleBinding is namespace-less and must have unique name
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
+kind: RoleBinding
 metadata:
-  name: clickhouse-operator-{{ .Values.clickhouse.namespace | default .Release.Namespace }}
+  name: clickhouse-operator
   namespace: {{ .Values.clickhouse.namespace | default .Release.Namespace }}
   labels:
     clickhouse.altinity.com/chop: 0.18.4
 roleRef:
   apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: clickhouse-operator-{{ .Values.clickhouse.namespace | default .Release.Namespace }}
+  kind: Role
+  name: clickhouse-operator
 subjects:
 - kind: ServiceAccount
   name: clickhouse-operator

diff --git a/...erator/__snapshot__/clusterrole.yaml.snap → ...ouse-operator/__snapshot__/role.yaml.snap b/...erator/__snapshot__/clusterrole.yaml.snap → ...ouse-operator/__snapshot__/role.yaml.snap
@@ -1,11 +1,11 @@
 the manifest should match the snapshot when using default values:
   1: |
     apiVersion: rbac.authorization.k8s.io/v1
-    kind: ClusterRole
+    kind: Role
     metadata:
       labels:
         clickhouse.altinity.com/chop: 0.18.4
-      name: clickhouse-operator-NAMESPACE
+      name: clickhouse-operator
       namespace: NAMESPACE
     rules:
     - apiGroups:

diff --git a/...__snapshot__/clusterrolebinding.yaml.snap → ...erator/__snapshot__/rolebinding.yaml.snap b/...__snapshot__/clusterrolebinding.yaml.snap → ...erator/__snapshot__/rolebinding.yaml.snap
@@ -1,16 +1,16 @@
 the manifest should match the snapshot when using default values:
   1: |
     apiVersion: rbac.authorization.k8s.io/v1
-    kind: ClusterRoleBinding
+    kind: RoleBinding
     metadata:
       labels:
         clickhouse.altinity.com/chop: 0.18.4
-      name: clickhouse-operator-NAMESPACE
+      name: clickhouse-operator
       namespace: NAMESPACE
     roleRef:
       apiGroup: rbac.authorization.k8s.io
-      kind: ClusterRole
-      name: clickhouse-operator-NAMESPACE
+      kind: Role
+      name: clickhouse-operator
     subjects:
     - kind: ServiceAccount
       name: clickhouse-operator

diff --git a/...ests/clickhouse-operator/clusterrole.yaml → ...sthog/tests/clickhouse-operator/role.yaml b/...ests/clickhouse-operator/clusterrole.yaml → ...sthog/tests/clickhouse-operator/role.yaml
@@ -1,6 +1,6 @@
-suite: ClickHouse cluster role definition
+suite: ClickHouse role definition
 templates:
-  - templates/clickhouse-operator/clusterrole.yaml
+  - templates/clickhouse-operator/role.yaml
 
 tests:
   - it: should be empty if clickhouse.enabled is set to false
@@ -16,7 +16,7 @@ tests:
           count: 1
       - matchSnapshot: {}
 
-  - it: ClusterRole/clickhouse-operator-posthog metadata.namespace override via clickhouse.namespace should work
+  - it: Role/clickhouse-operator-posthog metadata.namespace override via clickhouse.namespace should work
     set:
       clickhouse.namespace: "custom-namespace"
     documentIndex: 0
@@ -27,7 +27,7 @@ tests:
           path: metadata.namespace
           value: custom-namespace
 
-  - it: ClusterRole/clickhouse-operator-posthog metadata.namespace override via Release.Namespace should work
+  - it: Role/clickhouse-operator-posthog metadata.namespace override via Release.Namespace should work
     release:
       namespace: custom-namespace-from-release
     documentIndex: 0

diff --git a/...ickhouse-operator/clusterrolebinding.yaml → ...ests/clickhouse-operator/rolebinding.yaml b/...ickhouse-operator/clusterrolebinding.yaml → ...ests/clickhouse-operator/rolebinding.yaml
@@ -1,6 +1,6 @@
-suite: ClickHouse cluster role binding definition
+suite: ClickHouse role binding definition
 templates:
-  - templates/clickhouse-operator/clusterrolebinding.yaml
+  - templates/clickhouse-operator/rolebinding.yaml
 
 tests:
   - it: should be empty if clickhouse.enabled is set to false
@@ -16,7 +16,7 @@ tests:
           count: 1
       - matchSnapshot: {}
 
-  - it: ClusterRoleBinding/clickhouse-operator-posthog metadata.namespace override via clickhouse.namespace should work
+  - it: RoleBinding/clickhouse-operator-posthog metadata.namespace override via clickhouse.namespace should work
     set:
       clickhouse.namespace: "custom-namespace"
     documentIndex: 0
@@ -27,7 +27,7 @@ tests:
           path: metadata.namespace
           value: custom-namespace
 
-  - it: ClusterRoleBinding/clickhouse-operator-posthog metadata.namespace override via Release.Namespace should work
+  - it: RoleBinding/clickhouse-operator-posthog metadata.namespace override via Release.Namespace should work
     release:
       namespace: custom-namespace-from-release
     documentIndex: 0
@@ -38,7 +38,7 @@ tests:
           path: metadata.namespace
           value: custom-namespace-from-release
 
-  - it: ClusterRoleBinding/clickhouse-operator-posthog subjects[0].namespace override via clickhouse.namespace should work
+  - it: RoleBinding/clickhouse-operator-posthog subjects[0].namespace override via clickhouse.namespace should work
     set:
       clickhouse.namespace: "custom-namespace"
     documentIndex: 0
@@ -49,7 +49,7 @@ tests:
           path: subjects[0].namespace
           value: custom-namespace
 
-  - it: ClusterRoleBinding/clickhouse-operator-posthog subjects[0].namespace override via Release.Namespace should work
+  - it: RoleBinding/clickhouse-operator-posthog subjects[0].namespace override via Release.Namespace should work
     release:
       namespace: custom-namespace-from-release
     documentIndex: 0

diff --git a/scripts/clickhouse_operator_sync.sh b/scripts/clickhouse_operator_sync.sh
@@ -18,13 +18,13 @@ TMP_FOLDER="$(mktemp -d)"
 trap 'rm -rf -- "$TMP_FOLDER"' EXIT
 
 CLICKHOUSE_OPERATOR_TAG="0.18.4"
-URL="https://raw.githubusercontent.com/Altinity/clickhouse-operator/${CLICKHOUSE_OPERATOR_TAG}/deploy/operator/clickhouse-operator-install-template.yaml"
+REPO_URL="https://github.com/Altinity/clickhouse-operator.git"
 
 #
-# Download the 'altinity/clickhouse-operator' definition and save it as temporary file.
-#
-# see: https://github.com/Altinity/clickhouse-operator/blob/master/docs/quick_start.md#in-case-you-can-not-run-scripts-from-internet-in-your-protected-environment
+# Clone the 'altinity/clickhouse-operator' repo to temp folder.
 #
+git clone --branch ${CLICKHOUSE_OPERATOR_TAG} ${REPO_URL} "${TMP_FOLDER}"
+
 OPERATOR_NAMESPACE="PLACEHOLDER"
 METRICS_EXPORTER_NAMESPACE="${OPERATOR_NAMESPACE}"
 # NOTE: we pin to 0.19.0 here which is different to the 0.16.1 manifest version.
@@ -35,12 +35,13 @@ METRICS_EXPORTER_NAMESPACE="${OPERATOR_NAMESPACE}"
 OPERATOR_IMAGE="${OPERATOR_IMAGE:-altinity/clickhouse-operator:0.19.0}"
 METRICS_EXPORTER_IMAGE="${METRICS_EXPORTER_IMAGE:-altinity/metrics-exporter:latest}"
 
-curl -s "${URL}" | \
-    OPERATOR_IMAGE="${OPERATOR_IMAGE}" \
-    OPERATOR_NAMESPACE="${OPERATOR_NAMESPACE}" \
-    METRICS_EXPORTER_IMAGE="${METRICS_EXPORTER_IMAGE}" \
-    METRICS_EXPORTER_NAMESPACE="${METRICS_EXPORTER_NAMESPACE}" \
-    envsubst > "$TMP_FOLDER/clickhouse-operator.yaml"
+
+OPERATOR_IMAGE="${OPERATOR_IMAGE}" \
+OPERATOR_NAMESPACE="${OPERATOR_NAMESPACE}" \
+METRICS_EXPORTER_IMAGE="${METRICS_EXPORTER_IMAGE}" \
+METRICS_EXPORTER_NAMESPACE="${METRICS_EXPORTER_NAMESPACE}" \
+MANIFEST_PRINT_RBAC_NAMESPACED=yes \
+"${TMP_FOLDER}/deploy/builder/cat-clickhouse-operator-install-yaml.sh" > "${TMP_FOLDER}/clickhouse-operator.yaml"
 
 #
 # Use 'altinity/clickhouse-operator' definition file we fetched and parsed and slice it