From 5934470b41c1542b56113f4d9cb823696de78876 Mon Sep 17 00:00:00 2001
From: Benjamin Neff
Date: Fri, 18 Nov 2022 19:25:42 +0100
Subject: [PATCH] Use MANIFEST_PRINT_RBAC_NAMESPACED to generate clickhouse-operator files

This replaces the `ClusterRole` with a `Role` only for posthog namespace. If the clickhouse-operator is only deployed into a single namespace, it only needs access to this namespace and not the whole cluster.
---
.../{clusterrole.yaml => role.yaml} | 14 ++++++-------
...usterrolebinding.yaml => rolebinding.yaml} | 8 ++++----
.../{clusterrole.yaml.snap => role.yaml.snap} | 4 ++--
...inding.yaml.snap => rolebinding.yaml.snap} | 8 ++++----
.../{clusterrole.yaml => role.yaml} | 8 ++++----
...usterrolebinding.yaml => rolebinding.yaml} | 12 +++++------
scripts/clickhouse_operator_sync.sh | 20 +++++++++----------
7 files changed, 37 insertions(+), 37 deletions(-)
rename charts/posthog/templates/clickhouse-operator/{clusterrole.yaml => role.yaml} (86%)
rename charts/posthog/templates/clickhouse-operator/{clusterrolebinding.yaml => rolebinding.yaml} (70%)
rename charts/posthog/tests/clickhouse-operator/__snapshot__/{clusterrole.yaml.snap => role.yaml.snap} (97%)
rename charts/posthog/tests/clickhouse-operator/__snapshot__/{clusterrolebinding.yaml.snap => rolebinding.yaml.snap} (73%)
rename charts/posthog/tests/clickhouse-operator/{clusterrole.yaml => role.yaml} (71%)
rename charts/posthog/tests/clickhouse-operator/{clusterrolebinding.yaml => rolebinding.yaml} (67%)
diff --git a/charts/posthog/templates/clickhouse-operator/clusterrole.yaml b/charts/posthog/templates/clickhouse-operator/role.yaml
similarity index 86%
rename from charts/posthog/templates/clickhouse-operator/clusterrole.yaml
rename to charts/posthog/templates/clickhouse-operator/role.yaml
index e59a9eeb7..19074d766 100644
--- a/charts/posthog/templates/clickhouse-operator/clusterrole.yaml
+++ b/charts/posthog/templates/clickhouse-operator/role.yaml
@@ -2,16 +2,16 @@ # Template Parameters: # # NAMESPACE={{ .Values.clickhouse.namespace | default .Release.Namespace }} -# COMMENT=# -# ROLE_KIND=ClusterRole -# ROLE_NAME=clickhouse-operator-{{ .Values.clickhouse.namespace | default .Release.Namespace }} -# ROLE_BINDING_KIND=ClusterRoleBinding -# ROLE_BINDING_NAME=clickhouse-operator-{{ .Values.clickhouse.namespace | default .Release.Namespace }} +# COMMENT= +# ROLE_KIND=Role +# ROLE_NAME=clickhouse-operator +# ROLE_BINDING_KIND=RoleBinding +# ROLE_BINDING_NAME=clickhouse-operator # apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole +kind: Role metadata: - name: clickhouse-operator-{{ .Values.clickhouse.namespace | default .Release.Namespace }} + name: clickhouse-operator namespace: {{ .Values.clickhouse.namespace | default .Release.Namespace }} labels: clickhouse.altinity.com/chop: 0.18.4 diff --git a/charts/posthog/templates/clickhouse-operator/clusterrolebinding.yaml b/charts/posthog/templates/clickhouse-operator/rolebinding.yaml similarity index 70% rename from charts/posthog/templates/clickhouse-operator/clusterrolebinding.yaml rename to charts/posthog/templates/clickhouse-operator/rolebinding.yaml index b8586d209..975b729f0 100644 --- a/charts/posthog/templates/clickhouse-operator/clusterrolebinding.yaml +++ b/charts/posthog/templates/clickhouse-operator/rolebinding.yaml 
@@ -2,16 +2,16 @@ # Setup ClusterRoleBinding between ClusterRole and ServiceAccount. # ClusterRoleBinding is namespace-less and must have unique name apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding +kind: RoleBinding metadata: - name: clickhouse-operator-{{ .Values.clickhouse.namespace | default .Release.Namespace }} + name: clickhouse-operator namespace: {{ .Values.clickhouse.namespace | default .Release.Namespace }} labels: clickhouse.altinity.com/chop: 0.18.4 roleRef: apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: clickhouse-operator-{{ .Values.clickhouse.namespace | default .Release.Namespace }} + kind: Role + name: clickhouse-operator subjects: - kind: ServiceAccount name: clickhouse-operator diff --git a/charts/posthog/tests/clickhouse-operator/__snapshot__/clusterrole.yaml.snap b/charts/posthog/tests/clickhouse-operator/__snapshot__/role.yaml.snap similarity index 97% rename from charts/posthog/tests/clickhouse-operator/__snapshot__/clusterrole.yaml.snap rename to charts/posthog/tests/clickhouse-operator/__snapshot__/role.yaml.snap index 460cef6e0..9fcff7af3 100644 --- a/charts/posthog/tests/clickhouse-operator/__snapshot__/clusterrole.yaml.snap +++ b/charts/posthog/tests/clickhouse-operator/__snapshot__/role.yaml.snap @@ -1,11 +1,11 @@ the manifest should match the snapshot when using default values: 1: | apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole + kind: Role metadata: labels: clickhouse.altinity.com/chop: 0.18.4 - name: clickhouse-operator-NAMESPACE + name: clickhouse-operator namespace: NAMESPACE rules: - apiGroups: 
diff --git a/charts/posthog/tests/clickhouse-operator/__snapshot__/clusterrolebinding.yaml.snap b/charts/posthog/tests/clickhouse-operator/__snapshot__/rolebinding.yaml.snap similarity index 73% rename from charts/posthog/tests/clickhouse-operator/__snapshot__/clusterrolebinding.yaml.snap rename to charts/posthog/tests/clickhouse-operator/__snapshot__/rolebinding.yaml.snap index 47377c592..8d275fa2f 100644 --- a/charts/posthog/tests/clickhouse-operator/__snapshot__/clusterrolebinding.yaml.snap +++ b/charts/posthog/tests/clickhouse-operator/__snapshot__/rolebinding.yaml.snap @@ -1,16 +1,16 @@ the manifest should match the snapshot when using default values: 1: | apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding + kind: RoleBinding metadata: labels: clickhouse.altinity.com/chop: 0.18.4 - name: clickhouse-operator-NAMESPACE + name: clickhouse-operator namespace: NAMESPACE roleRef: apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: clickhouse-operator-NAMESPACE + kind: Role + name: clickhouse-operator subjects: - kind: ServiceAccount name: clickhouse-operator diff --git a/charts/posthog/tests/clickhouse-operator/clusterrole.yaml b/charts/posthog/tests/clickhouse-operator/role.yaml similarity index 71% rename from charts/posthog/tests/clickhouse-operator/clusterrole.yaml rename to charts/posthog/tests/clickhouse-operator/role.yaml index 9c96a080f..e3c7e9516 100644 --- a/charts/posthog/tests/clickhouse-operator/clusterrole.yaml +++ b/charts/posthog/tests/clickhouse-operator/role.yaml @@ -1,6 +1,6 @@ -suite: ClickHouse cluster role definition +suite: ClickHouse role definition templates: - - templates/clickhouse-operator/clusterrole.yaml + - templates/clickhouse-operator/role.yaml tests: - it: should be empty if clickhouse.enabled is set to false 
@@ -16,7 +16,7 @@ tests: count: 1 - matchSnapshot: {} - - it: ClusterRole/clickhouse-operator-posthog metadata.namespace override via clickhouse.namespace should work + - it: Role/clickhouse-operator-posthog metadata.namespace override via clickhouse.namespace should work set: clickhouse.namespace: "custom-namespace" documentIndex: 0 @@ -27,7 +27,7 @@ tests: path: metadata.namespace value: custom-namespace - - it: ClusterRole/clickhouse-operator-posthog metadata.namespace override via Release.Namespace should work + - it: Role/clickhouse-operator-posthog metadata.namespace override via Release.Namespace should work release: namespace: custom-namespace-from-release documentIndex: 0 diff --git a/charts/posthog/tests/clickhouse-operator/clusterrolebinding.yaml b/charts/posthog/tests/clickhouse-operator/rolebinding.yaml similarity index 67% rename from charts/posthog/tests/clickhouse-operator/clusterrolebinding.yaml rename to charts/posthog/tests/clickhouse-operator/rolebinding.yaml index b16908c2d..ee7ce5b79 100644 --- a/charts/posthog/tests/clickhouse-operator/clusterrolebinding.yaml +++ b/charts/posthog/tests/clickhouse-operator/rolebinding.yaml @@ -1,6 +1,6 @@ -suite: ClickHouse cluster role binding definition +suite: ClickHouse role binding definition templates: - - templates/clickhouse-operator/clusterrolebinding.yaml + - templates/clickhouse-operator/rolebinding.yaml tests: - it: should be empty if clickhouse.enabled is set to false @@ -16,7 +16,7 @@ tests: count: 1 - matchSnapshot: {} - - it: ClusterRoleBinding/clickhouse-operator-posthog metadata.namespace override via clickhouse.namespace should work + - it: RoleBinding/clickhouse-operator-posthog metadata.namespace override via clickhouse.namespace should work set: clickhouse.namespace: "custom-namespace" documentIndex: 0 
@@ -27,7 +27,7 @@ tests: path: metadata.namespace value: custom-namespace - - it: ClusterRoleBinding/clickhouse-operator-posthog metadata.namespace override via Release.Namespace should work + - it: RoleBinding/clickhouse-operator-posthog metadata.namespace override via Release.Namespace should work release: namespace: custom-namespace-from-release documentIndex: 0 @@ -38,7 +38,7 @@ tests: path: metadata.namespace value: custom-namespace-from-release - - it: ClusterRoleBinding/clickhouse-operator-posthog subjects[0].namespace override via clickhouse.namespace should work + - it: RoleBinding/clickhouse-operator-posthog subjects[0].namespace override via clickhouse.namespace should work set: clickhouse.namespace: "custom-namespace" documentIndex: 0 @@ -49,7 +49,7 @@ tests: path: subjects[0].namespace value: custom-namespace - - it: ClusterRoleBinding/clickhouse-operator-posthog subjects[0].namespace override via Release.Namespace should work + - it: RoleBinding/clickhouse-operator-posthog subjects[0].namespace override via Release.Namespace should work release: namespace: custom-namespace-from-release documentIndex: 0 diff --git a/scripts/clickhouse_operator_sync.sh b/scripts/clickhouse_operator_sync.sh index af7bca220..3e7c888a7 100755 --- a/scripts/clickhouse_operator_sync.sh +++ b/scripts/clickhouse_operator_sync.sh 
@@ -18,13 +18,13 @@ TMP_FOLDER="$(mktemp -d)" trap 'rm -rf -- "$TMP_FOLDER"' EXIT CLICKHOUSE_OPERATOR_TAG="0.18.4" -URL="https://raw.githubusercontent.com/Altinity/clickhouse-operator/${CLICKHOUSE_OPERATOR_TAG}/deploy/operator/clickhouse-operator-install-template.yaml" +REPO_URL="https://github.com/Altinity/clickhouse-operator.git" # -# Download the 'altinity/clickhouse-operator' definition and save it as temporary file. -# -# see: https://github.com/Altinity/clickhouse-operator/blob/master/docs/quick_start.md#in-case-you-can-not-run-scripts-from-internet-in-your-protected-environment +# Clone the 'altinity/clickhouse-operator' repo to temp folder. # +git clone --depth 1 --branch ${CLICKHOUSE_OPERATOR_TAG} ${REPO_URL} "${TMP_FOLDER}" + OPERATOR_NAMESPACE="PLACEHOLDER" METRICS_EXPORTER_NAMESPACE="${OPERATOR_NAMESPACE}" # NOTE: we pin to 0.19.0 here which is different to the 0.16.1 manifest version. @@ -35,12 +35,12 @@ METRICS_EXPORTER_NAMESPACE="${OPERATOR_NAMESPACE}" OPERATOR_IMAGE="${OPERATOR_IMAGE:-altinity/clickhouse-operator:0.19.0}" METRICS_EXPORTER_IMAGE="${METRICS_EXPORTER_IMAGE:-altinity/metrics-exporter:latest}" -curl -s "${URL}" | \ - OPERATOR_IMAGE="${OPERATOR_IMAGE}" \ - OPERATOR_NAMESPACE="${OPERATOR_NAMESPACE}" \ - METRICS_EXPORTER_IMAGE="${METRICS_EXPORTER_IMAGE}" \ - METRICS_EXPORTER_NAMESPACE="${METRICS_EXPORTER_NAMESPACE}" \ - envsubst > "$TMP_FOLDER/clickhouse-operator.yaml" +OPERATOR_IMAGE="${OPERATOR_IMAGE}" \ +OPERATOR_NAMESPACE="${OPERATOR_NAMESPACE}" \ +METRICS_EXPORTER_IMAGE="${METRICS_EXPORTER_IMAGE}" \ +METRICS_EXPORTER_NAMESPACE="${METRICS_EXPORTER_NAMESPACE}" \ +MANIFEST_PRINT_RBAC_NAMESPACED=yes \ +"${TMP_FOLDER}/deploy/builder/cat-clickhouse-operator-install-yaml.sh" > "${TMP_FOLDER}/clickhouse-operator.yaml" # # Use 'altinity/clickhouse-operator' definition file we fetched and parsed and slice it
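Review bot: The added `git clone --depth 1 --branch ${CLICKHOUSE_OPERATOR_TAG} ${REPO_URL} "${TMP_FOLDER}"` resolves a tag, which upstream can move, and the second hunk of this file then runs a script out of that checkout, so the sync now executes whatever the tag points at on the maintainer or CI machine (the removed code only piped a downloaded YAML file through envsubst). Recording the expected commit next to the tag and comparing it with `git rev-parse HEAD` before anything from the clone is run would turn a moved tag into a hard failure. The tag and URL expansions are also unquoted, unlike `"${TMP_FOLDER}"` on the same line. The commit id in the sketch below is a placeholder, because the page does not show the one for 0.18.4.

```shell
CLICKHOUSE_OPERATOR_TAG="0.18.4"
# Placeholder: the commit the tag above is expected to resolve to.
CLICKHOUSE_OPERATOR_COMMIT="<EXPECTED_COMMIT_SHA>"
REPO_URL="https://github.com/Altinity/clickhouse-operator.git"

# … unchanged: comment block describing the clone …
git clone --depth 1 --branch "${CLICKHOUSE_OPERATOR_TAG}" -- "${REPO_URL}" "${TMP_FOLDER}"

# Refuse to continue if the tag no longer points at the reviewed commit.
actual_commit="$(git -C "${TMP_FOLDER}" rev-parse HEAD)"
if [ "${actual_commit}" != "${CLICKHOUSE_OPERATOR_COMMIT}" ]; then
  echo "clickhouse-operator tag ${CLICKHOUSE_OPERATOR_TAG} resolved to ${actual_commit}, expected ${CLICKHOUSE_OPERATOR_COMMIT}" >&2
  exit 1
fi
```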
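Review bot: Nothing after the generator call checks that `MANIFEST_PRINT_RBAC_NAMESPACED=yes` took effect, so a later bump of `CLICKHOUSE_OPERATOR_TAG` to a release whose builder script renames or ignores the variable would regenerate cluster-wide RBAC without any error. A guard directly after the redirect would catch that, for example `if grep -Eq '^kind: ClusterRole' "${TMP_FOLDER}/clickhouse-operator.yaml"; then echo "unexpected cluster-scoped RBAC in generated manifest" >&2; exit 1; fi`, assuming `kind:` sits at column 0 in the generated manifest. The variable also deserves a why-comment above the assignment block (a comment cannot sit between the backslash-continued lines), such as `# Emit a namespaced Role/RoleBinding instead of ClusterRole/ClusterRoleBinding.`. The slicing step that consumes the file continues outside the hunk.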