Generate unique names for ClusterRoles and CRBindings (#371)

To avoid conflicts between multiple admin deployments, generate unique names for ClusterRole and ClusterRoleBinding by prepending the namespace and helm release name.
nuodb · Aug 15, 2024 · ccbb4af · ccbb4af
1 parent 1660991
commit ccbb4af
Show file tree

Hide file tree

Showing 4 changed files with 73 additions and 33 deletions.
diff --git a/stable/admin/templates/_helpers.tpl b/stable/admin/templates/_helpers.tpl
@@ -526,3 +526,16 @@ trusted-certificate" command which doesn't require AP restart.
 checksum/tls-passwords: {{ sha256sum $passwords }}
 {{- end }}
 {{- end -}}
+
+{{/*
+Create a cluster unique app name.
+*/}}
+{{- define "admin.fullclustername" -}}
+{{- $name := include "admin.fullname" . -}}
+{{- $ns := default .Release.Namespace .Values.admin.namespace | trunc 50 | trimSuffix "-" -}}
+{{- if contains $name $ns -}}
+  {{- printf "%s" $name -}}
+{{- else -}}
+  {{- printf "%s-%s" $name $ns -}}
+{{- end -}}
+{{- end -}}
diff --git a/stable/admin/templates/role.yaml b/stable/admin/templates/role.yaml
@@ -34,11 +34,13 @@ rules:
   - create
   - update
 {{- if eq (include "defaulttrue" .Values.nuodb.addClusterRoleBinding) "true" }}
+{{- $namespace := default .Release.Namespace .Values.admin.namespace  | trunc 50 | trimSuffix "-" -}}
+{{- $adminName := include "admin.fullname" . }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: nuodb-kube-inspector
+  name: {{ include "admin.fullclustername" . }}-kube-inspector
 rules:
 - apiGroups:
   - ""

diff --git a/stable/admin/templates/rolebinding.yaml b/stable/admin/templates/rolebinding.yaml
@@ -11,14 +11,16 @@ subjects:
 - kind: ServiceAccount
   name: {{ default "nuodb" .Values.nuodb.serviceAccount }}
 {{- if eq (include "defaulttrue" .Values.nuodb.addClusterRoleBinding) "true" }}
+{{- $namespace := default .Release.Namespace .Values.admin.namespace | trunc 50 | trimSuffix "-" -}}
+{{- $adminName := include "admin.fullname" . }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: nuodb-kube-inspector
+  name: {{ include "admin.fullclustername" . }}-kube-inspector
 roleRef:
   kind: ClusterRole
-  name: nuodb-kube-inspector
+  name: {{ include "admin.fullclustername" . }}-kube-inspector
   apiGroup: rbac.authorization.k8s.io
 subjects:
 - kind: ServiceAccount

diff --git a/test/integration/template_admin_test.go b/test/integration/template_admin_test.go
@@ -15,6 +15,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
 	"github.com/gruntwork-io/terratest/modules/helm"
+	"github.com/gruntwork-io/terratest/modules/k8s"
 
 	"github.com/nuodb/nuodb-helm-charts/v3/test/testlib"
 )
@@ -1560,40 +1561,62 @@ func TestClusterRole(t *testing.T) {
 	helmChartPath := testlib.ADMIN_HELM_CHART_PATH
 
 	t.Run("testEnabled", func(t *testing.T) {
-		output := helm.RenderTemplate(t, &helm.Options{}, helmChartPath,
-			"release-name", []string{"templates/role.yaml", "templates/rolebinding.yaml"})
-
-		// Verify that nuodb-kube-inspector ClusterRole is created
-		for _, obj := range testlib.SplitAndRenderClusterRole(t, output, 1) {
-			assert.Equal(t, "nuodb-kube-inspector", obj.Name)
-
-			for _, rule := range obj.Rules {
-				isNode := false
-				for _, resource := range rule.Resources {
-					if resource == "nodes" {
-						isNode = true
-						break
+		options := []*helm.Options{
+			{
+				SetValues: map[string]string{
+					"admin.fullnameOverride": "full-name",
+				},
+				KubectlOptions: &k8s.KubectlOptions{
+					Namespace: "ns-name",
+				},
+			},
+			// Override namespace name
+			{
+				SetValues: map[string]string{
+					"admin.fullnameOverride": "full-name",
+					"admin.namespace":        "ns-name",
+				},
+				KubectlOptions: &k8s.KubectlOptions{
+					Namespace: "default",
+				},
+			},
+		}
+		for _, option := range options {
+			output := helm.RenderTemplate(t, option, helmChartPath,
+				"release-name", []string{"templates/role.yaml", "templates/rolebinding.yaml"})
+
+			// Verify that nuodb-kube-inspector ClusterRole is created
+			for _, obj := range testlib.SplitAndRenderClusterRole(t, output, 1) {
+				assert.Equal(t, "full-name-ns-name-kube-inspector", obj.Name)
+
+				for _, rule := range obj.Rules {
+					isNode := false
+					for _, resource := range rule.Resources {
+						if resource == "nodes" {
+							isNode = true
+							break
+						}
+					}
+					if !isNode {
+						continue
 					}
-				}
-				if !isNode {
-					continue
-				}
 
-				assert.Contains(t, rule.Verbs, "get")
+					assert.Contains(t, rule.Verbs, "get")
+				}
 			}
-		}
 
-		// Verify that nuodb-kube-inspector ClusterRoleBinding is created
-		for _, obj := range testlib.SplitAndRenderClusterClusterRoleBinding(t, output, 1) {
-			assert.Equal(t, "nuodb-kube-inspector", obj.Name)
-			// Verify that it is binding to the correct role
-			assert.Equal(t, "ClusterRole", obj.RoleRef.Kind)
-			assert.Equal(t, "nuodb-kube-inspector", obj.RoleRef.Name)
-			// Verify that it is binding to the correct user
-			subjects := obj.Subjects
-			assert.Equal(t, 1, len(subjects))
-			assert.Equal(t, "ServiceAccount", subjects[0].Kind)
-			assert.Equal(t, "nuodb", subjects[0].Name)
+			// Verify that nuodb-kube-inspector ClusterRoleBinding is created
+			for _, obj := range testlib.SplitAndRenderClusterClusterRoleBinding(t, output, 1) {
+				assert.Equal(t, "full-name-ns-name-kube-inspector", obj.Name)
+				// Verify that it is binding to the correct role
+				assert.Equal(t, "ClusterRole", obj.RoleRef.Kind)
+				assert.Equal(t, "full-name-ns-name-kube-inspector", obj.RoleRef.Name)
+				// Verify that it is binding to the correct user
+				subjects := obj.Subjects
+				assert.Equal(t, 1, len(subjects))
+				assert.Equal(t, "ServiceAccount", subjects[0].Kind)
+				assert.Equal(t, "nuodb", subjects[0].Name)
+			}
 		}
 	})