From 234773cab28e258d6067e8acad451be0ab9daef5 Mon Sep 17 00:00:00 2001 From: Jort Koopmans Date: Fri, 30 Aug 2024 18:27:16 +0200 Subject: [PATCH 1/2] Sync namespace for Event to the Application namespace (#847) Signed-off-by: Jort Koopmans --- pkg/kube/kubernetes.go | 6 +++--- pkg/kube/kubernetes_test.go | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/pkg/kube/kubernetes.go b/pkg/kube/kubernetes.go index 3ec66cfd..11583314 100644 --- a/pkg/kube/kubernetes.go +++ b/pkg/kube/kubernetes.go @@ -96,14 +96,14 @@ func (client *KubernetesClient) GetSecretField(namespace string, secretName stri } } -// CreateApplicationevent creates a kubernetes event with a custom reason and message for an application. +// CreateApplicationEvent creates a kubernetes event with a custom reason and message for an application. func (client *KubernetesClient) CreateApplicationEvent(app *appv1alpha1.Application, reason string, message string, annotations map[string]string) (*v1.Event, error) { t := metav1.Time{Time: time.Now()} event := v1.Event{ ObjectMeta: metav1.ObjectMeta{ Name: fmt.Sprintf("%v.%x", app.ObjectMeta.Name, t.UnixNano()), - Namespace: client.Namespace, + Namespace: app.ObjectMeta.Namespace, Annotations: annotations, }, Source: v1.EventSource{ @@ -125,7 +125,7 @@ func (client *KubernetesClient) CreateApplicationEvent(app *appv1alpha1.Applicat Reason: reason, } - result, err := client.Clientset.CoreV1().Events(client.Namespace).Create(client.Context, &event, metav1.CreateOptions{}) + result, err := client.Clientset.CoreV1().Events(app.ObjectMeta.Namespace).Create(client.Context, &event, metav1.CreateOptions{}) if err != nil { return nil, err } diff --git a/pkg/kube/kubernetes_test.go b/pkg/kube/kubernetes_test.go index 56ca6204..35d69223 100644 --- a/pkg/kube/kubernetes_test.go +++ b/pkg/kube/kubernetes_test.go 
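Review bot: Both `Namespace: app.ObjectMeta.Namespace` in the first hunk and `Events(app.ObjectMeta.Namespace)` in the second use the Application's namespace with no fallback, so an Application whose namespace field is empty (presumably only one constructed in code or tests) would likely send the create request without a namespace. Resolving the value once keeps the two places in step: `ns := app.ObjectMeta.Namespace`, `if ns == "" { ns = client.Namespace }`, then `Namespace: ns` and `Events(ns)`. The doc comment could also state the new contract, for example `// The event is created in the application's namespace, so the service account needs create permission on events there.` The function body starts inside the first hunk and continues past the end of the second.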
@@ -93,6 +93,6 @@ func Test_CreateApplicationEvent(t *testing.T) { require.NoError(t, err) require.NotNil(t, event) assert.Equal(t, "ArgocdImageUpdater", event.Source.Component) - assert.Equal(t, "default", client.Namespace) + assert.Equal(t, "argocd", event.Namespace) }) } From d0c33006ccd34dfbdd22e3c38d2befbd2462d45b Mon Sep 17 00:00:00 2001 From: Jort Koopmans Date: Mon, 2 Sep 2024 08:41:31 +0200 Subject: [PATCH 2/2] Grant Event creation permission clusterwide (instead of install namespace) Signed-off-by: Jort Koopmans --- .../argocd-image-updater-clusterrole.yaml | 15 +++++++++++ ...gocd-image-updater-clusterrolebinding.yaml | 15 +++++++++++ .../base/rbac/argocd-image-updater-role.yaml | 7 ----- manifests/base/rbac/kustomization.yaml | 2 ++ manifests/install.yaml | 26 +++++++++++++++++++ 5 files changed, 58 insertions(+), 7 deletions(-) create mode 100644 manifests/base/rbac/argocd-image-updater-clusterrole.yaml create mode 100644 manifests/base/rbac/argocd-image-updater-clusterrolebinding.yaml diff --git a/manifests/base/rbac/argocd-image-updater-clusterrole.yaml b/manifests/base/rbac/argocd-image-updater-clusterrole.yaml new file mode 100644 index 00000000..fb4bc82d --- /dev/null +++ b/manifests/base/rbac/argocd-image-updater-clusterrole.yaml @@ -0,0 +1,15 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/name: argocd-image-updater + app.kubernetes.io/part-of: argocd-image-updater + app.kubernetes.io/component: controller + name: argocd-image-updater +rules: + - apiGroups: + - "" + resources: + - events + verbs: + - create diff --git a/manifests/base/rbac/argocd-image-updater-clusterrolebinding.yaml b/manifests/base/rbac/argocd-image-updater-clusterrolebinding.yaml new file mode 100644 index 00000000..f7187102 --- /dev/null +++ b/manifests/base/rbac/argocd-image-updater-clusterrolebinding.yaml 
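Review bot: The `events` / `create` rule in this new ClusterRole, once bound by the ClusterRoleBinding added in the same patch, lets the controller's service account create Event objects in every namespace, including ones that host no Application. That is wider than patch 1/2 needs, since the Go change only writes to the Application's own namespace. A comment above `rules:` would record the trade-off, for example `# Cluster-wide because Applications may live in any namespace; use a per-namespace Role and RoleBinding to restrict this.` Installations that keep Applications in a known set of namespaces could bind a namespaced Role in each of them instead, which keeps the grant least-privilege.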
@@ -0,0 +1,15 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/name: argocd-image-updater + app.kubernetes.io/part-of: argocd-image-updater + app.kubernetes.io/component: controller + name: argocd-image-updater +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: argocd-image-updater +subjects: + - kind: ServiceAccount + name: argocd-image-updater diff --git a/manifests/base/rbac/argocd-image-updater-role.yaml b/manifests/base/rbac/argocd-image-updater-role.yaml index 60266f25..aa7cd020 100644 --- a/manifests/base/rbac/argocd-image-updater-role.yaml +++ b/manifests/base/rbac/argocd-image-updater-role.yaml @@ -25,10 +25,3 @@ rules: - list - update - patch - - apiGroups: - - "" - resources: - - events - verbs: - - create - diff --git a/manifests/base/rbac/kustomization.yaml b/manifests/base/rbac/kustomization.yaml index 882fcc1e..266ee1c3 100644 --- a/manifests/base/rbac/kustomization.yaml +++ b/manifests/base/rbac/kustomization.yaml @@ -2,6 +2,8 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: + - argocd-image-updater-clusterrole.yaml + - argocd-image-updater-clusterrolebinding.yaml - argocd-image-updater-role.yaml - argocd-image-updater-rolebinding.yaml - argocd-image-updater-sa.yaml diff --git a/manifests/install.yaml b/manifests/install.yaml index 39282cb3..a3ed4796 100644 --- a/manifests/install.yaml +++ b/manifests/install.yaml @@ -34,6 +34,16 @@ rules: - list - update - patch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/name: argocd-image-updater + app.kubernetes.io/part-of: argocd-image-updater + name: argocd-image-updater +rules: - apiGroups: - "" resources: 
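Review bot: The `ServiceAccount` subject under `subjects:` has no `namespace`, and as far as I know the API server requires that field for service-account subjects of a ClusterRoleBinding; only a RoleBinding can fall back to its own namespace. The base is probably fine when built through a kustomization that sets `namespace:`, but the rendered copy in the second `manifests/install.yaml` hunk carries the same subject without one, so applying that file directly would likely be rejected or leave the grant unbound. Adding `namespace: <install-namespace>` (placeholder) under the subject's `name:` and regenerating install.yaml makes it explicit which service account receives the cluster-wide permission.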
@@ -57,6 +67,22 @@ subjects: - kind: ServiceAccount name: argocd-image-updater --- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/name: argocd-image-updater + app.kubernetes.io/part-of: argocd-image-updater + name: argocd-image-updater +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: argocd-image-updater +subjects: +- kind: ServiceAccount + name: argocd-image-updater +--- apiVersion: v1 kind: ConfigMap metadata: