Skip to content

Fix teleport-cluster chart service account logic causing ArgoCD deployments to fail #49066

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
hugoShaka merged 2 commits into from
Nov 15, 2024
Merged

Fix teleport-cluster chart service account logic causing ArgoCD deployments to fail #49066

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
1dfc6b2
teleport-cluster: Use separate SA in hooks when possible
hugoShaka Nov 15, 2024
1666c68
test that SAs are not created when hooks are disabled
hugoShaka Nov 15, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
38 changes: 38 additions & 0 deletions examples/chart/teleport-cluster/templates/_helpers.tpl
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,10 +6,48 @@ if serviceAccount is not defined or serviceAccount.name is empty, use .Release.N
{{- coalesce .Values.serviceAccount.name .Release.Name -}}
{{- end -}}

{{/*
Create the name of the service account to use in the auth config check hook.

If the chart is creating service accounts, we know we can create new arbitrary service accounts.
We cannot reuse the same name as the deployment SA because the non-hook sevrice account might
Copy link
Copy Markdown
Contributor

@webvictim webvictim Nov 15, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
We cannot reuse the same name as the deployment SA because the non-hook sevrice account might
We cannot reuse the same name as the deployment SA because the non-hook service account might

not exist yet. We tried being smart with hooks but ArgoCD doesn't differentiate between install
and upgrade, causing various issues on update and eventually forcing us to use a separate SA.

If the chart is not creating service accounts, for backward compatibility we don't want
to force new service account names to existing chart users. We know the SA should already exist,
so we can use the same SA for deployments and hooks.
*/}}
{{- define "teleport-cluster.auth.hookServiceAccountName" -}}
{{- include "teleport-cluster.auth.serviceAccountName" . -}}
{{- if .Values.serviceAccount.create -}}
-hook
{{- end}}
Copy link
Copy Markdown
Contributor

@webvictim webvictim Nov 15, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
{{- end}}
{{- end }}

Just for consistency with all other usage.

{{- end -}}

{{- define "teleport-cluster.proxy.serviceAccountName" -}}
{{- coalesce .Values.serviceAccount.name .Release.Name -}}-proxy
{{- end -}}

{{/*
Create the name of the service account to use in the proxy config check hook.

If the chart is creating service accounts, we know we can create new arbitrary service accounts.
We cannot reuse the same name as the deployment SA because the non-hook sevrice account might
Copy link
Copy Markdown
Contributor

@webvictim webvictim Nov 15, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
We cannot reuse the same name as the deployment SA because the non-hook sevrice account might
We cannot reuse the same name as the deployment SA because the non-hook service account might

not exist yet. We tried being smart with hooks but ArgoCD doesn't differentiate between install
and upgrade, causing various issues on update and eventually forcing us to use a separate SA.

If the chart is not creating service accounts, for backward compatibility we don't want
to force new service account names to existing chart users. We know the SA should already exist,
so we can use the same SA for deployments and hooks.
*/}}
{{- define "teleport-cluster.proxy.hookServiceAccountName" -}}
{{- include "teleport-cluster.proxy.serviceAccountName" . -}}
{{- if .Values.serviceAccount.create -}}
-hook
{{- end}}
Copy link
Copy Markdown
Contributor

@webvictim webvictim Nov 15, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
{{- end}}
{{- end }}

Just for consistency with all other usage.

{{- end -}}

{{- define "teleport-cluster.version" -}}
{{- coalesce .Values.teleportVersionOverride .Chart.Version }}
{{- end -}}
Expand Down
2 changes: 1 addition & 1 deletion examples/chart/teleport-cluster/templates/auth/predeploy_job.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -104,5 +104,5 @@ spec:
{{- if .Values.extraVolumes }}
{{- toYaml .Values.extraVolumes | nindent 6 }}
{{- end }}
serviceAccountName: {{ include "teleport-cluster.auth.serviceAccountName" . }}
serviceAccountName: {{ include "teleport-cluster.auth.hookServiceAccountName" . }}
{{- end }}
8 changes: 4 additions & 4 deletions examples/chart/teleport-cluster/templates/auth/predeploy_serviceaccount.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,22 +2,21 @@
# upon first install of the chart. it will be deleted by Helm after the pre-deploy hooks run, then the
# regular serviceAccount is created with the same name and exists for the lifetime of the release.
{{- $auth := mustMergeOverwrite (mustDeepCopy .Values) .Values.auth -}}
{{- if $auth.validateConfigOnDeploy }}
{{- $projectedServiceAccountToken := semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }}
{{- if $auth.serviceAccount.create }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "teleport-cluster.auth.serviceAccountName" . }}
name: {{ template "teleport-cluster.auth.hookServiceAccountName" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "teleport-cluster.auth.labels" . | nindent 4 }}
{{- if $auth.extraLabels.serviceAccount }}
{{- toYaml $auth.extraLabels.serviceAccount | nindent 4 }}
{{- end }}
annotations:
# this ServiceAccount resource MUST only be hooked on pre-install, as it would conflict
# with the existing ServiceAccount if hooked on pre-upgrade.
"helm.sh/hook": pre-install
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-weight": "3"
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
{{- if or $auth.annotations.serviceAccount $auth.azure.clientID }}
Expand All @@ -32,3 +31,4 @@ metadata:
automountServiceAccountToken: false
{{- end }}
{{- end }}
{{- end }}
2 changes: 1 addition & 1 deletion examples/chart/teleport-cluster/templates/proxy/predeploy_job.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -100,5 +100,5 @@ spec:
{{- if $proxy.extraVolumes }}
{{- toYaml $proxy.extraVolumes | nindent 6 }}
{{- end }}
serviceAccountName: {{ include "teleport-cluster.proxy.serviceAccountName" . }}
serviceAccountName: {{ include "teleport-cluster.proxy.hookServiceAccountName" . }}
{{- end }}
8 changes: 4 additions & 4 deletions examples/chart/teleport-cluster/templates/proxy/predeploy_serviceaccount.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,21 +3,20 @@
# regular serviceAccount is created with the same name and exists for the lifetime of the release.
{{- $proxy := mustMergeOverwrite (mustDeepCopy .Values) .Values.proxy -}}
{{- $projectedServiceAccountToken := semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }}
{{- if $proxy.validateConfigOnDeploy }}
{{- if $proxy.serviceAccount.create }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "teleport-cluster.proxy.serviceAccountName" . }}
name: {{ include "teleport-cluster.proxy.hookServiceAccountName" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "teleport-cluster.proxy.labels" . | nindent 4 }}
{{- if $proxy.extraLabels.serviceAccount }}
{{- toYaml $proxy.extraLabels.serviceAccount | nindent 4 }}
{{- end }}
annotations:
# this ServiceAccount resource MUST only be hooked on pre-install, as it would conflict
# with the existing ServiceAccount if hooked on pre-upgrade.
"helm.sh/hook": pre-install
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-weight": "3"
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
{{- if $proxy.annotations.serviceAccount }}
Expand All @@ -27,3 +26,4 @@ metadata:
automountServiceAccountToken: false
{{- end }}
{{- end }}
{{- end }}
39 changes: 33 additions & 6 deletions examples/chart/teleport-cluster/tests/predeploy_test.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,8 +2,10 @@ suite: Pre-Deploy Config Test Hooks
templates:
- auth/predeploy_job.yaml
- auth/predeploy_config.yaml
- auth/predeploy_serviceaccount.yaml
- proxy/predeploy_job.yaml
- proxy/predeploy_config.yaml
- proxy/predeploy_serviceaccount.yaml
tests:
- it: Deploys the auth-test config
template: auth/predeploy_config.yaml
Expand Down Expand Up @@ -53,6 +55,7 @@ tests:
asserts:
- hasDocuments:
count: 0

- it: should set resources on auth predeploy job when set in values
template: auth/predeploy_job.yaml
values:
Expand Down Expand Up @@ -189,41 +192,65 @@ tests:
path: metadata.labels.baz
value: overridden

- it: should use default serviceAccount name for auth predeploy job SA when not set in values
- it: should use default serviceAccount name suffixed with -hook for auth predeploy job SA when not set in values and we're creating SAs
template: auth/predeploy_job.yaml
set:
clusterName: helm-lint
asserts:
- equal:
path: spec.template.spec.serviceAccountName
value: RELEASE-NAME-hook

- it: should use serviceAccount.name suffixed with -hook for auth predeploy job SA when set in values and we're creating SAs
template: auth/predeploy_job.yaml
set:
clusterName: helm-lint
serviceAccount:
name: helm-test-sa
asserts:
- equal:
path: spec.template.spec.serviceAccountName
value: RELEASE-NAME
value: helm-test-sa-hook

- it: should use serviceAccount.name for auth predeploy job SA when set in values
- it: should use serviceAccount.name for auth predeploy job SA when set in values and we're not cretaing SAs
Copy link
Copy Markdown
Contributor

@webvictim webvictim Nov 15, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
- it: should use serviceAccount.name for auth predeploy job SA when set in values and we're not cretaing SAs
- it: should use serviceAccount.name for auth predeploy job SA when set in values and we're not creating SAs

template: auth/predeploy_job.yaml
set:
clusterName: helm-lint
serviceAccount:
name: helm-test-sa
create: false
asserts:
- equal:
path: spec.template.spec.serviceAccountName
value: helm-test-sa

- it: should use default serviceAccount name for proxy predeploy job SA when not set in values
- it: should use default serviceAccount name suffixed with -hook for proxy predeploy job SA when not set in values and we're creating SAs
template: proxy/predeploy_job.yaml
set:
clusterName: helm-lint
asserts:
- equal:
path: spec.template.spec.serviceAccountName
value: RELEASE-NAME-proxy
value: RELEASE-NAME-proxy-hook

- it: should use serviceAccount.name suffixed with -hook for proxy predeploy job SA when set in values and we're creating SAs
template: proxy/predeploy_job.yaml
set:
clusterName: helm-lint
serviceAccount:
name: helm-test-sa
asserts:
- equal:
path: spec.template.spec.serviceAccountName
value: helm-test-sa-proxy-hook

- it: should use serviceAccount.name for proxy predeploy job SA when set in values
- it: should use serviceAccount.name for proxy predeploy job SA when set in values and we're not cretaing SAs
Copy link
Copy Markdown
Contributor

@webvictim webvictim Nov 15, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
- it: should use serviceAccount.name for proxy predeploy job SA when set in values and we're not cretaing SAs
- it: should use serviceAccount.name for proxy predeploy job SA when set in values and we're not creating SAs

template: proxy/predeploy_job.yaml
set:
clusterName: helm-lint
serviceAccount:
name: helm-test-sa
create: false
asserts:
- equal:
path: spec.template.spec.serviceAccountName
Expand Down