Merge pull request #70 from munnerz/fix-rbac-leaderelection

Automatic merge from submit-queue. Fix leader election with RBAC in tests **What this PR does / why we need it**: **Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes # **Special notes for your reviewer**: **Release note**: ```release-note NONE ```
jetstack · Oct 31, 2017 · 0e2c5a4 · 0e2c5a4
2 parents 17fda44 + 4f0d08b
commit 0e2c5a4
Show file tree

Hide file tree

Showing 4 changed files with 29 additions and 8 deletions.
diff --git a/contrib/charts/navigator/templates/controller.yaml b/contrib/charts/navigator/templates/controller.yaml
@@ -34,7 +34,10 @@ spec:
           image: "{{ .Values.controller.image.repository }}:{{ .Values.controller.image.tag }}"
           args:
           - navigator-controller
-          - --namespace={{ .Values.controller.namespace | quote }}
+{{- if .Values.controller.namespace }}
+          - --namespace={{ .Values.controller.namespace }}
+          - --leader-election-namespace={{ .Values.controller.namespace }}
+{{- end }}
           - --v=100
           imagePullPolicy: {{ .Values.controller.image.pullPolicy }}
           resources:

diff --git a/contrib/charts/navigator/templates/leaderelection-endpoint.yaml b/contrib/charts/navigator/templates/leaderelection-endpoint.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: navigator-controller
+{{- if .Values.controller.namespace }}
+  namespace: {{ .Values.controller.namespace }}
+{{- else }}
+  namespace: kube-system
+{{- end }}
+subsets: []
diff --git a/contrib/charts/navigator/templates/rbac.yaml b/contrib/charts/navigator/templates/rbac.yaml
@@ -84,17 +84,21 @@ items:
   kind: Role
 {{- end }}
   metadata:
-    name: "{{ template "fullname" . }}:controller-elasticsearch"
+    name: "{{ template "fullname" . }}:controller"
   rules:
   - apiGroups: ["navigator.jetstack.io"]
     resources: ["elasticsearchclusters", "pilots"]
-    verbs:     ["get", "list", "watch", "update"]
+    verbs:     ["get", "list", "watch", "update", "create", "delete"]
   - apiGroups: [""]
-    resources: ["services","configmaps","serviceaccounts"]
+    resources: ["services", "configmaps", "serviceaccounts", "pods"]
     verbs:     ["get", "list", "watch", "update", "create", "delete"]
   - apiGroups: ["apps"]
     resources: ["statefulsets"]
     verbs:     ["get", "list", "watch", "update", "create", "delete"]
+  - apiGroups: [""]
+    resources: ["endpoints"]
+    verbs:     ["*"]
+    resourceNames: ["navigator-controller"]
 
 - apiVersion: rbac.authorization.k8s.io/v1beta1
 {{- if not .Values.controller.namespace }}
@@ -103,11 +107,15 @@ items:
   kind: RoleBinding
 {{- end }}
   metadata:
-    name: "{{ template "fullname" . }}:controller-elasticsearch"
+    name: "{{ template "fullname" . }}:controller"
   roleRef:
     apiGroup: rbac.authorization.k8s.io
+{{- if not .Values.controller.namespace }}
     kind: ClusterRole
-    name: "{{ template "fullname" . }}:controller-elasticsearch"
+{{- else }}
+    kind: Role
+{{- end }}
+    name: "{{ template "fullname" . }}:controller"
   subjects:
   - apiGroup: ""
     kind: ServiceAccount

diff --git a/contrib/charts/navigator/values.yaml b/contrib/charts/navigator/values.yaml
@@ -20,8 +20,8 @@ apiserver:
 
 controller:
   ## Optional: namespace to watch for resources in. This can be used when RBAC
-  # restricts you to a single namespace.
-  namespace: default
+  ## restricts you to a single namespace.
+  # namespace: default
   ## Optional: if not set, a service account will be automatically created
   # serviceAccount: "controller-svc-acct"
   image: