This is an automated email from the ASF dual-hosted git repository.
ethanfeng pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/celeborn.git
The following commit(s) were added to refs/heads/main by this push:
new eaa0726c5 [CELEBORN-1788] Add role and roleBinding helm charts
eaa0726c5 is described below
commit eaa0726c5c5b6f534c0d7f07cbefa1ee64858fe6
Author: zhaohehuhu <[email protected]>
AuthorDate: Mon Dec 23 11:42:16 2024 +0800
[CELEBORN-1788] Add role and roleBinding helm charts
### What changes were proposed in this pull request?
as title
### Why are the changes needed?
Lets the service account control which permissions and resources a pod has
access to.
### Does this PR introduce _any_ user-facing change?
no
### How was this patch tested?
test the template rendering by helm template command line
Closes #3009 from zhaohehuhu/dev-1219.
Authored-by: zhaohehuhu <[email protected]>
Signed-off-by: mingji <[email protected]>
---
charts/celeborn/ci/values.yaml | 9 ++++
charts/celeborn/templates/_helpers.tpl | 22 ++++++++++
charts/celeborn/templates/role.yaml | 27 ++++++++++++
charts/celeborn/templates/rolebinding.yaml | 33 ++++++++++++++
charts/celeborn/tests/role_test.yaml | 59 ++++++++++++++++++++++++++
charts/celeborn/tests/rolebinding_test.yaml | 51 ++++++++++++++++++++++
charts/celeborn/tests/serviceaccount_test.yaml | 43 +++++++++++++++++++
charts/celeborn/values.yaml | 9 ++++
8 files changed, 253 insertions(+)
diff --git a/charts/celeborn/ci/values.yaml b/charts/celeborn/ci/values.yaml
index 81862d4a3..242e1b0c7 100644
--- a/charts/celeborn/ci/values.yaml
+++ b/charts/celeborn/ci/values.yaml
@@ -140,3 +140,12 @@ serviceAccount:
create: false
# -- Specifies the name of the service account
name: default
+
+rbac:
+ create: false
+ roleName: default
+ roleBindingName: default
+ rules:
+ - apiGroups: [""]
+ resources: ["pods"]
+ verbs: ["create", "list", "delete"]
diff --git a/charts/celeborn/templates/_helpers.tpl
b/charts/celeborn/templates/_helpers.tpl
index 770112936..4d26c696e 100644
--- a/charts/celeborn/templates/_helpers.tpl
+++ b/charts/celeborn/templates/_helpers.tpl
@@ -78,6 +78,28 @@ Create the name of the service account to use
{{- end }}
{{- end }}
+{{/*
+Create the name of the role to use
+*/}}
+{{- define "celeborn.roleName" -}}
+{{- if .Values.rbac.create }}
+{{- default (include "celeborn.fullname" .) .Values.rbac.roleName }}
+{{- else }}
+{{- default "default" .Values.rbac.roleName }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create the name of the roleBinding to use
+*/}}
+{{- define "celeborn.roleBindingName" -}}
+{{- if .Values.rbac.create }}
+{{- default (include "celeborn.fullname" .) .Values.rbac.roleBindingName }}
+{{- else }}
+{{- default "default" .Values.rbac.roleBindingName }}
+{{- end }}
+{{- end }}
+
{{/*
Create the name of configmap to use
*/}}
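Review bot: With the shipped `roleName: default` and `roleBindingName: default`, the `default (include "celeborn.fullname" .)` fallback in `celeborn.roleName` and `celeborn.roleBindingName` is never taken, so a stock install renders a Role and a RoleBinding literally named `default`. Two releases in the same namespace would presumably collide on those objects, and the name does not tell an auditor which chart owns the permissions. The `else` branch also looks unreachable from this commit, because role.yaml and rolebinding.yaml are both wrapped in `if .Values.rbac.create`. Either drop it or say in the comment why it exists, for example `Create the name of the role to use; falls back to the release fullname when rbac.roleName is empty`.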
diff --git a/charts/celeborn/templates/role.yaml
b/charts/celeborn/templates/role.yaml
new file mode 100644
index 000000000..0580b8dc9
--- /dev/null
+++ b/charts/celeborn/templates/role.yaml
@@ -0,0 +1,27 @@
+{{- /*
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements. See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/ -}}
+
+{{- if .Values.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ include "celeborn.roleName" . }}
+ labels:
+ {{- include "celeborn.labels" . | nindent 4 }}
+rules: {{- toYaml .Values.rbac.rules | nindent 2 }}
+{{- end }}
+
diff --git a/charts/celeborn/templates/rolebinding.yaml
b/charts/celeborn/templates/rolebinding.yaml
new file mode 100644
index 000000000..ebe344978
--- /dev/null
+++ b/charts/celeborn/templates/rolebinding.yaml
@@ -0,0 +1,33 @@
+{{- /*
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements. See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/ -}}
+
+{{- if .Values.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ include "celeborn.roleBindingName" . }}
+ labels:
+ {{- include "celeborn.labels" . | nindent 4 }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "celeborn.serviceAccountName" . }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ include "celeborn.roleName" . }}
+{{- end }}
+
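Review bot: The `ServiceAccount` subject carries no `namespace`, so the binding relies on it being resolved to the RoleBinding's own namespace. Stating it explicitly with `namespace: {{ .Release.Namespace }}` under the subject's `name:` makes the grant unambiguous to anyone auditing the rendered manifest, and keeps the subject valid if it is ever copied into a cluster-scoped binding. The subject name comes from `celeborn.serviceAccountName`, which is defined outside this hunk, so what it resolves to cannot be confirmed from here.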
diff --git a/charts/celeborn/tests/role_test.yaml
b/charts/celeborn/tests/role_test.yaml
new file mode 100644
index 000000000..7f3651fd4
--- /dev/null
+++ b/charts/celeborn/tests/role_test.yaml
@@ -0,0 +1,59 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+suite: Test Celeborn role
+
+templates:
+ - role.yaml
+
+release:
+ name: celeborn
+
+tests:
+ - it: Should not create role if `rbac.create` is false
+ set:
+ rbac:
+ create: false
+ asserts:
+ - hasDocuments:
+ count: 0
+
+
+ - it: Should create a Role resource with specific rules when rbac.create is
true
+ set:
+ rbac:
+ create: true
+ rbac:
+ rules:
+ - apiGroups: [ "" ]
+ resources: [ "pods" ]
+ verbs: [ "get", "watch", "list" ]
+ asserts:
+ - containsDocument:
+ apiVersion: rbac.authorization.k8s.io/v1
+ kind: Role
+ metadata:
+ name: celeborn-role
+ rules:
+ - apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - get
+ - watch
+ - list
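Review bot: In the second test the `set:` block declares `rbac:` twice, once for `create: true` and once for `rules:`. Most YAML parsers keep only the last duplicate key, so the test probably passes only because the chart default is already `rbac.create: true`; merge them into one `rbac:` mapping. The `containsDocument` assertion also lists `metadata:` and `rules:`, which as far as I know are not fields that assertion compares, so the rendered name and rules go unchecked. The expected `celeborn-role` does not match what `celeborn.roleName` yields for the shipped `roleName: default`. An `equal` assertion such as `path: metadata.name` with `value: default`, plus one on `path: rules`, would pin the behaviour. The same applies to `metadata`, `subjects` and `roleRef` in rolebinding_test.yaml.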
diff --git a/charts/celeborn/tests/rolebinding_test.yaml
b/charts/celeborn/tests/rolebinding_test.yaml
new file mode 100644
index 000000000..42003a8da
--- /dev/null
+++ b/charts/celeborn/tests/rolebinding_test.yaml
@@ -0,0 +1,51 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+suite: Test Celeborn rolebinding
+
+templates:
+ - rolebinding.yaml
+
+release:
+ name: celeborn
+
+tests:
+ - it: Should not create a RoleBinding resource when rbac.create is false
+ set:
+ rbac:
+ create: false
+ asserts:
+ - hasDocuments:
+ count: 0
+
+ - it: Should create a RoleBinding resource when rbac.create is true
+ set:
+ rbac:
+ create: true
+ asserts:
+ - containsDocument:
+ apiVersion: rbac.authorization.k8s.io/v1
+ kind: RoleBinding
+ metadata:
+ name: celeborn-rolebinding
+ subjects:
+ - kind: ServiceAccount
+ name: default
+ roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: celeborn-role
diff --git a/charts/celeborn/tests/serviceaccount_test.yaml
b/charts/celeborn/tests/serviceaccount_test.yaml
new file mode 100644
index 000000000..17d001aa0
--- /dev/null
+++ b/charts/celeborn/tests/serviceaccount_test.yaml
@@ -0,0 +1,43 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+suite: Test Celeborn service account
+
+templates:
+ - serviceaccount.yaml
+
+release:
+ name: celeborn
+
+tests:
+ - it: Should not create service account if `serviceAccount.create` is false
+ set:
+ serviceAccount:
+ create: false
+ asserts:
+ - hasDocuments:
+ count: 0
+
+ - it: Should create service account if `serviceAccount.create` is true
+ set:
+ serviceAccount:
+ create: true
+ asserts:
+ - containsDocument:
+ apiVersion: v1
+ kind: ServiceAccount
+ name: default
diff --git a/charts/celeborn/values.yaml b/charts/celeborn/values.yaml
index fc756a219..8847707be 100644
--- a/charts/celeborn/values.yaml
+++ b/charts/celeborn/values.yaml
@@ -253,3 +253,12 @@ serviceAccount:
create: false
# -- Specifies the name of the service account
name: default
+
+rbac:
+ create: true
+ roleName: default
+ roleBindingName: default
+ rules:
+ - apiGroups: [""]
+ resources: ["pods"]
+ verbs: ["create", "list", "delete"]
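Review bot: `rbac.create: true` here, combined with the existing `serviceAccount.create: false` and `name: default`, means a stock install appears to grant `create`, `list` and `delete` on pods to the namespace's `default` ServiceAccount. Every pod in that namespace that names no service account runs as that identity, so the grant reaches workloads unrelated to Celeborn, and pod `create` is a broad permission within a namespace. Consider shipping `create: false` as ci/values.yaml does, or enabling it only together with a dedicated service account. The new keys also lack the `# --` doc comments the `serviceAccount` block has, e.g. `# -- Specifies whether to create a Role and RoleBinding for the service account`. A comment naming which component needs pod create/delete would let operators trim the verbs.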