From fed70bdeb8438e502dfb9207cea642b7ba52db8d Mon Sep 17 00:00:00 2001
From: Cian Johnston
Date: Wed, 23 Oct 2024 21:11:02 +0100
Subject: [PATCH] fix(helm/coder): set serviceAccount.disableCreate=false by default, add tests (#15197)

* Sets `serviceaccount.disableCreate=false` by default (accidentally changed by #14817)
* Reverts changes made in https://github.com/coder/coder/pull/15196
---
 .github/workflows/ci.yaml | 1 +
 helm/coder/tests/chart_test.go | 4 +
 .../tests/testdata/auto_access_url_1.golden | 15 +-
 .../tests/testdata/auto_access_url_2.golden | 15 +-
 .../tests/testdata/auto_access_url_3.golden | 15 +-
 helm/coder/tests/testdata/command.golden | 15 +-
 helm/coder/tests/testdata/command_args.golden | 15 +-
 .../tests/testdata/default_values.golden | 15 +-
 helm/coder/tests/testdata/env_from.golden | 15 +-
 .../tests/testdata/extra_templates.golden | 15 +-
 .../tests/testdata/labels_annotations.golden | 15 +-
 helm/coder/tests/testdata/prometheus.golden | 15 +-
 .../tests/testdata/provisionerd_psk.golden | 15 +-
 helm/coder/tests/testdata/sa.golden | 16 +-
 helm/coder/tests/testdata/sa_disabled.golden | 177 ++++++++++++++++++
 helm/coder/tests/testdata/sa_disabled.yaml | 5 +
 .../tests/testdata/sa_extra_rules.golden | 15 +-
 helm/coder/tests/testdata/tls.golden | 15 +-
 .../tests/testdata/workspace_proxy.golden | 15 +-
 helm/coder/values.yaml | 2 +-
 20 files changed, 399 insertions(+), 16 deletions(-)
 create mode 100644 helm/coder/tests/testdata/sa_disabled.golden
 create mode 100644 helm/coder/tests/testdata/sa_disabled.yaml

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 77d747466f..fa5164b91c 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -90,6 +90,7 @@ jobs:
 - "coderd/**"
 - "enterprise/**"
 - "examples/*"
+ - "helm/**"
 - "provisioner/**"
 - "provisionerd/**"
 - "provisionersdk/**"
diff --git a/helm/coder/tests/chart_test.go b/helm/coder/tests/chart_test.go
index d9bf4fee0c..c04e075da6 100644
--- a/helm/coder/tests/chart_test.go
+++ b/helm/coder/tests/chart_test.go
@@ -88,6 +88,10 @@ var testCases = []testCase{
 name: "sa_extra_rules",
 expectedError: "",
 },
+ {
+ name: "sa_disabled",
+ expectedError: "",
+ },
 }
 type testCase struct {
diff --git a/helm/coder/tests/testdata/auto_access_url_1.golden b/helm/coder/tests/testdata/auto_access_url_1.golden
index bf11f21dcc..a55a7413fb 100644
--- a/helm/coder/tests/testdata/auto_access_url_1.golden
+++ b/helm/coder/tests/testdata/auto_access_url_1.golden
@@ -1,4 +1,18 @@
 ---
+# Source: coder/templates/coder.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ annotations: {}
+ labels:
+ app.kubernetes.io/instance: release-name
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: coder
+ app.kubernetes.io/part-of: coder
+ app.kubernetes.io/version: 0.1.0
+ helm.sh/chart: coder-0.1.0
+ name: coder
+---
 # Source: coder/templates/rbac.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
@@ -83,7 +97,6 @@ spec:
 app.kubernetes.io/instance: release-name
 ---
 # Source: coder/templates/coder.yaml
----
 apiVersion: apps/v1
 kind: Deployment
 metadata:
diff --git a/helm/coder/tests/testdata/auto_access_url_2.golden b/helm/coder/tests/testdata/auto_access_url_2.golden
index 11f79709ce..c7dd0b3c87 100644
--- a/helm/coder/tests/testdata/auto_access_url_2.golden
+++ b/helm/coder/tests/testdata/auto_access_url_2.golden
@@ -1,4 +1,18 @@
 ---
+# Source: coder/templates/coder.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ annotations: {}
+ labels:
+ app.kubernetes.io/instance: release-name
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: coder
+ app.kubernetes.io/part-of: coder
+ app.kubernetes.io/version: 0.1.0
+ helm.sh/chart: coder-0.1.0
+ name: coder
+---
 # Source: coder/templates/rbac.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
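Review bot: The new `sa_disabled` case pins a golden (sa_disabled.golden, blob 3911c8a134, the same blob the pre-change default_values.golden had) in which the coder.yaml output still contains an empty YAML document — `# Source: coder/templates/coder.yaml` followed directly by `---` — while every other golden touched by this commit removes that separator. Helm and kubectl tolerate an empty document, but if the stray separator is unintended when the ServiceAccount is not rendered, it is better fixed in the template before this golden locks the behaviour in. The `testCases` slice this hunk extends starts outside the hunk.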
@@ -83,7 +97,6 @@ spec: app.kubernetes.io/instance: release-name --- # Source: coder/templates/coder.yaml ---- apiVersion: apps/v1 kind: Deployment metadata: diff --git a/helm/coder/tests/testdata/auto_access_url_3.golden b/helm/coder/tests/testdata/auto_access_url_3.golden index 0c1d88bd50..2a07c1e42f 100644 --- a/helm/coder/tests/testdata/auto_access_url_3.golden +++ b/helm/coder/tests/testdata/auto_access_url_3.golden @@ -1,4 +1,18 @@ --- +# Source: coder/templates/coder.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: {} + labels: + app.kubernetes.io/instance: release-name + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: coder + app.kubernetes.io/part-of: coder + app.kubernetes.io/version: 0.1.0 + helm.sh/chart: coder-0.1.0 + name: coder +--- # Source: coder/templates/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: Role @@ -83,7 +97,6 @@ spec: app.kubernetes.io/instance: release-name --- # Source: coder/templates/coder.yaml ---- apiVersion: apps/v1 kind: Deployment metadata: diff --git a/helm/coder/tests/testdata/command.golden b/helm/coder/tests/testdata/command.golden index e072d91349..9897e34382 100644 --- a/helm/coder/tests/testdata/command.golden +++ b/helm/coder/tests/testdata/command.golden @@ -1,4 +1,18 @@ --- +# Source: coder/templates/coder.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: {} + labels: + app.kubernetes.io/instance: release-name + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: coder + app.kubernetes.io/part-of: coder + app.kubernetes.io/version: 0.1.0 + helm.sh/chart: coder-0.1.0 + name: coder +--- # Source: coder/templates/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: Role @@ -83,7 +97,6 @@ spec: app.kubernetes.io/instance: release-name --- # Source: coder/templates/coder.yaml ---- apiVersion: apps/v1 kind: Deployment metadata: 
diff --git a/helm/coder/tests/testdata/command_args.golden b/helm/coder/tests/testdata/command_args.golden index 0b97f491ec..126127838b 100644 --- a/helm/coder/tests/testdata/command_args.golden +++ b/helm/coder/tests/testdata/command_args.golden @@ -1,4 +1,18 @@ --- +# Source: coder/templates/coder.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: {} + labels: + app.kubernetes.io/instance: release-name + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: coder + app.kubernetes.io/part-of: coder + app.kubernetes.io/version: 0.1.0 + helm.sh/chart: coder-0.1.0 + name: coder +--- # Source: coder/templates/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: Role @@ -83,7 +97,6 @@ spec: app.kubernetes.io/instance: release-name --- # Source: coder/templates/coder.yaml ---- apiVersion: apps/v1 kind: Deployment metadata: diff --git a/helm/coder/tests/testdata/default_values.golden b/helm/coder/tests/testdata/default_values.golden index 3911c8a134..f5d6b2ad2c 100644 --- a/helm/coder/tests/testdata/default_values.golden +++ b/helm/coder/tests/testdata/default_values.golden @@ -1,4 +1,18 @@ --- +# Source: coder/templates/coder.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: {} + labels: + app.kubernetes.io/instance: release-name + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: coder + app.kubernetes.io/part-of: coder + app.kubernetes.io/version: 0.1.0 + helm.sh/chart: coder-0.1.0 + name: coder +--- # Source: coder/templates/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: Role @@ -83,7 +97,6 @@ spec: app.kubernetes.io/instance: release-name --- # Source: coder/templates/coder.yaml ---- apiVersion: apps/v1 kind: Deployment metadata: diff --git a/helm/coder/tests/testdata/env_from.golden b/helm/coder/tests/testdata/env_from.golden index c2d8ea07b4..caef038614 100644 --- a/helm/coder/tests/testdata/env_from.golden +++ b/helm/coder/tests/testdata/env_from.golden 
@@ -1,4 +1,18 @@ --- +# Source: coder/templates/coder.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: {} + labels: + app.kubernetes.io/instance: release-name + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: coder + app.kubernetes.io/part-of: coder + app.kubernetes.io/version: 0.1.0 + helm.sh/chart: coder-0.1.0 + name: coder +--- # Source: coder/templates/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: Role @@ -83,7 +97,6 @@ spec: app.kubernetes.io/instance: release-name --- # Source: coder/templates/coder.yaml ---- apiVersion: apps/v1 kind: Deployment metadata: diff --git a/helm/coder/tests/testdata/extra_templates.golden b/helm/coder/tests/testdata/extra_templates.golden index 53abcde705..437b7ce13d 100644 --- a/helm/coder/tests/testdata/extra_templates.golden +++ b/helm/coder/tests/testdata/extra_templates.golden @@ -1,4 +1,18 @@ --- +# Source: coder/templates/coder.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: {} + labels: + app.kubernetes.io/instance: release-name + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: coder + app.kubernetes.io/part-of: coder + app.kubernetes.io/version: 0.1.0 + helm.sh/chart: coder-0.1.0 + name: coder +--- # Source: coder/templates/extra-templates.yaml apiVersion: v1 kind: ConfigMap @@ -92,7 +106,6 @@ spec: app.kubernetes.io/instance: release-name --- # Source: coder/templates/coder.yaml ---- apiVersion: apps/v1 kind: Deployment metadata: diff --git a/helm/coder/tests/testdata/labels_annotations.golden b/helm/coder/tests/testdata/labels_annotations.golden index 6fbaaae72b..c6598737d2 100644 --- a/helm/coder/tests/testdata/labels_annotations.golden +++ b/helm/coder/tests/testdata/labels_annotations.golden 
@@ -1,4 +1,18 @@ --- +# Source: coder/templates/coder.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: {} + labels: + app.kubernetes.io/instance: release-name + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: coder + app.kubernetes.io/part-of: coder + app.kubernetes.io/version: 0.1.0 + helm.sh/chart: coder-0.1.0 + name: coder +--- # Source: coder/templates/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: Role @@ -83,7 +97,6 @@ spec: app.kubernetes.io/instance: release-name --- # Source: coder/templates/coder.yaml ---- apiVersion: apps/v1 kind: Deployment metadata: diff --git a/helm/coder/tests/testdata/prometheus.golden b/helm/coder/tests/testdata/prometheus.golden index ebe10c9389..a16fcc1a08 100644 --- a/helm/coder/tests/testdata/prometheus.golden +++ b/helm/coder/tests/testdata/prometheus.golden @@ -1,4 +1,18 @@ --- +# Source: coder/templates/coder.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: {} + labels: + app.kubernetes.io/instance: release-name + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: coder + app.kubernetes.io/part-of: coder + app.kubernetes.io/version: 0.1.0 + helm.sh/chart: coder-0.1.0 + name: coder +--- # Source: coder/templates/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: Role @@ -84,7 +98,6 @@ spec: app.kubernetes.io/instance: release-name --- # Source: coder/templates/coder.yaml ---- apiVersion: apps/v1 kind: Deployment metadata: diff --git a/helm/coder/tests/testdata/provisionerd_psk.golden b/helm/coder/tests/testdata/provisionerd_psk.golden index af1726ea8b..93f9e817eb 100644 --- a/helm/coder/tests/testdata/provisionerd_psk.golden +++ b/helm/coder/tests/testdata/provisionerd_psk.golden 
@@ -1,4 +1,18 @@ --- +# Source: coder/templates/coder.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: {} + labels: + app.kubernetes.io/instance: release-name + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: coder + app.kubernetes.io/part-of: coder + app.kubernetes.io/version: 0.1.0 + helm.sh/chart: coder-0.1.0 + name: coder +--- # Source: coder/templates/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: Role @@ -83,7 +97,6 @@ spec: app.kubernetes.io/instance: release-name --- # Source: coder/templates/coder.yaml ---- apiVersion: apps/v1 kind: Deployment metadata: diff --git a/helm/coder/tests/testdata/sa.golden b/helm/coder/tests/testdata/sa.golden index f872c57711..386131531b 100644 --- a/helm/coder/tests/testdata/sa.golden +++ b/helm/coder/tests/testdata/sa.golden @@ -1,4 +1,19 @@ --- +# Source: coder/templates/coder.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: + eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/coder-service-account + labels: + app.kubernetes.io/instance: release-name + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: coder + app.kubernetes.io/part-of: coder + app.kubernetes.io/version: 0.1.0 + helm.sh/chart: coder-0.1.0 + name: coder-service-account +--- # Source: coder/templates/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: Role @@ -83,7 +98,6 @@ spec: app.kubernetes.io/instance: release-name --- # Source: coder/templates/coder.yaml ---- apiVersion: apps/v1 kind: Deployment metadata: diff --git a/helm/coder/tests/testdata/sa_disabled.golden b/helm/coder/tests/testdata/sa_disabled.golden new file mode 100644 index 0000000000..3911c8a134 --- /dev/null +++ b/helm/coder/tests/testdata/sa_disabled.golden 
@@ -0,0 +1,177 @@ +--- +# Source: coder/templates/rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: coder-workspace-perms +rules: + - apiGroups: [""] + resources: ["pods"] + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch + - apiGroups: + - apps + resources: + - deployments + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch +--- +# Source: coder/templates/rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: "coder" +subjects: + - kind: ServiceAccount + name: "coder" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: coder-workspace-perms +--- +# Source: coder/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: coder + labels: + helm.sh/chart: coder-0.1.0 + app.kubernetes.io/name: coder + app.kubernetes.io/instance: release-name + app.kubernetes.io/part-of: coder + app.kubernetes.io/version: "0.1.0" + app.kubernetes.io/managed-by: Helm + annotations: + {} +spec: + type: LoadBalancer + sessionAffinity: None + ports: + - name: "http" + port: 80 + targetPort: "http" + protocol: TCP + + externalTrafficPolicy: "Cluster" + selector: + app.kubernetes.io/name: coder + app.kubernetes.io/instance: release-name +--- +# Source: coder/templates/coder.yaml +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: {} + labels: + app.kubernetes.io/instance: release-name + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: coder + app.kubernetes.io/part-of: coder + app.kubernetes.io/version: 0.1.0 + helm.sh/chart: coder-0.1.0 + name: coder +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/instance: release-name + app.kubernetes.io/name: coder + template: + metadata: + annotations: 
{} + labels: + app.kubernetes.io/instance: release-name + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: coder + app.kubernetes.io/part-of: coder + app.kubernetes.io/version: 0.1.0 + helm.sh/chart: coder-0.1.0 + spec: + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: app.kubernetes.io/instance + operator: In + values: + - coder + topologyKey: kubernetes.io/hostname + weight: 1 + containers: + - args: + - server + command: + - /opt/coder + env: + - name: CODER_HTTP_ADDRESS + value: 0.0.0.0:8080 + - name: CODER_PROMETHEUS_ADDRESS + value: 0.0.0.0:2112 + - name: CODER_ACCESS_URL + value: http://coder.default.svc.cluster.local + - name: KUBE_POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: CODER_DERP_SERVER_RELAY_URL + value: http://$(KUBE_POD_IP):8080 + image: ghcr.io/coder/coder:latest + imagePullPolicy: IfNotPresent + lifecycle: {} + livenessProbe: + httpGet: + path: /healthz + port: http + scheme: HTTP + name: coder + ports: + - containerPort: 8080 + name: http + protocol: TCP + readinessProbe: + httpGet: + path: /healthz + port: http + scheme: HTTP + resources: {} + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: null + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + volumeMounts: [] + restartPolicy: Always + serviceAccountName: coder + terminationGracePeriodSeconds: 60 + volumes: [] diff --git a/helm/coder/tests/testdata/sa_disabled.yaml b/helm/coder/tests/testdata/sa_disabled.yaml new file mode 100644 index 0000000000..cc74e52155 --- /dev/null +++ b/helm/coder/tests/testdata/sa_disabled.yaml @@ -0,0 +1,5 @@ +coder: + image: + tag: latest + serviceAccount: + disableCreate: true diff --git a/helm/coder/tests/testdata/sa_extra_rules.golden b/helm/coder/tests/testdata/sa_extra_rules.golden index 25e4613603..5766f45c6c 100644 
--- a/helm/coder/tests/testdata/sa_extra_rules.golden +++ b/helm/coder/tests/testdata/sa_extra_rules.golden @@ -1,4 +1,18 @@ --- +# Source: coder/templates/coder.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: {} + labels: + app.kubernetes.io/instance: release-name + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: coder + app.kubernetes.io/part-of: coder + app.kubernetes.io/version: 0.1.0 + helm.sh/chart: coder-0.1.0 + name: coder +--- # Source: coder/templates/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: Role @@ -97,7 +111,6 @@ spec: app.kubernetes.io/instance: release-name --- # Source: coder/templates/coder.yaml ---- apiVersion: apps/v1 kind: Deployment metadata: diff --git a/helm/coder/tests/testdata/tls.golden b/helm/coder/tests/testdata/tls.golden index d53b243d3f..33b1a85b9d 100644 --- a/helm/coder/tests/testdata/tls.golden +++ b/helm/coder/tests/testdata/tls.golden @@ -1,4 +1,18 @@ --- +# Source: coder/templates/coder.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: {} + labels: + app.kubernetes.io/instance: release-name + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: coder + app.kubernetes.io/part-of: coder + app.kubernetes.io/version: 0.1.0 + helm.sh/chart: coder-0.1.0 + name: coder +--- # Source: coder/templates/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: Role @@ -88,7 +102,6 @@ spec: app.kubernetes.io/instance: release-name --- # Source: coder/templates/coder.yaml ---- apiVersion: apps/v1 kind: Deployment metadata: diff --git a/helm/coder/tests/testdata/workspace_proxy.golden b/helm/coder/tests/testdata/workspace_proxy.golden index f2494d01a9..4ac30acbad 100644 --- a/helm/coder/tests/testdata/workspace_proxy.golden +++ b/helm/coder/tests/testdata/workspace_proxy.golden 
@@ -1,4 +1,18 @@
 ---
+# Source: coder/templates/coder.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ annotations: {}
+ labels:
+ app.kubernetes.io/instance: release-name
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: coder
+ app.kubernetes.io/part-of: coder
+ app.kubernetes.io/version: 0.1.0
+ helm.sh/chart: coder-0.1.0
+ name: coder
+---
 # Source: coder/templates/rbac.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
@@ -83,7 +97,6 @@ spec:
 app.kubernetes.io/instance: release-name
 ---
 # Source: coder/templates/coder.yaml
----
 apiVersion: apps/v1
 kind: Deployment
 metadata:
diff --git a/helm/coder/values.yaml b/helm/coder/values.yaml
index 1e4ae4dddc..5ecb28e6b9 100644
--- a/helm/coder/values.yaml
+++ b/helm/coder/values.yaml
@@ -114,7 +114,7 @@ coder:
 # coder.serviceAccount.name -- The service account name
 name: coder
 # coder.serviceAccount.name -- Whether to create the service account or use existing service account
- disableCreate: true
+ disableCreate: false
 # coder.securityContext -- Fields related to the container's security
 # context (as opposed to the pod). Some fields are also present in the pod
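Review bot: The helm-docs annotation on the context line directly above the changed value is mislabelled — it reads `# coder.serviceAccount.name -- Whether to create the service account or use existing service account`, reusing the key already used for `name` two lines up, so generated docs attribute this description to the wrong value and never document `disableCreate`; it should read `# coder.serviceAccount.disableCreate -- Set to true to skip creating the service account and use an existing one named by coder.serviceAccount.name`. That comment is also the right place to say that with `disableCreate: true` the RoleBinding in rbac.yaml (visible in the sa_disabled golden) still binds the `coder-workspace-perms` Role — create/delete on pods, PVCs and deployments — to whichever pre-existing account carries that name, so the account must exist before the Deployment starts and is trusted with those permissions. The `coder:` mapping this hunk sits in starts outside the hunk.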