diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index 808417e2..039c61a8 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -128,8 +128,13 @@ jobs: include: - k3s-channel: v1.20 upgrade-from: "0.9.0" + dask-namespace: "default" - k3s-channel: stable + dask-namespace: "default" + - k3s-channel: stable + dask-namespace: "additional" - k3s-channel: latest + dask-namespace: "default" steps: - uses: actions/checkout@v3 @@ -172,6 +177,10 @@ jobs: --include-crds \ --values=resources/helm/testing/chart-install-values.yaml + - if: matrix.dask-namespace == 'additional' + run: | + kubectl create namespace additional + - name: helm install previous version ${{ matrix.upgrade-from }} if: matrix.upgrade-from != '' run: | @@ -209,6 +218,7 @@ jobs: resources/helm/dask-gateway \ --install \ --values=resources/helm/testing/chart-install-values.yaml \ + --set gateway.backend.namespace=${{ matrix.dask-namespace }} \ --wait \ --timeout 1m0s diff --git a/resources/helm/dask-gateway/templates/controller/rbac.yaml b/resources/helm/dask-gateway/templates/controller/rbac.yaml index ccb6ae84..a729f96b 100644 --- a/resources/helm/dask-gateway/templates/controller/rbac.yaml +++ b/resources/helm/dask-gateway/templates/controller/rbac.yaml @@ -1,6 +1,7 @@ {{- if .Values.controller.enabled -}} {{- if .Values.rbac.enabled -}} {{- if not .Values.rbac.controller.serviceAccountName -}} +{{- $multiNamespace := default false (and .Values.gateway.backend.namespace (ne .Release.Namespace .Values.gateway.backend.namespace)) }} apiVersion: v1 kind: ServiceAccount metadata: 
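Review bot: Nothing visible in these workflow hunks asserts the permission scope that the two `dask-namespace` values are meant to produce, so a chart regression that leaves the controller with cluster-wide write verbs in the `default` case would still pass. A step after the chart install in the hunk at -209,6 could run `kubectl auth can-i create secrets --namespace kube-system --as system:serviceaccount:<release-namespace>:<controller-service-account>` and fail unless the answer is `no` when `matrix.dask-namespace == 'default'`; both bracketed values are placeholders. The new `kubectl create namespace additional` step also has no `name:`, unlike the `helm install previous version` step that follows it.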
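Review bot: The `$multiNamespace` expression added at the top of controller/rbac.yaml is repeated verbatim in gateway/rbac.yaml, traefik/deployment.yaml and traefik/rbac.yaml, and together the copies decide both how wide the RBAC grants are and whether Traefik is restricted to the release namespace. If one copy drifts, the proxy's watch scope and the roles stop agreeing without any render error. Defining it once as a named template in the chart's helpers file and testing `{{- if eq (include "dask-gateway.multiNamespace" .) "true" }}` in each template would keep them in step; the helper name is a suggestion, not an existing template.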
@@ -14,6 +15,49 @@ metadata: name: {{ include "dask-gateway.controllerName" . }} labels: {{- include "dask-gateway.labels" . | nindent 4 }} +rules: + - apiGroups: ["gateway.dask.org"] + resources: ["daskclusters", "daskclusters/status"] + verbs: {{ ternary "[\"*\"]" "[\"get\", \"list\", \"watch\"]" $multiNamespace }} + - apiGroups: [""] + resources: ["pods"] + verbs: ["get", "list", "watch" {{- if $multiNamespace }}, "create", "delete"{{ end -}} ] + - apiGroups: [""] + resources: ["endpoints"] + verbs: ["get", "list", "watch"] +{{- if $multiNamespace }} + - apiGroups: [""] + resources: ["secrets", "services"] + verbs: ["create", "delete"] + - apiGroups: ["traefik.containo.us"] + resources: ["ingressroutes", "ingressroutetcps"] + verbs: ["get", "create", "delete"] +{{- end }} +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ include "dask-gateway.controllerName" . }} + labels: + {{- include "dask-gateway.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ include "dask-gateway.controllerName" . }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: {{ include "dask-gateway.controllerName" . }} + apiGroup: rbac.authorization.k8s.io + +--- +{{- if not $multiNamespace }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "dask-gateway.controllerName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "dask-gateway.labels" . | nindent 4 }} rules: - apiGroups: ["gateway.dask.org"] resources: ["daskclusters", "daskclusters/status"] @@ -31,10 +75,11 @@ rules: resources: ["secrets", "services"] verbs: ["create", "delete"] --- -kind: ClusterRoleBinding +kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: {{ include "dask-gateway.controllerName" . }} + namespace: {{ .Release.Namespace }} labels: {{- include "dask-gateway.labels" . | nindent 4 }} subjects: 
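Review bot: With `$multiNamespace` true, the ClusterRole and its ClusterRoleBinding give the controller `create`/`delete` on pods, secrets and services, and `*` on daskclusters, in every namespace, while the only additional namespace the values name is `gateway.backend.namespace`. If the controller only writes cluster resources there (an assumption to confirm against the controller code), the ClusterRole can stay read-only in both modes and the write verbs can move to a Role and RoleBinding created in that namespace, as sketched below. The same pattern applies to gateway/rbac.yaml, where the multi-namespace ClusterRole keeps `get` on secrets cluster-wide. The rule list of the single-namespace Role continues outside this hunk, so its full grant cannot be compared from here.

```yaml
# … unchanged: ClusterRole limited to get/list/watch, and its ClusterRoleBinding …
{{- if $multiNamespace }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ include "dask-gateway.controllerName" . }}
  namespace: {{ .Values.gateway.backend.namespace }}
  labels:
    {{- include "dask-gateway.labels" . | nindent 4 }}
rules:
  - apiGroups: ["gateway.dask.org"]
    resources: ["daskclusters", "daskclusters/status"]
    verbs: ["*"]
  - apiGroups: [""]
    resources: ["pods", "secrets", "services"]
    verbs: ["create", "delete"]
  - apiGroups: ["traefik.containo.us"]
    resources: ["ingressroutes", "ingressroutetcps"]
    verbs: ["get", "create", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {{ include "dask-gateway.controllerName" . }}
  namespace: {{ .Values.gateway.backend.namespace }}
  labels:
    {{- include "dask-gateway.labels" . | nindent 4 }}
subjects:
  - kind: ServiceAccount
    name: {{ include "dask-gateway.controllerName" . }}
    namespace: {{ .Release.Namespace }}
roleRef:
  kind: Role
  name: {{ include "dask-gateway.controllerName" . }}
  apiGroup: rbac.authorization.k8s.io
{{- end }}
# … unchanged: single-namespace Role and RoleBinding under `if not $multiNamespace` …
```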
@@ -42,9 +87,11 @@ subjects: name: {{ include "dask-gateway.controllerName" . }} namespace: {{ .Release.Namespace }} roleRef: - kind: ClusterRole + kind: Role name: {{ include "dask-gateway.controllerName" . }} apiGroup: rbac.authorization.k8s.io + +{{- end }} {{- end }} {{- end }} {{- end }} diff --git a/resources/helm/dask-gateway/templates/gateway/rbac.yaml b/resources/helm/dask-gateway/templates/gateway/rbac.yaml index 2cda2c40..41eec5c8 100644 --- a/resources/helm/dask-gateway/templates/gateway/rbac.yaml +++ b/resources/helm/dask-gateway/templates/gateway/rbac.yaml @@ -1,5 +1,6 @@ {{- if .Values.rbac.enabled -}} {{- if not .Values.rbac.gateway.serviceAccountName -}} +{{- $multiNamespace := default false (and .Values.gateway.backend.namespace (ne .Release.Namespace .Values.gateway.backend.namespace)) }} apiVersion: v1 kind: ServiceAccount metadata: @@ -14,12 +15,14 @@ metadata: labels: {{- include "dask-gateway.labels" . | nindent 4 }} rules: +{{- if $multiNamespace }} - apiGroups: [""] resources: ["secrets"] verbs: ["get"] +{{- end }} - apiGroups: ["gateway.dask.org"] resources: ["daskclusters"] - verbs: ["*"] + verbs: {{ ternary "[\"*\"]" "[\"get\", \"list\", \"watch\"]" $multiNamespace }} --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 
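Review bot: The `verbs:` value in the gateway ClusterRole is built from a string with escaped quotes (`ternary "[\"*\"]" ...`), which is harder to audit than the literal lists used in the neighbouring rules and makes it easy to miss that the wide branch is `*`. An `if`/`else` around two literal lines, `verbs: ["*"]` and `verbs: ["get", "list", "watch"]`, renders the same output and keeps the grants greppable. The same construct appears in controller/rbac.yaml. If the gateway does not need every verb on daskclusters, listing the verbs explicitly instead of `*` would narrow the grant further; that cannot be judged from this hunk.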
@@ -35,5 +38,35 @@ roleRef: kind: ClusterRole name: {{ include "dask-gateway.apiName" . }} apiGroup: rbac.authorization.k8s.io + +{{- if not $multiNamespace }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "dask-gateway.apiName" . }} + namespace: {{ .Release.Namespace }} +rules: + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get"] + - apiGroups: ["gateway.dask.org"] + resources: ["daskclusters"] + verbs: ["*"] +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ include "dask-gateway.apiName" . }} + namespace: {{ .Release.Namespace }} +subjects: + - kind: ServiceAccount + name: {{ include "dask-gateway.apiName" . }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: Role + name: {{ include "dask-gateway.apiName" . }} + apiGroup: rbac.authorization.k8s.io +{{- end }} {{- end }} {{- end }} diff --git a/resources/helm/dask-gateway/templates/traefik/deployment.yaml b/resources/helm/dask-gateway/templates/traefik/deployment.yaml index 378ee3f4..07874030 100644 --- a/resources/helm/dask-gateway/templates/traefik/deployment.yaml +++ b/resources/helm/dask-gateway/templates/traefik/deployment.yaml @@ -1,3 +1,4 @@ +{{- $multiNamespace := default false (and .Values.gateway.backend.namespace (ne .Release.Namespace .Values.gateway.backend.namespace)) }} apiVersion: apps/v1 kind: Deployment metadata: @@ -61,6 +62,9 @@ spec: - "--api.dashboard=true" - "--api.insecure=true" {{- end }} + {{- if not $multiNamespace }} + - "--providers.kubernetescrd.namespaces={{ .Release.Namespace }}" + {{- end }} {{- range .Values.traefik.additionalArguments }} - {{ . | quote }} {{- end }} diff --git a/resources/helm/dask-gateway/templates/traefik/rbac.yaml b/resources/helm/dask-gateway/templates/traefik/rbac.yaml index 3e3e029f..f89d53c9 100644 --- a/resources/helm/dask-gateway/templates/traefik/rbac.yaml +++ b/resources/helm/dask-gateway/templates/traefik/rbac.yaml 
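Review bot: The Role and RoleBinding added to gateway/rbac.yaml carry no `labels:`, while the ClusterRole in the same file and the controller Role added in this commit both include the chart labels. Adding `labels:` with `{{- include "dask-gateway.labels" . | nindent 4 }}` under each `metadata:` keeps every RBAC object of the release selectable by the same label query, which helps when auditing or cleaning up grants.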
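Review bot: When `$multiNamespace` is true no `--providers.kubernetescrd.namespaces` argument is rendered in traefik/deployment.yaml, so Traefik falls back to watching IngressRoute resources in every namespace, and any principal able to create one anywhere in the cluster can add routes to this proxy. Listing the two namespaces involved keeps the watch bounded: `- "--providers.kubernetescrd.namespaces={{ .Release.Namespace }},{{ .Values.gateway.backend.namespace }}"`. That would need the Traefik RBAC in traefik/rbac.yaml to grant access in both namespaces instead of cluster-wide. Entries in `traefik.additionalArguments`, appended after this block, can still override the flag.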
@@ -1,11 +1,12 @@ {{- if .Values.rbac.enabled -}} {{- if not .Values.rbac.traefik.serviceAccountName -}} +{{- $multiNamespace := default false (and .Values.gateway.backend.namespace (ne .Release.Namespace .Values.gateway.backend.namespace)) }} kind: ServiceAccount apiVersion: v1 metadata: name: {{ include "dask-gateway.traefikName" . }} --- -kind: ClusterRole +kind: {{ ternary "ClusterRole" "Role" $multiNamespace }} apiVersion: rbac.authorization.k8s.io/v1 metadata: name: {{ include "dask-gateway.traefikName" . }} @@ -52,13 +53,13 @@ rules: - list - watch --- -kind: ClusterRoleBinding +kind: {{ ternary "ClusterRoleBinding" "RoleBinding" $multiNamespace }} apiVersion: rbac.authorization.k8s.io/v1 metadata: name: {{ include "dask-gateway.traefikName" . }} roleRef: apiGroup: rbac.authorization.k8s.io - kind: ClusterRole + kind: {{ ternary "ClusterRole" "Role" $multiNamespace }} name: {{ include "dask-gateway.traefikName" . }} subjects: - kind: ServiceAccount
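Review bot: The RoleBinding rendered in the single-namespace case (hunk at -52,13) has no `metadata.namespace`, and none is visible on the Role in the first hunk either, unlike the controller and gateway Role/RoleBinding added in this commit, which set `namespace: {{ .Release.Namespace }}`. Helm fills in the release namespace on install, but output of `helm template` applied with `kubectl` lands in whatever namespace the caller's context selects, so the grant can end up in a different namespace than the one Traefik is told to watch. Adding `{{- if not $multiNamespace }}`, `namespace: {{ .Release.Namespace }}`, `{{- end }}` under each `metadata:` makes the scope explicit. The Role's rule list and the rest of the binding's `subjects` lie outside these hunks.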