fluxcd
/
flagger
mirror of https://github.com/fluxcd/flagger.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Add example RBAC for `helm test`

This commit is contained in:
Cosmin Mogos 2020-05-27 18:45:43 +02:00
parent 3dd5dfa6aa
commit df103fb257
1 changed files with 51 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

51
docs/gitbook/usage/webhooks.md
View File

@ -276,6 +276,9 @@ If you are using Helm v3, you'll have to create a dedicated service account and
cmd: "test {{ .Release.Name }} --timeout 3m -n {{ .Release.Namespace }}" cmd: "test {{ .Release.Name }} --timeout 3m -n {{ .Release.Namespace }}"
``` ```
If the test hangs or logs error messages hinting to insufficient permissions it can be related to RBAC,
check the [Troubleshooting](#Troubleshooting) section for an example configuration.
As an alternative to Helm you can use the [Bash Automated Testing System](https://github.com/bats-core/bats-core) to run your tests. As an alternative to Helm you can use the [Bash Automated Testing System](https://github.com/bats-core/bats-core) to run your tests.
```yaml ```yaml
@ -423,3 +426,51 @@ curl -d '{"name": "podinfo","namespace":"test"}' http://localhost:8080/rollback/
``` ```
If you have notifications enabled, Flagger will post a message to Slack or MS Teams if a canary has been rolled back. If you have notifications enabled, Flagger will post a message to Slack or MS Teams if a canary has been rolled back.
### Troubleshooting
#### Manually check if helm test is running
To debug in depth any issues with helm tests, you can execute commands on the flagger-loadtester pod.
```bash
kubectl -n linkerd exec -it flagger-loadtester -- bash
helmv3 test ....
```
#### Helm tests hang during canary deployment
If test execution hangs or displays insufficient permissions, check your RBAC settings.
```yaml
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: helm-smoke-tester
rules:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "watch", "list", "update"]
# choose the permission based on helm test type (Pod or Job)
- apiGroups: [""]
resources: ["pods", "pods/log"]
verbs: ["create", "list", "delete", "watch"]
- apiGroups: ["batch"]
resources: ["jobs", "jobs/log"]
verbs: ["create", "list", "delete", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: helm-smoke-tester
# Don't forget to update accordingly
namespace: namespace-of-the-tested-release
subjects:
- kind: User
name: system:serviceaccount:linkerd:default
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
name: helm-smoke-tester
apiGroup: rbac.authorization.k8s.io
```