Merge pull request #623 from aryan9600/sa-check
check if service account exists before uninstalling release
commit
1f5c565123
|
|
@ -536,6 +536,18 @@ jobs:
|
|||
fi
|
||||
done
|
||||
echo ' done'
|
||||
- name: Run delete-ns tests
|
||||
run: |
|
||||
kubectl apply -f config/testdata/delete-ns
|
||||
kubectl -n delete-ns wait helmreleases/podinfo --for=condition=ready --timeout=2m
|
||||
kubectl delete ns delete-ns 1>/dev/null 2>&1 &
|
||||
echo -n ">> Waiting for namespace to be deleted"
|
||||
if kubectl wait --for=delete namespace delete-ns --timeout=2m; then
|
||||
echo 'Namespace deleted successfully'
|
||||
else
|
||||
echo 'Timed out waiting for namespace to be deleted'
|
||||
exit 1
|
||||
fi
|
||||
- name: Run post-renderer-kustomize test
|
||||
run: |
|
||||
kubectl -n helm-system apply -f config/testdata/post-renderer-kustomize
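Review bot: In the new `Run delete-ns tests` step, `kubectl delete ns delete-ns 1>/dev/null 2>&1 &` discards the delete command's stderr, so a rejected or failed delete only surfaces two minutes later as 'Timed out waiting for namespace to be deleted', with nothing in the job log to diagnose it. Running the delete in the foreground with its own timeout, `kubectl delete ns delete-ns --timeout=2m`, would keep the error output and should make the separate `kubectl wait --for=delete` unnecessary, because delete waits for finalizers by default. If the background form is kept, drop the `2>&1` so errors still reach the log.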
|
||||
|
|
|
|||
|
|
@ -0,0 +1,68 @@
|
|||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: delete-ns
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: gotk-reconciler
|
||||
namespace: delete-ns
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
name: gotk-reconciler
|
||||
namespace: delete-ns
|
||||
rules:
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- '*'
|
||||
verbs:
|
||||
- '*'
|
||||
- apiGroups:
|
||||
- apps
|
||||
resources:
|
||||
- '*'
|
||||
verbs:
|
||||
- '*'
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: gotk-reconciler
|
||||
namespace: delete-ns
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
name: gotk-reconciler
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: gotk-reconciler
|
||||
namespace: delete-ns
|
||||
---
|
||||
apiVersion: source.toolkit.fluxcd.io/v1beta1
|
||||
kind: HelmRepository
|
||||
metadata:
|
||||
name: podinfo
|
||||
namespace: delete-ns
|
||||
spec:
|
||||
interval: 1m
|
||||
url: https://stefanprodan.github.io/podinfo
|
||||
---
|
||||
apiVersion: helm.toolkit.fluxcd.io/v2beta1
|
||||
kind: HelmRelease
|
||||
metadata:
|
||||
name: podinfo
|
||||
namespace: delete-ns
|
||||
spec:
|
||||
serviceAccountName: gotk-reconciler
|
||||
interval: 5m
|
||||
chart:
|
||||
spec:
|
||||
chart: podinfo
|
||||
version: 5.0.3
|
||||
sourceRef:
|
||||
kind: HelmRepository
|
||||
name: podinfo
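Review bot: The `gotk-reconciler` Role grants `'*'` verbs on `'*'` resources in the core and `apps` groups, and nothing in the file says this is a throwaway fixture or what it exercises. The grant is namespace-scoped to `delete-ns`, so exposure in CI is limited, but testdata manifests tend to be copied as examples, and the core-group wildcard covers secrets and service accounts. I would add a header comment such as `# Test fixture: namespace deletion with an impersonated ServiceAccount; the wildcard Role is for this disposable namespace only.`, or narrow the rules to the resource kinds the podinfo chart creates.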
|
||||
|
|
@ -660,8 +660,11 @@ func (r *HelmReleaseReconciler) composeValues(ctx context.Context, hr v2.HelmRel
|
|||
|
||||
// reconcileDelete deletes the v1beta2.HelmChart of the v2beta1.HelmRelease,
|
||||
// and uninstalls the Helm release if the resource has not been suspended.
|
||||
// It only performs a Helm uninstall if the ServiceAccount to be impersonated
|
||||
// exists.
|
||||
func (r *HelmReleaseReconciler) reconcileDelete(ctx context.Context, hr v2.HelmRelease) (ctrl.Result, error) {
|
||||
r.recordReadiness(ctx, hr)
|
||||
log := ctrl.LoggerFrom(ctx)
|
||||
|
||||
// Delete the HelmChart that belongs to this resource.
|
||||
if err := r.deleteHelmChart(ctx, &hr); err != nil {
|
||||
|
|
@ -670,19 +673,36 @@ func (r *HelmReleaseReconciler) reconcileDelete(ctx context.Context, hr v2.HelmR
|
|||
|
||||
// Only uninstall the Helm Release if the resource is not suspended.
|
||||
if !hr.Spec.Suspend {
|
||||
getter, err := r.buildRESTClientGetter(ctx, hr)
|
||||
if err != nil {
|
||||
return ctrl.Result{}, err
|
||||
}
|
||||
run, err := runner.NewRunner(getter, hr.GetStorageNamespace(), ctrl.LoggerFrom(ctx))
|
||||
if err != nil {
|
||||
return ctrl.Result{}, err
|
||||
}
|
||||
if err := run.Uninstall(hr); err != nil && !errors.Is(err, driver.ErrReleaseNotFound) {
|
||||
return ctrl.Result{}, err
|
||||
}
|
||||
ctrl.LoggerFrom(ctx).Info("uninstalled Helm release for deleted resource")
|
||||
impersonator := runtimeClient.NewImpersonator(
|
||||
r.Client,
|
||||
r.StatusPoller,
|
||||
r.PollingOpts,
|
||||
hr.Spec.KubeConfig,
|
||||
r.KubeConfigOpts,
|
||||
kube.DefaultServiceAccountName,
|
||||
hr.Spec.ServiceAccountName,
|
||||
hr.GetNamespace(),
|
||||
)
|
||||
|
||||
if impersonator.CanImpersonate(ctx) {
|
||||
getter, err := r.buildRESTClientGetter(ctx, hr)
|
||||
if err != nil {
|
||||
return ctrl.Result{}, err
|
||||
}
|
||||
run, err := runner.NewRunner(getter, hr.GetStorageNamespace(), ctrl.LoggerFrom(ctx))
|
||||
if err != nil {
|
||||
return ctrl.Result{}, err
|
||||
}
|
||||
if err := run.Uninstall(hr); err != nil && !errors.Is(err, driver.ErrReleaseNotFound) {
|
||||
return ctrl.Result{}, err
|
||||
}
|
||||
log.Info("uninstalled Helm release for deleted resource")
|
||||
} else {
|
||||
err := fmt.Errorf("failed to find service account to impersonate")
|
||||
msg := "skipping Helm uninstall"
|
||||
log.Error(err, msg)
|
||||
r.event(ctx, hr, hr.Status.LastAppliedRevision, eventv1.EventSeverityError, fmt.Sprintf("%s: %s", msg, err.Error()))
|
||||
}
|
||||
} else {
|
||||
ctrl.LoggerFrom(ctx).Info("skipping Helm uninstall for suspended resource")
|
||||
}
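Review bot: The `else` branch of `if impersonator.CanImpersonate(ctx)` reports every false result as a missing service account and skips `run.Uninstall`. If that check also returns false on a transient lookup error (its implementation is not visible here), the release's workloads would stay running unmanaged once deletion completes in the rest of `reconcileDelete`, which continues outside this hunk. The event should name the account and namespace so an operator can find what was left behind, e.g. `err := fmt.Errorf("failed to find service account %q in namespace %q to impersonate", hr.Spec.ServiceAccountName, hr.GetNamespace())`; note that the name is empty when the default account applies. As written the message has no format verbs, so `errors.New` would be the idiomatic call. Also worth confirming that skipping rather than requeueing is intended when the namespace itself is not being deleted.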
|
||||
|
|
|
|||