harness / delegate-helm-chart

Feat: [CCM-13259]: Add CCM Visibility Role #50

Closed rssnyder closed 1 year ago

rssnyder commented 1 year ago

Adding CCM visibility clusterrole to delegate helm chart.

Why? When new customers are setting up CCM for k8s they have to deploy a delegate first, and then add the cluster visibility role later. This is only given to you in the UI, which leads to issues when infra teams are tasked with rolling out the delegate over many clusters and do not want to go to the harness UI every time.

This gives the customers an easier onboarding flow for enrolling clusters into CCM.

Previous flow:

  1. engineer deploys delegate into cluster via helm
  2. engineer gets clusterrole yaml from harness owner
  3. engineer adds clusterrole yaml into cluster via kubectl

New flow:

  1. engineer deploys delegate into cluster via helm - adds ccm value to enable clusterrole

rssnyder commented 1 year ago

@mdmilic any thoughts on my changes per your review?

mdmilic commented 1 year ago

@rssnyder you should link the JIRA ticket to this PR (for future selves). E.g. we usually use the format feat: [PL-12345]: some nice title, which is enforced in other repos and automatically links your JIRA, but having any kind of JIRA ref is fine (i.e. just PL-12345).

rssnyder commented 1 year ago

@AnupamIO tests below:

install with ccm.visibility=true and k8sPermissionsType=CLUSTER_VIEWER, show role/binding are created

 zira ➜  delegate-helm-chart git:(feat/ccm-cost-access) ✗  helm upgrade -i zira-work-again --namespace harness-delegate-ng --create-namespace \
  ./harness-delegate-ng \
  --set delegateName=zira-work-again \
  --set accountId=wlgELJ0TTre5aZhzpt8gVA \
  --set delegateToken=xxxxx= \
  --set managerEndpoint=https://app.harness.io/gratis \
  --set delegateDockerImage=harness/delegate:23.06.79707 \
  --set replicas=1 --set upgrader.enabled=false --set ccm.visibility=true --set k8sPermissionsType=CLUSTER_VIEWER
Release "zira-work-again" does not exist. Installing it now.
NAME: zira-work-again
LAST DEPLOYED: Wed Aug  2 12:27:50 2023
NAMESPACE: harness-delegate-ng
STATUS: deployed
REVISION: 1
TEST SUITE: None
 zira ➜  delegate-helm-chart git:(feat/ccm-cost-access) ✗  k get clusterrole | grep ccm                                              
zira-work-again-ccm-visibility                                         2023-08-02T17:27:50Z
 zira ➜  delegate-helm-chart git:(feat/ccm-cost-access) ✗  k get clusterrolebinding | grep ccm                                              
zira-work-again-ccm-visibility-roleBinding             ClusterRole/zira-work-again-ccm-visibility                                         15s

install with ccm.visibility=true and k8sPermissionsType=CLUSTER_ADMIN, show role/binding are not created

 zira ➜  delegate-helm-chart git:(feat/ccm-cost-access) ✗  helm upgrade -i zira-work-again --namespace harness-delegate-ng --create-namespace \
  ./harness-delegate-ng \
  --set delegateName=zira-work-again \
  --set accountId=wlgELJ0TTre5aZhzpt8gVA \
  --set delegateToken=xxxxxxx= \
  --set managerEndpoint=https://app.harness.io/gratis \
  --set delegateDockerImage=harness/delegate:23.06.79707 \
  --set replicas=1 --set upgrader.enabled=false --set ccm.visibility=true --set k8sPermissionsType=CLUSTER_ADMIN 
Release "zira-work-again" has been upgraded. Happy Helming!
NAME: zira-work-again
LAST DEPLOYED: Wed Aug  2 12:28:19 2023
NAMESPACE: harness-delegate-ng
STATUS: deployed
REVISION: 2
TEST SUITE: None
 zira ➜  delegate-helm-chart git:(feat/ccm-cost-access) ✗  k get clusterrole | grep ccm                                                 
 zira ➜  delegate-helm-chart git:(feat/ccm-cost-access) ✗  k get clusterrolebinding | grep ccm                                                 

install with ccm.visibility=false and k8sPermissionsType=CLUSTER_VIEWER, show role/binding are not created

 zira ➜  delegate-helm-chart git:(feat/ccm-cost-access) ✗  helm upgrade -i zira-work-again --namespace harness-delegate-ng --create-namespace \
  ./harness-delegate-ng \
  --set delegateName=zira-work-again \
  --set accountId=wlgELJ0TTre5aZhzpt8gVA \
  --set delegateToken=xxxxxx= \
  --set managerEndpoint=https://app.harness.io/gratis \
  --set delegateDockerImage=harness/delegate:23.06.79707 \
  --set replicas=1 --set upgrader.enabled=false --set ccm.visibility=false --set k8sPermissionsType=CLUSTER_VIEWER
Release "zira-work-again" has been upgraded. Happy Helming!
NAME: zira-work-again
LAST DEPLOYED: Wed Aug  2 12:28:38 2023
NAMESPACE: harness-delegate-ng
STATUS: deployed
REVISION: 3
TEST SUITE: None
 zira ➜  delegate-helm-chart git:(feat/ccm-cost-access) ✗  k get clusterrole | grep ccm                                                 
 zira ➜  delegate-helm-chart git:(feat/ccm-cost-access) ✗  k get clusterrolebinding | grep ccm                                                 

install with ccm.visibility=true and k8sPermissionsType=CLUSTER_VIEWER, show role/binding are created

 zira ➜  delegate-helm-chart git:(feat/ccm-cost-access) ✗  helm upgrade -i zira-work-again --namespace harness-delegate-ng --create-namespace \
  ./harness-delegate-ng \
  --set delegateName=zira-work-again \
  --set accountId=wlgELJ0TTre5aZhzpt8gVA \
  --set delegateToken=xxxxx= \
  --set managerEndpoint=https://app.harness.io/gratis \
  --set delegateDockerImage=harness/delegate:23.06.79707 \
  --set replicas=1 --set upgrader.enabled=false --set ccm.visibility=true --set k8sPermissionsType=CLUSTER_VIEWER
Release "zira-work-again" has been upgraded. Happy Helming!
NAME: zira-work-again
LAST DEPLOYED: Wed Aug  2 12:28:52 2023
NAMESPACE: harness-delegate-ng
STATUS: deployed
REVISION: 4
TEST SUITE: None
 zira ➜  delegate-helm-chart git:(feat/ccm-cost-access) ✗  k get clusterrole | grep ccm                                                 
zira-work-again-ccm-visibility                                         2023-08-02T17:28:52Z
 zira ➜  delegate-helm-chart git:(feat/ccm-cost-access) ✗  k get clusterrolebinding | grep ccm                                                 
zira-work-again-ccm-visibility-roleBinding             ClusterRole/zira-work-again-ccm-visibility                                         4s

show content of role matches template

 zira ➜  delegate-helm-chart git:(feat/ccm-cost-access) ✗  k get clusterrole zira-work-again-ccm-visibility -o=yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    meta.helm.sh/release-name: zira-work-again
    meta.helm.sh/release-namespace: harness-delegate-ng
  creationTimestamp: "2023-08-02T17:28:52Z"
  labels:
    app.kubernetes.io/instance: zira-work-again
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: zira-work-again
    harness.io/name: zira-work-again
    helm.sh/chart: harness-delegate-ng-1.0.10
  name: zira-work-again-ccm-visibility
  resourceVersion: "936"
  uid: e7a99e60-4139-43fe-aa04-1bf1d9c3d0d2
rules:
- apiGroups:
  - ""
  resources:
  - pods
  - nodes
  - nodes/proxy
  - events
  - namespaces
  - persistentvolumes
  - persistentvolumeclaims
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - apps
  - extensions
  resources:
  - statefulsets
  - deployments
  - daemonsets
  - replicasets
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - batch
  resources:
  - jobs
  - cronjobs
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - metrics.k8s.io
  resources:
  - pods
  - nodes
  verbs:
  - get
  - list
- apiGroups:
  - storage.k8s.io
  resources:
  - storageclasses
  verbs:
  - get
  - list
  - watch
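
A way to check mechanically that a rendered visibility role stays read-only, as an added example that is not part of this PR or of the chart. The `audit_role` helper, the `sensitive` list and the sample dict (constructed from the rules printed above) are assumptions of this example.

```python
import json
import sys

READ_ONLY_VERBS = {"get", "list", "watch"}
RO = ["get", "list", "watch"]

# Constructed sample: the rules printed above, in the shape that
# `kubectl get clusterrole <name> -o json` returns (metadata trimmed).
SAMPLE_ROLE = {
    "kind": "ClusterRole",
    "metadata": {"name": "zira-work-again-ccm-visibility"},
    "rules": [
        {"apiGroups": [""], "verbs": RO,
         "resources": ["pods", "nodes", "nodes/proxy", "events", "namespaces",
                       "persistentvolumes", "persistentvolumeclaims"]},
        {"apiGroups": ["apps", "extensions"], "verbs": RO,
         "resources": ["statefulsets", "deployments", "daemonsets", "replicasets"]},
        {"apiGroups": ["batch"], "verbs": RO, "resources": ["jobs", "cronjobs"]},
        {"apiGroups": ["metrics.k8s.io"], "verbs": ["get", "list"],
         "resources": ["pods", "nodes"]},
        {"apiGroups": ["storage.k8s.io"], "verbs": RO,
         "resources": ["storageclasses"]},
    ],
}

def audit_role(role, sensitive=("secrets",)):
    """Return (findings, subresources) for a ClusterRole given as a dict.

    findings: rules that go beyond read-only visibility.
    subresources: every "resource/subresource" granted, listed for review.
    """
    findings, subresources = [], []
    for i, rule in enumerate(role.get("rules", [])):
        extra = set(rule.get("verbs", [])) - READ_ONLY_VERBS  # also catches "*"
        if extra:
            findings.append(f"rule {i}: non-read verbs {sorted(extra)}")
        resources = rule.get("resources", [])
        if "*" in resources or "*" in rule.get("apiGroups", []):
            findings.append(f"rule {i}: wildcard resource or apiGroup")
        for res in resources:
            if res in sensitive:
                findings.append(f"rule {i}: grants access to {res}")
            if "/" in res:
                subresources.append(res)
    return findings, subresources

if __name__ == "__main__":
    # Optional argument: a file holding `kubectl get clusterrole ... -o json`.
    role = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_ROLE
    print(audit_role(role))
```

Run it against the output of `helm template` or of a live cluster in CI so that a later template change that widens the role is caught before rollout.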