Prior to this, the waypoint on-demand runners were granted the edit role on the namespace the chart was installed into. This made made it impossible for runners to deploy into other namespaces.
As a concrete example, I'm trying to install waypoint into a waypoint namespace, and have it deploy into dev and prod namespaces.
This change adds a managedNamespaces field, and creates a rolebinding in each managed namespace to allow the on-demand runner to access its resources.
How to verify this change
Create a kubernetes cluster with waypoint, dev, and prod namespaces
Create the following values file:
runner:
odr:
managedNamespaces:
- dev
- prod
Install the helm chart into the waypoint namespace, i.e.: helm install --values=<values-file> waypoint ./ --namespace waypoint
Create a waypoint app that deploys into the devnamespace (or switches namespaces based on the workspace)
Add a git repo and auth to your project to enable the on-demand runners
Trigger a remote build and deploy, and observe as the on-demand runner can create a deployment in the dev namespace, while running in the waypoint namespace
Prior to this, the waypoint on-demand runners were granted the
editrole on the namespace the chart was installed into. This made made it impossible for runners to deploy into other namespaces.As a concrete example, I'm trying to install waypoint into a
waypointnamespace, and have it deploy intodevandprodnamespaces.This change adds a
managedNamespacesfield, and creates a rolebinding in each managed namespace to allow the on-demand runner to access its resources.How to verify this change
waypoint,dev, andprodnamespaceswaypointnamespace, i.e.:helm install --values=<values-file> waypoint ./ --namespace waypointdevnamespace (or switches namespaces based on the workspace)devnamespace, while running in thewaypointnamespace