hashicorp / waypoint

A tool to build, deploy, and release any application on any platform.
https://waypointproject.io

Waypoint Runner Install With Namespace Provided Yields Runner Rolebinding in Default Namespace #4194

Open cicoyle opened 2 years ago

cicoyle commented 2 years ago

Describe the bug

Waypoint runner install command with the namespace flag provided created the waypoint runner pod and odr runner rolebinding edit in the proper namespace, but the runner rolebinding was created in the default namespace.

Steps to Reproduce

Note: k is an alias for kubectl

$ waypoint runner install \
  -platform=kubernetes \
  -server-addr=<server_addr:port> \
  -k8s-namespace=cassie-hashitalk-deploy \
  -k8s-runner-image=hashicorp/waypoint:latest -id=azure -- -label=cloud=azure

$ k get po -n cassie-hashitalk-deploy
NAME                                           READY   STATUS    RESTARTS   AGE
waypoint-azure-runner-0                        1/1     Running   0          12m

$ k describe po waypoint-azure-runner-0  -n cassie-hashitalk-deploy
Name:             waypoint-azure-runner-0
Namespace:        cassie-hashitalk-deploy
Priority:         0
Service Account:  waypoint-runner
...

$ k get serviceaccount --all-namespaces                          
NAMESPACE                 NAME                                 SECRETS   AGE
cassie-hashitalk-deploy   default                              1         19h
cassie-hashitalk-deploy   waypoint-runner                      1         19h
cassie-hashitalk-deploy   waypoint-runner-odr                  1         19h

$ k get rolebindings --all-namespaces
NAMESPACE                 NAME                                                              ROLE                                                  AGE
cassie-hashitalk-deploy   waypoint-01ghsgk5dp76fbw20by9655bx4-runner-odr-rolebinding-edit   ClusterRole/edit                                      18h
default                   waypoint-01ghsgk5dp76fbw20by9655bx4-runner-rolebinding            ClusterRole/edit                                      18h

$ waypoint build

» Building hello-app...
! jobs.batch is forbidden: User
  "system:serviceaccount:cassie-hashitalk-deploy:waypoint-runner" cannot create
  resource "jobs" in API group "batch" in the namespace "cassie-hashitalk-deploy"

Expected behavior

I would expect the runner rolebinding to be created in the specified namespace provided.

Waypoint Platform Versions

$ waypoint version
CLI: v0.10.3 (136a885b9)
Server: hcp v0.10.0

Using an Azure cluster

cicoyle commented 2 years ago

I just checked, and installing a runner this way works properly where the rolebindings go to the proper namespace:

$ helm install --namespace=cassie-hashitalk-deploy --set server.enabled=false --set runner.server.addr=api.hcp.dev:443 --set runner.server.cookie='cookie' --set runner.image.repository=hashicorp/waypoint --set runner.image.tag=latest --set runner.pullPolicy=always waypoint hashicorp/waypoint

briancain commented 2 years ago

This might be related to the issue we have open around helm and namespaces https://github.com/hashicorp/waypoint/issues/3065
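
A check for the symptom reported in this issue, added here as an example and not part of the thread or of Waypoint's code: it reads the JSON form of the `kubectl get rolebindings --all-namespaces` listing and flags any RoleBinding whose ServiceAccount subject lives in a different namespace than the binding. The binding names and namespaces are taken from the report; the `subjects` entries are an assumption, since the page does not show them.

```python
import json

# Constructed sample shaped like `kubectl get rolebindings --all-namespaces -o json`.
# Names and namespaces are from the issue; the subjects are assumed for illustration.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"namespace": "cassie-hashitalk-deploy",
                "name": "waypoint-01ghsgk5dp76fbw20by9655bx4-runner-odr-rolebinding-edit"},
   "roleRef": {"kind": "ClusterRole", "name": "edit"},
   "subjects": [{"kind": "ServiceAccount", "name": "waypoint-runner-odr",
                 "namespace": "cassie-hashitalk-deploy"}]},
  {"metadata": {"namespace": "default",
                "name": "waypoint-01ghsgk5dp76fbw20by9655bx4-runner-rolebinding"},
   "roleRef": {"kind": "ClusterRole", "name": "edit"},
   "subjects": [{"kind": "ServiceAccount", "name": "waypoint-runner",
                 "namespace": "cassie-hashitalk-deploy"}]}
]}
""")


def misplaced_bindings(rb_list):
    """Return RoleBindings whose ServiceAccount subject is in another namespace.

    A RoleBinding grants its role only inside its own namespace, so the grant
    applies in the binding's namespace rather than where the account runs.
    """
    findings = []
    for rb in rb_list.get("items", []):
        bound_ns = rb["metadata"]["namespace"]
        role = "{kind}/{name}".format(**rb["roleRef"])
        for subj in rb.get("subjects") or []:  # subjects may be absent or null
            if subj.get("kind") != "ServiceAccount":
                continue
            subj_ns = subj.get("namespace", bound_ns)
            if subj_ns != bound_ns:
                findings.append({
                    "binding": f"{bound_ns}/{rb['metadata']['name']}",
                    "role": role,
                    "account": f"{subj_ns}/{subj['name']}",
                    "grants_in": bound_ns,
                })
    return findings


if __name__ == "__main__":
    for f in misplaced_bindings(SAMPLE):
        print(f"{f['account']} holds {f['role']} in {f['grants_in']} via {f['binding']}")
```

Against a live cluster, pass the parsed output of `kubectl get rolebindings --all-namespaces -o json` to `misplaced_bindings` in place of `SAMPLE`.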