search

helm / charts

⚠️(OBSOLETE) Curated applications for Kubernetes
Apache License 2.0
15.49k stars 16.79k forks source link

[stable/kong] Incorrect default value in ingress-controller rbac settings #10379

Closed haugene closed 5 years ago

haugene commented 5 years ago

Is this a request for help?:

No

Is this a BUG REPORT or FEATURE REQUEST? (choose one): BUG REPORT

Version of Helm and Kubernetes: helm

Client: &version.Version{SemVer:"v2.7.2", GitCommit:"8478fb4fc723885b155c924d1c8c410b7a9444e6", GitTreeState:"clean"}
Server: &version.Version{SemVer:"v2.11.0", GitCommit:"2e55dbe1fdb5fdb96b75ff144a339489417b146b", GitTreeState:"clean"}

kubernetes

Client Version: version.Info{Major:"1", Minor:"10", GitVersion:"v1.10.1", GitCommit:"d4ab47518836c750f9949b9e0d387f20fb92260b", GitTreeState:"clean", BuildDate:"2018-04-13T22:27:55Z", GoVersion:"go1.9.5", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"10+", GitVersion:"v1.10.7-gke.11", GitCommit:"fa90543563c9cfafca69128ce8cd9ecd5941940f", GitTreeState:"clean", BuildDate:"2018-11-08T20:22:21Z", GoVersion:"go1.9.3b4", Compiler:"gc", Platform:"linux/amd64"}

Which chart: stable/kong - 0.6.9

What happened: Using the ingressController and default rbac-setup I get error logs from the controller saying:

E0103 14:54:27.082643       8 leaderelection.go:258] Failed to update lock: configmaps "kong-ingress-controller-leader-nginx-nginx" is forbidden: User "system:serviceaccount:my-namespace:kong-serviceaccount" cannot update configmaps in the namespace "my-namespace"

What you expected to happen: The serviceaccount should have the roles to change this configmap

How to reproduce it (as minimally and precisely as possible): Deploy with ingress-controller enabled. Maybe re-deploy kong pod (I did this changing useTLS and some ingress annotations - but don't think it's needed)

Anything else we need to know:

Updating configmaps resourceNames in controller-rbac-role.yaml seems to fix it. It's also documented that this needs to be updated when election-id or ingress-class is changed, so I guess others will find this easy enough as well. But after #9870 and #10031 the defaults are different. Should now be "kong-ingress-controller-leader-nginx-nginx" as in the logs.

I can also submit a PR.

haugene commented 5 years ago

Nevermind. Sorry, I see it was patched 20 hours ago.