zabbix-community / helm-zabbix

Helm chart for Zabbix
https://artifacthub.io/packages/helm/zabbix-community/zabbix
Apache License 2.0

additionalRulesForClusterRole seem to be broken in templates/clusterrole.yaml template #100

Closed mkaspar closed 5 days ago

mkaspar commented 5 days ago

Describe the bug: I tried to add additional zabbix role rules via rbac.additionalRulesForClusterRole but it failed with an error: Error: YAML parse error on zabbix/templates/clusterrole.yaml: error converting YAML to JSON: yaml: line 53: did not find expected key

Version of Helm and Kubernetes: Helm: version.BuildInfo{Version:"v3.12.0", GitCommit:"c9f554d75773799f72ceef38c51210f1842a1dea", GitTreeState:"clean", GoVersion:"go1.20.3"}

Kubernetes:
Client Version: 4.13.0-0.okd-2023-06-24-145750
Kustomize Version: v4.5.7
Server Version: 4.15.0-0.okd-2024-03-10-010116
Kubernetes Version: v1.28.2-3598+6e2789bbd58938-dirty

What happened: The helm install (or template) ends with an error:

Error: YAML parse error on zabbix/templates/clusterrole.yaml: error converting YAML to JSON: yaml: line 53: did not find expected key

Running with the debug flag renders the template with the error, which reveals the source of the error:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: zabbix
  labels:
    app.kubernetes.io/name: zabbix
    helm.sh/chart: zabbix-4.4.1
    app.kubernetes.io/instance: zabbix
    app.kubernetes.io/version: "6.0.30"
    app.kubernetes.io/managed-by: Helm
rules:
  - nonResourceURLs:
      - "/metrics"
      - "/metrics/cadvisor"
      - "/version"
      - "/healthz"
      - "/readyz"
    verbs: ["get"]
  - apiGroups: [""]
    resources:
      - nodes/metrics
      - nodes/spec
      - nodes/proxy
      - nodes/stats
    verbs: ["get"]
  - apiGroups: [""]
    resources:
      - namespaces
      - pods
      - services
      - componentstatuses
      - nodes
      - endpoints
      - events
    verbs: ["get", "list"]
  - apiGroups: ["batch"]
    resources:
      - jobs
      - cronjobs
    verbs: ["get", "list"]
  - apiGroups: ["extensions"]
    resources:
      - deployments
      - daemonsets
    verbs: ["get", "list"]
  - apiGroups: ["apps"]
    resources:
      - statefulsets
      - deployments
      - daemonsets
    verbs: ["get", "list"]
- apiGroups:
  - security.openshift.io
  resourceNames:
  - zabbix
  resources:
  - securitycontextconstraints
  verbs:
  - use

The template code to render the additional rules looks like:

{{- if .Values.rbac.additionalRulesForClusterRole }}
{{ toYaml .Values.rbac.additionalRulesForClusterRole | indent 0 }}
{{- end }}
{{- end }}

It looks like there is an incorrect indent value. Should be 4 instead of 0. We use chart version 4.4.1, but 5.0.0 behaves the same and I see the same code in the master branch.

What you expected to happen: Template should be rendered, the release installed.

How to reproduce it (as minimally and precisely as possible):

  1. Add this to the values.overrides.yaml:
    rbac:
      # -- Specifies whether the RBAC resources should be created
      create: true
      additionalRulesForClusterRole:
        #  - apiGroups: [ "" ]
        #    resources:
        #      - nodes/proxy
        #    verbs: [ "get", "list", "watch" ]
        # SCC. Unfortunately there is a bug in Zabbix Helm chart preventing setting additional rules.
        # https://docs.openshift.com/container-platform/4.15/authentication/managing-security-context-constraints.html#role-based-access-to-ssc_configuring-internal-oauth
        - apiGroups:
            - security.openshift.io
          resourceNames:
            - zabbix
          resources:
            - securitycontextconstraints
          verbs:
            - use
  2. Try to generate template: helm template zabbix zabbix-community/zabbix --version 5.0.0 -f values.overrides.yaml

Anything else we need to know:

aeciopires commented 5 days ago

Hello @mkaspar!

Thanks for reporting this bug in great detail. I resolved the issue and will make a new release.
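
The rendering failure reported in this issue can be reproduced without Helm or a YAML library. The Go program below is an added example, not code from the chart or from either commenter: `extraRule`, `tail`, `render` and `check` are hypothetical names, the `toYaml` output and the template tail are constructed stand-ins, and `indent` is re-implemented with the standard library. It measures the column of the existing rule items instead of assuming an indent value.

```go
package main

import (
	"fmt"
	"strings"
	"text/template"
)

// Constructed: the text toYaml emits for the additional rule from the report.
const extraRule = "- apiGroups:\n  - security.openshift.io\n  resourceNames:\n  - zabbix\n" +
	"  resources:\n  - securitycontextconstraints\n  verbs:\n  - use"

// Constructed, shortened stand-in for the end of templates/clusterrole.yaml.
const tail = "rules:\n  - apiGroups: [\"apps\"]\n    resources:\n      - statefulsets\n" +
	"    verbs: [\"get\", \"list\"]\n{{ .Extra | indent .N }}\n"

// indent pads every line of s with n spaces, like the template function.
func indent(n int, s string) string {
	pad := strings.Repeat(" ", n)
	return pad + strings.ReplaceAll(s, "\n", "\n"+pad)
}

// render executes the stand-in template with indent width n.
func render(n int) string {
	t := template.Must(template.New("cr").Funcs(template.FuncMap{"indent": indent}).Parse(tail))
	var b strings.Builder
	if err := t.Execute(&b, map[string]any{"Extra": extraRule, "N": n}); err != nil {
		panic(err)
	}
	return b.String()
}

// check returns the column of the first item under "rules:" and the 1-based number of the
// first later line indented less (0 if none). It catches under-indentation only.
func check(doc string) (col, bad int) {
	for i, line := range strings.Split(strings.TrimRight(doc, "\n"), "\n")[1:] {
		c := len(line) - len(strings.TrimLeft(line, " "))
		if i == 0 {
			col = c
		} else if c < col && bad == 0 {
			bad = i + 2 // i counts from the line after "rules:"
		}
	}
	return col, bad
}

func main() {
	fmt.Println(check(render(0))) // indent width used by the chart template in the report
	fmt.Println(check(render(2))) // indent width equal to the measured rule column
}
```

Running `helm template` in CI, as in the reproduction steps, remains the authoritative check, since it parses the rendered ClusterRole with a real YAML parser.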