Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix connect pod service account values when launcher is enabled #593

Merged
merged 7 commits into from
Oct 28, 2024
Merged

Fix connect pod service account values when launcher is enabled #593

merged 7 commits into from
Oct 28, 2024
+11 −6

Conversation

dbkegley
Copy link
Collaborator

@dbkegley dbkegley commented Oct 22, 2024
edited
Loading

Fixes #584

The connect pod service account values were being incorrectly applied when the job launcher is enabled. This PR fixes the Connect pod's serviceAccount value and removes some dead code.

Before:

# w/o launcher
» helm template ./ --set rbac.serviceAccount.name=asdf | grep serviceAccount 
      serviceAccountName: "asdf"

# w/ launcher
» helm template ./ --set launcher.enabled=true --set sharedStorage.create=true --set rbac.serviceAccount.name=asdf | grep serviceAccount
   ...
      serviceAccountName: release-name-rstudio-connect

After:

# w/o launcher
» helm template ./ --set rbac.serviceAccount.name=asdf | grep serviceAccount 
      serviceAccountName: "asdf"

# w/ launcher
» helm template ./ --set launcher.enabled=true --set sharedStorage.create=true --set rbac.serviceAccount.name=asdf | grep serviceAccount
...
      serviceAccountName: asdf

@dbkegley dbkegley changed the title Kegs fix launcher service account Fix connect pod service account values when launcher is enabled Oct 22, 2024
dbkegley
dbkegley commented Oct 22, 2024
View reviewed changes
charts/rstudio-connect/templates/deployment.yaml
@@ -77,7 +77,7 @@ spec:
* https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#use-multiple-service-accounts
*/}}
{{- if and .Values.rbac.create .Values.launcher.enabled }}
{{ $serviceAccountName := default (default .Values.rbac.serviceAccount.name .Values.pod.serviceAccountName) (include "rstudio-connect.fullname" .) }}
Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

pod.serviceAccountName is already fully deprecated

» helm template ./ --set pod.serviceAccountName=asdf                  
Error: execution error at (rstudio-connect/templates/NOTES.txt:55:4): 

`pod.serviceAccountName` is no longer used. Use `rbac.serviceAccount.name` instead.

Use --debug flag to render out invalid YAML

@dbkegley dbkegley requested a review from jforest October 22, 2024 14:40
@zackverham
Copy link
Collaborator

Not immediately related to your PR itself - but it does feel like something in CI should have caught this, yeah?

@jforest
Copy link
Contributor

jforest commented Oct 23, 2024

Not immediately related to your PR itself - but it does feel like something in CI should have caught this, yeah?

There are not many ct install tests yet for each product, so we would not have had any way to catch this yet. Hopefully @dbkegley and others can help with creating the values files needed in ci/<product_name>/install/<testname>-values.yaml as we continue. We are working on it though!

@dbkegley
Copy link
Collaborator Author

@jforest I'm not very familiar with chart-testing but do you know if it would allow us to provide assertions for expected output? This bug for example would have produced a "valid" installation but would have used the wrong service account for the Connect pod. I'm happy to help look into this more myself as well, just wondering if you know off hand

@jforest
Copy link
Contributor

jforest commented Oct 23, 2024

@jforest I'm not very familiar with chart-testing but do you know if it would allow us to provide assertions for expected output? This bug for example would have produced a "valid" installation but would have used the wrong service account for the Connect pod. I'm happy to help look into this more myself as well, just wondering if you know off hand

I don't think so, I believe you can create a values file (ending in -values.yaml) and run an install with those values files.

Could you merge main into this branch please? It should fix the linting error

@dbkegley
Copy link
Collaborator Author

I don't think so, I believe you can create a values file (ending in -values.yaml) and run an install with those values files.

That makes sense, seems like we have the install half but are missing the assertions. I believe we just need to write some tests that live in the charts/rstudio-connect/templates/test directory and it sounds like they will get evaluated automatically by each ct install

https://helm.sh/docs/topics/chart_tests/
https://github.com/helm/chart-testing/blob/main/doc/ct_install.md#synopsis

cc @plascaray

Could you merge main into this branch please? It should fix the linting error

Done!

@dbkegley
Copy link
Collaborator Author

@jforest would you mind taking another look at this CI failure? I pulled from main and the branch seems to have passed all the linting but it's failing to add the linting results to the PR with the following error:

SyntaxError: Unexpected identifier 'pod'

@jforest
Copy link
Contributor

jforest commented Oct 28, 2024
edited
Loading

@jforest would you mind taking another look at this CI failure? I pulled from main and the branch seems to have passed all the linting but it's failing to add the linting results to the PR with the following error:

SyntaxError: Unexpected identifier 'pod'

Yah, I've got a test PR trying to fix this, I think I'm just going to pull out trying to post the output to the PR, it's causing more trouble than it's worth. People can just check the GHA output directly

I'll let you know when I've gotten that merged to main so you can merge main again

@jforest
Copy link
Contributor

jforest commented Oct 28, 2024

@dbkegley I have merged #597, you should merge main into your branch!

@dbkegley
Copy link
Collaborator Author

Thanks @jforest ! It's working now, would you mind reviewing/approving for infraops so we can get this fix released?

jforest
jforest approved these changes Oct 28, 2024
View reviewed changes
charts/rstudio-connect/templates/rbac.yaml
@@ -1,7 +1,7 @@
{{- if and (.Values.rbac.create) (.Values.launcher.enabled) }}
{{ $namespace := $.Release.Namespace }}
{{ $targetNamespace := default $.Release.Namespace .Values.launcher.namespace }}
{{ $serviceAccountName := default .Values.rbac.serviceAccount.name (include "rstudio-connect.fullname" .) }}
{{ $serviceAccountName := default (include "rstudio-connect.fullname" .) .Values.rbac.serviceAccount.name }}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The changes of order here are just to ensure that if we have .Values.rbac.serviceAccount.name set, it will override the default of rstudio-connect.fullname?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yep, that's exactly right

@dbkegley dbkegley merged commit 884427b into main Oct 28, 2024
6 checks passed
@dbkegley dbkegley deleted the kegs-fix-launcher-service-account branch October 28, 2024 18:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jforest jforest jforest approved these changes

@zackverham zackverham zackverham approved these changes

@aronatkins aronatkins Awaiting requested review from aronatkins aronatkins is a code owner

@christierney christierney Awaiting requested review from christierney christierney is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[CONNECT] Service account name is not properly set
4 participants
@dbkegley @zackverham @jforest @actions-user