kommander: Ensure cleanup jobs use SA with necessary roles

mesosphere · Jan 28, 2020 · 0237a53 · 0237a53
1 parent 4c32f8f
commit 0237a53
Show file tree

Hide file tree

Showing 4 changed files with 12 additions and 6 deletions.
diff --git a/stable/kommander/templates/grafana/hooks-home-dashboard.yaml b/stable/kommander/templates/grafana/hooks-home-dashboard.yaml
@@ -9,7 +9,7 @@ metadata:
 {{ include "kommander.labels" . | indent 4 }}
   annotations:
     helm.sh/hook: post-install
-    helm.sh/hook-weight: "-5"
+    helm.sh/hook-weight: "-4"
     helm.sh/hook-delete-policy: hook-succeeded,before-hook-creation
 spec:
   template:
@@ -60,13 +60,14 @@ metadata:
 {{ include "kommander.labels" . | indent 4 }}
   annotations:
     "helm.sh/hook": pre-delete
-    "helm.sh/hook-weight": "-5"
+    "helm.sh/hook-weight": "5"
     "helm.sh/hook-delete-policy": hook-succeeded
 spec:
   template:
     metadata:
       name: cleanup-{{ .Values.grafana.hooks.jobName }}
     spec:
+      serviceAccountName: {{ .Values.grafana.hooks.kommanderServiceAccount }}
       containers:
         - name: kubectl
           image: bitnami/kubectl:1.16.2

diff --git a/stable/kommander/templates/grafana/opsportal-credentials-secret.yaml b/stable/kommander/templates/grafana/opsportal-credentials-secret.yaml
@@ -35,13 +35,14 @@ metadata:
 {{ include "kommander.labels" . | indent 4 }}
   annotations:
     "helm.sh/hook": pre-delete
-    "helm.sh/hook-weight": "-4"
+    "helm.sh/hook-weight": "5"
     "helm.sh/hook-delete-policy": hook-succeeded
 spec:
   template:
     metadata:
       name: cleanup-opsportal-credentials-secret
     spec:
+      serviceAccountName: {{ .Values.grafana.hooks.kommanderServiceAccount }}
       containers:
         - name: kubectl
           image: bitnami/kubectl:1.16.2

diff --git a/stable/kommander/templates/hooks-kubeaddons.yaml b/stable/kommander/templates/hooks-kubeaddons.yaml
@@ -7,7 +7,7 @@ metadata:
   labels:
 {{ include "kommander.labels" . | indent 4 }}
   annotations:
-    "helm.sh/hook": "pre-install"
+    "helm.sh/hook": pre-install,pre-delete
     "helm.sh/hook-weight": "1"
     "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
 rules:
@@ -27,7 +27,7 @@ metadata:
   labels:
 {{ include "kommander.labels" . | indent 4 }}
   annotations:
-    "helm.sh/hook": "pre-install"
+    "helm.sh/hook": pre-install,pre-delete
     "helm.sh/hook-weight": "2"
     "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
 roleRef:
@@ -38,6 +38,9 @@ subjects:
 - kind: ServiceAccount
   name: default
   namespace: {{ .Release.Namespace }}
+- kind: ServiceAccount
+  name: {{ template "kommander.fullname" . }}
+  namespace: {{ .Release.Namespace }}
 ---
 apiVersion: batch/v1
 kind: Job
@@ -47,7 +50,7 @@ metadata:
   labels:
 {{ include "kommander.labels" . | indent 4 }}
   annotations:
-    "helm.sh/hook": "pre-install"
+    "helm.sh/hook": pre-install
     "helm.sh/hook-weight": "3"
     "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
 spec:

diff --git a/stable/kommander/values.yaml b/stable/kommander/values.yaml
@@ -84,6 +84,7 @@ grafana:
     secretKeyRef: ops-portal-credentials
     serviceURL: http://kommander-kubeaddons-grafana.kommander
     homeDashboardUID: efa86fd1d0c121a26444b636a3f509a8
+    kommanderServiceAccount: kommander-kubeaddons
 
   ## Do not deploy default dashboards.
   ##