From 84a116d0ca4fdeb58d9bfc6c526d7d6cecb916fe Mon Sep 17 00:00:00 2001
From: Guillaume Jacquet
Date: Fri, 8 Sep 2023 15:28:47 +0000
Subject: [PATCH 1/9] Fix KEDA crashes when using cert-manager certificates and restricted secret access
Allow KEDA operator to get, list and watch secrets in its own namespace when restricted mode and certmanager are enabled.
Signed-off-by: Guillaume Jacquet
---
 keda/Chart.yaml | 2 +-
 keda/templates/manager/role.yaml | 8 +++++---
 keda/templates/manager/rolebinding.yaml | 2 +-
 3 files changed, 7 insertions(+), 5 deletions(-)
diff --git a/keda/Chart.yaml b/keda/Chart.yaml
index 316dee14..3875b642 100644
--- a/keda/Chart.yaml
+++ b/keda/Chart.yaml
@@ -8,7 +8,7 @@ kubeVersion: ">=v1.23.0-0"
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
-version: 2.11.2
+version: 2.11.3
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application.
diff --git a/keda/templates/manager/role.yaml b/keda/templates/manager/role.yaml
index 04d384c9..76082a04 100644
--- a/keda/templates/manager/role.yaml
+++ b/keda/templates/manager/role.yaml
@@ -1,4 +1,4 @@
-{{- if and .Values.certificates.autoGenerated ( not .Values.certificates.certManager.enabled ) }}
+{{- if or .Values.certificates.autoGenerated .Values.certificates.certManager.enabled }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
@@ -17,11 +17,13 @@ rules:
 resources:
 - secrets
 verbs:
+ {{- if not .Values.certificates.certManager.enabled }}
 - create
 - delete
- - get
- - list
 - patch
 - update
+ {{- end }}
 - watch
+ - get
+ - list
 {{- end -}}
diff --git a/keda/templates/manager/rolebinding.yaml b/keda/templates/manager/rolebinding.yaml
index d59542ef..3b0e5a49 100644
--- a/keda/templates/manager/rolebinding.yaml
+++ b/keda/templates/manager/rolebinding.yaml
@@ -1,4 +1,4 @@
-{{- if and .Values.certificates.autoGenerated ( not .Values.certificates.certManager.enabled ) }}
+{{- if or .Values.certificates.autoGenerated .Values.certificates.certManager.enabled }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
From b103bf65c62e2f01f497e48ee3d5a2ddb487066c Mon Sep 17 00:00:00 2001
From: Guillaume Jacquet
Date: Wed, 13 Sep 2023 13:45:50 +0000
Subject: [PATCH 2/9] revert version bump
Signed-off-by: Guillaume Jacquet
---
 keda/Chart.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/keda/Chart.yaml b/keda/Chart.yaml
index 3875b642..316dee14 100644
--- a/keda/Chart.yaml
+++ b/keda/Chart.yaml
@@ -8,7 +8,7 @@ kubeVersion: ">=v1.23.0-0"
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
-version: 2.11.3
+version: 2.11.2
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application.
From dbdf3b4076e2ed8e761008edb235c8611793ca32 Mon Sep 17 00:00:00 2001
From: Guillaume Jacquet
Date: Mon, 25 Sep 2023 13:02:39 +0000
Subject: [PATCH 3/9] extra conditions
Signed-off-by: Guillaume Jacquet
---
 keda/templates/manager/role.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/keda/templates/manager/role.yaml b/keda/templates/manager/role.yaml
index 76082a04..ebaf81ba 100644
--- a/keda/templates/manager/role.yaml
+++ b/keda/templates/manager/role.yaml
@@ -1,4 +1,4 @@
-{{- if or .Values.certificates.autoGenerated .Values.certificates.certManager.enabled }}
+{{- if or .Values.certificates.autoGenerated (and .Values.permissions.operator.restrict.secret .Values.certificates.certManager.enabled)) }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
@@ -17,7 +17,7 @@ rules:
 resources:
 - secrets
 verbs:
- {{- if not .Values.certificates.certManager.enabled }}
+ {{- if not (and .Values.permissions.operator.restrict.secret .Values.certificates.certManager.enabled) }}
 - create
 - delete
 - patch
From 10b6d9c305186c48681a2157a6173908be331064 Mon Sep 17 00:00:00 2001
From: Guillaume Jacquet
Date: Mon, 25 Sep 2023 13:09:44 +0000
Subject: [PATCH 4/9] fix )
Signed-off-by: Guillaume Jacquet
---
 keda/templates/manager/role.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/keda/templates/manager/role.yaml b/keda/templates/manager/role.yaml
index ebaf81ba..7c512712 100644
--- a/keda/templates/manager/role.yaml
+++ b/keda/templates/manager/role.yaml
@@ -1,4 +1,4 @@
-{{- if or .Values.certificates.autoGenerated (and .Values.permissions.operator.restrict.secret .Values.certificates.certManager.enabled)) }}
+{{- if or .Values.certificates.autoGenerated (and .Values.permissions.operator.restrict.secret .Values.certificates.certManager.enabled) }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
From b3689e495565a48b9add7557cc492e35a0a78ecb Mon Sep 17 00:00:00 2001
From: Guillaume Jacquet
Date: Mon, 25 Sep 2023 13:12:48 +0000
Subject: [PATCH 5/9] extra conditions
Signed-off-by: Guillaume Jacquet
---
 keda/templates/manager/rolebinding.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/keda/templates/manager/rolebinding.yaml b/keda/templates/manager/rolebinding.yaml
index 3b0e5a49..ec48dbf1 100644
--- a/keda/templates/manager/rolebinding.yaml
+++ b/keda/templates/manager/rolebinding.yaml
@@ -1,4 +1,4 @@
-{{- if or .Values.certificates.autoGenerated .Values.certificates.certManager.enabled }}
+{{- if or .Values.certificates.autoGenerated (and .Values.permissions.operator.restrict.secret .Values.certificates.certManager.enabled) }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
From 3b69b8db1c0ae9fa29989f3542e43f2dfb7cf2c9 Mon Sep 17 00:00:00 2001
From: Guillaume Jacquet
Date: Mon, 25 Sep 2023 15:30:09 +0000
Subject: [PATCH 6/9] fix role creation logic
Signed-off-by: Guillaume Jacquet
---
 keda/templates/manager/role.yaml | 2 +-
 keda/templates/manager/rolebinding.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/keda/templates/manager/role.yaml b/keda/templates/manager/role.yaml
index 7c512712..1a2901b5 100644
--- a/keda/templates/manager/role.yaml
+++ b/keda/templates/manager/role.yaml
@@ -1,4 +1,4 @@
-{{- if or .Values.certificates.autoGenerated (and .Values.permissions.operator.restrict.secret .Values.certificates.certManager.enabled) }}
+{{- if or (and .Values.certificates.autoGenerated (not .Values.certificates.certManager.enabled)) (and .Values.permissions.operator.restrict.secret .Values.certificates.certManager.enabled) }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
diff --git a/keda/templates/manager/rolebinding.yaml b/keda/templates/manager/rolebinding.yaml
index ec48dbf1..358c5124 100644
--- a/keda/templates/manager/rolebinding.yaml
+++ b/keda/templates/manager/rolebinding.yaml
@@ -1,4 +1,4 @@
-{{- if or .Values.certificates.autoGenerated (and .Values.permissions.operator.restrict.secret .Values.certificates.certManager.enabled) }}
+{{- if or (and .Values.certificates.autoGenerated (not .Values.certificates.certManager.enabled)) (and .Values.permissions.operator.restrict.secret .Values.certificates.certManager.enabled) }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
From be9a3ac968cc455db8a5c203b49c69e28684b936 Mon Sep 17 00:00:00 2001
From: Guillaume Jacquet
Date: Mon, 25 Sep 2023 16:09:09 -0400
Subject: [PATCH 7/9] Update keda/templates/manager/role.yaml
Co-authored-by: Jorge Turrado Ferrero
Signed-off-by: Guillaume Jacquet
---
 keda/templates/manager/role.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/keda/templates/manager/role.yaml b/keda/templates/manager/role.yaml
index 1a2901b5..fd8bd9cb 100644
--- a/keda/templates/manager/role.yaml
+++ b/keda/templates/manager/role.yaml
@@ -1,4 +1,4 @@
-{{- if or (and .Values.certificates.autoGenerated (not .Values.certificates.certManager.enabled)) (and .Values.permissions.operator.restrict.secret .Values.certificates.certManager.enabled) }}
+{{- if or (and .Values.certificates.autoGenerated (not .Values.certificates.certManager.enabled)) (.Values.permissions.operator.restrict.secret) }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
From 19959a181ead90f6b64cfd7c2824958f73ff4966 Mon Sep 17 00:00:00 2001
From: Guillaume Jacquet
Date: Mon, 25 Sep 2023 16:10:01 -0400
Subject: [PATCH 8/9] Update keda/templates/manager/rolebinding.yaml
Co-authored-by: Jorge Turrado Ferrero
Signed-off-by: Guillaume Jacquet
---
 keda/templates/manager/rolebinding.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/keda/templates/manager/rolebinding.yaml b/keda/templates/manager/rolebinding.yaml
index 358c5124..b7f78259 100644
--- a/keda/templates/manager/rolebinding.yaml
+++ b/keda/templates/manager/rolebinding.yaml
@@ -1,4 +1,4 @@
-{{- if or (and .Values.certificates.autoGenerated (not .Values.certificates.certManager.enabled)) (and .Values.permissions.operator.restrict.secret .Values.certificates.certManager.enabled) }}
+{{- if or (and .Values.certificates.autoGenerated (not .Values.certificates.certManager.enabled)) (.Values.permissions.operator.restrict.secret) }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
From aae6df58f4e7a552c1f5ac611a2e38a6635663b4 Mon Sep 17 00:00:00 2001
From: Guillaume Jacquet
Date: Mon, 25 Sep 2023 20:12:39 +0000
Subject: [PATCH 9/9] fixes
Signed-off-by: Guillaume Jacquet
---
 keda/templates/manager/role.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/keda/templates/manager/role.yaml b/keda/templates/manager/role.yaml
index fd8bd9cb..b3b8a284 100644
--- a/keda/templates/manager/role.yaml
+++ b/keda/templates/manager/role.yaml
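Review bot: With the new creation condition, `permissions.operator.restrict.secret: true` on its own is enough to render this Role — a read grant on every Secret in the release namespace — even when neither `certificates.autoGenerated` nor cert-manager is in use, which the pre-series condition removed in patch 1 (`and autoGenerated (not certManager.enabled)`) never did, and the commit message "Update keda/templates/manager/role.yaml" gives no rationale. Presumably the operator reads Secrets from its own namespace in restricted mode and needs the grant whatever the certificate source; if so, state that in the message and in the `permissions.operator.restrict.secret` description in values.yaml so operators of restricted installs know this Role exists. The same expression is copy-pasted into rolebinding.yaml in the next patch (as it was in patches 3 and 5), and a drift between the two leaves either an unbound Role or a RoleBinding to a missing Role; a helper such as `{{- define "keda.operator.secretRole.enabled" -}}{{ or (and .Values.certificates.autoGenerated (not .Values.certificates.certManager.enabled)) .Values.permissions.operator.restrict.secret }}{{- end -}}` used via `{{- if eq (include "keda.operator.secretRole.enabled" .) "true" }}` in both templates would remove the duplication. The Role's rules are outside this hunk.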
@@ -17,7 +17,7 @@ rules:
 resources:
 - secrets
 verbs:
- {{- if not (and .Values.permissions.operator.restrict.secret .Values.certificates.certManager.enabled) }}
+ {{- if and .Values.certificates.autoGenerated (not .Values.certificates.certManager.enabled) }}
 - create
 - delete
 - patch
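Review bot: The new guard on the write verbs, `{{- if and .Values.certificates.autoGenerated (not .Values.certificates.certManager.enabled) }}`, repeats verbatim the first operand of the Role's creation condition on line 1 of this file (outside the hunk), and nothing in the template says why `create`/`delete`/`patch`/`update` are tied to that case while the read verbs are not. Binding it once at the top of the file, `{{- $selfSigned := and .Values.certificates.autoGenerated (not .Values.certificates.certManager.enabled) }}`, and using `$selfSigned` in both places would keep the two from drifting the way the earlier patches in this series did. I would also put a comment above the guard, `{{- /* write access is only needed when KEDA generates and rotates the TLS Secret itself; with cert-manager or restricted mode alone it only reads Secrets */ -}}` — presumably that is the intent, but confirm it against the operator's behaviour. The `- update`, `{{- end }}` and the `watch`/`get`/`list` verbs follow the hunk.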