Skip to content

feat(helm/provisioner): support deploying multiple provisioners in same namespace#15637

Merged
johnstcn merged 3 commits into
mainfrom
cj/helm-provisioner-sa-disable-create
Nov 25, 2024
Merged

feat(helm/provisioner): support deploying multiple provisioners in same namespace#15637
johnstcn merged 3 commits into
mainfrom
cj/helm-provisioner-sa-disable-create

Conversation

@johnstcn
Copy link
Copy Markdown
Member

@johnstcn johnstcn commented Nov 24, 2024
edited
Loading

Fixes #15437

This allows us to support the following use-cases:

  1. Deploying multiple provisioner daemons with separate service accounts and roles: set nameOverride and coder.serviceAccount.Name
  2. Deploying a provisioner daemon that references an existing service account without creating a separate sa/role/rolebinding: set coder.serviceAccount.disableCreate=true, coder.serviceAccount.workspacePerms=false and coder.serviceAccount.name=<name of existing sa>.

Validated nameOverride using kustomize:

# Staged changes
--- a/kustomize/mycluster/coder/provisioner/kustomization.yaml
+++ b/kustomize/mycluster/coder/provisioner/kustomization.yaml
@@ -7,6 +7,12 @@ helmCharts:
     version: "2.17.2"
     namespace: coder
     valuesFile: provisioner-values.yaml
+  - name: coder-provisioner
+    releaseName: other-coder-provisioner
+    repo: https://helm.coder.com/v2
+    version: "2.17.2"
+    namespace: coder
+    valuesFile: other-provisioner-values.yaml

--- /dev/null
+++ b/kustomize/mycluster/coder/provisioner/other-provisioner-values.yaml
@@ -0,0 +1,7 @@
+coder:
+  serviceAccount:
+    name: "other-coder-provisioner"
+provisionerDaemon:
+  keySecretName: other-coder-provisioner-keys
+  keySecretKey: other-coder-onprem-1
+nameOverride: "other-coder-provisioner"

# Resulting new files (no modifications):

Untracked files:
  (use "git add <file>..." to include in what will be committed)
	clusters/mycluster/coder/generated/deployment-other-coder-provisioner.yaml
	clusters/mycluster/coder/generated/role-other-coder-provisioner-workspace-perms.yaml
	clusters/mycluster/coder/generated/rolebinding-other-coder-provisioner.yaml
	clusters/mycluster/coder/generated/serviceaccount-other-coder-provisioner.yaml

johnstcn
johnstcn commented Nov 24, 2024
View reviewed changes
Comment thread helm/coder/values.yaml
# coder.serviceAccount.name -- The service account name
name: coder
# coder.serviceAccount.name -- Whether to create the service account or use existing service account
# coder.serviceAccount.disableCreate -- Whether to create the service account or use existing service account.
Copy link
Copy Markdown
Member Author

@johnstcn johnstcn Nov 24, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

self review: drive-by typo fix

Comment thread helm/provisioner/README.md
Comment on lines -35 to +36
pskSecretName: "coder-provisioner-psk"
keySecretName: "coder-provisionerd-key"
keySecretKey: "provisionerd-key"
Copy link
Copy Markdown
Member Author

@johnstcn johnstcn Nov 24, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

self-review: advertising provisioner keys as the preferred auth method

Comment thread helm/provisioner/README.md
Comment on lines +105 to +113
extraTemplates:
- |
apiVersion: v1
kind: ConfigMap
metadata:
name: some-other-config
namespace: {{ .Release.Namespace }}
data:
key: some-other-value
Copy link
Copy Markdown
Member Author

@johnstcn johnstcn Nov 24, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

self-review: this isn't strictly necessary, but I figured it could be a potential point of confusion, so elected to clarify it here.

Comment thread helm/provisioner/README.md
keySecretKey: "provisionerd-key"
```

## Specific Examples
Copy link
Copy Markdown
Member Author

@johnstcn johnstcn Nov 24, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

self-review: these examples are essentially lifted from our tests

Comment thread helm/provisioner/README.md
name: other-coder-provisioner
provisionerDaemon:
# ...
nameOverride: "other-coder-provisioner"
Copy link
Copy Markdown
Member Author

@johnstcn johnstcn Nov 24, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

self-review: this setting is essentially buried in libcoder, but it seems to be the best way to do this. Introducing a new separate variable here is just going to make things more complicated.

Comment thread helm/provisioner/templates/coder.yaml
Comment on lines +2 to +4
{{- if not .Values.coder.serviceAccount.disableCreate }}
{{ include "libcoder.serviceaccount" (list . "coder.serviceaccount") }}
{{- end }}
Copy link
Copy Markdown
Member Author

@johnstcn johnstcn Nov 24, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

self-review: this was added for helm/coder in #14817 but not ported over here.

I'm not sure if it would be better to do it in libcoder, folks don't seem to look in there much.

Comment thread helm/provisioner/tests/testdata/name_override.golden
type: RuntimeDefault
volumeMounts: []
restartPolicy: Always
serviceAccountName: other-coder-provisioner
Copy link
Copy Markdown
Member Author

@johnstcn johnstcn Nov 24, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

self-review: the fact that nameOverride has no bearing on serviceAccountName explicitly allows us to reference a pre-existing service account

@johnstcn johnstcn requested a review from spikecurtis November 24, 2024 17:06
@johnstcn johnstcn marked this pull request as ready for review November 24, 2024 17:06
ethanndickson
ethanndickson reviewed Nov 25, 2024
View reviewed changes
Copy link
Copy Markdown
Member

@ethanndickson ethanndickson left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, but will let someone with more helm experience approve

@johnstcn johnstcn removed the request for review from spikecurtis November 25, 2024 10:23
dannykopping
dannykopping approved these changes Nov 25, 2024
View reviewed changes
Copy link
Copy Markdown
Contributor

@dannykopping dannykopping left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@johnstcn johnstcn merged commit 7876dc5 into main Nov 25, 2024
@johnstcn johnstcn deleted the cj/helm-provisioner-sa-disable-create branch November 25, 2024 14:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ethanndickson ethanndickson ethanndickson left review comments

@dannykopping dannykopping dannykopping approved these changes

Assignees

@johnstcn johnstcn

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Cannot deploy multiple provisioners on same namespace via Helm

3 participants

@johnstcn @dannykopping @ethanndickson