Chart 1.3.2 shipped serviceaccount-cutover-driver.yaml +
clusterrole-cutover-driver.yaml + clusterrolebinding-cutover-driver.yaml
with `{{ .Release.Namespace }}` directives that rendered fine via Helm
on Sovereigns but BROKE the Kustomize-mode contabo-mkt deploy: the
directives made Kustomize parse the files as invalid YAML and silently
skip them. Worse, the new files were never added to
templates/kustomization.yaml's resources list.

Result on contabo: catalyst-api Pod's spec.serviceAccountName references
a non-existent SA — the Pod fails ContainerCreating with the same RBAC
forbidden error #830 was meant to fix.

Fix:
- Strip `{{ .Release.Namespace }}` directives from the SA + ClusterRole
  files. metadata.namespace auto-fills from Helm's --namespace flag
  and from Kustomize's `namespace:` directive.
- For ClusterRoleBinding: Helm does NOT auto-inject
  subjects[0].namespace the way it does metadata.namespace, so the
  apiserver rejects bindings without it. Split into two files:
  * clusterrolebinding-cutover-driver.yaml — Helm-only, uses
    {{ .Release.Namespace }} (correctly resolves to catalyst-system
    on Sovereigns).
  * clusterrolebinding-cutover-driver-kustomize.yaml — Kustomize-only,
    omits subjects[0].namespace and relies on Kustomize's native
    injection (resolves to `catalyst` on contabo).
  The .helmignore excludes the Kustomize-only file from Sovereign
  chart packaging; templates/kustomization.yaml's resources list
  references the Kustomize-only file, NOT the Helm-only one.
- Add the new RBAC files to templates/kustomization.yaml's resources
  list so contabo's Flux Kustomization actually renders them.

Verified live with `helm template` (subjects[0].namespace=catalyst-system)
and `kubectl kustomize` (subjects[0].namespace=catalyst).

Bumps bp-catalyst-platform 1.3.2 → 1.3.3.

Issue: openova-io/openova#830 (Bug 1 follow-up)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
29 lines
1.2 KiB
YAML
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: catalyst
resources:
- ui-deployment.yaml
- ui-service.yaml
- api-deployment.yaml
- api-deployments-pvc.yaml
- api-cache-pvc.yaml
- api-service.yaml
- ingress.yaml
- ingress-console-tls.yaml
# Cutover-driver RBAC (issue #830 Bug 1): ServiceAccount +
# ClusterRole + ClusterRoleBinding bound to catalyst-api so the
# /api/v1/sovereign/cutover/start endpoint can read/patch the cutover
# ConfigMaps and create/watch Jobs in the cutover namespace.
# Without these listed here, the Kustomize render silently dropped
# them — contabo deploys would fail with the catalyst-api Pod
# referencing a non-existent SA.
#
# NOTE on the binding suffix: clusterrolebinding-cutover-driver-
# kustomize.yaml is the Kustomize-mode counterpart of the Helm-mode
# clusterrolebinding-cutover-driver.yaml. The Helm file uses
# {{ .Release.Namespace }} which Kustomize cannot parse, so we keep
# them as separate sibling files — see comments in each file.
- serviceaccount-cutover-driver.yaml
- clusterrole-cutover-driver.yaml
- clusterrolebinding-cutover-driver-kustomize.yaml
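The commit message describes two ways a render can go wrong: a workload whose serviceAccountName has no ServiceAccount in the render (Kustomize silently dropping the templated files), and a ClusterRoleBinding whose ServiceAccount subject has no namespace (Helm not injecting subjects[].namespace). The lint below is an added example, not part of this chart or commit; it assumes the rendered `helm template` / `kubectl kustomize` output has already been parsed into a list of dicts (e.g. with yaml.safe_load_all), and the SA name `cutover-driver` and the embedded sample renders are constructed stand-ins.

```python
def _ns(doc, default):
    return doc.get("metadata", {}).get("namespace") or default

def _pod_specs(doc):
    """Yield the pod spec of a Pod, or of a Deployment/Job-style template."""
    if doc.get("kind") == "Pod":
        yield doc.get("spec", {})
    template = doc.get("spec", {}).get("template")
    if template:
        yield template.get("spec", {})

def lint_rbac(docs, default_namespace):
    """Return problem strings; an empty list means the render is consistent."""
    sas = {(_ns(d, default_namespace), d["metadata"]["name"])
           for d in docs if d.get("kind") == "ServiceAccount"}
    problems = []
    for d in docs:
        kind, name = d.get("kind"), d.get("metadata", {}).get("name", "?")
        ns = _ns(d, default_namespace)
        # Workload referencing an SA that was never rendered (the contabo bug).
        for spec in _pod_specs(d):
            sa = spec.get("serviceAccountName")
            if sa and sa != "default" and (ns, sa) not in sas:
                problems.append(f"{kind}/{name}: serviceAccountName {sa!r} "
                                f"has no ServiceAccount in namespace {ns!r}")
        # Binding whose SA subject lacks a namespace, or names an unrendered SA.
        if kind in ("ClusterRoleBinding", "RoleBinding"):
            for s in d.get("subjects", []):
                if s.get("kind") != "ServiceAccount":
                    continue
                if not s.get("namespace"):
                    problems.append(f"{kind}/{name}: subject {s.get('name')!r} "
                                    "lacks namespace; the apiserver rejects it")
                elif (s["namespace"], s["name"]) not in sas:
                    problems.append(f"{kind}/{name}: subject "
                                    f"{s['namespace']}/{s['name']} is not rendered")
    return problems

# Constructed stand-in for the broken 1.3.2 Kustomize render: the templated
# RBAC files were skipped, so only the workload survived. SA name is assumed.
BROKEN_RENDER = [
    {"kind": "Deployment", "metadata": {"name": "catalyst-api"},
     "spec": {"template": {"spec": {"serviceAccountName": "cutover-driver"}}}},
]
# Constructed stand-in for the 1.3.3 render after Kustomize namespace injection.
FIXED_RENDER = BROKEN_RENDER + [
    {"kind": "ServiceAccount",
     "metadata": {"name": "cutover-driver", "namespace": "catalyst"}},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "cutover-driver"},
     "subjects": [{"kind": "ServiceAccount", "name": "cutover-driver",
                   "namespace": "catalyst"}]},
]
```

Running `lint_rbac` over both renders before `kubectl apply` turns the silent Kustomize skip into a failing check instead of a Pod stuck at creation.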