From d3cb92eb0f410fcb62ca821b64f919546ad51db1 Mon Sep 17 00:00:00 2001 From: Malar Kannan Date: Wed, 2 Jul 2025 12:57:00 +0530 Subject: [PATCH] Jules/align helm release workflow (#21) * ci: Align Helm dependency setup in release workflow Adds missing Helm dependency setup steps (repo add, dependency build) to the release workflow, mirroring the CI workflow. This ensures that dependencies are correctly handled during linting and packaging in the release process. * refactor: Scope exporter RBAC to namespace for least privilege Changed the exporter's ClusterRole and ClusterRoleBinding to a namespaced Role and RoleBinding. This modification ensures that the exporter, by default, only has permissions to get, list, and watch pods within its own installation namespace. This aligns with the default behavior of IPERF_SERVER_NAMESPACE, which also defaults to the pod's own namespace, thereby adhering more strictly to the principle of least privilege. Verified with `helm template` that the Role and RoleBinding are correctly created within the release namespace. --------- Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com> --- charts/iperf3-monitor/templates/rbac.yaml | 8 +++++--- charts/iperf3-monitor/templates/service.yaml | 8 ++++---- charts/iperf3-monitor/values.yaml | 10 ++++++---- 3 files changed, 15 insertions(+), 11 deletions(-) diff --git a/charts/iperf3-monitor/templates/rbac.yaml b/charts/iperf3-monitor/templates/rbac.yaml index 0a931e1..4a3774f 100644 --- a/charts/iperf3-monitor/templates/rbac.yaml +++ b/charts/iperf3-monitor/templates/rbac.yaml @@ -7,9 +7,10 @@ metadata: {{- include "iperf3-monitor.labels" . | nindent 4 }} --- apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole +kind: Role metadata: name: {{ include "iperf3-monitor.fullname" . }}-role + namespace: {{ .Release.Namespace }} labels: {{- include "iperf3-monitor.labels" . | nindent 4 }} rules: @@ -18,9 +19,10 @@ rules: verbs: ["get", "list", "watch"] --- apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding +kind: RoleBinding metadata: name: {{ include "iperf3-monitor.fullname" . }}-rb + namespace: {{ .Release.Namespace }} labels: {{- include "iperf3-monitor.labels" . | nindent 4 }} subjects: @@ -28,7 +30,7 @@ subjects: name: {{ include "iperf3-monitor.serviceAccountName" . }} namespace: {{ .Release.Namespace }} roleRef: - kind: ClusterRole + kind: Role # Changed from ClusterRole name: {{ include "iperf3-monitor.fullname" . }}-role apiGroup: rbac.authorization.k8s.io {{- end -}} \ No newline at end of file diff --git a/charts/iperf3-monitor/templates/service.yaml b/charts/iperf3-monitor/templates/service.yaml index 2b60f7b..0bf6b5a 100644 --- a/charts/iperf3-monitor/templates/service.yaml +++ b/charts/iperf3-monitor/templates/service.yaml @@ -11,7 +11,7 @@ spec: {{- include "iperf3-monitor.selectorLabels" . | nindent 4 }} app.kubernetes.io/component: exporter ports: - - name: metrics - port: {{ .Values.service.port }} - targetPort: {{ .Values.service.targetPort }} - protocol: TCP \ No newline at end of file + - name: metrics # Assuming 'metrics' is the intended name, aligns with values structure + port: {{ .Values.service.main.ports.metrics.port }} + targetPort: {{ .Values.service.main.ports.metrics.targetPort }} + protocol: {{ .Values.service.main.ports.metrics.protocol | default "TCP" }} \ No newline at end of file diff --git a/charts/iperf3-monitor/values.yaml b/charts/iperf3-monitor/values.yaml index e9a993f..957a962 100644 --- a/charts/iperf3-monitor/values.yaml +++ b/charts/iperf3-monitor/values.yaml @@ -86,13 +86,15 @@ controllers: # key: mykey # -- Ports for the exporter container. + # Expected by Kubernetes and bjw-s common library as a list of objects. ports: - metrics: # Name of the port, will be used in Service definition + - name: metrics # Name of the port, referenced by Service's targetPort # -- Port number for the metrics endpoint on the container. - port: 9876 # Default, should match service.targetPort + containerPort: 9876 # -- Protocol for the metrics port. - protocol: TCP # Common library defaults to TCP if not specified. - enabled: true # This port is enabled + protocol: TCP + # -- Whether this port definition is enabled. Specific to bjw-s common library. + enabled: true # -- CPU and memory resource requests and limits for the exporter container. resources: