[CELEBORN-1788] Add role and roleBinding helm charts

### What changes were proposed in this pull request? as title ### Why are the changes needed? help service account control what permissions and resources a pod has access to. ### Does this PR introduce _any_ user-facing change? no ### How was this patch tested? test the template rendering by helm template command line Closes #3009 from zhaohehuhu/dev-1219. Authored-by: zhaohehuhu <[email protected]> Signed-off-by: mingji <[email protected]>
apache · Dec 23, 2024 · eaa0726 · eaa0726
1 parent 8052321
commit eaa0726
Show file tree

Hide file tree

Showing 8 changed files with 253 additions and 0 deletions.
diff --git a/charts/celeborn/ci/values.yaml b/charts/celeborn/ci/values.yaml
@@ -140,3 +140,12 @@ serviceAccount:
   create: false
   # -- Specifies the name of the service account
   name: default
+
+rbac:
+  create: false
+  roleName: default
+  roleBindingName: default
+  rules:
+    - apiGroups: [""]
+      resources: ["pods"]
+      verbs: ["create", "list", "delete"]
diff --git a/charts/celeborn/templates/_helpers.tpl b/charts/celeborn/templates/_helpers.tpl
@@ -78,6 +78,28 @@ Create the name of the service account to use
 {{- end }}
 {{- end }}
 
+{{/*
+Create the name of the role to use
+*/}}
+{{- define "celeborn.roleName" -}}
+{{- if .Values.rbac.create }}
+{{- default (include "celeborn.fullname" .) .Values.rbac.roleName }}
+{{- else }}
+{{- default "default" .Values.rbac.roleName }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create the name of the roleBinding to use
+*/}}
+{{- define "celeborn.roleBindingName" -}}
+{{- if .Values.rbac.create }}
+{{- default (include "celeborn.fullname" .) .Values.rbac.roleBindingName }}
+{{- else }}
+{{- default "default" .Values.rbac.roleBindingName }}
+{{- end }}
+{{- end }}
+
 {{/*
 Create the name of configmap to use
 */}}

diff --git a/charts/celeborn/templates/role.yaml b/charts/celeborn/templates/role.yaml
@@ -0,0 +1,27 @@
+{{- /*
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements.  See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License.  You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/ -}}
+
+{{- if .Values.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "celeborn.roleName" . }}
+  labels:
+    {{- include "celeborn.labels" . | nindent 4 }}
+rules: {{- toYaml .Values.rbac.rules | nindent 2 }}
+{{- end }}
+
diff --git a/charts/celeborn/templates/rolebinding.yaml b/charts/celeborn/templates/rolebinding.yaml
@@ -0,0 +1,33 @@
+{{- /*
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements.  See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License.  You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/ -}}
+
+{{- if .Values.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "celeborn.roleBindingName" . }}
+  labels:
+    {{- include "celeborn.labels" . | nindent 4 }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "celeborn.serviceAccountName" . }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "celeborn.roleName" . }}
+{{- end }}
+
diff --git a/charts/celeborn/tests/role_test.yaml b/charts/celeborn/tests/role_test.yaml
@@ -0,0 +1,59 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+suite: Test Celeborn role
+
+templates:
+  - role.yaml
+
+release:
+  name: celeborn
+
+tests:
+  - it: Should not create role if `rbac.create` is false
+    set:
+      rbac:
+        create: false
+    asserts:
+      - hasDocuments:
+          count: 0
+
+
+  - it: Should create a Role resource with specific rules when rbac.create is true
+    set:
+      rbac:
+        create: true
+        rbac:
+          rules:
+            - apiGroups: [ "" ]
+              resources: [ "pods" ]
+              verbs: [ "get", "watch", "list" ]
+    asserts:
+      - containsDocument:
+          apiVersion: rbac.authorization.k8s.io/v1
+          kind: Role
+          metadata:
+            name: celeborn-role
+          rules:
+            - apiGroups:
+                - ""
+              resources:
+                - pods
+              verbs:
+                - get
+                - watch
+                - list
diff --git a/charts/celeborn/tests/rolebinding_test.yaml b/charts/celeborn/tests/rolebinding_test.yaml
@@ -0,0 +1,51 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+suite: Test Celeborn rolebinding
+
+templates:
+  - rolebinding.yaml
+
+release:
+  name: celeborn
+
+tests:
+  - it: Should not create a RoleBinding resource when rbac.create is false
+    set:
+      rbac:
+        create: false
+    asserts:
+      - hasDocuments:
+          count: 0
+
+  - it: Should create a RoleBinding resource when rbac.create is true
+    set:
+      rbac:
+        create: true
+    asserts:
+      - containsDocument:
+          apiVersion: rbac.authorization.k8s.io/v1
+          kind: RoleBinding
+          metadata:
+            name: celeborn-rolebinding
+          subjects:
+            - kind: ServiceAccount
+              name: default
+          roleRef:
+            apiGroup: rbac.authorization.k8s.io
+            kind: Role
+            name: celeborn-role
diff --git a/charts/celeborn/tests/serviceaccount_test.yaml b/charts/celeborn/tests/serviceaccount_test.yaml
@@ -0,0 +1,43 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+suite: Test Celeborn service account
+
+templates:
+  - serviceaccount.yaml
+
+release:
+  name: celeborn
+
+tests:
+  - it: Should not create service account if `serviceAccount.create` is false
+    set:
+      serviceAccount:
+        create: false
+    asserts:
+      - hasDocuments:
+          count: 0
+
+  - it: Should create service account if `serviceAccount.create` is true
+    set:
+      serviceAccount:
+        create: true
+    asserts:
+      - containsDocument:
+          apiVersion: v1
+          kind: ServiceAccount
+          name: default
diff --git a/charts/celeborn/values.yaml b/charts/celeborn/values.yaml
@@ -253,3 +253,12 @@ serviceAccount:
   create: false
   # -- Specifies the name of the service account
   name: default
+
+rbac:
+  create: true
+  roleName: default
+  roleBindingName: default
+  rules:
+    - apiGroups: [""]
+      resources: ["pods"]
+      verbs: ["create", "list", "delete"]