feat: [TKC-3299] add namespaces rbac (#997)

vsukhin · web-flow · commit 41e8d05b84fb · 2025-03-12T15:14:14.000+03:00
* feat: add namespaces rbac

Signed-off-by: Vladislav Sukhin &lt;vladislav@kubeshop.io&gt;

* fix: disable cron jobs flag

Signed-off-by: Vladislav Sukhin &lt;vladislav@kubeshop.io&gt;

* fix: typo

Signed-off-by: Vladislav Sukhin &lt;vladislav@kubeshop.io&gt;

* fix: change default flag

Signed-off-by: Vladislav Sukhin &lt;vladislav@kubeshop.io&gt;

* fix: add env var

Signed-off-by: Vladislav Sukhin &lt;vladislav@kubeshop.io&gt;

* fix: role typo

Signed-off-by: Vladislav Sukhin &lt;vladislav@kubeshop.io&gt;

* fix: watch role

Signed-off-by: Vladislav Sukhin &lt;vladislav@kubeshop.io&gt;

* fix: change default values

Signed-off-by: Vladislav Sukhin &lt;vladislav@kubeshop.io&gt;

* fix: change default value

Signed-off-by: Vladislav Sukhin &lt;vladislav@kubeshop.io&gt;

* fix: config name

Signed-off-by: Vladislav Sukhin &lt;vladislav@kubeshop.io&gt;

* fix: rename helm var

Signed-off-by: Vladislav Sukhin &lt;vladislav@kubeshop.io&gt;

* fix: rename helm var

Signed-off-by: Vladislav Sukhin &lt;vladislav@kubeshop.io&gt;

* fix: rename helm var

Signed-off-by: Vladislav Sukhin &lt;vladislav@kubeshop.io&gt;

* fix: disable con jobs

Signed-off-by: Vladislav Sukhin &lt;vladislav@kubeshop.io&gt;

---------

Signed-off-by: Vladislav Sukhin &lt;vladislav@kubeshop.io&gt;
diff --git a/charts/testkube-api/templates/configmap.yaml b/charts/testkube-api/templates/configmap.yaml
@@ -10,6 +10,9 @@ metadata:
   annotations: {{- include "global.tplvalues.render" ( dict "value" .Values.global.annotations "context" $ ) | nindent 4 }}
   {{- end }}
 data:
+{{- if .Values.next.enabled }}
+  enable-cron-jobs: "{{ .Values.next.cronJobs.enabled }}"
+{{- end }}
   executors.json: |-
 {{ include "testkube-api.executors" . | indent 4 }}
   job-container-template.yml: |-
diff --git a/charts/testkube-api/templates/deployment.yaml b/charts/testkube-api/templates/deployment.yaml
@@ -250,6 +250,8 @@ spec:
               value: "{{ .Values.next.gitops.namePatterns.kubernetes }}"
             - name: DISABLE_DEFAULT_AGENT
               value: "{{ not .Values.next.legacyAgent.enabled }}"
+            - name: ENABLE_CRON_JOBS
+              value: "{{ .Values.next.cronJobs.enabled }}"           
             {{- end }}
           image: {{ include "testkube-api.image" . }}
           imagePullPolicy: {{ .Values.image.pullPolicy }}
diff --git a/charts/testkube-api/values.yaml b/charts/testkube-api/values.yaml
@@ -194,6 +194,13 @@ next:
     ## Should it enable controller API
     enabled: true
 
+ 
+  ## Configure cron jobs in this installation.
+  # - tkcagnt_*** - Super Agent
+  cronJobs:
+    ## Should it manage cron jobs
+    enabled: false
+
 ## Testkube API Deployment parameters
 ## Running Testkube in Agent mode
 cloud:
diff --git a/charts/testkube-operator/README.md b/charts/testkube-operator/README.md
@@ -17,6 +17,7 @@ A Helm chart for the testkube-operator (installs needed CRDs only for now)
 | affinity | object | `{}` |  |
 | apiFullname | string | `"testkube-api-server"` |  |
 | apiPort | int | `8088` |  |
+| agentCronJobs | bool | `true` |  |
 | useArgoCDSync| bool | `false` |  |
 | extraEnvVars | list | `[]` |  |
 | fullnameOverride | string | `""` |  |
diff --git a/charts/testkube-operator/templates/deployment.yaml b/charts/testkube-operator/templates/deployment.yaml
@@ -82,6 +82,10 @@ spec:
         - name: APISERVER_PURGE_EXECUTIONS
           value: "true"
         {{- end }}
+        {{- if .Values.agentCronJobs }}        
+        - name: APISERVER_CONFIG
+          value: {{ .Values.apiFullname }}
+        {{- end }}
         ports:
         - containerPort: {{ .Values.webhookServerPort }}
           name: webhook-server
diff --git a/charts/testkube-operator/templates/role.yaml b/charts/testkube-operator/templates/role.yaml
@@ -541,4 +541,28 @@ rules:
   - update
 {{- end }}
 
+---
+
+apiVersion: {{ include "global.capabilities.rbac.apiVersion" . }}
+kind: ClusterRole
+metadata:
+  name: {{ .Release.Name }}-namespaces-role
+  labels:
+    {{- if .Values.global.labels }}
+    {{- include "global.tplvalues.render" ( dict "value" .Values.global.labels "context" $ ) | nindent 4 }}
+    {{- end }}
+    {{- if .Values.global.annotations }}
+  annotations: {{- include "global.tplvalues.render" ( dict "value" .Values.global.annotations "context" $ ) | nindent 4 }}
+    {{- end }}
+  namespace: {{ include "testkube-operator.namespace" . }}
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - get
+  - list
+  - watch
+
 {{- end -}}
diff --git a/charts/testkube-operator/templates/rolebinding.yaml b/charts/testkube-operator/templates/rolebinding.yaml
@@ -143,4 +143,28 @@ subjects:
     name: {{ include "testkube-operator.webhook.serviceAccountName" . }}
     namespace: {{ include "testkube-operator.namespace" . }}
 {{- end }}
+
+---
+
+apiVersion: {{ include "global.capabilities.rbac.apiVersion" . }}
+kind: ClusterRoleBinding
+metadata:
+  name: {{ .Release.Name }}-namespaces-rolebinding
+  labels:
+  {{- if .Values.global.labels }}
+  {{- include "global.tplvalues.render" ( dict "value" .Values.global.labels "context" $ ) | nindent 4 }}
+  {{- end }}
+  {{- if .Values.global.annotations }}
+  annotations: {{- include "global.tplvalues.render" ( dict "value" .Values.global.annotations "context" $ ) | nindent 4 }}
+  {{- end }}
+  namespace: {{ include "testkube-operator.namespace" . }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ .Release.Name }}-namespaces-role
+subjects:
+- kind: ServiceAccount
+  name: {{ include "testkube-operator.serviceAccountName" . }}
+  namespace: {{ include "testkube-operator.namespace" . }}
+
 {{- end -}}
diff --git a/charts/testkube-operator/values.yaml b/charts/testkube-operator/values.yaml
@@ -104,6 +104,8 @@ healthcheckPort: 8081
 useArgoCDSync: false
 # purge executions on CRD deletion
 purgeExecutions: false
+# agent cron jobs for scheduling test, suites, workflows
+agentCronJobs: false
 
 ## Service Account parameters
 serviceAccount:
diff --git a/charts/testkube/README.md b/charts/testkube/README.md
@@ -436,6 +436,7 @@ kubectl label --overwrite crds scripts.tests.testkube.io app.kubernetes.io/manag
 | testkube-operator.apiFullname | string | `"testkube-api-server"` | Testkube API full name |
 | testkube-operator.apiPort | int | `8088` | Testkube API port |
 | testkube-operator.cronJobTemplate | string | `""` |  |
+| testkube-operator.agentCronJobs | bool | `true` | Agent cron jobs for scheduling test, suites, workflows |
 | testkube-operator.enabled | bool | `true` |  |
 | testkube-operator.extraEnvVars | list | `[]` | Extra environment variables to be set on deployment |
 | testkube-operator.fullnameOverride | string | `"testkube-operator"` | Testkube Operator fullname override |
diff --git a/charts/testkube/values.yaml b/charts/testkube/values.yaml
@@ -567,6 +567,12 @@ testkube-api:
       ## Should it be enabled
       enabled: true
 
+    ## Configure cron jobs in this installation.
+    # - tkcagnt_*** - Super Agent
+    cronJobs:
+      ## Should it manage cron jobs
+      enabled: false
+
   # ref: https://cloud.google.com/kubernetes-engine/docs/how-to/prepare-arm-workloads-for-deployment#node-affinity-multi-arch-arm
   # -- Tolerations to schedule a workload to nodes with any architecture type. Required for deployment to GKE cluster.
   tolerations: []
@@ -1042,6 +1048,8 @@ testkube-operator:
   useArgoCDSync: false
   # -- Purge executions on CRD deletion
   purgeExecutions: false
+  # -- Agent cron jobs for scheduling test, suites, workflows
+  agentCronJobs: false
 
   # Service Account parameters
   serviceAccount:
