fix: Adjust for workflow service account and /srm

steveblackduck · steveblackduck · commit 146e12995c70 · 2024-02-17T17:03:49.000-05:00
diff --git a/setup/core/charts/codedx-tool-orchestration/Chart.yaml b/setup/core/charts/codedx-tool-orchestration/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: codedx-tool-orchestration
-version: 1.105.0
+version: 1.106.0
 appVersion: "1.32.0"
 description: A Helm chart for Code Dx Tool Orchestration
 icon: https://codedx.com/wp-content/uploads/2017/03/CodeDx-logo.png
diff --git a/setup/core/charts/codedx-tool-orchestration/templates/_helpers.tpl b/setup/core/charts/codedx-tool-orchestration/templates/_helpers.tpl
@@ -78,6 +78,21 @@ If release name contains chart name it will be used as a full name.
 {{- end -}}
 {{- end -}}
 
+{{/*
+Create the name of the TO workflow service account to use
+*/}}
+{{- define "codedx-tool-orchestration.serviceAccountNameWorkflow" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (printf "%s-workflow" (include "codedx-tool-orchestration.fullname"  .)) .Values.serviceAccount.workflowName }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.workflowName }}
+{{- end }}
+{{- end }}
+
+{{- define "codedx-tool-orchestration.workflow.rolebindingname" -}}
+{{- printf "%s-to-workflow-rolebinding" (include "codedx-tool-orchestration.fullname"  .) }}
+{{- end -}}
+
 {{- define "codedx-tool-orchestration.workflow.role.name" -}}
 {{- (printf "%s-%s" (include "codedx-tool-orchestration.name" .) "workflow-role") -}}
 {{- end -}}
diff --git a/setup/core/charts/codedx-tool-orchestration/templates/tool-service-deployment.yaml b/setup/core/charts/codedx-tool-orchestration/templates/tool-service-deployment.yaml
@@ -74,7 +74,7 @@ spec:
           "-workDir", "/opt/codedx/service/work",
           "-workflowControllerInstanceName", "{{ .Release.Name }}",
           "-workflowPriorityClassName", {{ include "codedx-tool-orchestration.workflow.priorityClassName" . | quote }},
-          "-workflowRoleNames", {{ include "codedx-tool-orchestration.workflow.role.name" . }}]
+          "-workflowServiceAccount", {{ include "codedx-tool-orchestration.serviceAccountNameWorkflow" . | quote }}]
         readinessProbe:
           httpGet:
             port: 3333
diff --git a/setup/core/charts/codedx-tool-orchestration/templates/tool-service-rbac.yaml b/setup/core/charts/codedx-tool-orchestration/templates/tool-service-rbac.yaml
@@ -1,5 +1,7 @@
 {{- $saName := (include "codedx-tool-orchestration.serviceAccountName" .) | quote -}}
+{{- $saWorkflowName := (include "codedx-tool-orchestration.serviceAccountNameWorkflow" .) | quote -}}
 {{- $rName := (printf "%s-%s" (include "codedx-tool-orchestration.fullname" .) "role") | quote -}}
+{{- $workflowRoleName := (include "codedx-tool-orchestration.workflow.role.name" .) | quote -}}
 {{- $rbName := (printf "%s-%s" (include "codedx-tool-orchestration.fullname" .) "binding") | quote -}}
 
 {{- if .Values.serviceAccount.create -}}
@@ -11,6 +13,14 @@ metadata:
   labels:
     {{- include "codedx-tool-orchestration.commonLabels" . | nindent 4 }}
 ---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ $saWorkflowName }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    {{- include "codedx-tool-orchestration.commonLabels" . | nindent 4 }}
+---
 {{ end -}}
 
 
@@ -31,25 +41,12 @@ rules:
 - apiGroups: [""]
   resources: ["pods"]
   verbs: ["get"]
-- apiGroups: [""]
-  resources: ["serviceaccounts"]
-  verbs: ["delete"]
 - apiGroups: ["argoproj.io"]
   resources: ["workflows"]
   verbs: ["get", "list", "create", "delete", "patch"]
-- apiGroups: [""]
-  resources: ["serviceaccounts"]
-  verbs: ["create"]
 - apiGroups: [""]
   resources: ["configmaps"]
   verbs: ["get"]
-- apiGroups: ["rbac.authorization.k8s.io"]
-  resources: ["rolebindings"]
-  verbs: ["create"]
-- apiGroups: ["rbac.authorization.k8s.io"]
-  resources: ["roles"]
-  verbs: ["bind"]
-  resourceNames: [{{ include "codedx-tool-orchestration.workflow.role.name" . | quote }}]
 {{- if .Values.podSecurityPolicy.tws.bind }}
 - apiGroups: ["policy"]
   resources: ["podsecuritypolicies"]
@@ -63,7 +60,7 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  name: {{ include "codedx-tool-orchestration.workflow.role.name" . | quote }}
+  name: {{ $workflowRoleName }}
   namespace: {{ .Release.Namespace | quote }}
 rules:
 - apiGroups: [""]
@@ -82,6 +79,22 @@ rules:
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
+metadata:
+  name: {{ (include "codedx-tool-orchestration.workflow.rolebindingname" .) | quote }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    {{- include "codedx-tool-orchestration.commonLabels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ $workflowRoleName }}
+subjects:
+- name: {{ $saWorkflowName }}
+  kind: ServiceAccount
+  namespace: {{ .Release.Namespace | quote }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
 metadata:
   name: {{ $rbName }}
   namespace: {{ .Release.Namespace | quote }}
diff --git a/setup/core/charts/codedx-tool-orchestration/values.yaml b/setup/core/charts/codedx-tool-orchestration/values.yaml
@@ -170,6 +170,8 @@ serviceAccount:
   create: true
   # (optional)
   name:
+  # (optional)
+  workflowName:
 
 podSecurityPolicy:
   tws:
diff --git a/setup/core/common/codedx.ps1 b/setup/core/common/codedx.ps1
@@ -1,5 +1,5 @@
 <#PSScriptInfo
-.VERSION 2.12.0
+.VERSION 2.13.0
 .GUID 6b1307f7-7098-4c65-9a86-8478840ad4cd
 .AUTHOR Code Dx
 #>
@@ -501,7 +501,7 @@ function New-ToolOrchestrationValuesFile([string]   $codedxNamespace,
 	$tlsConfig = $configureTls.ToString().ToLower()
 
 	$codeDxOrchestrationFullName = Get-CodeDxChartFullName $codedxReleaseName
-	$codedxBaseUrl = '{0}://{1}.{2}.svc.cluster.local:{3}/codedx' -f $protocol,$codeDxOrchestrationFullName,$codedxNamespace,$codedxPort
+	$codedxBaseUrl = '{0}://{1}.{2}.svc.cluster.local:{3}/srm' -f $protocol,$codeDxOrchestrationFullName,$codedxNamespace,$codedxPort
 
 	$imagePullSecretYaml      = $imagePullSecretName -eq '' ? '[]' : "[ {name: '$imagePullSecretName'} ]"
 	$minioImagePullSecretYaml = $imagePullSecretName -eq '' ? '[]' : "[ '$imagePullSecretName' ]"
