update operator rbac template resource naming to support multiple hel…

…m chart installations (#502)

* make Role naming consistent with ClusterRole to support multi installation of a helm chart

* fix roleRef

* add changelog

* update unit test

* pr feedback

changelog/v0.34.4/ns-rbac-resource-naming-fix.yaml

@@ -0,0 +1,6 @@
+changelog:
+  - type: FIX
+    issueLink:   https://github.com/solo-io/gloo-mesh-enterprise/issues/10521
+    description: >
+      Adds helm release information to k8s resources that use namespace-scoped rbac policies so we support multiple installations of a helm chart.
+    resolvesIssue: false

codegen/cmd_test.go

@@ -2062,7 +2062,7 @@ roleRef:
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: painter-{{ .Release.Name }}-{{ .Release.Namespace }}
+  name: painter-{{ .Release.Name }}-{{ .Release.Namespace }}-namespaced
   labels:
     app: painter
 rules:
@@ -2080,7 +2080,7 @@ rules:
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: painter-{{ .Release.Name }}-{{ .Release.Namespace }}
+  name: painter-{{ .Release.Name }}-{{ .Release.Namespace }}-namespaced
   labels:
     app: painter
 subjects:
@@ -2089,13 +2089,13 @@ subjects:
   namespace: {{ default .Release.Namespace $painter.namespace }}
 roleRef:
   kind: ClusterRole
-  name: painter-{{ .Release.Name }}-{{ .Release.Namespace }}
+  name: painter-{{ .Release.Name }}-{{ .Release.Namespace }}-namespaced
   apiGroup: rbac.authorization.k8s.io`
 		roleTmpl := `
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: painter
+  name: painter-{{ $.Release.Name }}-{{ $.Release.Namespace }}-namespaced
   namespace: {{ $ns }}
   labels:
     app: painter
@@ -2114,7 +2114,7 @@ rules:
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: painter
+  name: painter-{{ $.Release.Name }}-{{ $.Release.Namespace }}-namespaced
   namespace: {{ $ns }}
   labels:
     app: painter
@@ -2124,7 +2124,7 @@ subjects:
   namespace: {{ default $.Release.Namespace $painter.namespace }}
 roleRef:
   kind: Role
-  name: painter
+  name: painter-{{ $.Release.Name }}-{{ $.Release.Namespace }}-namespaced
   apiGroup: rbac.authorization.k8s.io`
 		Expect(string(rbac)).To(ContainSubstring(clusterRole1Tmpl))
 		Expect(string(rbac)).To(ContainSubstring(clusterRoleBinding1Tmpl))

codegen/templates/chart/operator-rbac.yamltmpl

@@ -108,7 +108,7 @@ We need the following variables:
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: [[ $operator.Name ]]-{{ .Release.Name }}-{{ .Release.Namespace }}
+  name: [[ $operator.Name ]]-{{ .Release.Name }}-{{ .Release.Namespace }}-namespaced
   labels:
     app: [[ $operator.Name ]]
 rules:
@@ -125,7 +125,7 @@ rules:
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: [[ $operator.Name ]]-{{ .Release.Name }}-{{ .Release.Namespace }}
+  name: [[ $operator.Name ]]-{{ .Release.Name }}-{{ .Release.Namespace }}-namespaced
   labels:
     app: [[ $operator.Name ]]
 subjects:
@@ -138,7 +138,7 @@ subjects:
 [[- end ]]
 roleRef:
   kind: ClusterRole
-  name: [[ $operator.Name ]]-{{ .Release.Name }}-{{ .Release.Namespace }}
+  name: [[ $operator.Name ]]-{{ .Release.Name }}-{{ .Release.Namespace }}-namespaced
   apiGroup: rbac.authorization.k8s.io
 {{- end }}
 
@@ -149,7 +149,7 @@ roleRef:
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: [[ $operator.Name ]]
+  name: [[ $operator.Name ]]-{{ $.Release.Name }}-{{ $.Release.Namespace }}-namespaced
   namespace: {{ $ns }}
   labels:
     app: [[ $operator.Name ]]
@@ -167,7 +167,7 @@ rules:
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: [[ $operator.Name ]]
+  name: [[ $operator.Name ]]-{{ $.Release.Name }}-{{ $.Release.Namespace }}-namespaced
   namespace: {{ $ns }}
   labels:
     app: [[ $operator.Name ]]
@@ -181,7 +181,7 @@ subjects:
 [[- end ]]
 roleRef:
   kind: Role
-  name: [[ $operator.Name ]]
+  name: [[ $operator.Name ]]-{{ $.Release.Name }}-{{ $.Release.Namespace }}-namespaced
   apiGroup: rbac.authorization.k8s.io
 
   {{- end }}[[/* range $ns, $resources := $[[ $operatorVar ]]NsToResources */]]

codegen/test/chart/templates/rbac.yaml

@@ -60,7 +60,7 @@ roleRef:
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: painter-{{ .Release.Name }}-{{ .Release.Namespace }}
+  name: painter-{{ .Release.Name }}-{{ .Release.Namespace }}-namespaced
   labels:
     app: painter
 rules:
@@ -80,7 +80,7 @@ rules:
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: painter-{{ .Release.Name }}-{{ .Release.Namespace }}
+  name: painter-{{ .Release.Name }}-{{ .Release.Namespace }}-namespaced
   labels:
     app: painter
 subjects:
@@ -89,7 +89,7 @@ subjects:
   namespace: {{ default .Release.Namespace $painter.namespace }}
 roleRef:
   kind: ClusterRole
-  name: painter-{{ .Release.Name }}-{{ .Release.Namespace }}
+  name: painter-{{ .Release.Name }}-{{ .Release.Namespace }}-namespaced
   apiGroup: rbac.authorization.k8s.io
 {{- end }}
 
@@ -100,7 +100,7 @@ roleRef:
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: painter
+  name: painter-{{ $.Release.Name }}-{{ $.Release.Namespace }}-namespaced
   namespace: {{ $ns }}
   labels:
     app: painter
@@ -121,7 +121,7 @@ rules:
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: painter
+  name: painter-{{ $.Release.Name }}-{{ $.Release.Namespace }}-namespaced
   namespace: {{ $ns }}
   labels:
     app: painter
@@ -131,7 +131,7 @@ subjects:
   namespace: {{ default $.Release.Namespace $painter.namespace }}
 roleRef:
   kind: Role
-  name: painter
+  name: painter-{{ $.Release.Name }}-{{ $.Release.Namespace }}-namespaced
   apiGroup: rbac.authorization.k8s.io
 
   {{- end }}