Bug en chart 0.2.x: AddonClaim era Helm hook pre-install,pre-upgrade weight -10 SIN hook-delete-policy. El default Helm 3 es before-hook-creation → borra el claim en cada upgrade → finalizer cleanup-logical rotaba credenciales + atoraba release en pending-upgrade. Cambios: - helm/APP_NAME/templates/addonclaim.yaml eliminado. - manifests/addonclaim.yaml creado con placeholders sed. - scripts/pre-helm-detach.sh idempotente para migracion v1.0.0 → 1.1.0. - .gitea/workflows/APP_NAME-build.yaml: 2 nuevos steps detach + apply AddonClaim entre kubeconfig y helm upgrade. - Chart.yaml bump 0.2.0 → 0.3.0. - README reescrito (3 pasos workflow + tabla hooks sin AddonClaim + seccion Por que FUERA del chart + opt-out actualizado). - Comentarios stale del AddonClaim como hook -10 limpiados en networkpolicy.yaml, role-db-secret-reader.yaml, job-alembic-upgrade.yaml. ADR-066 del IDP documenta la decision arquitectural completa.
53 lines
2.0 KiB
YAML
53 lines
2.0 KiB
YAML
{{- if .Values.database.enabled }}
|
|
# Role + RoleBinding que permiten al SA de la app leer el Secret `<release>-db-creds`
|
|
# en el ns `apps`. Lo consume el InitContainer `wait-for-secret` del Job Alembic
|
|
# (hook pre-install/pre-upgrade weight 0) que hace busy-wait hasta que
|
|
# addon-provisioner publica el Secret tras reconciliar el AddonClaim.
|
|
#
|
|
# Hook weight "-7" — entre NetworkPolicy (-8) y SA (-5):
|
|
# - Garantiza que RBAC exista antes de que el SA del hook -5 se materialice
|
|
# y antes de que el Job -0 intente leer el Secret.
|
|
# - delete-policy: before-hook-creation para que sea idempotente entre upgrades
|
|
# sin dejar Roles huerfanos.
|
|
# (El AddonClaim ya no es hook del chart desde 0.3.0 — ADR-066. Lo aplica el
|
|
# workflow del tenant ANTES del `helm upgrade --install`.)
|
|
#
|
|
# Scope minimo: solo lectura (get/watch) del Secret `<release>-db-creds`, no
|
|
# secrets cluster-wide ni del ns `addons`. El root Secret de MariaDB vive en
|
|
# `addons` y nunca debe ser accesible desde `apps` (ADR-052 §6.1).
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: Role
|
|
metadata:
|
|
name: {{ .Release.Name }}-db-secret-reader
|
|
labels:
|
|
{{- include "app.labels" . | nindent 4 }}
|
|
annotations:
|
|
"helm.sh/hook": pre-install,pre-upgrade
|
|
"helm.sh/hook-weight": "-7"
|
|
"helm.sh/hook-delete-policy": before-hook-creation
|
|
rules:
|
|
- apiGroups: [""]
|
|
resources: ["secrets"]
|
|
resourceNames: [{{ .Values.database.secretName | quote }}]
|
|
verbs: ["get", "watch", "list"]
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: RoleBinding
|
|
metadata:
|
|
name: {{ .Release.Name }}-db-secret-reader
|
|
labels:
|
|
{{- include "app.labels" . | nindent 4 }}
|
|
annotations:
|
|
"helm.sh/hook": pre-install,pre-upgrade
|
|
"helm.sh/hook-weight": "-7"
|
|
"helm.sh/hook-delete-policy": before-hook-creation
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: {{ .Release.Name }}
|
|
namespace: {{ .Release.Namespace }}
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
kind: Role
|
|
name: {{ .Release.Name }}-db-secret-reader
|
|
{{- end }}
|