Files
template-web-backend-python/helm/APP_NAME/templates/role-db-secret-reader.yaml
iilc 13b9fae61c
Some checks failed
__APP_NAME__ — build & deploy / Calidad + build + push (push) Failing after 14s
__APP_NAME__ — build & deploy / Helm upgrade --install (push) Has been skipped
chart 0.3.0: AddonClaim FUERA del chart Helm (ADR-066 del IDP)
Bug en chart 0.2.x: AddonClaim era Helm hook pre-install,pre-upgrade
weight -10 SIN hook-delete-policy. El default Helm 3 es
before-hook-creation → borra el claim en cada upgrade → finalizer
cleanup-logical rotaba credenciales + atoraba release en pending-upgrade.

Cambios:
- helm/APP_NAME/templates/addonclaim.yaml eliminado.
- manifests/addonclaim.yaml creado con placeholders sed.
- scripts/pre-helm-detach.sh idempotente para migracion v1.0.0 → 1.1.0.
- .gitea/workflows/APP_NAME-build.yaml: 2 nuevos steps detach + apply
  AddonClaim entre kubeconfig y helm upgrade.
- Chart.yaml bump 0.2.0 → 0.3.0.
- README reescrito (3 pasos workflow + tabla hooks sin AddonClaim +
  seccion Por que FUERA del chart + opt-out actualizado).
- Comentarios stale del AddonClaim como hook -10 limpiados en
  networkpolicy.yaml, role-db-secret-reader.yaml, job-alembic-upgrade.yaml.

ADR-066 del IDP documenta la decision arquitectural completa.
2026-05-25 14:28:17 -05:00

53 lines
2.0 KiB
YAML

{{- if .Values.database.enabled }}
# Role + RoleBinding que permiten al SA de la app leer el Secret `<release>-db-creds`
# en el ns `apps`. Lo consume el InitContainer `wait-for-secret` del Job Alembic
# (hook pre-install/pre-upgrade weight 0) que hace busy-wait hasta que
# addon-provisioner publica el Secret tras reconciliar el AddonClaim.
#
# Hook weight "-7" — entre NetworkPolicy (-8) y SA (-5):
# - Garantiza que RBAC exista antes de que el SA del hook -5 se materialice
# y antes de que el Job -0 intente leer el Secret.
# - delete-policy: before-hook-creation para que sea idempotente entre upgrades
# sin dejar Roles huerfanos.
# (El AddonClaim ya no es hook del chart desde 0.3.0 — ADR-066. Lo aplica el
# workflow del tenant ANTES del `helm upgrade --install`.)
#
# Scope minimo: solo lectura (get/watch) del Secret `<release>-db-creds`, no
# secrets cluster-wide ni del ns `addons`. El root Secret de MariaDB vive en
# `addons` y nunca debe ser accesible desde `apps` (ADR-052 §6.1).
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ .Release.Name }}-db-secret-reader
labels:
{{- include "app.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-weight": "-7"
"helm.sh/hook-delete-policy": before-hook-creation
rules:
- apiGroups: [""]
resources: ["secrets"]
resourceNames: [{{ .Values.database.secretName | quote }}]
verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ .Release.Name }}-db-secret-reader
labels:
{{- include "app.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-weight": "-7"
"helm.sh/hook-delete-policy": before-hook-creation
subjects:
- kind: ServiceAccount
name: {{ .Release.Name }}
namespace: {{ .Release.Namespace }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ .Release.Name }}-db-secret-reader
{{- end }}