fix: scope RBAC permissions and fix hardcoded Helm resource names

[dmaizel]

No description provided.

[changeset-bot]

⚠️ No Changeset found

Latest commit: b2fea3c

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[dmaizel]

Things I want to clean up next

While working on this PR I went through the whole chart and found a few things might be worth fixing. Keeping this PR focused on RBAC/naming but wanted to write these down so they don't get lost.

Template duplication

pre-install-tentacle-pod.yaml and tentacle-deployment.yaml have ~25 copy-pasted env vars. Same deal with the secrets - there are 3 pairs of files that are basically identical except for hook annotations and the -pre suffix. I'd like to pull the shared bits into named templates

Also, script-pod-template.yaml calls set/unset directly on .Values which mutates it in place for the rest of the render. Should use deepCopy first

Modernization

• values.schema.json - worth considering. Right now if someone typos a key or passes the wrong type, Helm silently deploys broken config. A schema would catch that at helm install time with a clear error. Side benefit: editors with YAML LSP support get autocomplete for values files when a schema exists. helm-values-schema-json can auto-generate a starting point from values.yaml so it's not a huge lift.
• Pre-install hook is a bare Pod - no backoffLimit, no timeout, won't reschedule if the node dies. Should be a Job at minimum. Might also be worth replacing the hook with an init container so it works with helm template | kubectl apply (GitOps).
• Boolean naming is all over the place - disruptionBudgetEnabled, crdDisabled, disableAutoPodCleanup, enabled. In my opinion we should keep it enabled: true/false everywhere.
• No top-level rbac.create toggle - Helm best practice is to provide a single flag to disable all RBAC creation. Currently you'd have to know about each component's individual override keys.

Questions

• tentacle-secret and tentacle-secret-pre have no data: field - are these populated by the app at runtime? Or leftover?
• Would you be open to replacing the pre-install hook with an init container down the road?

[liam-mackie]

Commenting rather than approving at the moment as if it's changed, it will break the upgrade process. We'll need to update the C# code (or the upgrade script itself) to get the right auto-upgrader service account. This is likely a change that we should include in v3 to enforce compatibility with a server version that includes the changes we'd need to get that account.

I think the easiest way forward is to remove the auto-upgrade changes specifically in this PR and introduce separately in a v3-compatible change.

[liam-mackie]

⚠️ This change would require changes in Octopus Server to support - see here

[dmaizel]

Good catch! Reverted the auto-upgrader service account name change - it's back to the hardcoded octopus-agent-auto-upgrader. We can make it dynamic in a v3-compatible change once the server-side code is updated :)

Kept the RBAC rule override support for auto-upgrader roles/clusterroles since those don't change any default behavior - they just add the ability to override rules.

[dmaizel]

@liam-mackie

[liam-mackie]

These changes look good to me! I'd like to get @APErebus to take a look at some point soon, since I think he had opinions on how we configured the role rules in the values.yaml - especially around how we set defaults.