Switch to prow for e2e testing. Fix intermittent test failures. #122
Changes from all commits
eeeb54e
4eae5b6
d873ea2
6d89d41
a7a26b9
551087a
a4ca7a9
595389e
086f5c4
942b24f
30d966d
892b505
be7bf4f
00ddc07
7c77e2c
0d6c8aa
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -87,7 +87,7 @@ items: | |
name: "{{ template "fullname" . }}:controller" | ||
rules: | ||
- apiGroups: ["navigator.jetstack.io"] | ||
resources: ["elasticsearchclusters", "pilots"] | ||
resources: ["elasticsearchclusters", "pilots", "elasticsearchclusters/status", "pilots/status"] | ||
❓ Does a controller ever need to modify
It needs to delegate permission to modify/update
Got it. |
||
verbs: ["get", "list", "watch", "update", "create", "delete"] | ||
- apiGroups: [""] | ||
resources: ["services", "configmaps", "serviceaccounts", "pods"] | ||
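Review bot: On the new `resources` line the two status subresources are added to the existing rule, so they pick up its whole verb list, including `create` and `delete`. If these are ordinary status subresources, only read and update verbs apply to them, and the extra verbs widen the controller role for no benefit. A separate rule would keep the grant scoped: `- apiGroups: ["navigator.jetstack.io"]`, `resources: ["elasticsearchclusters/status", "pilots/status"]`, `verbs: ["get", "update"]`. The rules list starts and ends outside this hunk.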
|
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -11,6 +11,13 @@ apiserver: | |
## which require cluster admin access to deploy. | ||
rbacDisabled: false | ||
|
||
## Extra arguments to pass to the navigator-apiserver | ||
extraArgs: | ||
# - --requestheader-client-ca-file=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt | ||
# - --requestheader-username-headers=X-Remote-User | ||
# - --requestheader-group-headers=X-Remote-Group | ||
# - --requestheader-extra-headers-prefix=X-Remote-Extra - --proxy-client-cert-file="${CERT_DIR}/client-auth-proxy.crt" | ||
This line needs to be split. But do it in a followup branch if you like. |
||
|
||
## Optional: if not set, a service account will be automatically created | ||
# serviceAccount: "apiserver-svc-acct" | ||
image: | ||
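Review bot: The commented `--requestheader-client-ca-file` example points at the service-account `ca.crt`, which is normally the cluster's general-purpose CA rather than a dedicated front-proxy CA. With that CA and no `--requestheader-allowed-names`, any client holding a certificate signed by it could have its `X-Remote-User`/`X-Remote-Group` headers trusted. The example should either name a dedicated request-header CA or add a line such as `# - --requestheader-allowed-names=<front-proxy-CN>` (placeholder value). Separately, `extraArgs:` with only comments beneath it parses as null; `extraArgs: []` states the empty default explicitly. The `apiserver:` mapping continues outside this hunk.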
|
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -6,30 +6,14 @@ set -eux | |
SCRIPT_DIR="$(cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd)" | ||
source "${SCRIPT_DIR}/libe2e.sh" | ||
|
||
curl -Lo helm.tar.gz \ | ||
https://storage.googleapis.com/kubernetes-helm/helm-v2.6.1-linux-amd64.tar.gz | ||
tar xvf helm.tar.gz | ||
sudo mv linux-amd64/helm /usr/local/bin | ||
|
||
curl -Lo kubectl \ | ||
https://storage.googleapis.com/kubernetes-release/release/$KUBERNETES_VERSION/bin/linux/amd64/kubectl | ||
chmod +x kubectl | ||
sudo mv kubectl /usr/local/bin/ | ||
|
||
curl -Lo minikube \ | ||
https://storage.googleapis.com/minikube/releases/v0.23.0/minikube-linux-amd64 | ||
chmod +x minikube | ||
sudo mv minikube /usr/local/bin/ | ||
|
||
docker run -v /usr/local/bin:/hostbin quay.io/jetstack/ubuntu-nsenter cp /nsenter /hostbin/nsenter | ||
❓ I see all this stuff gets installed here: https://github.com/jetstack/test-infra/blob/master/images/minikube-in-go/Dockerfile
The KVM VM is launched in a container by passing through the libvirt socket into the container. Anything that works with libvirt should work okay within a container too. The |
||
|
||
# Create a cluster. We do this as root as we are using the 'docker' driver. | ||
# We enable RBAC on the cluster too, to test the RBAC in Navigators chart | ||
sudo -E CHANGE_MINIKUBE_NONE_USER=true minikube start \ | ||
# The kubeadm bootstrapper enables RBAC by default. | ||
minikube start \ | ||
-v 100 \ | ||
--vm-driver=none \ | ||
--vm-driver=kvm \ | ||
--kubernetes-version="$KUBERNETES_VERSION" \ | ||
--extra-config=apiserver.Authorization.Mode=RBAC | ||
--bootstrapper=kubeadm \ | ||
--profile="$HOSTNAME" | ||
|
||
echo "Waiting up to 5 minutes for Kubernetes to be ready..." | ||
if ! retry TIMEOUT=300 kubectl get nodes; then | ||
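Review bot: Nothing in this hunk removes the VM that `minikube start --vm-driver=kvm ... --profile="$HOSTNAME"` creates, and with `set -eux` any later failure exits the script immediately. Unless `libe2e.sh` or the CI job already cleans up, a failed run would leave a per-hostname KVM domain behind on the libvirt host. Registering `trap 'minikube delete --profile="$HOSTNAME"' EXIT` before the start call would cover that. The script continues past the end of the hunk, so teardown may already exist there.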
|
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -32,33 +32,7 @@ items: | |
kind: ServiceAccount | ||
name: tiller | ||
namespace: kube-system | ||
### Generic ### | ||
# Create a ClusterRole to work with ElasticsearchCluster resources | ||
- apiVersion: rbac.authorization.k8s.io/v1beta1 | ||
kind: ClusterRole | ||
metadata: | ||
name: navigator:authenticated | ||
# this rule defined on the role for specifically the | ||
# namespace-lifecycle admission-controller | ||
rules: | ||
- apiGroups: ["navigator.jetstack.io"] | ||
resources: ["elasticsearchclusters", "pilots"] | ||
verbs: ["get", "list", "watch", "create", "update", "delete"] | ||
- apiVersion: rbac.authorization.k8s.io/v1beta1 | ||
kind: ClusterRoleBinding | ||
metadata: | ||
name: "navigator:authenticated" | ||
roleRef: | ||
apiGroup: rbac.authorization.k8s.io | ||
kind: ClusterRole | ||
name: navigator:authenticated | ||
subjects: | ||
- kind: Group | ||
name: system:authenticated | ||
apiGroup: rbac.authorization.k8s.io | ||
- kind: Group | ||
name: system:unauthenticated | ||
apiGroup: rbac.authorization.k8s.io | ||
👍 |
||
|
||
EOF | ||
helm init --service-account=tiller | ||
|
||
|
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,38 @@ | ||
# Default values for navigator. | ||
# This is a YAML-formatted file. | ||
# Declare variables to be passed into your templates. | ||
createAPIService: true | ||
|
||
rbac: | ||
enabled: true | ||
|
||
apiserver: | ||
## Set to true to skip deploying the apiserver components RBAC policies, | ||
## which require cluster admin access to deploy. | ||
rbacDisabled: false | ||
|
||
extraArgs: | ||
- --v=100 | ||
|
||
## Optional: if not set, a service account will be automatically created | ||
# serviceAccount: "apiserver-svc-acct" | ||
image: | ||
repository: jetstackexperimental/navigator-apiserver | ||
tag: build | ||
pullPolicy: Never | ||
|
||
controller: | ||
## Optional: namespace to watch for resources in. This can be used when RBAC | ||
## restricts you to a single namespace. | ||
# namespace: default | ||
## Optional: if not set, a service account will be automatically created | ||
# serviceAccount: "controller-svc-acct" | ||
image: | ||
repository: jetstackexperimental/navigator-controller | ||
tag: build | ||
pullPolicy: Never | ||
|
||
resources: | ||
requests: | ||
cpu: 50m | ||
memory: 64Mi |
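Review bot: The `- --v=100` entry under `apiserver.extraArgs` turns logging to maximum, and Kubernetes client libraries have logged full request headers, including bearer tokens, at high verbosity levels. If the e2e logs are collected as CI artifacts, service-account tokens may end up in them. A lower level such as `- --v=4` is usually enough for debugging; otherwise add a comment above the flag such as `## test-only: logs at this verbosity may contain credentials`. The `tag: build` / `pullPolicy: Never` pairs would also benefit from a one-line comment saying the images are expected to be built locally and already present on the node.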
❓ Is it necessary to specify a profile here? The default is minikube, which should work on a new e2e VM right?
It means that I have to remember to use $HOSTNAME as the profile, when I launch minikube locally.