
fix: Replace wildcards in RBAC objects with explicit resources and verbs #930


Workflow file for this run

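# CI for the KEDA Helm chart: lint it, then install it into disposable Kind
# clusters across a matrix of Kubernetes versions and chart options.
name: Helm Chart CI (Core)
on:
  # Run on pushes to main and on pull requests targeting main or release/*,
  # and only when the chart or this workflow file changes.
  push:
    branches:
      - main
    paths:
      - '.github/workflows/ci-core.yml'
      - 'keda/**'
  # `pull_request` (rather than `pull_request_target`) is the right trigger
  # here: the jobs build and run code from the PR head, so they must not run
  # with the base repository's write token or secrets.
  pull_request:
    branches:
      - main
      - release/*
    paths:
      - '.github/workflows/ci-core.yml'
      - 'keda/**'
# Least privilege for GITHUB_TOKEN: the jobs only read the repository
# (checkout); nothing in this workflow writes back to GitHub.
permissions:
  contents: read
concurrency:
  # github.head_ref is only set for pull_request events, so pushes fall back
  # to the unique run_id and never cancel each other.
  # head_ref is a contributor-chosen branch name: fine as a grouping key,
  # but it should never be interpolated into a `run:` script.
  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true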
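# NOTE(review): every third-party action below is referenced by a mutable ref
# (`@v2`, `@v3`, `@main`). Whatever that ref points at when the job starts is
# what executes on the runner. Pin each `uses:` to a reviewed full commit SHA
# (e.g. `owner/action@<full-commit-sha>  # <tag>`) and let a dependency bot
# propose updates.
jobs:
  lint-helm-3-x:
    name: Lint Helm Chart
    runs-on: ubuntu-latest
    steps:
      - name: Check out code
        uses: actions/checkout@v2
        with:
          # No later step fetches or pushes with git, so do not leave the
          # GITHUB_TOKEN in the local git config where later steps can read it.
          persist-credentials: false
      - name: Helm install
        uses: Azure/setup-helm@v3
      - name: Lint 'KEDA' Helm chart
        run: helm lint keda
  deploy-helm-3-x:
    name: Deploy to Kubernetes ${{ matrix.kubernetesVersion }} in '${{matrix.namespace}}' namespace (${{ (matrix.enableAzureWorkloadIdentity == true && 'With Azure Workload Identity') || 'Without Azure Workload Identity' }} | ${{ (matrix.enableCertManager == true && 'With cert-manager') || 'Without cert-manager' }})
    needs: lint-helm-3-x
    runs-on: ubuntu-latest
    strategy:
      # Let every matrix leg finish so one failing combination does not hide
      # the results of the others.
      fail-fast: false
      matrix:
        enableAzureWorkloadIdentity: [false, true]
        kubernetesVersion: [v1.29, v1.28, v1.27, v1.23]
        namespace: ["keda", "not-keda"]
        enableCertManager: [false, true]
        include:
          # Azure Workload Identity
          # NOTE(review): `contoso` / `ABC` look like dummy identifiers, not
          # real tenant or client IDs; keep it that way, since these values
          # are printed in logs.
          - enableAzureWorkloadIdentity: true
            tenantId: contoso
            clientId: ABC
          - enableAzureWorkloadIdentity: false
            tenantId: ""
            clientId: ""
          # Images are defined on every Kind release
          # See https://github.com/kubernetes-sigs/kind/releases
          # Each node image is pinned by digest, so the tag cannot be
          # repointed at different content between runs.
          - kubernetesVersion: v1.29
            kindImage: kindest/node:v1.29.0@sha256:eaa1450915475849a73a9227b8f201df25e55e268e5d619312131292e324d570
          - kubernetesVersion: v1.28
            kindImage: kindest/node:v1.28.0@sha256:b7a4cad12c197af3ba43202d3efe03246b3f0793f162afb40a33c923952d5b31
          - kubernetesVersion: v1.27
            kindImage: kindest/node:v1.27.3@sha256:3966ac761ae0136263ffdb6cfd4db23ef8a83cba8a463690e98317add2c9ba72
          - kubernetesVersion: v1.23
            kindImage: kindest/node:v1.23.17@sha256:59c989ff8a517a93127d4a536e7014d28e235fb3529d9fba91b3951d461edfdb
    steps:
      - name: Check out code
        uses: actions/checkout@v2
        with:
          # The remaining steps only talk to the local Kind cluster and to
          # public Helm repositories; none of them needs git credentials.
          persist-credentials: false
      - name: Helm install
        uses: Azure/setup-helm@v3
      # NOTE(review): `@main` is a moving branch, the weakest of the three
      # refs used in this file. Pin to `helm/kind-action@<full-commit-sha>`.
      - name: Create k8s ${{ matrix.kubernetesVersion }} Kind Cluster
        uses: helm/kind-action@main
        with:
          node_image: ${{ matrix.kindImage }}
      - name: Show Kubernetes version
        run: |
          kubectl version
      - name: Show Kubernetes nodes
        run: |
          kubectl get nodes -o wide
      - name: Show Helm version
        run: |
          helm version
      # `${{ ... }}` expressions are pasted into the script text before the
      # shell runs. That is safe here only because every matrix value is a
      # literal from this file; event-derived data (PR title, branch name)
      # must instead be passed through `env:` and read as a shell variable.
      # For the non-Azure legs tenantId/clientId render as empty values.
      # NOTE(review): the nesting of the values document below was restored
      # from a flattened listing; confirm it against the chart's values.yaml.
      - name: Generate values
        run: |
          cat <<EOF > test-values.yaml
          image:
            keda:
              tag: main
            metricsApiServer:
              tag: main
            webhooks:
              tag: main
          podIdentity:
            azureWorkload:
              enabled: ${{ matrix.enableAzureWorkloadIdentity }}
              tenantId: ${{ matrix.tenantId }}
              clientId: ${{ matrix.clientId }}
          podDisruptionBudget:
            operator:
              maxUnavailable: 1
            metricServer:
              maxUnavailable: 1
            webhooks:
              maxUnavailable: 1
          prometheus:
            operator:
              enabled: true
              podMonitor:
                enabled: true
              serviceMonitor:
                enabled: true
                relabelings:
                  - regex: (go_.*)
                    action: drop
            webhooks:
              enabled: true
              serviceMonitor:
                enabled: true
                relabelings:
                  - regex: (go_.*)
                    action: drop
            metricServer:
              enabled: true
              serviceMonitor:
                enabled: true
                relabelings:
                  - regex: (go_.*)
                    action: drop
          webhooks:
            failurePolicy: Fail
          certificates:
            autoGenerated: true
            certManager:
              enabled: ${{ matrix.enableCertManager }}
              generateCA: true
          extraInitContainers:
            - name: hello-once
              args:
                - -c
                - "echo 'Hello World!'"
              command:
                - /bin/sh
              image: 'busybox:glibc'
          extraContainers:
            - name: hello-many
              args:
                - -c
                - "while true; do echo hi; sleep 300; done"
              command:
                - /bin/sh
              image: 'busybox:glibc'
          extraObjects:
            - apiVersion: keda.sh/v1alpha1
              kind: ClusterTriggerAuthentication
              metadata:
                name: aws-credentials
                namespace: keda
                annotations:
                  helm.sh/hook: post-install
              spec:
                podIdentity:
                  provider: aws-eks
          additionalAnnotations:
            sample: "annotation"
          service:
            additionalAnnotations:
              hello: "cloud-native world"
          EOF
      # NOTE(review): neither dependency chart is pinned with `--version`, so
      # each run installs whatever the upstream repositories serve at that
      # moment. Pinning makes runs reproducible and turns an upstream change
      # into a reviewable diff.
      - name: Install deps
        run: |
          helm repo add prometheus-community https://prometheus-community.github.io/helm-charts
          helm repo add jetstack https://charts.jetstack.io
          helm repo update
          helm install prometheus-stack prometheus-community/kube-prometheus-stack --namespace monitoring --create-namespace --wait
          helm install cert-manager jetstack/cert-manager --namespace cert-manager --create-namespace --set installCRDs=true
      - name: Create KEDA's namespace (${{ matrix.namespace }})
        run: kubectl create ns ${{ matrix.namespace }}
      # Render first so template errors surface with the full manifest in the
      # log before anything is applied to the cluster.
      - name: Template Helm chart
        run: helm template keda ./keda/ --namespace ${{ matrix.namespace }} --values test-values.yaml
      - name: Install Helm chart
        run: helm install keda ./keda/ --namespace ${{ matrix.namespace }} --values test-values.yaml --wait
      # `if: always()` keeps the diagnostic listings running even when the
      # install step above failed.
      - name: Show Kubernetes resources (KEDA)
        run: kubectl get all --namespace ${{ matrix.namespace }}
        if: always()
      - name: Show Kubernetes resources (Monitoring)
        run: kubectl get all --namespace monitoring
        if: always()
      - name: Get all CRDs
        run: kubectl get crds -o wide
      # Each `kubectl get crd/<name>` exits non-zero when the CRD is missing,
      # which fails the job.
      - name: Verify clustertriggerauthentications.keda.sh CRD is installed
        run: kubectl get crd/clustertriggerauthentications.keda.sh -o wide
      - name: Verify triggerauthentications.keda.sh CRD is installed
        run: kubectl get crd/triggerauthentications.keda.sh -o wide
      - name: Verify scaledjobs.keda.sh CRD is installed
        run: kubectl get crd/scaledjobs.keda.sh -o wide
      - name: Verify scaledobjects.keda.sh CRD is installed
        run: kubectl get crd/scaledobjects.keda.sh -o wide
      - name: Verify cloudeventsources.eventing.keda.sh CRD is installed
        run: kubectl get crd/cloudeventsources.eventing.keda.sh -o wide
      - name: Get all ScaledObjects
        run: kubectl get scaledobjects -o wide
      - name: Get all ScaledJobs
        run: kubectl get scaledjobs -o wide
      - name: Get all TriggerAuthentication
        run: kubectl get triggerauth -o wide
      - name: Get all ClusterTriggerAuthentication
        run: kubectl get clustertriggerauth -o wide
      - name: Get all CloudEventSource
        run: kubectl get cloudeventsource -o wide
      - name: Deploy Nginx with autoscaling
        run: kubectl apply -f ./samples/nginx-scaledobject.yml
      - name: Get our Nginx ScaledObject
        run: kubectl get scaledobjects/nginx-autoscaling -o wide
        if: always()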