Armada-scheduler helm tweaks + make kube native auth work

- Set POD_NAMESPACE + SERVICE_ACCOUNT so kube native auth works properly from api and scheduler pods - Set the service account name properly in additionalClusterRoleBindings - Add to the armada-scheduler tls cert to sign for each replica of the scheduler - This is so the scheduler pods can talk to each other directly - Alternatively we could use a * record here
armadaproject · Jul 11, 2023 · f1314c2 · f1314c2
1 parent c56b215
commit f1314c2
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 2 deletions.
diff --git a/deployment/scheduler/templates/scheduler-clusterrolebinding.yaml b/deployment/scheduler/templates/scheduler-clusterrolebinding.yaml
@@ -28,6 +28,6 @@ roleRef:
   name: {{ .clusterRoleName }}
 subjects:
   - kind: ServiceAccount
-    name: {{ $root.Values.customServiceAccount | default (include "armada-scheduler.name" $root) }}
+    name: {{ $root.Values.scheduler.customServiceAccount | default (include "armada-scheduler.name" $root) }}
     namespace: {{ $root.Release.Namespace }}
 {{ end }}
diff --git a/deployment/scheduler/templates/scheduler-ingress.yaml b/deployment/scheduler/templates/scheduler-ingress.yaml
@@ -34,5 +34,9 @@ spec:
   {{ end }}
   tls:
     - hosts:
-      {{- toYaml .Values.scheduler.hostnames  | nindent 8 }}
+      {{- toYaml .Values.scheduler.hostnames  | nindent 6 }}
+      {{- $root := . -}}
+      {{- range $i := until (int .Values.scheduler.replicas) }}
+      - {{ include "armada-scheduler.name" $root }}-{{ $i }}.{{ include "armada-scheduler.name" $root }}.{{ $root.Release.Namespace }}.svc
+      {{- end }}
       secretName: armada-scheduler-service-tls
diff --git a/deployment/scheduler/templates/scheduler-statefulset.yaml b/deployment/scheduler/templates/scheduler-statefulset.yaml
@@ -49,6 +49,14 @@ spec:
               valueFrom:
                 fieldRef:
                   fieldPath: metadata.namespace
+            - name: SERVICE_ACCOUNT
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.serviceAccountName
+            - name: POD_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
             {{- if  not (((.Values.scheduler.applicationConfig).leader).leaderConnection).armadaUrl }}
             - name: ARMADA_LEADER_LEADERCONNECTION_ARMADAURL
               value: "<name>.{{ include "armada-scheduler.name" . }}.{{ .Release.Namespace }}.svc:{{ .Values.scheduler.applicationConfig.grpc.port }}"