feat: allow k6 operator service account in rdev/staging (CCIE-3437) #3586
Conversation
christophermanahan
requested review from
kuannie1,
jakeyheath and
ademartini-czi
and removed request for
a team
|
No Jira issue reference found in branch, title, or body of PR. Please add a reference to a Jira issue in the form of CCIE-#### (eg: CCIE-1400) to the branch name, title, or body of your PR. |
|
No Jira issue reference found in branch, title, or body of PR. Please add a reference to a Jira issue in the form of CCIE-#### (eg: CCIE-1400) to the branch name, title, or body of your PR. |
|
No Jira issue reference found in branch, title, or body of PR. Please add a reference to a Jira issue in the form of CCIE-#### (eg: CCIE-1400) to the branch name, title, or body of your PR. |
1 similar comment
|
No Jira issue reference found in branch, title, or body of PR. Please add a reference to a Jira issue in the form of CCIE-#### (eg: CCIE-1400) to the branch name, title, or body of your PR. |
kuannie1
changed the title
There was a problem hiding this comment.
@christophermanahan instead of checking if you're in rdev or staging, do you think you can add another variable that's like, allow_k6_operator_controller with a description about grafana k6s? Then set the "default" to false so you can turn it on using that variable.
That way, we don't have the brittle logic about whether it's rdev or staging. Just something like this:
k6_operator_service_account = var.allow_k6_operator_controller ? [{
"kind" = "ServiceAccount"
"name" = "k6-operator-controller"
"namespace" = "k6-operator-system"
}] : []
more about variables here: https://developer.hashicorp.com/terraform/language/values/variables
We have variables.tf for blocks like this
christophermanahan
force-pushed
the
cmanahan/k6-operator-service-account
branch
3 times, most recently
from
1d3eb38
to
b7e9da2
Compare
| @@ -32,7 +32,12 @@ variable "allow_mesh_services" { | |||
| description = "A list of service/stack that we want to allow access to this protected service" | |||
| } | |||
|
|
|||
| variable "allow_k6_operator" { | |||
| type = bool | |||
| description = "A flag to allow the k6 operator to access this protected service" | |||
There was a problem hiding this comment.
add a default parameter here
| @@ -296,6 +296,7 @@ variable "routing" { | |||
| success_codes : optional(string, "200-499") | |||
| service_type : string | |||
| service_mesh : bool | |||
| allow_k6_operator : bool | |||
There was a problem hiding this comment.
| allow_k6_operator : bool | |
| allow_k6_operator : optional(bool, true) |
There was a problem hiding this comment.
make match the default above
christophermanahan
force-pushed
the
cmanahan/k6-operator-service-account
branch
from
6b3ca7d
to
201d4ee
Compare
@kuannie1 Updated to be a variable, thank you for the review and suggestion! |
CCIE-3437
Ticket: https://czi.atlassian.net/browse/CP-1504
Doc: https://czi.atlassian.net/wiki/spaces/ETE/pages/3192881220/PEMA+Project+End+Manual+Approvals
While Grafana k6 tests have been successfully POC’d in rdev via injection of the LinkerD sidecar into the test runner pods that are deployed by the k6 operator to test our private backend service endpoints - staging introduces LinkerD mesh access control lists that prevent the test runner pod from making successful requests to our services in staging. This PR adds the service account
k6-operator-controllerunder the namespacek6-operator-systemto the staging and rdev environments so that the test runner pods deployed by the k6 operator under thek6-operator-controllerservice account can make successful requests to the services in rdev and staging.A test stack of the session service was deployed to staging with the happy config pointing to the git SHA associated with this PR and a successful test run to create a session was achieved in staging to validate this approach and change.