@rssnyder
Created July 12, 2024 17:05

deploy a namespaced delegate:

helm upgrade -i namespaced \
  harness-delegate/harness-delegate-ng \
  --set delegateName=namespaced \
  --set accountId=wlgELJ0TTre5aZhzpt8gVA \
  --set delegateToken=XXXXXX \
  --set managerEndpoint=https://app.harness.io/gratis \
  --set delegateDockerImage=harness/delegate:24.05.83001 \
  --set replicas=1 --set upgrader.enabled=true \
  --set k8sPermissionsType=NAMESPACE_ADMIN

the service account (sa) created by the delegate helm chart has the same name as the delegate, so here it is namespaced

create a role in the target namespace with the necessary permissions for a build farm:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: build-farm
  namespace: target-namespace
rules:
  - apiGroups: [""]
    resources: ["pods", "secrets"]
    verbs: ["get", "list", "watch", "create", "update", "delete"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["list", "watch"]

create a RoleBinding object in the target namespace to bind the Role to the delegate service account:

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: namespaced-build-farm
  namespace: target-namespace
subjects:
  - kind: ServiceAccount
    name: namespaced
    namespace: default
roleRef:
  kind: Role
  name: build-farm
  apiGroup: rbac.authorization.k8s.io

now the service account namespaced in the default namespace has access to launch pods for Harness CI/IaCM/Container Steps in the target-namespace namespace
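
One way to confirm the binding grants exactly what the Role lists, as an added example that is not part of the original gist: it impersonates the delegate service account with `kubectl auth can-i` and compares the answers to a table. The names `can_i`, `audit_delegate_rbac` and `EXPECTED` are hypothetical, and it assumes your own user may impersonate service accounts and that the service account has no other bindings outside `default`.

```shell
#!/usr/bin/env bash
# Added example (not from the gist): audit what the delegate service account
# can actually do. The service account, namespaces and Role rules are the ones
# on this page; can_i, audit_delegate_rbac and EXPECTED are hypothetical names.

SA="system:serviceaccount:default:namespaced"

# can_i VERB RESOURCE NAMESPACE -> prints "yes" or "no" (empty on kubectl error).
# kubectl exits non-zero for "no", so the exit status is ignored and stdout is used.
can_i() {
  kubectl auth can-i "$1" "$2" --as="$SA" -n "$3" 2>/dev/null || true
}

# One check per line: expected answer, verb, resource, namespace.
# The "no" rows assume the service account has no other bindings outside default.
EXPECTED='
yes create pods target-namespace
yes delete pods target-namespace
yes get secrets target-namespace
yes list events target-namespace
no create events target-namespace
no create deployments target-namespace
no get secrets kube-system
no list pods kube-system
'

# Runs every check; prints each mismatch and returns the number of mismatches,
# so a return value of 0 means the live permissions match the table.
audit_delegate_rbac() {
  failures=0
  while read -r want verb res ns; do
    [ -z "$want" ] && continue
    got=$(can_i "$verb" "$res" "$ns")
    if [ "$got" != "$want" ]; then
      echo "MISMATCH: $verb $res in $ns: expected $want, got '$got'"
      failures=$((failures + 1))
    fi
  done <<EOF
$EXPECTED
EOF
  return "$failures"
}

# Usage: audit_delegate_rbac && echo "delegate RBAC matches the build-farm Role"
```

A mismatch on a "no" row means the service account holds more than the build-farm Role, for example through a ClusterRoleBinding left over from an earlier install.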
