fix: install pod monitor role separately as shared resource for all namespaces

charts/hedera-network/templates/rbac/pod-monitor.yaml

@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: pod-monitor
+  namespace: {{ default $.Release.Namespace $.Values.global.namespaceOverride }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: pod-monitor-role-binding
+  namespace: {{ default $.Release.Namespace $.Values.global.namespaceOverride }}
+subjects:
+  - kind: ServiceAccount
+    name: pod-monitor
+    namespace: {{ default $.Release.Namespace $.Values.global.namespaceOverride }}
+roleRef:
+  kind: ClusterRole
+  name: {{ $.Values.tester.clusterRoleName }}
+  apiGroup: rbac.authorization.k8s.io

charts/hedera-network/values.yaml

@@ -26,6 +26,7 @@ terminationGracePeriodSeconds: 10
 
 # helm test container
 tester:
+  clusterRoleName: "pod-monitor-role" # this is a shared cluster role for all namespaces
   image:
     registry: "ghcr.io"
     repository: "hashgraph/full-stack-testing/kubectl-bats"
@@ -36,7 +37,7 @@ tester:
 # gateway-api configuration
 gatewayApi:
   gatewayClass:
-    name: "fst-gateway-class"
+    name: "fst-gateway-class" # this is a shared gateway class for all namespaces
   gateway:
     name: "fst"
     enable: "true"

dev/Makefile

@@ -59,21 +59,26 @@ uninstall-chart:
 update-helm-dependencies:
 	helm dependency update ../charts/hedera-network
 
-.PHONY: deploy-common
-deploy-common: update-helm-dependencies deploy-gateway-api deploy-prometheus-operator deploy-minio-operator-if-required
+.PHONY: deploy-shared
+deploy-shared: update-helm-dependencies deploy-gateway-api deploy-prometheus-operator deploy-minio-operator-if-required
+	source "${SCRIPTS_DIR}/main.sh" && deploy_shared
 
-.PHONY: destroy-common
-destroy-common: destroy-gateway-api destroy-prometheus-operator undeploy-minio-operator
+.PHONY: destroy-shared
+destroy-shared:
+	-$(MAKE) source "${SCRIPTS_DIR}/main.sh" && destroy_shared
+	-$(MAKE) undeploy-minio-operator
+	-$(MAKE) destroy-prometheus-operator
+	-$(MAKE) destroy-gateway-api
 
 .PHONY: deploy-chart
 deploy-chart:
-	$(MAKE) deploy-common
+	$(MAKE) deploy-shared
 	$(MAKE) install-chart
 
 .PHONY: destroy-chart
 destroy-chart:
 	-$(MAKE) uninstall-chart
-	-$(MAKE) destroy-common
+	-$(MAKE) destroy-shared
 
 .PHONY: deploy-network
 deploy-network: deploy-chart

dev/common-resources/pod-monitor-role.yaml

@@ -0,0 +1,29 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: pod-monitor-role
+  labels:
+    fullstack.hedera.com/type: cluster-role
+rules:
+  - apiGroups: [ "" ]
+    resources:
+      - pods
+      - pods/log
+      - secrets
+    verbs:
+      - get
+      - list
+  - apiGroups: [ "" ]
+    resources:
+      - pods/exec
+    verbs:
+      - create
+  - apiGroups: [ "gateway.networking.k8s.io" ]
+    resources:
+      - gatewayclasses
+      - gateways
+      - httproutes
+      - tcproutes
+    verbs:
+      - get
+      - list

dev/scripts/env.sh

@@ -6,10 +6,11 @@ readonly SCRIPT_DIR
 readonly TMP_DIR="${SCRIPT_DIR}/../temp"
 readonly CHART_DIR="${SCRIPT_DIR}/../../charts/hedera-network"
 
+POD_MONITOR_ROLE="${POD_MONITOR_ROLE:-pod-monitor-role}"
+GATEWAY_CLASS_NAME="${GATEWAY_CLASS_NAME:-fst-gateway-class}"
 
 # telemetry related env variables
 readonly COMMON_RESOURCES="${SCRIPT_DIR}/../common-resources"
-readonly GATEWAY_CLASS_NAME="fst-gateway-class"
 readonly GATEWAY_API_DIR="${SCRIPT_DIR}/../gateway-api"
 readonly TELEMETRY_DIR="${SCRIPT_DIR}/../telemetry"
 readonly PROMETHEUS_DIR="${TELEMETRY_DIR}/prometheus"

dev/scripts/gateway.sh

@@ -67,33 +67,6 @@ function deploy_gateway_api_crd() {
 	fi
 }
 
-function deploy_fst_gateway_class() {
-  echo ""
-	echo "Installing FST Gateway Class: ${GATEWAY_CLASS_NAME}"
-  echo "-----------------------------------------------------------------------------------------------------"
-  local fst_gateway_class_type=$(kubectl get gc "${GATEWAY_CLASS_NAME}" -o jsonpath='{.metadata.labels.fullstack\.hedera\.com\/type}')
-  if [[ ! "${fst_gateway_class_type}" = "gateway-class" ]]; then
-    kubectl create -f "${COMMON_RESOURCES}/fst-gateway.yaml"
-    kubectl wait --for=condition=Accepted gc "${GATEWAY_CLASS_NAME}" --timeout=300s
-  else
-    echo "FST Gateway Class '${GATEWAY_CLASS_NAME}' is already installed"
-    echo ""
-  fi
-}
-
-function destroy_fst_gateway_class() {
-  echo ""
-	echo "Uninstalling FST Gateway Class: ${GATEWAY_CLASS_NAME}"
-  echo "-----------------------------------------------------------------------------------------------------"
-  local fst_gateway_class_type=$(kubectl get gc "${GATEWAY_CLASS_NAME}" -o jsonpath='{.metadata.labels.fullstack\.hedera\.com\/type}')
-  if [[ ! "${fst_gateway_class_type}" = "gateway-class" ]]; then
-    kubectl delete -f "${COMMON_RESOURCES}/fst-gateway.yaml"
-    sleep 2s
-  fi
-  echo "FST Gateway Class '${GATEWAY_CLASS_NAME}' is uninstalled"
-  echo ""
-}
-
 function deploy_envoy_gateway_api() {
   echo ""
 	echo "Installing Envoy Gateway API"
@@ -107,8 +80,6 @@ function deploy_envoy_gateway_api() {
     echo ""
   fi
 
-  deploy_fst_gateway_class
-
   get_gateway_status
 }
 
@@ -135,8 +106,6 @@ function destroy_envoy_gateway_api() {
   echo "-----------------------------------------------------------------------------------------------------"
   get_gateway_status
 
-  destroy_fst_gateway_class
-
   # Uninstall helm chart
   local helm_chart=$(helm list --all-namespaces | grep envoy-gateway)
   if [[ "${helm_chart}" ]]; then

dev/scripts/main.sh

@@ -28,6 +28,86 @@ function destroy_cluster() {
 	kubectl delete ns "${NAMESPACE}" || true
 }
 
+function deploy_shared() {
+  deploy_pod_monitor_role
+  deploy_fst_gateway_class
+}
+
+function destroy_shared() {
+  destroy_pod_monitor_role
+  destroy_fst_gateway_class
+}
+
+function deploy_pod_monitor_role() {
+  setup_kubectl_context
+
+	echo "Installing pod monitor role: ${POD_MONITOR_ROLE}"
+  echo "-----------------------------------------------------------------------------------------------------"
+  local pod_monitor_role=$(kubectl get ClusterRole "${POD_MONITOR_ROLE}" -o jsonpath='{.metadata.labels.fullstack\.hedera\.com\/type}')
+  if [[ -z "${pod_monitor_role}" ]]; then
+    kubectl create -f "${COMMON_RESOURCES}/pod-monitor-role.yaml"
+  else
+    echo "Pod monitor role '${POD_MONITOR_ROLE}' is already installed"
+    echo ""
+  fi
+
+  echo "-----------------------Pod Monitor Role------------------------------------------------------------------------------"
+  kubectl get clusterrole "${POD_MONITOR_ROLE}" -o wide
+  echo ""
+}
+
+function destroy_pod_monitor_role() {
+  setup_kubectl_context
+
+	echo "Uninstalling pod monitor role: ${POD_MONITOR_ROLE}"
+  echo "-----------------------------------------------------------------------------------------------------"
+  local pod_monitor_role=$(kubectl get ClusterRole "${POD_MONITOR_ROLE}" -o jsonpath='{.metadata.labels.fullstack\.hedera\.com\/type}')
+  if [[ -n "${pod_monitor_role}" ]]; then
+    kubectl delete -f "${COMMON_RESOURCES}/pod-monitor-role.yaml"
+  fi
+
+  echo "-----------------------Pod Monitor Role------------------------------------------------------------------------------"
+  kubectl get clusterrole "${POD_MONITOR_ROLE}" -o wide
+
+  echo "Pod monitor role '${POD_MONITOR_ROLE}' is uninstalled"
+  echo ""
+}
+
+function deploy_fst_gateway_class() {
+  echo ""
+	echo "Installing FST Gateway Class: ${GATEWAY_CLASS_NAME}"
+  echo "-----------------------------------------------------------------------------------------------------"
+  local fst_gateway_class_type=$(kubectl get gc "${GATEWAY_CLASS_NAME}" -o jsonpath='{.metadata.labels.fullstack\.hedera\.com\/type}')
+  if [[ ! "${fst_gateway_class_type}" = "gateway-class" ]]; then
+    kubectl create -f "${COMMON_RESOURCES}/fst-gateway.yaml"
+    kubectl wait --for=condition=Accepted gc "${GATEWAY_CLASS_NAME}" --timeout=300s
+  else
+    echo "FST Gateway Class '${GATEWAY_CLASS_NAME}' is already installed"
+    echo ""
+  fi
+
+  echo "-----------------------Gateway Class------------------------------------------------------------------------------"
+  kubectl get gatewayclass
+  echo ""
+}
+
+function destroy_fst_gateway_class() {
+  echo ""
+	echo "Uninstalling FST Gateway Class: ${GATEWAY_CLASS_NAME}"
+  echo "-----------------------------------------------------------------------------------------------------"
+  local fst_gateway_class_type=$(kubectl get gc "${GATEWAY_CLASS_NAME}" -o jsonpath='{.metadata.labels.fullstack\.hedera\.com\/type}')
+  if [[ ! "${fst_gateway_class_type}" = "gateway-class" ]]; then
+    kubectl delete -f "${COMMON_RESOURCES}/fst-gateway.yaml"
+    sleep 2s
+  fi
+
+  echo "-----------------------Gateway Class------------------------------------------------------------------------------"
+  kubectl get gatewayclass
+
+  echo "FST Gateway Class '${GATEWAY_CLASS_NAME}' is uninstalled"
+  echo ""
+}
+
 function install_chart() {
   local node_setup_script=$1
   [[ -z "${node_setup_script}" ]] && echo "ERROR: [install_chart] Node setup script name is required" && return 1

dev/scripts/template.env

@@ -5,5 +5,8 @@ HELM_RELEASE_NAME="fst"
 NMT_VERSION=v2.0.0-alpha.0
 PLATFORM_VERSION=v0.39.1
 
+POD_MONITOR_ROLE="${POD_MONITOR_ROLE:-pod-monitor-role}"
+GATEWAY_CLASS_NAME="${GATEWAY_CLASS_NAME:-fst-gateway-class}"
+
 #NODE_NAMES=(node0 node1 node2 node3)
 NODE_NAMES=(node0)