
Infra 48603 kubelock support new version rbac #387

Open

nabadger wants to merge 2 commits into main from INFRA-48603_kubelock-support-new-version-rbac

Infra 48603 kubelock support new version rbac#387
nabadger wants to merge 2 commits into
mainfrom
INFRA-48603_kubelock-support-new-version-rbac

Conversation


@nabadger nabadger commented Jun 22, 2026

Contributor

Summary

Updates standard-application-stack to v11.4.0 for kubelock v0.4.x: scoped Lease RBAC for the new GitLab kubelock release, retained legacy Endpoints RBAC for migration, and optional centralised kubelock binary injection via Helm.

Background

kubelock v0.4.0+ (gitlab.com/mintel/satoshi/tools/kubelock) switched from Endpoints-based to Lease-based leader election. Apps still on the old mintel/kubelock image need Endpoints RBAC; new kubelock needs scoped Lease RBAC.

Today many teams bundle kubelock into application images. This MR adds an opt-in Helm path to inject the binary from a centrally managed ECR image instead.

Changes

Kubelock RBAC (when kubelock.enabled)

  • Consolidated kubelock Role rules into helpers/_kubelock.yaml (mintel_common.kubelockRoleRules)
  • Leases: scoped via resourceNames to kubelock.nameOverride or release/job fullname (new kubelock)
  • Endpoints: retained, unscoped (legacy kubelock during migration)

Kubelock binary injection (opt-in: kubelock.injectBinary: true)

  • Init container copies kubelock from kubelock.image into a shared emptyDir
  • Main container mounts binary at /usr/local/bin/kubelock (overwrites any bundled copy)
  • Supported on: deployment, celery, jobs
  • Default image: 551844124467.dkr.ecr.${CLUSTER_REGION}.amazonaws.com/gitlab/mintel/satoshi/tools/kubelock:v0.4.1

New values

```yaml
kubelock:
  enabled: false        # RBAC for kubelock is off by default
  injectBinary: false   # init-container injection is opt-in
  image:
    registry: 551844124467.dkr.ecr.${CLUSTER_REGION}.amazonaws.com
    repository: gitlab/mintel/satoshi/tools/kubelock
    tag: v0.4.1
```

Job-level overrides via jobDefaults.kubelock / jobs[].kubelock (image defaults fall back to release-level config).

Adoption

RBAC only (existing bundled kubelock, upgrading to v0.4.x):

```yaml
kubelock:
  enabled: true
```

Centralised binary (remove kubelock from app Dockerfile):

```yaml
kubelock:
  enabled: true
  injectBinary: true
```

Requires kubelock v0.4.1+ (busybox-based image with /bin/sh for the init copy step).

Upgrade notes

  • No change when kubelock.enabled: false (default)
  • When kubelock.enabled: true: Lease rules gain resourceNames scoping; Endpoints rules unchanged
  • injectBinary is false by default — no init container/volume changes unless explicitly enabled
  • Apps on old kubelock image can stay on injectBinary: false until ready to migrate

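What the scoped-Lease RBAC and the binary-injection wiring described in the PR look like once rendered into plain Kubernetes objects, as an added example. This is not the chart's template output and not the kubelock project's own code: the namespace, release name, service account, Lease name, verb list, and the path of the binary inside the kubelock image are all assumptions. One practitioner caveat is built in: Kubernetes RBAC cannot restrict `create` by `resourceNames` (the object's name is not known at authorization time), so the `create` verb for Leases has to sit in a separate unscoped rule or the first leader to start cannot create the Lease at all. Whether the chart splits the verbs this way is not visible in the PR and should be checked in helpers/_kubelock.yaml.

```yaml
# Illustrative rendering (added example, not chart output).
# Assumed: namespace "apps", release/service account "myapp",
# Lease name "myapp" (i.e. kubelock.nameOverride or the release fullname).
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: myapp-kubelock
  namespace: apps
rules:
  # New kubelock (v0.4.x): Lease-based election, scoped to the single
  # Lease this release may hold. Verbs are an assumption.
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    resourceNames: ["myapp"]
    verbs: ["get", "update", "patch"]
  # "create" cannot be scoped by resourceNames, so it needs its own rule;
  # this is the one place the Lease grant stays namespace-wide.
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["create"]
  # Legacy kubelock: Endpoints-based election, kept unscoped for migration.
  # Drop this rule once no workload in the namespace runs the old image.
  - apiGroups: [""]
    resources: ["endpoints"]
    verbs: ["get", "create", "update", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: myapp-kubelock
  namespace: apps
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: myapp-kubelock
subjects:
  - kind: ServiceAccount
    name: myapp
    namespace: apps
---
# Pod template fragment showing injectBinary: true wiring.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp
  namespace: apps
spec:
  selector:
    matchLabels: {app: myapp}
  template:
    metadata:
      labels: {app: myapp}
    spec:
      serviceAccountName: myapp
      volumes:
        - name: kubelock-bin
          emptyDir: {}
      initContainers:
        - name: kubelock-init
          # Region placeholder as written in the PR; pinning by digest
          # instead of tag would make the injected binary immutable.
          image: 551844124467.dkr.ecr.${CLUSTER_REGION}.amazonaws.com/gitlab/mintel/satoshi/tools/kubelock:v0.4.1
          # Source path inside the kubelock image is an assumption.
          command: ["sh", "-c", "cp /usr/local/bin/kubelock /shared/kubelock && chmod 0755 /shared/kubelock"]
          volumeMounts:
            - name: kubelock-bin
              mountPath: /shared
      containers:
        - name: app
          image: example.invalid/myapp:1.0.0   # placeholder application image
          command: ["kubelock", "--", "/app/run-migrations"]
          volumeMounts:
            # subPath mounts only the file: mounting the emptyDir at
            # /usr/local/bin would shadow everything else in that directory.
            - name: kubelock-bin
              mountPath: /usr/local/bin/kubelock
              subPath: kubelock
              readOnly: true
```

To confirm the scoping took effect after upgrading, impersonate the service account and check that the named Lease is updatable while an arbitrary one is not, e.g. `kubectl auth can-i update leases.coordination.k8s.io/myapp -n apps --as=system:serviceaccount:apps:myapp` should answer yes and the same command with `leases.coordination.k8s.io/other` should answer no; `create` will answer yes for any name because of the unscoped rule above.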