plugin requires PATCH verb when using three-way merge
seboudry opened this issue
Hi!
We are using helm-diff plugin behind helmfile.
In our CD pipelines we need to use a "read only" service account to see changes.
When using three-way merge, it seems that the PATCH verb is required on the role.
$ HELM_DIFF_THREE_WAY_MERGE=true helmfile diff
[...]
COMBINED OUTPUT:
Enabled three way merge via the envvar
Error: unable to generate manifests: cannot patch "my-release" with kind ServiceAccount: serviceaccounts "my-release" is forbidden: User "system:serviceaccount:my-namespace:readonly" cannot patch resource "serviceaccounts" in API group "" in the namespace "my-namespace"
Error: plugin "diff" exited with error
Without the HELM_DIFF_THREE_WAY_MERGE=true option, no error occurs.
Unfortunately, we can't allow this SA to have patch permission.
Is there a way to bypass this or change the code to not require this permission?
Thanks
$ helm diff version
3.7.0
What role do you use for helm diff? We need to do the same in our CI pipelines, so that no resources can be updated in PRs but only in merges to main.
Hi @bsgrigorov, after some months...
We use something like this (custom CRD removed):
❯ kubectl describe clusterrole gitlab-readonly
Name: gitlab-readonly
Labels: <none>
Annotations: <none>
PolicyRule:
Resources Non-Resource URLs Resource Names Verbs
--------- ----------------- -------------- -----
events [] [] [create get list watch]
configmaps [] [] [get list watch]
pods [] [] [get list watch]
secrets [] [] [get list watch]
serviceaccounts [] [] [get list watch]
services [] [] [get list watch]
customresourcedefinitions.apiextensions.k8s.io [] [] [get list watch]
deployments.apps [] [] [get list watch]
replicasets.apps [] [] [get list watch]
statefulsets.apps [] [] [get list watch]
certificates.cert-manager.io [] [] [get list watch]
issuers.cert-manager.io [] [] [get list watch]
kongplugins.configuration.konghq.com [] [] [get list watch]
deployments.extensions [] [] [get list watch]
replicasets.extensions [] [] [get list watch]
statefulsets.extensions [] [] [get list watch]
podmonitors.monitoring.coreos.com [] [] [get list watch]
servicemonitors.monitoring.coreos.com [] [] [get list watch]
ingresses.networking.k8s.io [] [] [get list watch]
poddisruptionbudgets.policy [] [] [get list watch]
rolebindings.rbac.authorization.k8s.io [] [] [get list watch]
roles.rbac.authorization.k8s.io [] [] [get list watch]
replicationcontrollers [] [] [list watch]
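A small audit script, added here and not part of this thread or of helm-diff, that checks whether a role like the one above is really read-only. It parses the PolicyRule table printed by `kubectl describe clusterrole` (the sample below is a constructed, abbreviated copy of that output), flags every rule that grants a write verb, and answers the question the error message raises: can this role `patch` `serviceaccounts`? The function names and the `WRITE_VERBS` set are my own; Kubernetes authorizes a server-side dry-run patch with the same RBAC check as a real patch, so a dry-run needing `patch` shows up here as "patch not granted", which is what the diff plugin tripped over.

```python
import re
from dataclasses import dataclass

# Constructed sample: an abbreviated PolicyRule table in the format
# printed by `kubectl describe clusterrole`, modelled on the role above.
SAMPLE_DESCRIBE = """\
Name:         gitlab-readonly
Labels:       <none>
Annotations:  <none>
PolicyRule:
  Resources                Non-Resource URLs  Resource Names  Verbs
  ---------                -----------------  --------------  -----
  events                   []                 []              [create get list watch]
  configmaps               []                 []              [get list watch]
  serviceaccounts          []                 []              [get list watch]
  deployments.apps         []                 []              [get list watch]
  replicationcontrollers   []                 []              [list watch]
"""

# Verbs that mutate state; "*" is a wildcard and counts as a write grant.
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection", "*"}

# A rule row: resource, then three bracketed lists (URLs, resource names, verbs).
RULE_RE = re.compile(r"^\s*(\S+)\s+\[(.*?)\]\s+\[(.*?)\]\s+\[(.*?)\]\s*$")


@dataclass(frozen=True)
class Rule:
    resource: str
    verbs: frozenset


def parse_rules(describe_output):
    """Extract (resource, verbs) rules from `kubectl describe` text.

    Header, separator and metadata lines carry no bracketed lists and are
    skipped by the regex, so only genuine rule rows are returned.
    """
    rules = []
    for line in describe_output.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        resource, _urls, _names, verbs = m.groups()
        rules.append(Rule(resource, frozenset(verbs.split())))
    return rules


def write_grants(rules):
    """Map each resource to the sorted write verbs its rule grants (empty if read-only)."""
    findings = {}
    for rule in rules:
        granted = sorted(rule.verbs & WRITE_VERBS)
        if granted:
            findings[rule.resource] = granted
    return findings


def can(rules, verb, resource):
    """True if any rule grants `verb` (or the wildcard) on `resource`."""
    return any(
        rule.resource == resource and (verb in rule.verbs or "*" in rule.verbs)
        for rule in rules
    )


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_DESCRIBE)
    print("write grants:", write_grants(rules))
    print("can patch serviceaccounts:", can(rules, "patch", "serviceaccounts"))
```

Run against real output with `kubectl describe clusterrole <name> | python3 audit.py` after swapping `SAMPLE_DESCRIBE` for `sys.stdin.read()`; a non-empty `write_grants` result is the thing to fail a CI job on. On the sample the only write grant is `create` on `events`, and `patch` on `serviceaccounts` is absent, which matches the forbidden error in the first post.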
I am running into this issue as well. Has anyone found a workaround?
Same problem. Don't really understand why write permissions are needed for three-way merge.
Error seems to be coming from here: https://github.com/databus23/helm-diff/blob/master/cmd/upgrade.go#L439