fix(spectre): add watch verb to spectre-test Role for kubectl logs -f [sc-17583] #288
Open
…f` [sc-17583]

ArgoCD Sync hooks in app-of-apps (`check-logs`) use `kubectl logs --tail=0 -f $POD_NAME | grep -m 1 ...` to gate progressive rollouts. The bundled `spectre-test` ServiceAccount binds to a Role with verbs ["get", "list"] on pods and pods/log — missing `watch`, which the follow-mode stream depends on in newer kubectl clients and RBAC-strict clusters.

Adds `watch` so the hook works against spectre-test without the app-of-apps layer having to duplicate a custom SA/Role/RoleBinding in extraObjects. Bumps chart version 0.3.5 -> 0.3.6.

Validator chart already has this verb on its own Role (see charts/validator/templates/role.yaml:8,11). No change needed there.

Companion work: app-of-apps PR (forthcoming) removes the legacy check-logs SA/Role/RoleBinding bloat from prod-relay / prod-vao-relay / staging-relay / staging-feed / stage-vao-relay appsets once this chart version is published.
Summary

Add `watch` verb to the `spectre-test` Role. One-line change plus chart version bump (0.3.5 → 0.3.6).

Why

ArgoCD Sync hooks in app-of-apps use
to gate progressive rollouts. The follow-mode stream (`-f`) needs `watch` verb on `pods` / `pods/log` for RBAC-strict clusters / newer kubectl. The bundled `spectre-test` Role was `["get", "list"]` only.

The app-of-apps layer currently works around this by duplicating a custom `check-logs` SA + Role + RoleBinding (with `watch`) inside `extraObjects` — that's dead-code bloat. Once this lands, app-of-apps can delete all that and use the chart-provided SA directly. Context: Discord thread with @WesleyCharlesBlake 2026-04-21.

Diff

- `version: 0.3.5` → `0.3.6` in `Chart.yaml`.

Not in scope

- `validator` chart already has `watch` on its own Role (charts/validator/templates/role.yaml:8,11). No change needed.
- `check-logs` extraObjects — follow-up PR, depends on this version being published.

Test plan

- `ct lint` passes
- `ct install` passes in kind cluster
- `spectre-0.3.6` to GHCR + chronicleprotocol.github.io/charts
- `targetRevision: '*.*.*'`

Refs:
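
The access change described above can be checked before a chart release by evaluating a rendered Role's rules against the verbs the description lists, and by flagging any grant wider than that. This is an added example, not code from the chart or this PR; the rule dictionaries are constructed samples and `allows` and `audit` are hypothetical helper names.

```python
"""Added example: audit a Role's rules for the check-logs hook's access."""

# Verb/resource pairs the PR description gives for the spectre-test Role after the fix.
REQUIRED = {(v, r) for v in ("get", "list", "watch") for r in ("pods", "pods/log")}


def _resource_matches(rule_res, wanted):
    """RBAC resource matching: "*", an exact match, or "*/<subresource>"."""
    if rule_res in ("*", wanted):
        return True
    _, _, sub = wanted.partition("/")
    return bool(sub) and rule_res == "*/" + sub


def allows(rules, verb, resource, api_group=""):
    """True if some rule grants `verb` on `resource` without a name restriction."""
    for rule in rules:
        if rule.get("resourceNames"):  # name-scoped rules are not namespace-wide grants
            continue
        groups, verbs = rule.get("apiGroups", []), rule.get("verbs", [])
        if not (api_group in groups or "*" in groups):
            continue
        if not (verb in verbs or "*" in verbs):
            continue
        if any(_resource_matches(r, resource) for r in rule.get("resources", [])):
            return True
    return False


def audit(rules):
    """Return (missing, excess): required pairs not granted, and grants beyond them."""
    missing = sorted(p for p in REQUIRED if not allows(rules, *p))
    literal = {(v, r) for rule in rules
               for v in rule.get("verbs", []) for r in rule.get("resources", [])}
    return missing, sorted(literal - REQUIRED)


# Constructed sample rules (not copied from the chart's role.yaml).
BEFORE = [{"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list"]}]
AFTER = [{"apiGroups": [""], "resources": ["pods", "pods/log"],
          "verbs": ["get", "list", "watch"]}]
TOO_BROAD = [{"apiGroups": [""], "resources": ["*"], "verbs": ["*"]}]

if __name__ == "__main__":
    for name, rules in (("before", BEFORE), ("after", AFTER), ("too broad", TOO_BROAD)):
        print(name, audit(rules))
```

A grant on `pods` alone does not cover the `pods/log` subresource, which is why both resources appear in the required set.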