Merge pull request #57 from empathyco/feat/rbac

chore: add support for rbac
empathyco · May 22, 2024 · 41ac186 · 41ac186
2 parents 0a0742a + a592ef7
commit 41ac186
Show file tree

Hide file tree

Showing 6 changed files with 88 additions and 4 deletions.
diff --git a/charts/motive-service/Chart.yaml b/charts/motive-service/Chart.yaml
@@ -4,6 +4,6 @@ description: A Helm chart for Kubernetes
 
 type: application
 
-version: 2.0.7
+version: 2.0.8
 
 appVersion: "1.0.0"
diff --git a/charts/motive-service/README.md b/charts/motive-service/README.md
@@ -1,6 +1,6 @@
 # motive-service
 
-![Version: 2.0.7](https://img.shields.io/badge/Version-2.0.7-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.0.0](https://img.shields.io/badge/AppVersion-1.0.0-informational?style=flat-square)
+![Version: 2.0.8](https://img.shields.io/badge/Version-2.0.8-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.0.0](https://img.shields.io/badge/AppVersion-1.0.0-informational?style=flat-square)
 
 A Helm chart for Kubernetes
 
@@ -61,6 +61,9 @@ A Helm chart for Kubernetes
 | metrics.serviceMonitor.scrapeTimeout | string | `"10s"` |  |
 | metrics.serviceMonitor.targetLabels | list | `[]` |  |
 | nameOverride | string | `""` |  |
+| rbac.bindings | list | `[]` | List of role bindings to create |
+| rbac.enabled | bool | `false` | Specifies whether RBAC resources should be created |
+| rbac.roles | list | `[]` | List of roles to create |
 | revisionHistoryLimit | int | 3 | How many old ReplicaSets to maintain for the Deployment |
 | rollouts.canary.abortScaleDownDelaySeconds | int | `30` | TBD |
 | rollouts.canary.analysis | object | `{}` | TBD |

diff --git a/charts/motive-service/templates/_helpers.tpl b/charts/motive-service/templates/_helpers.tpl
@@ -104,7 +104,7 @@ affinity:
       - labelSelector:
           matchLabels:
             {{- include "motive-service.selectorLabels" $ | nindent 12 }}
-        topologyKey: {{ .Values.service.podAntiAffinityTopologyKey }}
+        topologyKey: {{ $.Values.service.podAntiAffinityTopologyKey }}
         {{- if (semverCompare ">=1.29.0-0" $.Capabilities.KubeVersion.Version) }}
         matchLabelKeys:
           - pod-template-hash
@@ -117,7 +117,7 @@ affinity:
           labelSelector:
             matchLabels:
               {{- include "motive-service.selectorLabels" $ | nindent 14 }}
-          topologyKey: {{ .Values.service.podAntiAffinityTopologyKey }}
+          topologyKey: {{ $.Values.service.podAntiAffinityTopologyKey }}
           {{- if (semverCompare ">=1.29.0-0" $.Capabilities.KubeVersion.Version) }}
           matchLabelKeys:
             - pod-template-hash

diff --git a/charts/motive-service/templates/roles-binding.yaml b/charts/motive-service/templates/roles-binding.yaml
@@ -0,0 +1,28 @@
+{{- if .Values.rbac.enabled }}
+{{- range .Values.rbac.bindings }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "motive-service.fullname" $ }}-role-binding-{{ .name | required ".bindings.name is required." }}
+
+  labels:
+    {{- include "motive-service.labels" $ | nindent 4 }}
+    {{- with .labels }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+
+  {{- with .annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+
+roleRef:
+    apiGroup: rbac.authorization.k8s.io
+    kind: {{ .roleRef.kind | default "Role" }}
+    name: {{ tpl .roleRef.name $ }}
+
+subjects:
+  {{- tpl (toYaml .subjects) $ | nindent 2 }}
+{{- end }}
+{{- end }}
diff --git a/charts/motive-service/templates/roles.yaml b/charts/motive-service/templates/roles.yaml
@@ -0,0 +1,23 @@
+{{- if .Values.rbac.enabled }}
+{{- range .Values.rbac.roles }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "motive-service.fullname" $ }}-role-{{ .name | required ".roles.name is required." }}
+
+  labels:
+    {{- include "motive-service.labels" $ | nindent 4 }}
+    {{- with .labels }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+
+  {{- with .annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+
+rules:
+  {{- tpl (toYaml .rules) $ | nindent 2 }}
+{{- end }}
+{{- end }}
diff --git a/charts/motive-service/values.yaml b/charts/motive-service/values.yaml
@@ -359,6 +359,36 @@ service:
     annotations: {}
 
 
+# -- --------------
+# RBAC
+# -- --------------
+
+rbac:
+  # -- Specifies whether RBAC resources should be created
+  enabled: false
+
+  # -- List of roles to create
+  roles: []
+#    - name: 'test'
+#      labels: {}
+#      annotations: {}
+#      rules:
+#        - apiGroups: [""]
+#          resources: ["secrets"]
+#          verbs: ["get", "watch", "list"]
+
+  # -- List of role bindings to create
+  bindings: []
+#    - name: 'test-binding'
+#      labels: {}
+#      annotations: {}
+#      roleRef:
+#        kind: 'Role' # Role or ClusterRole (default is Role)
+#        name: 'test-role-{{ include "motive-service.fullname" $ }}'
+#      subjects:
+#        - kind: 'ServiceAccount' # User, Group, ServiceAccount
+#          name: 'default'
+#          namespace: 'default'
 
 # -- --------------
 # External Secrets