From a592ef77ff0f1d3ae14e32e331a7747f89748ce6 Mon Sep 17 00:00:00 2001 From: Jose Santorum Date: Wed, 22 May 2024 18:10:38 +0200 Subject: [PATCH] chore: add support for rbac --- charts/motive-service/Chart.yaml | 2 +- charts/motive-service/README.md | 5 +++- charts/motive-service/templates/_helpers.tpl | 4 +-- .../templates/roles-binding.yaml | 28 +++++++++++++++++ charts/motive-service/templates/roles.yaml | 23 ++++++++++++++ charts/motive-service/values.yaml | 30 +++++++++++++++++++ 6 files changed, 88 insertions(+), 4 deletions(-) create mode 100644 charts/motive-service/templates/roles-binding.yaml create mode 100644 charts/motive-service/templates/roles.yaml diff --git a/charts/motive-service/Chart.yaml b/charts/motive-service/Chart.yaml index 297d81a..6275fff 100644 --- a/charts/motive-service/Chart.yaml +++ b/charts/motive-service/Chart.yaml @@ -4,6 +4,6 @@ description: A Helm chart for Kubernetes type: application -version: 2.0.7 +version: 2.0.8 appVersion: "1.0.0" diff --git a/charts/motive-service/README.md b/charts/motive-service/README.md index e93dec8..ce43aad 100644 --- a/charts/motive-service/README.md +++ b/charts/motive-service/README.md @@ -1,6 +1,6 @@ # motive-service -![Version: 2.0.7](https://img.shields.io/badge/Version-2.0.7-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.0.0](https://img.shields.io/badge/AppVersion-1.0.0-informational?style=flat-square) +![Version: 2.0.8](https://img.shields.io/badge/Version-2.0.8-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.0.0](https://img.shields.io/badge/AppVersion-1.0.0-informational?style=flat-square) A Helm chart for Kubernetes 
@@ -61,6 +61,9 @@ A Helm chart for Kubernetes | metrics.serviceMonitor.scrapeTimeout | string | `"10s"` | | | metrics.serviceMonitor.targetLabels | list | `[]` | | | nameOverride | string | `""` | | +| rbac.bindings | list | `[]` | List of role bindings to create | +| rbac.enabled | bool | `false` | Specifies whether RBAC resources should be created | +| rbac.roles | list | `[]` | List of roles to create | | revisionHistoryLimit | int | 3 | How many old ReplicaSets to maintain for the Deployment | | rollouts.canary.abortScaleDownDelaySeconds | int | `30` | TBD | | rollouts.canary.analysis | object | `{}` | TBD | diff --git a/charts/motive-service/templates/_helpers.tpl b/charts/motive-service/templates/_helpers.tpl index 4e34213..e9b482a 100644 --- a/charts/motive-service/templates/_helpers.tpl +++ b/charts/motive-service/templates/_helpers.tpl @@ -104,7 +104,7 @@ affinity: - labelSelector: matchLabels: {{- include "motive-service.selectorLabels" $ | nindent 12 }} - topologyKey: {{ .Values.service.podAntiAffinityTopologyKey }} + topologyKey: {{ $.Values.service.podAntiAffinityTopologyKey }} {{- if (semverCompare ">=1.29.0-0" $.Capabilities.KubeVersion.Version) }} matchLabelKeys: - pod-template-hash @@ -117,7 +117,7 @@ affinity: labelSelector: matchLabels: {{- include "motive-service.selectorLabels" $ | nindent 14 }} - topologyKey: {{ .Values.service.podAntiAffinityTopologyKey }} + topologyKey: {{ $.Values.service.podAntiAffinityTopologyKey }} {{- if (semverCompare ">=1.29.0-0" $.Capabilities.KubeVersion.Version) }} matchLabelKeys: - pod-template-hash diff --git a/charts/motive-service/templates/roles-binding.yaml b/charts/motive-service/templates/roles-binding.yaml new file mode 100644 index 0000000..dcd7d1d --- /dev/null +++ b/charts/motive-service/templates/roles-binding.yaml 
@@ -0,0 +1,28 @@
+{{- if .Values.rbac.enabled }}
+{{- range .Values.rbac.bindings }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ include "motive-service.fullname" $ }}-role-binding-{{ .name | required ".bindings.name is required." }}
+
+ labels:
+ {{- include "motive-service.labels" $ | nindent 4 }}
+ {{- with .labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+
+ {{- with .annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: {{ .roleRef.kind | default "Role" }}
+ name: {{ tpl .roleRef.name $ }}
+
+subjects:
+ {{- tpl (toYaml .subjects) $ | nindent 2 }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/motive-service/templates/roles.yaml b/charts/motive-service/templates/roles.yaml
new file mode 100644
index 0000000..5a0f13e
--- /dev/null
+++ b/charts/motive-service/templates/roles.yaml
@@ -0,0 +1,23 @@
+{{- if .Values.rbac.enabled }}
+{{- range .Values.rbac.roles }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ include "motive-service.fullname" $ }}-role-{{ .name | required ".roles.name is required." }}
+
+ labels:
+ {{- include "motive-service.labels" $ | nindent 4 }}
+ {{- with .labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+
+ {{- with .annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+
+rules:
+ {{- tpl (toYaml .rules) $ | nindent 2 }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/motive-service/values.yaml b/charts/motive-service/values.yaml
index f71d254..26c74da 100644
--- a/charts/motive-service/values.yaml
+++ b/charts/motive-service/values.yaml
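Review bot: In roles-binding.yaml, `roleRef` and `subjects` are rendered with no validation, unlike `.name`, which is guarded by `required`. A binding entry without `subjects` would, as far as I can tell, render `subjects: null` and install a binding that grants nothing, and a missing `roleRef` fails with a nil-pointer template error rather than a readable message; I would write `name: {{ tpl (required ".bindings.roleRef.name is required." .roleRef.name) $ | quote }}` and guard `.subjects` the same way. Because `roleRef.kind` may be `ClusterRole` and `subjects` may name any user, group or service account in any namespace, the README should state that `rbac.bindings` is a privileged value that needs review before install. The same missing `required` applies to `.rules` in roles.yaml (`tpl (toYaml .rules) $`), where nothing in the template constrains wildcard verbs or resources either.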
@@ -359,6 +359,36 @@ service: annotations: {} +# -- -------------- +# RBAC +# -- -------------- + +rbac: + # -- Specifies whether RBAC resources should be created + enabled: false + + # -- List of roles to create + roles: [] +# - name: 'test' +# labels: {} +# annotations: {} +# rules: +# - apiGroups: [""] +# resources: ["secrets"] +# verbs: ["get", "watch", "list"] + + # -- List of role bindings to create + bindings: [] +# - name: 'test-binding' +# labels: {} +# annotations: {} +# roleRef: +# kind: 'Role' # Role or ClusterRole (default is Role) +# name: 'test-role-{{ include "motive-service.fullname" $ }}' +# subjects: +# - kind: 'ServiceAccount' # User, Group, ServiceAccount +# name: 'default' +# namespace: 'default' # -- -------------- # External Secrets
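Review bot: The commented `roleRef.name` example, `'test-role-{{ include "motive-service.fullname" $ }}'`, does not match the name roles.yaml generates (`<fullname>-role-<name>`), so a binding copied from it would point at a Role that this chart never creates. Kubernetes generally accepts a binding whose role does not exist, so the mistake would likely surface only as missing permissions at runtime; the example should read `name: '{{ include "motive-service.fullname" $ }}-role-test'`. The sample rule also grants `get`, `watch` and `list` on every Secret in the namespace to the `default` ServiceAccount in the `default` namespace, and examples like this tend to be copied verbatim. Narrowing it to `get` with `resourceNames` and binding the release's own service account would be a safer template to copy.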