[stable/kube-lego]: add RBAC support (#1287)

* add kube-lego RBAC support * Update to the new RBAC pattern * Trim the role permissions * bump the version
helm · Aug 15, 2017 · fe072f4 · fe072f4
1 parent 9047424
commit fe072f4
Show file tree

Hide file tree

Showing 7 changed files with 78 additions and 1 deletion.
diff --git a/stable/kube-lego/Chart.yaml b/stable/kube-lego/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v1
 description: Automatically requests certificates from Let's Encrypt
 name: kube-lego
-version: 0.1.10
+version: 0.1.11
 keywords:
   - kube-lego
   - letsencrypt

diff --git a/stable/kube-lego/README.md b/stable/kube-lego/README.md
@@ -53,6 +53,8 @@ Parameter | Description | Default
 `podAnnotations` | annotations to be added to pods | `{}`
 `replicaCount` | desired number of pods | `1`
 `resources` | kube-lego resource requests and limits (YAML) |`{}`
+`rbac.create` | Create a role and serviceaccount | `false`
+`rbac.serviceAccountName` | serviceaccount name to use if `rbac.create` is false | `default`
 
 Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
 

diff --git a/stable/kube-lego/templates/deployment.yaml b/stable/kube-lego/templates/deployment.yaml
@@ -19,6 +19,7 @@ spec:
         app: {{ template "name" . }}
         release: {{ .Release.Name }}
     spec:
+      serviceAccountName: {{ if .Values.rbac.create }}{{ template "fullname" . }}{{ else }}"{{ .Values.rbac.serviceAccountName }}"{{ end }}
       containers:
         - name: {{ template "name" . }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"

diff --git a/stable/kube-lego/templates/role.yaml b/stable/kube-lego/templates/role.yaml
@@ -0,0 +1,40 @@
+{{- if .Values.rbac.create -}}
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  labels:
+    app: {{ template "name" . }}
+    chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+  name: {{ template "fullname" . }}
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - create
+  - get
+  - delete
+- apiGroups:
+  - extensions
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - update
+  - create
+  - list
+  - patch
+  - delete
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - create
+  - update
+{{- end -}}
diff --git a/stable/kube-lego/templates/rolebinding.yaml b/stable/kube-lego/templates/rolebinding.yaml
@@ -0,0 +1,19 @@
+{{- if .Values.rbac.create -}}
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app: {{ template "name" . }}
+    chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+  name: {{ template "fullname" . }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ template "fullname" . }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "fullname" . }}
+    namespace: {{ .Release.Namespace }}
+{{- end -}}
diff --git a/stable/kube-lego/templates/serviceaccount.yaml b/stable/kube-lego/templates/serviceaccount.yaml
@@ -0,0 +1,11 @@
+{{- if .Values.rbac.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    app: {{ template "name" . }}
+    chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+  name: {{ template "fullname" . }}
+{{- end -}}
diff --git a/stable/kube-lego/values.yaml b/stable/kube-lego/values.yaml
@@ -44,3 +44,7 @@ resources: {}
   # requests:
   #   cpu: 20m
   #   memory: 8Mi
+
+rbac:
+  create: false
+  serviceAccountName: default