[stable/kube-lego]: add RBAC support #1287
Conversation
k8s-ci-robot
added
the
cncf-cla: yes
|
Hi @SamClinckspoor. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
k8s-ci-robot
added
the
needs-ok-to-test
SamClinckspoor
changed the title
SamClinckspoor
changed the title
|
/cc @jackzampolin |
|
@unguiculus: GitHub didn't allow me to request PR reviews from the following users: jackzampolin. Note that only kubernetes members can review this PR, and authors cannot review their own PRs. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
pinging for a review @jackzampolin |
|
@SamClinckspoor Thanks for the ping. Pulled this down and it looks good. Thanks for adding this! LGTM! 👍 |
|
@mgoodness what do we need to do to get this merged? I'd love to have RBAC "official" |
|
@dmccaffery give me just a couple more days. I'm on a roll with RBAC-related merges, so we should get this merged pretty quickly. |
| @@ -19,6 +19,9 @@ spec: | |||
| app: {{ template "name" . }} | |||
| release: {{ .Release.Name }} | |||
| spec: | |||
| {{- if .Values.rbac.enabled }} | |||
| serviceAccountName: {{ template "fullname" . }} | |||
| {{- end }} | |||
There was a problem hiding this comment.
Use serviceAccountName: {{ if .Values.rbac.create }}{{ template "fullname" . }}{{ else }}"{{ .Values.rbac.serviceAccountName }}"{{ end }}
stable/kube-lego/templates/role.yaml
Outdated
| rules: | ||
| - apiGroups: | ||
| - "" | ||
| - "extensions" |
There was a problem hiding this comment.
Nit: don't need quotes around extensions
stable/kube-lego/templates/role.yaml
Outdated
| - update | ||
| - delete | ||
| - apiGroups: | ||
| - "extensions" |
stable/kube-lego/templates/role.yaml
Outdated
| - delete | ||
| - watch | ||
| - apiGroups: | ||
| - "*" |
There was a problem hiding this comment.
We should be explicit, no?
stable/kube-lego/values.yaml
Outdated
| @@ -44,3 +44,6 @@ resources: {} | |||
| # requests: | |||
| # cpu: 20m | |||
| # memory: 8Mi | |||
|
|
|||
| rbac: | |||
| enabled: false | |||
There was a problem hiding this comment.
Let's make this create. Add rbac.serviceAccountName and set to default.
stable/kube-lego/README.md
Outdated
| @@ -53,6 +53,7 @@ Parameter | Description | Default | |||
| `podAnnotations` | annotations to be added to pods | `{}` | |||
| `replicaCount` | desired number of pods | `1` | |||
| `resources` | kube-lego resource requests and limits (YAML) |`{}` | |||
| `rbac.enabled` | Enable role and serviceaccount creation | `false` | |||
There was a problem hiding this comment.
Update with changes made to values.yaml
|
@mgoodness Changed to the new RBAC pattern and also trimmed the role permissions as per jetstack/kube-lego#99 (comment) |
|
/ok-to-test |
k8s-ci-robot
removed
the
needs-ok-to-test
|
/lgtm |
|
@SamClinckspoor: The following test failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
CI failure is expected due to the required |
Adds support in kube-lego for RBAC.
Permissions sourced from jetstack/kube-lego#99 and adjusted slightly.
setting
rbac.enabledto true will create a role, rolebinding and service account.