Fixes #47 Make clusterRoleBinding optional

RoadieHQ · Jul 15, 2020 · da792e1 · da792e1
1 parent bd945ba
commit da792e1
Show file tree

Hide file tree

Showing 3 changed files with 34 additions and 0 deletions.
diff --git a/helm_chart/templates/clusterrolebinding.yaml b/helm_chart/templates/clusterrolebinding.yaml
@@ -1,3 +1,4 @@
+{{- if and .Values.rbac.create (eq .Values.clusterRole.create true) -}}
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
@@ -19,3 +20,4 @@ roleRef:
   kind: ClusterRole
   name: {{ include "kubewise.serviceAccountName" . }}
   apiGroup: rbac.authorization.k8s.io
+{{- end -}}
diff --git a/helm_chart/templates/rolebinding.yaml b/helm_chart/templates/rolebinding.yaml
@@ -0,0 +1,23 @@
+{{- if and .Values.rbac.create (eq .Values.clusterRole.create false) -}}
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "kubewise.serviceAccountName" . }}
+rules:
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["list", "get", "watch"]
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "kubewise.serviceAccountName" . }}
+subjects:
+- kind: ServiceAccount
+  name: {{ include "kubewise.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace | quote }}
+roleRef:
+  kind: Role
+  name: {{ include "kubewise.serviceAccountName" . }}
+  apiGroup: rbac.authorization.k8s.io
+{{- end -}}
diff --git a/helm_chart/values.yaml b/helm_chart/values.yaml
@@ -39,6 +39,15 @@ serviceAccount:
   # If not set and create is true, a name is generated using the fullname template
   name: kubewise
 
+rbac:
+  # Specifies whether RBAC resources should be created
+  create: true
+
+# If create is `false` Kubewise will be restricted to the namespace
+# where it is deployed, and no ClusterRole or ClusterRoleBinding will be created.
+clusterRole:
+  create: true
+
 podSecurityContext: {}
   # fsGroup: 2000