Add optional k8s role binding to application chart (#129)

* Add optional serviceAccount.rbac to application chart * Fix naming collision * Increment version, add test, improve naming --------- Co-authored-by: Florian Heubeck <[email protected]>
MediaMarktSaturn · Jul 17, 2024 · 096e733 · 096e733
1 parent a478ceb
commit 096e733
Show file tree

Hide file tree

Showing 6 changed files with 39 additions and 2 deletions.
diff --git a/chart-tests/application/ci/test-init-container-values.yaml b/chart-tests/application/ci/test-init-container-values.yaml
@@ -17,7 +17,7 @@ initContainers:
       tag: 9.3
     command: ['sh', '-c', 'echo $BUMP_ME_UP']
     env:
-     BUMP_ME_UP: bump me up
+      BUMP_ME_UP: bump me up
     securityContext:
       runAsNonRoot: true
       allowPrivilegeEscalation: false

diff --git a/chart-tests/application/ci/test-role-binding-values.yaml b/chart-tests/application/ci/test-role-binding-values.yaml
@@ -0,0 +1,11 @@
+serviceAccount:
+  rbac:
+    - kind: RoleBinding
+      roleType: Role
+      roleName: admin
+    - kind: ClusterRoleBinding
+      roleType: ClusterRole
+      roleName: edit
+    - kind: ClusterRoleBinding
+      roleType: ClusterRole
+      roleName: view
diff --git a/charts/application/Chart.yaml b/charts/application/Chart.yaml
@@ -7,4 +7,4 @@ maintainers:
   - name: MediaMarktSaturn
     url: https://github.com/MediaMarktSaturn
 appVersion: 1.0.0
-version: 1.17.0
+version: 1.18.0
diff --git a/charts/application/README.md b/charts/application/README.md
@@ -72,6 +72,7 @@ Generic application chart with common requirements of a typical workload.
 | serviceAccount.secretName | string | `nil` |  |
 | serviceAccount.mountPath | string | `"/config/service-account"` |  |
 | serviceAccount.automountServiceAccountToken | bool | `false` |  |
+| serviceAccount.rbac | list | `[]` |  |
 | istio.enabled | bool | `false` |  |
 | istio.tlsMode | string | `"ISTIO_MUTUAL"` |  |
 | istio.ingress.enabled | bool | `true` |  |

diff --git a/charts/application/templates/k8s-rolebinding.yaml b/charts/application/templates/k8s-rolebinding.yaml
@@ -0,0 +1,20 @@
+{{- range .Values.serviceAccount.rbac }}
+{{- if or (eq .kind "RoleBinding") (eq .kind "ClusterRoleBinding") }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: {{ .kind }}
+metadata:
+  name: {{ printf "%s-%s" $.Release.Name .roleName | quote }}
+  namespace: {{ $.Release.Namespace }}
+  labels:
+    {{- include "labels" $ | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: {{ .roleType }}
+  name: {{ .roleName }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ $.Release.Name }}
+    namespace: {{ $.Release.Namespace }}
+{{- end }}
+{{- end }}
diff --git a/charts/application/values.yaml b/charts/application/values.yaml
@@ -144,6 +144,11 @@ serviceAccount:
   mountPath: /config/service-account
   # k8s ServiceAccount.automountServiceAccountToken setting
   automountServiceAccountToken: false
+  # gives the application the defined role binding
+  rbac: []
+  #  - kind: RoleBinding
+  #    roleType: ClusterRole
+  #    roleName: admin
 
 # Pick one of the service mesh configs
 istio: