From 096e73348d56dad5482eb4d5e646bf0d3625659a Mon Sep 17 00:00:00 2001
From: blenkjon <80262793+blenkjon@users.noreply.github.com>
Date: Wed, 17 Jul 2024 14:49:59 +0200
Subject: [PATCH] Add optional k8s role binding to application chart (#129)
* Add optional serviceAccount.rbac to application chart
* Fix naming collision
* Increment version, add test, improve naming
---------
Co-authored-by: Florian Heubeck <40993644+heubeck@users.noreply.github.com>
---
 .../ci/test-init-container-values.yaml | 2 +-
 .../ci/test-role-binding-values.yaml | 11 ++++++++++
 charts/application/Chart.yaml | 2 +-
 charts/application/README.md | 1 +
 .../templates/k8s-rolebinding.yaml | 20 +++++++++++++++++++
 charts/application/values.yaml | 5 +++++
 6 files changed, 39 insertions(+), 2 deletions(-)
 create mode 100644 chart-tests/application/ci/test-role-binding-values.yaml
 create mode 100644 charts/application/templates/k8s-rolebinding.yaml
diff --git a/chart-tests/application/ci/test-init-container-values.yaml b/chart-tests/application/ci/test-init-container-values.yaml
index 2b9841f..584d8a1 100644
--- a/chart-tests/application/ci/test-init-container-values.yaml
+++ b/chart-tests/application/ci/test-init-container-values.yaml
@@ -17,7 +17,7 @@ initContainers:
 tag: 9.3
 command: ['sh', '-c', 'echo $BUMP_ME_UP']
 env:
- BUMP_ME_UP: bump me up
+ BUMP_ME_UP: bump me up
 securityContext:
 runAsNonRoot: true
 allowPrivilegeEscalation: false
diff --git a/chart-tests/application/ci/test-role-binding-values.yaml b/chart-tests/application/ci/test-role-binding-values.yaml
new file mode 100644
index 0000000..34e134b
--- /dev/null
+++ b/chart-tests/application/ci/test-role-binding-values.yaml
@@ -0,0 +1,11 @@
+serviceAccount:
+ rbac:
+ - kind: RoleBinding
+ roleType: Role
+ roleName: admin
+ - kind: ClusterRoleBinding
+ roleType: ClusterRole
+ roleName: edit
+ - kind: ClusterRoleBinding
+ roleType: ClusterRole
+ roleName: view
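Review bot: The fixture only exercises entries the new template accepts, so the path where an entry carries an unsupported `kind` (which the template in this same commit silently skips rather than rejects) and the `RoleBinding` + `roleType: ClusterRole` combination that values.yaml documents as its example are both left unrendered in CI. Consider adding a fourth entry `- kind: RoleBinding`, `roleType: ClusterRole`, `roleName: view` so the documented shape is covered. The fixture also binds the `edit` ClusterRole cluster-wide to the test release's ServiceAccount, which is more privilege than a render test needs; `view` alone already covers the ClusterRoleBinding branch.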
diff --git a/charts/application/Chart.yaml b/charts/application/Chart.yaml
index c1a28c8..1dbe7b1 100644
--- a/charts/application/Chart.yaml
+++ b/charts/application/Chart.yaml
@@ -7,4 +7,4 @@ maintainers:
 - name: MediaMarktSaturn
 url: https://github.com/MediaMarktSaturn
 appVersion: 1.0.0
-version: 1.17.0
+version: 1.18.0
diff --git a/charts/application/README.md b/charts/application/README.md
index f4b5741..e86c993 100644
--- a/charts/application/README.md
+++ b/charts/application/README.md
@@ -72,6 +72,7 @@ Generic application chart with common requirements of a typical workload.
 | serviceAccount.secretName | string | `nil` | |
 | serviceAccount.mountPath | string | `"/config/service-account"` | |
 | serviceAccount.automountServiceAccountToken | bool | `false` | |
+| serviceAccount.rbac | list | `[]` | |
 | istio.enabled | bool | `false` | |
 | istio.tlsMode | string | `"ISTIO_MUTUAL"` | |
 | istio.ingress.enabled | bool | `true` | |
diff --git a/charts/application/templates/k8s-rolebinding.yaml b/charts/application/templates/k8s-rolebinding.yaml
new file mode 100644
index 0000000..3555edf
--- /dev/null
+++ b/charts/application/templates/k8s-rolebinding.yaml
@@ -0,0 +1,20 @@
+{{- range .Values.serviceAccount.rbac }}
+{{- if or (eq .kind "RoleBinding") (eq .kind "ClusterRoleBinding") }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: {{ .kind }}
+metadata:
+ name: {{ printf "%s-%s" $.Release.Name .roleName | quote }}
+ namespace: {{ $.Release.Namespace }}
+ labels:
+ {{- include "labels" $ | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: {{ .roleType }}
+ name: {{ .roleName }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ $.Release.Name }}
+ namespace: {{ $.Release.Namespace }}
+{{- end }}
+{{- end }}
diff --git a/charts/application/values.yaml b/charts/application/values.yaml
index 198ef4b..23fac26 100644
--- a/charts/application/values.yaml
+++ b/charts/application/values.yaml
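Review bot: Entries with an unsupported `kind` are silently dropped by the `if or (eq .kind "RoleBinding") (eq .kind "ClusterRoleBinding")` guard in k8s-rolebinding.yaml, so a typo in values yields a release with no binding and no error; an `else` branch calling `fail` surfaces the misconfiguration at render time, and the same treatment for `roleType` values other than `Role`/`ClusterRole` gives a clearer message than the API server's rejection at apply time. `metadata.namespace` is also emitted for `ClusterRoleBinding`, a cluster-scoped kind; the API server presumably discards it, but emitting it only for `RoleBinding` avoids a misleading manifest. Because a ClusterRoleBinding is cluster-wide, `printf "%s-%s" $.Release.Name .roleName` collides when the same release name is installed in two namespaces, so including `$.Release.Namespace` in that name is worth considering. Two points for the chart docs rather than the code: `roleRef` is immutable on an existing binding, so changing `roleType`/`roleName` for an entry needs a delete-and-recreate on upgrade, and the subject hard-codes `$.Release.Name` as the ServiceAccount name, which must match whatever the chart's ServiceAccount template renders (not visible in this diff).
```yaml
{{- range .Values.serviceAccount.rbac }}
{{- if or (eq .kind "RoleBinding") (eq .kind "ClusterRoleBinding") }}
{{- if not (or (eq .roleType "Role") (eq .roleType "ClusterRole")) }}
{{- fail (printf "serviceAccount.rbac: unsupported roleType %q (expected Role or ClusterRole)" .roleType) }}
{{- end }}
# … unchanged: ---, apiVersion, kind …
metadata:
  name: {{ printf "%s-%s" $.Release.Name .roleName | quote }}
  {{- if eq .kind "RoleBinding" }}
  namespace: {{ $.Release.Namespace }}
  {{- end }}
# … unchanged: labels, roleRef, subjects …
{{- else }}
{{- fail (printf "serviceAccount.rbac: unsupported kind %q (expected RoleBinding or ClusterRoleBinding)" .kind) }}
{{- end }}
{{- end }}
```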
@@ -144,6 +144,11 @@ serviceAccount: mountPath: /config/service-account # k8s ServiceAccount.automountServiceAccountToken setting automountServiceAccountToken: false + # gives the application the defined role binding + rbac: [] + # - kind: RoleBinding + # roleType: ClusterRole + # roleName: admin # Pick one of the service mesh configs istio:
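Review bot: The comment `# gives the application the defined role binding` above `rbac: []` does not say what fields an entry takes, that the role must already exist (this chart only creates the binding), or that each entry binds the release's ServiceAccount, so a user has to read the template to use the value. Suggest expanding it to something like `# RBAC bindings for the application's ServiceAccount; each entry: kind (RoleBinding|ClusterRoleBinding), roleType (Role|ClusterRole), roleName (existing role, not created here)`, plus one line noting that `ClusterRoleBinding` grants the role cluster-wide. The commented example (`RoleBinding` to a `ClusterRole`) is a valid, namespace-scoped way to reuse a built-in ClusterRole and is the least-privilege shape to show first, so it can stay as is. The enclosing `serviceAccount:` mapping starts outside the hunk.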