added service-account for app-proxy (#186)

roi-codefresh · web-flow · commit 940cb7a8c285 · 2020-09-23T09:52:35.000+03:00
* added service-account for app-proxy
diff --git a/venona/VERSION b/venona/VERSION
@@ -1 +1 @@
-1.4.24
+1.4.25
diff --git a/venonactl/VERSION b/venonactl/VERSION
@@ -1 +1 @@
-1.4.24
+1.4.25
diff --git a/venonactl/example/values-example.yaml b/venonactl/example/values-example.yaml
diff --git a/venonactl/pkg/templates/kubernetes/cluster-role-binding.app-proxy.yaml b/venonactl/pkg/templates/kubernetes/cluster-role-binding.app-proxy.yaml
@@ -0,0 +1,14 @@
+{{- if .CreateRbac }}
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: {{ .AppProxy.AppName }}-cluster-reader
+subjects:
+- kind: ServiceAccount
+  name: {{ .AppProxy.AppName }} # this service account can get secrets cluster-wide (all namespaces)
+  namespace: {{ .Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: {{ .AppProxy.AppName }}-cluster-reader
+  apiGroup: rbac.authorization.k8s.io
+{{- end  }}
diff --git a/venonactl/pkg/templates/kubernetes/cluster-role.app-proxy.yaml b/venonactl/pkg/templates/kubernetes/cluster-role.app-proxy.yaml
@@ -0,0 +1,13 @@
+{{- if .CreateRbac }}
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ .AppProxy.AppName }}-cluster-reader
+  labels:
+    app: {{ .AppProxy.AppName }}
+    version: {{ .Version }}
+rules:
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["get"]
+{{- end }}
diff --git a/venonactl/pkg/templates/kubernetes/deployment.app-proxy.yaml b/venonactl/pkg/templates/kubernetes/deployment.app-proxy.yaml
@@ -24,6 +24,9 @@ spec:
         app: {{ .AppProxy.AppName }}
         version: {{ .Version }}
     spec:
+      {{- if .CreateRbac }}
+      serviceAccountName: {{ .AppProxy.AppName }}
+      {{- end }}
       containers:
       - name: {{ .AppProxy.AppName }}
         image: {{ if ne .DockerRegistry ""}} {{- .DockerRegistry }}/{{ .AppProxy.Image.Name }}:{{ .AppProxy.Image.Tag }} {{- else }} {{- .AppProxy.Image.Name }}:{{ .AppProxy.Image.Tag }} {{- end}}
diff --git a/venonactl/pkg/templates/kubernetes/service-account.app-proxy.yaml b/venonactl/pkg/templates/kubernetes/service-account.app-proxy.yaml
@@ -0,0 +1,10 @@
+{{- if .CreateRbac }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .AppProxy.AppName }}
+  namespace: {{ .Namespace }}
+  labels:
+    app: {{ .AppProxy.AppName }}
+    version: {{ .Version }}
+{{- end }}
diff --git a/venonactl/pkg/templates/kubernetes/templates.go b/venonactl/pkg/templates/kubernetes/templates.go
