chore(rbac): rbac should only be generated when necessary

cryostatio · Apr 21, 2024 · a6cd757 · a6cd757
1 parent 62d8ff3
commit a6cd757
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 7 deletions.
diff --git a/charts/cryostat/templates/clusterrole.yaml b/charts/cryostat/templates/clusterrole.yaml
@@ -1,8 +1,8 @@
-{{- if .Values.rbac.create -}}
+{{- if and .Values.rbac.create .Values.core.discovery.kubernetes.enabled -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: {{ include "cryostat.fullname" . }}
+  name: {{ include "cryostat.fullname" . }}-namespaced
   labels:
     {{- include "cryostat.labels" . | nindent 4 }}
 rules:

diff --git a/charts/cryostat/templates/rolebinding.yaml b/charts/cryostat/templates/rolebinding.yaml
@@ -12,21 +12,19 @@ metadata:
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: {{ include "cryostat.fullname" . }}
+  name: {{ include "cryostat.fullname" . }}-namespaced
 subjects:
 - kind: ServiceAccount
   name: {{ include "cryostat.serviceAccountName" . }}
   namespace: {{ .Release.Namespace }}
 {{- end -}}
 {{- end -}}
 
-{{- if .Values.rbac.create -}}
-{{- $ := . -}}
+{{- if and .Values.rbac.create .Values.core.discovery.kubernetes.enabled -}}
 {{- $watchNs := list -}}
-{{- $ownNs := .Release.Namespace -}}
 {{- range .Values.core.discovery.kubernetes.namespaces -}}
 {{- if eq . "." -}}
-{{- $watchNs = append $watchNs $ownNs -}}
+{{- $watchNs = append $watchNs $.Release.Namespace -}}
 {{- else -}}
 {{- $watchNs = append $watchNs . -}}
 {{- end -}}