feat: add rbac cluster roles

- Install `ServiceAccount`, `Role`, and `RoleBinding` to the cluster during helm install - Attach `ServiceAccount` to deployment for API to create custom resource - Updated dummy values.yaml, NOTES.txt - Added `.gitignore` to ignore unwanted files Fixes issue #26
csye7125-fall2023-group05 · Nov 20, 2023 · edc9862 · edc9862
1 parent 96b2972
commit edc9862
Show file tree

Hide file tree

Showing 7 changed files with 55 additions and 21 deletions.
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1 @@
+.DS_Store
diff --git a/templates/NOTES.txt b/templates/NOTES.txt
@@ -4,6 +4,12 @@
 *                                                                      *
 ************************************************************************
 
+CHART NAME: {{ .Chart.Name  }}
+CHART VERSION: {{ .Chart.Version  }}
+APP VERSION: {{ .Chart.AppVersion  }}
+
+** Please be patient while the chart is being deployed **
+
 Thank you for installing {{ .Chart.Name }}.
 
 Your release is named {{ .Release.Name }}.
@@ -12,3 +18,7 @@ To learn more about the release, try:
 
   $ helm status {{ .Release.Name }}
   $ helm get all {{ .Release.Name }}
+
+To list all the releases in all the namespaces, use:
+
+  $ helm ls --all-namespaces -a
diff --git a/templates/deployment.yaml b/templates/deployment.yaml
@@ -16,6 +16,7 @@ spec:
     metadata:
       labels: {{ include "webapp-helm-chart.labels" . | indent 8 }}
     spec:
+      serviceAccountName: {{ .Release.Name }}-service-account
       imagePullSecrets:
         - name: {{ .Release.Name}}-robocop
       containers:

diff --git a/templates/role.yaml b/templates/role.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  namespace: {{ .Values.namespace }}
+  name: {{ .Release.Name }}-role
+rules:
+  - apiGroups:
+    - {{ .Values.config.k8s_group }}
+    resources:
+      - {{ .Values.config.k8s_cr_kind_plural }}
+    verbs: ["create", "update", "patch", "delete"]
diff --git a/templates/role_binding.yaml b/templates/role_binding.yaml
@@ -0,0 +1,21 @@
+---
+# This role binding allows {{ .Release.Name }}-role to read pods in the
+# {{ .Values.namespace }} namespace.
+# Need to already have a Role named {{ .Release.Name }}-role in that namespace
+# to create RoleBinding.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ .Release.Name }}-role-binding
+  namespace: {{ .Values.namespace }}
+subjects:
+  # You can specify more than one "subject"
+  - namespace: {{ .Values.namespace }}
+    kind: ServiceAccount
+    name: {{ .Release.Name }}-service-account # "name" is case sensitive
+roleRef:
+  # Role or ClusterRole
+  kind: Role
+  # Must match the name of the Role or ClusterRole you wish to bind to
+  name: {{ .Release.Name }}-role
+  apiGroup: rbac.authorization.k8s.io
diff --git a/templates/service_account.yaml b/templates/service_account.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .Release.Name }}-service-account
+  namespace: {{ .Values.namespace }}
diff --git a/values.yaml b/values.yaml
@@ -2,15 +2,12 @@
 # This is a YAML-formatted file.
 # Declare variables to be passed into your templates.
 
-replicaCount: 3
+replicaCount: 1
 
 image:
-  username: rishabhagarwal14628
   containerImg: quay.io/pwncorp/webapp:latest
   initContainerImg: quay.io/pwncorp/migrate:latest
   pullPolicy: Always
-  # Overrides the image tag whose default is the chart appVersion.
-  tag: latest
 
 imagePullSecrets:
   type: kubernetes.io/dockerconfigjson
@@ -39,10 +36,10 @@ config:
   k8s_api_version: v1
   k8s_cr_kind: Cron
   k8s_cr_kind_plural: crons
-  k8s_namespace: default
-  k8s_broker_0: infra-helm-release-kafka-broker-0.infra-helm-release-kafka-broker-headless.webapp.svc.cluster.local:9094
-  k8s_broker_1: infra-helm-release-kafka-broker-1.infra-helm-release-kafka-broker-headless.webapp.svc.cluster.local:9094
-  k8s_broker_2: infra-helm-release-kafka-broker-2.infra-helm-release-kafka-broker-headless.webapp.svc.cluster.local:9094
+  k8s_namespace: webapp
+  k8s_broker_0: infra-helm-release-kafka-broker-0.infra-helm-release-kafka-broker-headless.deps.svc.cluster.local:9094
+  k8s_broker_1: infra-helm-release-kafka-broker-1.infra-helm-release-kafka-broker-headless.deps.svc.cluster.local:9094
+  k8s_broker_2: infra-helm-release-kafka-broker-2.infra-helm-release-kafka-broker-headless.deps.svc.cluster.local:9094
   k8s_client_id: webapp
   k8s_docker_config_json: b2theS1tci1oYWNrZXItY2FsbS1kb3duCg==
   k8s_topic: healthcheck
@@ -80,19 +77,6 @@ service:
   port: 3000
   dbport: 5432
 
-# Additional volumes on the output Deployment definition.
-volumes: []
-# - name: foo
-#   secret:
-#     secretName: mysecret
-#     optional: false
-
-# Additional volumeMounts on the output Deployment definition.
-volumeMounts: []
-# - name: foo
-#   mountPath: "/etc/foo"
-#   readOnly: true
-
 postgresql:
   auth:
     username: app_user