chart option to skip rbac resources creation

Signed-off-by: Reddysekhar Gaduputi <[email protected]>

chart/templates/cluster-role-binding.yaml

@@ -3,6 +3,7 @@
 # SPDX-License-Identifier: BUSL-1.1
 */ -}}
 
+{{- if .Values.controller.rbac.create }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
@@ -19,3 +20,4 @@ subjects:
   - kind: ServiceAccount
     name: '{{ include "vso.chart.fullname" . }}-controller-manager'
     namespace: {{ .Release.Namespace }}
+{{- end }}

chart/templates/clusterrole-aggregated-editor.yaml

@@ -3,7 +3,7 @@
 # SPDX-License-Identifier: BUSL-1.1
 */ -}}
 
-{{- if .Values.controller.rbac.clusterRoleAggregation.editorRoles -}}
+{{- if and .Values.controller.rbac.create .Values.controller.rbac.clusterRoleAggregation.editorRoles -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:

chart/templates/clusterrole-aggregated-viewer.yaml

@@ -3,7 +3,7 @@
 # SPDX-License-Identifier: BUSL-1.1
 */ -}}
 
-{{- if .Values.controller.rbac.clusterRoleAggregation.viewerRoles -}}
+{{- if and .Values.controller.rbac.create .Values.controller.rbac.clusterRoleAggregation.viewerRoles -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:

chart/templates/hcpauth_editor_role.yaml

@@ -5,6 +5,7 @@
 # auto generated by sync-rbac.sh from ./config/rbac/hcpauth_editor_role.yaml -- do not edit
 */ -}}
 
+{{- if .Values.controller.rbac.create }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -34,3 +35,4 @@ rules:
     - hcpauths/status
   verbs:
     - get
+{{- end }}

chart/templates/hcpauth_viewer_role.yaml

@@ -5,6 +5,7 @@
 # auto generated by sync-rbac.sh from ./config/rbac/hcpauth_viewer_role.yaml -- do not edit
 */ -}}
 
+{{- if .Values.controller.rbac.create }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -30,3 +31,4 @@ rules:
     - hcpauths/status
   verbs:
     - get
+{{- end }}

chart/templates/hcpvaultsecretsapp_editor_role.yaml

@@ -5,6 +5,7 @@
 # auto generated by sync-rbac.sh from ./config/rbac/hcpvaultsecretsapp_editor_role.yaml -- do not edit
 */ -}}
 
+{{- if .Values.controller.rbac.create }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -34,3 +35,4 @@ rules:
     - hcpvaultsecretsapps/status
   verbs:
     - get
+{{- end }}

chart/templates/hcpvaultsecretsapp_viewer_role.yaml

@@ -5,6 +5,7 @@
 # auto generated by sync-rbac.sh from ./config/rbac/hcpvaultsecretsapp_viewer_role.yaml -- do not edit
 */ -}}
 
+{{- if .Values.controller.rbac.create }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -30,3 +31,4 @@ rules:
     - hcpvaultsecretsapps/status
   verbs:
     - get
+{{- end }}

chart/templates/hook-upgrade-crds.yaml

@@ -18,6 +18,7 @@ metadata:
     helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation"
     helm.sh/hook-weight: "1"
 {{ include "vso.imagePullSecrets" . }}
+{{- if .Values.controller.rbac.create }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -62,6 +63,7 @@ roleRef:
   kind: ClusterRole
   name: {{ template "vso.chart.fullname" . }}-upgrade-crds
   apiGroup: rbac.authorization.k8s.io
+{{- end }}
 ---
 apiVersion: batch/v1
 kind: Job

chart/templates/leader-election-rbac.yaml

@@ -2,7 +2,7 @@
 # Copyright (c) HashiCorp, Inc.
 # SPDX-License-Identifier: BUSL-1.1
 */}}
-
+{{- if .Values.controller.rbac.create }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
@@ -60,3 +60,4 @@ subjects:
 - kind: ServiceAccount
   name: '{{ include "vso.chart.fullname" . }}-controller-manager'
   namespace: {{ .Release.Namespace }}
+{{- end }}

chart/templates/metrics-reader-rbac.yaml

@@ -3,6 +3,7 @@
 # SPDX-License-Identifier: BUSL-1.1
 */}}
 
+{{- if .Values.controller.rbac.create }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -15,3 +16,4 @@ rules:
   - /metrics
   verbs:
   - get
+{{- end }}

chart/templates/proxy-rbac.yaml

@@ -3,6 +3,7 @@
 # SPDX-License-Identifier: BUSL-1.1
 */}}
 
+{{- if .Values.controller.rbac.create }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -39,3 +40,4 @@ subjects:
 - kind: ServiceAccount
   name: '{{ include "vso.chart.fullname" . }}-controller-manager'
   namespace: {{ .Release.Namespace }}
+{{- end }}

chart/templates/role.yaml

@@ -5,6 +5,7 @@
 # auto generated by sync-rbac.sh from ./config/rbac/role.yaml -- do not edit
 */ -}}
 
+{{- if .Values.controller.rbac.create }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -331,3 +332,4 @@ rules:
     - get
     - patch
     - update
+{{- end }}

chart/templates/secrettransformation_editor_role.yaml

@@ -4,7 +4,7 @@
 
 # auto generated by sync-rbac.sh from ./config/rbac/secrettransformation_editor_role.yaml -- do not edit
 */ -}}
-
+{{- if .Values.controller.rbac.create }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -34,3 +34,4 @@ rules:
     - secrettransformations/status
   verbs:
     - get
+{{- end }}

chart/templates/secrettransformation_viewer_role.yaml

@@ -5,6 +5,7 @@
 # auto generated by sync-rbac.sh from ./config/rbac/secrettransformation_viewer_role.yaml -- do not edit
 */ -}}
 
+{{- if .Values.controller.rbac.create }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -30,3 +31,4 @@ rules:
     - secrettransformations/status
   verbs:
     - get
+{{- end }}

chart/templates/vaultauth_editor_role.yaml

@@ -5,6 +5,7 @@
 # auto generated by sync-rbac.sh from ./config/rbac/vaultauth_editor_role.yaml -- do not edit
 */ -}}
 
+{{- if .Values.controller.rbac.create }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -34,3 +35,4 @@ rules:
     - vaultauths/status
   verbs:
     - get
+{{- end }}

chart/templates/vaultauth_viewer_role.yaml

@@ -5,6 +5,7 @@
 # auto generated by sync-rbac.sh from ./config/rbac/vaultauth_viewer_role.yaml -- do not edit
 */ -}}
 
+{{- if .Values.controller.rbac.create }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -30,3 +31,4 @@ rules:
     - vaultauths/status
   verbs:
     - get
+{{- end }}

chart/templates/vaultauthglobal_editor_role.yaml

@@ -5,6 +5,7 @@
 # auto generated by sync-rbac.sh from ./config/rbac/vaultauthglobal_editor_role.yaml -- do not edit
 */ -}}
 
+{{- if .Values.controller.rbac.create }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -34,3 +35,4 @@ rules:
     - vaultauthglobals/status
   verbs:
     - get
+{{- end }}

chart/templates/vaultauthglobal_viewer_role.yaml

@@ -5,6 +5,7 @@
 # auto generated by sync-rbac.sh from ./config/rbac/vaultauthglobal_viewer_role.yaml -- do not edit
 */ -}}
 
+{{- if .Values.controller.rbac.create }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -30,3 +31,4 @@ rules:
     - vaultauthglobals/status
   verbs:
     - get
+{{- end }}

chart/templates/vaultconnection_editor_role.yaml

@@ -5,6 +5,7 @@
 # auto generated by sync-rbac.sh from ./config/rbac/vaultconnection_editor_role.yaml -- do not edit
 */ -}}
 
+{{- if .Values.controller.rbac.create }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -34,3 +35,4 @@ rules:
     - vaultconnections/status
   verbs:
     - get
+{{- end }}

chart/templates/vaultconnection_viewer_role.yaml

@@ -5,6 +5,7 @@
 # auto generated by sync-rbac.sh from ./config/rbac/vaultconnection_viewer_role.yaml -- do not edit
 */ -}}
 
+{{- if .Values.controller.rbac.create }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -30,3 +31,4 @@ rules:
     - vaultconnections/status
   verbs:
     - get
+{{- end }}

chart/templates/vaultdynamicsecret_editor_role.yaml

@@ -5,6 +5,7 @@
 # auto generated by sync-rbac.sh from ./config/rbac/vaultdynamicsecret_editor_role.yaml -- do not edit
 */ -}}
 
+{{- if .Values.controller.rbac.create }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -34,3 +35,4 @@ rules:
     - vaultdynamicsecrets/status
   verbs:
     - get
+{{- end }}

chart/templates/vaultdynamicsecret_viewer_role.yaml

@@ -5,6 +5,7 @@
 # auto generated by sync-rbac.sh from ./config/rbac/vaultdynamicsecret_viewer_role.yaml -- do not edit
 */ -}}
 
+{{- if .Values.controller.rbac.create }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -30,3 +31,4 @@ rules:
     - vaultdynamicsecrets/status
   verbs:
     - get
+{{- end }}

chart/templates/vaultpkisecret_editor_role.yaml

@@ -5,6 +5,7 @@
 # auto generated by sync-rbac.sh from ./config/rbac/vaultpkisecret_editor_role.yaml -- do not edit
 */ -}}
 
+{{- if .Values.controller.rbac.create }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -34,3 +35,4 @@ rules:
     - vaultpkisecrets/status
   verbs:
     - get
+{{- end }}

chart/templates/vaultpkisecret_viewer_role.yaml

@@ -5,6 +5,7 @@
 # auto generated by sync-rbac.sh from ./config/rbac/vaultpkisecret_viewer_role.yaml -- do not edit
 */ -}}
 
+{{- if .Values.controller.rbac.create }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -30,3 +31,4 @@ rules:
     - vaultpkisecrets/status
   verbs:
     - get
+{{- end }}

chart/templates/vaultstaticsecret_editor_role.yaml

@@ -5,6 +5,7 @@
 # auto generated by sync-rbac.sh from ./config/rbac/vaultstaticsecret_editor_role.yaml -- do not edit
 */ -}}
 
+{{- if .Values.controller.rbac.create }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -34,3 +35,4 @@ rules:
     - vaultstaticsecrets/status
   verbs:
     - get
+{{- end }}

chart/templates/vaultstaticsecret_viewer_role.yaml

@@ -5,6 +5,7 @@
 # auto generated by sync-rbac.sh from ./config/rbac/vaultstaticsecret_viewer_role.yaml -- do not edit
 */ -}}
 
+{{- if .Values.controller.rbac.create }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -30,3 +31,4 @@ rules:
     - vaultstaticsecrets/status
   verbs:
     - get
+{{- end }}

chart/values.yaml

@@ -67,6 +67,8 @@ controller:
   affinity: {}
 
   rbac:
+    # If true, create the necessary ClusterRole, ClusterRoleBinding, Role, RoleBinding for the operator.
+    create: true
     # clusterRoleAggregation defines the roles included in the aggregated ClusterRole.
     clusterRoleAggregation:
       # viewerRoles is a list of roles that will be aggregated into the viewer ClusterRole.