From e598750907da16bfbedfd4677e179f2042cffc3e Mon Sep 17 00:00:00 2001 From: Reddysekhar Gaduputi Date: Fri, 20 Sep 2024 19:38:07 +0530 Subject: [PATCH] chart option to skip rbac resources creation Signed-off-by: Reddysekhar Gaduputi
--- chart/templates/cluster-role-binding.yaml | 2 ++ chart/templates/clusterrole-aggregated-editor.yaml | 2 +- chart/templates/clusterrole-aggregated-viewer.yaml | 2 +- chart/templates/hcpauth_editor_role.yaml | 2 ++ chart/templates/hcpauth_viewer_role.yaml | 2 ++ chart/templates/hcpvaultsecretsapp_editor_role.yaml | 2 ++ chart/templates/hcpvaultsecretsapp_viewer_role.yaml | 2 ++ chart/templates/hook-upgrade-crds.yaml | 2 ++ chart/templates/leader-election-rbac.yaml | 3 ++- chart/templates/metrics-reader-rbac.yaml | 2 ++ chart/templates/proxy-rbac.yaml | 2 ++ chart/templates/role.yaml | 2 ++ chart/templates/secrettransformation_editor_role.yaml | 3 ++- chart/templates/secrettransformation_viewer_role.yaml | 2 ++ chart/templates/vaultauth_editor_role.yaml | 2 ++ chart/templates/vaultauth_viewer_role.yaml | 2 ++ chart/templates/vaultauthglobal_editor_role.yaml | 2 ++ chart/templates/vaultauthglobal_viewer_role.yaml | 2 ++ chart/templates/vaultconnection_editor_role.yaml | 2 ++ chart/templates/vaultconnection_viewer_role.yaml | 2 ++ chart/templates/vaultdynamicsecret_editor_role.yaml | 2 ++ chart/templates/vaultdynamicsecret_viewer_role.yaml | 2 ++ chart/templates/vaultpkisecret_editor_role.yaml | 2 ++ chart/templates/vaultpkisecret_viewer_role.yaml | 2 ++ chart/templates/vaultstaticsecret_editor_role.yaml | 2 ++ chart/templates/vaultstaticsecret_viewer_role.yaml | 2 ++ chart/values.yaml | 2 ++ 27 files changed, 52 insertions(+), 4 deletions(-)
diff --git a/chart/templates/cluster-role-binding.yaml b/chart/templates/cluster-role-binding.yaml
index 9ecfdee18..f6484cf3c 100644
--- a/chart/templates/cluster-role-binding.yaml
+++ b/chart/templates/cluster-role-binding.yaml
@@ -3,6 +3,7 @@ # SPDX-License-Identifier: BUSL-1.1 */ -}}
+{{- if .Values.controller.rbac.create }}
--- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding
@@ -19,3 +20,4 @@ subjects: - kind: ServiceAccount name: '{{ include "vso.chart.fullname" . }}-controller-manager' namespace: {{ .Release.Namespace }}
+{{- end }}
\ No newline at end of file
diff --git a/chart/templates/clusterrole-aggregated-editor.yaml b/chart/templates/clusterrole-aggregated-editor.yaml
index fa9d2eea4..718db331d 100644
--- a/chart/templates/clusterrole-aggregated-editor.yaml
+++ b/chart/templates/clusterrole-aggregated-editor.yaml
@@ -3,7 +3,7 @@ # SPDX-License-Identifier: BUSL-1.1 */ -}}
-{{- if .Values.controller.rbac.clusterRoleAggregation.editorRoles -}}
+{{- if and .Values.controller.rbac.create .Values.controller.rbac.clusterRoleAggregation.editorRoles -}}
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata:
diff --git a/chart/templates/clusterrole-aggregated-viewer.yaml b/chart/templates/clusterrole-aggregated-viewer.yaml
index 78cc854f0..a48cae896 100644
--- a/chart/templates/clusterrole-aggregated-viewer.yaml
+++ b/chart/templates/clusterrole-aggregated-viewer.yaml
@@ -3,7 +3,7 @@ # SPDX-License-Identifier: BUSL-1.1 */ -}}
-{{- if .Values.controller.rbac.clusterRoleAggregation.viewerRoles -}}
+{{- if and .Values.controller.rbac.create .Values.controller.rbac.clusterRoleAggregation.viewerRoles -}}
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata:
diff --git a/chart/templates/hcpauth_editor_role.yaml b/chart/templates/hcpauth_editor_role.yaml
index 777d707bf..85c2758fd 100644
--- a/chart/templates/hcpauth_editor_role.yaml
+++ b/chart/templates/hcpauth_editor_role.yaml
@@ -5,6 +5,7 @@ # auto generated by sync-rbac.sh from ./config/rbac/hcpauth_editor_role.yaml -- do not edit */ -}}
+{{- if .Values.controller.rbac.create }}
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata:
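Review bot: The `{{- if .Values.controller.rbac.create }}` guard is inserted by hand into a file whose header on this very hunk says it is auto generated by sync-rbac.sh from ./config/rbac/hcpauth_editor_role.yaml and must not be edited, and the patch does not touch sync-rbac.sh, so the next regeneration will most likely drop the `if`/`end` pair and silently re-create these ClusterRoles for users who set `create: false`. The same applies to every other `*_editor_role.yaml` and `*_viewer_role.yaml` hunk and to role.yaml in this patch. The guard belongs in the generator (outside this diff), which should wrap each rendered role itself; until then a chart test that renders with `controller.rbac.create=false` and asserts that no rbac.authorization.k8s.io objects are produced would catch the regression. In the second hunk of each of these files the closing `{{- end }}` is also appended without a trailing newline; the body of the role between the two hunks is outside this view.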
@@ -34,3 +35,4 @@ rules: - hcpauths/status verbs: - get
+{{- end }}
\ No newline at end of file
diff --git a/chart/templates/hcpauth_viewer_role.yaml b/chart/templates/hcpauth_viewer_role.yaml
index bf634cc00..56715f42a 100644
--- a/chart/templates/hcpauth_viewer_role.yaml
+++ b/chart/templates/hcpauth_viewer_role.yaml
@@ -5,6 +5,7 @@ # auto generated by sync-rbac.sh from ./config/rbac/hcpauth_viewer_role.yaml -- do not edit */ -}}
+{{- if .Values.controller.rbac.create }}
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata:
@@ -30,3 +31,4 @@ rules: - hcpauths/status verbs: - get
+{{- end }}
\ No newline at end of file
diff --git a/chart/templates/hcpvaultsecretsapp_editor_role.yaml b/chart/templates/hcpvaultsecretsapp_editor_role.yaml
index 1f95ee816..c9ad62ec4 100644
--- a/chart/templates/hcpvaultsecretsapp_editor_role.yaml
+++ b/chart/templates/hcpvaultsecretsapp_editor_role.yaml
@@ -5,6 +5,7 @@ # auto generated by sync-rbac.sh from ./config/rbac/hcpvaultsecretsapp_editor_role.yaml -- do not edit */ -}}
+{{- if .Values.controller.rbac.create }}
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata:
@@ -34,3 +35,4 @@ rules: - hcpvaultsecretsapps/status verbs: - get
+{{- end }}
\ No newline at end of file
diff --git a/chart/templates/hcpvaultsecretsapp_viewer_role.yaml b/chart/templates/hcpvaultsecretsapp_viewer_role.yaml
index 74c158235..7f98d692c 100644
--- a/chart/templates/hcpvaultsecretsapp_viewer_role.yaml
+++ b/chart/templates/hcpvaultsecretsapp_viewer_role.yaml
@@ -5,6 +5,7 @@ # auto generated by sync-rbac.sh from ./config/rbac/hcpvaultsecretsapp_viewer_role.yaml -- do not edit */ -}}
+{{- if .Values.controller.rbac.create }}
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata:
@@ -30,3 +31,4 @@ rules: - hcpvaultsecretsapps/status verbs: - get
+{{- end }}
\ No newline at end of file
diff --git a/chart/templates/hook-upgrade-crds.yaml b/chart/templates/hook-upgrade-crds.yaml
index 3f5b3b131..189de4257 100644
--- a/chart/templates/hook-upgrade-crds.yaml
+++ b/chart/templates/hook-upgrade-crds.yaml
@@ -18,6 +18,7 @@ metadata: helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation" helm.sh/hook-weight: "1" {{ include "vso.imagePullSecrets" . }}
+{{- if .Values.controller.rbac.create }}
--- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole
@@ -62,6 +63,7 @@ roleRef: kind: ClusterRole name: {{ template "vso.chart.fullname" . }}-upgrade-crds apiGroup: rbac.authorization.k8s.io
+{{- end }}
--- apiVersion: batch/v1 kind: Job
diff --git a/chart/templates/leader-election-rbac.yaml b/chart/templates/leader-election-rbac.yaml
index 3417f0346..2338c3122 100644
--- a/chart/templates/leader-election-rbac.yaml
+++ b/chart/templates/leader-election-rbac.yaml
@@ -2,7 +2,7 @@ # Copyright (c) HashiCorp, Inc. # SPDX-License-Identifier: BUSL-1.1 */}}
-
+{{- if .Values.controller.rbac.create }}
apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata:
@@ -60,3 +60,4 @@ subjects: - kind: ServiceAccount name: '{{ include "vso.chart.fullname" . }}-controller-manager' namespace: {{ .Release.Namespace }}
+{{- end }}
\ No newline at end of file
diff --git a/chart/templates/metrics-reader-rbac.yaml b/chart/templates/metrics-reader-rbac.yaml
index c5f5cdde7..5307009d7 100644
--- a/chart/templates/metrics-reader-rbac.yaml
+++ b/chart/templates/metrics-reader-rbac.yaml
@@ -3,6 +3,7 @@ # SPDX-License-Identifier: BUSL-1.1 */}}
+{{- if .Values.controller.rbac.create }}
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata:
@@ -15,3 +16,4 @@ rules: - /metrics verbs: - get
+{{- end }}
\ No newline at end of file
diff --git a/chart/templates/proxy-rbac.yaml b/chart/templates/proxy-rbac.yaml
index 7f938bcc2..6ca55025c 100644
--- a/chart/templates/proxy-rbac.yaml
+++ b/chart/templates/proxy-rbac.yaml
@@ -3,6 +3,7 @@ # SPDX-License-Identifier: BUSL-1.1 */}}
+{{- if .Values.controller.rbac.create }}
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata:
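Review bot: With `controller.rbac.create` set to false this file still renders the hook ServiceAccount above the new `{{- if` and the batch/v1 Job after the new `{{- end }}`, but no longer the ClusterRole and ClusterRoleBinding named `…-upgrade-crds` that the roleRef context lines bind to it, so the upgrade-crds hook will presumably fail on authorization unless a cluster administrator has bound equivalent permissions to that ServiceAccount beforehand; the Job spec itself is outside the hunk, so this is inferred from the surrounding context. Either the whole hook (ServiceAccount, RBAC and Job) should be skipped together under the same flag, or values.yaml should state that the hook's ServiceAccount must be pre-bound out of band when `create` is false. A `helm template` check with `--set controller.rbac.create=false` in the chart tests would make whichever contract is chosen explicit.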
@@ -39,3 +40,4 @@ subjects: - kind: ServiceAccount name: '{{ include "vso.chart.fullname" . }}-controller-manager' namespace: {{ .Release.Namespace }}
+{{- end }}
\ No newline at end of file
diff --git a/chart/templates/role.yaml b/chart/templates/role.yaml
index 6232f8810..66f692fc5 100644
--- a/chart/templates/role.yaml
+++ b/chart/templates/role.yaml
@@ -5,6 +5,7 @@ # auto generated by sync-rbac.sh from ./config/rbac/role.yaml -- do not edit */ -}}
+{{- if .Values.controller.rbac.create }}
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata:
@@ -331,3 +332,4 @@ rules: - get - patch - update
+{{- end }}
\ No newline at end of file
diff --git a/chart/templates/secrettransformation_editor_role.yaml b/chart/templates/secrettransformation_editor_role.yaml
index f5c831311..970da382b 100644
--- a/chart/templates/secrettransformation_editor_role.yaml
+++ b/chart/templates/secrettransformation_editor_role.yaml
@@ -4,7 +4,7 @@ # auto generated by sync-rbac.sh from ./config/rbac/secrettransformation_editor_role.yaml -- do not edit */ -}}
-
+{{- if .Values.controller.rbac.create }}
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata:
@@ -34,3 +34,4 @@ rules: - secrettransformations/status verbs: - get
+{{- end }}
\ No newline at end of file
diff --git a/chart/templates/secrettransformation_viewer_role.yaml b/chart/templates/secrettransformation_viewer_role.yaml
index ae6977108..8284dde3c 100644
--- a/chart/templates/secrettransformation_viewer_role.yaml
+++ b/chart/templates/secrettransformation_viewer_role.yaml
@@ -5,6 +5,7 @@ # auto generated by sync-rbac.sh from ./config/rbac/secrettransformation_viewer_role.yaml -- do not edit */ -}}
+{{- if .Values.controller.rbac.create }}
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata:
@@ -30,3 +31,4 @@ rules: - secrettransformations/status verbs: - get
+{{- end }}
\ No newline at end of file
diff --git a/chart/templates/vaultauth_editor_role.yaml b/chart/templates/vaultauth_editor_role.yaml
index ce7db7f2f..93f7942b6 100644
--- a/chart/templates/vaultauth_editor_role.yaml
+++ b/chart/templates/vaultauth_editor_role.yaml
@@ -5,6 +5,7 @@ # auto generated by sync-rbac.sh from ./config/rbac/vaultauth_editor_role.yaml -- do not edit */ -}}
+{{- if .Values.controller.rbac.create }}
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata:
@@ -34,3 +35,4 @@ rules: - vaultauths/status verbs: - get
+{{- end }}
\ No newline at end of file
diff --git a/chart/templates/vaultauth_viewer_role.yaml b/chart/templates/vaultauth_viewer_role.yaml
index a93018eed..50088c842 100644
--- a/chart/templates/vaultauth_viewer_role.yaml
+++ b/chart/templates/vaultauth_viewer_role.yaml
@@ -5,6 +5,7 @@ # auto generated by sync-rbac.sh from ./config/rbac/vaultauth_viewer_role.yaml -- do not edit */ -}}
+{{- if .Values.controller.rbac.create }}
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata:
@@ -30,3 +31,4 @@ rules: - vaultauths/status verbs: - get
+{{- end }}
\ No newline at end of file
diff --git a/chart/templates/vaultauthglobal_editor_role.yaml b/chart/templates/vaultauthglobal_editor_role.yaml
index 3b292a448..361a61b4d 100644
--- a/chart/templates/vaultauthglobal_editor_role.yaml
+++ b/chart/templates/vaultauthglobal_editor_role.yaml
@@ -5,6 +5,7 @@ # auto generated by sync-rbac.sh from ./config/rbac/vaultauthglobal_editor_role.yaml -- do not edit */ -}}
+{{- if .Values.controller.rbac.create }}
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata:
@@ -34,3 +35,4 @@ rules: - vaultauthglobals/status verbs: - get
+{{- end }}
\ No newline at end of file
diff --git a/chart/templates/vaultauthglobal_viewer_role.yaml b/chart/templates/vaultauthglobal_viewer_role.yaml
index 031f4ce51..340fd18ea 100644
--- a/chart/templates/vaultauthglobal_viewer_role.yaml
+++ b/chart/templates/vaultauthglobal_viewer_role.yaml
@@ -5,6 +5,7 @@ # auto generated by sync-rbac.sh from ./config/rbac/vaultauthglobal_viewer_role.yaml -- do not edit */ -}}
+{{- if .Values.controller.rbac.create }}
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata:
@@ -30,3 +31,4 @@ rules: - vaultauthglobals/status verbs: - get
+{{- end }}
\ No newline at end of file
diff --git a/chart/templates/vaultconnection_editor_role.yaml b/chart/templates/vaultconnection_editor_role.yaml
index 393667a3e..ef7f1cd12 100644
--- a/chart/templates/vaultconnection_editor_role.yaml
+++ b/chart/templates/vaultconnection_editor_role.yaml
@@ -5,6 +5,7 @@ # auto generated by sync-rbac.sh from ./config/rbac/vaultconnection_editor_role.yaml -- do not edit */ -}}
+{{- if .Values.controller.rbac.create }}
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata:
@@ -34,3 +35,4 @@ rules: - vaultconnections/status verbs: - get
+{{- end }}
\ No newline at end of file
diff --git a/chart/templates/vaultconnection_viewer_role.yaml b/chart/templates/vaultconnection_viewer_role.yaml
index 5cb71f28e..e0f8d56ca 100644
--- a/chart/templates/vaultconnection_viewer_role.yaml
+++ b/chart/templates/vaultconnection_viewer_role.yaml
@@ -5,6 +5,7 @@ # auto generated by sync-rbac.sh from ./config/rbac/vaultconnection_viewer_role.yaml -- do not edit */ -}}
+{{- if .Values.controller.rbac.create }}
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata:
@@ -30,3 +31,4 @@ rules: - vaultconnections/status verbs: - get
+{{- end }}
\ No newline at end of file
diff --git a/chart/templates/vaultdynamicsecret_editor_role.yaml b/chart/templates/vaultdynamicsecret_editor_role.yaml
index 2329ec319..36ad02d26 100644
--- a/chart/templates/vaultdynamicsecret_editor_role.yaml
+++ b/chart/templates/vaultdynamicsecret_editor_role.yaml
@@ -5,6 +5,7 @@ # auto generated by sync-rbac.sh from ./config/rbac/vaultdynamicsecret_editor_role.yaml -- do not edit */ -}}
+{{- if .Values.controller.rbac.create }}
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata:
@@ -34,3 +35,4 @@ rules: - vaultdynamicsecrets/status verbs: - get
+{{- end }}
\ No newline at end of file
diff --git a/chart/templates/vaultdynamicsecret_viewer_role.yaml b/chart/templates/vaultdynamicsecret_viewer_role.yaml
index 8a0d8c53d..a2279f65d 100644
--- a/chart/templates/vaultdynamicsecret_viewer_role.yaml
+++ b/chart/templates/vaultdynamicsecret_viewer_role.yaml
@@ -5,6 +5,7 @@ # auto generated by sync-rbac.sh from ./config/rbac/vaultdynamicsecret_viewer_role.yaml -- do not edit */ -}}
+{{- if .Values.controller.rbac.create }}
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata:
@@ -30,3 +31,4 @@ rules: - vaultdynamicsecrets/status verbs: - get
+{{- end }}
\ No newline at end of file
diff --git a/chart/templates/vaultpkisecret_editor_role.yaml b/chart/templates/vaultpkisecret_editor_role.yaml
index bf2461661..bb6bcad54 100644
--- a/chart/templates/vaultpkisecret_editor_role.yaml
+++ b/chart/templates/vaultpkisecret_editor_role.yaml
@@ -5,6 +5,7 @@ # auto generated by sync-rbac.sh from ./config/rbac/vaultpkisecret_editor_role.yaml -- do not edit */ -}}
+{{- if .Values.controller.rbac.create }}
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata:
@@ -34,3 +35,4 @@ rules: - vaultpkisecrets/status verbs: - get
+{{- end }}
\ No newline at end of file
diff --git a/chart/templates/vaultpkisecret_viewer_role.yaml b/chart/templates/vaultpkisecret_viewer_role.yaml
index 27d4882a8..e10ef4438 100644
--- a/chart/templates/vaultpkisecret_viewer_role.yaml
+++ b/chart/templates/vaultpkisecret_viewer_role.yaml
@@ -5,6 +5,7 @@ # auto generated by sync-rbac.sh from ./config/rbac/vaultpkisecret_viewer_role.yaml -- do not edit */ -}}
+{{- if .Values.controller.rbac.create }}
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata:
@@ -30,3 +31,4 @@ rules: - vaultpkisecrets/status verbs: - get
+{{- end }}
\ No newline at end of file
diff --git a/chart/templates/vaultstaticsecret_editor_role.yaml b/chart/templates/vaultstaticsecret_editor_role.yaml
index 19800a819..26e939a55 100644
--- a/chart/templates/vaultstaticsecret_editor_role.yaml
+++ b/chart/templates/vaultstaticsecret_editor_role.yaml
@@ -5,6 +5,7 @@ # auto generated by sync-rbac.sh from ./config/rbac/vaultstaticsecret_editor_role.yaml -- do not edit */ -}}
+{{- if .Values.controller.rbac.create }}
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata:
@@ -34,3 +35,4 @@ rules: - vaultstaticsecrets/status verbs: - get
+{{- end }}
\ No newline at end of file
diff --git a/chart/templates/vaultstaticsecret_viewer_role.yaml b/chart/templates/vaultstaticsecret_viewer_role.yaml
index 1cbeefd6d..e86040b9a 100644
--- a/chart/templates/vaultstaticsecret_viewer_role.yaml
+++ b/chart/templates/vaultstaticsecret_viewer_role.yaml
@@ -5,6 +5,7 @@ # auto generated by sync-rbac.sh from ./config/rbac/vaultstaticsecret_viewer_role.yaml -- do not edit */ -}}
+{{- if .Values.controller.rbac.create }}
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata:
@@ -30,3 +31,4 @@ rules: - vaultstaticsecrets/status verbs: - get
+{{- end }}
\ No newline at end of file
diff --git a/chart/values.yaml b/chart/values.yaml
index 7db87e2a0..7fbdb9a12 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -67,6 +67,8 @@ controller: affinity: {} rbac:
+ # If true, create the necessary ClusterRole, ClusterRoleBinding, Role, RoleBinding for the operator.
+ create: true
# clusterRoleAggregation defines the roles included in the aggregated ClusterRole. clusterRoleAggregation: # viewerRoles is a list of roles that will be aggregated into the viewer ClusterRole.
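Review bot: The new comment on `create` lists Kubernetes kinds but not what the flag actually gates in this chart or what is left behind when it is false, which is what someone disabling it needs to know before doing so. From the templates in this patch the flag covers the controller ClusterRole and ClusterRoleBinding, the per-resource and aggregated editor/viewer ClusterRoles, the leader-election Role and its binding, the metrics-reader and proxy RBAC, and the RBAC of the upgrade-crds hook, while the ServiceAccount, the Deployment and the hook Job are not touched by this patch and presumably keep rendering. A fuller comment would read: `# If false, none of the chart's RBAC objects (ClusterRole, ClusterRoleBinding, Role, RoleBinding) are rendered,` / `# including those of the upgrade-crds hook; the operator's ServiceAccount must then be granted equivalent` / `# permissions out of band. Setting this to false on an existing release removes the bindings on upgrade.` The added comment line is also well over 80 columns, so wrapping it as above keeps yamllint's line-length rule quiet if the chart enforces it.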