Modify helm chart to allow the clusterrole to be modify from values.yaml (#825)

2025-10-14 11:42:56 -04:00 · 2025-10-14 11:42:56 -04:00 · 073bf0de87
parent 4d5eb50176
commit 073bf0de87
6 changed files with 115 additions and 51 deletions
--- a/chart/keel/templates/clusterrole.yaml
+++ b/chart/keel/templates/clusterrole.yaml
@ -1,51 +1,14 @@
 {{- if .Values.rbac.enabled }}
+{{- if .Values.rbac.clusterRole.create }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  name: {{ template "keel.name" . }}
 rules:
-  - apiGroups:
-      - ""
-    resources:
-      - namespaces
-    verbs:
-      - watch
-      - list
-  - apiGroups:
-      - ""
-    resources:
-      - secrets
-    verbs:
-      - get
-      - watch
-      - list
-  - apiGroups:
-      - ""
-      - extensions
-      - apps
-      - batch
-    resources:
-      - pods
-      - replicasets
-      - replicationcontrollers
-      - statefulsets
-      - deployments
-      - daemonsets
-      - jobs
-      - cronjobs
-    verbs:
-      - get
-      - delete # required to delete pods during force upgrade of the same tag
-      - watch
-      - list
-      - update
-  - apiGroups:
-      - ""
-    resources:
-      - configmaps
-      - pods/portforward
-    verbs:
-      - get
-      - create
-      - update
+{{- range .Values.rbac.clusterRole.rules }}
+  - apiGroups: {{ .apiGroups | toYaml | nindent 6 }}
+    resources: {{ .resources | toYaml | nindent 6 }}
+    verbs: {{ .verbs | toYaml | nindent 6 }}
+{{- end }}
+{{ end }}
 {{ end }}
--- a/chart/keel/templates/clusterrolebinding.yaml
+++ b/chart/keel/templates/clusterrolebinding.yaml
@ -1,4 +1,5 @@
 {{- if .Values.rbac.enabled }}
+{{- if .Values.rbac.clusterRole.create }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
@ -12,3 +13,4 @@ subjects:
    name: {{ template "serviceAccount.name" . }}
    namespace: {{ .Release.Namespace }}
 {{ end }}
+{{ end }}
--- a/chart/keel/templates/role.yaml
+++ b/chart/keel/templates/role.yaml
@ -0,0 +1,15 @@
+{{- if .Values.rbac.enabled }}
+{{- if .Values.rbac.role.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ template "keel.name" . }}
+  namespace: {{ .Release.Namespace }}
+rules:
+{{- range .Values.rbac.role.rules }}
+  - apiGroups: {{ .apiGroups | toYaml | nindent 6 }}
+    resources: {{ .resources | toYaml | nindent 6 }}
+    verbs: {{ .verbs | toYaml | nindent 6 }}
+{{- end }}
+{{ end }}
+{{ end }}
--- a/chart/keel/templates/rolebinding.yaml
+++ b/chart/keel/templates/rolebinding.yaml
@ -0,0 +1,17 @@
+{{- if .Values.rbac.enabled }}
+{{- if .Values.rbac.role.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ template "keel.name" . }}
+  namespace: {{ .Release.Namespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ template "keel.name" . }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "serviceAccount.name" . }}
+    namespace: {{ .Release.Namespace }}
+{{ end }}
+{{ end }}
--- a/chart/keel/values.yaml
+++ b/chart/keel/values.yaml
@ -179,6 +179,56 @@ rbac:
    # If rbac.serviceAccount.name is not set, a new name for the service account is generated
    create: true

+  clusterRole:
+    create: true
+    rules:
+    - apiGroups:
+        - ""
+      resources:
+        - namespaces
+      verbs:
+        - watch
+        - list
+    - apiGroups:
+        - ""
+      resources:
+        - secrets
+      verbs:
+        - get
+        - watch
+        - list
+    - apiGroups:
+        - ""
+        - extensions
+        - apps
+        - batch
+      resources:
+        - pods
+        - replicasets
+        - replicationcontrollers
+        - statefulsets
+        - deployments
+        - daemonsets
+        - jobs
+        - cronjobs
+      verbs:
+        - get
+        - delete 
+        - watch
+        - list
+        - update
+    - apiGroups:
+        - ""
+      resources:
+        - configmaps
+        - pods/portforward
+      verbs:
+        - get
+        - create
+        - update
+  role:
+    create: false
+
 # Resources
 resources:
  limits:
--- a/registry/registry_test.go
+++ b/registry/registry_test.go
@ -321,11 +321,28 @@ var tagsResp = `{
 	]
  }`

+// func TestGetDockerHubManyTags(t *testing.T) {
+// 	client := docker.New("https://quay.io", "", "")
+// 	tags, err := client.Tags("coreos/prometheus-operator-app")
+// 	if err != nil {
+// 		t.Errorf("error while getting repo: %s", err)
+// 	}
+// 	fmt.Println(tags)
+// }
+
 func TestGetDockerHubManyTags(t *testing.T) {
-	client := docker.New("https://quay.io", "", "")
-	tags, err := client.Tags("coreos/prometheus-operator")
-	if err != nil {
-		t.Errorf("error while getting repo: %s", err)
-	}
-	fmt.Println(tags)
+    // Use DockerHub instead of Quay.io, since Quay repos often require authentication now
+    client := docker.New("https://registry.hub.docker.com", "", "")
+
+    // DockerHub official images are under "library/..."
+    tags, err := client.Tags("library/nginx")
+    if err != nil {
+        t.Errorf("error while getting repo: %s", err)
+    }
+
+    if len(tags) == 0 {
+        t.Errorf("expected to get some tags for nginx, got none")
+    }
+
+    fmt.Println("nginx tags:", tags[:5]) // print just a few tags for sanity
 }