Merge pull request #120 from Bregor/issues/115-add-rbac-to-helm-chart

Add RBAC to helm chart
2017-12-15 17:04:14 +00:00 · 2017-12-15 17:04:14 +00:00 · 1c5797a30d
parent 843868351a 89e1d389b4
commit 1c5797a30d
5 changed files with 59 additions and 2 deletions
--- a/chart/keel/README.md
+++ b/chart/keel/README.md
@ -106,6 +106,7 @@ The following table lists has the main configurable parameters (polling, trigger
 | `webhookRelay.key`                | WebhookRelay key                       |                                                           |
 | `webhookRelay.secret`             | WebhookRelay secret                    |                                                           |
 | `webhookRelay.bucket`             | WebhookRelay bucket                    |                                                           |
+| `rbac.enabled`                    | Enable/disable RBAC installation       | `false`                                                   |

 Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`.

--- a/chart/keel/templates/clusterrole.yaml
+++ b/chart/keel/templates/clusterrole.yaml
@ -0,0 +1,39 @@
+{{- if .Values.rbac.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ template "name" . }}
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - namespaces
+    verbs:
+      - watch
+      - list
+  - apiGroups:
+      - ""
+      - extensions
+      - apps
+    resources:
+      - pods
+      - replicasets
+      - replicationcontrollers
+      - statefulsets
+      - deployments
+      - daemonsets
+      - jobs
+    verbs:
+      - get
+      - watch
+      - list
+      - update
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+    verbs:
+      - get
+      - create
+      - update
+{{ end }}
--- a/chart/keel/templates/clusterrolebinding.yaml
+++ b/chart/keel/templates/clusterrolebinding.yaml
@ -0,0 +1,14 @@
+{{- if .Values.rbac.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ template "name" . }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ template "name" . }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "name" . }}
+    namespace: kube-system
+{{ end }}
--- a/chart/keel/templates/deployment.yaml
+++ b/chart/keel/templates/deployment.yaml
@ -8,8 +8,6 @@ metadata:
    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
-  annotations:
-    kubernetes.io/service-account.name: keel
 spec:
  replicas: 1
  template:
@ -17,6 +15,7 @@ spec:
      labels:
        app: {{ template "name" . }}
    spec:
+      serviceAccountName: {{ template "name" . }}
      containers:
        - name: keel
          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
--- a/chart/keel/values.yaml
+++ b/chart/keel/values.yaml
@ -73,6 +73,10 @@ keel:
   - repository: image.repository
     tag: image.tag

+# RBAC manifests management
+rbac:
+  enabled: false
+
 # Resources
 resources:
  limits: