From 61858d67712f2a51cdd2f5f6b9b35ccf4a99585d Mon Sep 17 00:00:00 2001
From: Pranav Patil
Date: Thu, 15 May 2025 16:22:45 +0530
Subject: [PATCH 1/2] creation of admin entities based on environment restriction

---
 charts/site-manager/templates/_helpers.tpl | 11 +++++++++++
 .../site-manager/templates/cluster-role-binding.yaml | 2 +-
 charts/site-manager/templates/cluster-role.yaml | 2 +-
 3 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/charts/site-manager/templates/_helpers.tpl b/charts/site-manager/templates/_helpers.tpl
index cd71e8b4..5b35fee2 100644
--- a/charts/site-manager/templates/_helpers.tpl
+++ b/charts/site-manager/templates/_helpers.tpl
@@ -42,3 +42,14 @@ IP addresses used to generate SSL certificate with "Subject Alternative Name" fi
 {{- print ( default 8080 .Values.paasGeoMonitor.config.port ) -}}
 {{- end -}}
 
+{{/*
+Checks if the environment is restricted (from .Values.INFRA_RESTRICTED_ENVIRONMENT).
+And render ClusterAdminEntities templates (cluster-role & cluster-role-biding) only if environment is not restricted.
+*/}}
+{{- define "sitemanager.shouldCreateClusterAdminEntities" -}}
+  {{- if or (not (hasKey .Values "INFRA_RESTRICTED_ENVIRONMENT")) (not .Values.INFRA_RESTRICTED_ENVIRONMENT) -}}
+    {{- .Values.createClusterAdminEntities | default false | toYaml -}}
+  {{- else -}}
+    false
+  {{- end -}}
+{{- end -}}
\ No newline at end of file
diff --git a/charts/site-manager/templates/cluster-role-binding.yaml b/charts/site-manager/templates/cluster-role-binding.yaml
index 19cdff28..663490b1 100644
--- a/charts/site-manager/templates/cluster-role-binding.yaml
+++ b/charts/site-manager/templates/cluster-role-binding.yaml
@@ -1,4 +1,4 @@
-{{ if .Values.createClusterAdminEntities }}
+{{ if (include "sitemanager.shouldCreateClusterAdminEntities" .) | fromYaml }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
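Review bot: The gate `{{ if (include "sitemanager.shouldCreateClusterAdminEntities" .) | fromYaml }}` does not fail closed, because Helm's `fromYaml` unmarshals its input into a map and, when handed a bare scalar such as `false`, returns a map carrying an `Error` key instead; that map is non-empty and therefore truthy, so in this commit the ClusterRole and ClusterRoleBinding are rendered regardless of `createClusterAdminEntities` or `INFRA_RESTRICTED_ENVIRONMENT`. The cluster-role.yaml hunk of this patch uses the identical gate and has the same problem. PATCH 2/2 already replaces it with `{{- if eq (include "site-manager.shouldCreateClusterAdminEntities" .) "true" }}`, so rather than re-fixing it here the two commits should be squashed, so that a fail-open intermediate state for cluster-wide RBAC never lands in history where a bisect or cherry-pick could pick it up. The `| toYaml` pipe in the helper becomes unnecessary once the caller compares a plain string.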
diff --git a/charts/site-manager/templates/cluster-role.yaml b/charts/site-manager/templates/cluster-role.yaml
index 06410f4a..953176a5 100644
--- a/charts/site-manager/templates/cluster-role.yaml
+++ b/charts/site-manager/templates/cluster-role.yaml
@@ -1,4 +1,4 @@
-{{ if .Values.createClusterAdminEntities }}
+{{ if (include "sitemanager.shouldCreateClusterAdminEntities" .) | fromYaml }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:

From f99bc45a5510d8c1e9c5a2916590ecfada70ee5b Mon Sep 17 00:00:00 2001
From: Pranav Patil
Date: Tue, 20 May 2025 10:52:48 +0530
Subject: [PATCH 2/2] creation of admin entities based on environment restriction

---
 charts/site-manager/templates/_helpers.tpl | 17 +++++++++--------
 .../templates/cluster-role-binding.yaml | 4 ++--
 charts/site-manager/templates/cluster-role.yaml | 5 +++--
 3 files changed, 14 insertions(+), 12 deletions(-)

diff --git a/charts/site-manager/templates/_helpers.tpl b/charts/site-manager/templates/_helpers.tpl
index 5b35fee2..455c7c57 100644
--- a/charts/site-manager/templates/_helpers.tpl
+++ b/charts/site-manager/templates/_helpers.tpl
@@ -43,13 +43,14 @@ IP addresses used to generate SSL certificate with "Subject Alternative Name" fi
 {{- end -}}
 
 {{/*
-Checks if the environment is restricted (from .Values.INFRA_RESTRICTED_ENVIRONMENT).
-And render ClusterAdminEntities templates (cluster-role & cluster-role-biding) only if environment is not restricted.
+Returns true if RBAC should be created.
+If INFRA_RESTRICTED_ENVIRONMENT is true => return false
+Else => return createClusterAdminEntities (default false)
 */}}
-{{- define "sitemanager.shouldCreateClusterAdminEntities" -}}
-  {{- if or (not (hasKey .Values "INFRA_RESTRICTED_ENVIRONMENT")) (not .Values.INFRA_RESTRICTED_ENVIRONMENT) -}}
-    {{- .Values.createClusterAdminEntities | default false | toYaml -}}
-  {{- else -}}
+{{- define "site-manager.shouldCreateClusterAdminEntities" -}}
+  {{- if and (hasKey .Values "INFRA_RESTRICTED_ENVIRONMENT") .Values.INFRA_RESTRICTED_ENVIRONMENT }}
     false
-  {{- end -}}
-{{- end -}}
\ No newline at end of file
+  {{- else }}
+    {{- .Values.createClusterAdminEntities | default false }}
+  {{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/site-manager/templates/cluster-role-binding.yaml b/charts/site-manager/templates/cluster-role-binding.yaml
index 663490b1..c2591976 100644
--- a/charts/site-manager/templates/cluster-role-binding.yaml
+++ b/charts/site-manager/templates/cluster-role-binding.yaml
@@ -1,4 +1,4 @@
-{{ if (include "sitemanager.shouldCreateClusterAdminEntities" .) | fromYaml }}
+{{- if eq (include "site-manager.shouldCreateClusterAdminEntities" .) "true" }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
@@ -11,4 +11,4 @@ subjects:
 - kind: ServiceAccount
   name: {{ .Values.serviceAccount.name }}
   namespace: {{ .Release.Namespace }}
-{{ end }}
\ No newline at end of file
+{{- end }}
\ No newline at end of file
diff --git a/charts/site-manager/templates/cluster-role.yaml b/charts/site-manager/templates/cluster-role.yaml
index 953176a5..1cc85182 100644
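Review bot: The restricted branch of `site-manager.shouldCreateClusterAdminEntities` no longer trims its surrounding whitespace, so `include` returns a leading newline plus the indentation in front of `false` (only the `else` branch is cleaned up, by the `{{-` that follows it); callers comparing with `eq ... "true"` still fail closed, but the helper's documented contract of returning `true`/`false` does not hold, and the debug comment added to cluster-role.yaml in this patch will render the value with the escaped newline in it. Restoring the trailing trims, `{{- if and (hasKey .Values "INFRA_RESTRICTED_ENVIRONMENT") .Values.INFRA_RESTRICTED_ENVIRONMENT -}}`, `{{- else -}}` and `{{- end -}}`, makes the output a bare `true`/`false` in both branches, as it was in 1/2. Note also that the flag is evaluated by template truthiness, so a string value such as `"false"` supplied with `--set-string` or from an environment-derived values file counts as restricted; that is the safe direction for a cluster-wide RBAC gate, but it deserves a line in the `{{/* */}}` comment, e.g. `Any non-empty INFRA_RESTRICTED_ENVIRONMENT value (including the string "false") is treated as restricted.`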
--- a/charts/site-manager/templates/cluster-role.yaml
+++ b/charts/site-manager/templates/cluster-role.yaml
@@ -1,4 +1,5 @@
-{{ if (include "sitemanager.shouldCreateClusterAdminEntities" .) | fromYaml }}
+# shouldCreateClusterAdminEntities = {{ include "site-manager.shouldCreateClusterAdminEntities" . | quote }}
+{{- if eq (include "site-manager.shouldCreateClusterAdminEntities" .) "true" }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -25,4 +26,4 @@ rules:
 - apiGroups: ["authentication.k8s.io"]
   resources: ["tokenreviews"]
   verbs: ["create"]
-{{ end }}
+{{- end }}
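Review bot: The added `# shouldCreateClusterAdminEntities = {{ include "site-manager.shouldCreateClusterAdminEntities" . | quote }}` line is a debugging aid that ends up in the delivered ClusterRole manifest, and when the gate is false the file still renders as a comment-only document that shows up in `helm template` output. cluster-role-binding.yaml, which is gated by the same helper in this patch, does not carry a matching line, so the two templates also diverge for no reason. Drop it before merge; the computed value can be inspected on demand with `helm template --debug` without shipping it in every release.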