From 0c53fc7d9477087af425a5ee2ca100afa457e6d7 Mon Sep 17 00:00:00 2001 From: rasta-rocket Date: Wed, 23 Jul 2025 14:37:36 +0200 Subject: [PATCH 1/5] feat: add clusterrole/binding support in the chart --- README.md | 1 + application/templates/clusterrole.yaml | 20 +++++++++++++ application/templates/clusterrolebinding.yaml | 30 +++++++++++++++++++ application/values.yaml | 22 ++++++++++++++ 4 files changed, 73 insertions(+) create mode 100644 application/templates/clusterrole.yaml create mode 100644 application/templates/clusterrolebinding.yaml diff --git a/README.md b/README.md index b28538c5..f761369a 100644 --- a/README.md +++ b/README.md @@ -220,6 +220,7 @@ helm delete --namespace test my-application | rbac.serviceAccount.additionalLabels | object | `nil` | Additional labels for Service Account. | | rbac.serviceAccount.annotations | object | `nil` | Annotations for Service Account. | | rbac.roles | list | `nil` | Namespaced Roles. | +| rbac.clusterRoles | list | `nil` | ClusterRoles (Clusterwide) | ### ConfigMap Parameters diff --git a/application/templates/clusterrole.yaml b/application/templates/clusterrole.yaml new file mode 100644 index 00000000..19f279c3 --- /dev/null +++ b/application/templates/clusterrole.yaml @@ -0,0 +1,20 @@ +{{- if and .Values.rbac.enabled .Values.rbac.clusterRoles }} +{{- range .Values.rbac.clusterRoles }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + {{- include "application.labels" $ | nindent 4 }} +{{- if $.Values.rbac.additionalLabels }} +{{ toYaml $.Values.rbac.additionalLabels | indent 4 }} +{{- end }} +{{- if $.Values.rbac.annotations }} + annotations: +{{ toYaml $.Values.rbac.annotations | indent 4 }} +{{- end }} + name: {{ template "application.name" $ }}-clusterrole-{{ .name }} +rules: +{{ toYaml .rules | indent 2 }} +--- +{{- end }} +{{- end }} 
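Review bot: The ClusterRole is cluster-scoped, but its name `{{ template "application.name" $ }}-clusterrole-{{ .name }}` in clusterrole.yaml carries no namespace component. Unless the `application.name` helper (not visible in this patch) is already unique per release, two releases with the same application name in different namespaces render identical ClusterRole and ClusterRoleBinding names. Helm rejects the second install on a resource-ownership conflict, while apply-style tooling would let the later release silently replace the earlier one's rules and subject. Consider `name: {{ template "application.name" $ }}-{{ $.Release.Namespace }}-clusterrole-{{ .name }}`, with the matching change to the binding name and its `roleRef.name` in clusterrolebinding.yaml.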
diff --git a/application/templates/clusterrolebinding.yaml b/application/templates/clusterrolebinding.yaml new file mode 100644 index 00000000..4e5ec52a --- /dev/null +++ b/application/templates/clusterrolebinding.yaml @@ -0,0 +1,30 @@ +{{- if and .Values.rbac.enabled .Values.rbac.clusterRoles }} +{{- range .Values.rbac.clusterRoles }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + {{- include "application.labels" $ | nindent 4 }} +{{- if $.Values.rbac.additionalLabels }} +{{ toYaml $.Values.rbac.additionalLabels | indent 4 }} +{{- end }} +{{- if $.Values.rbac.annotations }} + annotations: +{{ toYaml $.Values.rbac.annotations | indent 4 }} +{{- end }} + name: {{ template "application.name" $ }}-clusterrolebinding-{{ .name }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "application.name" $ }}-clusterrole-{{ .name }} +subjects: + - kind: ServiceAccount + {{- if $.Values.rbac.serviceAccount.name }} + name: {{ $.Values.rbac.serviceAccount.name }} + {{- else }} + name: {{ template "application.name" $ }} + {{- end }} + namespace: {{ $.Release.Namespace }} +--- +{{- end }} +{{- end }} diff --git a/application/values.yaml b/application/values.yaml index 1d5c4e54..9edf2dfa 100644 --- a/application/values.yaml +++ b/application/values.yaml @@ -726,6 +726,28 @@ rbac: # verbs: # - get + # -- (list) ClusterRoles (Clusterwide) + # @section -- RBAC Parameters + clusterRoles: + # - name: configmaps + # rules: + # - apiGroups: + # - "" + # resources: + # - configmaps + # verbs: + # - get + # - name: pods + # rules: + # - apiGroups: + # - "" + # resources: + # - pods + # verbs: + # - get + # - list + # - watch + configMap: # -- (bool) Deploy additional ConfigMaps. # @section -- ConfigMap Parameters From b70b65fd252396015b4fe3e49d12bf99e7e95d31 Mon Sep 17 00:00:00 2001 
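Review bot: The subject of the ClusterRoleBinding is selected by name only, either `$.Values.rbac.serviceAccount.name` or the `application.name` fallback in `$.Release.Namespace`, while the template is gated solely on `rbac.enabled` and `rbac.clusterRoles`. The ServiceAccount template is not part of this patch, so this is an assumption to confirm: if the chart can be installed without creating that account, the binding still exists and grants the cluster-wide rules to whichever ServiceAccount later takes that name in the namespace. Gate the binding on the same condition that creates the ServiceAccount, or reuse the chart's ServiceAccount-name helper if one exists. A comment above `subjects:` such as `# Bound to the release ServiceAccount only; cluster-wide rules apply to every pod running as it.` would make the blast radius explicit.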
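Review bot: The comment block above `clusterRoles:` in values.yaml does not tell the operator that each entry is bound to the release's ServiceAccount through a generated ClusterRoleBinding, which is what turns these rules into live cluster-wide access. The commented example mirrors the namespaced `roles` example, so it reads as interchangeable with it. Add a line such as `# Each entry is bound cluster-wide to the release ServiceAccount; prefer rbac.roles unless access across namespaces is required.` above the example.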
From: Zadkiel AHARONIAN Date: Sat, 13 Sep 2025 16:09:40 +0200 Subject: [PATCH 2/5] fix: improve roles and clusterRoles field descriptions --- application/values.yaml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/application/values.yaml b/application/values.yaml index 9edf2dfa..09a71cf3 100644 --- a/application/values.yaml +++ b/application/values.yaml @@ -706,7 +706,7 @@ rbac: # @section -- RBAC Parameters annotations: # key: value - # -- (list) Namespaced Roles. + # -- (list) Role definitions scoped to a single namespace. # @section -- RBAC Parameters roles: # - name: configmaps @@ -725,8 +725,7 @@ rbac: # - secrets # verbs: # - get - - # -- (list) ClusterRoles (Clusterwide) + # -- (list) ClusterRole definitions with cluster-wide permissions. # @section -- RBAC Parameters clusterRoles: # - name: configmaps From a8356182311782e2746fac181f82951673709a66 Mon Sep 17 00:00:00 2001 From: Zadkiel AHARONIAN Date: Sat, 13 Sep 2025 16:10:25 +0200 Subject: [PATCH 3/5] fix: improve roles and clusterRoles field descriptions in README --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index f761369a..b4910ac6 100644 --- a/README.md +++ b/README.md @@ -219,8 +219,8 @@ helm delete --namespace test my-application | rbac.serviceAccount.name | string | `{{ include "application.name" $ }}` | Service Account Name. | | rbac.serviceAccount.additionalLabels | object | `nil` | Additional labels for Service Account. | | rbac.serviceAccount.annotations | object | `nil` | Annotations for Service Account. | -| rbac.roles | list | `nil` | Namespaced Roles. | -| rbac.clusterRoles | list | `nil` | ClusterRoles (Clusterwide) | +| rbac.roles | list | `nil` | Role definitions scoped to a single namespace. | +| rbac.clusterRoles | list | `nil` | ClusterRole definitions with cluster-wide permissions. | ### ConfigMap Parameters From f0071dce2b926fe23ef1af8cb62312e17e6de92a Mon Sep 17 00:00:00 2001 
From: Zadkiel AHARONIAN Date: Sat, 13 Sep 2025 16:11:45 +0200 Subject: [PATCH 4/5] fix: align ClusterRole on Role template --- application/templates/clusterrole.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/application/templates/clusterrole.yaml b/application/templates/clusterrole.yaml index 19f279c3..640f358d 100644 --- a/application/templates/clusterrole.yaml +++ b/application/templates/clusterrole.yaml @@ -1,8 +1,10 @@ -{{- if and .Values.rbac.enabled .Values.rbac.clusterRoles }} +{{- if and (.Values.rbac).enabled .Values.rbac.clusterRoles }} {{- range .Values.rbac.clusterRoles }} +--- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: + name: {{ template "application.name" $ }}-clusterrole-{{ .name }} labels: {{- include "application.labels" $ | nindent 4 }} {{- if $.Values.rbac.additionalLabels }} @@ -12,9 +14,7 @@ metadata: annotations: {{ toYaml $.Values.rbac.annotations | indent 4 }} {{- end }} - name: {{ template "application.name" $ }}-clusterrole-{{ .name }} rules: {{ toYaml .rules | indent 2 }} ---- {{- end }} {{- end }} From ffc8416b84e3641ecb4f52285646eddaa9245ab7 Mon Sep 17 00:00:00 2001 From: Zadkiel AHARONIAN Date: Sat, 13 Sep 2025 16:13:35 +0200 Subject: [PATCH 5/5] fix: align ClusterRoleBinding on RoleBinding template --- application/templates/clusterrolebinding.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/application/templates/clusterrolebinding.yaml b/application/templates/clusterrolebinding.yaml index 4e5ec52a..ca1c203b 100644 --- a/application/templates/clusterrolebinding.yaml +++ b/application/templates/clusterrolebinding.yaml 
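Review bot: Only the first operand of the guard was made nil-safe: in `{{- if and (.Values.rbac).enabled .Values.rbac.clusterRoles }}` the second operand still dereferences `.Values.rbac` directly. On Helm builds whose template engine evaluates every argument of `and` (short-circuit evaluation arrived with Go 1.18), a values file without an `rbac` key would still fail on that operand, so the added parentheses do not achieve their purpose there. Write `{{- if and (.Values.rbac).enabled (.Values.rbac).clusterRoles }}` in clusterrole.yaml; the identical line is added to clusterrolebinding.yaml in patch 5/5 and needs the same change.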
@@ -1,8 +1,10 @@ -{{- if and .Values.rbac.enabled .Values.rbac.clusterRoles }} +{{- if and (.Values.rbac).enabled .Values.rbac.clusterRoles }} {{- range .Values.rbac.clusterRoles }} +--- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: + name: {{ template "application.name" $ }}-clusterrolebinding-{{ .name }} labels: {{- include "application.labels" $ | nindent 4 }} {{- if $.Values.rbac.additionalLabels }} @@ -12,7 +14,6 @@ metadata: annotations: {{ toYaml $.Values.rbac.annotations | indent 4 }} {{- end }} - name: {{ template "application.name" $ }}-clusterrolebinding-{{ .name }} roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole @@ -25,6 +26,5 @@ subjects: name: {{ template "application.name" $ }} {{- end }} namespace: {{ $.Release.Namespace }} ---- {{- end }} {{- end }}