From a781ff26c45a0d578e3ccb3853030af2f448616d Mon Sep 17 00:00:00 2001
From: Raffael Sahli <raffael.sahli@doodle.com>
Date: Tue, 11 Jul 2023 13:45:09 +0000
Subject: [PATCH] fix: metrics rbac

---
 chart/k8soauth2-proxy-controller/Chart.yaml    |  2 +-
 .../templates/deployment.yaml                  |  2 +-
 .../templates/metrics-rbac.yaml                | 18 ++++++++++++++++++
 chart/k8soauth2-proxy-controller/values.yaml   |  8 +++++++-
 4 files changed, 27 insertions(+), 3 deletions(-)

diff --git a/chart/k8soauth2-proxy-controller/Chart.yaml b/chart/k8soauth2-proxy-controller/Chart.yaml
index 71bb12e..d51e3ca 100644
--- a/chart/k8soauth2-proxy-controller/Chart.yaml
+++ b/chart/k8soauth2-proxy-controller/Chart.yaml
@@ -13,4 +13,4 @@ keywords:
 name: k8soauth2-proxy-controller
 sources:
 - https://github.com/DoodleScheduling/k8soauth2-proxy-controller
-version: 0.2.4
+version: 0.2.5
diff --git a/chart/k8soauth2-proxy-controller/templates/deployment.yaml b/chart/k8soauth2-proxy-controller/templates/deployment.yaml
index 8f588b3..9c6f354 100644
--- a/chart/k8soauth2-proxy-controller/templates/deployment.yaml
+++ b/chart/k8soauth2-proxy-controller/templates/deployment.yaml
@@ -88,7 +88,7 @@ spec:
         - --upstream=http://127.0.0.1:{{ .Values.metricsPort }}
         - --logtostderr=true
         - --v=0
-        image: quay.io/brancz/kube-rbac-proxy:v0.14.0
+        image: {{ .Values.kubeRBACProxy.image }}
         imagePullPolicy: IfNotPresent
         name: kube-rbac-proxy
         ports:
diff --git a/chart/k8soauth2-proxy-controller/templates/metrics-rbac.yaml b/chart/k8soauth2-proxy-controller/templates/metrics-rbac.yaml
index 24922b9..7049b4f 100644
--- a/chart/k8soauth2-proxy-controller/templates/metrics-rbac.yaml
+++ b/chart/k8soauth2-proxy-controller/templates/metrics-rbac.yaml
@@ -16,6 +16,24 @@ rules:
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
+metadata:
+  name: {{ include "k8soauth2-proxy-controller.fullname" . }}-metrics
+  labels:
+    app.kubernetes.io/name: {{ include "k8soauth2-proxy-controller.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    helm.sh/chart: {{ include "k8soauth2-proxy-controller.chart" . }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "k8soauth2-proxy-controller.fullname" . }}-metrics-reader
+subjects:
+- kind: ServiceAccount
+  name: {{ template "k8soauth2-proxy-controller.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
 metadata:
   name: {{ include "k8soauth2-proxy-controller.fullname" . }}-proxy
   labels:
diff --git a/chart/k8soauth2-proxy-controller/values.yaml b/chart/k8soauth2-proxy-controller/values.yaml
index e9be5ef..2087dc4 100644
--- a/chart/k8soauth2-proxy-controller/values.yaml
+++ b/chart/k8soauth2-proxy-controller/values.yaml
@@ -132,7 +132,7 @@ prometheusRule:
 
 kubeRBACProxy:
   enabled: true
-
+  image: quay.io/brancz/kube-rbac-proxy:v0.14.2
   securityContext:
     allowPrivilegeEscalation: false
     capabilities:
@@ -140,5 +140,11 @@ kubeRBACProxy:
     readOnlyRootFilesystem: true
 
   resources: {}
+  # limits:
+  #   cpu: 500m
+  #   memory: 128Mi
+  # requests:
+  #   cpu: 5m
+  #   memory: 64Mi
 
 tolerations: []