Update chart to match RBAC best practices for charts

ref: https://github.com/kubernetes/helm/blob/master/docs/chart_best_practices/rbac.md
config-syncer · Mar 5, 2018 · 0681e06 · 0681e06
1 parent dff0605
commit 0681e06
Show file tree

Hide file tree

Showing 8 changed files with 32 additions and 15 deletions.
diff --git a/chart/stable/kubed/README.md b/chart/stable/kubed/README.md
@@ -49,8 +49,9 @@ The following tables lists the configurable parameters of the Kubed chart and th
 | `criticalAddon`                    | If true, installs kubed operator as critical addon                | `false`            |
 | `logLevel`                         | Log level for kubed                                               | `3`                |
 | `nodeSelector`                     | Node labels for pod assignment                                    | `{}`               |
-| `rbac.create`                      | install required rbac service account, roles and rolebindings     | `false`            |
-| `rbac.serviceAccountName`          | ServiceAccount Kubed will use (ignored if rbac.create=true)       | `default`          |
+| `rbac.create`                      | If `true`, create and use RBAC resources                           | `true`             |
+| `serviceAccount.create`            | If `true`, create a new service account                            | `true`             |
+| `serviceAccount.name`              | Service account to be used. If not set and `serviceAccount.create` is `true`, a name is generated using the fullname template | `` |
 | `apiserver.groupPriorityMinimum`   | The minimum priority the group should have.                       | 10000              |
 | `apiserver.versionPriority`        | The ordering of this API inside of the group.                     | 15                 |
 | `apiserver.ca`                     | CA certificate used by main Kubernetes api server                 | ``                 |

diff --git a/chart/stable/kubed/templates/_helpers.tpl b/chart/stable/kubed/templates/_helpers.tpl
@@ -14,3 +14,14 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
 {{- $name := default .Chart.Name .Values.nameOverride -}}
 {{- printf "%s-%s" $name .Release.Name | trunc 63 -}}
 {{- end -}}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "kubed.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create -}}
+    {{ default (include "kubed.fullname" .) .Values.serviceAccount.name }}
+{{- else -}}
+    {{ default "default" .Values.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
diff --git a/chart/stable/kubed/templates/apiregistration.yaml b/chart/stable/kubed/templates/apiregistration.yaml
@@ -1,6 +1,5 @@
 {{- $ca := genCA "svc-cat-ca" 3650 }}
-{{- $name := default .Chart.Name .Values.nameOverride -}}
-{{- $cn := printf "%s-%s" $name .Release.Name | trunc 63 -}}
+{{- $cn := include "kubed.fullname" . -}}
 {{- $altName1 := printf "%s.%s" $cn .Release.Namespace }}
 {{- $altName2 := printf "%s.%s.svc" $cn .Release.Namespace }}
 {{- $cert := genSignedCert $cn nil (list $altName1 $altName2) 3650 $ca }}
@@ -55,7 +54,7 @@ roleRef:
   name: extension-apiserver-authentication-reader
 subjects:
 - kind: ServiceAccount
-  name: {{ template "kubed.fullname" . }}
+  name: {{ template "kubed.serviceAccountName" . }}
   namespace: {{ .Release.Namespace }}
 ---
 # to delegate authentication and authorization
@@ -74,6 +73,6 @@ roleRef:
   name: system:auth-delegator
 subjects:
 - kind: ServiceAccount
-  name: {{ template "kubed.fullname" . }}
+  name: {{ template "kubed.serviceAccountName" . }}
   namespace: {{ .Release.Namespace }}
 {{ end }}
diff --git a/chart/stable/kubed/templates/cluster-role-binding.yaml b/chart/stable/kubed/templates/cluster-role-binding.yaml
@@ -14,6 +14,6 @@ roleRef:
   name: {{ template "kubed.fullname" . }}
 subjects:
 - kind: ServiceAccount
-  name: {{ template "kubed.fullname" . }}
+  name: {{ template "kubed.serviceAccountName" . }}
   namespace: {{ .Release.Namespace }}
 {{ end }}
diff --git a/chart/stable/kubed/templates/cluster-role.yaml b/chart/stable/kubed/templates/cluster-role.yaml
@@ -21,7 +21,7 @@ rules:
   - networking.k8s.io
   - storage.k8s.io
   - monitoring.coreos.com
-  - kubedb.com
+  - kubed.com
   - monitoring.appscode.com
   - rbac.authorization.k8s.io
   - stash.appscode.com

diff --git a/chart/stable/kubed/templates/deployment.yaml b/chart/stable/kubed/templates/deployment.yaml
@@ -23,7 +23,7 @@ spec:
         scheduler.alpha.kubernetes.io/critical-pod: ''
 {{- end }}
     spec:
-      serviceAccountName: {{ if .Values.rbac.create }}{{ template "kubed.fullname" . }}{{ else }}"{{ .Values.rbac.serviceAccountName }}"{{ end }}
+      serviceAccountName: {{ template "kubed.serviceAccountName" . }}
       {{- if .Values.imagePullSecrets }}
       imagePullSecrets:
 {{ toYaml .Values.imagePullSecrets | indent 6 }}

diff --git a/chart/stable/kubed/templates/service-account.yaml b/chart/stable/kubed/templates/service-account.yaml
@@ -1,8 +1,8 @@
-{{ if .Values.rbac.create }}
+{{ if .Values.serviceAccount.create }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: {{ template "kubed.fullname" . }}
+  name: {{ template "kubed.serviceAccountName" . }}
   labels:
     chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
     app: "{{ template "kubed.name" . }}"

diff --git a/chart/stable/kubed/values.yaml b/chart/stable/kubed/values.yaml
@@ -28,12 +28,18 @@ logLevel: 3
 ## Ref: https://kubernetes.io/docs/user-guide/node-selection/
 ##
 nodeSelector: {}
+
 ## Install Default RBAC roles and bindings
 rbac:
-  ## If true, create & use RBAC resources
-  create: false
-  ## Ignored if rbac.create is true
-  serviceAccountName: default
+  # Specifies whether RBAC resources should be created
+  create: true
+
+serviceAccount:
+  # Specifies whether a ServiceAccount should be created
+  create: true
+  # The name of the ServiceAccount to use.
+  # If not set and create is true, a name is generated using the fullname template
+  name:
 
 apiserver:
   # groupPriorityMinimum is the minimum priority the group should have. Please see