
Add RBAC support for cross-namespace secret reading#6919

Open
rohitrsh wants to merge 1 commit into flyteorg:master from rohitrsh:feat/flyteconnector-rbac

Conversation

@rohitrsh

Tracking issue

Related to #6911

Why are the changes needed?

The Databricks Spark connector now supports "Add multi-tenant Databricks token support via cross-namespace K8S secrets", allowing the connector to read Databricks tokens from Kubernetes secrets in workflow namespaces. This enables multi-tenant Databricks access, allowing each Flyte project to use its own Databricks workspace/token.

For this feature to work, the connector's ServiceAccount needs get permission on secrets across namespaces. Currently, the flyteconnector Helm chart creates a ServiceAccount but no RBAC resources (ClusterRole / ClusterRoleBinding), so the connector cannot read secrets from workflow namespaces.

What changes were proposed in this pull request?

New file: templates/connector/rbac.yaml

Adds an optional ClusterRole and ClusterRoleBinding for the flyteconnector ServiceAccount:

  • ClusterRole: Configurable rules via values.yaml, defaulting to get on secrets
  • ClusterRoleBinding: Binds the ClusterRole to the flyteconnector ServiceAccount
  • Guarded: Only created when rbac.enabled: true (default: false for backward compatibility)
  • Follows existing patterns: Uses the same naming and label conventions as the rest of the chart

# templates/connector/rbac.yaml
# Whole file is guarded so nothing renders unless rbac.enabled is true
{{- if .Values.rbac.enabled }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ template "flyte.namespace" . -}}-{{- template "flyteconnector.name" . }}
  labels: {{ include "flyteconnector.labels" . | nindent 4 }}
rules:
  {{- toYaml .Values.rbac.rules | nindent 2 }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ template "flyte.namespace" . -}}-{{- template "flyteconnector.name" . }}
  labels: {{ include "flyteconnector.labels" . | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ template "flyte.namespace" . -}}-{{- template "flyteconnector.name" . }}
subjects:
- kind: ServiceAccount
  name: {{ template "flyteconnector.name" . }}
  namespace: {{ template "flyte.namespace" . }}
{{- end }}

Updated: values.yaml

Added rbac configuration block:

# -- RBAC configuration for flyteconnector
rbac:
  # -- Should RBAC resources (ClusterRole/ClusterRoleBinding) be created
  enabled: false
  # -- Rules for the ClusterRole
  rules:
    # Allow reading secrets across namespaces (for per-project Databricks token resolution)
    - apiGroups:
        - ""
      resources:
        - secrets
      verbs:
        - get

Key design decisions:

  • enabled: false by default: Opt-in to avoid breaking existing deployments that don't need cross-namespace secret access
  • Only get verb: Least privilege; no list or watch
  • Rules are configurable: Operators can customise via values.yaml overrides
  • No resourceNames restriction: Supports both the default databricks-token and custom secret names

How was this patch tested?

  1. Template rendering verified with helm template:

helm template ml-flyte charts/flyteconnector/ \
  --set rbac.enabled=true \
  --show-only templates/connector/rbac.yaml

  2. Verified RBAC disabled by default: no ClusterRole/ClusterRoleBinding rendered when rbac.enabled is omitted

  3. Verified cross-namespace secret access after applying:

kubectl auth can-i get secrets \
  --as=system:serviceaccount:flyte:flyteconnector \
  -n <workflow-namespace>

  4. End-to-end tested with the Databricks per-project token feature: connector successfully reads namespace-specific tokens

Setup process

To enable Databricks per-project token support:

# values.yaml override
rbac:
  enabled: true

Then create secrets in workflow namespaces:

kubectl create secret generic databricks-token \
  --from-literal=token='dapi_your_token' \
  --namespace=<workflow-namespace>

Screenshots

N/A (infrastructure-only change)

Check all the applicable boxes

  • I updated the documentation accordingly.
  • All new and existing tests passed.
  • All commits are signed-off.

Related PRs

Docs link

N/A

…ret reading

Add optional ClusterRole and ClusterRoleBinding to the flyteconnector
Helm chart, enabling the connector to read secrets from workflow
namespaces for per-project Databricks token authentication.

Disabled by default (rbac.enabled: false) for backward compatibility.

Tracking: flyteorg#6911
Signed-off-by: Rohit Sharma <rohitrsh@gmail.com>
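Added example, not code from the PR or from the flyte chart: a reduced model of Kubernetes RBAC evaluation that contrasts the PR's ClusterRoleBinding (the rule applies in every namespace, including ones that hold no Databricks token) with the tighter pattern of a RoleBinding per workflow namespace that references the same ClusterRole. The namespace names project-a, project-b and kube-system are constructed samples.

```python
# Added example: a minimal model of RBAC evaluation, enough to compare the
# scope of a ClusterRoleBinding with per-namespace RoleBindings that point at
# the same ClusterRole. Namespace names below are constructed samples.
from dataclasses import dataclass, field


@dataclass
class Rule:
    api_groups: list
    resources: list
    verbs: list
    resource_names: list = field(default_factory=list)  # empty => any name

    def allows(self, group, resource, verb, name):
        return (("*" in self.api_groups or group in self.api_groups)
                and ("*" in self.resources or resource in self.resources)
                and ("*" in self.verbs or verb in self.verbs)
                and (not self.resource_names or name in self.resource_names))


@dataclass
class Binding:
    rules: list          # rules of the referenced ClusterRole
    subject: str         # "system:serviceaccount:<ns>:<name>"
    namespace: str = None  # None => ClusterRoleBinding; else RoleBinding in that ns


def can_i(bindings, subject, verb, resource, namespace, name="", group=""):
    """Rough equivalent of `kubectl auth can-i` for this reduced model."""
    for b in bindings:
        if b.subject != subject:
            continue
        if b.namespace is not None and b.namespace != namespace:
            continue  # a RoleBinding only grants inside its own namespace
        if any(r.allows(group, resource, verb, name) for r in b.rules):
            return True
    return False


SA = "system:serviceaccount:flyte:flyteconnector"
SECRET_GET = [Rule([""], ["secrets"], ["get"])]  # the chart's default rbac.rules

# Pattern 1: the PR's ClusterRoleBinding, valid in every namespace.
cluster_wide = [Binding(SECRET_GET, SA)]
# Pattern 2: same ClusterRole, bound via a RoleBinding in each workflow
# namespace only, so unrelated namespaces stay out of reach.
per_namespace = [Binding(SECRET_GET, SA, ns) for ns in ("project-a", "project-b")]

if __name__ == "__main__":
    for label, b in (("ClusterRoleBinding", cluster_wide), ("RoleBindings", per_namespace)):
        for ns in ("project-a", "kube-system"):
            print(label, ns, can_i(b, SA, "get", "secrets", ns, "databricks-token"))
```

Running it shows the ClusterRoleBinding answers "yes" for kube-system as well as project-a, while the per-namespace RoleBindings answer "yes" only for the workflow namespaces they were created in.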