helm: additional cluster roles for secretproviderclasses (#836)

* feature: additional cluster roles for secretproviderclasses Adding Admin and Viewer cluster roles, aggregaring to default "admin" and "view" ClusterRoles. * adding new ClusterRole manifests to manifest_staging/deploy
kubernetes-sigs · Jan 26, 2022 · d32ca72 · d32ca72
1 parent afea7be
commit d32ca72
Show file tree

Hide file tree

Showing 4 changed files with 80 additions and 0 deletions.
diff --git a/...t_staging/charts/secrets-store-csi-driver/templates/role-secretproviderclasses-admin.yaml b/...t_staging/charts/secrets-store-csi-driver/templates/role-secretproviderclasses-admin.yaml
@@ -0,0 +1,25 @@
+{{ if .Values.rbac.install }}
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  creationTimestamp: null
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+    rbac.authorization.k8s.io/aggregate-to-edit: "true"
+  name: secretproviderclasses-admin-role
+rules:
+- apiGroups:
+  - secrets-store.csi.x-k8s.io
+  resources:
+  - secretproviderclasses
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - patch
+  - delete
+{{ end }}
diff --git a/..._staging/charts/secrets-store-csi-driver/templates/role-secretproviderclasses-viewer.yaml b/..._staging/charts/secrets-store-csi-driver/templates/role-secretproviderclasses-viewer.yaml
@@ -0,0 +1,20 @@
+{{ if .Values.rbac.install }}
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  creationTimestamp: null
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-view: "true"
+  name: secretproviderclasses-viewer-role
+rules:
+- apiGroups:
+  - secrets-store.csi.x-k8s.io
+  resources:
+  - secretproviderclasses
+  verbs:
+  - get
+  - list
+  - watch
+{{ end }}
diff --git a/manifest_staging/deploy/role-secretproviderclasses-admin.yaml b/manifest_staging/deploy/role-secretproviderclasses-admin.yaml
@@ -0,0 +1,20 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+    rbac.authorization.k8s.io/aggregate-to-edit: "true"
+  name: secretproviderclasses-admin-role
+rules:
+- apiGroups:
+  - secrets-store.csi.x-k8s.io
+  resources:
+  - secretproviderclasses
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - patch
+  - delete
diff --git a/manifest_staging/deploy/role-secretproviderclasses-viewer.yaml b/manifest_staging/deploy/role-secretproviderclasses-viewer.yaml
@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-view: "true"
+  name: secretproviderclasses-viewer-role
+rules:
+- apiGroups:
+  - secrets-store.csi.x-k8s.io
+  resources:
+  - secretproviderclasses
+  verbs:
+  - get
+  - list
+  - watch