From 2e410f1a0a9ddbfc7df5a97e66e9f88207eb7349 Mon Sep 17 00:00:00 2001
From: Charlie Haley
Date: Sun, 9 Jun 2024 20:24:22 +0100
Subject: [PATCH] redpanda: convert rbac.yaml to go code

---
charts/redpanda/rbac.go | 288 ++++++++++++++++++++++++++
charts/redpanda/templates/rbac.go.tpl | 86 ++++++++
charts/redpanda/templates/rbac.yaml | 275 ++++-------------------
charts/redpanda/values.go | 1 +
charts/redpanda/values.schema.json | 3 +
charts/redpanda/values_partial.gen.go | 1 +
6 files changed, 421 insertions(+), 233 deletions(-)
create mode 100644 charts/redpanda/rbac.go
create mode 100644 charts/redpanda/templates/rbac.go.tpl

diff --git a/charts/redpanda/rbac.go b/charts/redpanda/rbac.go
new file mode 100644
index 0000000000..62320e6a1a
--- /dev/null
+++ b/charts/redpanda/rbac.go
@@ -0,0 +1,288 @@
+// Licensed to the Apache Software Foundation (ASF) under one or more
+// contributor license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright ownership.
+// The ASF licenses this file to You under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance with
+// the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// +gotohelm:filename=rbac.go.tpl
+package redpanda
+
+import (
+ "fmt"
+
+ "github.com/redpanda-data/helm-charts/pkg/gotohelm/helmette"
+ rbacv1 "k8s.io/api/rbac/v1"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+func ClusterRoles(dot *helmette.Dot) []*rbacv1.ClusterRole {
+ values := helmette.Unwrap[Values](dot.Values)
+
+ if !values.RBAC.Enabled {
+ return nil
+ }
+
+ rpkBundleName := fmt.Sprintf("%s-rpk-bundle", Fullname(dot))
+
+ return []*rbacv1.ClusterRole{
+ {
+ TypeMeta: metav1.TypeMeta{
+ APIVersion: "rbac.authorization.k8s.io/v1",
+ Kind: "ClusterRole",
+ },
+ ObjectMeta: metav1.ObjectMeta{
+ Name: Fullname(dot),
+ Labels: FullLabels(dot),
+ Annotations: values.ServiceAccount.Annotations,
+ },
+ Rules: []rbacv1.PolicyRule{
+ {
+ APIGroups: []string{""},
+ Resources: []string{"nodes"},
+ Verbs: []string{"get", "list"},
+ },
+ },
+ },
+ {
+ TypeMeta: metav1.TypeMeta{
+ APIVersion: "rbac.authorization.k8s.io/v1",
+ Kind: "ClusterRole",
+ },
+ ObjectMeta: metav1.ObjectMeta{
+ Name: rpkBundleName,
+ Labels: FullLabels(dot),
+ Annotations: values.ServiceAccount.Annotations,
+ },
+ Rules: []rbacv1.PolicyRule{
+ {
+ APIGroups: []string{""},
+ Resources: []string{
+ "configmaps",
+ "endpoints",
+ "events",
+ "limitranges",
+ "persistentvolumeclaims",
+ "pods",
+ "pods/log",
+ "replicationcontrollers",
+ "resourcequotas",
+ "serviceaccounts",
+ "services",
+ },
+ Verbs: []string{"get", "list"},
+ },
+ },
+ },
+ }
+}
+
+func ClusterRoleBindings(dot *helmette.Dot) []*rbacv1.ClusterRoleBinding {
+ values := helmette.Unwrap[Values](dot.Values)
+
+ if !values.RBAC.Enabled {
+ return nil
+ }
+
+ rpkBundleName := fmt.Sprintf("%s-rpk-bundle", Fullname(dot))
+ return []*rbacv1.ClusterRoleBinding{
+ {
+ TypeMeta: metav1.TypeMeta{
+ APIVersion: "rbac.authorization.k8s.io/v1",
+ Kind: "ClusterRoleBinding",
+ },
+ ObjectMeta: metav1.ObjectMeta{
+ Name: Fullname(dot),
+ Labels: FullLabels(dot),
+ Annotations: values.ServiceAccount.Annotations,
+ },
+ RoleRef: rbacv1.RoleRef{
+ APIGroup: "rbac.authorization.k8s.io",
+ Kind: "ClusterRole",
+ Name: Fullname(dot),
+ },
+ Subjects: []rbacv1.Subject{
+ {
+ Kind: "ServiceAccount",
+ Name: ServiceAccountName(dot),
+ Namespace: dot.Release.Namespace,
+ },
+ },
+ },
+ {
+ TypeMeta: metav1.TypeMeta{
+ APIVersion: "rbac.authorization.k8s.io/v1",
+ Kind: "ClusterRoleBinding",
+ },
+ ObjectMeta: metav1.ObjectMeta{
+ Name: rpkBundleName,
+ Labels: FullLabels(dot),
+ Annotations: values.ServiceAccount.Annotations,
+ },
+ RoleRef: rbacv1.RoleRef{
+ APIGroup: "rbac.authorization.k8s.io",
+ Kind: "ClusterRole",
+ Name: rpkBundleName,
+ },
+ Subjects: []rbacv1.Subject{
+ {
+ Kind: "ServiceAccount",
+ Name: ServiceAccountName(dot),
+ Namespace: dot.Release.Namespace,
+ },
+ },
+ },
+ }
+}
+
+func SidecarControllersClusterRole(dot *helmette.Dot) *rbacv1.ClusterRole {
+ values := helmette.Unwrap[Values](dot.Values)
+
+ if !values.Statefulset.SideCars.Controllers.Enabled || !values.Statefulset.SideCars.Controllers.CreateRBAC {
+ return nil
+ }
+
+ sidecarControllerName := fmt.Sprintf("%s-sidecar-controllers", Fullname(dot))
+ return &rbacv1.ClusterRole{
+ TypeMeta: metav1.TypeMeta{
+ APIVersion: "rbac.authorization.k8s.io/v1",
+ Kind: "ClusterRole",
+ },
+ ObjectMeta: metav1.ObjectMeta{
+ Name: sidecarControllerName,
+ Labels: FullLabels(dot),
+ Annotations: values.ServiceAccount.Annotations,
+ },
+ Rules: []rbacv1.PolicyRule{
+ {
+ APIGroups: []string{""},
+ Resources: []string{"nodes"},
+ Verbs: []string{"get", "list", "watch"},
+ },
+ {
+ APIGroups: []string{""},
+ Resources: []string{"persistentvolumes"},
+ Verbs: []string{"delete", "get", "list", "patch", "update", "watch"},
+ },
+ },
+ }
+}
+
+func SidecarControllersClusterRoleBinding(dot *helmette.Dot) *rbacv1.ClusterRoleBinding {
+ values := helmette.Unwrap[Values](dot.Values)
+
+ if !values.Statefulset.SideCars.Controllers.Enabled || !values.Statefulset.SideCars.Controllers.CreateRBAC {
+ return nil
+ }
+
+ sidecarControllerName := fmt.Sprintf("%s-sidecar-controllers", Fullname(dot))
+ return &rbacv1.ClusterRoleBinding{
+ TypeMeta: metav1.TypeMeta{
+ APIVersion: "rbac.authorization.k8s.io/v1",
+ Kind: "ClusterRoleBinding",
+ },
+ ObjectMeta: metav1.ObjectMeta{
+ Name: sidecarControllerName,
+ Labels: FullLabels(dot),
+ Annotations: values.ServiceAccount.Annotations,
+ },
+ RoleRef: rbacv1.RoleRef{
+ APIGroup: "rbac.authorization.k8s.io",
+ Kind: "ClusterRole",
+ Name: sidecarControllerName,
+ },
+ Subjects: []rbacv1.Subject{
+ {
+ Kind: "ServiceAccount",
+ Name: ServiceAccountName(dot),
+ Namespace: dot.Release.Namespace,
+ },
+ },
+ }
+}
+
+func SidecarControllersRole(dot *helmette.Dot) *rbacv1.Role {
+ values := helmette.Unwrap[Values](dot.Values)
+
+ if !values.Statefulset.SideCars.Controllers.Enabled || !values.Statefulset.SideCars.Controllers.CreateRBAC {
+ return nil
+ }
+
+ sidecarControllerName := fmt.Sprintf("%s-sidecar-controllers", Fullname(dot))
+ return &rbacv1.Role{
+ TypeMeta: metav1.TypeMeta{
+ APIVersion: "rbac.authorization.k8s.io/v1",
+ Kind: "Role",
+ },
+ ObjectMeta: metav1.ObjectMeta{
+ Name: sidecarControllerName,
+ Namespace: dot.Release.Namespace,
+ Labels: FullLabels(dot),
+ Annotations: values.ServiceAccount.Annotations,
+ },
+ Rules: []rbacv1.PolicyRule{
+ {
+ APIGroups: []string{"apps"},
+ Resources: []string{"statefulsets/status"},
+ Verbs: []string{"patch", "update"},
+ },
+ {
+ APIGroups: []string{""},
+ Resources: []string{"secrets", "pods"},
+ Verbs: []string{"get", "list", "watch"},
+ },
+ {
+ APIGroups: []string{"apps"},
+ Resources: []string{"statefulsets"},
+ Verbs: []string{"get", "patch", "update", "list", "watch"},
+ },
+ {
+ APIGroups: []string{""},
+ Resources: []string{"persistentvolumeclaims"},
+ Verbs: []string{"delete", "get", "list", "patch", "update", "watch"},
+ },
+ },
+ }
+}
+
+func SidecarControllersRoleBinding(dot *helmette.Dot) *rbacv1.RoleBinding {
+ values := helmette.Unwrap[Values](dot.Values)
+
+ if !values.Statefulset.SideCars.Controllers.Enabled || !values.Statefulset.SideCars.Controllers.CreateRBAC {
+ return nil
+ }
+
+ sidecarControllerName := fmt.Sprintf("%s-sidecar-controllers", Fullname(dot))
+ return &rbacv1.RoleBinding{
+ TypeMeta: metav1.TypeMeta{
+ APIVersion: "rbac.authorization.k8s.io/v1",
+ Kind: "RoleBinding",
+ },
+ ObjectMeta: metav1.ObjectMeta{
+ Name: sidecarControllerName,
+ Namespace: dot.Release.Namespace,
+ Labels: FullLabels(dot),
+ Annotations: values.ServiceAccount.Annotations,
+ },
+ RoleRef: rbacv1.RoleRef{
+ APIGroup: "rbac.authorization.k8s.io",
+ Kind: "Role",
+ Name: sidecarControllerName,
+ },
+ Subjects: []rbacv1.Subject{
+ {
+ Kind: "ServiceAccount",
+ Name: ServiceAccountName(dot),
+ Namespace: dot.Release.Namespace,
+ },
+ },
+ }
+}
diff --git a/charts/redpanda/templates/rbac.go.tpl b/charts/redpanda/templates/rbac.go.tpl
new file mode 100644
index 0000000000..f8bcca6dc5
--- /dev/null
+++ b/charts/redpanda/templates/rbac.go.tpl
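Review bot: None of the six exported functions in rbac.go has a doc comment, and for RBAC code the comment is where the granted scope belongs; for example above SidecarControllersRole: `// SidecarControllersRole returns the namespaced Role for the sidecar controller: get/list/watch/patch/update on statefulsets, patch/update on statefulsets/status, get/list/watch on secrets and pods, and delete/patch/update plus read on persistentvolumeclaims, all in the release namespace. It returns nil unless controllers.enabled and controllers.createRbac are both set.` The four SidecarControllers* functions repeat the same two-field guard and the same `fmt.Sprintf("%s-sidecar-controllers", Fullname(dot))`; a private helper for each, if the gotohelm transpiler accepts one, would keep the guard and the name from drifting between a Role and its binding. Every object also copies `values.ServiceAccount.Annotations` onto cluster-scoped roles and bindings, as the old template did; a one-line comment stating that this is intentional would stop the next reader from treating it as a copy-paste slip.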
@@ -0,0 +1,86 @@ +{{- /* Generated from "rbac.go" */ -}} + +{{- define "redpanda.ClusterRoles" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.rbac.enabled) -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $rpkBundleName := (printf "%s-rpk-bundle" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) -}} +{{- (dict "r" (list (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "rules" (coalesce nil) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "rbac.authorization.k8s.io/v1" "kind" "ClusterRole" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") "annotations" $values.serviceAccount.annotations )) "rules" (list (mustMergeOverwrite (dict "verbs" (coalesce nil) ) (dict "apiGroups" (list "") "resources" (list "nodes") "verbs" (list "get" "list") ))) )) (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "rules" (coalesce nil) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "rbac.authorization.k8s.io/v1" "kind" "ClusterRole" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" $rpkBundleName "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") "annotations" $values.serviceAccount.annotations )) "rules" (list (mustMergeOverwrite (dict "verbs" (coalesce nil) ) (dict "apiGroups" (list "") "resources" (list "configmaps" "endpoints" "events" "limitranges" "persistentvolumeclaims" "pods" "pods/log" "replicationcontrollers" "resourcequotas" "serviceaccounts" "services") "verbs" (list "get" "list") ))) )))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.ClusterRoleBindings" -}} +{{- 
$dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.rbac.enabled) -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $rpkBundleName := (printf "%s-rpk-bundle" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) -}} +{{- (dict "r" (list (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "roleRef" (dict "apiGroup" "" "kind" "" "name" "" ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "rbac.authorization.k8s.io/v1" "kind" "ClusterRoleBinding" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") "annotations" $values.serviceAccount.annotations )) "roleRef" (mustMergeOverwrite (dict "apiGroup" "" "kind" "" "name" "" ) (dict "apiGroup" "rbac.authorization.k8s.io" "kind" "ClusterRole" "name" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") )) "subjects" (list (mustMergeOverwrite (dict "kind" "" "name" "" ) (dict "kind" "ServiceAccount" "name" (get (fromJson (include "redpanda.ServiceAccountName" (dict "a" (list $dot) ))) "r") "namespace" $dot.Release.Namespace ))) )) (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "roleRef" (dict "apiGroup" "" "kind" "" "name" "" ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "rbac.authorization.k8s.io/v1" "kind" "ClusterRoleBinding" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" $rpkBundleName "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") "annotations" $values.serviceAccount.annotations )) "roleRef" (mustMergeOverwrite (dict "apiGroup" "" "kind" "" "name" "" ) (dict "apiGroup" "rbac.authorization.k8s.io" "kind" "ClusterRole" "name" 
$rpkBundleName )) "subjects" (list (mustMergeOverwrite (dict "kind" "" "name" "" ) (dict "kind" "ServiceAccount" "name" (get (fromJson (include "redpanda.ServiceAccountName" (dict "a" (list $dot) ))) "r") "namespace" $dot.Release.Namespace ))) )))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.SidecarControllersClusterRole" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (or (not $values.statefulset.sideCars.controllers.enabled) (not $values.statefulset.sideCars.controllers.createRbac)) -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $sidecarControllerName := (printf "%s-sidecar-controllers" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "rules" (coalesce nil) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "rbac.authorization.k8s.io/v1" "kind" "ClusterRole" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" $sidecarControllerName "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") "annotations" $values.serviceAccount.annotations )) "rules" (list (mustMergeOverwrite (dict "verbs" (coalesce nil) ) (dict "apiGroups" (list "") "resources" (list "nodes") "verbs" (list "get" "list" "watch") )) (mustMergeOverwrite (dict "verbs" (coalesce nil) ) (dict "apiGroups" (list "") "resources" (list "persistentvolumes") "verbs" (list "delete" "get" "list" "patch" "update" "watch") ))) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.SidecarControllersClusterRoleBinding" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (or (not $values.statefulset.sideCars.controllers.enabled) (not $values.statefulset.sideCars.controllers.createRbac)) -}} +{{- (dict "r" 
(coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $sidecarControllerName := (printf "%s-sidecar-controllers" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "roleRef" (dict "apiGroup" "" "kind" "" "name" "" ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "rbac.authorization.k8s.io/v1" "kind" "ClusterRoleBinding" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" $sidecarControllerName "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") "annotations" $values.serviceAccount.annotations )) "roleRef" (mustMergeOverwrite (dict "apiGroup" "" "kind" "" "name" "" ) (dict "apiGroup" "rbac.authorization.k8s.io" "kind" "ClusterRole" "name" $sidecarControllerName )) "subjects" (list (mustMergeOverwrite (dict "kind" "" "name" "" ) (dict "kind" "ServiceAccount" "name" (get (fromJson (include "redpanda.ServiceAccountName" (dict "a" (list $dot) ))) "r") "namespace" $dot.Release.Namespace ))) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.SidecarControllersRole" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (or (not $values.statefulset.sideCars.controllers.enabled) (not $values.statefulset.sideCars.controllers.createRbac)) -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $sidecarControllerName := (printf "%s-sidecar-controllers" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "rules" (coalesce nil) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "rbac.authorization.k8s.io/v1" "kind" "Role" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" $sidecarControllerName 
"namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") "annotations" $values.serviceAccount.annotations )) "rules" (list (mustMergeOverwrite (dict "verbs" (coalesce nil) ) (dict "apiGroups" (list "apps") "resources" (list "statefulsets/status") "verbs" (list "patch" "update") )) (mustMergeOverwrite (dict "verbs" (coalesce nil) ) (dict "apiGroups" (list "") "resources" (list "secrets" "pods") "verbs" (list "get" "list" "watch") )) (mustMergeOverwrite (dict "verbs" (coalesce nil) ) (dict "apiGroups" (list "apps") "resources" (list "statefulsets") "verbs" (list "get" "patch" "update" "list" "watch") )) (mustMergeOverwrite (dict "verbs" (coalesce nil) ) (dict "apiGroups" (list "") "resources" (list "persistentvolumeclaims") "verbs" (list "delete" "get" "list" "patch" "update" "watch") ))) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.SidecarControllersRoleBinding" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (or (not $values.statefulset.sideCars.controllers.enabled) (not $values.statefulset.sideCars.controllers.createRbac)) -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $sidecarControllerName := (printf "%s-sidecar-controllers" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "roleRef" (dict "apiGroup" "" "kind" "" "name" "" ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "rbac.authorization.k8s.io/v1" "kind" "RoleBinding" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" $sidecarControllerName "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") "annotations" $values.serviceAccount.annotations )) "roleRef" (mustMergeOverwrite (dict 
"apiGroup" "" "kind" "" "name" "" ) (dict "apiGroup" "rbac.authorization.k8s.io" "kind" "Role" "name" $sidecarControllerName )) "subjects" (list (mustMergeOverwrite (dict "kind" "" "name" "" ) (dict "kind" "ServiceAccount" "name" (get (fromJson (include "redpanda.ServiceAccountName" (dict "a" (list $dot) ))) "r") "namespace" $dot.Release.Namespace ))) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/templates/rbac.yaml b/charts/redpanda/templates/rbac.yaml index 7fdf638ab9..6a49a4ecb5 100644 --- a/charts/redpanda/templates/rbac.yaml +++ b/charts/redpanda/templates/rbac.yaml 
@@ -1,243 +1,52 @@ {{/* -Licensed to the Apache Software Foundation (ASF) under one or more -contributor license agreements. See the NOTICE file distributed with -this work for additional information regarding copyright ownership. -The ASF licenses this file to You under the Apache License, Version 2.0 -(the "License"); you may not use this file except in compliance with -the License. You may obtain a copy of the License at + Licensed to the Apache Software Foundation (ASF) under one or more + contributor license agreements. See the NOTICE file distributed with + this work for additional information regarding copyright ownership. + The ASF licenses this file to You under the Apache License, Version 2.0 + (the "License"); you may not use this file except in compliance with + the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + */}} - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/}} ---- -{{- if .Values.rbac.enabled }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ include "redpanda.fullname" . }} - labels: -{{- with include "full.labels" . }} - {{- . | nindent 4 }} -{{- end }} - {{- with .Values.serviceAccount.annotations }} - annotations: - {{- toYaml . 
| nindent 4 }} - {{- end }} -rules: - - apiGroups: - - "" - resources: - - nodes - verbs: - - get - - list +{{- $crs := (get ((include "redpanda.ClusterRoles" (dict "a" (list .))) | fromJson) "r") }} +{{- range $_, $cr := $crs }} --- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ include "redpanda.fullname" . }}-rpk-bundle - labels: -{{- with include "full.labels" . }} - {{- . | nindent 4 }} +{{ toYaml $cr }} {{- end }} - {{- with .Values.serviceAccount.annotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -rules: - - apiGroups: - - "" - resources: - - configmaps - - endpoints - - events - - limitranges - - persistentvolumeclaims - - pods - - pods/log - - replicationcontrollers - - resourcequotas - - serviceaccounts - - services - verbs: - - get - - list ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: {{ include "redpanda.fullname" . }} - labels: -{{- with include "full.labels" . }} - {{- . | nindent 4 }} -{{- end }} - {{- with .Values.serviceAccount.annotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ include "redpanda.fullname" . }} -subjects: - - kind: ServiceAccount - name: {{ include "redpanda.serviceAccountName" . }} - namespace: {{ .Release.Namespace | quote }} + +{{- $crbs := (get ((include "redpanda.ClusterRoleBindings" (dict "a" (list .))) | fromJson) "r") }} +{{- range $_, $crb := $crbs }} --- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: {{ include "redpanda.fullname" . }}-rpk-bundle - labels: -{{- with include "full.labels" . }} - {{- . | nindent 4 }} +{{ toYaml $crb }} {{- end }} - {{- with .Values.serviceAccount.annotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ include "redpanda.fullname" . 
}}-rpk-bundle -subjects: - - kind: ServiceAccount - name: {{ include "redpanda.serviceAccountName" . }} - namespace: {{ .Release.Namespace | quote }} -{{- end }} -{{- if and .Values.statefulset.sideCars.controllers.enabled .Values.statefulset.sideCars.controllers.createRBAC }} + +{{- $sccr := (get ((include "redpanda.SidecarControllersClusterRole" (dict "a" (list .))) | fromJson) "r") -}} +{{- if ne $sccr nil -}} --- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ include "redpanda.fullname" . }}-sidecar-controllers - labels: - {{- with include "full.labels" . }} - {{- . | nindent 4 }} - {{- end }} - {{- with .Values.serviceAccount.annotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -rules: - - apiGroups: - - "" - resources: - - nodes - verbs: - - get - - list - - watch - - apiGroups: - - "" - resources: - - persistentvolumes - verbs: - - delete - - get - - list - - patch - - update - - watch +{{toYaml $sccr}} +{{- end -}} + +{{- $sccrb := (get ((include "redpanda.SidecarControllersClusterRoleBinding" (dict "a" (list .))) | fromJson) "r") -}} +{{- if ne $sccrb nil -}} --- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: {{ include "redpanda.fullname" . }}-sidecar-controllers - labels: - {{- with include "full.labels" . }} - {{- . | nindent 4 }} - {{- end }} - {{- with .Values.serviceAccount.annotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ include "redpanda.fullname" . }}-sidecar-controllers -subjects: - - kind: ServiceAccount - name: {{ include "redpanda.serviceAccountName" . 
}} - namespace: {{ .Release.Namespace | quote }} +{{toYaml $sccrb}} +{{- end -}} + +{{- $scr := (get ((include "redpanda.SidecarControllersRole" (dict "a" (list .))) | fromJson) "r") -}} +{{- if ne $scr nil -}} --- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: {{ include "redpanda.fullname" . }}-sidecar-controllers - namespace: {{ .Release.Namespace | quote }} - labels: - {{- with include "full.labels" . }} - {{- . | nindent 4 }} - {{- end }} - {{- with .Values.serviceAccount.annotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -rules: - - apiGroups: - - apps - resources: - - statefulsets/status - verbs: - - patch - - update - - apiGroups: - - "" - resources: - - secrets - - pods - verbs: - - get - - list - - watch - - apiGroups: - - apps - resources: - - statefulsets - verbs: - - get - - patch - - update - - list - - watch - - apiGroups: - - "" - resources: - - persistentvolumeclaims - verbs: - - delete - - get - - list - - patch - - update - - watch +{{toYaml $scr}} +{{- end -}} + +{{- $scrb := (get ((include "redpanda.SidecarControllersRoleBinding" (dict "a" (list .))) | fromJson) "r") -}} +{{- if ne $scrb nil -}} --- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: {{ include "redpanda.fullname" . }}-sidecar-controllers - namespace: {{ .Release.Namespace | quote }} - labels: - {{- with include "full.labels" . }} - {{- . | nindent 4 }} - {{- end }} - {{- with .Values.serviceAccount.annotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: {{ include "redpanda.fullname" . }}-sidecar-controllers - namespace: {{ .Release.Namespace | quote }} -subjects: - - kind: ServiceAccount - name: {{ include "redpanda.serviceAccountName" . }} - namespace: {{ .Release.Namespace | quote }} -{{- end }} +{{toYaml $scr}} +{{- end -}} 
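Review bot: The last block of the new template renders the wrong variable: it guards on `$scrb` but emits `{{toYaml $scr}}`, so the sidecar-controllers RoleBinding is never written and the Role is emitted twice; the line should read `{{toYaml $scrb}}`. Without the binding the controller's ServiceAccount holds none of the namespaced permissions the Role defines, a silent loss of function rather than an over-grant, and nothing in the patch would surface it before runtime. Separately, each `---` separator is preceded by `{{- if ne ... nil -}}` or `{{- end -}}` that trims whitespace on both sides, so the separator appears to land on the same line as the last line of the previous document rather than on its own; rendering with rbac.enabled and the sidecar RBAC both on and feeding the output to a YAML parser would confirm. A template test that counts the rendered documents by kind would catch both.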
diff --git a/charts/redpanda/values.go b/charts/redpanda/values.go
index 7b413431ef..168fd4d838 100644
--- a/charts/redpanda/values.go
+++ b/charts/redpanda/values.go
@@ -388,6 +388,7 @@ type Statefulset struct {
 Repository string `json:"repository" jsonschema:"required,default=docker.redpanda.com/redpandadata/redpanda-operator"`
 } `json:"image"`
 Enabled bool `json:"enabled"`
+ CreateRBAC bool `json:"createRbac"`
 Resources any `json:"resources"`
 SecurityContext *corev1.SecurityContext `json:"securityContext"`
 } `json:"controllers"`
diff --git a/charts/redpanda/values.schema.json b/charts/redpanda/values.schema.json
index b1e8405a2d..f99bd82aa4 100644
--- a/charts/redpanda/values.schema.json
+++ b/charts/redpanda/values.schema.json
@@ -1695,6 +1695,9 @@
 },
 "controllers": {
 "properties": {
+ "createRbac": {
+ "type": "boolean"
+ },
 "enabled": {
 "type": "boolean"
 },
diff --git a/charts/redpanda/values_partial.gen.go b/charts/redpanda/values_partial.gen.go
index e208bb68fc..757e0653c8 100644
--- a/charts/redpanda/values_partial.gen.go
+++ b/charts/redpanda/values_partial.gen.go
@@ -277,6 +277,7 @@ type PartialStatefulset struct {
 Repository *string `json:"repository,omitempty" jsonschema:"required,default=docker.redpanda.com/redpandadata/redpanda-operator"`
 } `json:"image,omitempty"`
 Enabled *bool `json:"enabled,omitempty"`
+ CreateRBAC *bool `json:"createRbac,omitempty"`
 Resources any `json:"resources,omitempty"`
 SecurityContext *corev1.SecurityContext `json:"securityContext,omitempty"`
 } `json:"controllers,omitempty"`
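Review bot: The new field's tag `json:"createRbac"` renames the values key the chart reads: the removed line in rbac.yaml checked `.Values.statefulset.sideCars.controllers.createRBAC`, so a values file that already sets `createRBAC: true` stops enabling the sidecar-controller Role and ClusterRole after this upgrade and the controller silently loses the permissions it had. Either keep the tag as `json:"createRBAC"` to match the old key, or call the rename out in the chart's changelog alongside the schema addition. values.yaml is not part of this patch, so the default appears to fall to false unless values.yaml already carries the new key; please confirm. A doc comment would also help readers: `// CreateRBAC renders the sidecar controller's Role, ClusterRole and their bindings; it has no effect unless Enabled is also true.` The enclosing Statefulset struct starts outside the hunk, and the same key is mirrored in the values_partial.gen.go hunk.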