Remove --rbac flag (#761)

suaas21 · tamalsaha · commit f10a28c91633 · 2019-05-06T23:50:41.000-07:00
diff --git a/chart/stash/README.md b/chart/stash/README.md
@@ -59,7 +59,6 @@ The following table lists the configurable parameters of the Stash chart and the
 | `annotations`                        | Annotations applied to operator pod(s)                                                                                                                                     | `{}`                                                      |
 | `nodeSelector`                       | Node labels for pod assignment                                                                                                                                             | `{}`                                                      |
 | `tolerations`                        | Tolerations used pod assignment                                                                                                                                            | `{}`                                                      |
-| `rbac.create`                        | If `true`, create and use RBAC resources                                                                                                                                   | `true`                                                    |
 | `serviceAccount.create`              | If `true`, create a new service account                                                                                                                                    | `true`                                                    |
 | `serviceAccount.name`                | Service account to be used. If not set and `serviceAccount.create` is `true`, a name is generated using the fullname template                                              | ``                                                        |
 | `apiserver.groupPriorityMinimum`     | The minimum priority the group should have.                                                                                                                                | 10000                                                     |
@@ -91,23 +90,4 @@ installing the chart. For example:
 $ helm install --name stash-operator --values values.yaml appscode/stash
 ```
 
-## RBAC
-By default the chart will not install the recommended RBAC roles and rolebindings.
 
-You need to have the flag `--authorization-mode=RBAC` on the api server. See the following document for how to enable [RBAC](https://kubernetes.io/docs/admin/authorization/rbac/).
-
-To determine if your cluster supports RBAC, run the following command:
-
-```console
-$ kubectl api-versions | grep rbac
-```
-
-If the output contains "beta", you may install the chart with RBAC enabled (see below).
-
-### Enable RBAC role/rolebinding creation
-
-To enable the creation of RBAC resources (On clusters with RBAC). Do the following:
-
-```console
-$ helm install --name stash-operator appscode/stash --set rbac.create=true
-```
diff --git a/chart/stash/templates/apiregistration.yaml b/chart/stash/templates/apiregistration.yaml
@@ -66,7 +66,6 @@ data:
   tls.key: {{ b64enc $cert.Key }}
 ---
 {{- end }}
-{{ if .Values.rbac.create }}
 # to read the config for terminating authentication
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
@@ -99,4 +98,3 @@ subjects:
 - kind: ServiceAccount
   name: {{ template "stash.serviceAccountName" . }}
   namespace: {{ .Release.Namespace }}
-{{ end }}
diff --git a/chart/stash/templates/cluster-role-binding.yaml b/chart/stash/templates/cluster-role-binding.yaml
@@ -1,4 +1,3 @@
-{{ if .Values.rbac.create }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
@@ -13,4 +12,3 @@ subjects:
 - kind: ServiceAccount
   name: {{ template "stash.serviceAccountName" . }}
   namespace: {{ .Release.Namespace }}
-{{ end }}
diff --git a/chart/stash/templates/cluster-role.yaml b/chart/stash/templates/cluster-role.yaml
@@ -1,4 +1,3 @@
-{{ if .Values.rbac.create }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -86,4 +85,3 @@ rules:
   - roles
   - rolebindings
   verbs: ["get", "create", "delete", "patch"]
-{{ end }}
diff --git a/chart/stash/templates/deployment.yaml b/chart/stash/templates/deployment.yaml
@@ -44,7 +44,6 @@ spec:
         args:
         - run
         - --v={{ .Values.logLevel }}
-        - --rbac={{ .Values.rbac.create }}
         - --docker-registry={{ .Values.operator.registry }}
         - --secure-port=8443
         - --audit-log-path=-
diff --git a/chart/stash/templates/user-roles.yaml b/chart/stash/templates/user-roles.yaml
@@ -1,4 +1,3 @@
-{{ if .Values.rbac.create }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -45,4 +44,3 @@ rules:
   resources:
   - snapshots
   verbs: ["get", "list"]
-{{ end }}
diff --git a/chart/stash/values.yaml b/chart/stash/values.yaml
@@ -53,11 +53,6 @@ tolerations: {}
 ##
 affinity: {}
 
-## Install Default RBAC roles and bindings
-rbac:
-  # Specifies whether RBAC resources should be created
-  create: true
-
 serviceAccount:
   # Specifies whether a ServiceAccount should be created
   create: true
diff --git a/deploy/operator.yaml b/deploy/operator.yaml
@@ -26,7 +26,6 @@ spec:
         args:
         - run
         - --v=3
-        - --rbac=${STASH_ENABLE_RBAC}
         - --docker-registry=${STASH_DOCKER_REGISTRY}
         - --secure-port=8443
         - --audit-log-path=-
diff --git a/deploy/stash.sh b/deploy/stash.sh
@@ -108,7 +108,6 @@ onessl_found || {
 export STASH_NAMESPACE=kube-system
 export STASH_SERVICE_ACCOUNT=stash-operator
 export STASH_SERVICE_NAME=stash-operator
-export STASH_ENABLE_RBAC=true
 export STASH_RUN_ON_MASTER=0
 export STASH_ENABLE_VALIDATING_WEBHOOK=false
 export STASH_ENABLE_MUTATING_WEBHOOK=false
@@ -160,7 +159,6 @@ show_help() {
   echo "options:"
   echo "-h, --help                             show brief help"
   echo "-n, --namespace=NAMESPACE              specify namespace (default: kube-system)"
-  echo "    --rbac                             create RBAC roles and bindings (default: true)"
   echo "    --docker-registry                  docker registry used to pull stash images (default: appscode)"
   echo "    --image-pull-secret                name of secret used to pull stash operator images"
   echo "    --run-on-master                    run stash operator on master"
@@ -254,14 +252,6 @@ while test $# -gt 0; do
       fi
       shift
       ;;
-    --rbac*)
-      val=$(echo $1 | sed -e 's/^[^=]*=//g')
-      if [ "$val" = "false" ]; then
-        export STASH_SERVICE_ACCOUNT=default
-        export STASH_ENABLE_RBAC=false
-      fi
-      shift
-      ;;
     --run-on-master)
       export STASH_RUN_ON_MASTER=1
       shift
@@ -429,11 +419,9 @@ export TLS_SERVING_KEY=$(cat server.key | $ONESSL base64)
 
 ${SCRIPT_LOCATION}hack/deploy/operator.yaml | $ONESSL envsubst | kubectl apply -f -
 
-if [ "$STASH_ENABLE_RBAC" = true ]; then
-  ${SCRIPT_LOCATION}hack/deploy/service-account.yaml | $ONESSL envsubst | kubectl apply -f -
-  ${SCRIPT_LOCATION}hack/deploy/rbac-list.yaml | $ONESSL envsubst | kubectl auth reconcile -f -
-  ${SCRIPT_LOCATION}hack/deploy/user-roles.yaml | $ONESSL envsubst | kubectl auth reconcile -f -
-fi
+${SCRIPT_LOCATION}hack/deploy/service-account.yaml | $ONESSL envsubst | kubectl apply -f -
+${SCRIPT_LOCATION}hack/deploy/rbac-list.yaml | $ONESSL envsubst | kubectl auth reconcile -f -
+${SCRIPT_LOCATION}hack/deploy/user-roles.yaml | $ONESSL envsubst | kubectl auth reconcile -f -
 
 if [ "$STASH_RUN_ON_MASTER" -eq 1 ]; then
   kubectl patch deploy stash-operator -n $STASH_NAMESPACE \
