feat(node-config): Updated image to v3.10 (#987)

Signed-off-by: Steve Hipwell <steve.hipwell@gmail.com>
stevehipwell · Jun 24, 2024 · 5ecfc8e · 5ecfc8e
1 parent 7fa3c21
commit 5ecfc8e
Show file tree

Hide file tree

Showing 6 changed files with 57 additions and 8 deletions.
diff --git a/charts/node-config/CHANGELOG.md b/charts/node-config/CHANGELOG.md
@@ -14,6 +14,16 @@
 
 ## [UNRELEASED]
 
+## [v0.6.0] - 2023-06-24
+
+### Added
+
+- Added `rbac.create` & `rbac.rules` to configure a `ClusterRole` for the `ServiceAccount`.
+
+### Changed
+
+- Updated the `registry.k8s.io/pause` image to `3.10`.
+
 ## [v0.5.0] - 2023-05-22
 
 ### Added
@@ -60,6 +70,7 @@
 RELEASE LINKS
 -->
 [UNRELEASED]: https://github.com/stevehipwell/helm-charts/tree/main/charts/node-config
+[v0.6.0]: https://github.com/stevehipwell/helm-charts/releases/tag/node-config-0.6.0
 [v0.5.0]: https://github.com/stevehipwell/helm-charts/releases/tag/node-config-0.5.0
 [v0.4.1]: https://github.com/stevehipwell/helm-charts/releases/tag/node-config-0.4.1
 [v0.4.0]: https://github.com/stevehipwell/helm-charts/releases/tag/node-config-0.4.0

diff --git a/charts/node-config/Chart.yaml b/charts/node-config/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: node-config
 description: Helm chart for configuring Kubernetes nodes via a DaemonSet init container.
 type: application
-version: 0.5.0
+version: 0.6.0
 appVersion: 0.1.0
 home: https://github.com/stevehipwell/helm-charts/
 icon: https://raw.githubusercontent.com/stevehipwell/helm-charts/main/charts/node-config/icon.png
@@ -17,4 +17,6 @@ maintainers:
 annotations:
   artifacthub.io/changes: |
     - kind: added
-      description: "Added `affinity.nodeAffinity`."
+      description: "Added `rbac.create` & `rbac.rules` to configure a `ClusterRole` for the `ServiceAccount`."
+    - kind: changed
+      description: "Updated the `registry.k8s.io/pause` image to `3.10`."
diff --git a/charts/node-config/README.md b/charts/node-config/README.md
@@ -1,6 +1,6 @@
 # node-config
 
-![Version: 0.5.0](https://img.shields.io/badge/Version-0.5.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.1.0](https://img.shields.io/badge/AppVersion-0.1.0-informational?style=flat-square)
+![Version: 0.6.0](https://img.shields.io/badge/Version-0.6.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.1.0](https://img.shields.io/badge/AppVersion-0.1.0-informational?style=flat-square)
 
 Helm chart for configuring Kubernetes nodes via a DaemonSet init container.
 
@@ -23,15 +23,15 @@ Helm chart for configuring Kubernetes nodes via a DaemonSet init container.
 To install the chart using the recommended OCI method you can use the following command.
 
 ```shell
-helm upgrade --install node-config oci://ghcr.io/stevehipwell/helm-charts/node-config --version 0.5.0
+helm upgrade --install node-config oci://ghcr.io/stevehipwell/helm-charts/node-config --version 0.6.0
 ```
 
 #### Verification
 
 As the OCI chart release is signed by [Cosign](https://github.com/sigstore/cosign) you can verify the chart before installing it by running the following command.
 
 ```shell
-cosign verify --certificate-oidc-issuer https://token.actions.githubusercontent.com --certificate-identity-regexp 'https://github\.com/action-stars/helm-workflows/\.github/workflows/release\.yaml@.+' --certificate-github-workflow-repository stevehipwell/helm-charts --certificate-github-workflow-name Release ghcr.io/stevehipwell/helm-charts/node-config:0.5.0
+cosign verify --certificate-oidc-issuer https://token.actions.githubusercontent.com --certificate-identity-regexp 'https://github\.com/action-stars/helm-workflows/\.github/workflows/release\.yaml@.+' --certificate-github-workflow-repository stevehipwell/helm-charts --certificate-github-workflow-name Release ghcr.io/stevehipwell/helm-charts/node-config:0.6.0
 ```
 
 ### Non-OCI Repository
@@ -40,7 +40,7 @@ Alternatively you can use the legacy non-OCI method via the following commands.
 
 ```shell
 helm repo add stevehipwell https://stevehipwell.github.io/helm-charts/
-helm upgrade --install node-config stevehipwell/node-config --version 0.5.0
+helm upgrade --install node-config stevehipwell/node-config --version 0.6.0
 ```
 
 ## Values
@@ -65,12 +65,14 @@ helm upgrade --install node-config stevehipwell/node-config --version 0.5.0
 | nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node selector labels for scheduling. |
 | pause.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy for the pause container. |
 | pause.image.repository | string | `"registry.k8s.io/pause"` | Image repository for the pause container. |
-| pause.image.tag | float | `3.9` | Image tag for the pause container |
+| pause.image.tag | string | `"3.10"` | Image tag for the pause container |
 | pause.resources | object | `{"limits":{"cpu":"100m","memory":"8Mi"},"requests":{"cpu":"10m","memory":"8Mi"}}` | Resources for the pause container. |
 | podAnnotations | object | `{}` | Annotations to add to the pod. |
 | podLabels | object | `{}` | Labels to add to the pod. |
 | podSecurityContext | object | See _values.yaml_ | Security context for the pod. |
 | priorityClassName | string | `nil` | Priority class name for the pod. |
+| rbac.create | bool | `false` | If `true`, create a `ClusterRole` & `ClusterRoleBinding` with access to the Kubernetes API. |
+| rbac.rules | list | `[]` | Rules to add to the `ClusterRole` if `rbac.create` is set to `true`. |
 | scripts | list | See _values.yaml_ | Scripts to create and mount. |
 | serviceAccount.annotations | object | `{}` | Annotations to add to the service account. |
 | serviceAccount.create | bool | `true` | If `true`, create a new `ServiceAccount`. |

diff --git a/charts/node-config/templates/clusterrole.yaml b/charts/node-config/templates/clusterrole.yaml
@@ -0,0 +1,12 @@
+{{- if .Values.rbac.create -}}
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "node-config.fullname" . }}
+  labels:
+    {{- include "node-config.labels" . | nindent 4 }}
+rules:
+{{- with .Values.rbac.rules }}
+  {{- toYaml . | nindent 2 }}
+{{- end }}
+{{- end -}}
diff --git a/charts/node-config/templates/clusterrolebinding.yaml b/charts/node-config/templates/clusterrolebinding.yaml
@@ -0,0 +1,16 @@
+{{- if .Values.rbac.create -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "node-config.fullname" . }}
+  labels:
+    {{- include "node-config.labels" . | nindent 4 }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "node-config.serviceAccountName" . }}
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "node-config.fullname" . }}
+{{- end -}}
diff --git a/charts/node-config/values.yaml b/charts/node-config/values.yaml
@@ -24,6 +24,12 @@ serviceAccount:
   # -- (string) If this is set and `serviceAccount.create` is `true` this will be used for the created `ServiceAccount` name, if set and `serviceAccount.create` is `false` then this will define an existing `ServiceAccount` to use.
   name:
 
+rbac:
+  # -- If `true`, create a `ClusterRole` & `ClusterRoleBinding` with access to the Kubernetes API.
+  create: false
+  # -- Rules to add to the `ClusterRole` if `rbac.create` is set to `true`.
+  rules: []
+
 # -- Scripts to create and mount.
 # @default -- See _values.yaml_
 scripts:
@@ -89,7 +95,7 @@ pause:
     # -- Image repository for the pause container.
     repository: registry.k8s.io/pause
     # -- Image tag for the pause container
-    tag: 3.9
+    tag: "3.10"
     # -- Image pull policy for the pause container.
     pullPolicy: IfNotPresent