Chart update: Tiller Proxy namespace awareness and rbac support (#569)

* Add POD_NAMESPACE in Tiller Proxy * Add service account * RBAC info
vmware-tanzu · Aug 30, 2018 · 4440f85 · 4440f85
1 parent 0b92c88
commit 4440f85
Show file tree

Hide file tree

Showing 4 changed files with 56 additions and 4 deletions.
diff --git a/chart/kubeapps/Chart.yaml b/chart/kubeapps/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v1
 name: kubeapps
-version: 0.3.1
+version: 0.3.2
 appVersion: DEVEL
 description: Kubeapps is a dashboard for your Kubernetes cluster that makes it easy to deploy and manage applications in your cluster using Helm
 icon: https://raw.githubusercontent.com/kubeapps/kubeapps/master/docs/img/logo.png

diff --git a/chart/kubeapps/templates/tiller-proxy-deployment.yaml b/chart/kubeapps/templates/tiller-proxy-deployment.yaml
@@ -19,6 +19,7 @@ spec:
         app: {{ template "kubeapps.tiller-proxy.fullname" . }}
         release: {{ .Release.Name }}
     spec:
+      serviceAccountName: {{ template "kubeapps.tiller-proxy.fullname" . }}
       containers:
       - name: proxy
         image: {{ template "kubeapps.image" .Values.tillerProxy.image }}
@@ -31,16 +32,22 @@ spec:
         {{- if .Values.tillerProxy.tls.verify }}
         - --tls-verify
         {{- end }}
-        env:
-        - name: HELM_HOME
-          value: /etc/certs
         volumeMounts:
         - name: tiller-certs
           mountPath: /etc/certs
         {{- end }}
         ports:
         - name: http
           containerPort: {{ .Values.chartsvc.service.port }}
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        {{- if .Values.tillerProxy.tls }}
+        - name: HELM_HOME
+          value: /etc/certs
+        {{- end }}
         resources:
 {{ toYaml .Values.tillerProxy.resources | indent 12 }}
       {{- if .Values.tillerProxy.tls }}

diff --git a/chart/kubeapps/templates/tiller-proxy-rbac.yaml b/chart/kubeapps/templates/tiller-proxy-rbac.yaml
@@ -0,0 +1,36 @@
+{{- if .Values.rbac.create -}}
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: Role
+metadata:
+  name: {{ template "kubeapps.tiller-proxy.fullname" . }}
+  labels:
+    app: {{ template "kubeapps.tiller-proxy.fullname" . }}
+    chart: {{ template "kubeapps.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: RoleBinding
+metadata:
+  name: {{ template "kubeapps.tiller-proxy.fullname" . }}
+  labels:
+    app: {{ template "kubeapps.tiller-proxy.fullname" . }}
+    chart: {{ template "kubeapps.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ template "kubeapps.tiller-proxy.fullname" . }}
+subjects:
+- kind: ServiceAccount
+  name: {{ template "kubeapps.tiller-proxy.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+{{- end -}}
diff --git a/chart/kubeapps/templates/tiller-proxy-serviceaccount.yaml b/chart/kubeapps/templates/tiller-proxy-serviceaccount.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ template "kubeapps.tiller-proxy.fullname" . }}
+  labels:
+    app: {{ template "kubeapps.tiller-proxy.fullname" . }}
+    chart: {{ template "kubeapps.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}