wbstack · m90 · Jun 1, 2023 · May 3, 2023 · May 9, 2023 · May 10, 2023
diff --git a/charts/api/CHANGELOG.md b/charts/api/CHANGELOG.md
@@ -2,6 +2,10 @@
 
 This chart does not yet follow SemVer.
 
+## 0.21.0
+- Extend permissions for Kubernetes ServiceAccount role
+- Add dedicated Kubernetes namespace to run jobs in
+
 ## 0.20.2
 - Add support for env var `WBSTACK_ELASTICSEARCH_ENABLED_BY_DEFAULT`
 

diff --git a/charts/api/Chart.yaml b/charts/api/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v1
 appVersion: "1.0"
 description: A Helm chart for the WBStack API
 name: api
-version: 0.20.2
+version: 0.21.0
 home: https://github.com/wbstack
 maintainers:
   - name: WBstack

diff --git a/charts/api/templates/deployment-queue.yaml b/charts/api/templates/deployment-queue.yaml
@@ -18,7 +18,7 @@ spec:
         app.kubernetes.io/instance: {{ .Release.Name }}
         app.kubernetes.io/component: queue
     spec:
-      serviceAccountName: {{ include "api.fullname" . }}-ingresscreator
+      serviceAccountName: {{ include "api.fullname" . }}-defaultrole
     {{- with .Values.imagePullSecrets }}
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
@@ -240,6 +240,8 @@ spec:
                 name: {{ template "api.fullname" . }}-app-passport-keys
                 {{- end }}
                 key: oauth-private.key
+          - name: API_JOB_NAMESPACE
+            value: {{ .Values.queue.apiJobNamespace }}
       {{- if .Values.app.gce.serviceAccountSecret }}
           volumeMounts:
             - name: "service-account-wbstack-api"

diff --git a/charts/api/templates/role-defaultrole.yaml b/charts/api/templates/role-defaultrole.yaml
@@ -0,0 +1,16 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "api.fullname" . }}-defaultrole
+  labels:
+{{ include "api.labels" . | indent 4 }}
+rules:
+- apiGroups: ["extensions", "networking.k8s.io"]
+  resources: ["ingresses"]
+  verbs: ["get", "create", "list"]
+- apiGroups: [""]
+  resources: ["pods"]
+  verbs: ["get", "list", "watch"]
+- apiGroups: ["batch"]
+  resources: ["jobs"]
+  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
diff --git a/charts/api/templates/role-ingresscreator.yaml b/charts/api/templates/role-ingresscreator.yaml
diff --git a/charts/api/templates/rolebinding-defaultrole.yaml b/charts/api/templates/rolebinding-defaultrole.yaml
@@ -0,0 +1,14 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "api.fullname" . }}-defaultrole
+  labels:
+{{ include "api.labels" . | indent 4 }}
+subjects:
+- kind: ServiceAccount
+  name: {{ include "api.fullname" . }}-defaultrole
+  namespace: default
+roleRef:
+  kind: ClusterRole
+  name: {{ include "api.fullname" . }}-defaultrole
+  apiGroup: rbac.authorization.k8s.io
diff --git a/charts/api/templates/rolebinding-ingresscreator.yaml b/charts/api/templates/rolebinding-ingresscreator.yaml
diff --git a/...plates/serviceaccount-ingresscreator.yaml → ...templates/serviceaccount-defaultrole.yaml b/...plates/serviceaccount-ingresscreator.yaml → ...templates/serviceaccount-defaultrole.yaml
@@ -1,6 +1,6 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: {{ include "api.fullname" . }}-ingresscreator
+  name: {{ include "api.fullname" . }}-defaultrole
   labels:
 {{ include "api.labels" . | indent 4 }}
diff --git a/charts/api/values.yaml b/charts/api/values.yaml
@@ -35,6 +35,7 @@ replicaCount:
   queue: 1
 
 queue:
+  apiJobNamespace: api-jobs
   mw:
     db:
       readHost: someHost
-Original file line number
+Diff line change
@@ Expand Up / @@ -35,6 +35,7 @@ replicaCount: @@
       queue: 1
     queue:
+      apiJobNamespace: api-jobs
       mw:
         db:
           readHost: someHost
@@ Expand Down @@