chore(argo-cd): Consolidate cluster-wide RBAC (#1597)
Signed-off-by: Petr Drastil <petr.drastil@gmail.com>
This commit is contained in:
Petr Drastil
GitHub
parent
7992b5d04b
commit
c5648d5c9f
10 changed files with 70 additions and 66 deletions
|
|
@ -52,6 +52,18 @@ DEPRECATED option configs.gpgKeys - Use config.gpg.keys
|
|||
{{- if .Values.configs.gpgKeysAnnotations }}
|
||||
DEPRECATED option configs.gpgKeysAnnotations - Use config.gpg.annotations
|
||||
{{- end }}
|
||||
{{- if hasKey .Values "createAggregateRoles" }}
|
||||
DEPRECATED option createAggregateRoles - Use global.rbac.aggregatedRoles
|
||||
{{- end }}
|
||||
{{- if hasKey (.Values.controller.clusterAdminAccess | default dict) "enabled" }}
|
||||
DEPRECATED option .controller.clusterAdminAccess.enabled - Use createClusterRoles
|
||||
{{- end }}
|
||||
{{- if hasKey (.Values.server.clusterAdminAccess | default dict) "enabled" }}
|
||||
DEPRECATED option .server.clusterAdminAccess.enabled - Use createClusterRoles
|
||||
{{- end }}
|
||||
{{- if hasKey (.Values.repoServer.clusterAdminAccess | default dict) "enabled" }}
|
||||
DEPRECATED option .server.clusterAdminAccess.enabled - Use createClusterRoles
|
||||
{{- end }}
|
||||
{{- if .Values.controller.service }}
|
||||
REMOVED option controller.service - Use controller.metrics
|
||||
{{- end }}
|
||||
|
|
|
|||
|
|
@ -1,23 +1,24 @@
|
|||
{{- if .Values.controller.clusterAdminAccess.enabled }}
|
||||
{{- $config := .Values.controller.clusterAdminAccess | default dict -}}
|
||||
{{- if hasKey $config "enabled" | ternary $config.enabled .Values.createClusterRoles }}
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: {{ template "argo-cd.controller.fullname" . }}
|
||||
name: {{ include "argo-cd.controller.fullname" . }}
|
||||
labels:
|
||||
{{- include "argo-cd.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }}
|
||||
rules:
|
||||
{{- if .Values.controller.clusterRoleRules.enabled }}
|
||||
{{- toYaml .Values.controller.clusterRoleRules.rules | nindent 0 }}
|
||||
{{- toYaml .Values.controller.clusterRoleRules.rules | nindent 2 }}
|
||||
{{- else }}
|
||||
- apiGroups:
|
||||
- '*'
|
||||
resources:
|
||||
- '*'
|
||||
verbs:
|
||||
- '*'
|
||||
- nonResourceURLs:
|
||||
- '*'
|
||||
verbs:
|
||||
- '*'
|
||||
- apiGroups:
|
||||
- '*'
|
||||
resources:
|
||||
- '*'
|
||||
verbs:
|
||||
- '*'
|
||||
- nonResourceURLs:
|
||||
- '*'
|
||||
verbs:
|
||||
- '*'
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
|
|
|||
|
|
@ -1,16 +1,17 @@
|
|||
{{- if .Values.controller.clusterAdminAccess.enabled }}
|
||||
{{- $config := .Values.controller.clusterAdminAccess | default dict -}}
|
||||
{{- if hasKey $config "enabled" | ternary $config.enabled .Values.createClusterRoles }}
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: {{ template "argo-cd.controller.fullname" . }}
|
||||
name: {{ include "argo-cd.controller.fullname" . }}
|
||||
labels:
|
||||
{{- include "argo-cd.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: {{ template "argo-cd.controller.fullname" . }}
|
||||
name: {{ include "argo-cd.controller.fullname" . }}
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ template "argo-cd.controllerServiceAccountName" . }}
|
||||
name: {{ include "argo-cd.controllerServiceAccountName" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
|
|
|||
|
|
@ -1,23 +1,24 @@
|
|||
{{- if and .Values.repoServer.serviceAccount.create .Values.repoServer.clusterAdminAccess.enabled }}
|
||||
{{- $config := .Values.repoServer.clusterAdminAccess | default dict -}}
|
||||
{{- if hasKey $config "enabled" | ternary $config.enabled .Values.createClusterRoles }}
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: {{ template "argo-cd.repoServer.fullname" . }}
|
||||
name: {{ include "argo-cd.repoServer.fullname" . }}
|
||||
labels:
|
||||
{{- include "argo-cd.labels" (dict "context" . "component" .Values.repoServer.name "name" .Values.repoServer.name) | nindent 4 }}
|
||||
rules:
|
||||
{{- if .Values.repoServer.clusterRoleRules.enabled }}
|
||||
{{- toYaml .Values.repoServer.clusterRoleRules.rules | nindent 0 }}
|
||||
{{- toYaml .Values.repoServer.clusterRoleRules.rules | nindent 2 }}
|
||||
{{- else }}
|
||||
- apiGroups:
|
||||
- '*'
|
||||
resources:
|
||||
- '*'
|
||||
verbs:
|
||||
- '*'
|
||||
- nonResourceURLs:
|
||||
- '*'
|
||||
verbs:
|
||||
- '*'
|
||||
- apiGroups:
|
||||
- '*'
|
||||
resources:
|
||||
- '*'
|
||||
verbs:
|
||||
- '*'
|
||||
- nonResourceURLs:
|
||||
- '*'
|
||||
verbs:
|
||||
- '*'
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
|
|
|||
|
|
@ -1,16 +1,17 @@
|
|||
{{- if and .Values.repoServer.serviceAccount.create .Values.repoServer.clusterAdminAccess.enabled }}
|
||||
{{- $config := .Values.repoServer.clusterAdminAccess | default dict -}}
|
||||
{{- if hasKey $config "enabled" | ternary $config.enabled .Values.createClusterRoles }}
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: {{ template "argo-cd.repoServer.fullname" . }}
|
||||
name: {{ include "argo-cd.repoServer.fullname" . }}
|
||||
labels:
|
||||
{{- include "argo-cd.labels" (dict "context" . "component" .Values.repoServer.name "name" .Values.repoServer.name) | nindent 4 }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: {{ template "argo-cd.repoServer.fullname" . }}
|
||||
name: {{ include "argo-cd.repoServer.fullname" . }}
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ template "argo-cd.repoServerServiceAccountName" . }}
|
||||
name: {{ include "argo-cd.repoServerServiceAccountName" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
{{- end }}
|
||||
|
|
|
|||
|
|
@ -1,4 +1,5 @@
|
|||
{{- if .Values.server.clusterAdminAccess.enabled }}
|
||||
{{- $config := .Values.server.clusterAdminAccess | default dict -}}
|
||||
{{- if hasKey $config "enabled" | ternary $config.enabled .Values.createClusterRoles }}
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
|
|
|
|||
|
|
@ -1,16 +1,17 @@
|
|||
{{- if .Values.server.clusterAdminAccess.enabled }}
|
||||
{{- $config := .Values.server.clusterAdminAccess | default dict -}}
|
||||
{{- if hasKey $config "enabled" | ternary $config.enabled .Values.createClusterRoles }}
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: {{ template "argo-cd.server.fullname" . }}
|
||||
name: {{ include "argo-cd.server.fullname" . }}
|
||||
labels:
|
||||
{{- include "argo-cd.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: {{ template "argo-cd.server.fullname" . }}
|
||||
name: {{ include "argo-cd.server.fullname" . }}
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ template "argo-cd.serverServiceAccountName" . }}
|
||||
name: {{ include "argo-cd.serverServiceAccountName" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue