Merge branch '81-add-rbac-to-the-helm-chart-for-k8s-access-from-dashboard-backend' into 'main'

Resolve "Add RBAC to the helm chart for k8s access from dashboard-backend"

Closes #81

See merge request stackspin/dashboard!52
This commit is contained in:
Arie Peterson 2022-10-05 13:22:09 +00:00
commit 308fb12e81
7 changed files with 119 additions and 6 deletions

View file

@ -1,6 +1,6 @@
dependencies:
- name: common
repository: https://charts.bitnami.com/bitnami
version: 2.0.1
digest: sha256:eac8729956b60d78414de3eea46b919b44afcd7afdcd19dacd640269b3d731f2
generated: "2022-08-24T15:52:13.18511608+02:00"
version: 2.0.3
digest: sha256:dfd07906c97f7fca7593af69d01f6f044e10a609a03057352142766a5caca6cd
generated: "2022-09-29T15:38:57.444746866+02:00"

View file

@ -1,7 +1,7 @@
annotations:
category: Dashboard
apiVersion: v2
appVersion: 0.2.8
appVersion: 0.3.0
dependencies:
- name: common
# https://artifacthub.io/packages/helm/bitnami/common
@ -23,4 +23,4 @@ name: stackspin-dashboard
sources:
- https://open.greenhost.net/stackspin/dashboard/
- https://open.greenhost.net/stackspin/dashboard-backend/
version: 1.2.3
version: 1.3.0

View file

@ -24,6 +24,7 @@ data:
HYDRA_ADMIN_URL: {{ .Values.backend.hydra.adminUrl }}
LOGIN_PANEL_URL: {{ .Values.backend.loginPanelUrl }}
DATABASE_URL: {{ .Values.backend.databaseUrl }}
LOAD_INCLUSTER_CONFIG: "true"
# {{- if .Values.backend.smtp.enabled }}
# DASHBOARD_BACKEND_SMTP_HOST: {{ .Values.backend.smtp.host | quote }}
# DASHBOARD_BACKEND_SMTP_PORT: {{ .Values.backend.smtp.port | quote }}

View file

@ -0,0 +1,45 @@
{{- if .Values.rbac.create -}}
apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
kind: ClusterRole
metadata:
name: {{ template "common.names.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
rules:
- apiGroups:
- kustomize.toolkit.fluxcd.io
resources:
- kustomizations
verbs:
- list
- delete
- get
- patch
- create
- apiGroups:
- helm.toolkit.fluxcd.io
resources:
- helmreleases
verbs:
- list
- delete
- get
- patch
- create
- apiGroups:
- ""
resources:
- secrets
- configmaps
verbs:
- list
- get
- patch
- delete
{{- end }}

View file

@ -0,0 +1,22 @@
{{- if .Values.rbac.create -}}
kind: ClusterRoleBinding
apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
metadata:
name: {{ template "common.names.fullname" . }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/component: server
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "common.names.fullname" . }}
subjects:
- kind: ServiceAccount
name: {{ include "dashboard.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
{{- end }}

View file

@ -0,0 +1,22 @@
{{- if and .Values.rbac.create .Values.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "dashboard.serviceAccountName" . }}
namespace: {{ .Release.Namespace | quote }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/component: server
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if or .Values.serviceAccount.annotations .Values.commonAnnotations }}
annotations:
{{- if .Values.commonAnnotations }}
{{- include "common.tplvalues.render" (dict "value" .Values.commonAnnotations "context" $) | nindent 4 }}
{{- end }}
{{- if .Values.serviceAccount.annotations }}
{{- include "common.tplvalues.render" (dict "value" .Values.serviceAccount.annotations "context" $) | nindent 4 }}
{{- end }}
{{- end }}
automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
{{- end }}

View file

@ -236,7 +236,7 @@ backend:
image:
registry: open.greenhost.net:4567
repository: stackspin/dashboard-backend/dashboard-backend
tag: 0-2-10
tag: 0-3-1
digest: ""
## Optionally specify an array of imagePullSecrets.
## Secrets must be manually created in the namespace.
@ -695,3 +695,26 @@ ingress:
## key:
## certificate:
secrets: []
# The dashboard-backend needs access to certain Kubernetes APIs to be able to
# install and remove apps
rbac:
## @param backend.rbac.create Specifies whether RBAC resources should be created
create: true
## ServiceAccount configuration for dashboard backend
##
serviceAccount:
## @param backend.serviceAccount.create Specifies whether a ServiceAccount should be created
##
create: true
## @param backend.serviceAccount.name The name of the ServiceAccount to use.
## If not set and create is true, a name is generated using the common.names.fullname template
##
name: ""
## @param backend.serviceAccount.automountServiceAccountToken Automount service account token for the dashboard backend service account
##
automountServiceAccountToken: true
## @param backend.serviceAccount.annotations Annotations for service account. Evaluated as a template. Only used if `create` is `true`.
##
annotations: {}