Merge branch '81-add-rbac-to-the-helm-chart-for-k8s-access-from-dashboard-backend' into 'main'

Resolve "Add RBAC to the helm chart for k8s access from dashboard-backend" Closes #81 See merge request stackspin/dashboard!52
2022-10-05 13:22:09 +00:00 · 2022-10-05 13:22:09 +00:00 · 308fb12e81
commit 308fb12e81
parent 1f95383ab0 803986dd85
7 changed files with 119 additions and 6 deletions
--- a/deployment/helmchart/Chart.lock
+++ b/deployment/helmchart/Chart.lock
@ -1,6 +1,6 @@
 dependencies:
 - name: common
  repository: https://charts.bitnami.com/bitnami
-  version: 2.0.1
-digest: sha256:eac8729956b60d78414de3eea46b919b44afcd7afdcd19dacd640269b3d731f2
-generated: "2022-08-24T15:52:13.18511608+02:00"
+  version: 2.0.3
+digest: sha256:dfd07906c97f7fca7593af69d01f6f044e10a609a03057352142766a5caca6cd
+generated: "2022-09-29T15:38:57.444746866+02:00"
--- a/deployment/helmchart/Chart.yaml
+++ b/deployment/helmchart/Chart.yaml
@ -1,7 +1,7 @@
 annotations:
  category: Dashboard
 apiVersion: v2
-appVersion: 0.2.8
+appVersion: 0.3.0
 dependencies:
  - name: common
    # https://artifacthub.io/packages/helm/bitnami/common
@ -23,4 +23,4 @@ name: stackspin-dashboard
 sources:
  - https://open.greenhost.net/stackspin/dashboard/
  - https://open.greenhost.net/stackspin/dashboard-backend/
-version: 1.2.3
+version: 1.3.0
--- a/deployment/helmchart/templates/configmaps.yaml
+++ b/deployment/helmchart/templates/configmaps.yaml
@ -24,6 +24,7 @@ data:
  HYDRA_ADMIN_URL: {{ .Values.backend.hydra.adminUrl }}
  LOGIN_PANEL_URL: {{ .Values.backend.loginPanelUrl }}
  DATABASE_URL: {{ .Values.backend.databaseUrl }}
+  LOAD_INCLUSTER_CONFIG: "true"
  # {{- if .Values.backend.smtp.enabled }}
  # DASHBOARD_BACKEND_SMTP_HOST: {{ .Values.backend.smtp.host | quote }}
  # DASHBOARD_BACKEND_SMTP_PORT: {{ .Values.backend.smtp.port | quote }}
--- a/deployment/helmchart/templates/rbac/clusterrole.yaml
+++ b/deployment/helmchart/templates/rbac/clusterrole.yaml
@ -0,0 +1,45 @@
+{{- if .Values.rbac.create -}}
+apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
+kind: ClusterRole
+metadata:
+  name: {{ template "common.names.fullname" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels: {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.commonLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.commonAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+rules:
+  - apiGroups:
+      - kustomize.toolkit.fluxcd.io
+    resources:
+      - kustomizations
+    verbs:
+      - list
+      - delete
+      - get
+      - patch
+      - create
+  - apiGroups:
+      - helm.toolkit.fluxcd.io
+    resources:
+      - helmreleases
+    verbs:
+      - list
+      - delete
+      - get
+      - patch
+      - create
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+      - configmaps
+    verbs:
+      - list
+      - get
+      - patch
+      - delete
+{{- end }}
--- a/deployment/helmchart/templates/rbac/clusterrolebinding.yaml
+++ b/deployment/helmchart/templates/rbac/clusterrolebinding.yaml
@ -0,0 +1,22 @@
+{{- if .Values.rbac.create -}}
+kind: ClusterRoleBinding
+apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
+metadata:
+  name: {{ template "common.names.fullname" . }}
+  labels: {{- include "common.labels.standard" . | nindent 4 }}
+    app.kubernetes.io/component: server
+    {{- if .Values.commonLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.commonAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ template "common.names.fullname" . }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "dashboard.serviceAccountName" . }}
+    namespace: {{ .Release.Namespace }}
+{{- end }}
--- a/deployment/helmchart/templates/rbac/serviceaccount.yaml
+++ b/deployment/helmchart/templates/rbac/serviceaccount.yaml
@ -0,0 +1,22 @@
+{{- if and .Values.rbac.create .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "dashboard.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels: {{- include "common.labels.standard" . | nindent 4 }}
+    app.kubernetes.io/component: server
+    {{- if .Values.commonLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+    {{- end }}
+  {{- if or .Values.serviceAccount.annotations .Values.commonAnnotations }}
+  annotations:
+    {{- if .Values.commonAnnotations }}
+      {{- include "common.tplvalues.render" (dict "value" .Values.commonAnnotations "context" $) | nindent 4 }}
+    {{- end }}
+    {{- if .Values.serviceAccount.annotations }}
+      {{- include "common.tplvalues.render" (dict "value" .Values.serviceAccount.annotations "context" $) | nindent 4 }}
+    {{- end }}
+  {{- end }}
+automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
+{{- end }}
--- a/deployment/helmchart/values.yaml
+++ b/deployment/helmchart/values.yaml
@ -236,7 +236,7 @@ backend:
  image:
    registry: open.greenhost.net:4567
    repository: stackspin/dashboard-backend/dashboard-backend
-    tag: 0-2-10
+    tag: 0-3-1
    digest: ""
    ## Optionally specify an array of imagePullSecrets.
    ## Secrets must be manually created in the namespace.
@ -695,3 +695,26 @@ ingress:
  ##   key:
  ##   certificate:
  secrets: []
+
+# The dashboard-backend needs access to certain Kubernetes APIs to be able to
+# install and remove apps
+rbac:
+  ## @param backend.rbac.create Specifies whether RBAC resources should be created
+  create: true
+
+## ServiceAccount configuration for dashboard backend
+##
+serviceAccount:
+  ## @param backend.serviceAccount.create Specifies whether a ServiceAccount should be created
+  ##
+  create: true
+  ## @param backend.serviceAccount.name The name of the ServiceAccount to use.
+  ## If not set and create is true, a name is generated using the common.names.fullname template
+  ##
+  name: ""
+  ## @param backend.serviceAccount.automountServiceAccountToken Automount service account token for the dashboard backend service account
+  ##
+  automountServiceAccountToken: true
+  ## @param backend.serviceAccount.annotations Annotations for service account. Evaluated as a template. Only used if `create` is `true`.
+  ##
+  annotations: {}