Merge pull request #10 from finleap-connect/fix/helm-chart

Helm Chart Problems
finleap-connect · Mar 8, 2022 · 5cb0c45 · 5cb0c45
2 parents 50388b0 + 0ba0351
commit 5cb0c45
Show file tree

Hide file tree

Showing 31 changed files with 221 additions and 296 deletions.
diff --git a/.gitignore b/.gitignore
@@ -6,10 +6,10 @@
 !/tools/vault-install
 /bin
 /reports
+/tmp
 
 *.coverprofile
 
-
 # Binaries for programs and plugins
 *.exe
 *.exe~

diff --git a/Makefile b/Makefile
@@ -61,8 +61,6 @@ manifests: $(CONTROLLER_GEN) $(KUSTOMIZE) ## Generate manifests e.g. CRD, RBAC e
 	$(CONTROLLER_GEN) crd:trivialVersions=false rbac:roleName=manager-role webhook paths="./..." output:crd:artifacts:config=config/crd/bases
 	echo "# Generated by 'make manifests'\n" > $(HELM_CHART_DIR)/templates/crds.yaml
 	$(KUSTOMIZE) build config/crd-templates >> $(HELM_CHART_DIR)/templates/crds.yaml
-	echo "# Generated by 'make manifests'\n" > $(HELM_CHART_DIR)/templates/rbac.yaml
-	$(KUSTOMIZE) build config/rbac-templates >> $(HELM_CHART_DIR)/templates/rbac.yaml
 	echo "# Generated by 'make manifests'\n" > $(HELM_CHART_DIR)/templates/webhook.yaml
 	$(KUSTOMIZE) build config/webhook-templates >> $(HELM_CHART_DIR)/templates/webhook.yaml
 

diff --git a/charts/vault-operator/templates/_helpers.tpl b/charts/vault-operator/templates/_helpers.tpl
@@ -40,8 +40,6 @@ helm.sh/chart: {{ include "vault-operator.chart" . }}
 app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
 {{- end }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
-app: vault-operator
-control-plane: controller-manager
 {{- end }}
 
 {{/*
@@ -51,3 +49,14 @@ Selector labels
 app.kubernetes.io/name: {{ include "vault-operator.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "vault-operator.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "vault-operator.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
diff --git a/charts/vault-operator/templates/cert.yaml b/charts/vault-operator/templates/cert.yaml
@@ -24,8 +24,8 @@ metadata:
     {{- include "vault-operator.labels" . | nindent 4 }}
 spec:
   dnsNames:
-  - vault-operator-webhook-service.{{ .Release.Namespace }}.svc
-  - vault-operator-webhook-service.{{ .Release.Namespace }}.svc.cluster.local
+  - {{ include "vault-operator.fullname" . }}-webhook.{{ .Release.Namespace }}.svc
+  - {{ include "vault-operator.fullname" . }}-webhook.svc.cluster.local
   issuerRef:
     kind: Issuer
     name: selfsigned-issuer

diff --git a/charts/vault-operator/templates/crds.yaml b/charts/vault-operator/templates/crds.yaml
@@ -14,7 +14,7 @@ spec:
     webhookClientConfig:
       caBundle: Cg==
       service:
-        name: vault-operator-webhook-service
+        name: '{{ include "vault-operator.fullname" . }}-webhook'
         namespace: '{{ .Release.Namespace }}'
         path: /convert
   group: vault.finleap.cloud

diff --git a/charts/vault-operator/templates/deployment.yaml b/charts/vault-operator/templates/deployment.yaml
@@ -4,7 +4,6 @@ metadata:
   name: {{ include "vault-operator.fullname" . }}
   labels:
     {{- include "vault-operator.labels" . | nindent 4 }}
-    control-plane: controller-manager
 spec:
   replicas: {{ .Values.replicaCount }}
   selector:
@@ -23,7 +22,7 @@ spec:
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-      serviceAccountName: vault-operator
+      serviceAccountName: {{ include "vault-operator.serviceAccountName" . }}
       securityContext:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
       containers:

diff --git a/charts/vault-operator/templates/leaderelection-rbac.yaml b/charts/vault-operator/templates/leaderelection-rbac.yaml
@@ -0,0 +1,57 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "vault-operator.fullname" . }}-leaderelection
+  labels:
+    {{- include "vault-operator.labels" . | nindent 4 }}
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - patch
+  - delete
+- apiGroups:
+  - ""
+  resources:
+  - configmaps/status
+  verbs:
+  - get
+  - update
+  - patch
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+- apiGroups:
+  - coordination.k8s.io
+  resources:
+  - leases
+  verbs:
+  - create
+  - get
+  - list
+  - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "vault-operator.fullname" . }}-leaderelection
+  labels:
+    {{- include "vault-operator.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "vault-operator.fullname" . }}-leaderelection
+subjects:
+- kind: ServiceAccount
+  name: {{ include "vault-operator.serviceAccountName" . }}
+  namespace: "{{ .Release.Namespace }}"
diff --git a/charts/vault-operator/templates/manager-rbac.yaml b/charts/vault-operator/templates/manager-rbac.yaml
@@ -0,0 +1,61 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "vault-operator.fullname" . }}-manager
+  labels:
+    {{- include "vault-operator.labels" . | nindent 4 }}
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - vault.finleap.cloud
+  resources:
+  - vaultsecrets
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - vault.finleap.cloud
+  resources:
+  - vaultsecrets/status
+  verbs:
+  - get
+  - patch
+  - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "vault-operator.fullname" . }}-manager
+  labels:
+    {{- include "vault-operator.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "vault-operator.fullname" . }}-manager
+subjects:
+- kind: ServiceAccount
+  name: {{ include "vault-operator.serviceAccountName" . }}
+  namespace: '{{ .Release.Namespace }}'
diff --git a/charts/vault-operator/templates/metrics-rbac.yaml b/charts/vault-operator/templates/metrics-rbac.yaml
@@ -0,0 +1,11 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  name: {{ include "vault-operator.fullname" . }}-metrics-reader
+  labels:
+    {{- include "vault-operator.labels" . | nindent 4 }}
+rules:
+- nonResourceURLs:
+  - /metrics
+  verbs:
+  - get
diff --git a/charts/vault-operator/templates/proxy-rbac.yaml b/charts/vault-operator/templates/proxy-rbac.yaml
@@ -0,0 +1,32 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "vault-operator.fullname" . }}-proxy
+  labels:
+    {{- include "vault-operator.labels" . | nindent 4 }}
+rules:
+- apiGroups:
+  - authentication.k8s.io
+  resources:
+  - tokenreviews
+  verbs:
+  - create
+- apiGroups:
+  - authorization.k8s.io
+  resources:
+  - subjectaccessreviews
+  verbs:
+  - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "vault-operator.fullname" . }}-proxy
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "vault-operator.fullname" . }}-proxy
+subjects:
+- kind: ServiceAccount
+  name: {{ include "vault-operator.serviceAccountName" . }}
+  namespace: '{{ .Release.Namespace }}'