chore: add rbac for mission to lookup secrets

agent-chart/templates/deployment.yaml

@@ -14,11 +14,11 @@ spec:
       labels:
         {{- include "incident-commander.selectorLabels" . | nindent 8 }}
     spec:
-      serviceAccountName: {{ include "incident-commander.fullname" . }}-sa
+      serviceAccountName: {{ include "incident-commander.name" . }}-sa
       volumes:
         - name: properties-config
           configMap:
-            name: {{ include "incident-commander.fullname" . }}-properties-config
+            name: {{ include "incident-commander.name" . }}-properties-config
       containers:
         - name: {{ .Chart.Name }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"

chart/templates/deployment.yaml

@@ -14,11 +14,11 @@ spec:
       labels:
         {{- include "incident-commander.selectorLabels" . | nindent 8 }}
     spec:
-      serviceAccountName: {{ include "incident-commander.fullname" . }}-sa
+      serviceAccountName: {{ include "incident-commander.name" . }}-sa
       volumes:
         - name: properties-config
           configMap:
-            name: {{ include "incident-commander.fullname" . }}-properties-config
+            name: {{ include "incident-commander.name" . }}-properties-config
       {{- if ne .Values.identityRoleMapper.configMap.name ""}}
         - name: identity-role-mapper
           configMap:

chart/templates/properties-configmap.yaml

@@ -1,7 +1,7 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: {{ include "incident-commander.fullname" . }}-properties-config
+  name: {{ include "incident-commander.name" . }}-properties-config
   labels:
     {{- include "incident-commander.labels" . | nindent 4 }}
 data:

chart/templates/rbac.yaml

@@ -1,7 +1,7 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: {{ include "incident-commander.fullname" . }}-sa
+  name: {{ include "incident-commander.name" . }}-sa
   labels:
     {{- include "incident-commander.labels" . | nindent 4 }}
   {{- with .Values.serviceAccount.annotations }}
@@ -10,7 +10,7 @@ metadata:
   {{- end }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
+kind: {{if .Values.serviceAccount.rbac.clusterRole}}Cluster{{end}}Role
 metadata:
   creationTimestamp: null
   name: {{ include "incident-commander.name" . }}-role
@@ -50,16 +50,71 @@ rules:
   - get
   - patch
   - update
+{{- if .Values.serviceAccount.rbac.secrets}}
+- apiGroups:
+    - v1
+  resources:
+    - secrets
+  verbs:
+    - get
+    - list
+{{- end}}
+{{- if .Values.serviceAccount.rbac.configmaps}}
+- apiGroups:
+    - v1
+  resources:
+    - configmaps
+  verbs:
+    - get
+    - list
+{{- end}}
+{{- if .Values.serviceAccount.rbac.exec}}
+- apiGroups: [""]
+  resources:
+    - pods/attach
+    - pods/exec
+    - pods/log
+  verbs:
+    - '*'
+{{- end}}
+{{- if .Values.serviceAccount.rbac.podRun}}
+- apiGroups: [""]
+  resources:
+    - pods/attach
+    - pods/exec
+    - pods/log
+    - pods
+  verbs:
+    - '*'
+{{- end}}
+{{- if .Values.serviceAccount.rbac.tokenRequest}}
+- apiGroups:
+    - authentication.k8s.io/v1
+  resources:
+    - serviceaccounts/token
+  verbs:
+    - create
+{{- end}}
+{{- if .Values.serviceAccount.rbac.readAll}}
+- apiGroups:
+    - "*"
+  resources:
+    - "*"
+  verbs:
+    - list
+    - get
+    - watch
+{{- end}}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
+kind: {{if .Values.serviceAccount.rbac.clusterRole}}Cluster{{end}}RoleBinding
 metadata:
-  name: {{ include "incident-commander.fullname" . }}-rolebinding
+  name: {{ include "incident-commander.name" . }}-rolebinding
 roleRef:
   apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
+  kind: {{if .Values.serviceAccount.rbac.clusterRole}}Cluster{{end}}Role
   name: {{ include "incident-commander.name" . }}-role
 subjects:
   - kind: ServiceAccount
-    name: {{ include "incident-commander.fullname" . }}-sa
+    name: {{ include "incident-commander.name" . }}-sa
     namespace: {{ .Release.Namespace }}

chart/values.yaml

@@ -27,6 +27,24 @@
 serviceAccount:
   # Annotations to add to the service account
   annotations: {}
+  rbac:
+    # Whether to create cluster-wide or namespaced roles
+    clusterRole: true
+
+    # for secret management with valueFrom
+    tokenRequest: true
+    secrets: true
+    configmaps: true
+
+    # for use with kubernetes resource lookups
+    readAll: true
+
+    # Playbook pod actions
+    podRun: true
+
+    # exec
+    exec: true
+
 extraArgs: {}
 externalPostgrest:
   enable: true
@@ -77,24 +95,24 @@
     work_mem: 10MB
     max_wal_size: 4GB
     log_autovacuum_min_duration: 0
     log_connections: on
     log_destination: "stderr"
     log_directory: "/var/log/postgresql"
     log_file_mode: 0644
     log_filename: "postgresql.log"
     log_line_prefix: "%m [%p] %q[user=%u,db=%d,app=%a] "
     log_lock_waits: on
     log_min_duration_statement: "1s"
     log_rotation_age: 0
     log_rotation_size: 0
     log_statement: "all"
     log_temp_files: 0
     log_timezone: "UTC"
     logging_collector: on
     ssl: off
     timezone: "UTC"
     password_encryption: scram-sha-256
     db_user_namespace: off
     extra_float_digits: 0
   secretKeyRef:
     name: incident-commander-postgres