Merge pull request #24 from tombokombo/feat/rbac

add roles to access node info

charts/warpstream-agent/templates/clusterrole.yaml

@@ -0,0 +1,21 @@
+{{- if .Values.rbac.create }}
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  labels:
+    {{- include "warpstream-agent.labels" . | nindent 4 }}
+  {{- with .Values.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  name: {{ include "warpstream-agent.fullname" . }}-clusterrole
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - get
+  - watch
+  - list
+{{- end}}

charts/warpstream-agent/templates/clusterrolebinding.yaml

@@ -0,0 +1,20 @@
+{{- if .Values.rbac.create }}
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "warpstream-agent.fullname" . }}-clusterrolebinding
+  labels:
+    {{- include "warpstream-agent.labels" . | nindent 4 }}
+  {{- with .Values.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "warpstream-agent.serviceAccountName" . }}
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: {{ include "warpstream-agent.fullname" . }}-clusterrole
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}

charts/warpstream-agent/templates/deployment.yaml

@@ -18,7 +18,7 @@ spec:
       labels:
         {{- include "warpstream-agent.selectorLabels" . | nindent 8 }}
     spec:
-      automountServiceAccountToken: false
+      automountServiceAccountToken: true
       {{- with .Values.imagePullSecrets }}
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
@@ -52,6 +52,16 @@ spec:
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
           env:
+            - name: POD_NAME
+              valueFrom:
+                fieldRef:
+                  apiVersion: v1
+                  fieldPath: metadata.name
+            - name: POD_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  apiVersion: v1
+                  fieldPath: metadata.namespace
             - name: WARPSTREAM_API_KEY
               valueFrom:
                 secretKeyRef:

charts/warpstream-agent/templates/role.yaml

@@ -0,0 +1,21 @@
+{{- if .Values.rbac.create }}
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  labels:
+    {{- include "warpstream-agent.labels" . | nindent 4 }}
+  {{- with .Values.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  name: {{ include "warpstream-agent.fullname" . }}-role
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - get
+  - watch
+  - list
+{{- end}}

charts/warpstream-agent/templates/rolebinding.yaml

@@ -0,0 +1,20 @@
+{{- if .Values.rbac.create }}
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "warpstream-agent.fullname" . }}-rolebinding
+  labels:
+    {{- include "warpstream-agent.labels" . | nindent 4 }}
+  {{- with .Values.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "warpstream-agent.serviceAccountName" . }}
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: Role
+  name: {{ include "warpstream-agent.fullname" . }}-role
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}

charts/warpstream-agent/templates/service.yaml

@@ -8,6 +8,7 @@ metadata:
   annotations:
     {{- toYaml . | nindent 4 }}
   {{- end }}
+automountServiceAccountToken: true
 spec:
   type: {{ .Values.service.type }}
   ports:

charts/warpstream-agent/values.yaml

@@ -30,6 +30,9 @@ service:
   port: 9092
   httpPort: 8080
 
+rbac:
+  create: true
+
 headlessService:
   enabled: true