From 2776a5aa0451afa740526bc4134b2cff2d3b385d Mon Sep 17 00:00:00 2001
From: outbreak86
Date: Tue, 10 Dec 2024 17:13:36 +0100
Subject: [PATCH] feat: add option to disable cluster rbac installation
Signed-off-by: outbreak86
---
 deploy/charts/trust-manager/README.md | 7 +++++++
 .../trust-manager/templates/clusterrole.yaml | 2 ++
 .../templates/clusterrolebinding.yaml | 2 ++
 deploy/charts/trust-manager/values.schema.json | 17 +++++++++++++++++
 deploy/charts/trust-manager/values.yaml | 5 +++++
 5 files changed, 33 insertions(+)
diff --git a/deploy/charts/trust-manager/README.md b/deploy/charts/trust-manager/README.md
index af2080d0..2df726ff 100644
--- a/deploy/charts/trust-manager/README.md
+++ b/deploy/charts/trust-manager/README.md
@@ -179,6 +179,13 @@ digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20 > ``` imagePullPolicy for the default package image.
+#### **rbac.create** ~ `bool`
+> Default value:
+> ```yaml
+> true
+> ```
+
+Create required ClusterRole and ClusterRoleBinding for trust-manager. If set to false it will also disable the possibility to set secretTargets
 #### **secretTargets.enabled** ~ `bool`
 > Default value:
 > ```yaml
diff --git a/deploy/charts/trust-manager/templates/clusterrole.yaml b/deploy/charts/trust-manager/templates/clusterrole.yaml
index d13bc5fe..3c9e2a6f 100644
--- a/deploy/charts/trust-manager/templates/clusterrole.yaml
+++ b/deploy/charts/trust-manager/templates/clusterrole.yaml
@@ -1,3 +1,4 @@
+{{- if .Values.rbac.create }}
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
@@ -64,3 +65,4 @@ rules:
 resourceNames: {{ .Values.secretTargets.authorizedSecrets | toYaml | nindent 2 }}
 {{- end -}}
 {{- end -}}
+{{- end }}
\ No newline at end of file
diff --git a/deploy/charts/trust-manager/templates/clusterrolebinding.yaml b/deploy/charts/trust-manager/templates/clusterrolebinding.yaml
index 379df9d3..8bc719bc 100644
--- a/deploy/charts/trust-manager/templates/clusterrolebinding.yaml
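Review bot: The new `{{- if .Values.rbac.create }}` guard makes the whole ClusterRole, including the `secretTargets` rules at the end of this file, conditional, but nothing checks the combination `rbac.create: false` with `secretTargets.enabled: true`; the values documentation claims the former "disables" the latter, yet the template still accepts both, so a deployment that is presumably still configured to write Secrets would only fail with RBAC denials at runtime. If the two values are meant to be exclusive, fail early at the top of this template with `{{- if and (not .Values.rbac.create) .Values.secretTargets.enabled }}{{ fail "secretTargets.enabled requires rbac.create=true" }}{{- end }}`; if instead operators are expected to supply equivalent RBAC out of band, the docs should say that the ServiceAccount must then be granted the same rules this ClusterRole carries. Separately, the trailing `+{{- end }}` here and in clusterrolebinding.yaml leaves both files without a final newline (`\ No newline at end of file`); a `{{- end }}` followed by a newline renders identically. The rules between the two hunks are outside this hunk.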
+++ b/deploy/charts/trust-manager/templates/clusterrolebinding.yaml
@@ -1,3 +1,4 @@
+{{- if .Values.rbac.create }}
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
@@ -12,3 +13,4 @@ subjects:
 - kind: ServiceAccount
 name: {{ include "trust-manager.name" . }}
 namespace: {{ include "trust-manager.namespace" . }}
+{{- end }}
\ No newline at end of file
diff --git a/deploy/charts/trust-manager/values.schema.json b/deploy/charts/trust-manager/values.schema.json
index e362c2ae..0fddf07a 100644
--- a/deploy/charts/trust-manager/values.schema.json
+++ b/deploy/charts/trust-manager/values.schema.json
@@ -54,6 +54,9 @@
 "resources": {
 "$ref": "#/$defs/helm-values.resources"
 },
+ "rbac": {
+ "$ref": "#/$defs/helm-values.rbac"
+ },
 "secretTargets": {
 "$ref": "#/$defs/helm-values.secretTargets"
 },
@@ -673,6 +676,20 @@
 "description": "Kubernetes pod resource limits for trust.\n\nFor example:\nresources:\n limits:\n cpu: 100m\n memory: 128Mi\n requests:\n cpu: 100m\n memory: 128Mi",
 "type": "object"
 },
+ "helm-values.rbac": {
+ "additionalProperties": false,
+ "properties": {
+ "create": {
+ "$ref": "#/$defs/helm-values.rbac.create"
+ }
+ },
+ "type": "object"
+ },
+ "helm-values.rbac.create": {
+ "default": true,
+ "description": "Create required ClusterRole and ClusterRoleBinding for trust-manager.\nIf set to false it will also disable the possibility to set secretTargets",
+ "type": "boolean"
+ },
 "helm-values.secretTargets": {
 "additionalProperties": false,
 "properties": {
diff --git a/deploy/charts/trust-manager/values.yaml b/deploy/charts/trust-manager/values.yaml
index 92c9fca1..17bfe14c 100644
--- a/deploy/charts/trust-manager/values.yaml
+++ b/deploy/charts/trust-manager/values.yaml
@@ -104,6 +104,11 @@ defaultPackageImage:
 # imagePullPolicy for the default package image.
 pullPolicy: IfNotPresent
+rbac:
+ # Create required ClusterRole and ClusterRoleBinding for trust-manager.
+ # If set to false it will also disable the possibility to set secretTargets
+ create: true
+
 secretTargets:
 # If set to true, enable writing trust bundles to Kubernetes Secrets as a target.
 # trust-manager can only write to secrets which are explicitly allowed via either authorizedSecrets or authorizedSecretsAll.
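Review bot: The comment on the new `rbac.create` key overstates what the chart does: setting it to false does not "disable the possibility to set secretTargets", it only stops rendering the ClusterRole and ClusterRoleBinding, so `secretTargets.enabled: true` is still accepted and simply lacks the Secret permissions unless the operator grants them elsewhere. Suggest rewording the second comment line to `# If false, no ClusterRole/ClusterRoleBinding is rendered and the ServiceAccount must be granted equivalent permissions out of band, including the Secret rules needed when secretTargets.enabled is true.` The README and values.schema.json entries in this commit repeat the sentence verbatim, so they appear to be generated from these comments and would pick up the new wording on regeneration; confirm against the chart's tooling.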