From b7f535d6ff01425966833d45a1643b294fc4e5a4 Mon Sep 17 00:00:00 2001 From: Stavros kois Date: Fri, 2 Sep 2022 22:32:06 +0300 Subject: [PATCH] add clusterrole --- .../templates/addons/vpn/tailscale/_addon.tpl | 1 + .../addons/vpn/tailscale/_container.tpl | 20 ------------ .../templates/addons/vpn/tailscale/_rbac.tpl | 32 +++++++++++++++++++ .../templates/addons/vpn/tailscale/_sa.tpl | 2 +- 4 files changed, 34 insertions(+), 21 deletions(-) create mode 100644 charts/common/templates/addons/vpn/tailscale/_rbac.tpl diff --git a/charts/common/templates/addons/vpn/tailscale/_addon.tpl b/charts/common/templates/addons/vpn/tailscale/_addon.tpl index 1d16d06f..f393c692 100644 --- a/charts/common/templates/addons/vpn/tailscale/_addon.tpl +++ b/charts/common/templates/addons/vpn/tailscale/_addon.tpl @@ -8,5 +8,6 @@ Template to render Tailscale addon. It will add the container to the list of add {{- if $container -}} {{- $_ := set .Values.additionalContainers "addon-tailscale" $container -}} {{ include "tailscale.sa" . }} + {{ include "tailscale.rbac" . }} {{- end -}} {{- end -}} diff --git a/charts/common/templates/addons/vpn/tailscale/_container.tpl b/charts/common/templates/addons/vpn/tailscale/_container.tpl index fc0c6c5f..c4fa4f72 100644 --- a/charts/common/templates/addons/vpn/tailscale/_container.tpl +++ b/charts/common/templates/addons/vpn/tailscale/_container.tpl @@ -19,26 +19,6 @@ securityContext: add: - NET_ADMIN -rbac: - main: - enabled: true - rules: - - apiGroups: - - "" - resources: - - "secrets" - verbs: - - "create" - - apiGroups: - - "" - resources: - - "secrets" - resourceNames: - - '{{ $secretName }}' - verbs: - - "get" - - "update" - envFrom: - secretRef: name: {{ $secretName }} diff --git a/charts/common/templates/addons/vpn/tailscale/_rbac.tpl b/charts/common/templates/addons/vpn/tailscale/_rbac.tpl new file mode 100644 index 00000000..e6e18d41 --- /dev/null +++ b/charts/common/templates/addons/vpn/tailscale/_rbac.tpl 
@@ -0,0 +1,32 @@ +{{- define "tailscale.rbac" -}} + +{{- $rbacName := printf "%s-tailscale-addon" (include "tc.common.names.fullname" .) -}} +{{- $secretName := printf "%s-tailscale-secret" (include "tc.common.names.fullname" .) }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ $rbacName }} + labels: + {{- include "tc.common.labels" . | nindent 4 }} + annotations: + {{- with .Values.addons.vpn.tailscale.annotations }} + {{- tpl ( toYaml . ) $ | nindent 4 }} + {{- end }} +rules: + - apiGroups: + - "" + resources: + - "secrets" + verbs: + - "create" + - apiGroups: + - "" + resources: + - "secrets" + resourceNames: + - '{{ $secretName }}' + verbs: + - "get" + - "update" +{{- end -}} diff --git a/charts/common/templates/addons/vpn/tailscale/_sa.tpl b/charts/common/templates/addons/vpn/tailscale/_sa.tpl index 50db90b1..3a46c432 100644 --- a/charts/common/templates/addons/vpn/tailscale/_sa.tpl +++ b/charts/common/templates/addons/vpn/tailscale/_sa.tpl @@ -9,8 +9,8 @@ metadata: name: {{ $saName }} labels: {{- include "tc.common.labels" . | nindent 4 }} - {{- with .Values.addons.vpn.tailscale.annotations }} annotations: + {{- with .Values.addons.vpn.tailscale.annotations }} {{- tpl ( toYaml . ) $ | nindent 4 }} {{- end }} {{- end -}}
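Review bot: The new `_rbac.tpl` defines a cluster-scoped `ClusterRole` for permissions that only concern one namespaced secret, and nothing visible in this patch binds it to the service account rendered by `_sa.tpl`, so as shown the rules may never take effect. The first rule grants `create` on `secrets`, which RBAC cannot narrow by `resourceNames`, so attaching this role through a `ClusterRoleBinding` would allow secret creation in every namespace. The cluster-scoped name `{{ $rbacName }}` would also collide between releases that share a fullname in different namespaces. A namespaced `Role` plus `RoleBinding` in the release namespace keeps the grant to what the sidecar needs, as sketched below. `$saName` there has to be defined to match the name used in `_sa.tpl`, whose definition is outside this hunk.

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ $rbacName }}
  namespace: {{ .Release.Namespace }}
# … unchanged: labels, annotations, rules …
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {{ $rbacName }}
  namespace: {{ .Release.Namespace }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ $rbacName }}
subjects:
  - kind: ServiceAccount
    # must equal the name rendered in _sa.tpl (definition not visible in this patch)
    name: {{ $saName }}
    namespace: {{ .Release.Namespace }}
```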
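Review bot: Moving `annotations:` above the `{{- with .Values.addons.vpn.tailscale.annotations }}` guard in `_sa.tpl` means the key is now rendered with a null value whenever no annotations are configured, where the previous ordering omitted it. The same ordering is used in the new `_rbac.tpl`. The API server accepts a null map here, but keeping the key inside the `with` block gives cleaner rendered manifests and less noise when diffing releases. If the move was meant to fix indentation of the rendered values, a short comment saying so, e.g. `{{/* annotations key kept outside "with" on purpose */}}`, would stop it being reverted later.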