fix helm chart to use latest rbac definitions

Author: jmccormick2001

chart/install-tiller-rbac.sh

@@ -0,0 +1,2 @@
+#!/bin/bash
+helm init --service-account tiller

chart/postgres-operator/templates/cluster-role-binding.yaml

@@ -2,18 +2,29 @@
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
 metadata:
-  name: {{ template "postgres-operator.fullname" . }}
-  labels:
-    app: {{ template "postgres-operator.name" . }}
-    chart: {{ template "postgres-operator.chart" . }}
-    release: {{ .Release.Name }}
-    heritage: {{ .Release.Service }}
+  name: pgopclusterbinding
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: {{ template "postgres-operator.fullname" . }}
+  name: pgopclusterrole
 subjects:
-- kind: ServiceAccount
-  name: {{ template "postgres-operator.serviceAccountName" . }}
-  namespace: "{{ .Release.Namespace }}"
+- apiGroup: rbac.authorization.k8s.io
+  kind: User
+  name: postgres-operator
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: pgopclusterbindingcrd
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: pgopclusterrolecrd
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+  kind: User
+  name: postgres-operator
+
 {{ end }}

chart/postgres-operator/templates/cluster-role.yaml

@@ -2,33 +2,34 @@
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRole
 metadata:
-  name: {{ template "postgres-operator.fullname" . }}
-  labels:
-    app: {{ template "postgres-operator.name" . }}
-    chart: {{ template "postgres-operator.chart" . }}
-    release: {{ .Release.Name }}
-    heritage: {{ .Release.Service }}
+  name: pgopclusterrole
 rules:
   - verbs:
       - get
       - list
-      - watch
-      - create
-      - patch
-      - update
     apiGroups:
       - '*'
     resources:
-      - customresourcedefinitions
-      - customresourcedefinitions/status
       - nodes
-      - jobs
-      - jobs/status
-      - pgbackups
-      - pgingests
+
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: pgopclusterrolecrd
+rules:
+  - verbs:
+      - '*'
+    apiGroups:
+      - '*'
+    resources:
       - pgclusters
       - pgpolicies
-      - pgpolicylogs
       - pgupgrades
       - pgtasks
-{{ end }}
+      - pgingests
+      - pgbackups
+      - pgreplicas
+
+
+{{ end }}

chart/postgres-operator/templates/deployment.yaml

@@ -15,8 +15,9 @@ spec:
         app: {{ template "postgres-operator.name" . }}
         release: {{ .Release.Name }}
     spec:
+      serviceAccountName: postgres-operator
       containers:
-        - name: {{ .Chart.Name }}-apiserver
+        - name: apiserver
           image: "{{ .Values.env.co_image_prefix }}/pgo-apiserver:{{ .Values.env.co_image_tag }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           securityContext: {}
@@ -36,7 +37,7 @@ spec:
             - name: operator-conf
               mountPath: /operator-conf
               readOnly: true
-        - name: {{ .Chart.Name }}-operator
+        - name: operator
           image: "{{ .Values.env.co_image_prefix }}/postgres-operator:{{ .Values.env.co_image_tag }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           securityContext: {}

chart/postgres-operator/templates/rbac.yaml

@@ -0,0 +1,66 @@
+{{ if .Values.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: postgres-operator
+  labels:
+    app: {{ template "postgres-operator.name" . }}
+    chart: {{ template "postgres-operator.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+  namespace: "{{ .Release.Namespace }}"
+
+---
+
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: pgo-role
+  namespace: "{{ .Release.Namespace }}"
+rules:
+- apiGroups:
+  - '*'
+  resources:
+  - "*"
+  verbs:
+  - "*"
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  - services
+  - endpoints
+  - persistentvolumeclaims
+  - events
+  - configmaps
+  - secrets
+  verbs:
+  - "*"
+- apiGroups:
+  - apps
+  resources:
+  - deployments
+  - daemonsets
+  - replicasets
+  - statefulsets
+  verbs:
+  - "*"
+
+---
+
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: pgo-role-binding
+  namespace: "{{ .Release.Namespace }}"
+subjects:
+- kind: ServiceAccount
+  name: postgres-operator
+  namespace: "{{ .Release.Namespace }}"
+roleRef:
+  kind: Role
+  name: pgo-role
+  apiGroup: rbac.authorization.k8s.io
+
+
+{{ end }}

chart/postgres-operator/templates/role-binding.yaml

@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: tiller
+  namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: tiller
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+  - kind: ServiceAccount
+    name: tiller
+    namespace: kube-system

chart/postgres-operator/templates/role.yaml

@@ -121,7 +121,6 @@ tar xvzf ./postgres-operator.3.2.tar.gz
 Next, deploy the operator to your Kubernetes cluster -
 ....
 cd $COROOT
-go get github.com/blang/expenv
 make installrbac
 make deployoperator
 ....