Add Kubernetes secret RBAC support to Helm chart

Add Role and RoleBinding templates for reading Kubernetes secrets.
Bump Helm chart version to 0.16.1.
Fix service account name resolution in _helpers.tpl.

Made-with: Cursor

Author: ZOHARGO

helm/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: sql-exporter
 description: Database-agnostic SQL exporter for Prometheus
 type: application
-version: 0.16.0
+version: 0.16.1
 appVersion: 0.20.0
 keywords:
   - exporter

helm/templates/_helpers.tpl

@@ -77,7 +77,11 @@ Common annotations
 Create the name of the service account to use
 */}}
 {{- define "sql-exporter.serviceAccountName" -}}
-{{- dig "serviceAccount" "name" "default" .Values }}
+{{- if .Values.serviceAccount.create -}}
+{{ default (include "sql-exporter.fullname" .) .Values.serviceAccount.name }}
+{{- else -}}
+{{ default "default" .Values.serviceAccount.name }}
+{{- end -}}
 {{- end }}
 
 {{- define "sql-exporter.volumes" -}}

helm/templates/serviceaccount.yaml

@@ -14,4 +14,30 @@ metadata:
       {{- toYaml . | nindent 4 }}
     {{- end }}
 automountServiceAccountToken: {{ default "false" .Values.serviceAccount.automountServiceAccountToken }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ template "sql-exporter.fullname" . }}-secret-reader
+  labels:
+    {{- include "sql-exporter.labels" . | nindent 4 }}
+rules:
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["get"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ template "sql-exporter.fullname" . }}-secret-reader
+  labels:
+    {{- include "sql-exporter.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ template "sql-exporter.fullname" . }}-secret-reader
+subjects:
+- kind: ServiceAccount
+  name: {{ template "sql-exporter.fullname" . }}
+  namespace: {{ .Release.Namespace }}
 {{- end }}