feat(cf-common): add cluster wide rbac (#26)

* feat(cf-common): add cluster wide rbac

Author: mikhail-klimko

charts/cf-common-test/tests/rbac/metadata_test.yaml

@@ -59,6 +59,7 @@ tests:
         enabled: true
       rbac:
         enabled: true
+        namespaced: true
         rules:
           - apiGroups:
               - ""
@@ -98,6 +99,7 @@ tests:
         enabled: true
       rbac:
         enabled: true
+        namespaced: true
         rules:
           - apiGroups:
               - ""
@@ -129,3 +131,35 @@ tests:
           path: metadata.name
           value: RELEASE-NAME-cf-common-test
         documentIndex: 2
+
+  - it: Test cluster role and binding are created when rbac.namespaced=false
+    template: templates/rbac.yaml
+    values:
+      - values.yaml
+    set:
+      rbac:
+        namespaced: false
+    asserts:
+      - hasDocuments:
+          count: 3
+      - isKind:
+          of: ServiceAccount
+        documentIndex: 0
+      - isKind:
+          of: ClusterRole
+        documentIndex: 1
+      - isKind:
+          of: ClusterRoleBinding
+        documentIndex: 2
+      - equal:
+          path: metadata.labels
+          value:
+            app.kubernetes.io/instance: RELEASE-NAME
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: cf-common-test
+            helm.sh/chart: cf-common-test-0.0.0
+        documentIndex: 1
+      - equal:
+          path: metadata.name
+          value: RELEASE-NAME-cf-common-test
+        documentIndex: 1

charts/cf-common-test/tests/rbac/spec_test.yaml

@@ -35,6 +35,7 @@ tests:
         enabled: true
       rbac:
         enabled: true
+        namespaced: true
         rules:
           - apiGroups:
               - ""
@@ -63,6 +64,7 @@ tests:
         enabled: true
       rbac:
         enabled: true
+        namespaced: true
         rules:
           - apiGroups:
               - ""

charts/cf-common-test/tests/rbac/values.yaml

@@ -18,3 +18,4 @@ serviceAccount:
   enabled: true
 rbac:
   enabled: true
+  namespaced: true

charts/cf-common/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 appVersion: v0.0.0
 description: Codefresh library chart
 name: cf-common
-version: 0.0.23
+version: 0.0.24
 type: library
 keywords:
   - codefresh

charts/cf-common/README.md

@@ -2,7 +2,7 @@
 
 Codefresh library chart
 
-![Version: 0.0.23](https://img.shields.io/badge/Version-0.0.23-informational?style=flat-square) ![Type: library](https://img.shields.io/badge/Type-library-informational?style=flat-square) ![AppVersion: v0.0.0](https://img.shields.io/badge/AppVersion-v0.0.0-informational?style=flat-square)
+![Version: 0.0.24](https://img.shields.io/badge/Version-0.0.24-informational?style=flat-square) ![Type: library](https://img.shields.io/badge/Type-library-informational?style=flat-square) ![AppVersion: v0.0.0](https://img.shields.io/badge/AppVersion-v0.0.0-informational?style=flat-square)
 
 ## Installing the Chart
 
@@ -18,7 +18,7 @@ Include this chart as a dependency in your `Chart.yaml` e.g.
 # Chart.yaml
 dependencies:
 - name: cf-common
-  version: 0.0.23
+  version: 0.0.24
   repository: https://chartmuseum.codefresh.io/cf-common
 ```
 
@@ -126,6 +126,7 @@ dependencies:
 | podSecurityContext | object | `{}` | Set security context for the pod |
 | rbac | object | See below | Configure RBAC parameters |
 | rbac.enabled | bool | `false` | Enable RBAC resources |
+| rbac.namespaced | bool | `true` | Restrict RBAC in a single namespace instead of cluster-wide scope |
 | rbac.rules | list | `[]` | Create custom rules |
 | secrets.secret | object | `{"annotation":{},"data":{},"enabled":false,"labels":{},"stringData":{},"type":"Opaque"}` | Secret name. Make sure to use the same name in `volumes` and `container.volumeMounts` |
 | secrets.secret.annotation | object | `{}` | Add additional annotations to the secret |

charts/cf-common/templates/render/_rbac.tpl

@@ -24,19 +24,19 @@ secrets:
 {{- if and .Values.serviceAccount.enabled .Values.rbac.enabled  }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
+kind: {{ .Values.rbac.namespaced | ternary "Role" "ClusterRole" }}
 metadata:
   name: {{ include "cf-common.names.fullname" $ }}
   labels: {{ include "cf-common.labels.standard" . | nindent 4 }}
 rules: {{ include "cf-common.tplrender" (dict "Values" .Values.rbac.rules "context" $) | nindent 2 }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
+kind: {{ .Values.rbac.namespaced | ternary "RoleBinding" "ClusterRoleBinding" }}
 metadata:
   name: {{ include "cf-common.names.fullname" $ }}
   labels: {{ include "cf-common.labels.standard" . | nindent 4 }}
 roleRef:
-  kind: Role
+  kind: {{ .Values.rbac.namespaced | ternary "Role" "ClusterRole" }}
   name: {{ include "cf-common.names.fullname" $ }}
   apiGroup: rbac.authorization.k8s.io
 subjects:

charts/cf-common/values.yaml

@@ -543,6 +543,8 @@ serviceAccount:
 rbac:
   # -- Enable RBAC resources
   enabled: false
+  # -- Restrict RBAC in a single namespace instead of cluster-wide scope
+  namespaced: true
   # -- Create custom rules
   rules: []
   # E.g.