TEAMENG-1150: Give RBAC permissions to the Connector for cluster formation (#5)

Author: ramnes

charts/connector/templates/_helpers.tpl

@@ -44,3 +44,16 @@ Selector labels
 app.kubernetes.io/name: {{ include "connector.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "connector.serviceAccountName" -}}
+{{- if .Values.serviceAccount.name }}
+{{- .Values.serviceAccount.name }}
+{{- else if .Values.serviceAccount.create }}
+{{- include "connector.fullname" . }}
+{{- else }}
+{{- fail "Cannot determine service account name. Either set serviceAccount.create=true or provide serviceAccount.name" }}
+{{- end }}
+{{- end }}

charts/connector/templates/deployment.yaml

@@ -23,9 +23,7 @@ spec:
     spec:
       securityContext:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
-      {{- if .Values.serviceAccount.name }}
-      serviceAccountName: {{ .Values.serviceAccount.name }}
-      {{- end }}
+      serviceAccountName: {{ include "connector.serviceAccountName" . }}
       containers:
         - name: {{ .Chart.Name }}
           securityContext:

charts/connector/templates/rbac.yaml

@@ -0,0 +1,30 @@
+{{- if .Values.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "connector.fullname" . }}
+  labels:
+    {{- include "connector.labels" . | nindent 4 }}
+rules:
+- apiGroups: [""]
+  resources: ["pods"]
+  verbs: ["get", "list"]
+- apiGroups: ["coordination.k8s.io"]
+  resources: ["leases"]
+  verbs: ["get", "create", "update", "delete"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "connector.fullname" . }}
+  labels:
+    {{- include "connector.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "connector.fullname" . }}
+subjects:
+- kind: ServiceAccount
+  name: {{ include "connector.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+{{- end }}

charts/connector/templates/serviceaccount.yaml

@@ -0,0 +1,8 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "connector.serviceAccountName" . }}
+  labels:
+    {{- include "connector.labels" . | nindent 4 }}
+{{- end }}

charts/connector/values.yaml

@@ -59,7 +59,16 @@ podAnnotations:
   cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
 volumes: []
 volumeMounts: []
+
+# RBAC resources give pod and lease permissions to the service account for
+# cluster formation (pod discovery + lease-based bootstrap coordination)
+rbac:
+  create: true
+
+# Set to `create` to false and provide your own service account name if you
+# don't want this chart to create one
 serviceAccount:
+  create: true
   name: ""
 
 # Extra manifests to deploy as an array of objects