remove dedicated options to define RBAC

xrstf · xrstf · commit f5a4c4893b96 · 2025-01-10T12:25:42.000+01:00
This offered no real benefit over someone simply having their own rbac.yaml. Adding this as an option to the chart just means we have to continue to support it, and why would we then only support defining custom RBAC and not even other resources? At that point we would become a meta-meta Helm chart and that's just not worth it. On-behalf-of: @SAP christoph.mewes@sap.com
diff --git a/charts/api-syncagent/templates/deployment.yaml b/charts/api-syncagent/templates/deployment.yaml
@@ -3,7 +3,7 @@ kind: ServiceAccount
 metadata:
   name: '{{ template "name" . }}'
   labels:
-    app.kubernetes.io/name: kcp-sync-agent
+    app.kubernetes.io/name: kcp-api-syncagent
     app.kubernetes.io/instance: '{{ template "agentname" . }}'
 
 ---
@@ -15,12 +15,12 @@ spec:
   replicas: {{ .Values.replicas | default 1 }}
   selector:
     matchLabels:
-      app.kubernetes.io/name: kcp-sync-agent
+      app.kubernetes.io/name: kcp-api-syncagent
       app.kubernetes.io/instance: '{{ template "agentname" . }}'
   template:
     metadata:
       labels:
-        app.kubernetes.io/name: kcp-sync-agent
+        app.kubernetes.io/name: kcp-api-syncagent
         app.kubernetes.io/instance: '{{ template "agentname" . }}'
         app.kubernetes.io/version: '{{ .Values.image.tag | default .Chart.AppVersion }}'
     spec:
diff --git a/charts/api-syncagent/templates/rbac.yaml b/charts/api-syncagent/templates/rbac.yaml
@@ -1,5 +1,3 @@
-{{- if .Values.rbac.create }}
----
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
@@ -42,8 +40,7 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: '{{ template "name" . }}:{{ .Release.Namespace }}:services'
-  namespace: kdp
+  name: '{{ template "name" . }}:{{ .Release.Namespace }}'
 rules:
   - apiGroups:
       - ""
@@ -55,55 +52,12 @@ rules:
       - watch
       - create
       - update
-  - apiGroups:
-      - services.syncagent.kcp.io
-    resources:
-      - publishedresources
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - services.syncagent.kcp.io
-    resources:
-      - publishedresources/status
-    verbs:
-      - create
-      - get
-      - update
-      - patch
-
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: '{{ template "name" . }}:{{ .Release.Namespace }}:services'
-  namespace: kdp
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: '{{ template "name" . }}:{{ .Release.Namespace }}:services'
-subjects:
-  - kind: ServiceAccount
-    name: '{{ template "name" . }}'
-    namespace: '{{ .Release.Namespace }}'
-{{- end }}
-
-{{ if .Values.rbac.createClusterRole }}
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: '{{ template "name" . }}:{{ .Release.Namespace }}'
-  namespace: kdp
-rules: {{ .Values.rbac.rules | toYaml | nindent 2 }}
 
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: '{{ template "name" . }}:{{ .Release.Namespace }}'
-  namespace: kdp
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
@@ -112,4 +66,3 @@ subjects:
   - kind: ServiceAccount
     name: '{{ template "name" . }}'
     namespace: '{{ .Release.Namespace }}'
-{{ end }}
diff --git a/charts/api-syncagent/values.yaml b/charts/api-syncagent/values.yaml
@@ -29,15 +29,6 @@ image:
 
 replicas: 2
 
-rbac:
-  # When set to false, no RBAC will be created.
-  create: true
-  # When set to true, will create a ClusterRole named "<releasename>:<namespace>"
-  # and assign it the configured rules; use this to provide additional permissions
-  # for the Sync Agent.
-  createClusterRole: false
-  rules: []
-
 resources:
   requests:
     cpu: 100m
