
Commit 98285a9

mms-build-account Rodrigo Valin
authored and committed
Updated: helm_chart/templates/operator-roles.yaml
1 parent 80cb98a commit 98285a9

1 file changed

+47
-64
lines changed

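--- a/helm_chart/templates/operator-roles.yaml
+++ b/helm_chart/templates/operator-roles.yaml
@@ -1,27 +1,36 @@
+{{ if .Values.operator.createOperatorServiceAccount }}
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
 name: {{ .Values.operator.name }}
-{{- if .Values.namespace }}
 namespace: {{ .Values.namespace }}
-{{- end }}
 {{- if .Values.registry.imagePullSecrets}}
 imagePullSecrets:
 - name: {{ .Values.registry.imagePullSecrets }}
 {{- end }}
 
+{{- end }}
+
+{{- $watchNamespace := list .Values.namespace }}
+{{- if .Values.operator.watchNamespace }}
+{{- $watchNamespace = regexSplit "," .Values.operator.watchNamespace -1 }}
+{{- $watchNamespace = concat $watchNamespace (list .Values.namespace) }}
+{{- end }}
+
+{{- $roleScope := "Role" -}}
+{{- if or (gt (len $watchNamespace) 1) (eq (first $watchNamespace) "*") }}
+{{- $roleScope = "ClusterRole" }}
+{{- end }}
 
 ---
-kind: {{ if eq (.Values.operator.watchNamespace | default "") "*" }} ClusterRole {{ else }} Role {{ end }}
+kind: {{ $roleScope }}
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
 name: {{ .Values.operator.name }}
-{{- if not (eq (.Values.operator.watchNamespace | default "*") "*") }}
-namespace: {{ .Values.operator.watchNamespace }}
-{{- else }}
+{{- if eq $roleScope "Role" }}
 namespace: {{ .Values.namespace }}
-{{- end }}
+{{- end }}
 rules:
 - apiGroups:
 - ""
@@ -65,30 +74,36 @@ rules:
 - get
 - list
 - watch
-{{- if eq (.Values.operator.watchNamespace | default "") "*" }}
-- apiGroups:
-- ""
-resources:
-- namespaces
-verbs:
-- list
-- watch
-{{- end}}
+- delete
+- deletecollection
 - apiGroups:
 - mongodb.com
+verbs:
+- "*"
 resources:
 - mongodb
 - mongodb/finalizers
 - mongodbusers
 - opsmanagers
 - opsmanagers/finalizers
+- mongodbmulti
+- mongodbmulti/finalizers
 {{- if .Values.subresourceEnabled }}
 - mongodb/status
 - mongodbusers/status
 - opsmanagers/status
+- mongodbmulti/status
 {{- end }}
+{{- if eq $roleScope "ClusterRole" }}
+- apiGroups:
+- ""
+resources:
+- namespaces
 verbs:
-- "*"
+- list
+- watch
+{{- end}}
+
 # This ClusterRoleBinding is necessary in order to use validating
 # webhooks—these will prevent you from applying a variety of invalid resource
 # definitions. The validating webhooks are optional so this can be removed if
@@ -108,61 +123,29 @@ subjects:
 name: {{ .Values.operator.name }}
 namespace: {{ .Values.namespace }}
 
----
-kind: {{ if eq (.Values.operator.watchNamespace | default "") "*" }} ClusterRoleBinding {{ else }} RoleBinding {{ end }}
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-name: {{ .Values.operator.name }}
-{{- if not (eq (.Values.operator.watchNamespace | default "*") "*") }}
-namespace: {{ .Values.operator.watchNamespace }}
-{{- else }}
-namespace: {{ .Values.namespace }}
-{{- end }}
-roleRef:
-apiGroup: rbac.authorization.k8s.io
-kind: {{ if eq (.Values.operator.watchNamespace | default "") "*" }} ClusterRole {{ else }} Role {{ end }}
-name: {{ .Values.operator.name }}
-subjects:
-- kind: ServiceAccount
-name: {{ .Values.operator.name }}
-{{- if .Values.namespace }}
-namespace: {{ .Values.namespace }}
-{{- end }}
+{{- range $idx, $namespace := $watchNamespace }}
 
-# This ClusterRole is needed if the user wants to use the Kubernetes CA
-# infrastructure to generate certificates.
-{{- if .Values.needsCAInfrastructure }}
----
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-name: {{ .Values.operator.name }}-{{ .Values.namespace }}-certs
-rules:
-- apiGroups:
-- certificates.k8s.io
-resources:
-- certificatesigningrequests
-verbs:
-- get
-- create
-- list
-- watch
+{{- $namespaceBlock := "" }}
+{{- if not (eq $namespace "*") }}
+{{- $namespaceBlock = printf "namespace: %s" $namespace }}
+{{- end }}
 
 ---
+{{- if eq $namespace "*" }}
 kind: ClusterRoleBinding
+{{- else }}
+kind: RoleBinding
+{{- end }}
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-name: {{ .Values.operator.name }}-{{ .Values.namespace }}-certs-binding
-namespace: {{ .Values.namespace }}
+name: {{ $.Values.operator.name }}
+{{ $namespaceBlock }}
 roleRef:
 apiGroup: rbac.authorization.k8s.io
-kind: ClusterRole
-name: {{ .Values.operator.name }}-{{ .Values.namespace }}-certs
+kind: {{ $roleScope }}
+name: {{ $.Values.operator.name }}
 subjects:
 - kind: ServiceAccount
-name: {{ .Values.operator.name }}
-namespace: {{ .Values.namespace }}
-
+name: {{ $.Values.operator.name }}
+namespace: {{ $.Values.namespace }}
 {{- end }}
-
-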
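Review bot: The `$watchNamespace` list assembled at new lines 15–18 of the first hunk is never de-duplicated, so a `watchNamespace` value that names the operator's own namespace, or lists a namespace twice, reaches the `range` at new line 126 of the last hunk and renders two RoleBindings with the same name in the same namespace, which is likely to be rejected or silently collapsed on apply; `{{- $watchNamespace = concat $watchNamespace (list .Values.namespace) | uniq }}` removes the duplicates. The `regexSplit "," ... -1` on line 17 also keeps surrounding whitespace, so `"ns1, ns2"` yields an entry `" ns2"` and `" *"` would not satisfy the `eq $namespace "*"` test at new line 129 — trimming each entry before it is used would make both the scope test and the rendered `namespace:` value robust. Because `.Values.namespace` is always appended, any non-empty `watchNamespace` — even a single namespace — makes `len $watchNamespace` exceed 1 and promotes the role to a ClusterRole at new line 22; if that is intended, a comment above line 21 such as `# any explicit watchNamespace yields a ClusterRole, granted per namespace through RoleBindings` would make the RBAC scope explicit for reviewers. Note too that the namespaces `list`/`watch` rule at new lines 97–105 is now emitted for that multi-namespace ClusterRole as well, where it has no effect under a RoleBinding but would take effect if the role were later bound cluster-wide.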
