From 9bea8290c7e6df9374d983686712cebc77c27d8d Mon Sep 17 00:00:00 2001 From: Marc <7050295+marcleblanc2@users.noreply.github.com> Date: Thu, 26 Jun 2025 16:19:31 -0600 Subject: [PATCH] Create Values.frontend.createRoleBinding to allow it to be disabled (#704) ### Checklist - [x] Follow the [manual testing process](https://github.com/sourcegraph/deploy-sourcegraph-helm/blob/main/TEST.md) - [ ] Update [changelog](https://github.com/sourcegraph/deploy-sourcegraph-helm/blob/main/charts/sourcegraph/CHANGELOG.md) - [ ] Update [Kubernetes update doc](https://docs.sourcegraph.com/admin/updates/kubernetes) ### Test plan Ran `helm template`, `helm lint`, and `helm unittest`, all passed (cherry picked from commit 2e145ab96319bacb6e102a95e6ecca7f5e7732f2) --- charts/sourcegraph/README.md | 1 + .../templates/frontend/sourcegraph-frontend.RoleBinding.yaml | 2 ++ charts/sourcegraph/values.yaml | 2 ++ 3 files changed, 5 insertions(+) diff --git a/charts/sourcegraph/README.md b/charts/sourcegraph/README.md index 08110c8e..103dc890 100644 --- a/charts/sourcegraph/README.md +++ b/charts/sourcegraph/README.md @@ -94,6 +94,7 @@ In addition to the documented values, all services also support the following va | codeIntelDB.storageSize | string | `"200Gi"` | PVC Storage Request for `codeintel-db` data volume | | extraResources | list | `[]` | Additional resources to include in the rendered manifest. Templates are supported. | | frontend.containerSecurityContext | object | `{"allowPrivilegeEscalation":false,"readOnlyRootFilesystem":true,"runAsGroup":101,"runAsUser":100}` | Security context for the `frontend` container, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) | +| frontend.createRoleBinding | bool | `true` | Disable the roleBinding resource for deployment environments blocking RBAC, ex. OpenShift's default "secure" SCC | | frontend.env | object | the chart will add some default environment values | Environment variables for the `frontend` container | | frontend.image.defaultTag | string | `"6.0.0@sha256:d4f21178096da5fdb3804099ae9de2e050b06e859a327aa79452b1ea2f3ede0a"` | Docker image tag for the `frontend` image | | frontend.image.name | string | `"frontend"` | Docker image name for the `frontend` image | diff --git a/charts/sourcegraph/templates/frontend/sourcegraph-frontend.RoleBinding.yaml b/charts/sourcegraph/templates/frontend/sourcegraph-frontend.RoleBinding.yaml index e470cd91..02075fcc 100644 --- a/charts/sourcegraph/templates/frontend/sourcegraph-frontend.RoleBinding.yaml +++ b/charts/sourcegraph/templates/frontend/sourcegraph-frontend.RoleBinding.yaml @@ -1,3 +1,4 @@ +{{- if .Values.frontend.createRoleBinding }} apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -21,3 +22,4 @@ subjects: - kind: ServiceAccount name: {{ include "sourcegraph.serviceAccountName" (list . "frontend") }} namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/sourcegraph/values.yaml b/charts/sourcegraph/values.yaml index afab1c1f..320f488d 100644 --- a/charts/sourcegraph/values.yaml +++ b/charts/sourcegraph/values.yaml @@ -326,6 +326,8 @@ frontend: runAsUser: 100 runAsGroup: 101 readOnlyRootFilesystem: true + # -- Disable the roleBinding resource for deployment environments blocking RBAC, ex. OpenShift's default "secure" SCC + createRoleBinding: true # -- Security context for the `frontend` pod, # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) podSecurityContext: {}