Merge branch 'posixfs-support-3'

Author: Your Name

charts/opencloud-microservices/Chart.yaml

@@ -12,7 +12,7 @@ maintainers:
     email: [email protected]
     url: https://opencloud.eu
 type: application
-version: 0.3.2
+version: 0.3.3
 # renovate: datasource=docker depName=opencloudeu/opencloud-rolling
 appVersion: 3.4.0
 kubeVersion: ""

charts/opencloud-microservices/deployments/timoni/opencloud/configmap.yaml

@@ -15,11 +15,6 @@ data:
   EXTERNAL_DOMAIN: "cloud.opencloud.test"
   TAG: ""
 
-  ###############################################################################
-  # Flux RBAC Configuration
-  ###############################################################################
-  SERVICE_ACCOUNT_ENABLED: "true"
-
   ###############################################################################
   # Deployment Strategy
   ###############################################################################

charts/opencloud-microservices/deployments/timoni/opencloud/opencloud.cue

@@ -14,7 +14,7 @@ bundle: {
                 }
                 chart: {
                     name:    "opencloud-microservices"
-                    version: "0.3.2"
+                    version: "0.3.3"
                 }
                 sync: {
                     timeout: 10
@@ -37,9 +37,6 @@ bundle: {
                         level: string @timoni(runtime:string:OPENCLOUD_LOGGING_LEVEL)
                     }
                     externalDomain: string @timoni(runtime:string:EXTERNAL_DOMAIN)
-                    serviceAccount: {
-                        enabled: bool @timoni(runtime:bool:SERVICE_ACCOUNT_ENABLED)
-                    }
                     image: {
                         tag: string @timoni(runtime:string:TAG)
                     }

charts/opencloud-microservices/deployments/timoni/opencloud/runtime.cue

@@ -116,7 +116,6 @@ runtime: {
 				"ANTIVIRUS_INFECTED_FILE_HANDLING": "obj.data.ANTIVIRUS_INFECTED_FILE_HANDLING"
 				"ANTIVIRUS_ICAP_URL": "obj.data.ANTIVIRUS_ICAP_URL"
 				"ANTIVIRUS_ICAP_SERVICE": "obj.data.ANTIVIRUS_ICAP_SERVICE"
-				"SERVICE_ACCOUNT_ENABLED": "obj.data.SERVICE_ACCOUNT_ENABLED"
 			}
 		}
 	]

charts/opencloud-microservices/deployments/timoni/opencloud/sa.yaml

@@ -0,0 +1,33 @@
+# Service account opencloud namespace
+# 1) ServiceAccount — Flux will impersonate this
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: flux
+  namespace: opencloud        # <- target namespace
+---
+# 2) Role — full power *inside* that namespace
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: flux-full-access
+  namespace: opencloud
+rules:
+  - apiGroups:   ["*"]     # core & all groups
+    resources:   ["*"]     # every namespaced resource
+    verbs:       ["*"]     # get, list, create, delete, …
+---
+# 3) RoleBinding — ties the Role to the SA
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: flux-full-access-binding
+  namespace: opencloud
+subjects:
+  - kind:      ServiceAccount
+    name:      flux
+    namespace: opencloud
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind:     Role
+  name:     flux-full-access

charts/opencloud-microservices/values.schema.json

@@ -2,6 +2,20 @@
   "$schema": "http://json-schema.org/draft-07/schema#",
   "additionalProperties": false,
   "properties": {
+     "serviceAccount": {
+      "additionalProperties": false,
+      "description": "ServiceAccount for Flux RBAC",
+      "properties": {
+        "enabled": {
+          "required": [],
+          "title": "enabled",
+          "type": "boolean"
+        }
+      },
+      "required": [],
+      "title": "serviceAccount",
+      "type": "object"
+    },
     "autoscaling": {
       "additionalProperties": true,
       "description": "Autoscaling settings.",
@@ -13363,21 +13377,5 @@
     "minio",
     "keycloak"
   ],
-  "properties": {
-    "serviceAccount": {
-      "additionalProperties": false,
-      "description": "ServiceAccount for Flux RBAC",
-      "properties": {
-        "enabled": {
-          "required": [],
-          "title": "enabled",
-          "type": "boolean"
-        }
-      },
-      "required": [],
-      "title": "serviceAccount",
-      "type": "object"
-    }
-  },
   "type": "object"
 }