Merge pull request #6736 from zalando-incubator/config-provider-service

Author: szuecs

cluster/config-defaults.yaml

@@ -934,8 +934,9 @@ disable_zmon_appliance_worker_tracking: "true"
 # Add ClusterRole for clusters required by hyped-article-lifecycle-management controller
 hyped_article_lifecycle_management: "false"
 
-# Add ClusterRole for clusters required by business-partner controller
+# Add ClusterRole for clusters required by business-partner and config-provider controller
 business_partner_service: "false"
+config_provider_service: "false"
 
 # enable SizeMemoryBackedVolumes feature flag
 enable_size_memory_backed_volumes: "true"

cluster/manifests/deletions.yaml

@@ -247,6 +247,12 @@ post_apply:
 - name: business-partner-service
   kind: ClusterRoleBinding
 {{ end }}
+{{ if eq .Cluster.ConfigItems.config_provider_service "false" }}
+- name: config-provider-service
+  kind: ClusterRole
+- name: config-provider-service
+  kind: ClusterRoleBinding
+{{ end }}
 {{ if ne .Cluster.ConfigItems.kubelet_summary_metrics_enabled "true" }}
 - name: kubelet-summary-metrics
   kind: ClusterRole

cluster/manifests/roles/config-provider-rbac.yaml

@@ -0,0 +1,33 @@
+{{- if eq .Cluster.ConfigItems.config_provider_service "true" }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: config-provider-service
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  resourceNames:
+  - business-partners-config
+  - sales-channels-config
+  verbs:
+  - get
+  - create
+  - update
+  - patch
+  - delete
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: config-provider-service
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: config-provider-service
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+  kind: User
+  name: zalando-iam:zalando:service:stups_config-provider-service
+{{- end }}