From a6a549547741d10375b5f71a6401de91b950db0a Mon Sep 17 00:00:00 2001
From: Gregor Tudan
Date: Thu, 27 Jun 2024 17:04:57 +0200
Subject: [PATCH] Move cluster role to a separate template. (#5721)
Move cluster role to a separate template, to allow disabling it without breaking the service account
---
 .../seaweedfs/templates/cluster-role.yaml | 35 +++++++++++++++++
 .../seaweedfs/templates/service-account.yaml | 38 +------------------
 2 files changed, 36 insertions(+), 37 deletions(-)
 create mode 100644 k8s/charts/seaweedfs/templates/cluster-role.yaml
diff --git a/k8s/charts/seaweedfs/templates/cluster-role.yaml b/k8s/charts/seaweedfs/templates/cluster-role.yaml
new file mode 100644
index 000000000..154de0675
--- /dev/null
+++ b/k8s/charts/seaweedfs/templates/cluster-role.yaml
@@ -0,0 +1,35 @@
+{{- if .Values.global.createClusterRole }}
+#hack for delete pod master after migration
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ .Values.global.serviceAccountName }}-rw-cr
+ labels:
+ app.kubernetes.io/name: {{ template "seaweedfs.name" . }}
+ helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+rules:
+ - apiGroups: [""]
+ resources: ["pods"]
+ verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: system:serviceaccount:{{ .Values.global.serviceAccountName }}:default
+ labels:
+ app.kubernetes.io/name: {{ template "seaweedfs.name" . }}
+ helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ .Values.global.serviceAccountName }}
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ .Values.global.serviceAccountName }}-rw-cr
+{{- end }}
\ No newline at end of file
diff --git a/k8s/charts/seaweedfs/templates/service-account.yaml b/k8s/charts/seaweedfs/templates/service-account.yaml
index 56f18ac5b..a00c9f3f7 100644
--- a/k8s/charts/seaweedfs/templates/service-account.yaml
+++ b/k8s/charts/seaweedfs/templates/service-account.yaml
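Review bot: The `rules` entry in the new cluster-role.yaml gives the chart's service account `create`, `update`, `patch` and `delete` on `pods` in every namespace, which is much broader than the "delete pod master after migration" purpose stated in the template's own comment. Cluster-wide pod create/patch means a compromised workload holding this token can start or alter pods outside the release namespace, so the rule is worth narrowing now that it has its own template. If the pod being deleted lives in the release namespace (the hunk does not show the caller), a namespaced `kind: Role` / `kind: RoleBinding` with `namespace: {{ .Release.Namespace }}` and only the verbs actually used would suffice. The binding name `system:serviceaccount:{{ .Values.global.serviceAccountName }}:default` also borrows the `system:` prefix that Kubernetes uses for control-plane-managed RBAC objects and is not release-scoped, so two releases sharing a service-account name would collide; a name such as `{{ .Release.Name }}-{{ .Values.global.serviceAccountName }}-rw-crb` avoids both.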
@@ -1,20 +1,3 @@
-{{- if .Values.global.createClusterRole }}
-#hack for delete pod master after migration
----
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: {{ .Values.global.serviceAccountName }}-rw-cr
- labels:
- app.kubernetes.io/name: {{ template "seaweedfs.name" . }}
- helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- app.kubernetes.io/managed-by: {{ .Release.Service }}
- app.kubernetes.io/instance: {{ .Release.Name }}
-rules:
- - apiGroups: [""]
- resources: ["pods"]
- verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
----
 apiVersion: v1
 kind: ServiceAccount
 metadata:
@@ -24,23 +7,4 @@ metadata:
 app.kubernetes.io/name: {{ template "seaweedfs.name" . }}
 helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
- app.kubernetes.io/instance: {{ .Release.Name }}
----
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: system:serviceaccount:{{ .Values.global.serviceAccountName }}:default
- labels:
- app.kubernetes.io/name: {{ template "seaweedfs.name" . }}
- helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- app.kubernetes.io/managed-by: {{ .Release.Service }}
- app.kubernetes.io/instance: {{ .Release.Name }}
-subjects:
-- kind: ServiceAccount
- name: {{ .Values.global.serviceAccountName }}
- namespace: {{ .Release.Namespace }}
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: {{ .Values.global.serviceAccountName }}-rw-cr
-{{- end }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
\ No newline at end of file