Merge pull request #44 from foomo/namespace-v0.2.3

Namespace v0.2.3
foomo · Nov 8, 2024 · d93f7a4 · d93f7a4
2 parents 80192f5 + 842a392
commit d93f7a4
Show file tree

Hide file tree

Showing 7 changed files with 131 additions and 5 deletions.
diff --git a/charts/namespace/Chart.yaml b/charts/namespace/Chart.yaml
@@ -14,5 +14,5 @@ annotations:
     - name: Chart Source
       url: https://github.com/foomo/helm-charts
 
-version: 0.2.2
-appVersion: 0.2.2
+version: 0.2.3
+appVersion: 0.2.3
diff --git a/charts/namespace/README.md b/charts/namespace/README.md
@@ -1,6 +1,6 @@
 # namespace
 
-![Version: 0.2.2](https://img.shields.io/badge/Version-0.2.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.2.2](https://img.shields.io/badge/AppVersion-0.2.2-informational?style=flat-square)
+![Version: 0.2.3](https://img.shields.io/badge/Version-0.2.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.2.3](https://img.shields.io/badge/AppVersion-0.2.3-informational?style=flat-square)
 
 Common Namespace Resource Chart
 
@@ -16,7 +16,9 @@ Common Namespace Resource Chart
 
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
+| clusterRoles | object | `{}` | Cluster Roles to create |
 | dockerSecrets | object | `{}` | Docker config json secrets |
+| roleBindings | object | `{}` | Role Bindings to create |
 | secrets | object | `{}` | Opaque secrets |
 | serviceAccounts | object | `{}` | Service accounts settings |
 | tlsSecrets | object | `{}` | TLS secrets |

diff --git a/charts/namespace/examples/k9s.yaml b/charts/namespace/examples/k9s.yaml
@@ -0,0 +1,19 @@
+clusterRoles:
+  k9s:
+    rules:
+      # Grants RO access to cluster resources node, pod and namespace
+      - apiGroups: [""]
+        resources: ["nodes", "namespaces", "persistentvolumes", "pods"]
+        verbs: ["get", "list", "watch"]
+      # Grants RO access to RBAC resources
+      - apiGroups: ["rbac.authorization.k8s.io"]
+        resources: ["clusterroles", "roles", "clusterrolebindings", "rolebindings"]
+        verbs: ["get", "list", "watch"]
+      # Grants RO access to CRD resources
+      - apiGroups: ["apiextensions.k8s.io"]
+        resources: ["customresourcedefinitions"]
+        verbs: ["get", "list", "watch"]
+      # Grants RO access to metric server (if present)
+      - apiGroups: ["metrics.k8s.io"]
+        resources: ["nodes", "pods"]
+        verbs: ["get", "list", "watch"]
diff --git a/charts/namespace/templates/clusterrole.yaml b/charts/namespace/templates/clusterrole.yaml
@@ -0,0 +1,16 @@
+{{- range $key, $value := .Values.clusterRoles }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ $key }}
+  labels: 
+    {{- include "namespace.labels" $ | nindent 4 }}
+    {{- with $value.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  {{- with $value.annotations }}
+  annotations: {{- toYaml . | nindent 4 }}
+  {{- end }}
+rules: {{- toYaml .rules | nindent 2 }}
+---
+{{- end }}
diff --git a/charts/namespace/templates/rolebinding.yaml b/charts/namespace/templates/rolebinding.yaml
@@ -0,0 +1,17 @@
+{{- range $key, $value := .Values.roleBindings }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ $key }}
+  labels: {{- include "namespace.labels" $ | nindent 4 }}
+  {{- with $value.annotations }}
+  annotations: {{- toYaml . | nindent 4 }}
+  {{- end }}
+  namespace: {{ include "namespace.namespace" $ }}
+subjects: {{- toYaml $value.subjects | nindent 2 }}
+roleRef:
+  kind: {{ $value.kind }}
+  name: {{ $value.role }}
+  apiGroup: rbac.authorization.k8s.io
+---
+{{- end }}
diff --git a/charts/namespace/values.schema.json b/charts/namespace/values.schema.json
@@ -2,6 +2,13 @@
   "$schema": "http://json-schema.org/draft-07/schema#",
   "additionalProperties": false,
   "properties": {
+    "clusterRoles": {
+      "additionalProperties": true,
+      "description": "Cluster Roles to create",
+      "required": [],
+      "title": "clusterRoles",
+      "type": "object"
+    },
     "dockerSecrets": {
       "additionalProperties": {
         "properties": {
@@ -48,6 +55,33 @@
       "title": "namespaceOverride",
       "type": "string"
     },
+    "roleBindings": {
+      "additionalProperties": {
+        "properties": {
+          "annotations": {
+            "additionalProperties": true,
+            "type": "object"
+          },
+          "kind": {
+            "additionalProperties": true,
+            "type": "string"
+          },
+          "role": {
+            "additionalProperties": true,
+            "type": "string"
+          },
+          "subjects": {
+            "additionalProperties": true,
+            "type": "array"
+          }
+        },
+        "type": "object"
+      },
+      "description": "clusterRoles:\n  my-cluster-role:\n    annotations: {}\n    labels: {}\n    rules: {}\nRole Bindings to create",
+      "required": [],
+      "title": "roleBindings",
+      "type": "object"
+    },
     "secrets": {
       "additionalProperties": {
         "properties": {
@@ -66,7 +100,7 @@
         },
         "type": "object"
       },
-      "description": "Opaque secrets",
+      "description": "roleBindings:\n  my-role-binding:\n    annotations:\n      replicator.v1.mittwald.de/replicate-to: \".*\"\n    group: \"\"\n    role: \"\"\nOpaque secrets",
       "required": [],
       "title": "secrets",
       "type": "object"

diff --git a/charts/namespace/values.yaml b/charts/namespace/values.yaml
@@ -18,7 +18,45 @@ fullnameOverride: ''
 # -- The name of the Namespace to deploy
 # @section -- Overrides
 namespaceOverride: ''
-
+# @schema
+# type: object
+# additionalProperties: true
+# @schema
+# -- Cluster Roles to create
+# @section -- General
+clusterRoles: {}
+# clusterRoles:
+#   my-cluster-role:
+#     annotations: {}
+#     labels: {}
+#     rules: {}
+# @schema
+# type: object
+# additionalProperties:
+#   type: object
+#   properties:
+#     annotations:
+#       type: object
+#       additionalProperties: true
+#     subjects:
+#       type: array
+#       additionalProperties: true
+#     kind:
+#       type: string
+#       additionalProperties: true
+#     role:
+#       type: string
+#       additionalProperties: true
+# @schema
+# -- Role Bindings to create
+# @section -- General
+roleBindings: {}
+# roleBindings:
+#   my-role-binding:
+#     annotations:
+#       replicator.v1.mittwald.de/replicate-to: ".*"
+#     group: ""
+#     role: ""
 # @schema
 # type: object
 # additionalProperties: