homarr-labs · oben01 · Feb 12, 2025
@@ -3,11 +3,11 @@ name: homarr
 description: A Helm chart to deploy homarr for Kubernetes
 home: https://homarr-labs.github.io/charts/charts/homarr/
 type: application
-version: 2.9.0
+version: 3.0.0
 # renovate datasource=docker depName=ghcr.io/homarr-labs/homarr
 appVersion: "v1.7.0"
 icon: https://raw.githubusercontent.com/homarr-labs/charts/refs/heads/main/charts/homarr/icon.svg
-kubeVersion: ">=1.22.0-0"
+kubeVersion: ">=1.24.0-0"
 dependencies:
   - name: mysql
     repository: "https://charts.bitnami.com/bitnami"
@@ -27,7 +27,7 @@ annotations:
     url: https://homarr-labs.github.io/charts/pgp_keys.asc
   artifacthub.io/changes: |-
     - kind: added
-      description: persistence and declarative option for trusted certificates
+      description: add rbac configuration to enable kubernetes tool
   artifacthub.io/links: |-
     - name: App Source
       url: https://github.com/homarr-labs/homarr

@@ -2,7 +2,7 @@
 
 <img src="https://raw.githubusercontent.com/homarr-labs/charts/refs/heads/main/charts/homarr/icon.svg" align="right" width="92" alt="homarr logo">
 
-![Version: 2.9.0](https://img.shields.io/badge/Version-2.9.0-informational?style=flat)
+![Version: 3.0.0](https://img.shields.io/badge/Version-2.6.0-informational?style=flat)
 ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat)
 ![AppVersion: v1.7.0](https://img.shields.io/badge/AppVersion-v1.7.0-informational?style=flat)
 
@@ -16,7 +16,7 @@ A Helm chart to deploy homarr for Kubernetes
 
 ## Requirements
 
-Kubernetes: `>=1.22.0-0`
+Kubernetes: `>=1.24.0-0`
 
 ## Dependencies
 
@@ -347,6 +347,8 @@ All available values are listed on the [artifacthub](https://artifacthub.io/pack
 | podAnnotations | object | `{}` | Pod annotations |
 | podLabels | object | `{}` | Pod labels |
 | podSecurityContext | object | `{}` | Pod security context |
+| rbac | object | `{"enabled":false}` | Enable RBAC resources for Kubernetes integration Creates Role, ClusterRole, and associated bindings for Homarr's Kubernetes features |
+| rbac.enabled | bool | `false` | Enable to create RBAC resources and activate Kubernetes integration |
 | readinessProbe.httpGet.path | string | `"/api/health/ready"` | This is the readiness check endpoint used by Kubernetes to determine if the application is ready to handle traffic. |
 | readinessProbe.httpGet.port | int | `7575` | The port on which the readiness check will be performed. This must match the container's exposed port. |
 | replicaCount | int | `1` | Number of replicas |

@@ -23,6 +23,9 @@ spec:
         {{- toYaml . | nindent 8 }}
         {{- end }}
     spec:
+      {{- if .Values.rbac.enabled }}
+      serviceAccountName: "{{ .Release.Name }}-sa"
+      {{- end }}
       {{- with .Values.imagePullSecrets }}
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
@@ -80,6 +83,14 @@ spec:
             failureThreshold: 3
           {{- end }}
           env:
+           {{- if .Values.rbac.enabled }}
+           - name: KUBERNETES_SERVICE_ACCOUNT_NAME
+             value: {{ .Release.Name }}-sa
+           {{- end }}
+           - name: ENABLE_DOCKER
+             value: "false"
+           - name: ENABLE_KUBERNETES
+             value: {{ .Values.rbac.enabled | ternary "true" "false" | quote }}
            {{- range $key, $value := .Values.env }}
            - name: {{ $key }}
              value: "{{ $value }}"

@@ -0,0 +1,88 @@
+{{- if .Values.rbac.enabled }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .Release.Name }}-sa
+  labels:
+      {{- include "homarr.labels" . | nindent 4 }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Release.Name }}-sa-token
+  annotations:
+    kubernetes.io/service-account.name: "{{ .Release.Name }}-sa"
+type: kubernetes.io/service-account-token
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ .Release.Name }}-role
+  labels:
+      {{- include "homarr.labels" . | nindent 4 }}
+rules:
+  - apiGroups: [ "" ]
+    resources: [ "pods", "services", "secrets", "configmaps", "persistentvolumeclaims", "namespaces", "persistentvolumes", "nodes" ]
+    verbs: [ "get", "list", "watch", "use" ]
+  - apiGroups: [ "apps" ]
+    resources: [ "deployments" ]
+    verbs: [ "get", "list", "watch" ]
+  - apiGroups: [ "networking.k8s.io" ]
+    resources: [ "ingresses" ]
+    verbs: [ "get", "list", "watch" ]
+  - apiGroups: [ "metrics.k8s.io" ]
+    resources: [ "nodes", "pods" ]
+    verbs: [ "get", "list", "watch" ]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ .Release.Name }}-rolebinding
+  labels:
+      {{- include "homarr.labels" . | nindent 4 }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ .Release.Name }}-sa
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: Role
+  name: {{ .Release.Name }}-role
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ .Release.Name }}-cluster-role
+  labels:
+      {{- include "homarr.labels" . | nindent 4 }}
+rules:
+  - apiGroups: [ "" ]
+    resources: [ "pods", "services", "secrets", "configmaps", "persistentvolumeclaims", "namespaces", "persistentvolumes", "nodes" ]
+    verbs: [ "get", "list", "watch", "use" ]
+  - apiGroups: [ "apps" ]
+    resources: [ "deployments" ]
+    verbs: [ "get", "list", "watch" ]
+  - apiGroups: [ "networking.k8s.io" ]
+    resources: [ "ingresses" ]
+    verbs: [ "get", "list", "watch" ]
+  - apiGroups: [ "metrics.k8s.io" ]
+    resources: [ "nodes", "pods" ]
+    verbs: [ "get", "list", "watch" ]
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ .Release.Name }}-cluster-rolebinding
+  labels:
+      {{- include "homarr.labels" . | nindent 4 }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ .Release.Name }}-sa
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: {{ .Release.Name }}-cluster-role
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}
@@ -315,3 +315,9 @@ mysql:
     existingSecret: "db-secret"
     username: homarr
     database: homarrdb
+
+# -- Enable RBAC resources for Kubernetes integration
+# Creates Role, ClusterRole, and associated bindings for Homarr's Kubernetes features
+rbac:
+  # -- Enable to create RBAC resources and activate Kubernetes integration
+  enabled: false