628fd3007d
Currently, services have two serviceaccounts: one specified in the chart that cannot read anything, and one injected via helm-toolkit that can read everything. This patch set refactors the logic to: - cleanup the roles and their binding automatically when the helm chart is deleted; - remove the need to separately mount a serviceaccount with secret; - better handling of namespaces resource restriction. Co-Authored-By: portdirect <pete@port.direct> Change-Id: I47d41e0cad9b5b002f59fc9652bad2cc025538dc
34 lines
1017 B
YAML
34 lines
1017 B
YAML
{{/*
|
|
Copyright 2017 The Openstack-Helm Authors.
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
you may not use this file except in compliance with the License.
|
|
You may obtain a copy of the License at
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
See the License for the specific language governing permissions and
|
|
limitations under the License.
|
|
*/}}
|
|
|
|
{{- if .Values.manifests.clusterrolebinding }}
|
|
{{- $envAll := . }}
|
|
{{- $serviceAccountName := "alertmanager"}}
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1beta1
|
|
kind: ClusterRoleBinding
|
|
metadata:
|
|
name: run-alertmanager
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: {{ $serviceAccountName }}
|
|
namespace: {{ $envAll.Release.Namespace }}
|
|
roleRef:
|
|
kind: ClusterRole
|
|
name: cluster-admin
|
|
apiGroup: rbac.authorization.k8s.io
|
|
{{- end }}
|