openstack/openstack-helm
Code Issues Proposed changes
3d842e184b
openstack-helm/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl
Tin Lam 943a400b9a RBAC: Fix issue with inclusion of empty jobs or daemonsets 
Currently, the rbac logic would allow for ``jobs`` or ``daemonsets``
if it is specified in the dependencies, even if they may just be empty
or null.  This patch set addresses this by checking the jobs or
daemonsets map in the value.yaml is non-empty before including it
in the Role.

This mirrors the fix in OSH-infra in [0].

[0] https://review.openstack.org/#/c/530337/1

Change-Id: I37e8d8c1a0d587410811c544e049bbafed73cba8
Signed-off-by: Tin Lam <tin@irrational.io>
2017-12-28 22:05:34 -06:00

51 lines
2.0 KiB
Smarty
Raw Blame History

{{/*
Copyright 2017 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- define "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" -}}
{{- $envAll := index . 0 -}}
{{- $deps := index . 1 -}}
{{- $saName := index . 2 -}}
{{- $saNamespace := $envAll.Release.Namespace }}
{{- $randomKey := randAlphaNum 32 }}
{{- $allNamespace := dict $randomKey "" }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ $saName }}
namespace: {{ $saNamespace }}
{{- range $k, $v := $deps -}}
{{- if eq $k "services" }}
{{- range $serv := $v }}
{{- $endpointMap := index $envAll.Values.endpoints $serv.service }}
{{- $endpointNS := $endpointMap.namespace | default $saNamespace }}
{{- if not (contains "services" ((index $allNamespace $endpointNS) | default "")) }}
{{- $_ := set $allNamespace $endpointNS (printf "%s%s" "services," ((index $allNamespace $endpointNS) | default "")) }}
{{- end -}}
{{- end -}}
{{- else if and (eq $k "jobs") $v }}
{{- $_ := set $allNamespace $saNamespace (printf "%s%s" "jobs," ((index $allNamespace $saNamespace) | default "")) }}
{{- else if and (eq $k "daemonset") $v }}
{{- $_ := set $allNamespace $saNamespace (printf "%s%s" "daemonsets," ((index $allNamespace $saNamespace) | default "")) }}
{{- end -}}
{{- end -}}
{{- $_ := unset $allNamespace $randomKey }}
{{- range $ns, $vv := $allNamespace }}
{{- $resourceList := (splitList "," (trimSuffix "," $vv)) }}
{{- tuple $envAll $resourceList $saName $ns | include "helm-toolkit.snippets.kubernetes_pod_rbac_roles" }}
{{- end -}}
{{- end -}}
View Git Blame Copy Permalink