fix pth
This commit is contained in:
behrooz
268
vcluster-0.28.0/templates/_rbac.tpl
Normal file
268
vcluster-0.28.0/templates/_rbac.tpl
Normal file
@@ -0,0 +1,268 @@
|
||||
{{- define "vcluster.clusterRoleName" -}}
|
||||
{{- printf "vc-%s-v-%s" .Release.Name .Release.Namespace | trunc 63 | trimSuffix "-" -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "vcluster.clusterRoleNameMultinamespace" -}}
|
||||
{{- printf "vc-mn-%s-v-%s" .Release.Name .Release.Namespace | trunc 63 | trimSuffix "-" -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Whether to create a cluster role or not
|
||||
*/}}
|
||||
{{- define "vcluster.createClusterRole" -}}
|
||||
{{- if eq (toString .Values.rbac.clusterRole.enabled) "true" -}}
|
||||
{{- true -}}
|
||||
{{- else if eq (toString .Values.rbac.clusterRole.enabled) "auto" -}}
|
||||
{{- if or
|
||||
.Values.rbac.clusterRole.overwriteRules
|
||||
(not (empty (include "vcluster.rbac.clusterRoleExtraRules" . )))
|
||||
(not (empty (include "vcluster.plugin.clusterRoleExtraRules" . )))
|
||||
(not (empty (include "vcluster.generic.clusterRoleExtraRules" . )))
|
||||
.Values.networking.replicateServices.fromHost
|
||||
.Values.pro
|
||||
.Values.sync.toHost.storageClasses.enabled
|
||||
.Values.experimental.isolatedControlPlane.enabled
|
||||
.Values.sync.toHost.persistentVolumes.enabled
|
||||
.Values.sync.toHost.priorityClasses.enabled
|
||||
.Values.sync.fromHost.priorityClasses.enabled
|
||||
.Values.sync.toHost.volumeSnapshotContents.enabled
|
||||
.Values.sync.fromHost.volumeSnapshotClasses.enabled
|
||||
(and (eq (include "vcluster.distro" .) "k8s") .Values.controlPlane.distro.k8s.scheduler.enabled)
|
||||
.Values.controlPlane.advanced.virtualScheduler.enabled
|
||||
.Values.sync.toHost.pods.hybridScheduling.enabled
|
||||
.Values.sync.fromHost.ingressClasses.enabled
|
||||
.Values.sync.fromHost.runtimeClasses.enabled
|
||||
(eq (toString .Values.sync.fromHost.storageClasses.enabled) "true")
|
||||
(eq (toString .Values.sync.fromHost.csiNodes.enabled) "true")
|
||||
(eq (toString .Values.sync.fromHost.csiDrivers.enabled) "true")
|
||||
(eq (toString .Values.sync.fromHost.csiStorageCapacities.enabled) "true")
|
||||
.Values.sync.fromHost.nodes.enabled
|
||||
.Values.sync.toHost.customResources
|
||||
.Values.sync.fromHost.customResources
|
||||
.Values.integrations.kubeVirt.enabled
|
||||
.Values.integrations.externalSecrets.enabled
|
||||
(and .Values.integrations.certManager.enabled .Values.integrations.certManager.sync.fromHost.clusterIssuers.enabled)
|
||||
(and .Values.integrations.metricsServer.enabled .Values.integrations.metricsServer.nodes)
|
||||
.Values.sync.fromHost.configMaps.enabled
|
||||
.Values.sync.fromHost.secrets.enabled
|
||||
.Values.integrations.istio.enabled
|
||||
.Values.sync.toHost.namespaces.enabled
|
||||
-}}
|
||||
{{- true -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Role rules defined on global level
|
||||
*/}}
|
||||
{{- define "vcluster.rbac.roleExtraRules" -}}
|
||||
{{- if .Values.rbac.role.extraRules }}
|
||||
{{- range $ruleIndex, $rule := .Values.rbac.role.extraRules }}
|
||||
- {{ toJson $rule }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Role rules defined by plugins
|
||||
*/}}
|
||||
{{- define "vcluster.plugin.roleExtraRules" -}}
|
||||
{{- range $key, $container := .Values.plugin }}
|
||||
{{- if $container.rbac }}
|
||||
{{- if $container.rbac.role }}
|
||||
{{- if $container.rbac.role.extraRules }}
|
||||
{{- range $ruleIndex, $rule := $container.rbac.role.extraRules }}
|
||||
- {{ toJson $rule }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- range $key, $container := .Values.plugins }}
|
||||
{{- if $container.rbac }}
|
||||
{{- if $container.rbac.role }}
|
||||
{{- if $container.rbac.role.extraRules }}
|
||||
{{- range $ruleIndex, $rule := $container.rbac.role.extraRules }}
|
||||
- {{ toJson $rule }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Cluster role rules defined by plugins
|
||||
*/}}
|
||||
{{- define "vcluster.plugin.clusterRoleExtraRules" -}}
|
||||
{{- range $key, $container := .Values.plugin }}
|
||||
{{- if $container.rbac }}
|
||||
{{- if $container.rbac.clusterRole }}
|
||||
{{- if $container.rbac.clusterRole.extraRules }}
|
||||
{{- range $ruleIndex, $rule := $container.rbac.clusterRole.extraRules }}
|
||||
- {{ toJson $rule }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- range $key, $container := .Values.plugins }}
|
||||
{{- if $container.rbac }}
|
||||
{{- if $container.rbac.clusterRole }}
|
||||
{{- if $container.rbac.clusterRole.extraRules }}
|
||||
{{- range $ruleIndex, $rule := $container.rbac.clusterRole.extraRules }}
|
||||
- {{ toJson $rule }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Role rules defined in generic syncer
|
||||
*/}}
|
||||
{{- define "vcluster.generic.roleExtraRules" -}}
|
||||
{{- if .Values.experimental.genericSync.role }}
|
||||
{{- if .Values.experimental.genericSync.role.extraRules }}
|
||||
{{- range $ruleIndex, $rule := .Values.experimental.genericSync.role.extraRules }}
|
||||
- {{ toJson $rule }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Role rules defined in generic syncer
|
||||
*/}}
|
||||
{{- define "vcluster.customResources.roleExtraRules" -}}
|
||||
{{- if .Values.sync.toHost.customResources }}
|
||||
{{- range $crdName, $rule := .Values.sync.toHost.customResources }}
|
||||
{{- if $rule.enabled }}
|
||||
{{- $crdNameWithoutVersion := (split "/" $crdName)._0 -}} # Takes part before "/"
|
||||
- resources: [ "{{ (splitn "." 2 $crdNameWithoutVersion)._0 }}" ]
|
||||
apiGroups: [ "{{ (splitn "." 2 $crdNameWithoutVersion)._1 }}" ]
|
||||
verbs: ["create", "delete", "patch", "update", "get", "list", "watch"]
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Cluster role rules defined in generic syncer
|
||||
*/}}
|
||||
{{- define "vcluster.customResources.clusterRoleExtraRules" -}}
|
||||
{{- if .Values.sync.fromHost.customResources }}
|
||||
{{- range $crdName, $rule := .Values.sync.fromHost.customResources }}
|
||||
{{- if $rule.enabled }}
|
||||
{{- $crdNameWithoutVersion := (split "/" $crdName)._0 -}} # Takes part before "/"
|
||||
- resources: [ "{{ (splitn "." 2 $crdNameWithoutVersion)._0 }}" ]
|
||||
apiGroups: [ "{{ (splitn "." 2 $crdNameWithoutVersion)._1 }}" ]
|
||||
verbs: ["get", "list", "watch"]
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Cluster role rules defined in generic syncer
|
||||
*/}}
|
||||
{{- define "vcluster.generic.clusterRoleExtraRules" -}}
|
||||
{{- if .Values.experimental.genericSync.clusterRole }}
|
||||
{{- if .Values.experimental.genericSync.clusterRole.extraRules }}
|
||||
{{- range $ruleIndex, $rule := .Values.experimental.genericSync.clusterRole.extraRules }}
|
||||
- {{ toJson $rule }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Cluster Role rules defined on global level
|
||||
*/}}
|
||||
{{- define "vcluster.rbac.clusterRoleExtraRules" -}}
|
||||
{{- if .Values.rbac.clusterRole.extraRules }}
|
||||
{{- range $ruleIndex, $rule := .Values.rbac.clusterRole.extraRules }}
|
||||
- {{ toJson $rule }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Whether to create a role and role binding to access the platform API key secret
|
||||
*/}}
|
||||
{{- define "vcluster.rbac.createPlatformSecretRole" -}}
|
||||
{{- $createRBAC := dig "platform" "apiKey" "createRBAC" true .Values.external -}}
|
||||
{{- if and $createRBAC (ne (include "vcluster.rbac.platformSecretNamespace" .) .Release.Namespace) }}
|
||||
{{- true -}}
|
||||
{{- end }}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Namespace containing the vCluster platform secret
|
||||
*/}}
|
||||
{{- define "vcluster.rbac.platformSecretNamespace" -}}
|
||||
{{- dig "platform" "apiKey" "namespace" .Release.Namespace .Values.external | default .Release.Namespace -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Name specifies the secret name containing the vCluster platform licenses and tokens
|
||||
*/}}
|
||||
{{- define "vcluster.rbac.platformSecretName" -}}
|
||||
{{- dig "platform" "apiKey" "secretName" "vcluster-platform-api-key" .Values.external | quote -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "vcluster.rbac.platformRoleName" -}}
|
||||
{{- printf "vc-%s-v-%s-platform-role" .Release.Name .Release.Namespace | trunc 63 | trimSuffix "-" -}}
|
||||
{{- end -}}
|
||||
|
||||
|
||||
{{- define "vcluster.rbac.platformRoleBindingName" -}}
|
||||
{{- printf "vc-%s-v-%s-platform-role-binding" .Release.Name .Release.Namespace | trunc 63 | trimSuffix "-" -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Cluster role rules needed for fromHost sync (containing namespaces + configmaps/secret/other core resources)
|
||||
*/}}
|
||||
{{- define "vcluster.rbac.rulesForFromHostSyncerForGivenCoreResource" -}}
|
||||
{{- $root := index . 0 -}}
|
||||
{{- $mappings := index . 1 -}}
|
||||
{{- $kind := index . 2 -}}
|
||||
{{- $enabled := index . 3 -}}
|
||||
{{- if and $enabled $mappings -}}
|
||||
{{- $namespaces := list -}}
|
||||
{{- $objNames := list -}}
|
||||
{{- $addResourceNames := true -}}
|
||||
{{- range $key, $val := $mappings -}}
|
||||
{{- $sourceNs := splitList "/" $key | first -}}
|
||||
{{- $sourceObjName := splitList "/" $key | last }}
|
||||
{{- if eq $sourceNs "" -}}
|
||||
{{- $namespaces = append $namespaces (quote $root.Release.Namespace) -}}
|
||||
{{- else -}}
|
||||
{{- $namespaces = append $namespaces (quote $sourceNs) -}}
|
||||
{{- end -}}
|
||||
{{- if eq $sourceObjName "*" -}}
|
||||
{{- $addResourceNames = false -}}
|
||||
{{- else -}}
|
||||
{{- $objNames = append $objNames (quote $sourceObjName) -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- $objList := $objNames | uniq | sortAlpha -}}
|
||||
{{- $nsList := $namespaces | uniq | sortAlpha -}}
|
||||
- apiGroups: [""]
|
||||
resources: [ "namespaces" ]
|
||||
resourceNames: [ {{ join "," $nsList }} ]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: [""]
|
||||
resources: [ {{ $kind | quote }} ]
|
||||
verbs: ["list", "watch"]
|
||||
- apiGroups: [""]
|
||||
resources: [ {{ $kind | quote }} ]
|
||||
verbs: ["get"]
|
||||
{{- if $addResourceNames }}
|
||||
resourceNames: [ {{ join "," $objList }} ]
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
Reference in New Issue
Block a user