Add rancher cluster roles (#1656)

* Auto-detect Rancher clusters and apply Rancher ClusterRole and ClusterRoleBinding
NetApp · Jul 22, 2024 · 5824103 · 5824103
1 parent 55d8064
commit 5824103
Show file tree

Hide file tree

Showing 4 changed files with 60 additions and 0 deletions.
diff --git a/helm/trident-operator/templates/_helpers.tpl b/helm/trident-operator/templates/_helpers.tpl
@@ -206,3 +206,32 @@ Trident image pull policy
 {{- "IfNotPresent" }}
 {{- end }}
 {{- end }}
+
+{{/*
+Determines if rancher roles should be created by checking for the presence of the cattle-system namespace
+or annotations with the prefix "cattle.io/" in the namespace where the chart is being installed.
+Override auto-detection and force install the roles by setting Values.forceInstallRancherClusterRoles to 'true'.
+*/}}
+{{- define "shouldInstallRancherRoles" -}}
+{{- $isRancher := false -}}
+{{- $currentNs := .Release.Namespace -}}
+{{- $currentNsObj := lookup "v1" "Namespace" "" $currentNs -}}
+{{- /* Check if 'forceInstallRancherClusterRoles' is set */ -}}
+{{- if .Values.forceInstallRancherClusterRoles }}
+    {{- $isRancher = true -}}
+{{- end }}
+{{- /* Check if the annotation prefix "cattle.io/" exists on the namespace */ -}}
+{{- if $currentNsObj }}
+  {{- range $key, $value := $currentNsObj.metadata.annotations }}
+    {{- if hasPrefix "cattle.io/" $key }}
+      {{- $isRancher = true -}}
+    {{- end }}
+  {{- end }}
+{{- end }}
+{{- /* Check if cattle-system ns exists */ -}}
+{{- $cattleNs := lookup "v1" "Namespace" "" "cattle-system" -}}
+{{- if $cattleNs }}
+  {{- $isRancher = true -}}
+{{- end }}
+{{- $isRancher -}}
+{{- end }}
diff --git a/helm/trident-operator/templates/clusterrole-rancher.yaml b/helm/trident-operator/templates/clusterrole-rancher.yaml
@@ -0,0 +1,13 @@
+{{- if include "shouldInstallRancherRoles" . | eq "true" }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: trident-operator-rancher
+rules:
+  - apiGroups:
+      - management.cattle.io
+    resources:
+      - projects
+    verbs:
+      - updatepsa
+{{- end }}
diff --git a/helm/trident-operator/templates/clusterrolebinding-rancher.yaml b/helm/trident-operator/templates/clusterrolebinding-rancher.yaml
@@ -0,0 +1,14 @@
+{{- if include "shouldInstallRancherRoles" . | eq "true" }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: trident-operator-rancher
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: trident-operator-rancher
+subjects:
+  - kind: ServiceAccount
+    name: trident-operator
+    namespace: trident
+{{- end }}
diff --git a/helm/trident-operator/values.yaml b/helm/trident-operator/values.yaml
@@ -148,6 +148,10 @@ iscsiSelfHealingWaitTime: "7m0s"
 # configuratorReconcileInterval is the resource refresh rate for the auto generated backends.
 configuratorReconcileInterval: 30m0s
 
+# forceInstallRancherClusterRoles will install a Rancher specific ClusterRole and ClusterRoleBinding when set to true.
+# When set to false, the ClusterRole and ClusterRoleBinding will be installed only when a Rancher cluster is detected. 
+forceInstallRancherClusterRoles: false
+
 # Auto generated ANF backend related fields consumed by the configurator controller.
 anfConfigurator:
   enabled: false