From 5824103a201cb2f1be13f9435e554ad160c829b3 Mon Sep 17 00:00:00 2001
From: jharrod
Date: Mon, 22 Jul 2024 11:50:21 -0600
Subject: [PATCH] Add rancher cluster roles (#1656)
* Auto-detect Rancher clusters and apply Rancher ClusterRole and ClusterRoleBinding
---
 helm/trident-operator/templates/_helpers.tpl | 29 +++++++++++++++++++
 .../templates/clusterrole-rancher.yaml | 13 +++++++++
 .../templates/clusterrolebinding-rancher.yaml | 14 +++++++++
 helm/trident-operator/values.yaml | 4 +++
 4 files changed, 60 insertions(+)
 create mode 100644 helm/trident-operator/templates/clusterrole-rancher.yaml
 create mode 100644 helm/trident-operator/templates/clusterrolebinding-rancher.yaml
diff --git a/helm/trident-operator/templates/_helpers.tpl b/helm/trident-operator/templates/_helpers.tpl
index c794fdb1e..b46e6a6ac 100644
--- a/helm/trident-operator/templates/_helpers.tpl
+++ b/helm/trident-operator/templates/_helpers.tpl
@@ -206,3 +206,32 @@ Trident image pull policy
 {{- "IfNotPresent" }}
 {{- end }}
 {{- end }}
+
+{{/*
+Determines if rancher roles should be created by checking for the presence of the cattle-system namespace
+or annotations with the prefix "cattle.io/" in the namespace where the chart is being installed.
+Override auto-detection and force install the roles by setting Values.forceInstallRancherClusterRoles to 'true'.
+*/}}
+{{- define "shouldInstallRancherRoles" -}}
+{{- $isRancher := false -}}
+{{- $currentNs := .Release.Namespace -}}
+{{- $currentNsObj := lookup "v1" "Namespace" "" $currentNs -}}
+{{- /* Check if 'forceInstallRancherClusterRoles' is set */ -}}
+{{- if .Values.forceInstallRancherClusterRoles }}
+ {{- $isRancher = true -}}
+{{- end }}
+{{- /* Check if the annotation prefix "cattle.io/" exists on the namespace */ -}}
+{{- if $currentNsObj }}
+ {{- range $key, $value := $currentNsObj.metadata.annotations }}
+ {{- if hasPrefix "cattle.io/" $key }}
+ {{- $isRancher = true -}}
+ {{- end }}
+ {{- end }}
+{{- end }}
+{{- /* Check if cattle-system ns exists */ -}}
+{{- $cattleNs := lookup "v1" "Namespace" "" "cattle-system" -}}
+{{- if $cattleNs }}
+ {{- $isRancher = true -}}
+{{- end }}
+{{- $isRancher -}}
+{{- end }}
diff --git a/helm/trident-operator/templates/clusterrole-rancher.yaml b/helm/trident-operator/templates/clusterrole-rancher.yaml
new file mode 100644
index 000000000..6300f2f28
--- /dev/null
+++ b/helm/trident-operator/templates/clusterrole-rancher.yaml
@@ -0,0 +1,13 @@
+{{- if include "shouldInstallRancherRoles" . | eq "true" }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: trident-operator-rancher
+rules:
+ - apiGroups:
+ - management.cattle.io
+ resources:
+ - projects
+ verbs:
+ - updatepsa
+{{- end }}
diff --git a/helm/trident-operator/templates/clusterrolebinding-rancher.yaml b/helm/trident-operator/templates/clusterrolebinding-rancher.yaml
new file mode 100644
index 000000000..165a51b70
--- /dev/null
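Review bot: Both `lookup` calls in shouldInstallRancherRoles return an empty map when the chart is rendered without cluster access (`helm template`, `--dry-run`, or GitOps tools that template offline), so on those paths auto-detection silently evaluates to false and the Rancher ClusterRole and ClusterRoleBinding are never emitted; neither the helper's header comment nor the `forceInstallRancherClusterRoles` description added in the values.yaml hunk mentions this. The `cattle-system` lookup is also cluster-scoped regardless of the release namespace, so an installing identity that cannot read Namespaces cluster-wide will presumably either fail the render or fall through to false — worth confirming which before relying on the detection. I would extend the header comment with `Note: lookup returns nothing under helm template/--dry-run or offline GitOps rendering, so detection yields false there; set forceInstallRancherClusterRoles to true when rendering without cluster access.` and add a matching sentence to the values.yaml comment. As a minor point, the two lookups still run even when the force flag is already true; short-circuiting on the flag first would avoid the API calls in that case.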
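Review bot: The ClusterRole grants `updatepsa` on every `projects` resource in `management.cattle.io` with no `resourceNames` restriction, and nothing in the new file states why the operator needs to change pod-security settings on Rancher projects, so a reviewer cannot judge whether cluster-wide scope is required. A template comment above `rules:` such as `# updatepsa on management.cattle.io/projects lets the operator adjust the PSA level of the Rancher project owning its namespace — scope to resourceNames if the project id is known at install time` would record the intent; whether the project id is actually available at install time is not visible here. The manifest also carries no chart labels on `metadata`, which is worth checking for consistency with the chart's other RBAC templates if they use a common labels helper.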
+++ b/helm/trident-operator/templates/clusterrolebinding-rancher.yaml
@@ -0,0 +1,14 @@
+{{- if include "shouldInstallRancherRoles" . | eq "true" }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: trident-operator-rancher
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: trident-operator-rancher
+subjects:
+ - kind: ServiceAccount
+ name: trident-operator
+ namespace: trident
+{{- end }}
diff --git a/helm/trident-operator/values.yaml b/helm/trident-operator/values.yaml
index 461d865e8..4751d07ad 100644
--- a/helm/trident-operator/values.yaml
+++ b/helm/trident-operator/values.yaml
@@ -148,6 +148,10 @@ iscsiSelfHealingWaitTime: "7m0s"
 # configuratorReconcileInterval is the resource refresh rate for the auto generated backends.
 configuratorReconcileInterval: 30m0s
 
+# forceInstallRancherClusterRoles will install a Rancher specific ClusterRole and ClusterRoleBinding when set to true.
+# When set to false, the ClusterRole and ClusterRoleBinding will be installed only when a Rancher cluster is detected.
+forceInstallRancherClusterRoles: false
+
 # Auto generated ANF backend related fields consumed by the configurator controller.
 anfConfigurator:
 enabled: false
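Review bot: The subject pins the ServiceAccount to `namespace: trident`, while the helper that gates this file detects Rancher on `.Release.Namespace`; installing the chart into any other namespace leaves the binding pointing at a ServiceAccount that does not exist there, and a ServiceAccount named trident-operator that happens to live in a namespace called trident would inherit the cluster-wide grant instead. Unless the chart is pinned to the trident namespace elsewhere (not visible in this diff), the subject should read `namespace: {{ .Release.Namespace }}`. The ServiceAccount name is hard-coded as well; if the chart derives it from a helper in its other RBAC templates, reuse that helper here so the two cannot drift apart.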