helm: add gcp ccm permissions for internal LBs (#2474)

* helm: add gcp ccm permissions
edgelesssys · Oct 19, 2023 · 498b5d6 · 498b5d6
1 parent 0bfb4f7
commit 498b5d6
Show file tree

Hide file tree

Showing 3 changed files with 27 additions and 0 deletions.
diff --git a/cli/internal/helm/BUILD.bazel b/cli/internal/helm/BUILD.bazel
@@ -411,6 +411,7 @@ go_library(
         "charts/edgeless/csi/charts/aws-csi-driver/templates/storageclass_integrity.yaml",
         "charts/edgeless/csi/charts/aws-csi-driver/templates/volumesnapshotclass.yaml",
         "charts/edgeless/csi/charts/aws-csi-driver/values.yaml",
+        "charts/edgeless/constellation-services/charts/ccm/templates/gcp-clusterrolebinding.yaml",
     ],
     importpath = "github.com/edgelesssys/constellation/v2/cli/internal/helm",
     visibility = ["//cli:__subpackages__"],

diff --git a/...m/charts/edgeless/constellation-services/charts/ccm/templates/gcp-clusterrolebinding.yaml b/...m/charts/edgeless/constellation-services/charts/ccm/templates/gcp-clusterrolebinding.yaml
@@ -0,0 +1,14 @@
+{{- if eq .Values.csp "GCP" -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: system:cloud-provider
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+  - kind: ServiceAccount
+    name: cloud-provider
+    namespace: {{ .Release.Namespace }}
+{{- end -}}
diff --git a/...helm/testdata/GCP/constellation-services/charts/ccm/templates/gcp-clusterrolebinding.yaml b/...helm/testdata/GCP/constellation-services/charts/ccm/templates/gcp-clusterrolebinding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: system:cloud-provider
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+  - kind: ServiceAccount
+    name: cloud-provider
+    namespace: testNamespace