Revert cluster role (#186)

* Revert "feat: Remove ClusterRole (#169)" This reverts commit 2c53130. * add toggle for clusterrole * bump version
goauthentik · Jul 13, 2023 · 9eb23f2 · 9eb23f2
1 parent 7f13cc6
commit 9eb23f2
Show file tree

Hide file tree

Showing 6 changed files with 48 additions and 3 deletions.
diff --git a/charts/authentik-remote-cluster/Chart.yaml b/charts/authentik-remote-cluster/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v2
-version: 1.2.1
+version: 1.2.2
 appVersion: 2023.6.0
 name: authentik-remote-cluster
 description: RBAC required for a remote cluster to be connected to authentik.

diff --git a/charts/authentik-remote-cluster/README.md b/charts/authentik-remote-cluster/README.md
@@ -5,7 +5,7 @@
 ---
 
 [![](https://img.shields.io/discord/809154715984199690?label=Discord&style=for-the-badge)](https://goauthentik.io/discord)
-![Version: 1.2.1](https://img.shields.io/badge/Version-1.2.1-informational?style=for-the-badge)
+![Version: 1.2.2](https://img.shields.io/badge/Version-1.2.2-informational?style=for-the-badge)
 ![AppVersion: 2023.6.0](https://img.shields.io/badge/AppVersion-2023.6.0-informational?style=for-the-badge)
 
 RBAC required for a remote cluster to be connected to authentik.
@@ -28,6 +28,7 @@ RBAC required for a remote cluster to be connected to authentik.
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | annotations | object | `{}` |  |
+| clusterRole.enabled | bool | `true` |  |
 | fullnameOverride | string | `""` |  |
 | nameOverride | string | `""` |  |
 | serviceAccountSecret.enabled | bool | `true` |  |
diff --git a/charts/authentik-remote-cluster/README.md.gotmpl b/charts/authentik-remote-cluster/README.md.gotmpl
@@ -5,7 +5,7 @@
 ---
 
 [![](https://img.shields.io/discord/809154715984199690?label=Discord&style=for-the-badge)](https://goauthentik.io/discord)
-![Version: 1.2.1](https://img.shields.io/badge/Version-1.2.1-informational?style=for-the-badge)
+![Version: 1.2.2](https://img.shields.io/badge/Version-1.2.2-informational?style=for-the-badge)
 ![AppVersion: 2023.6.0](https://img.shields.io/badge/AppVersion-2023.6.0-informational?style=for-the-badge)
 
 {{ template "chart.deprecationWarning" . }}

diff --git a/charts/authentik-remote-cluster/templates/cluster-role-binding.yaml b/charts/authentik-remote-cluster/templates/cluster-role-binding.yaml
@@ -0,0 +1,21 @@
+{{- if .Values.clusterRole.enabled -}}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "authentik-remote-cluster.fullname" . }}-{{ .Release.Namespace }}
+  labels:
+    {{- include "authentik-remote-cluster.labels" . | nindent 4 }}
+  {{- with .Values.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "authentik-remote-cluster.fullname" . }}-{{ .Release.Namespace }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "authentik-remote-cluster.fullname" . }}
+    namespace: {{ .Release.Namespace }}
+{{- end }}
diff --git a/charts/authentik-remote-cluster/templates/cluster-role.yaml b/charts/authentik-remote-cluster/templates/cluster-role.yaml
@@ -0,0 +1,20 @@
+{{- if .Values.clusterRole.enabled -}}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "authentik-remote-cluster.fullname" . }}-{{ .Release.Namespace }}
+  labels:
+    {{- include "authentik-remote-cluster.labels" . | nindent 4 }}
+  {{- with .Values.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+rules:
+  - apiGroups:
+      - apiextensions.k8s.io
+    resources:
+      - customresourcedefinitions
+    verbs:
+      - list
+{{- end }}
diff --git a/charts/authentik-remote-cluster/values.yaml b/charts/authentik-remote-cluster/values.yaml
@@ -5,3 +5,6 @@ annotations: {}
 
 serviceAccountSecret:
   enabled: true
+
+clusterRole:
+  enabled: true