Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Remove role for Profile-CRD from chart #697

Open
ArcticXWolf opened this issue Nov 4, 2020 · 0 comments
Open

Remove role for Profile-CRD from chart #697

ArcticXWolf opened this issue Nov 4, 2020 · 0 comments

Comments

@ArcticXWolf
Copy link

Followup on #696.
Now that we can disable the creation of the CRDs in the helm chart, we can also move the creation of the roles for the Profiles CRD behind the toggle, as they are not needed if the CRD does not exist.

Expected Behaviour

If I disable the creation of the CRDs in the helm chart, I expect the chart to not create roles and role-bindings concerning the non-existing CRDs.

Current Behaviour

The chart creates the roles in all cases, if the CRDs are created or not.

Possible Solution

Wrap the following lines inside a {{- if .Values.createCRDs }} ... {{- end}} block:

faas-netes/chart/openfaas/templates/controller-rbac.yaml

Lines 76 to 83 in 08ffc57

- apiGroups:
- "openfaas.com"
resources:
- "profiles"
verbs:
- "get"
- "list"
- "watch"

faas-netes/chart/openfaas/templates/controller-rbac.yaml

Lines 184 to 204 in 08ffc57

---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
labels:
app: {{ template "openfaas.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
component: faas-controller
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
name: {{ .Release.Name }}-profiles
namespace: {{ .Release.Namespace | quote }}
rules:
- apiGroups:
- "openfaas.com"
resources:
- "profiles"
verbs:
- "get"
- "list"
- "watch"

faas-netes/chart/openfaas/templates/controller-rbac.yaml

Lines 205 to 224 in 08ffc57

---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
labels:
app: {{ template "openfaas.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
component: faas-controller
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
name: {{ .Release.Name }}-profiles
namespace: {{ .Release.Namespace | quote }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ .Release.Name }}-profiles
subjects:
- kind: ServiceAccount
name: {{ .Release.Name }}-controller
namespace: {{ .Release.Namespace | quote }}

Context / Usecase

Without this change, users that have to skip creating the CRDs due to access rights might not be able to install the chart. For example I cannot create the role {{ .Release.Name }}-profiles and thus cannot install the chart.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@ArcticXWolf