update
diff --git a/charts/jenkins/templates/rbac.yaml b/charts/jenkins/templates/rbac.yaml
new file mode 100644
index 0000000..581cb8d
--- /dev/null
+++ b/charts/jenkins/templates/rbac.yaml
@@ -0,0 +1,149 @@
+{{ if .Values.rbac.create }}
+{{- $serviceName := include "jenkins.fullname" . -}}
+
+# This role is used to allow Jenkins scheduling of agents via Kubernetes plugin.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ $serviceName }}-schedule-agents
+ namespace: {{ template "jenkins.agent.namespace" . }}
+ labels:
+ "app.kubernetes.io/name": '{{ template "jenkins.name" .}}'
+ {{- if .Values.renderHelmLabels }}
+ "helm.sh/chart": "{{ template "jenkins.label" .}}"
+ {{- end }}
+ "app.kubernetes.io/managed-by": "{{ .Release.Service }}"
+ "app.kubernetes.io/instance": "{{ .Release.Name }}"
+ "app.kubernetes.io/component": "{{ .Values.controller.componentName }}"
+rules:
+- apiGroups: [""]
+ resources: ["pods", "pods/exec", "pods/log", "persistentvolumeclaims", "events"]
+ verbs: ["get", "list", "watch"]
+- apiGroups: [""]
+ resources: ["pods", "pods/exec", "persistentvolumeclaims"]
+ verbs: ["create", "delete", "deletecollection", "patch", "update"]
+
+---
+
+# We bind the role to the Jenkins service account. The role binding is created in the namespace
+# where the agents are supposed to run.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ $serviceName }}-schedule-agents
+ namespace: {{ template "jenkins.agent.namespace" . }}
+ labels:
+ "app.kubernetes.io/name": '{{ template "jenkins.name" .}}'
+ {{- if .Values.renderHelmLabels }}
+ "helm.sh/chart": "{{ template "jenkins.label" .}}"
+ {{- end }}
+ "app.kubernetes.io/managed-by": "{{ .Release.Service }}"
+ "app.kubernetes.io/instance": "{{ .Release.Name }}"
+ "app.kubernetes.io/component": "{{ .Values.controller.componentName }}"
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ $serviceName }}-schedule-agents
+subjects:
+- kind: ServiceAccount
+ name: {{ template "jenkins.serviceAccountName" .}}
+ namespace: {{ template "jenkins.namespace" . }}
+
+---
+
+{{- if .Values.rbac.readSecrets }}
+# This is needed if you want to use https://jenkinsci.github.io/kubernetes-credentials-provider-plugin/
+# as it needs permissions to get/watch/list Secrets
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ template "jenkins.fullname" . }}-read-secrets
+ namespace: {{ template "jenkins.namespace" . }}
+ labels:
+ "app.kubernetes.io/name": '{{ template "jenkins.name" .}}'
+ {{- if .Values.renderHelmLabels }}
+ "helm.sh/chart": "{{ template "jenkins.label" .}}"
+ {{- end }}
+ "app.kubernetes.io/managed-by": "{{ .Release.Service }}"
+ "app.kubernetes.io/instance": "{{ .Release.Name }}"
+ "app.kubernetes.io/component": "{{ .Values.controller.componentName }}"
+rules:
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "watch", "list"]
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ $serviceName }}-read-secrets
+ namespace: {{ template "jenkins.namespace" . }}
+ labels:
+ "app.kubernetes.io/name": '{{ template "jenkins.name" .}}'
+ {{- if .Values.renderHelmLabels }}
+ "helm.sh/chart": "{{ template "jenkins.label" .}}"
+ {{- end }}
+ "app.kubernetes.io/managed-by": "{{ .Release.Service }}"
+ "app.kubernetes.io/instance": "{{ .Release.Name }}"
+ "app.kubernetes.io/component": "{{ .Values.controller.componentName }}"
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ template "jenkins.fullname" . }}-read-secrets
+subjects:
+ - kind: ServiceAccount
+ name: {{ template "jenkins.serviceAccountName" . }}
+ namespace: {{ template "jenkins.namespace" . }}
+
+---
+{{- end}}
+
+{{- if .Values.controller.sidecars.configAutoReload.enabled }}
+# The sidecar container which is responsible for reloading configuration changes
+# needs permissions to watch ConfigMaps
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ template "jenkins.fullname" . }}-casc-reload
+ namespace: {{ template "jenkins.namespace" . }}
+ labels:
+ "app.kubernetes.io/name": '{{ template "jenkins.name" .}}'
+ {{- if .Values.renderHelmLabels }}
+ "helm.sh/chart": "{{ template "jenkins.label" .}}"
+ {{- end }}
+ "app.kubernetes.io/managed-by": "{{ .Release.Service }}"
+ "app.kubernetes.io/instance": "{{ .Release.Name }}"
+ "app.kubernetes.io/component": "{{ .Values.controller.componentName }}"
+rules:
+- apiGroups: [""]
+ resources: ["configmaps"]
+ verbs: ["get", "watch", "list"]
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ $serviceName }}-watch-configmaps
+ namespace: {{ template "jenkins.namespace" . }}
+ labels:
+ "app.kubernetes.io/name": '{{ template "jenkins.name" .}}'
+ {{- if .Values.renderHelmLabels }}
+ "helm.sh/chart": "{{ template "jenkins.label" .}}"
+ {{- end }}
+ "app.kubernetes.io/managed-by": "{{ .Release.Service }}"
+ "app.kubernetes.io/instance": "{{ .Release.Name }}"
+ "app.kubernetes.io/component": "{{ .Values.controller.componentName }}"
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ template "jenkins.fullname" . }}-casc-reload
+subjects:
+- kind: ServiceAccount
+ name: {{ template "jenkins.serviceAccountName" . }}
+ namespace: {{ template "jenkins.namespace" . }}
+
+{{- end}}
+
+{{ end }}
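Review bot: The schedule-agents Role grants `create` on `pods/exec` (plus `delete`/`deletecollection` on `pods`) for the whole agent namespace, not only for pods the Jenkins controller created, since RBAC cannot scope these verbs by label selector, and the header comment at the top of the hunk does not say so. I would extend that comment with `# NOTE: pods/exec create and pod delete apply to every pod in the agent namespace; run agents in a dedicated namespace if other workloads must stay out of reach of the Jenkins service account.` The read-secrets Role has the same property: `list`/`watch` on `secrets` returns the contents of every Secret in the Jenkins namespace, and its comment could state that this breadth is why the Role is opt-in behind `rbac.readSecrets`. Minor style: the read-secrets and casc-reload Roles are named with `template "jenkins.fullname"` while their RoleBindings use `$serviceName` (the same value, bound at the top of the file), and the casc-reload RoleBinding's `-watch-configmaps` suffix does not match its Role's `-casc-reload`; using `$serviceName` and one suffix per Role/RoleBinding pair would make the pairing obvious when auditing.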