Blame - charts/hydra-maester/templates/rbac.yaml - pcloud

blob: e67cc623bba74777646eaf76b2061c87bdd4f7b9 [file] [log] [blame]

Giorgi Lekveishvili	925f0de	2024-03-14 18:51:56 +0400	[diff] [blame^]	1	---
				2	apiVersion: v1
				3	kind: ServiceAccount
				4	metadata:
				5	name: {{ include "hydra-maester.fullname" . }}-account
				6	namespace: {{ .Release.Namespace }}
				7	labels:
				8	{{- include "hydra-maester.labels" . \| nindent 4 }}
				9	{{- with .Values.deployment.serviceAccount.annotations }}
				10	annotations:
				11	{{- toYaml . \| nindent 4 }}
				12	{{- end }}
				13	{{- if not .Values.singleNamespaceMode }}
				14	---
				15	kind: ClusterRole
				16	apiVersion: rbac.authorization.k8s.io/v1
				17	metadata:
				18	name: {{ include "hydra-maester.fullname" . }}-role
				19	rules:
				20	- apiGroups: ["hydra.ory.sh"]
				21	resources: ["oauth2clients", "oauth2clients/status"]
				22	verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
				23	- apiGroups: [""]
				24	resources: ["secrets"]
				25	verbs: ["list", "watch", "create"]
				26	---
				27	kind: ClusterRoleBinding
				28	apiVersion: rbac.authorization.k8s.io/v1
				29	metadata:
				30	name: {{ include "hydra-maester.fullname" . }}-role-binding
				31	subjects:
				32	- kind: ServiceAccount
				33	name: {{ include "hydra-maester.fullname" . }}-account # Service account assigned to the controller pod.
				34	namespace: {{ .Release.Namespace }}
				35	roleRef:
				36	apiGroup: rbac.authorization.k8s.io
				37	kind: ClusterRole
				38	name: {{ include "hydra-maester.fullname" . }}-role
				39	{{- end }}
				40	---
				41	kind: Role
				42	apiVersion: rbac.authorization.k8s.io/v1
				43	metadata:
				44	name: {{ include "hydra-maester.fullname" . }}-role
				45	namespace: {{ .Release.Namespace }}
				46	rules:
				47	- apiGroups: [""]
				48	resources: ["secrets"]
				49	verbs: ["get", "list", "watch", "create"]
				50	- apiGroups: ["hydra.ory.sh"]
				51	resources: ["oauth2clients", "oauth2clients/status"]
				52	verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
				53	---
				54	kind: RoleBinding
				55	apiVersion: rbac.authorization.k8s.io/v1
				56	metadata:
				57	name: {{ include "hydra-maester.fullname" . }}-role-binding
				58	namespace: {{ .Release.Namespace }}
				59	subjects:
				60	- kind: ServiceAccount
				61	name: {{ include "hydra-maester.fullname" . }}-account # Service account assigned to the controller pod.
				62	namespace: {{ .Release.Namespace }}
				63	roleRef:
				64	apiGroup: rbac.authorization.k8s.io
				65	kind: Role
				66	name: {{ include "hydra-maester.fullname" . }}-role
				67
				68	{{- $name := include "hydra-maester.fullname" . -}}
				69	{{- $namespace := .Release.Namespace -}}
				70	{{- range .Values.enabledNamespaces }}
				71	---
				72	kind: Role
				73	apiVersion: rbac.authorization.k8s.io/v1
				74	metadata:
				75	name: {{ $name }}-role
				76	namespace: {{ . }}
				77	rules:
				78	- apiGroups: [""]
				79	resources: ["secrets"]
				80	verbs: ["get", "list", "watch", "create", "update"]
				81	---
				82	kind: RoleBinding
				83	apiVersion: rbac.authorization.k8s.io/v1
				84	metadata:
				85	name: {{ $name }}-role-binding
				86	namespace: {{ . }}
				87	subjects:
				88	- kind: ServiceAccount
				89	name: {{ $name }}-account # Service account assigned to the controller pod.
				90	namespace: {{ $namespace }}
				91	roleRef:
				92	apiGroup: rbac.authorization.k8s.io
				93	kind: Role
				94	name: {{ $name }}-role
				95	{{- end }}