fix(DMVP-9768): Add support for RBAC

charts/base/Chart.yaml

@@ -15,13 +15,13 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.3.25
+version: 0.3.26
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "0.3.25"
+appVersion: "0.3.26"
 
 dependencies:
   - name: gateway-api

charts/base/templates/_helpers.tpl

@@ -71,6 +71,26 @@ Create the name of the service account to use
 {{- end }}
 {{- end }}
 
+{{/*
+Name for optional namespace Role and RoleBinding (rbac.role).
+*/}}
+{{- define "base.rbac.roleName" -}}
+{{- default (printf "%s-role" (include "base.fullname" .)) .Values.rbac.role.name }}
+{{- end }}
+
+{{/*
+Kubernetes Role rules: from rbac.role.rules, or one rule built from rbac.role.apiGroups/resources/verbs.
+*/}}
+{{- define "base.rbac.roleRules" -}}
+{{- $rules := .Values.rbac.role.rules }}
+{{- if $rules }}
+{{- toYaml $rules }}
+{{- else if and (not (empty .Values.rbac.role.apiGroups)) (not (empty .Values.rbac.role.resources)) (not (empty .Values.rbac.role.verbs)) }}
+{{- $rule := dict "apiGroups" .Values.rbac.role.apiGroups "resources" .Values.rbac.role.resources "verbs" .Values.rbac.role.verbs }}
+{{- list $rule | toYaml }}
+{{- end }}
+{{- end }}
+
 {{/*
 Return the target/server Kubernetes version
 */}}

charts/base/templates/rbac-role.yaml

@@ -0,0 +1,31 @@
+{{- if and .Values.rbac.role.enabled (include "base.rbac.roleRules" .) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "base.rbac.roleName" . }}
+  namespace: {{ default .Release.Namespace .Values.rbac.role.namespace }}
+  labels:
+    {{- include "base.labels" . | nindent 4 }}
+rules:
+{{ include "base.rbac.roleRules" . | trim | nindent 2 }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "base.rbac.roleName" . }}
+  namespace: {{ default .Release.Namespace .Values.rbac.role.namespace }}
+  labels:
+    {{- include "base.labels" . | nindent 4 }}
+subjects:
+{{- if .Values.rbac.role.subjects }}
+{{ toYaml .Values.rbac.role.subjects | nindent 2 }}
+{{- else }}
+  - kind: ServiceAccount
+    name: {{ default (include "base.serviceAccountName" .) .Values.rbac.role.serviceAccount.name }}
+    namespace: {{ default .Release.Namespace .Values.rbac.role.serviceAccount.namespace }}
+{{- end }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "base.rbac.roleName" . }}
+{{- end }}

charts/base/values.yaml

@@ -49,6 +49,27 @@ serviceAccount:
   # If not set and create is true, a name is generated using the fullname template
   name: ""
 
+# Optional namespace Role + RoleBinding. Set rules (Kubernetes policyRules) and/or bind subjects.
+rbac:
+  role:
+    enabled: false
+    # Optional override for Role and RoleBinding metadata.name (default: <release fullname>-role)
+    name: ""
+    # Optional; defaults to the Helm release namespace
+    namespace: ""
+    # Policy rules: list of { apiGroups, resources, verbs, ... }. Use this for multiple rules.
+    rules: []
+    # Single-rule shorthand (used when rules is empty): set all three
+    apiGroups: []
+    resources: []
+    verbs: []
+    # If non-empty, used as RoleBinding.subjects (overrides serviceAccount below)
+    subjects: []
+    serviceAccount:
+      # Defaults to this chart's ServiceAccount (see serviceAccount.*)
+      name: ""
+      namespace: ""
+
 job:
   labels:
     - name: app.kubernetes.io/component

examples/base/with-rbac-role.yaml

@@ -0,0 +1,22 @@
+# Namespace Role + RoleBinding: pass apiGroups, resources, and verbs (or full rules: []).
+# Install: helm upgrade --install -n dev myapp ./charts/base/ -f ./examples/base/with-rbac-role.yaml
+
+rbac:
+  role:
+    enabled: true
+    # name: myapp-role
+    # namespace: dev
+    rules:
+      - apiGroups: [""]
+        resources: ["pods"]
+        verbs: ["get", "list"]
+    #   - apiGroups: ["apps"]
+    #     resources: ["deployments"]
+    #     verbs: ["get", "list", "watch"]
+    # subjects:
+    #   - kind: ServiceAccount
+    #     name: myapp
+    #     namespace: dev
+
+serviceAccount:
+  create: true