Generate RBAC for KKP integration using helm chart (#79)

Signed-off-by: Waleed Malik <[email protected]>
kubermatic · Dec 5, 2024 · c7bfd49 · c7bfd49
1 parent eec2a1a
commit c7bfd49
Show file tree

Hide file tree

Showing 3 changed files with 73 additions and 0 deletions.
diff --git a/charts/kubelb-manager/README.md b/charts/kubelb-manager/README.md
@@ -35,6 +35,7 @@ helm install kubelb-manager kubelb-manager --namespace kubelb -f values.yaml --c
 | image.repository | string | `"quay.io/kubermatic/kubelb-manager"` |  |
 | image.tag | string | `"v1.1.0"` |  |
 | imagePullSecrets | list | `[]` |  |
+| kkpintegration.rbac | bool | `false` | Create RBAC for KKP integration. |
 | kubelb.debug | bool | `true` |  |
 | kubelb.enableGatewayAPI | bool | `false` | enableGatewayAPI specifies whether to enable the Gateway API and Gateway Controllers. By default Gateway API is disabled since without Gateway APIs installed the controller cannot start. |
 | kubelb.enableLeaderElection | bool | `true` |  |

diff --git a/charts/kubelb-manager/templates/kkp-rbac.yaml b/charts/kubelb-manager/templates/kkp-rbac.yaml
@@ -0,0 +1,67 @@
+{{- if .Values.kkpintegration.rbac -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: kubelb-kkp
+  namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: kubelb-kkp
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  # Required to copy kubelb-ccm-kubeconfig secret for the tenant in the KKP seed cluster.
+  - secrets
+  verbs:
+  - get
+  - list
+- apiGroups:
+  - kubelb.k8c.io
+  resources:
+  - tenants
+  - configs
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - delete
+  - patch
+- apiGroups:
+  - kubelb.k8c.io
+  resources:
+  - routes
+  - loadbalancers
+  - addresses
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: kubelb-kkp
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: kubelb-kkp
+subjects:
+  - kind: ServiceAccount
+    name: kubelb-kkp
+    namespace: {{ .Release.Namespace }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: kubelb-kkp-token
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    kubernetes.io/service-account.name: kubelb-kkp
+type: kubernetes.io/service-account-token
+{{- end }}
diff --git a/charts/kubelb-manager/values.yaml b/charts/kubelb-manager/values.yaml
@@ -33,6 +33,11 @@ kubelb:
   # -- Propagate all annotations from the LB resource to the LB service.
   propagateAllAnnotations: false
 
+# Create required resources for KKP integration.
+kkpintegration:
+  # -- Create RBAC for KKP integration.
+  rbac: false
+
 #################################################################################
 # Further configurations for the KubeLB Manager.
 #################################################################################