From c7bfd4910d53e2feed560a9df4fa784a2970e6e9 Mon Sep 17 00:00:00 2001
From: Waleed Malik
Date: Thu, 5 Dec 2024 16:12:59 +0500
Subject: [PATCH] Generate RBAC for KKP integration using helm chart (#79)
Signed-off-by: Waleed Malik
---
charts/kubelb-manager/README.md | 1 +
charts/kubelb-manager/templates/kkp-rbac.yaml | 67 +++++++++++++++++++
charts/kubelb-manager/values.yaml | 5 ++
3 files changed, 73 insertions(+)
create mode 100644 charts/kubelb-manager/templates/kkp-rbac.yaml
diff --git a/charts/kubelb-manager/README.md b/charts/kubelb-manager/README.md
index e7c5274..9707d0a 100644
--- a/charts/kubelb-manager/README.md
+++ b/charts/kubelb-manager/README.md
@@ -35,6 +35,7 @@ helm install kubelb-manager kubelb-manager --namespace kubelb -f values.yaml --c
 | image.repository | string | `"quay.io/kubermatic/kubelb-manager"` | |
 | image.tag | string | `"v1.1.0"` | |
 | imagePullSecrets | list | `[]` | |
+| kkpintegration.rbac | bool | `false` | Create RBAC for KKP integration. |
 | kubelb.debug | bool | `true` | |
 | kubelb.enableGatewayAPI | bool | `false` | enableGatewayAPI specifies whether to enable the Gateway API and Gateway Controllers. By default Gateway API is disabled since without Gateway APIs installed the controller cannot start. |
 | kubelb.enableLeaderElection | bool | `true` | |
diff --git a/charts/kubelb-manager/templates/kkp-rbac.yaml b/charts/kubelb-manager/templates/kkp-rbac.yaml
new file mode 100644
index 0000000..3201ede
--- /dev/null
+++ b/charts/kubelb-manager/templates/kkp-rbac.yaml
@@ -0,0 +1,67 @@
+{{- if .Values.kkpintegration.rbac -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: kubelb-kkp
+ namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kubelb-kkp
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - namespaces
+ # Required to copy kubelb-ccm-kubeconfig secret for the tenant in the KKP seed cluster.
+ - secrets
+ verbs:
+ - get
+ - list
+- apiGroups:
+ - kubelb.k8c.io
+ resources:
+ - tenants
+ - configs
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - delete
+ - patch
+- apiGroups:
+ - kubelb.k8c.io
+ resources:
+ - routes
+ - loadbalancers
+ - addresses
+ verbs:
+ - get
+ - list
+ - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: kubelb-kkp
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: kubelb-kkp
+subjects:
+ - kind: ServiceAccount
+ name: kubelb-kkp
+ namespace: {{ .Release.Namespace }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: kubelb-kkp-token
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ kubernetes.io/service-account.name: kubelb-kkp
+type: kubernetes.io/service-account-token
+{{- end }}
diff --git a/charts/kubelb-manager/values.yaml b/charts/kubelb-manager/values.yaml
index 6d25704..68e656f 100644
--- a/charts/kubelb-manager/values.yaml
+++ b/charts/kubelb-manager/values.yaml
@@ -33,6 +33,11 @@ kubelb:
 # -- Propagate all annotations from the LB resource to the LB service.
 propagateAllAnnotations: false
 
+# Create required resources for KKP integration.
+kkpintegration:
+ # -- Create RBAC for KKP integration.
+ rbac: false
+
 #################################################################################
 # Further configurations for the KubeLB Manager.
 #################################################################################
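Review bot: The first rule of the `kubelb-kkp` ClusterRole grants `get` and `list` on `secrets` in every namespace, although the comment beside it says the access is needed only to copy the `kubelb-ccm-kubeconfig` secret for a tenant. Because the role is bound through a ClusterRoleBinding and its credential is the non-expiring `kubelb-kkp-token` Secret at the end of the template, anyone who obtains that token can read every secret in the cluster, including other service-account tokens. Assuming the KKP side fetches the kubeconfig by name, I would move `secrets` into its own rule limited to `get` with a `resourceNames` entry, as sketched below. If `list` is genuinely required, that should be confirmed and stated in the comment, since `resourceNames` cannot meaningfully narrow it.

```yaml
rules:
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
  - list
# Only the per-tenant kubeconfig secret is copied to the KKP seed cluster,
# so restrict access to that one name instead of all secrets.
- apiGroups:
  - ""
  resources:
  - secrets
  resourceNames:
  - kubelb-ccm-kubeconfig
  verbs:
  - get
# … unchanged: kubelb.k8c.io rules …
```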