[create-pull-request] automated change

porter-dev · Feb 12, 2024 · 94d90f6 · 94d90f6
1 parent 394e2f2
commit 94d90f6
Show file tree

Hide file tree

Showing 10 changed files with 227 additions and 150 deletions.
diff --git a/addons/kms-chart/Chart.yaml b/addons/kms-chart/Chart.yaml
@@ -1,8 +1,8 @@
 apiVersion: v1
 name: kms-chart
 description: A Helm chart for the ACK service controller for AWS Key Management Service (KMS)
-version: 1.0.8
-appVersion: 1.0.8
+version: 1.0.9
+appVersion: 1.0.9
 home: https://github.com/aws-controllers-k8s/kms-controller
 icon: https://raw.githubusercontent.com/aws/eks-charts/master/docs/logo/aws.png
 sources:

diff --git a/addons/kms-chart/crds/services.k8s.aws_adoptedresources.yaml b/addons/kms-chart/crds/services.k8s.aws_adoptedresources.yaml
@@ -161,10 +161,10 @@ spec:
                               description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
                               type: string
                             name:
-                              description: 'Name of the referent. More info: http://kubernetes.io/docs/user-guide/identifiers#names'
+                              description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names'
                               type: string
                             uid:
-                              description: 'UID of the referent. More info: http://kubernetes.io/docs/user-guide/identifiers#uids'
+                              description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids'
                               type: string
                           required:
                           - apiVersion

diff --git a/addons/kms-chart/templates/NOTES.txt b/addons/kms-chart/templates/NOTES.txt
@@ -1,5 +1,5 @@
 {{ .Chart.Name }} has been installed.
-This chart deploys "public.ecr.aws/aws-controllers-k8s/kms-controller:1.0.8".
+This chart deploys "public.ecr.aws/aws-controllers-k8s/kms-controller:1.0.9".
 
 Check its status by running:
   kubectl --namespace {{ .Release.Namespace }} get pods -l "app.kubernetes.io/instance={{ .Release.Name }}"

diff --git a/addons/kms-chart/templates/_helpers.tpl b/addons/kms-chart/templates/_helpers.tpl
@@ -46,3 +46,134 @@ If release name contains chart name it will be used as a full name.
 {{- define "aws.credentials.path" -}}
 {{- printf "%s/%s" (include "aws.credentials.secret_mount_path" .) .Values.aws.credentials.secretKey -}}
 {{- end -}}
+
+{{/* The rules a of ClusterRole or Role */}}
+{{- define "controller-role-rules" }}
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - list
+  - patch
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - patch
+  - watch
+- apiGroups:
+  - kms.services.k8s.aws
+  resources:
+  - aliases
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - kms.services.k8s.aws
+  resources:
+  - aliases/status
+  verbs:
+  - get
+  - patch
+  - update
+- apiGroups:
+  - kms.services.k8s.aws
+  resources:
+  - grants
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - kms.services.k8s.aws
+  resources:
+  - grants/status
+  verbs:
+  - get
+  - patch
+  - update
+- apiGroups:
+  - kms.services.k8s.aws
+  resources:
+  - keys
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - kms.services.k8s.aws
+  resources:
+  - keys/status
+  verbs:
+  - get
+  - patch
+  - update
+- apiGroups:
+  - services.k8s.aws
+  resources:
+  - adoptedresources
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - services.k8s.aws
+  resources:
+  - adoptedresources/status
+  verbs:
+  - get
+  - patch
+  - update
+- apiGroups:
+  - services.k8s.aws
+  resources:
+  - fieldexports
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - services.k8s.aws
+  resources:
+  - fieldexports/status
+  verbs:
+  - get
+  - patch
+  - update
+{{- end }}
diff --git a/addons/kms-chart/templates/caches-role-binding.yaml b/addons/kms-chart/templates/caches-role-binding.yaml
@@ -0,0 +1,26 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: ack-namespaces-cache-kms-controller
+roleRef:
+  kind: ClusterRole
+  apiGroup: rbac.authorization.k8s.io
+  name: ack-namespaces-cache-kms-controller
+subjects:
+- kind: ServiceAccount
+  name: ack-kms-controller
+  namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: ack-configmaps-cache-kms-controller
+  namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: Role
+  apiGroup: rbac.authorization.k8s.io
+  name: ack-configmaps-cache-kms-controller
+subjects:
+- kind: ServiceAccount
+  name: ack-kms-controller
+  namespace: {{ .Release.Namespace }}
diff --git a/addons/kms-chart/templates/caches-role.yaml b/addons/kms-chart/templates/caches-role.yaml
@@ -0,0 +1,28 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: ack-namespaces-cache-kms-controller
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: ack-configmaps-cache-kms-controller
+  namespace: {{ .Release.Namespace }}
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - list
+  - watch
diff --git a/addons/kms-chart/templates/cluster-role-binding.yaml b/addons/kms-chart/templates/cluster-role-binding.yaml
@@ -1,21 +1,35 @@
-apiVersion: rbac.authorization.k8s.io/v1
 {{ if eq .Values.installScope "cluster" }}
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: {{ include "app.fullname" . }}
 roleRef:
   kind: ClusterRole
-{{ else }}
+  apiGroup: rbac.authorization.k8s.io
+  name: ack-kms-controller
+subjects:
+- kind: ServiceAccount
+  name: {{ include "service-account.name" . }}
+  namespace: {{ .Release.Namespace }}
+{{ else if .Values.watchNamespace }}
+{{ $namespaces := split "," .Values.watchNamespace }}
+{{ $fullname := include "app.fullname" .  }}
+{{ $releaseNamespace := .Release.Namespace }}
+{{ $serviceAccountName := include "service-account.name" .  }}
+{{ range $namespaces }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  name: {{ include "app.fullname" . }}
-  namespace: {{ .Release.Namespace }}
+  name: {{ $fullname }}
+  namespace: {{ . }}
 roleRef:
   kind: Role
-{{ end }}
   apiGroup: rbac.authorization.k8s.io
   name: ack-kms-controller
 subjects:
 - kind: ServiceAccount
-  name: {{ include "service-account.name" . }}
-  namespace: {{ .Release.Namespace }}
+  name: {{ $serviceAccountName }}
+  namespace: {{ $releaseNamespace }}
+{{ end }}
+{{ end }}