From 94d90f601731181214c7b9622d685396b8c29641 Mon Sep 17 00:00:00 2001
From: d-g-town
Date: Mon, 12 Feb 2024 15:07:46 +0000
Subject: [PATCH] [create-pull-request] automated change
---
 addons/kms-chart/Chart.yaml | 4 +-
 .../services.k8s.aws_adoptedresources.yaml | 4 +-
 addons/kms-chart/templates/NOTES.txt | 2 +-
 addons/kms-chart/templates/_helpers.tpl | 131 ++++++++++++++++
 .../templates/caches-role-binding.yaml | 26 +++
 addons/kms-chart/templates/caches-role.yaml | 28 ++++
 .../templates/cluster-role-binding.yaml | 28 +++-
 .../templates/cluster-role-controller.yaml | 148 ++----------------
 addons/kms-chart/templates/role-writer.yaml | 3 -
 addons/kms-chart/values.yaml | 3 +-
 10 files changed, 227 insertions(+), 150 deletions(-)
 create mode 100644 addons/kms-chart/templates/caches-role-binding.yaml
 create mode 100644 addons/kms-chart/templates/caches-role.yaml
diff --git a/addons/kms-chart/Chart.yaml b/addons/kms-chart/Chart.yaml
index 94ad9ff5..20eda1c5 100644
--- a/addons/kms-chart/Chart.yaml
+++ b/addons/kms-chart/Chart.yaml
@@ -1,8 +1,8 @@
 apiVersion: v1
 name: kms-chart
 description: A Helm chart for the ACK service controller for AWS Key Management Service (KMS)
-version: 1.0.8
-appVersion: 1.0.8
+version: 1.0.9
+appVersion: 1.0.9
 home: https://github.com/aws-controllers-k8s/kms-controller
 icon: https://raw.githubusercontent.com/aws/eks-charts/master/docs/logo/aws.png
 sources:
diff --git a/addons/kms-chart/crds/services.k8s.aws_adoptedresources.yaml b/addons/kms-chart/crds/services.k8s.aws_adoptedresources.yaml
index d8d51261..9a12ef7e 100644
--- a/addons/kms-chart/crds/services.k8s.aws_adoptedresources.yaml
+++ b/addons/kms-chart/crds/services.k8s.aws_adoptedresources.yaml
@@ -161,10 +161,10 @@ spec:
 description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
 type: string
 name:
- description: 'Name of the referent. More info: http://kubernetes.io/docs/user-guide/identifiers#names'
+ description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names'
 type: string
 uid:
- description: 'UID of the referent. More info: http://kubernetes.io/docs/user-guide/identifiers#uids'
+ description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids'
 type: string
 required:
 - apiVersion
diff --git a/addons/kms-chart/templates/NOTES.txt b/addons/kms-chart/templates/NOTES.txt
index 9831cc32..be2b7e86 100644
--- a/addons/kms-chart/templates/NOTES.txt
+++ b/addons/kms-chart/templates/NOTES.txt
@@ -1,5 +1,5 @@
 {{ .Chart.Name }} has been installed.
-This chart deploys "public.ecr.aws/aws-controllers-k8s/kms-controller:1.0.8".
+This chart deploys "public.ecr.aws/aws-controllers-k8s/kms-controller:1.0.9".
 Check its status by running:
 kubectl --namespace {{ .Release.Namespace }} get pods -l "app.kubernetes.io/instance={{ .Release.Name }}"
diff --git a/addons/kms-chart/templates/_helpers.tpl b/addons/kms-chart/templates/_helpers.tpl
index 391d5de3..a2724d11 100644
--- a/addons/kms-chart/templates/_helpers.tpl
+++ b/addons/kms-chart/templates/_helpers.tpl
@@ -46,3 +46,134 @@ If release name contains chart name it will be used as a full name.
 {{- define "aws.credentials.path" -}}
 {{- printf "%s/%s" (include "aws.credentials.secret_mount_path" .) .Values.aws.credentials.secretKey -}}
 {{- end -}}
+
+{{/* The rules a of ClusterRole or Role */}}
+{{- define "controller-role-rules" }}
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - list
+ - patch
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - namespaces
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - patch
+ - watch
+- apiGroups:
+ - kms.services.k8s.aws
+ resources:
+ - aliases
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - kms.services.k8s.aws
+ resources:
+ - aliases/status
+ verbs:
+ - get
+ - patch
+ - update
+- apiGroups:
+ - kms.services.k8s.aws
+ resources:
+ - grants
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - kms.services.k8s.aws
+ resources:
+ - grants/status
+ verbs:
+ - get
+ - patch
+ - update
+- apiGroups:
+ - kms.services.k8s.aws
+ resources:
+ - keys
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - kms.services.k8s.aws
+ resources:
+ - keys/status
+ verbs:
+ - get
+ - patch
+ - update
+- apiGroups:
+ - services.k8s.aws
+ resources:
+ - adoptedresources
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - services.k8s.aws
+ resources:
+ - adoptedresources/status
+ verbs:
+ - get
+ - patch
+ - update
+- apiGroups:
+ - services.k8s.aws
+ resources:
+ - fieldexports
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - services.k8s.aws
+ resources:
+ - fieldexports/status
+ verbs:
+ - get
+ - patch
+ - update
+{{- end }}
\ No newline at end of file
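Review bot: The `namespaces` rule in `controller-role-rules` only has an effect when the helper lands in a ClusterRole: cluster-scoped resources cannot be granted through a namespaced Role, so in the per-namespace Role rendered by cluster-role-controller.yaml it is inert, and in the ClusterRole case it duplicates the new `ack-namespaces-cache-kms-controller` ClusterRole from caches-role.yaml. Since the caches roles now carry that read permission, consider dropping the `namespaces` entry from the shared helper so the grant lives in one place. The helper also grants `patch` on `secrets` and `configmaps`, which in the ClusterRole case applies to every namespace in the cluster; worth confirming the controller needs write access there rather than only `get`/`list`/`watch`. The define comment has a word-order typo, `{{/* The rules of a ClusterRole or Role */}}`, and the template now ends without a trailing newline.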
diff --git a/addons/kms-chart/templates/caches-role-binding.yaml b/addons/kms-chart/templates/caches-role-binding.yaml
new file mode 100644
index 00000000..cd0b6449
--- /dev/null
+++ b/addons/kms-chart/templates/caches-role-binding.yaml
@@ -0,0 +1,26 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: ack-namespaces-cache-kms-controller
+roleRef:
+ kind: ClusterRole
+ apiGroup: rbac.authorization.k8s.io
+ name: ack-namespaces-cache-kms-controller
+subjects:
+- kind: ServiceAccount
+ name: ack-kms-controller
+ namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: ack-configmaps-cache-kms-controller
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ kind: Role
+ apiGroup: rbac.authorization.k8s.io
+ name: ack-configmaps-cache-kms-controller
+subjects:
+- kind: ServiceAccount
+ name: ack-kms-controller
+ namespace: {{ .Release.Namespace }}
\ No newline at end of file
diff --git a/addons/kms-chart/templates/caches-role.yaml b/addons/kms-chart/templates/caches-role.yaml
new file mode 100644
index 00000000..68a3e0bb
--- /dev/null
+++ b/addons/kms-chart/templates/caches-role.yaml
@@ -0,0 +1,28 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: ack-namespaces-cache-kms-controller
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - namespaces
+ verbs:
+ - get
+ - list
+ - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: ack-configmaps-cache-kms-controller
+ namespace: {{ .Release.Namespace }}
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
\ No newline at end of file
diff --git a/addons/kms-chart/templates/cluster-role-binding.yaml b/addons/kms-chart/templates/cluster-role-binding.yaml
index 202ded85..303e9eeb 100644
--- a/addons/kms-chart/templates/cluster-role-binding.yaml
+++ b/addons/kms-chart/templates/cluster-role-binding.yaml
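Review bot: Both subjects in caches-role-binding.yaml hard-code `name: ack-kms-controller`, whereas cluster-role-binding.yaml in this same patch resolves the subject with `{{ include "service-account.name" . }}`; if the service-account name is overridden through values, these two bindings silently point at a ServiceAccount that does not exist and the controller loses its namespace and configmap cache permissions without any install-time error. Use `name: {{ include "service-account.name" . }}` for both subjects. The ClusterRole and ClusterRoleBinding named `ack-namespaces-cache-kms-controller` are cluster-scoped objects with a fixed name, so a second release of this chart in the same cluster will collide on them, which is why the ClusterRoleBinding in cluster-role-binding.yaml derives its name from `{{ include "app.fullname" . }}`. Both new files are also rendered unconditionally, so the cluster-wide `namespaces` list permission is granted even for a namespace-scoped install; confirm that is intended.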
@@ -1,21 +1,35 @@
-apiVersion: rbac.authorization.k8s.io/v1
 {{ if eq .Values.installScope "cluster" }}
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
 name: {{ include "app.fullname" . }}
 roleRef:
 kind: ClusterRole
-{{ else }}
+ apiGroup: rbac.authorization.k8s.io
+ name: ack-kms-controller
+subjects:
+- kind: ServiceAccount
+ name: {{ include "service-account.name" . }}
+ namespace: {{ .Release.Namespace }}
+{{ else if .Values.watchNamespace }}
+{{ $namespaces := split "," .Values.watchNamespace }}
+{{ $fullname := include "app.fullname" . }}
+{{ $releaseNamespace := .Release.Namespace }}
+{{ $serviceAccountName := include "service-account.name" . }}
+{{ range $namespaces }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
- name: {{ include "app.fullname" . }}
- namespace: {{ .Release.Namespace }}
+ name: {{ $fullname }}
+ namespace: {{ . }}
 roleRef:
 kind: Role
-{{ end }}
 apiGroup: rbac.authorization.k8s.io
 name: ack-kms-controller
 subjects:
 - kind: ServiceAccount
- name: {{ include "service-account.name" . }}
- namespace: {{ .Release.Namespace }}
+ name: {{ $serviceAccountName }}
+ namespace: {{ $releaseNamespace }}
+{{ end }}
+{{ end }}
\ No newline at end of file
diff --git a/addons/kms-chart/templates/cluster-role-controller.yaml b/addons/kms-chart/templates/cluster-role-controller.yaml
index fb445dc1..2dcdba0a 100644
--- a/addons/kms-chart/templates/cluster-role-controller.yaml
+++ b/addons/kms-chart/templates/cluster-role-controller.yaml
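Review bot: With `installScope` set to `namespace` and `watchNamespace` left empty, neither the `if` branch nor the new `{{ else if .Values.watchNamespace }}` branch renders, so no RoleBinding is emitted at all, whereas the removed `{{ else }}` branch bound the role in the release namespace; the values.yaml comment in this same patch still promises that an empty value defaults to the release namespace, and cluster-role-controller.yaml has the identical gap for the Role. Either add a trailing `{{ else }}` that renders one RoleBinding in `.Release.Namespace`, or default the list up front with `{{ $namespaces := split "," (default .Release.Namespace .Values.watchNamespace) }}` in both templates. `split ","` also keeps surrounding whitespace, so a value like `"ns1, ns2"` yields a RoleBinding in the namespace ` ns2`; trimming each element, or stating in values.yaml that the list must have no spaces, avoids a binding that is silently wrong. The file now ends without a trailing newline.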
@@ -1,148 +1,28 @@
-apiVersion: rbac.authorization.k8s.io/v1
+{{ $labels := .Values.role.labels }}
+{{ $rules := include "controller-role-rules" . }}
 {{ if eq .Values.installScope "cluster" }}
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
- creationTimestamp: null
 name: ack-kms-controller
 labels:
- {{- range $key, $value := .Values.role.labels }}
+ {{- range $key, $value := $labels }}
 {{ $key }}: {{ $value | quote }}
 {{- end }}
-{{ else }}
+{{- $rules }}
+{{ else if .Values.watchNamespace }}
+{{ $namespaces := split "," .Values.watchNamespace }}
+{{ range $namespaces }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
- creationTimestamp: null
 name: ack-kms-controller
+ namespace: {{ . }}
 labels:
- {{- range $key, $value := .Values.role.labels }}
+ {{- range $key, $value := $labels }}
 {{ $key }}: {{ $value | quote }}
 {{- end }}
- namespace: {{ .Release.Namespace }}
+{{- $rules }}
 {{ end }}
-rules:
-- apiGroups:
- - ""
- resources:
- - configmaps
- verbs:
- - get
- - list
- - patch
- - watch
-- apiGroups:
- - ""
- resources:
- - namespaces
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - ""
- resources:
- - secrets
- verbs:
- - get
- - list
- - patch
- - watch
-- apiGroups:
- - kms.services.k8s.aws
- resources:
- - aliases
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
-- apiGroups:
- - kms.services.k8s.aws
- resources:
- - aliases/status
- verbs:
- - get
- - patch
- - update
-- apiGroups:
- - kms.services.k8s.aws
- resources:
- - grants
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
-- apiGroups:
- - kms.services.k8s.aws
- resources:
- - grants/status
- verbs:
- - get
- - patch
- - update
-- apiGroups:
- - kms.services.k8s.aws
- resources:
- - keys
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
-- apiGroups:
- - kms.services.k8s.aws
- resources:
- - keys/status
- verbs:
- - get
- - patch
- - update
-- apiGroups:
- -
services.k8s.aws
- resources:
- - adoptedresources
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
-- apiGroups:
- - services.k8s.aws
- resources:
- - adoptedresources/status
- verbs:
- - get
- - patch
- - update
-- apiGroups:
- - services.k8s.aws
- resources:
- - fieldexports
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
-- apiGroups:
- - services.k8s.aws
- resources:
- - fieldexports/status
- verbs:
- - get
- - patch
- - update
+{{ end }}
\ No newline at end of file
diff --git a/addons/kms-chart/templates/role-writer.yaml b/addons/kms-chart/templates/role-writer.yaml
index c5f4a215..8d89415f 100644
--- a/addons/kms-chart/templates/role-writer.yaml
+++ b/addons/kms-chart/templates/role-writer.yaml
@@ -10,11 +10,8 @@ rules:
 - kms.services.k8s.aws
 resources:
 - aliases - - grants - - keys - verbs: - create - delete
diff --git a/addons/kms-chart/values.yaml b/addons/kms-chart/values.yaml
index 79b03466..0bc81dfc 100644
--- a/addons/kms-chart/values.yaml
+++ b/addons/kms-chart/values.yaml
@@ -4,7 +4,7 @@ image:
 repository: public.ecr.aws/aws-controllers-k8s/kms-controller
- tag: 1.0.8
+ tag: 1.0.9
 pullPolicy: IfNotPresent
 pullSecrets: []
@@ -107,6 +107,7 @@ installScope: cluster
 # Set the value of the "namespace" to be watched by the controller
 # This value is only used when the `installScope` is set to "namespace". If left empty, the default value is the release namespace for the chart.
+# You can set multiple namespaces by providing a comma separated list of namespaces. e.g "namespace1,namespace2"
 watchNamespace: ""
 resourceTags:
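Review bot: The role-writer.yaml hunk appears to remove `grants` and `keys` from the writer ClusterRole's `resources` list, leaving only `aliases`, and nothing in the commit message explains the narrowing; anyone bound to that role would lose the ability to manage KMS `grants` and `keys` objects after upgrading to 1.0.9. Given that the controller's own rules in `controller-role-rules` still cover all three resources, this reads more like a chart-generator regression than an intended permission change, so please confirm against the upstream controller's chart before publishing. The enclosing rule starts before the hunk, and the third removed line is not recoverable from this rendering.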