diff --git a/addons/emrcontainers-chart/Chart.yaml b/addons/emrcontainers-chart/Chart.yaml index e6548bb3..5cfaa164 100644 --- a/addons/emrcontainers-chart/Chart.yaml +++ b/addons/emrcontainers-chart/Chart.yaml @@ -1,8 +1,8 @@ apiVersion: v1 name: emrcontainers-chart description: A Helm chart for the ACK service controller for Amazon EMR on EKS (EMRContainers) -version: 1.0.5 -appVersion: 1.0.5 +version: 1.0.6 +appVersion: 1.0.6 home: https://github.com/aws-controllers-k8s/emrcontainers-controller icon: https://raw.githubusercontent.com/aws/eks-charts/master/docs/logo/aws.png sources: diff --git a/addons/emrcontainers-chart/crds/services.k8s.aws_adoptedresources.yaml b/addons/emrcontainers-chart/crds/services.k8s.aws_adoptedresources.yaml index d8d51261..9a12ef7e 100644 --- a/addons/emrcontainers-chart/crds/services.k8s.aws_adoptedresources.yaml +++ b/addons/emrcontainers-chart/crds/services.k8s.aws_adoptedresources.yaml @@ -161,10 +161,10 @@ spec: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string name: - description: 'Name of the referent. More info: http://kubernetes.io/docs/user-guide/identifiers#names' + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names' type: string uid: - description: 'UID of the referent. More info: http://kubernetes.io/docs/user-guide/identifiers#uids' + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids' type: string required: - apiVersion diff --git a/addons/emrcontainers-chart/templates/NOTES.txt b/addons/emrcontainers-chart/templates/NOTES.txt index f086ddb4..3b939669 100644 --- a/addons/emrcontainers-chart/templates/NOTES.txt +++ b/addons/emrcontainers-chart/templates/NOTES.txt 
@@ -1,5 +1,5 @@ {{ .Chart.Name }} has been installed. -This chart deploys "public.ecr.aws/aws-controllers-k8s/emrcontainers-controller:1.0.5". +This chart deploys "public.ecr.aws/aws-controllers-k8s/emrcontainers-controller:1.0.6". Check its status by running: kubectl --namespace {{ .Release.Namespace }} get pods -l "app.kubernetes.io/instance={{ .Release.Name }}" diff --git a/addons/emrcontainers-chart/templates/_helpers.tpl b/addons/emrcontainers-chart/templates/_helpers.tpl index 391d5de3..ced54b77 100644 --- a/addons/emrcontainers-chart/templates/_helpers.tpl +++ b/addons/emrcontainers-chart/templates/_helpers.tpl 
@@ -46,3 +46,114 @@ If release name contains chart name it will be used as a full name. {{- define "aws.credentials.path" -}} {{- printf "%s/%s" (include "aws.credentials.secret_mount_path" .) .Values.aws.credentials.secretKey -}} {{- end -}} + +{{/* The rules a of ClusterRole or Role */}} +{{- define "controller-role-rules" }} +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - patch + - watch +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - patch + - watch +- apiGroups: + - emrcontainers.services.k8s.aws + resources: + - jobruns + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - emrcontainers.services.k8s.aws + resources: + - jobruns/status + verbs: + - get + - patch + - update +- apiGroups: + - emrcontainers.services.k8s.aws + resources: + - virtualclusters + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - emrcontainers.services.k8s.aws + resources: + - virtualclusters/status + verbs: + - get + - patch + - update +- apiGroups: + - services.k8s.aws + resources: + - adoptedresources + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - services.k8s.aws + resources: + - adoptedresources/status + verbs: + - get + - patch + - update +- apiGroups: + - services.k8s.aws + resources: + - fieldexports + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - services.k8s.aws + resources: + - fieldexports/status + verbs: + - get + - patch + - update +{{- end }} \ No newline at end of file diff --git a/addons/emrcontainers-chart/templates/caches-role-binding.yaml b/addons/emrcontainers-chart/templates/caches-role-binding.yaml new file mode 100644 index 00000000..a6189151 --- /dev/null +++ b/addons/emrcontainers-chart/templates/caches-role-binding.yaml 
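Review bot: The comment on the new `controller-role-rules` helper reads `The rules a of ClusterRole or Role`, with two words transposed, and it does not say what the block grants. The rule set includes `get`/`list`/`watch`/`patch` on core `secrets` and `configmaps`, and it is now shared by every Role or ClusterRole that includes it, so the comment should state this. I would write `{{/* Rules shared by the controller's ClusterRole (installScope "cluster") and its per-namespace Roles; grants get/list/watch/patch on secrets and configmaps in whichever scope includes it */}}`. The file also now ends without a trailing newline, as do the other templates this commit touches.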
@@ -0,0 +1,26 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: ack-namespaces-cache-emrcontainers-controller +roleRef: + kind: ClusterRole + apiGroup: rbac.authorization.k8s.io + name: ack-namespaces-cache-emrcontainers-controller +subjects: +- kind: ServiceAccount + name: ack-emrcontainers-controller + namespace: {{ .Release.Namespace }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: ack-configmaps-cache-emrcontainers-controller + namespace: {{ .Release.Namespace }} +roleRef: + kind: Role + apiGroup: rbac.authorization.k8s.io + name: ack-configmaps-cache-emrcontainers-controller +subjects: +- kind: ServiceAccount + name: ack-emrcontainers-controller + namespace: {{ .Release.Namespace }} \ No newline at end of file diff --git a/addons/emrcontainers-chart/templates/caches-role.yaml b/addons/emrcontainers-chart/templates/caches-role.yaml new file mode 100644 index 00000000..891bd565 --- /dev/null +++ b/addons/emrcontainers-chart/templates/caches-role.yaml @@ -0,0 +1,28 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: ack-namespaces-cache-emrcontainers-controller +rules: +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: ack-configmaps-cache-emrcontainers-controller + namespace: {{ .Release.Namespace }} +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch \ No newline at end of file diff --git a/addons/emrcontainers-chart/templates/cluster-role-binding.yaml b/addons/emrcontainers-chart/templates/cluster-role-binding.yaml index df37e181..b07a2bfb 100644 --- a/addons/emrcontainers-chart/templates/cluster-role-binding.yaml +++ b/addons/emrcontainers-chart/templates/cluster-role-binding.yaml 
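Review bot: Both bindings in caches-role-binding.yaml name their subject literally as `ack-emrcontainers-controller`, while cluster-role-binding.yaml in this same commit takes it from `{{ include "service-account.name" . }}`. If that helper can resolve to a different name (its body is not visible here), the namespaces and configmaps cache roles would be bound to a service account the controller does not run as, and the grants would silently not apply. Using `name: {{ include "service-account.name" . }}` in both `subjects` entries keeps all the bindings pointed at the same identity.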
@@ -1,21 +1,35 @@ -apiVersion: rbac.authorization.k8s.io/v1 {{ if eq .Values.installScope "cluster" }} +apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: {{ include "app.fullname" . }} roleRef: kind: ClusterRole -{{ else }} + apiGroup: rbac.authorization.k8s.io + name: ack-emrcontainers-controller +subjects: +- kind: ServiceAccount + name: {{ include "service-account.name" . }} + namespace: {{ .Release.Namespace }} +{{ else if .Values.watchNamespace }} +{{ $namespaces := split "," .Values.watchNamespace }} +{{ $fullname := include "app.fullname" . }} +{{ $releaseNamespace := .Release.Namespace }} +{{ $serviceAccountName := include "service-account.name" . }} +{{ range $namespaces }} +--- +apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: {{ include "app.fullname" . }} - namespace: {{ .Release.Namespace }} + name: {{ $fullname }} + namespace: {{ . }} roleRef: kind: Role -{{ end }} apiGroup: rbac.authorization.k8s.io name: ack-emrcontainers-controller subjects: - kind: ServiceAccount - name: {{ include "service-account.name" . }} - namespace: {{ .Release.Namespace }} + name: {{ $serviceAccountName }} + namespace: {{ $releaseNamespace }} +{{ end }} +{{ end }} \ No newline at end of file diff --git a/addons/emrcontainers-chart/templates/cluster-role-controller.yaml b/addons/emrcontainers-chart/templates/cluster-role-controller.yaml index 611de96b..262808e6 100644 --- a/addons/emrcontainers-chart/templates/cluster-role-controller.yaml +++ b/addons/emrcontainers-chart/templates/cluster-role-controller.yaml 
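Review bot: With `installScope` set to "namespace" and `watchNamespace` left at its default `""`, the new `{{ else if .Values.watchNamespace }}` branch renders no RoleBinding at all. The removed `{{ else }}` branch bound the service account in `.Release.Namespace`, and the values.yaml comment still says an empty value defaults to the release namespace. cluster-role-controller.yaml uses the same condition, so the Role is dropped in that case too and the controller would start with only the cache permissions. Falling back explicitly restores the documented behaviour: use a plain `{{ else }}` and `{{ $namespaces := split "," (default .Release.Namespace .Values.watchNamespace) }}` in both templates.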
@@ -1,128 +1,28 @@ -apiVersion: rbac.authorization.k8s.io/v1 +{{ $labels := .Values.role.labels }} +{{ $rules := include "controller-role-rules" . }} {{ if eq .Values.installScope "cluster" }} +apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - creationTimestamp: null name: ack-emrcontainers-controller labels: - {{- range $key, $value := .Values.role.labels }} + {{- range $key, $value := $labels }} {{ $key }}: {{ $value | quote }} {{- end }} -{{ else }} +{{- $rules }} +{{ else if .Values.watchNamespace }} +{{ $namespaces := split "," .Values.watchNamespace }} +{{ range $namespaces }} +--- +apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - creationTimestamp: null name: ack-emrcontainers-controller + namespace: {{ . }} labels: - {{- range $key, $value := .Values.role.labels }} + {{- range $key, $value := $labels }} {{ $key }}: {{ $value | quote }} {{- end }} - namespace: {{ .Release.Namespace }} +{{- $rules }} {{ end }} -rules: -- apiGroups: - - "" - resources: - - configmaps - verbs: - - get - - list - - patch - - watch -- apiGroups: - - "" - resources: - - namespaces - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - secrets - verbs: - - get - - list - - patch - - watch -- apiGroups: - - emrcontainers.services.k8s.aws - resources: - - jobruns - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - emrcontainers.services.k8s.aws - resources: - - jobruns/status - verbs: - - get - - patch - - update -- apiGroups: - - emrcontainers.services.k8s.aws - resources: - - virtualclusters - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - emrcontainers.services.k8s.aws - resources: - - virtualclusters/status - verbs: - - get - - patch - - update -- apiGroups: - - services.k8s.aws - resources: - - adoptedresources - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - services.k8s.aws - 
resources: - - adoptedresources/status - verbs: - - get - - patch - - update -- apiGroups: - - services.k8s.aws - resources: - - fieldexports - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - services.k8s.aws - resources: - - fieldexports/status - verbs: - - get - - patch - - update +{{ end }} \ No newline at end of file diff --git a/addons/emrcontainers-chart/templates/role-writer.yaml b/addons/emrcontainers-chart/templates/role-writer.yaml index 4a5a508a..6c414141 100644 --- a/addons/emrcontainers-chart/templates/role-writer.yaml +++ b/addons/emrcontainers-chart/templates/role-writer.yaml @@ -10,9 +10,7 @@ rules: - emrcontainers.services.k8s.aws resources: - jobruns - - virtualclusters - verbs: - create - delete diff --git a/addons/emrcontainers-chart/values.yaml b/addons/emrcontainers-chart/values.yaml index 37efc33b..5681e001 100644 --- a/addons/emrcontainers-chart/values.yaml +++ b/addons/emrcontainers-chart/values.yaml @@ -4,7 +4,7 @@ image: repository: public.ecr.aws/aws-controllers-k8s/emrcontainers-controller - tag: 1.0.5 + tag: 1.0.6 pullPolicy: IfNotPresent pullSecrets: [] @@ -107,6 +107,7 @@ installScope: cluster # Set the value of the "namespace" to be watched by the controller # This value is only used when the `installScope` is set to "namespace". If left empty, the default value is the release namespace for the chart. +# You can set multiple namespaces by providing a comma separated list of namespaces. e.g "namespace1,namespace2" watchNamespace: "" resourceTags: