Optional field for rbac resources (#151)

* Optional field for rbac resources * Feedback changes * Feedback II * rbac to localMgmt in the values file --------- Co-authored-by: Omar Gadelmawla <o.gadelmawla@emagiz.com>
portainer · Oct 18, 2024 · a0248dd · a0248dd
1 parent 5087dd9
commit a0248dd
Show file tree

Hide file tree

Showing 5 changed files with 12 additions and 1 deletion.
diff --git a/charts/portainer/README.md b/charts/portainer/README.md
@@ -64,6 +64,7 @@ The following table lists the configurable parameters of the Portainer chart and
 | `nodeSelector` | Used to apply a nodeSelector to the deployment | `{}` |
 | `serviceAccount.annotations` | Annotations to add to the service account | `null` |
 | `serviceAccount.name` | The name of the service account to use | `portainer-sa-clusteradmin` |
+| `localMgmt` | Enables or disables the creation of SA, Roles in local cluster where Portainer runs, only change when you don't need to manage the local cluster through this Portainer instance  | `true` |
 | `service.type` | Service Type for the main Portainer Service; ClusterIP, NodePort and LoadBalancer | `LoadBalancer` |
 | `service.httpPort` | HTTP port for accessing Portainer Web | `9000` |
 | `service.httpNodePort` | Static NodePort for accessing Portainer Web. Specify only if the type is NodePort | `30777` |

diff --git a/charts/portainer/templates/deployment.yaml b/charts/portainer/templates/deployment.yaml
@@ -23,7 +23,9 @@ spec:
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- if .Values.localMgmt }}
       serviceAccountName: {{ include "portainer.serviceAccountName" . }}
+      {{- end }}
       volumes:
         {{- if .Values.persistence.enabled }}
         - name: "data"

diff --git a/charts/portainer/templates/rbac.yaml b/charts/portainer/templates/rbac.yaml
@@ -1,3 +1,4 @@
+{{- if .Values.localMgmt }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
@@ -11,4 +12,5 @@ roleRef:
 subjects:
 - kind: ServiceAccount
   namespace: {{ .Release.Namespace }}
-  name: {{ include "portainer.serviceAccountName" . }}
+  name: {{ include "portainer.serviceAccountName" . }}
+{{- end }}
diff --git a/charts/portainer/templates/serviceaccount.yaml b/charts/portainer/templates/serviceaccount.yaml
@@ -1,3 +1,4 @@
+{{- if .Values.localMgmt }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
@@ -9,3 +10,4 @@ metadata:
   annotations:
     {{- toYaml . | nindent 4 }}
   {{- end }}
+{{- end }}
diff --git a/charts/portainer/values.yaml b/charts/portainer/values.yaml
@@ -25,6 +25,10 @@ serviceAccount:
   annotations: {}
   name: portainer-sa-clusteradmin
 
+# This flag provides the ability to enable or disable RBAC-related resources during the deployment of the Portainer application
+# If you are using Portainer to manage the K8s cluster it is deployed to, this flag must be set to true 
+localMgmt: true
+
 service:
   # Set the httpNodePort and edgeNodePort only if the type is NodePort
   # For Ingress, set the type to be ClusterIP and set ingress.enabled to true