From a0248dda9f93f7081c9f8c5d7641ecb2beffc566 Mon Sep 17 00:00:00 2001
From: eMagiz
Date: Fri, 18 Oct 2024 08:25:33 +0200
Subject: [PATCH] Optional field for rbac resources (#151)
* Optional field for rbac resources
* Feedback changes
* Feedback II
* rbac to localMgmt in the values file
---------
Co-authored-by: Omar Gadelmawla
---
 charts/portainer/README.md | 1 +
 charts/portainer/templates/deployment.yaml | 2 ++
 charts/portainer/templates/rbac.yaml | 4 +++-
 charts/portainer/templates/serviceaccount.yaml | 2 ++
 charts/portainer/values.yaml | 4 ++++
 5 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/charts/portainer/README.md b/charts/portainer/README.md
index 5d581b9..7c600d5 100644
--- a/charts/portainer/README.md
+++ b/charts/portainer/README.md
@@ -64,6 +64,7 @@ The following table lists the configurable parameters of the Portainer chart and
 | `nodeSelector` | Used to apply a nodeSelector to the deployment | `{}` |
 | `serviceAccount.annotations` | Annotations to add to the service account | `null` |
 | `serviceAccount.name` | The name of the service account to use | `portainer-sa-clusteradmin` |
+| `localMgmt` | Enables or disables the creation of SA, Roles in local cluster where Portainer runs, only change when you don't need to manage the local cluster through this Portainer instance | `true` |
 | `service.type` | Service Type for the main Portainer Service; ClusterIP, NodePort and LoadBalancer | `LoadBalancer` |
 | `service.httpPort` | HTTP port for accessing Portainer Web | `9000` |
 | `service.httpNodePort` | Static NodePort for accessing Portainer Web. Specify only if the type is NodePort | `30777` |
diff --git a/charts/portainer/templates/deployment.yaml b/charts/portainer/templates/deployment.yaml
index b1dbbad..9231a29 100644
--- a/charts/portainer/templates/deployment.yaml
+++ b/charts/portainer/templates/deployment.yaml
@@ -23,7 +23,9 @@ spec:
 imagePullSecrets:
 {{- toYaml . | nindent 8 }}
 {{- end }}
+ {{- if .Values.localMgmt }}
 serviceAccountName: {{ include "portainer.serviceAccountName" . }}
+ {{- end }}
 volumes:
 {{- if .Values.persistence.enabled }}
 - name: "data"
diff --git a/charts/portainer/templates/rbac.yaml b/charts/portainer/templates/rbac.yaml
index 079e080..f28ddca 100644
--- a/charts/portainer/templates/rbac.yaml
+++ b/charts/portainer/templates/rbac.yaml
@@ -1,3 +1,4 @@
+{{- if .Values.localMgmt }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
@@ -11,4 +12,5 @@ roleRef:
 subjects:
 - kind: ServiceAccount
 namespace: {{ .Release.Namespace }}
- name: {{ include "portainer.serviceAccountName" . }}
\ No newline at end of file
+ name: {{ include "portainer.serviceAccountName" . }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/portainer/templates/serviceaccount.yaml b/charts/portainer/templates/serviceaccount.yaml
index 2b9630e..042996d 100644
--- a/charts/portainer/templates/serviceaccount.yaml
+++ b/charts/portainer/templates/serviceaccount.yaml
@@ -1,3 +1,4 @@
+{{- if .Values.localMgmt }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
@@ -9,3 +10,4 @@ metadata:
 annotations:
 {{- toYaml . | nindent 4 }}
 {{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/portainer/values.yaml b/charts/portainer/values.yaml
index 7793cfc..e9759e2 100644
--- a/charts/portainer/values.yaml
+++ b/charts/portainer/values.yaml
@@ -25,6 +25,10 @@ serviceAccount:
 annotations: {}
 name: portainer-sa-clusteradmin
+# This flag provides the ability to enable or disable RBAC-related resources during the deployment of the Portainer application
+# If you are using Portainer to manage the K8s cluster it is deployed to, this flag must be set to true
+localMgmt: true
+
 service:
 # Set the httpNodePort and edgeNodePort only if the type is NodePort
 # For Ingress, set the type to be ClusterIP and set ingress.enabled to true
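Review bot: In charts/portainer/templates/deployment.yaml, when `localMgmt` is false the pod spec carries no `serviceAccountName`, so Kubernetes assigns the namespace's `default` service account and, unless something outside this hunk disables it, still mounts that account's API token into the Portainer container. If the flag means this instance needs no access to the local cluster, the false branch should state that explicitly, for example `{{- else }}` followed by `automountServiceAccountToken: false` before the added `{{- end }}`. Without it, any permissions later bound to `default` in that namespace are picked up by Portainer without the chart showing it. The pod spec starts and ends outside the hunk, so an automount setting elsewhere in the template cannot be ruled out, and whether Portainer starts cleanly without a token should be confirmed.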
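Review bot: The guard `{{- if .Values.localMgmt }}` at the top of charts/portainer/templates/rbac.yaml (and the same guard in serviceaccount.yaml and deployment.yaml) treats a missing key as false, so the documented default of `true` only holds when the new values.yaml is merged in. On an upgrade that reuses the previous release's values, such as `helm upgrade --reuse-values`, the key is absent, which would remove the ClusterRoleBinding and ServiceAccount and move the Deployment to the default service account without the operator asking for it. Testing for an explicit false keeps existing installs unchanged, e.g. `{{- if ne (toString .Values.localMgmt) "false" }}`. The binding's `roleRef` lies outside both hunks, so a one-line template comment above the guard naming the role this binding grants would help reviewers judge what the flag switches off.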
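Review bot: The comment added above `localMgmt` in charts/portainer/values.yaml says the flag disables RBAC-related resources but not which identity the pod runs with afterwards. With `false`, the templates in this patch also drop `serviceAccountName` from the Deployment, so `serviceAccount.name` and `serviceAccount.annotations` directly above are ignored. I would add a line such as `# When false, serviceAccount.* is ignored: no ServiceAccount or ClusterRoleBinding is created and the pod runs as the namespace's default service account`.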