diff --git a/charts/cloudquery/Chart.yaml b/charts/cloudquery/Chart.yaml
index b38fc49a..abad77f4 100644
--- a/charts/cloudquery/Chart.yaml
+++ b/charts/cloudquery/Chart.yaml
@@ -14,7 +14,7 @@ sources:
 maintainers:
 - name: yevgenypats
 email: yp@cloudquery.io
-version: 38.2.0
+version: 38.2.1
 appVersion: 6.20.5
 annotations:
 artifacthub.io/license: MPL-2.0
diff --git a/charts/cloudquery/README.md b/charts/cloudquery/README.md
index 3a9f815a..8b8c9204 100644
--- a/charts/cloudquery/README.md
+++ b/charts/cloudquery/README.md
@@ -1,6 +1,6 @@
 # cloudquery
-![Version: 38.2.0](https://img.shields.io/badge/Version-38.2.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 6.20.2](https://img.shields.io/badge/AppVersion-6.20.2-informational?style=flat-square)
+![Version: 38.2.1](https://img.shields.io/badge/Version-38.2.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 6.20.5](https://img.shields.io/badge/AppVersion-6.20.5-informational?style=flat-square)
 Open source high performance data integration platform designed for security and infrastructure teams.
@@ -52,6 +52,12 @@ Kubernetes: `^1.8.0-0`
 | nameOverride | string | `""` | Partially override common.names.fullname template (will maintain the release name) |
 | nodeSelector | object | `{}` | Optional. Adds the nodeSelector to the admin pod and cronjob. |
 | promtail | object | See [values.yaml](./values.yaml) | Promtail sub-chart configuration |
+| rbac | object | `{"annotations":{},"apiVersion":"v1","create":false,"labels":{},"name":"cloudquery-read-only"}` | RBAC configuration |
+| rbac.annotations | object | `{}` | Additional annotations to be applied to the ClusterRole and ClusterRoleBinding |
+| rbac.apiVersion | string | `"v1"` | API version of the ClusterRoleBinding |
+| rbac.create | bool | `false` | Create the ClusterRole and ClusterRoleBinding |
+| rbac.labels | object | `{}` | Additional labels to be applied to the ClusterRole and ClusterRoleBinding |
+| rbac.name | string | `"cloudquery-read-only"` | Name of the ClusterRole and ClusterRoleBinding |
 | resources.admin | object | `{"requests":{"cpu":"1000m","memory":"1024Mi"}}` | Optional. Resource requests/ limit for admin pod. |
 | resources.cronJob | object | `{"requests":{"cpu":"1000m","memory":"1024Mi"}}` | Optional. Resource requests/ limit for cronJob. |
 | schedule | string | `"0 */6 * * *"` | Schedule fetch time Every 6 hours. More information at: https://crontab.guru/#0_0_*_*_* |
@@ -66,5 +72,3 @@ Kubernetes: `^1.8.0-0`
 | volumeMounts | string | `nil` | |
 | volumes | string | `nil` | |
-----------------------------------------------
-Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0)
diff --git a/charts/cloudquery/templates/_helpers.tpl b/charts/cloudquery/templates/_helpers.tpl
index 7cde3590..96304a33 100644
--- a/charts/cloudquery/templates/_helpers.tpl
+++ b/charts/cloudquery/templates/_helpers.tpl
@@ -76,6 +76,17 @@ Create the name of the service account to use
 {{- end }}
 {{- end }}
+{{/*
+Create the name of the cluster role to use
+*/}}
+{{- define "cloudquery.clusterRoleName" -}}
+{{- if .Values.rbac.create }}
+{{- default (include "cloudquery.fullname" .) .Values.rbac.name }}
+{{- else }}
+{{- default "default" .Values.rbac.name }}
+{{- end }}
+{{- end }}
+
 {{/*
 Return the image to use depending on the AppVersion and image tag defined
 */}}
diff --git a/charts/cloudquery/templates/clusterrole.yaml b/charts/cloudquery/templates/clusterrole.yaml
new file mode 100644
index 00000000..8596fbba
--- /dev/null
+++ b/charts/cloudquery/templates/clusterrole.yaml
@@ -0,0 +1,28 @@
+{{- if .Values.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/{{ .Values.rbac.apiVersion }}
+kind: ClusterRole
+metadata:
+ name: {{ include "cloudquery.clusterRoleName" . }}
+ labels:
+ {{- include "cloudquery.labels" . | nindent 4 }}
+ {{- with .Values.rbac.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with .Values.rbac.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+rules:
+ - apiGroups:
+ - "*"
+ resources:
+ - "*"
+ verbs:
+ - get
+ - list
+ - nonResourceURLs:
+ - "*"
+ verbs:
+ - get
+ - list
+{{- end }}
diff --git a/charts/cloudquery/templates/clusterrolebinding.yaml b/charts/cloudquery/templates/clusterrolebinding.yaml
new file mode 100644
index 00000000..7e53883f
--- /dev/null
+++ b/charts/cloudquery/templates/clusterrolebinding.yaml
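Review bot: The `else` branch of `cloudquery.clusterRoleName` returns the literal `default` when `rbac.create` is false, which looks carried over from the service-account helper; both templates that call this helper are themselves gated on `rbac.create`, so the branch is never rendered. The fullname fallback in the `if` branch is also unreachable with the shipped values, because `rbac.name` defaults to `cloudquery-read-only` in values.yaml. ClusterRole and ClusterRoleBinding are cluster-scoped, so that fixed name means a second release of the chart in another namespace would try to create objects that already belong to the first. I would reduce the body to `{{- default (include "cloudquery.fullname" .) .Values.rbac.name }}` and ship `name: ""` in values.yaml, so the release-derived name is used unless an operator overrides it.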
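Review bot: The first rule grants `get` and `list` on `"*"` resources in `"*"` API groups, which covers every Secret in every namespace; `list` on Secrets returns their contents, so a role named read-only is in practice a cluster-wide credential reader for whichever pod runs under the bound service account. RBAC has no deny rules, so the wildcard cannot be kept while excluding Secrets: the rule has to enumerate the API groups and resources the sync actually reads, or take the rule list from values so an operator can narrow it. In the second rule, requests to `nonResourceURLs` are authorized by their lowercased HTTP method, so `- list` never matches there and can be dropped. Because the template is new in this commit, nothing visible here shows which resources the workload needs, so the enumerated list has to come from the plugin's documentation rather than from this diff.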
@@ -0,0 +1,23 @@
+{{- if .Values.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/{{ .Values.rbac.apiVersion }}
+kind: ClusterRoleBinding
+metadata:
+ name: {{ include "cloudquery.clusterRoleName" . }}
+ labels:
+ {{- include "cloudquery.labels" . | nindent 4 }}
+ {{- with .Values.rbac.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with .Values.rbac.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ include "cloudquery.clusterRoleName" . }}
+subjects:
+- kind: ServiceAccount
+ name: {{ include "cloudquery.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
diff --git a/charts/cloudquery/values.yaml b/charts/cloudquery/values.yaml
index 2baf9c1c..fc1eb207 100644
--- a/charts/cloudquery/values.yaml
+++ b/charts/cloudquery/values.yaml
@@ -36,6 +36,19 @@ serviceAccount:
 # -- Additional custom label for the ServiceAccount
 labels: {}
+# -- RBAC configuration
+rbac:
+ # -- Create the ClusterRole and ClusterRoleBinding
+ create: false
+ # -- Name of the ClusterRole and ClusterRoleBinding
+ name: cloudquery-read-only
+ # -- API version of the ClusterRoleBinding
+ apiVersion: v1
+ # -- Additional labels to be applied to the ClusterRole and ClusterRoleBinding
+ labels: {}
+ # -- Additional annotations to be applied to the ClusterRole and ClusterRoleBinding
+ annotations: {}
+
 admin:
 # -- Enable admin container
 # useful for debugging into cloudquery
@@ -112,7 +125,6 @@ volumes:
 # Optional. Additional volumes to mount in the pod.
 volumeMounts:
-
 resources:
 # -- Optional. Resource requests/ limit for admin pod.
 admin:
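Review bot: The subject name comes from `cloudquery.serviceAccountName`, whose body is outside this diff. If that helper follows the usual Helm scaffold and returns `default` when the chart does not create its own service account, enabling `rbac.create` binds the cluster-wide read role to the namespace's default service account, and every pod in that namespace that does not set its own account inherits the grant. A guard at the top of the template would make that combination fail at render time instead, for example `{{- if eq (include "cloudquery.serviceAccountName" .) "default" }}{{- fail "rbac.create requires a dedicated service account" }}{{- end }}`.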
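Review bot: The comment on `rbac.apiVersion` says it is the API version of the ClusterRoleBinding, but clusterrole.yaml interpolates the same value, so it should read `# -- API version suffix used for both the ClusterRole and the ClusterRoleBinding (rbac.authorization.k8s.io/<value>)`. The comment on `create` is what an operator reads before turning this on, and it does not say how broad the grant is; I would extend it to `# -- Create the ClusterRole and ClusterRoleBinding. Grants get/list on all resources cluster-wide, including Secrets, to the chart's service account`. The README table appears to be generated from these comments by helm-docs, so the rbac rows in README.md would need regenerating after either change.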