
Commit 06842e6

authored
Merge pull request #5 from vshn/fix/manager-rb-for-sync-cluster-role
Create ClusterRoleBinding to sync ClusterRole for the controller
2 parents 2a716e7 + 74bbb41 commit 06842e6


2 files changed

+48
-14
lines changed


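--- a/component/main.jsonnet
+++ b/component/main.jsonnet
@@ -8,7 +8,13 @@ local params = inv.parameters.statefulset_resize_controller;
 local prefix = 'statefulset-resize-';
 
 local role = std.parseJson(kap.yaml_load('statefulset-resize-controller/manifests/operator/' + params.manifest_version + '/role.yaml'));
-local service_account = std.parseJson(kap.yaml_load('statefulset-resize-controller/manifests/operator/' + params.manifest_version + '/service_account.yaml'));
+local service_account = std.parseJson(
+kap.yaml_load('statefulset-resize-controller/manifests/operator/' + params.manifest_version + '/service_account.yaml')
+) {
+metadata+: {
+name: prefix + super.name,
+},
+};
 local role_binding = std.parseJson(kap.yaml_load('statefulset-resize-controller/manifests/operator/' + params.manifest_version + '/role_binding.yaml'));
 local deployment = std.parseJson(kap.yaml_load('statefulset-resize-controller/manifests/operator/' + params.manifest_version + '/deployment.yaml'));
 
@@ -23,6 +29,23 @@ local controller_args = [
 params.sync_cluster_role,
 ];
 
+local sync_cluster_role_clusterrolebinding =
+if params.sync_cluster_role != '' then
+kube.ClusterRoleBinding(service_account.metadata.name + '-sync-cluster-role') {
+roleRef: {
+apiGroup: 'rbac.authorization.k8s.io',
+kind: 'ClusterRole',
+name: params.sync_cluster_role,
+},
+subjects: [
+{
+kind: 'ServiceAccount',
+name: service_account.metadata.name,
+namespace: params.namespace,
+},
+],
+};
+
 local objects = [
 
 role {
@@ -42,11 +65,8 @@ local objects = [
 namespace: params.namespace,
 }, super.subjects),
 },
-service_account {
-metadata+: {
-name: prefix + super.name,
-},
-},
+sync_cluster_role_clusterrolebinding,
+service_account,
 deployment {
 metadata+: {
 name: prefix + super.name,
@@ -75,11 +95,22 @@ local objects = [
 '00_namespace': kube.Namespace(params.namespace),
 }
 +
-{
-['10_' + std.asciiLower(obj.kind)]: obj {
-metadata+: {
-namespace: params.namespace,
-},
-}
-for obj in objects
-}
+std.foldl(
+function(obj, it) obj + it,
+[
+{
+['10_' + std.asciiLower(obj.kind)]+: [
+obj {
+metadata+: {
+namespace: params.namespace,
+},
+},
+],
+}
+for obj in std.filter(
+function(it) it != null,
+objects
+)
+],
+{}
+)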
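Review bot: The new `sync_cluster_role_clusterrolebinding` grants the controller's ServiceAccount every permission in `params.sync_cluster_role` in all namespaces, although the documented purpose is only to let the controller create RoleBindings that reference that ClusterRole. Kubernetes RBAC permits that with a narrower grant: a rule such as `{ apiGroups: ['rbac.authorization.k8s.io'], resources: ['clusterroles'], verbs: ['bind'], resourceNames: [params.sync_cluster_role] }` on the controller's own role (its kind and scope come from `role.yaml` and are not visible here) lets it reference the role without holding its permissions. If the cluster-wide binding is kept, put a comment above it recording the trade-off, e.g. `// Grants the controller all of sync_cluster_role cluster-wide so RBAC escalation checks allow it to create RoleBindings to it.` Separately, the final `std.foldl` sets `metadata.namespace: params.namespace` on every entry of `objects`, which now includes this cluster-scoped ClusterRoleBinding; consider skipping the namespace for it.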

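--- a/docs/modules/ROOT/pages/references/parameters.adoc
+++ b/docs/modules/ROOT/pages/references/parameters.adoc
@@ -42,6 +42,9 @@ This parameter can be used to configure a ClusterRole (by name) which the sync j
 The ClusterRole must exist on the cluster.
 The component doesn't offer support to deploy an additional ClusterRole.
 
+Additionally, the component creates a `ClusterRoleBinding` to the provided ClusterRole for the statefulset-resize-controller.
+This ensures that the controller can create RoleBindings for the provided ClusterRole.
+
 If the parameter is the empty string, no additional ClusterRole is configured for the sync jobs.
 
 For example, this parameter can be used to allow the sync jobs to use a non-default PodSecurityPolicy, by specifying a ClusterRole which allows using that PodSecurityPolicy.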
