Closed benashz closed 1 month ago
Extends the Helm chart to create ClusterRole aggregates based off the resource-specific viewer and editor roles. See https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles for more details.
By default, no aggregate ClusterRoles will be installed. See below for examples of how to enable the new feature.
```shell
$ helm install [...] \
    --set 'controller.rbac.clusterRoleAggregation.viewerRoles={*}' \
    --set 'controller.rbac.clusterRoleAggregation.editorRoles={*}'
```
Selective viewer roles output:
```shell
helm template -s templates/clusterrole-aggregated-viewer.yaml \
    --set 'controller.rbac.clusterRoleAggregation.viewerRoles={vaultauth,hcpauth}' .
```

```yaml
---
# Source: vault-secrets-operator/templates/clusterrole-aggregated-viewer.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: release-name-vault-secrets-operator-aggregate-role-viewer
  labels:
    app.kubernetes.io/component: rbac
    vso.hashicorp.com/role-instance: aggregate-role-viewer
    vso.hashicorp.com/aggregate-to-editor: "true"
    helm.sh/chart: vault-secrets-operator-0.6.0
    app.kubernetes.io/name: vault-secrets-operator
    app.kubernetes.io/instance: release-name
    app.kubernetes.io/version: "0.6.0"
    app.kubernetes.io/managed-by: Helm
aggregationRule:
  clusterRoleSelectors:
  - matchLabels:
      vso.hashicorp.com/role-instance: vaultauth-viewer-role
  - matchLabels:
      vso.hashicorp.com/role-instance: hcpauth-viewer-role
```
Aggregate all viewer roles output:
```shell
helm template -s templates/clusterrole-aggregated-viewer.yaml \
    --set 'controller.rbac.clusterRoleAggregation.viewerRoles={*}' .
```

```yaml
---
# Source: vault-secrets-operator/templates/clusterrole-aggregated-viewer.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: release-name-vault-secrets-operator-aggregate-role-viewer
  labels:
    app.kubernetes.io/component: rbac
    vso.hashicorp.com/role-instance: aggregate-role-viewer
    vso.hashicorp.com/aggregate-to-editor: "true"
    helm.sh/chart: vault-secrets-operator-0.6.0
    app.kubernetes.io/name: vault-secrets-operator
    app.kubernetes.io/instance: release-name
    app.kubernetes.io/version: "0.6.0"
    app.kubernetes.io/managed-by: Helm
aggregationRule:
  clusterRoleSelectors:
  - matchLabels:
      vso.hashicorp.com/aggregate-to-viewer: "true"
```
All editor roles output:
```shell
helm template -s templates/clusterrole-aggregated-editor.yaml \
    --set 'controller.rbac.clusterRoleAggregation.editorRoles={*}' .
```

```yaml
---
# Source: vault-secrets-operator/templates/clusterrole-aggregated-editor.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: release-name-vault-secrets-operator-aggregate-role-editor
  labels:
    app.kubernetes.io/component: rbac
    vso.hashicorp.com/role-instance: aggregate-role-editor
    helm.sh/chart: vault-secrets-operator-0.6.0
    app.kubernetes.io/name: vault-secrets-operator
    app.kubernetes.io/instance: release-name
    app.kubernetes.io/version: "0.6.0"
    app.kubernetes.io/managed-by: Helm
aggregationRule:
  clusterRoleSelectors:
  - matchLabels:
      vso.hashicorp.com/aggregate-to-editor: "true"
```
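The rendered manifests above only show the selectors; what a subject bound to one of these aggregates can actually do is decided later by the clusterrole-aggregation controller in kube-controller-manager. The following is an added example, not code from the vault-secrets-operator project or this PR: a small Python model of that resolution, run over constructed per-resource viewer/editor ClusterRoles whose labels follow the pattern the rendered output selects on. The rule contents, the `vaultstaticsecret` role and the `aggregate_role` helper that mirrors the chart's `{*}`-versus-named selector logic are assumptions for illustration. It is useful for previewing what `viewerRoles={vaultauth,hcpauth}` versus `{*}` grants before installing, and it shows one consequence visible in the labels above: because the viewer aggregate carries `vso.hashicorp.com/aggregate-to-editor: "true"`, the editor aggregate inherits only the viewer resources you selected, so a narrowed viewer list also narrows what editors can read.

```python
"""Added example (not vault-secrets-operator code): model the Kubernetes
clusterrole-aggregation controller's resolution of aggregated ClusterRoles and
apply it to constructed VSO-style viewer/editor roles."""

from typing import Dict, List

VSO_GROUP = "secrets.hashicorp.com"  # API group of the VSO CRDs


def resource_roles() -> List[dict]:
    """Constructed per-resource roles. Labels follow the pattern the chart's
    selectors match on; rules are illustrative, not copied from the chart."""
    roles = []
    for kind in ("vaultauth", "hcpauth", "vaultstaticsecret"):  # assumed set
        plural = kind + "s"
        for suffix, verbs in (("viewer", ["get", "list", "watch"]),
                              ("editor", ["create", "update", "patch", "delete"])):
            name = f"{kind}-{suffix}-role"
            roles.append({
                "metadata": {"name": name,
                             "labels": {"vso.hashicorp.com/role-instance": name,
                                        f"vso.hashicorp.com/aggregate-to-{suffix}": "true"}},
                "rules": [{"apiGroups": [VSO_GROUP], "resources": [plural], "verbs": verbs}],
            })
    return roles


def aggregate_role(suffix: str, names: List[str], extra_labels: dict) -> dict:
    """Mirror the selector logic visible in the rendered chart output (assumed
    to be the template's rule): '*' selects on the aggregate-to-<suffix> label,
    otherwise one matchLabels entry per named <name>-<suffix>-role."""
    if names == ["*"]:
        selectors = [{"matchLabels": {f"vso.hashicorp.com/aggregate-to-{suffix}": "true"}}]
    else:
        selectors = [{"matchLabels": {"vso.hashicorp.com/role-instance": f"{n}-{suffix}-role"}}
                     for n in names]
    return {"metadata": {"name": f"aggregate-role-{suffix}",
                         "labels": {"vso.hashicorp.com/role-instance": f"aggregate-role-{suffix}",
                                    **extra_labels}},
            "aggregationRule": {"clusterRoleSelectors": selectors}}


def _matches(selector: dict, labels: dict) -> bool:
    # matchLabels only (all the chart emits); every key/value must be present.
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def resolve(roles: List[dict]) -> Dict[str, List[dict]]:
    """Return name -> effective rules. The controller overwrites an aggregate's
    rules with the union of rules from every ClusterRole matching any selector.
    Iterate to a fixpoint so an aggregate that selects another aggregate (the
    viewer aggregate is labeled aggregate-to-editor) sees its resolved rules."""
    effective = {r["metadata"]["name"]: ([] if "aggregationRule" in r else list(r.get("rules", [])))
                 for r in roles}
    changed = True
    while changed:
        changed = False
        for r in roles:
            agg = r.get("aggregationRule")
            if not agg:
                continue
            name = r["metadata"]["name"]
            merged: List[dict] = []
            for other in roles:
                oname = other["metadata"]["name"]
                if oname == name:
                    continue  # an aggregate never feeds itself
                if any(_matches(s, other["metadata"].get("labels", {}))
                       for s in agg["clusterRoleSelectors"]):
                    for rule in effective[oname]:
                        if rule not in merged:
                            merged.append(rule)
            if merged != effective[name]:
                effective[name] = merged
                changed = True
    return effective


def verbs_for(rules: List[dict], resource: str) -> set:
    """Flatten the verbs granted on one resource by a resolved rule list."""
    return {v for rule in rules if resource in rule["resources"] for v in rule["verbs"]}


def demo(viewer_names: List[str], editor_names: List[str]) -> Dict[str, List[dict]]:
    """Render the two aggregates for the given chart values and resolve them."""
    roles = resource_roles() + [
        aggregate_role("viewer", viewer_names, {"vso.hashicorp.com/aggregate-to-editor": "true"}),
        aggregate_role("editor", editor_names, {}),
    ]
    return resolve(roles)


if __name__ == "__main__":
    eff = demo(["vaultauth", "hcpauth"], ["*"])  # selective viewers, all editors
    for name in ("aggregate-role-viewer", "aggregate-role-editor"):
        for res in ("vaultauths", "hcpauths", "vaultstaticsecrets"):
            print(f"{name:22} {res:20} {sorted(verbs_for(eff[name], res))}")
```

With `viewerRoles={vaultauth,hcpauth}` and `editorRoles={*}`, the editor aggregate ends up with write verbs on every resource but read verbs only on `vaultauths` and `hcpauths`; with `{*}` for both, every resource gets all seven verbs. Verify the live cluster the same way with `kubectl get clusterrole <name> -o yaml`, which shows the `rules` the controller has filled in.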