From 2541bf6a6d4dd90ea167188bfb9e08dcbe786a87 Mon Sep 17 00:00:00 2001
From: sutekar
Date: Mon, 25 Jul 2022 00:01:26 +0530
Subject: [PATCH] Adding role, rolebindings, clusterrole for web
---
 templates/web/clusterrole.yaml | 14 ++++++++++++++
 templates/web/deployment.yaml | 2 ++
 templates/web/role.yaml | 21 +++++++++++++++++++++
 templates/web/rolebinding.yaml | 17 +++++++++++++++++
 4 files changed, 54 insertions(+)
 create mode 100644 templates/web/clusterrole.yaml
 create mode 100644 templates/web/role.yaml
 create mode 100644 templates/web/rolebinding.yaml
diff --git a/templates/web/clusterrole.yaml b/templates/web/clusterrole.yaml
new file mode 100644
index 0000000..b008794
--- /dev/null
+++ b/templates/web/clusterrole.yaml
@@ -0,0 +1,14 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "pecan.fullname" . }}-web
+ labels:
+ {{- include "pecan.labels" . | nindent 4 }}
+rules:
+- apiGroups: [""]
+ resources: ["persistentvolumes"]
+ verbs:
+ - get
+ - list
+ - watch
+ - update
\ No newline at end of file
diff --git a/templates/web/deployment.yaml b/templates/web/deployment.yaml
index 5493081..a2cd796 100644
--- a/templates/web/deployment.yaml
+++ b/templates/web/deployment.yaml
@@ -20,6 +20,8 @@ spec:
 imagePullSecrets:
 {{- toYaml . | nindent 8 }}
 {{- end }}
+ serviceAccountName: {{ include "pecan.fullname" . }}-web
+ automountServiceAccountToken: false
 initContainers:
 - name: check-rabbitmq
 image: "{{ $.Values.image.checks }}"
diff --git a/templates/web/role.yaml b/templates/web/role.yaml
new file mode 100644
index 0000000..9e55413
--- /dev/null
+++ b/templates/web/role.yaml
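Review bot: The `update` verb on `persistentvolumes` in templates/web/clusterrole.yaml gives the web service account write access to every PersistentVolume in the cluster, while the namespaced Role added in the same commit is read-only. If the web component only inspects volumes, reduce the verbs to `get`, `list`, `watch`; if it really has to modify them, add a comment above the rule such as `# web needs update on PVs because <reason>` so the grant can be audited. PersistentVolumes are cluster-scoped, so this rule only takes effect through a ClusterRoleBinding, and this patch adds none. ClusterRole names are cluster-wide as well, so `{{ include "pecan.fullname" . }}-web` will likely collide when the chart is installed under the same release name in two namespaces.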
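Review bot: `automountServiceAccountToken: false`, added right after `serviceAccountName` in templates/web/deployment.yaml, leaves the pod without an API token, so the web container cannot use the Role and ClusterRole from this commit unless a token is mounted some other way. Decide which is intended: if the web pod needs no Kubernetes API access, keep the `false` and drop the new RBAC objects; if it does, remove the line or mount a projected token explicitly and say so in a comment. The patch also adds no ServiceAccount template, so unless an account with this name is created elsewhere in the chart, pod creation will be rejected. The pod spec continues outside the hunk.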
@@ -0,0 +1,21 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ include "pecan.fullname" . }}-web
+ labels:
+ {{- include "pecan.labels" . | nindent 4 }}
+rules:
+- apiGroups: [""]
+ resources: ["pods", "endpoints", "Services", "persistentvolumeclaims"]
+ verbs:
+ - list
+ - watch
+ - get
+- apiGroups:
+ - networking.k8s.io
+ resources:
+ - ingresses
+ verbs:
+ - list
+ - watch
+ - get
\ No newline at end of file
diff --git a/templates/web/rolebinding.yaml b/templates/web/rolebinding.yaml
new file mode 100644
index 0000000..84755e4
--- /dev/null
+++ b/templates/web/rolebinding.yaml
@@ -0,0 +1,17 @@
+# We bind the role to the pecan-web service account.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ include "pecan.fullname" . }}-web
+ labels:
+ {{- include "pecan.labels" . | nindent 4 }}
+roleRef:
+- apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ include "pecan.fullname" . }}-web
+- apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ include "pecan.fullname" . }}-web
+subjects:
+- kind: ServiceAccount
+ name: {{ include "pecan.fullname" . }}-web
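Review bot: `"Services"` in the first rule of templates/web/role.yaml is capitalised, but RBAC resource names are lowercase plurals, so this entry grants nothing for services and fails without any error. Change the line to `resources: ["pods", "endpoints", "services", "persistentvolumeclaims"]`. The two rules also mix flow and block sequence style; writing both the same way would make the granted permissions easier to audit.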
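Review bot: `roleRef` in templates/web/rolebinding.yaml is written as a list of two entries, but a RoleBinding takes a single `roleRef` object, so the API server will reject this manifest as it stands. Bind only the Role here and give the ClusterRole its own ClusterRoleBinding, because a RoleBinding cannot grant the cluster-scoped `persistentvolumes` rule in any case. The ServiceAccount subject also lacks `namespace`, which is required for that subject kind. The fence below shows the corrected `roleRef` and `subjects`, using the release namespace.

```yaml
# … unchanged: apiVersion, kind, metadata …
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ include "pecan.fullname" . }}-web
subjects:
- kind: ServiceAccount
  name: {{ include "pecan.fullname" . }}-web
  namespace: {{ .Release.Namespace }}
```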