Adding roles. rolebindings for pecan-monitor

templates/docs/deployment.yaml

@@ -20,6 +20,8 @@ spec:
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
     {{- end }}
+      serviceAccountName: {{ include "pecan.fullname" . }}-docs
+      automountServiceAccountToken: false
       containers:
         - name: {{ .Chart.Name }}
           image: "{{ .Values.image.project }}/docs:{{ .Values.image.tag | default .Chart.AppVersion }}"

templates/docs/role.yaml

@@ -6,7 +6,7 @@ metadata:
     {{- include "pecan.labels" . | nindent 4 }}
 rules:
 - apiGroups: [""]
-  resources: ["pods"]
+  resources: ["pods", "services", "endpoints"]
   verbs:
   - list
   - watch

templates/monitor/deployment.yaml

@@ -20,6 +20,8 @@ spec:
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
     {{- end }}
+      serviceAccountName: {{ include "pecan.fullname" . }}-monitor
+      automountServiceAccountToken: false
       initContainers:
         - name: check-rabbitmq
           image: "{{ $.Values.image.checks }}"

templates/monitor/role.yaml

@@ -0,0 +1,21 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "pecan.fullname" . }}-monitor
+  labels:
+    {{- include "pecan.labels" . | nindent 4 }}
+rules:
+- apiGroups: [""]
+  resources: ["pods", "endpoints", "Services"]
+  verbs:
+  - list
+  - watch
+  - get
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - list
+  - watch
+  - get

templates/monitor/rolebinding.yaml

@@ -0,0 +1,14 @@
+# We bind the role to the pecan-monitor service account.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "pecan.fullname" . }}-monitor
+  labels:
+    {{- include "pecan.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "pecan.fullname" . }}-monitor
+subjects:
+- kind: ServiceAccount
+  name: {{ include "pecan.fullname" . }}-monitor