Merge pull request #19 from buttahtoast/fix/rbac

fix: correct rbac for leases

.github/configs/ct.yaml

@@ -3,7 +3,7 @@
 remote: origin
 target-branch: main
 chart-dirs:
-  - helm/
+  - charts/
 chart-repos:
   - buttahtoast=https://buttahtoast.github.io/helm-charts/
   - bitnami=https://charts.bitnami.com/bitnami

.github/workflows/helm-publish.yml

@@ -29,7 +29,7 @@ jobs:
           registry: ghcr.io
           repository: ${{ github.repository_owner }}/charts
           name: "svc-ingress-propagator"
-          path: "./helm"
+          path: "./charts/svc-ingress-propagator/"
           app-version: ${{ steps.extract_version.outputs.version }}
           version: ${{ steps.extract_version.outputs.version }}
           registry-username: ${{ github.actor }}

charts/svc-ingress-propagator/README.md

@@ -0,0 +1,49 @@
+# svc-ingress-propagator
+
+![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.16.0](https://img.shields.io/badge/AppVersion-1.16.0-informational?style=flat-square)
+
+Ingress Propagation Controller
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| affinity | object | `{}` |  |
+| autoscaling.enabled | bool | `false` |  |
+| autoscaling.maxReplicas | int | `100` |  |
+| autoscaling.minReplicas | int | `1` |  |
+| autoscaling.targetCPUUtilizationPercentage | int | `80` |  |
+| fullnameOverride | string | `""` |  |
+| identifier | string | `""` | instance identifier (Defaults to release name) |
+| image.pullPolicy | string | `"IfNotPresent"` |  |
+| image.registry | string | `"ghcr.io"` |  |
+| image.repository | string | `"buttahtoast/svc-ingress-propagator"` |  |
+| image.tag | string | `""` |  |
+| imagePullSecrets | list | `[]` |  |
+| ingressClass.controllerValue | string | `""` | Ingress class controller |
+| ingressClass.create | bool | `true` | Create IngressClass |
+| ingressClass.isDefaultClass | bool | `false` | Cluster default ingress class |
+| ingressClass.name | string | `"propagation"` | Ingress class name |
+| livenessProbe | object | `{"httpGet":{"path":"/healthz","port":10080}}` | Configure the liveness probe using Deployment probe spec |
+| nameOverride | string | `""` |  |
+| nodeSelector | object | `{}` |  |
+| podAnnotations | object | `{}` |  |
+| podSecurityContext | object | `{}` |  |
+| readinessProbe | object | `{"httpGet":{"path":"/readyz","port":10080}}` | Configure the readiness probe using Deployment probe spec |
+| replicaCount | int | `1` |  |
+| resources | object | `{}` |  |
+| securityContext | object | `{}` |  |
+| service.port | int | `80` |  |
+| service.type | string | `"ClusterIP"` |  |
+| serviceAccount.annotations | object | `{}` |  |
+| serviceAccount.create | bool | `true` |  |
+| serviceAccount.name | string | `""` |  |
+| target.ingressClass | string | `"propagated"` | IngressClass on target |
+| target.issuer.name | string | `""` | Issuer name on target cluster |
+| target.issuer.namespaced | bool | `false` | Whether the issuer is namespaced on target cluster |
+| target.kubeconfig | object | `{"secret":{"key":"kubeconfig.yaml","name":"loadbalancer-propagation"}}` | Target Kubeconfig Secret |
+| target.namespace | string | `"ingress-central"` | Namespaced on target |
+| tolerations | list | `[]` |  |
+
+----------------------------------------------
+Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0)

helm/templates/ingressclass.yaml → charts/svc-ingress-propagator/templates/ingressclass.yaml

@@ -1,8 +1,10 @@
+{{- if .Values.ingressClass.create }}
 apiVersion: networking.k8s.io/v1
 kind: IngressClass
 metadata:
   annotations:
     ingressclass.kubernetes.io/is-default-class: {{ .Values.ingressClass.isDefaultClass | quote }}
   name: {{ .Values.ingressClass.name }}
 spec:
-  controller: {{ include "controller.value" $ }}
+  controller: {{ include "controller.value" $ }}
+{{- end }}

charts/svc-ingress-propagator/templates/rbac.yaml

@@ -0,0 +1,86 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "helm.fullname" . }}
+  labels:
+    {{- include "helm.labels" . | nindent 4 }}
+rules:
+- apiGroups:
+    - ""
+  resources:
+    - services
+  verbs:
+    - get
+    - list
+    - watch
+- apiGroups:
+    - networking.k8s.io
+  resources:
+    - ingresses
+    - ingressclasses
+  verbs:
+    - get
+    - list
+    - watch
+    - update
+- apiGroups:
+    - ""
+  resources:
+    - events
+  verbs:
+    - list
+    - update
+    - create
+    - patch
+- apiGroups:
+    - networking.k8s.io
+  resources:
+    - ingresses/status
+  verbs:
+    - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "helm.fullname" . }}
+  labels:
+    {{- include "helm.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "helm.fullname" . }}
+subjects:
+  - name: {{ include "helm.serviceAccountName" . }}
+    kind: ServiceAccount
+    namespace: {{ .Release.Namespace | quote }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "helm.fullname" . }}
+  labels:
+    {{- include "helm.labels" . | nindent 4 }}
+rules:
+- apiGroups:
+    - "coordination.k8s.io"
+  resources:
+    - leases
+  verbs:
+    - "*"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "helm.fullname" . }}
+  labels:
+    {{- include "helm.labels" . | nindent 4 }}
+  namespace: {{ .Release.Namespace | quote }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "helm.fullname" . }}
+subjects:
+  - name: {{ include "helm.serviceAccountName" . }}
+    kind: ServiceAccount
+    namespace: {{ .Release.Namespace | quote }}

helm/values.yaml → charts/svc-ingress-propagator/values.yaml

@@ -6,6 +6,8 @@
 identifier: ""
 
 ingressClass:
+  # -- Create IngressClass
+  create: true
   # -- Ingress class name
   name: propagation
   # -- Ingress class controller

hack/target-rbac/README.md

@@ -0,0 +1,17 @@
+# propagation-target
+
+![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.16.0](https://img.shields.io/badge/AppVersion-1.16.0-informational?style=flat-square)
+
+Resources for target cluster
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| serviceAccount.annotations | object | `{}` |  |
+| serviceAccount.create | bool | `true` |  |
+| serviceAccount.name | string | `""` |  |
+| serviceAccount.token | bool | `true` |  |
+
+----------------------------------------------
+Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0)