Change authentik role workaround to use jsonPatch instead of addition…

…alObjects

goauthentik/helm#305

blt/authentik-values.yaml

@@ -21,13 +21,13 @@ server:
       - secretName: auth-blt-chrisproject-org-letsencrypt
         hosts: *HOSTS
 
-worker:
-  # Manually defined ServiceAccount, see `additionalObjects`
-  serviceAccountName: "authentik"
-
 serviceAccount:
-  # doesn't work on OpenShift, see https://github.com/goauthentik/helm/issues/305
-  create: false
+  # -- Create service account. Needed for managed outposts
+  create: true
+  clusterRole:
+    # -- Create a clusterole in addition to a namespaced role.
+    enabled: false
+  fullnameOverride: authentik
 
 geoip:
   # -- enable GeoIP sidecars for the authentik server and worker pods
@@ -99,59 +99,3 @@ redis:
     containerSecurityContext:
       enabled: false
 
-additionalObjects:
-  - apiVersion: v1
-    kind: ServiceAccount
-    metadata: &SA_METADATA
-      name: authentik
-      namespace: '{{ .Release.Namespace }}'
-      labels:
-        app.kubernetes.io/name: '{{ include "authentik.name" . }}'
-        app.kubernetes.io/instance: '{{ .Release.Name }}'
-        app.kubernetes.io/part-of: authentik
-        app.kubernetes.io/managed-by: '{{ .Release.Service }}'
-        helm.sh/chart: '{{ include "authentik.chart" . }}'
-  - apiVersion: rbac.authorization.k8s.io/v1
-    kind: RoleBinding
-    metadata: *SA_METADATA
-    roleRef:
-      apiGroup: rbac.authorization.k8s.io
-      kind: Role
-      name: authentik
-    subjects:
-      - kind: ServiceAccount
-        name: authentik
-        namespace: '{{ .Release.Namespace }}'
-  - apiVersion: rbac.authorization.k8s.io/v1
-    kind: Role
-    metadata: *SA_METADATA
-    rules:
-      - apiGroups:
-          - ""
-        resources:
-          - secrets
-          - services
-          - configmaps
-        verbs: &VERBS_RW
-          - get
-          - create
-          - delete
-          - list
-          - patch
-      - apiGroups:
-          - extensions
-          - apps
-        resources:
-          - deployments
-        verbs: *VERBS_RW
-      - apiGroups:
-          - extensions
-          - networking.k8s.io
-        resources:
-          - ingresses
-        verbs: *VERBS_RW
-      - apiGroups:
-          - monitoring.coreos.com
-        resources:
-          - servicemonitors
-        verbs: *VERBS_RW

blt/helmfile.yaml

@@ -34,4 +34,43 @@ releases:
                 bucket_name: "blt-authentik-media"
                 access_key: {{ fetchSecretValue "ref+k8s://v1/Secret/chris-3114b1/nerc-openstack-ec2/access_key" | quote }}
                 secret_key: {{ fetchSecretValue "ref+k8s://v1/Secret/chris-3114b1/nerc-openstack-ec2/secret_key" | quote }}
-
+    jsonPatches:
+        # workaround for https://github.com/goauthentik/helm/issues/305
+        # patches the Role to remove unnecessary rules for traefik and apiextensions.k8s.io
+      - target:
+          version: v1
+          kind: Role
+          name: authentik
+        patch:
+          - op: replace
+            path: /rules
+            value:
+              - apiGroups:
+                  - ""
+                resources:
+                  - secrets
+                  - services
+                  - configmaps
+                verbs: &VERBS_RW
+                  - get
+                  - create
+                  - delete
+                  - list
+                  - patch
+              - apiGroups:
+                  - extensions
+                  - apps
+                resources:
+                  - deployments
+                verbs: *VERBS_RW
+              - apiGroups:
+                  - extensions
+                  - networking.k8s.io
+                resources:
+                  - ingresses
+                verbs: *VERBS_RW
+              - apiGroups:
+                  - monitoring.coreos.com
+                resources:
+                  - servicemonitors
+                verbs: *VERBS_RW