From eb475ea867f1ddcb138f0bbcb608b1f88f3b21da Mon Sep 17 00:00:00 2001
From: Klavs Klavsen
Date: Tue, 13 Oct 2020 14:29:17 +0200
Subject: [PATCH] add useExistingRole support.
Signed-off-by: Klavs Klavsen
---
 charts/grafana/Chart.yaml | 2 +-
 charts/grafana/README.md | 1 +
 charts/grafana/templates/clusterrole.yaml | 2 +-
 charts/grafana/templates/clusterrolebinding.yaml | 4 ++++
 charts/grafana/templates/role.yaml | 2 +-
 charts/grafana/templates/rolebinding.yaml | 4 ++++
 charts/grafana/values.yaml | 2 ++
 7 files changed, 14 insertions(+), 3 deletions(-)
diff --git a/charts/grafana/Chart.yaml b/charts/grafana/Chart.yaml
index 3bbe5c2217..cbe42eea33 100644
--- a/charts/grafana/Chart.yaml
+++ b/charts/grafana/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v1
 name: grafana
-version: 5.7.10
+version: 5.8.10
 appVersion: 7.2.1
 kubeVersion: "^1.8.0-0"
 description: The leading tool for querying and visualizing time series and metrics.
diff --git a/charts/grafana/README.md b/charts/grafana/README.md
index 541f2285e1..3c62ef2b41 100644
--- a/charts/grafana/README.md
+++ b/charts/grafana/README.md
@@ -165,6 +165,7 @@ You have to add --force to your helm upgrade command as the labels of the chart
 | `serviceAccount.nameTest` | Service account name to use for test, when empty will be set to created account if `serviceAccount.create` is set else to `default` | `nil` |
 | `rbac.create` | Create and use RBAC resources | `true` |
 | `rbac.namespaced` | Creates Role and Rolebinding instead of the default ClusterRole and ClusteRoleBindings for the grafana instance | `false` |
+| `rbac.useExistingRole` | Set to a rolename to use existing role - skipping role creating - but still doing serviceaccount and rolebinding to the rolename set here. | `nil` |
 | `rbac.pspEnabled` | Create PodSecurityPolicy (with `rbac.create`, grant roles permissions as well) | `true` |
 | `rbac.pspUseAppArmor` | Enforce AppArmor in created PodSecurityPolicy (requires `rbac.pspEnabled`) | `true` |
 | `rbac.extraRoleRules` | Additional rules to add to the Role | [] |
diff --git a/charts/grafana/templates/clusterrole.yaml b/charts/grafana/templates/clusterrole.yaml
index b3ef6ab3bf..f09e06563c 100644
--- a/charts/grafana/templates/clusterrole.yaml
+++ b/charts/grafana/templates/clusterrole.yaml
@@ -1,4 +1,4 @@
-{{- if and .Values.rbac.create (not .Values.rbac.namespaced) }}
+{{- if and .Values.rbac.create (not .Values.rbac.namespaced) (not .Values.rbac.useExistingRole) }}
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
diff --git a/charts/grafana/templates/clusterrolebinding.yaml b/charts/grafana/templates/clusterrolebinding.yaml
index 8ee08b2aa9..4accbfac04 100644
--- a/charts/grafana/templates/clusterrolebinding.yaml
+++ b/charts/grafana/templates/clusterrolebinding.yaml
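Review bot: The added `(not .Values.rbac.useExistingRole)` test in this clusterrole.yaml guard and the identical one in the role.yaml hunk let a single name switch off both the ClusterRole and the namespaced Role, and the two binding hunks then put that same string into a `kind: ClusterRole` roleRef and a `kind: Role` roleRef. role.yaml was previously guarded by `.Values.rbac.create` alone, so in a non-namespaced install both objects appear to be rendered; if the RoleBinding is rendered there too (its guard is outside the hunk), it ends up referencing a Role that likely does not exist and would silently take effect if a Role of that name is created later. Tying the Role side to the mode avoids this, e.g. in role.yaml `{{- if and .Values.rbac.create (not (and .Values.rbac.namespaced .Values.rbac.useExistingRole)) -}}`, with the rolebinding.yaml name switch testing `and .Values.rbac.namespaced .Values.rbac.useExistingRole`.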
@@ -15,6 +15,10 @@ subjects:
 namespace: {{ template "grafana.namespace" . }}
 roleRef:
 kind: ClusterRole
+{{- if (not .Values.rbac.useExistingRole) }}
 name: {{ template "grafana.fullname" . }}-clusterrole
+{{- else }}
+ name: {{ .Values.rbac.useExistingRole }}
+{{- end }}
 apiGroup: rbac.authorization.k8s.io
 {{- end -}}
diff --git a/charts/grafana/templates/role.yaml b/charts/grafana/templates/role.yaml
index c95c1d0424..db853559a1 100644
--- a/charts/grafana/templates/role.yaml
+++ b/charts/grafana/templates/role.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.rbac.create -}}
+{{- if and .Values.rbac.create (not .Values.rbac.useExistingRole) -}}
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: Role
 metadata:
diff --git a/charts/grafana/templates/rolebinding.yaml b/charts/grafana/templates/rolebinding.yaml
index beaf2f003a..3738e580f0 100644
--- a/charts/grafana/templates/rolebinding.yaml
+++ b/charts/grafana/templates/rolebinding.yaml
@@ -13,7 +13,11 @@ metadata:
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: Role
+{{- if (not .Values.rbac.useExistingRole) }}
 name: {{ template "grafana.fullname" . }}
+{{- else }}
+ name: {{ .Values.rbac.useExistingRole }}
+{{- end }}
 subjects:
 - kind: ServiceAccount
 name: {{ template "grafana.serviceAccountName" . }}
diff --git a/charts/grafana/values.yaml b/charts/grafana/values.yaml
index be5b7912ee..e6eead0fe9 100644
--- a/charts/grafana/values.yaml
+++ b/charts/grafana/values.yaml
@@ -1,5 +1,7 @@
 rbac:
 create: true
+ ## Use an existing ClusterRole/Role (depending on rbac.namespaced false/true)
+ # useExistingRole: name-of-some-(cluster)role
 pspEnabled: true
 pspUseAppArmor: true
 namespaced: false
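Review bot: The new `name: {{ .Values.rbac.useExistingRole }}` line in clusterrolebinding.yaml renders the value unquoted, so an input like `true`, a bare number or text containing `: ` stops being a plain role name in the rendered manifest; `name: {{ .Values.rbac.useExistingRole | quote }}` keeps it a string, and the same applies to the matching line in the rolebinding.yaml hunk. Since this roleRef is bound cluster-wide, it would also be worth a template comment stating that the chart no longer decides the service account's permissions: it receives whatever rules the named ClusterRole holds. The template's opening guard and the subjects list start outside the hunk.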
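Review bot: Skipping the Role in role.yaml whenever `rbac.useExistingRole` is set also skips whatever rules this template would have generated, and nothing tells the user. The README table in this patch still documents `rbac.extraRoleRules` and says `rbac.pspEnabled` grants the roles permissions; if those rules are emitted in this Role (its body is outside the hunk), they are dropped without notice and the pre-existing role has to supply them. Either document that in the option's description or reject the combination at render time, for instance `{{- if and .Values.rbac.useExistingRole .Values.rbac.extraRoleRules }}{{ fail "rbac.extraRoleRules is ignored when rbac.useExistingRole is set" }}{{- end }}`.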
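Review bot: The values.yaml comment introducing `useExistingRole` names the role kind but not the consequence of setting it. I would add a second comment line such as `## The chart then creates no Role/ClusterRole and binds the service account to this role as-is; it must already exist and should carry only the rules Grafana needs.` so the permission hand-off is visible where operators edit values.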