add option to disable creation of ClusteRole and ClusterRoleBinding

examples/chart/teleport-cluster/templates/clusterrole.yaml

@@ -1,3 +1,4 @@
+{{- if .Values.rbac.create -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -60,4 +61,5 @@ rules:
   - events
   verbs:
   - create
-{{ end }}
+{{- end -}}
+{{- end -}}

examples/chart/teleport-cluster/templates/clusterrolebinding.yaml

@@ -1,3 +1,4 @@
+{{- if .Values.rbac.create -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
@@ -10,3 +11,4 @@ subjects:
 - kind: ServiceAccount
   name: {{ template "teleport.serviceAccountName" . }}
   namespace: {{ .Release.Namespace }}
+{{- end -}}

examples/chart/teleport-cluster/values.schema.json

@@ -698,7 +698,19 @@
                 "create": {
                     "$id": "#properties/service/create",
                     "type": "boolean",
-                    "default": true 
+                    "default": true
+                }
+            }
+        },
+        "rbac": {
+            "$id": "#/properties/rbac",
+            "type": "object",
+            "required": [],
+            "properties": {
+                "create": {
+                    "$id": "#properties/rbac/create",
+                    "type": "boolean",
+                    "default": true
                 }
             }
         },

examples/chart/teleport-cluster/values.yaml

@@ -352,6 +352,12 @@ serviceAccount:
   name: ""
   # To set annotations on the service account, use the annotations.serviceAccount value.
 
+# Set to true (default) to create Kubernetes ClusterRole and ClusterRoleBinding.
+rbac:
+  # Specifies whether a ClusterRole and ClusterRoleBinding should be created.
+  # Set to false if your cluster level resources are managed separately.
+  create: true
+
 # Options for the Teleport service
 service:
   type: LoadBalancer

examples/chart/teleport-kube-agent/templates/clusterrole.yaml

@@ -1,3 +1,4 @@
+{{- if .Values.rbac.create -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -27,3 +28,4 @@ rules:
   - selfsubjectaccessreviews
   verbs:
   - create
+{{- end -}}

examples/chart/teleport-kube-agent/templates/clusterrolebinding.yaml

@@ -1,3 +1,4 @@
+{{- if .Values.rbac.create -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
@@ -14,3 +15,4 @@ subjects:
 - kind: ServiceAccount
   name: {{ template "teleport.serviceAccountName" . }}
   namespace: {{ .Release.Namespace }}
+{{- end -}}

examples/chart/teleport-kube-agent/values.schema.json

@@ -508,6 +508,35 @@
                 }
             }
         },
+        "serviceAccount": {
+            "$id": "#/properties/serviceAccount",
+            "type": "object",
+            "required": [],
+            "properties": {
+                "name": {
+                    "$id": "#properties/serviceAccount/name",
+                    "type": "string",
+                    "default": ""
+                },
+                "create": {
+                    "$id": "#properties/serviceAccount/create",
+                    "type": "boolean",
+                    "default": true
+                }
+            }
+        },
+        "rbac": {
+            "$id": "#/properties/rbac",
+            "type": "object",
+            "required": [],
+            "properties": {
+                "create": {
+                    "$id": "#properties/rbac/create",
+                    "type": "boolean",
+                    "default": true
+                }
+            }
+        },
         "extraArgs": {
             "$id": "#/properties/extraArgs",
             "type": "array",

examples/chart/teleport-kube-agent/values.yaml

@@ -160,8 +160,8 @@ highAvailability:
 ################################################################
 # Values that must be provided if using persistent storage for Teleport.
 #
-# Assigning a persistent volume to Teleport agent allows the agent to keep session recordings when the pod is restarted if `session_recording` is set to `node` or `proxy`. 
-# The security association between the agent and the Teleport is no longer stored in PV, instead it is stored in a Kubernetes Secret so that the agent does not require PV 
+# Assigning a persistent volume to Teleport agent allows the agent to keep session recordings when the pod is restarted if `session_recording` is set to `node` or `proxy`.
+# The security association between the agent and the Teleport is no longer stored in PV, instead it is stored in a Kubernetes Secret so that the agent does not require PV
 # to survive restarts and rotations while using short-lived joining tokens.
 #
 # Fields:
@@ -201,12 +201,18 @@ serviceAccountName: ""
 # (optional) Kubernetes service account to create/use.
 serviceAccount:
   # Specifies whether a ServiceAccount should be created
-  create: true 
+  create: true
   # The name of the ServiceAccount to use.
   # If not set and serviceAccount.create is true, the name is generated using the release name.
   # If create is false, the name will be used to reference an existing service account.
   name: ""
 
+# Set to true (default) to create Kubernetes ClusterRole and ClusterRoleBinding.
+rbac:
+  # Specifies whether a ClusterRole and ClusterRoleBinding should be created.
+  # Set to false if your cluster level resources are managed separately.
+  create: true
+
 # Name of the Secret to store the teleport join token.
 secretName: teleport-kube-agent-join-token