Make cluster role, role MECE

charts/runbear-worker/Chart.yaml

@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.2.4
+version: 0.2.5
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

charts/runbear-worker/templates/_helpers.tpl

@@ -91,26 +91,3 @@ Service account name of executor
 {{- default "default" .Values.runbear.executor.serviceAccount.existingServiceAccountName }}
 {{- end }}
 {{- end }}
-
-{{/*
-Cluster role name of executor
-*/}}
-{{- define "runbear-worker.executorClusterRoleName" -}}
-{{- if and .Values.runbear.executor.rbac.create .Values.runbear.executor.rbac.clusterRoleName }}
-{{- $fullName := printf "%s-executor" (include "runbear-worker.fullname" .) -}}
-{{- default $fullName .Values.runbear.executor.rbac.clusterRoleName }}
-{{- else }}
-{{- default "default" .Values.runbear.executor.rbac.existingClusterRoleName }}
-{{- end }}
-{{- end }}
-
-
-{{/*
-Role name of executor
-*/}}
-{{- define "runbear-worker.executorRoleName" -}}
-{{- if and .Values.runbear.executor.rbac.create .Values.runbear.executor.rbac.roleName }}
-{{- $fullName := printf "%s-executor" (include "runbear-worker.fullname" .) -}}
-{{- default $fullName .Values.runbear.executor.rbac.roleName }}
-{{- end }}
-{{- end }}

charts/runbear-worker/templates/executor-clusterrole.yaml

@@ -1,10 +1,10 @@
-{{- if and .Values.runbear.executor.rbac.create .Values.runbear.executor.rbac.clusterRoleName -}}
+{{- if and .Values.runbear.executor.rbac.create (not .Values.runbear.executor.rbac.existingClusterRoleName) (not .Values.runbear.executor.rbac.useRole) }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
     {{- include "runbear-worker.labels" . | nindent 4 }}
-  name: {{ include "runbear-worker.executorClusterRoleName" . }}
+  name: {{ include "chart.fullname" . }}
 {{- with .Values.runbear.executor.rbac.clusterRoleRules }}
 rules: {{ toYaml . | nindent 2 -}}
 {{- end }}

charts/runbear-worker/templates/executor-clusterrolebinding.yaml

@@ -1,4 +1,4 @@
-{{- if and .Values.runbear.executor.rbac.create .Values.runbear.executor.rbac.clusterRoleName -}}
+{{- if and .Values.runbear.executor.rbac.create (not .Values.runbear.executor.rbac.useRole) }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
@@ -8,7 +8,7 @@ metadata:
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: {{ include "runbear-worker.executorClusterRoleName" . }}
+  name: {{ default (include "runbear-worker.fullname" .) .Values.runbear.executor.rbac.existingClusterRoleName }}
 subjects:
 - kind: ServiceAccount
   name: {{ include "runbear-worker.executorServiceAccountName" . }}

charts/runbear-worker/templates/executor-role.yaml

@@ -1,10 +1,10 @@
-{{- if and .Values.runbear.executor.rbac.create .Values.runbear.executor.rbac.roleName -}}
+{{- if and .Values.runbear.executor.rbac.create .Values.runbear.executor.rbac.useRole }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
     {{- include "runbear-worker.labels" . | nindent 4 }}
-  name: {{ include "runbear-worker.executorRoleName" . }}
+  name: {{ include "runbear-worker.fullname" . }}
 {{- with .Values.runbear.executor.rbac.roleRules }}
 rules: {{ toYaml . | nindent 2 -}}
 {{- end }}

charts/runbear-worker/templates/executor-rolebinding.yaml

@@ -1,14 +1,14 @@
-{{- if and .Values.runbear.executor.rbac.create .Values.runbear.executor.rbac.roleName -}}
+{{- if and .Values.runbear.executor.rbac.create .Values.runbear.executor.rbac.useRole }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  name: {{ include "runbear-worker.executorServiceAccountName" . }}
+  name: {{ include "runbear-worker.fullname" . }}
   labels:
     {{- include "runbear-worker.labels" . | nindent 4 }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
-  name: {{ include "runbear-worker.executorRoleName" . }}
+  name: {{ include "runbear-worker.fullname" . }}
 subjects:
 - kind: ServiceAccount
   name: {{ include "runbear-worker.executorServiceAccountName" . }}

charts/runbear-worker/values.yaml

@@ -78,13 +78,12 @@ runbear:
     # Set up rbac rules for the executor service account.
     # RBAC rules are applied to runbook executions.
     rbac:
+      # Set true to create RBAC resources, false to skip.
       create: true
       # Specify existing clusterrole to bind to the executor service account.
       # i.e. cluster-admin, admin, edit, view
       existingClusterRoleName: edit
 
-      # Either clusterRoleName or roleName must be set.
-      clusterRoleName: "runbear-executor"
       # Specify custom rules for the clusterrole.
       # Not used if existingClusterRoleName is set.
       clusterRoleRules: {}
@@ -95,7 +94,8 @@ runbear:
         #     - pods
         #   verbs: ["get", "list", "watch"]
 
-      roleName: ""
+      # Use role instead of clusterrole.
+      useRole: false
       roleRules: {}
         # - apiGroups: [""]
         #   resources: