1495 2 app repository cluster role (#1498)

* Add kubeapps:controller:apprepository-reader clusterrole and clusterrolebinding * Include namespace in clusterrole name. * Include namespace in clusterrolebinding name. * Put repos-per-namespace behind feature flag * Fix value name.
vmware-tanzu · Feb 4, 2020 · 1dcabc7 · 1dcabc7
1 parent dd6a1b8
commit 1dcabc7
Show file tree

Hide file tree

Showing 3 changed files with 52 additions and 5 deletions.
diff --git a/chart/kubeapps/templates/apprepository-rbac.yaml b/chart/kubeapps/templates/apprepository-rbac.yaml
@@ -94,3 +94,45 @@ rules:
     verbs:
       - create
 {{- end -}}
+{{- if .Values.featureFlags.reposPerNamespace -}}
+---
+# Kubeapps can read and watch its own AppRepository resources cluster-wide.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: "kubeapps:controller:apprepository-reader-{{ .Release.Namespace }}"
+  labels:
+    app: {{ template "kubeapps.apprepository.fullname" . }}
+    chart: {{ template "kubeapps.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+rules:
+  - apiGroups:
+      - kubeapps.com
+    resources:
+      - apprepositories
+      - apprepositories/finalizers
+    verbs:
+      - get
+      - list
+      - update
+      - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: "kubeapps:controller:apprepository-reader-{{ .Release.Namespace }}"
+  labels:
+    app: {{ template "kubeapps.apprepository.fullname" . }}
+    chart: {{ template "kubeapps.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: "kubeapps:controller:apprepository-reader-{{ .Release.Namespace }}"
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "kubeapps.apprepository.fullname" . }}
+    namespace: {{ .Release.Namespace }}
+{{- end -}}
diff --git a/chart/kubeapps/values.yaml b/chart/kubeapps/values.yaml
@@ -633,3 +633,7 @@ authProxy:
     requests:
       cpu: 25m
       memory: 32Mi
+## Feature flags
+## These are used to switch on in development features or new features not yet released.
+featureFlags:
+  reposPerNamespace: false
diff --git a/script/deploy-dev.mk b/script/deploy-dev.mk
@@ -50,11 +50,12 @@ deploy-dev: deploy-dex deploy-openldap update-apiserver-etc-hosts
 	@echo "to authenticate with the corresponding permissions."
 
 reset-dev:
-	helm delete kubeapps || true
-	helm delete dex || true
-	helm delete ldap || true
-	kubectl delete clusterrole dex || true
-	kubectl delete clusterrolebinding dex || true
+	helm -n kubeapps delete kubeapps || true
+	helm -n dex delete dex || true
+	helm -n ldap delete ldap || true
+	# In case helm installations fail, still delete non-namespaced resources.
+	kubectl delete clusterrole dex kubeapps:controller:apprepository-reader || true
+	kubectl delete clusterrolebinding dex kubeapps:controller:apprepository-reader || true
 	kubectl delete namespace --wait dex ldap kubeapps || true
 	kubectl delete --wait -f ./docs/user/manifests/kubeapps-local-dev-users-rbac.yaml || true