Commit 6238937

feat: add helm var to support RBAC for deploying workspaces in extra namespaces (#19517)
This is a feature to create Role & RoleBinding entries on a per namespace basis to support deploying workspaces in separate namespace to where Coder is deployed. The idea behind this is to avoid the creation of custom RBAC entries or the use of ClusterRoles (in order to maintain principle of least privilege).

> If you have used AI to produce some or all of this PR, please ensure you have read our [AI Contribution guidelines](https://coder.com/docs/about/contributing/AI_CONTRIBUTING) before submitting.

This is a blink assisted PR.

Example `helm template` without `coder.serviceAccount.workspaceNamespaces` enabled (existing behaviour as of current release) is below. Outcome = 1 x SA, 1 x Role, 1 x RoleBinding, all in the coder (`.Release.Namespace`) namespace.

```
➜ coder git:(feat/helm_namespace_rbac_improvements) ✗ helm template -n coder coder . --set coder.image.tag=v2.25.1
---
...
---
# Source: coder/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: coder-workspace-perms
  namespace: coder
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs:
    - create
    - delete
    - deletecollection
    - get
    - list
    - patch
    - update
    - watch
  - apiGroups: [""]
    resources: ["persistentvolumeclaims"]
    verbs:
    - create
    - delete
    - deletecollection
    - get
    - list
    - patch
    - update
    - watch
  - apiGroups:
    - apps
    resources:
    - deployments
    verbs:
    - create
    - delete
    - deletecollection
    - get
    - list
    - patch
    - update
    - watch
---
# Source: coder/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: "coder"
  namespace: coder
subjects:
  - kind: ServiceAccount
    name: "coder"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: coder-workspace-perms
---
```

Example `helm template` *with* `coder.serviceAccount.workspaceNamespaces` enabled is below. Outcome = 1 x SA, 1 x Role, 1 x RoleBinding, all in the coder (`.Release.Namespace`) namespace PLUS a Role and RoleBinding in the `dev-ws` namespace with each of the RoleBindings referencing the coder SA in the coder (`.Release.Namespace`) namespace:

```
➜ coder git:(feat/helm_namespace_rbac_improvements) ✗ helm template -n coder coder . --set coder.image.tag=v2.25.1 --set-json 'coder.serviceAccount.workspaceNamespaces=[{"name":"dev-ws","workspacePerms":true,"enableDeployments":true,"extraRules":[]}]'
---
...
---
# Source: coder/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: coder-workspace-perms
  namespace: coder
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs:
    - create
    - delete
    - deletecollection
    - get
    - list
    - patch
    - update
    - watch
  - apiGroups: [""]
    resources: ["persistentvolumeclaims"]
    verbs:
    - create
    - delete
    - deletecollection
    - get
    - list
    - patch
    - update
    - watch
  - apiGroups:
    - apps
    resources:
    - deployments
    verbs:
    - create
    - delete
    - deletecollection
    - get
    - list
    - patch
    - update
    - watch
---
# Source: coder/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: coder-workspace-perms
  namespace: dev-ws
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs:
    - create
    - delete
    - deletecollection
    - get
    - list
    - patch
    - update
    - watch
  - apiGroups: [""]
    resources: ["persistentvolumeclaims"]
    verbs:
    - create
    - delete
    - deletecollection
    - get
    - list
    - patch
    - update
    - watch
  - apiGroups:
    - apps
    resources:
    - deployments
    verbs:
    - create
    - delete
    - deletecollection
    - get
    - list
    - patch
    - update
    - watch
---
# Source: coder/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: "coder"
  namespace: coder
subjects:
  - kind: ServiceAccount
    name: "coder"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: coder-workspace-perms
---
# Source: coder/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: "coder"
  namespace: dev-ws
subjects:
  - kind: ServiceAccount
    name: "coder"
    namespace: coder
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: coder-workspace-perms
---
```
1 parent 8a6852f commit 6238937

10 files changed

+1035
-50
lines changed

‎helm/coder/templates/rbac.yaml‎

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1 +1 @@
1-
{{ include "libcoder.rbac.tpl" . }}
1+
{{ include "libcoder.namespace.rbac.tpl" . }}
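
Review bot: The include on line 1 is swapped unconditionally from libcoder.rbac.tpl to libcoder.namespace.rbac.tpl, so installs that never set coder.serviceAccount.workspaceNamespaces also render through the new template. The commit message says the default output is unchanged (1 SA, 1 Role, 1 RoleBinding in the release namespace); please confirm the existing golden files pass without being regenerated, so that claim is enforced by the tests rather than by the example output alone. Since each listed namespace gives the coder ServiceAccount create, delete and deletecollection on pods, persistentvolumeclaims and deployments there, a short comment above this include (or in the values documentation, if it is not already among the other changed files) stating that the template now emits Roles and RoleBindings outside .Release.Namespace would help operators who audit the chart.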

‎helm/coder/tests/chart_test.go‎

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -129,6 +129,10 @@ var testCases = []testCase{
129129
name:"pod_securitycontext",
130130
expectedError:"",
131131
},
132+
{
133+
name:"namespace_rbac",
134+
expectedError:"",
135+
},
132136
}
133137

134138
typetestCasestruct {
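
Review bot: The new namespace_rbac case at lines 132-135 only asserts a clean render (expectedError: ""), and the commit message exercises a single combination (workspacePerms true, enableDeployments true, extraRules empty). Because this feature decides which namespaces receive a RoleBinding to the coder ServiceAccount, please add cases for the restrictive paths as well: an entry with workspacePerms false (no Role or RoleBinding should appear for that namespace), enableDeployments false (no apps/deployments rule), and a non-empty extraRules. If the template is meant to reject an entry without a name, a case with a non-empty expectedError would pin that behaviour down.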
