NotificationsYou must be signed in to change notification settings
Fork1k
Star11.1k

Commitae9822b

committed

feature to create Role & RoleBinding entries on a per namespace basis to support deploying workspaces in separate namespace to where Coder is deployed

1 parentfe8ca2a commitae9822bCopy full SHA for ae9822b

File tree

2 files changed

+78

-0

lines changed

helm
- coder
  - values.yaml
- libcoder/templates
  - _rbac.yaml

2 files changed

+78

-0

lines changed

`‎helm/coder/values.yaml‎`

Lines changed: 10 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -111,6 +111,16 @@ coder:`
`111`	`111`	`# - update`
`112`	`112`	`# - watch`
`113`	`113`
	`114`	`+# coder.serviceAccount.workspaceNamespaces -- Grant this service account permissions`
	`115`	`+# to manage Coder workspaces in specific namespaces without using ClusterRoles.`
	`116`	`+# When enabled, Roles and RoleBindings will be created in each listed namespace`
	`117`	`+# binding to this service account in the release namespace.`
	`118`	`+workspaceNamespaces:`
	`119`	`+enabled:true`
	`120`	`+namespaces:[]`
	`121`	`+# - dev`
	`122`	`+# - staging`
	`123`	`+`
`114`	`124`	`# coder.serviceAccount.annotations -- The Coder service account annotations.`
`115`	`125`	`annotations:{}`
`116`	`126`	`# coder.serviceAccount.name -- The service account name`

`‎helm/libcoder/templates/_rbac.yaml‎`

Lines changed: 68 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -61,4 +61,72 @@ roleRef:`
`61`	`61`	`kind:Role`
`62`	`62`	`name:{{ .Values.coder.serviceAccount.name }}-workspace-perms`
`63`	`63`	`{{- end }}`
	`64`	`+`
	`65`	`+{{- if and .Values.coder.serviceAccount.workspaceNamespaces .Values.coder.serviceAccount.workspaceNamespaces.enabled }}`
	`66`	`+{{- range $ns := .Values.coder.serviceAccount.workspaceNamespaces.namespaces }}`
	`67`	`+{{- if and $ns (ne $ns $.Release.Namespace) }}`
	`68`	`+---`
	`69`	`+apiVersion:rbac.authorization.k8s.io/v1`
	`70`	`+kind:Role`
	`71`	`+metadata:`
	`72`	`+name:{{ $.Values.coder.serviceAccount.name }}-workspace-perms`
	`73`	`+namespace:{{ $ns }}`
	`74`	`+rules:`
	`75`	`+ -apiGroups:[""]`
	`76`	`+resources:["pods"]`
	`77`	`+verbs:`
	`78`	`+ -create`
	`79`	`+ -delete`
	`80`	`+ -deletecollection`
	`81`	`+ -get`
	`82`	`+ -list`
	`83`	`+ -patch`
	`84`	`+ -update`
	`85`	`+ -watch`
	`86`	`+ -apiGroups:[""]`
	`87`	`+resources:["persistentvolumeclaims"]`
	`88`	`+verbs:`
	`89`	`+ -create`
	`90`	`+ -delete`
	`91`	`+ -deletecollection`
	`92`	`+ -get`
	`93`	`+ -list`
	`94`	`+ -patch`
	`95`	`+ -update`
	`96`	`+ -watch`
	`97`	`+{{- if $.Values.coder.serviceAccount.enableDeployments }}`
	`98`	`+ -apiGroups:`
	`99`	`+ -apps`
	`100`	`+resources:`
	`101`	`+ -deployments`
	`102`	`+verbs:`
	`103`	`+ -create`
	`104`	`+ -delete`
	`105`	`+ -deletecollection`
	`106`	`+ -get`
	`107`	`+ -list`
	`108`	`+ -patch`
	`109`	`+ -update`
	`110`	`+ -watch`
	`111`	`+{{- end }}`
	`112`	`+{{- with $.Values.coder.serviceAccount.extraRules }}`
	`113`	`+{{ toYaml . \| nindent 2 }}`
	`114`	`+{{- end }}`
	`115`	`+---`
	`116`	`+apiVersion:rbac.authorization.k8s.io/v1`
	`117`	`+kind:RoleBinding`
	`118`	`+metadata:`
	`119`	`+name:{{ $.Values.coder.serviceAccount.name \| quote }}`
	`120`	`+namespace:{{ $ns }}`
	`121`	`+subjects:`
	`122`	`+ -kind:ServiceAccount`
	`123`	`+name:{{ $.Values.coder.serviceAccount.name \| quote }}`
	`124`	`+namespace:{{ $.Release.Namespace }}`
	`125`	`+roleRef:`
	`126`	`+apiGroup:rbac.authorization.k8s.io`
	`127`	`+kind:Role`
	`128`	`+name:{{ $.Values.coder.serviceAccount.name }}-workspace-perms`
	`129`	`+{{- end }}`
	`130`	`+{{- end }}`
`64`	`131`	`{{- end -}}`
	`132`	`+{{- end -}}`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commitae9822b

File tree

2 files changed

2 files changed

`‎helm/coder/values.yaml‎`

`‎helm/libcoder/templates/_rbac.yaml‎`

0 commit comments