NotificationsYou must be signed in to change notification settings
Fork1.1k
Star11.4k

fix: fix incorrect rendering of RBAC in Helm chart when workspacePerms=false#20569

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.

Already on GitHub?Sign in to your account

Jump to bottom

Merged

rowansmithau merged 2 commits intomainfromrowan/helm_rbac_fix

Oct 30, 2025

Merged

fix: fix incorrect rendering of RBAC in Helm chart when workspacePerms=false#20569

rowansmithau merged 2 commits intomainfromrowan/helm_rbac_fix

Oct 30, 2025

+4 −88

Conversation

Copy link

Contributor

rowansmithau commentedOct 30, 2025

closes#20562.

When I addedworkspaceNamespaces it caused an issue whenworkspacePerms is set tofalse in that the Role & RoleBinding was still created.

Update withworkspacePerms=false:

➜  coder git:(rowan/helm_rbac_fix) ✗ helm template coder . --version=2.27.2  --set coder.image.tag=v2.27.2 --set coder.serviceAccount.workspacePerms=false | grep -A11 -B46 RoleBinding➜  coder git:(rowan/helm_rbac_fix) ✗

Update withworkspacePerms=true:

➜  coder git:(rowan/helm_rbac_fix) ✗ helm template coder . --version=2.27.2  --set coder.image.tag=v2.27.2 --set coder.serviceAccount.workspacePerms=true | grep -A12 -B60 RoleBinding# Source: coder/templates/coder.yamlapiVersion: v1kind: ServiceAccountmetadata:  annotations: {}  labels:    app.kubernetes.io/instance: coder    app.kubernetes.io/managed-by: Helm    app.kubernetes.io/name: coder    app.kubernetes.io/part-of: coder    app.kubernetes.io/version: 0.1.0    helm.sh/chart: coder-0.1.0  name: coder  namespace: default---# Source: coder/templates/rbac.yamlapiVersion: rbac.authorization.k8s.io/v1kind: Rolemetadata:  name: coder-workspace-perms  namespace: defaultrules:  - apiGroups: [""]    resources: ["pods"]    verbs:    - create    - delete    - deletecollection    - get    - list    - patch    - update    - watch  - apiGroups: [""]    resources: ["persistentvolumeclaims"]    verbs:    - create    - delete    - deletecollection    - get    - list    - patch    - update    - watch  - apiGroups:    - apps    resources:    - deployments    verbs:    - create    - delete    - deletecollection    - get    - list    - patch    - update    - watch---# Source: coder/templates/rbac.yamlapiVersion: rbac.authorization.k8s.io/v1kind: RoleBindingmetadata:  name: "coder"  namespace: defaultsubjects:  - kind: ServiceAccount    name: "coder"roleRef:  apiGroup: rbac.authorization.k8s.io  kind: Role  name: coder-workspace-perms---# Source: coder/templates/service.yaml

Update withworkspacePerms=false andworkspaceNamespaces populated:

➜  coder git:(rowan/helm_rbac_fix) ✗ helm template coder . --version=2.27.2  --set coder.image.tag=v2.27.2 --set coder.serviceAccount.workspacePerms=false --set-json 'coder.serviceAccount.workspaceNamespaces=[{"name":"dev-ws","workspacePerms":true,"enableDeployments":true,"extraRules":[]}]' | grep -A15 -B105 RoleBinding---# Source: coder/templates/coder.yamlapiVersion: v1kind: ServiceAccountmetadata:  annotations: {}  labels:    app.kubernetes.io/instance: coder    app.kubernetes.io/managed-by: Helm    app.kubernetes.io/name: coder    app.kubernetes.io/part-of: coder    app.kubernetes.io/version: 0.1.0    helm.sh/chart: coder-0.1.0  name: coder  namespace: default---# Source: coder/templates/rbac.yamlapiVersion: rbac.authorization.k8s.io/v1kind: Rolemetadata:  name: coder-workspace-perms  namespace: dev-wsrules:  - apiGroups: [""]    resources: ["pods"]    verbs:    - create    - delete    - deletecollection    - get    - list    - patch    - update    - watch  - apiGroups: [""]    resources: ["persistentvolumeclaims"]    verbs:    - create    - delete    - deletecollection    - get    - list    - patch    - update    - watch  - apiGroups:    - apps    resources:    - deployments    verbs:    - create    - delete    - deletecollection    - get    - list    - patch    - update    - watch---# Source: coder/templates/rbac.yamlapiVersion: rbac.authorization.k8s.io/v1kind: RoleBindingmetadata:  name: "coder"  namespace: dev-wssubjects:  - kind: ServiceAccount    name: "coder"    namespace: defaultroleRef:  apiGroup: rbac.authorization.k8s.io  kind: Role  name: coder-workspace-perms---# Source: coder/templates/service.yamlapiVersion: v1kind: Service

Update withworkspacePerms=true andworkspaceNamespaces populated:

➜  coder git:(rowan/helm_rbac_fix) ✗ helm template coder . --version=2.27.2  --set coder.image.tag=v2.27.2 --set coder.serviceAccount.workspacePerms=true --set-json 'coder.serviceAccount.workspaceNamespaces=[{"name":"dev-ws","workspacePerms":true,"enableDeployments":true,"extraRules":[]}]' | grep -A15 -B105 RoleBinding             ---# Source: coder/templates/coder.yamlapiVersion: v1kind: ServiceAccountmetadata:  annotations: {}  labels:    app.kubernetes.io/instance: coder    app.kubernetes.io/managed-by: Helm    app.kubernetes.io/name: coder    app.kubernetes.io/part-of: coder    app.kubernetes.io/version: 0.1.0    helm.sh/chart: coder-0.1.0  name: coder  namespace: default---# Source: coder/templates/rbac.yamlapiVersion: rbac.authorization.k8s.io/v1kind: Rolemetadata:  name: coder-workspace-perms  namespace: defaultrules:  - apiGroups: [""]    resources: ["pods"]    verbs:    - create    - delete    - deletecollection    - get    - list    - patch    - update    - watch  - apiGroups: [""]    resources: ["persistentvolumeclaims"]    verbs:    - create    - delete    - deletecollection    - get    - list    - patch    - update    - watch  - apiGroups:    - apps    resources:    - deployments    verbs:    - create    - delete    - deletecollection    - get    - list    - patch    - update    - watch---# Source: coder/templates/rbac.yamlapiVersion: rbac.authorization.k8s.io/v1kind: Rolemetadata:  name: coder-workspace-perms  namespace: dev-wsrules:  - apiGroups: [""]    resources: ["pods"]    verbs:    - create    - delete    - deletecollection    - get    - list    - patch    - update    - watch  - apiGroups: [""]    resources: ["persistentvolumeclaims"]    verbs:    - create    - delete    - deletecollection    - get    - list    - patch    - update    - watch  - apiGroups:    - apps    resources:    - deployments    verbs:    - create    - delete    - deletecollection    - get    - list    - patch    - update    - watch---# Source: coder/templates/rbac.yamlapiVersion: rbac.authorization.k8s.io/v1kind: RoleBindingmetadata:  name: "coder"  namespace: defaultsubjects:  - kind: ServiceAccount    name: "coder"roleRef:  apiGroup: rbac.authorization.k8s.io  kind: Role  name: coder-workspace-perms---# Source: coder/templates/rbac.yamlapiVersion: rbac.authorization.k8s.io/v1kind: RoleBindingmetadata:  name: "coder"  namespace: dev-wssubjects:  - kind: ServiceAccount    name: "coder"    namespace: defaultroleRef:  apiGroup: rbac.authorization.k8s.io  kind: Role  name: coder-workspace-perms---# Source: coder/templates/service.yamlapiVersion: v1kind: Service➜  coder git:(rowan/helm_rbac_fix) ✗

fix for workspacePerms=false

f581524

rowansmithau self-assigned this

Oct 30, 2025

rowansmithau added the helmArea: helm chart label

Oct 30, 2025

rowansmithau changed the title~~bug: fix on Helm chart for workspacePerms=false incorrectly rendering RBAC when it should not~~fix: fix incorrect rendering of RBAC in Helm chart when workspacePerms=false

Oct 30, 2025

fix test case

e909a99

rowansmithau marked this pull request as ready for review

October 30, 2025 01:11

rowansmithau requested a review fromdeansheather

October 30, 2025 01:11