Exclude unused resources from rbac (#4572)

* adds Helm value option to disable OpenShift finalizers in RBAC

Signed-off-by: Ricardo Bartels <ricardo.bartels@telekom.de>

* excludes unused resources from RBAC definitions

Signed-off-by: Ricardo Bartels <ricardo.bartels@telekom.de>

---------

Signed-off-by: Ricardo Bartels <ricardo.bartels@telekom.de>

deploy/charts/external-secrets/README.md

@@ -126,6 +126,7 @@ The command removes all the Kubernetes components associated with the chart and
 | nameOverride | string | `""` |  |
 | namespaceOverride | string | `""` |  |
 | nodeSelector | object | `{}` |  |
+| openshiftFinalizers | bool | `true` | If true the OpenShift finalizer permissions will be added to RBAC |
 | podAnnotations | object | `{}` | Annotations to add to Pod |
 | podDisruptionBudget | object | `{"enabled":false,"minAvailable":1}` | Pod disruption budget - for more details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ |
 | podLabels | object | `{}` |  |

deploy/charts/external-secrets/templates/rbac.yaml

@@ -17,11 +17,19 @@ rules:
     - "external-secrets.io"
     resources:
     - "secretstores"
+    {{- if .Values.processClusterStore }}
     - "clustersecretstores"
+    {{- end }}
     - "externalsecrets"
+    {{- if .Values.processClusterExternalSecret }}
     - "clusterexternalsecrets"
+    {{- end }}
+    {{- if .Values.processPushSecret }}
     - "pushsecrets"
+    {{- end }}
+    {{- if .Values.processClusterPushSecret }}
     - "clusterpushsecrets"
+    {{- end }}
     verbs:
     - "get"
     - "list"
@@ -31,22 +39,42 @@ rules:
     resources:
     - "externalsecrets"
     - "externalsecrets/status"
+    {{- if .Values.openshiftFinalizers }}
     - "externalsecrets/finalizers"
+    {{- end }}
     - "secretstores"
     - "secretstores/status"
+    {{- if .Values.openshiftFinalizers }}
     - "secretstores/finalizers"
+    {{- end }}
+    {{- if .Values.processClusterStore }}
     - "clustersecretstores"
     - "clustersecretstores/status"
+    {{- if .Values.openshiftFinalizers }}
     - "clustersecretstores/finalizers"
+    {{- end }}
+    {{- end }}
+    {{- if .Values.processClusterExternalSecret }}
     - "clusterexternalsecrets"
     - "clusterexternalsecrets/status"
+    {{- if .Values.openshiftFinalizers }}
     - "clusterexternalsecrets/finalizers"
+    {{- end }}
+    {{- end }}
+    {{- if .Values.processPushSecret }}
     - "pushsecrets"
     - "pushsecrets/status"
+    {{- if .Values.openshiftFinalizers }}
     - "pushsecrets/finalizers"
+    {{- end }}
+    {{- end }}
+    {{- if .Values.processClusterPushSecret }}
     - "clusterpushsecrets"
     - "clusterpushsecrets/status"
+    {{- if .Values.openshiftFinalizers }}
     - "clusterpushsecrets/finalizers"
+    {{- end }}
+    {{- end }}
     verbs:
     - "get"
     - "update"
@@ -134,6 +162,7 @@ rules:
     - "create"
     - "update"
     - "delete"
+  {{- if .Values.processPushSecret }}
   - apiGroups:
     - "external-secrets.io"
     resources:
@@ -142,6 +171,7 @@ rules:
     - "create"
     - "update"
     - "delete"
+  {{- end }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 {{- if and .Values.scopedNamespace .Values.scopedRBAC }}
@@ -165,9 +195,15 @@ rules:
     resources:
       - "externalsecrets"
       - "secretstores"
+      {{- if .Values.processClusterStore }}
       - "clustersecretstores"
+      {{- end }}
+      {{- if .Values.processPushSecret }}
       - "pushsecrets"
+      {{- end }}
+      {{- if .Values.processClusterPushSecret }}
       - "clusterpushsecrets"
+      {{- end }}
     verbs:
       - "get"
       - "watch"
@@ -213,9 +249,15 @@ rules:
     resources:
       - "externalsecrets"
       - "secretstores"
+      {{- if .Values.processClusterStore }}
       - "clustersecretstores"
+      {{- end }}
+      {{- if .Values.processPushSecret }}
       - "pushsecrets"
+      {{- end }}
+      {{- if .Values.processClusterPushSecret }}
       - "clusterpushsecrets"
+      {{- end }}
     verbs:
       - "create"
       - "delete"
@@ -333,7 +375,9 @@ rules:
     - "external-secrets.io"
     resources:
     - "externalsecrets"
+    {{- if .Values.processPushSecret }}
     - "pushsecrets"
+    {{- end }}
     verbs:
     - "get"
     - "list"

deploy/charts/external-secrets/values.schema.json

@@ -434,6 +434,9 @@
             "properties": {},
             "type": "object"
         },
+        "openshiftFinalizers": {
+            "type": "boolean"
+        },
         "podAnnotations": {
             "properties": {},
             "type": "object"

deploy/charts/external-secrets/values.yaml

@@ -78,6 +78,9 @@ scopedNamespace: ""
 # and implicitly disable cluster stores and cluster external secrets
 scopedRBAC: false
 
+# -- If true the OpenShift finalizer permissions will be added to RBAC
+openshiftFinalizers: true
+
 # -- if true, the operator will process cluster external secret. Else, it will ignore them.
 processClusterExternalSecret: true