
feat(charts): Add aggregateToAdmin toggle (#6586)

Signed-off-by: Richard Ahlquist <richard.jimmy.johansson@gmail.com>
Richard Ahlquist 15 hours ago
eaf9d59a4f

+ 1 - 0
deploy/charts/external-secrets/README.md

@@ -200,6 +200,7 @@ The command removes all the Kubernetes components associated with the chart and
 | processClusterStore | bool | `true` | if true, the operator will process cluster store. Else, it will ignore them. |
 | processPushSecret | bool | `true` | if true, the operator will process push secret. Else, it will ignore them. |
 | processSecretStore | bool | `true` | if true, the operator will process secret store. Else, it will ignore them. |
+| rbac.aggregateToAdmin | bool | `true` | Specifies whether permissions are aggregated to the admin ClusterRole |
 | rbac.aggregateToEdit | bool | `true` | Specifies whether permissions are aggregated to the edit ClusterRole |
 | rbac.aggregateToView | bool | `true` | Specifies whether permissions are aggregated to the view ClusterRole |
 | rbac.create | bool | `true` | Specifies whether role and rolebinding resources should be created. |

+ 4 - 0
deploy/charts/external-secrets/templates/rbac.yaml

@@ -251,7 +251,9 @@ metadata:
     {{- if .Values.rbac.aggregateToEdit }}
     rbac.authorization.k8s.io/aggregate-to-edit: "true"
     {{- end }}
+    {{- if .Values.rbac.aggregateToAdmin }}
     rbac.authorization.k8s.io/aggregate-to-admin: "true"
+    {{- end }}
 rules:
   - apiGroups:
       - "external-secrets.io"
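Review bot: The new `{{- if .Values.rbac.aggregateToAdmin }}` guard around the aggregate-to-admin label carries no comment explaining what the label does, while this is the one toggle that decides whether the chart's rules are pulled into the built-in `admin` ClusterRole by the aggregation controller. A one-line template comment above the label group, `{{- /* aggregate-to-* labels feed the aggregated view/edit/admin ClusterRoles; each is opt-out via .Values.rbac.aggregateTo* */ -}}`, would make the privilege effect of flipping the value visible to whoever edits the template next. The same shape is repeated in the second hunk of this file (the edit ClusterRole), so the comment belongs in both places. The enclosing ClusterRole definition begins outside the hunk, so I cannot confirm which role the first hunk belongs to; the test file names them as the view and edit roles.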
@@ -315,7 +317,9 @@ metadata:
     {{- if .Values.rbac.aggregateToEdit }}
     rbac.authorization.k8s.io/aggregate-to-edit: "true"
     {{- end }}
+    {{- if .Values.rbac.aggregateToAdmin }}
     rbac.authorization.k8s.io/aggregate-to-admin: "true"
+    {{- end }}
 rules:
   - apiGroups:
       - "external-secrets.io"

+ 43 - 3
deploy/charts/external-secrets/tests/rbac_test.yaml

@@ -7,29 +7,69 @@ tests:
       rbac:
         aggregateToView: false
     asserts:
+      - isKind:
+          of: ClusterRole
+        documentSelector:
+          path: metadata.name
+          value: RELEASE-NAME-external-secrets-view
       - notExists:
           path: metadata.labels["rbac.authorization.k8s.io/aggregate-to-view"]
         documentSelector:
-          kind: ClusterRole
           path: metadata.name
           value: RELEASE-NAME-external-secrets-view
+
   - it: should remove the labels aggregate-to-edit to the view and edit ClusterRoles
     set:
       rbac:
         aggregateToEdit: false
     asserts:
+      - isKind:
+          of: ClusterRole
+        documentSelector:
+          path: metadata.name
+          value: RELEASE-NAME-external-secrets-view
       - notExists:
           path: metadata.labels["rbac.authorization.k8s.io/aggregate-to-edit"]
         documentSelector:
-          kind: ClusterRole
           path: metadata.name
           value: RELEASE-NAME-external-secrets-view
+      - isKind:
+          of: ClusterRole
+        documentSelector:
+          path: metadata.name
+          value: RELEASE-NAME-external-secrets-edit
       - notExists:
           path: metadata.labels["rbac.authorization.k8s.io/aggregate-to-edit"]
         documentSelector:
-          kind: ClusterRole
           path: metadata.name
           value: RELEASE-NAME-external-secrets-edit
+
+  - it: should remove the labels aggregate-to-admin to the view and edit ClusterRoles
+    set:
+      rbac:
+        aggregateToAdmin: false
+    asserts:
+      - isKind:
+          of: ClusterRole
+        documentSelector:
+          path: metadata.name
+          value: RELEASE-NAME-external-secrets-view
+      - notExists:
+          path: metadata.labels["rbac.authorization.k8s.io/aggregate-to-admin"]
+        documentSelector:
+          path: metadata.name
+          value: RELEASE-NAME-external-secrets-view
+      - isKind:
+          of: ClusterRole
+        documentSelector:
+          path: metadata.name
+          value: RELEASE-NAME-external-secrets-edit
+      - notExists:
+          path: metadata.labels["rbac.authorization.k8s.io/aggregate-to-admin"]
+        documentSelector:
+          path: metadata.name
+          value: RELEASE-NAME-external-secrets-edit
+
   - it: should not create auth delegator ClusterRoleBinding by default
     documentSelector:
       path: kind
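Review bot: The new `should remove the labels aggregate-to-admin` case only pins the negative path (label absent when `rbac.aggregateToAdmin: false`); nothing asserts that the default rendering still carries `rbac.authorization.k8s.io/aggregate-to-admin: "true"` on both ClusterRoles, so a regression that drops the label entirely would pass this suite. A companion case using `equal` on the label path for the view and edit documents would pin the default, which is the security-relevant one since it is what grants the chart's permissions to `admin`-bound subjects. Minor wording: the new `it:` text copies the existing grammar; `should remove the label aggregate-to-admin from the view and edit ClusterRoles` reads more clearly. The hunk ends inside the `should not create auth delegator` case, which continues past the hunk.
```yaml
  - it: should add the label aggregate-to-admin to the view and edit ClusterRoles by default
    asserts:
      - equal:
          path: metadata.labels["rbac.authorization.k8s.io/aggregate-to-admin"]
          value: "true"
        documentSelector:
          path: metadata.name
          value: RELEASE-NAME-external-secrets-view
      - equal:
          path: metadata.labels["rbac.authorization.k8s.io/aggregate-to-admin"]
          value: "true"
        documentSelector:
          path: metadata.name
          value: RELEASE-NAME-external-secrets-edit
  # … unchanged: should remove the labels aggregate-to-admin … case …
```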

+ 3 - 0
deploy/charts/external-secrets/values.schema.json

@@ -726,6 +726,9 @@
         "rbac": {
             "type": "object",
             "properties": {
+                "aggregateToAdmin": {
+                    "type": "boolean"
+                },
                 "aggregateToEdit": {
                     "type": "boolean"
                 },

+ 3 - 0
deploy/charts/external-secrets/values.yaml

@@ -215,6 +215,9 @@ rbac:
   # -- Specifies whether permissions are aggregated to the edit ClusterRole
   aggregateToEdit: true
 
+  # -- Specifies whether permissions are aggregated to the admin ClusterRole
+  aggregateToAdmin: true
+
 ## -- Extra environment variables to add to container.
 extraEnv: []