Merge pull request #72 from DarkChaos/master

fix(charts/dex): changed RBAC to Namespace aware deployment
dexidp · Apr 5, 2022 · 5d4f5f4 · 5d4f5f4
2 parents c36a6e3 + ad305ed
commit 5d4f5f4
Show file tree

Hide file tree

Showing 4 changed files with 36 additions and 7 deletions.
diff --git a/charts/dex/Chart.yaml b/charts/dex/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v2
 type: application
 name: dex
-version: 0.8.0
+version: 0.8.1
 appVersion: "2.31.1"
 kubeVersion: ">=1.14.0-0"
 description: OpenID Connect (OIDC) identity and OAuth 2.0 provider with pluggable connectors.
@@ -22,7 +22,7 @@ maintainers:
 annotations:
   artifacthub.io/changes: |
     - kind: changed
-      description: Updated Dex version
+      description: "`ClusterRole` and `ClusterRoleBilding` to `Role` and `RoleBinding` to allow Deployments without ClusterPermissions"
   artifacthub.io/images: |
     - name: dex
       image: ghcr.io/dexidp/dex:v2.31.1
diff --git a/charts/dex/README.md b/charts/dex/README.md
@@ -1,6 +1,6 @@
 # dex
 
-![version: 0.8.0](https://img.shields.io/badge/version-0.8.0-informational?style=flat-square) ![type: application](https://img.shields.io/badge/type-application-informational?style=flat-square) ![app version: 2.31.1](https://img.shields.io/badge/app%20version-2.31.1-informational?style=flat-square) ![kube version: >=1.14.0-0](https://img.shields.io/badge/kube%20version->=1.14.0--0-informational?style=flat-square) [![artifact hub](https://img.shields.io/badge/artifact%20hub-dex-informational?style=flat-square)](https://artifacthub.io/packages/helm/dex/dex)
+![version: 0.8.1](https://img.shields.io/badge/version-0.8.1-informational?style=flat-square) ![type: application](https://img.shields.io/badge/type-application-informational?style=flat-square) ![app version: 2.31.1](https://img.shields.io/badge/app%20version-2.31.1-informational?style=flat-square) ![kube version: >=1.14.0-0](https://img.shields.io/badge/kube%20version->=1.14.0--0-informational?style=flat-square) [![artifact hub](https://img.shields.io/badge/artifact%20hub-dex-informational?style=flat-square)](https://artifacthub.io/packages/helm/dex/dex)
 
 OpenID Connect (OIDC) identity and OAuth 2.0 provider with pluggable connectors.
 
@@ -132,6 +132,7 @@ ingress:
 | serviceAccount.annotations | object | `{}` | Annotations to be added to the service account. |
 | serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template. |
 | rbac.create | bool | `true` | Specifies whether RBAC resources should be created. If disabled, the operator is responsible for creating the necessary resources based on the templates. |
+| rbac.createClusterScoped | bool | `true` | Specifies which RBAC resources should be created. If disabled, the operator is responsible for creating the necessary resources (ClusterRole and RoleBinding or CRD's) |
 | podAnnotations | object | `{}` | Annotations to be added to pods. |
 | podDisruptionBudget.enabled | bool | `false` | Enable a [pod distruption budget](https://kubernetes.io/docs/tasks/run-application/configure-pdb/) to help dealing with [disruptions](https://kubernetes.io/docs/concepts/workloads/pods/disruptions/). It is **highly recommended** for webhooks as disruptions can prevent launching new pods. |
 | podDisruptionBudget.minAvailable | int/percentage | `nil` | Number or percentage of pods that must remain available. |

diff --git a/charts/dex/templates/rbac.yaml b/charts/dex/templates/rbac.yaml
@@ -1,6 +1,6 @@
 {{- if .Values.rbac.create }}
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
+kind: Role
 metadata:
   name: {{ include "dex.fullname" . }}
   labels:
@@ -9,15 +9,38 @@ rules:
   - apiGroups: ["dex.coreos.com"]
     resources: ["*"]
     verbs: ["*"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "dex.fullname" . }}
+  labels:
+    {{- include "dex.labels" . | nindent 4 }}
+roleRef:
+  kind: Role
+  apiGroup: rbac.authorization.k8s.io
+  name: {{ include "dex.fullname" . }}  
+subjects:
+- kind: ServiceAccount
+  namespace: {{ .Release.Namespace }}
+  name: {{ include "dex.serviceAccountName" . }}
+{{- if .Values.rbac.createClusterScoped }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "dex.fullname" . }}
+  labels:
+    {{- include "dex.labels" . | nindent 4 }}
+rules:
   - apiGroups: ["apiextensions.k8s.io"]
     resources: ["customresourcedefinitions"]
     verbs: ["create"]
-
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
+kind: RoleBinding
 metadata:
-  name: {{ include "dex.fullname" . }}
+  name: {{ include "dex.fullname" . }}-cluster
   labels:
     {{- include "dex.labels" . | nindent 4 }}
 roleRef:
@@ -29,3 +52,4 @@ subjects:
   namespace: {{ .Release.Namespace }}
   name: {{ include "dex.serviceAccountName" . }}
 {{- end }}
+{{- end }}
diff --git a/charts/dex/values.yaml b/charts/dex/values.yaml
@@ -99,6 +99,10 @@ rbac:
   # If disabled, the operator is responsible for creating the necessary resources based on the templates.
   create: true
 
+  # -- Specifies which RBAC resources should be created.
+  # If disabled, the operator is responsible for creating the necessary resources (ClusterRole and RoleBinding or CRD's)
+  createClusterScoped: true
+
 # -- Annotations to be added to pods.
 podAnnotations: {}