@@ -54,9 +54,12 @@ app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
Create the name of the service account to use
|
||||
*/}}
|
||||
{{- define "zitadel-k8s-operator.serviceAccountName" -}}
|
||||
{{- if .Values.serviceAccount.create }}
|
||||
{{- default (include "zitadel-k8s-operator.fullname" .) .Values.serviceAccount.name }}
|
||||
{{- $default := (include "zitadel-k8s-operator.fullname" .) }}
|
||||
{{- with .Values.serviceAccount }}
|
||||
{{- if .create }}
|
||||
{{- default $default .name }}
|
||||
{{- else }}
|
||||
{{- default "default" .Values.serviceAccount.name }}
|
||||
{{- default "default" .name }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
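Review bot: In the `else` branch, `default "default" .name` resolves to the namespace's `default` ServiceAccount whenever `serviceAccount.create` is false and no name is set, and the binding subjects changed in the `@@ -55,5`, `@@ -191,5` and `@@ -36,5` hunks now take their name from this helper. In that configuration the leader-election, manager and proxy roles would be bound to an account that every pod in the release namespace uses unless it names its own. Failing the render is the safer behaviour: `{{- required "serviceAccount.name must be set when serviceAccount.create is false" .name }}`. Separately, the default name of the created account appears to change from `<fullname>-controller-manager` to `<fullname>`, which deserves a line in the upgrade notes.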
|
||||
|
||||
@@ -79,7 +79,11 @@ spec:
|
||||
}}
|
||||
securityContext: {{- toYaml .Values.controllerManager.manager.containerSecurityContext
|
||||
| nindent 10 }}
|
||||
securityContext:
|
||||
runAsNonRoot: true
|
||||
serviceAccountName: {{ include "zitadel-k8s-operator.fullname" . }}-controller-manager
|
||||
terminationGracePeriodSeconds: 10
|
||||
nodeSelector: {{- toYaml .Values.controllerManager.nodeSelector | nindent 8 }}
|
||||
securityContext: {{- toYaml .Values.controllerManager.podSecurityContext | nindent
|
||||
8 }}
|
||||
serviceAccountName: {{ include "zitadel-k8s-operator.serviceAccountName" . }}
|
||||
terminationGracePeriodSeconds: 10
|
||||
tolerations: {{- toYaml .Values.controllerManager.tolerations | nindent 8 }}
|
||||
topologySpreadConstraints: {{- toYaml .Values.controllerManager.topologySpreadConstraints
|
||||
| nindent 8 }}
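Review bot: The pod-level `securityContext` is now rendered entirely from `.Values.controllerManager.podSecurityContext`, so the `runAsNonRoot: true` that appears to have been hard-coded here survives only if the chart's values.yaml (not shown on this page) sets it. With the key missing, `toYaml` would render an empty value and the pod would start with no pod security context at all. I would keep the hardened default in values.yaml, for example `podSecurityContext:` with `runAsNonRoot: true` beneath it, and add a comment there that an override replaces the whole block rather than merging with it. The pod spec starts and ends outside this hunk.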
|
||||
|
||||
@@ -55,5 +55,5 @@ roleRef:
|
||||
name: '{{ include "zitadel-k8s-operator.fullname" . }}-leader-election-role'
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: '{{ include "zitadel-k8s-operator.fullname" . }}-controller-manager'
|
||||
namespace: '{{ .Release.Namespace }}'
|
||||
name: '{{ include "zitadel-k8s-operator.serviceAccountName" . }}'
|
||||
namespace: '{{ .Release.Namespace }}'
|
||||
|
||||
@@ -128,17 +128,48 @@ rules:
|
||||
- list
|
||||
- patch
|
||||
- watch
|
||||
- apiGroups:
|
||||
- zitadel.github.com
|
||||
resources:
|
||||
- clusters
|
||||
- connections
|
||||
- instances
|
||||
- machineusers
|
||||
- organizations
|
||||
verbs:
|
||||
- create
|
||||
- delete
|
||||
- get
|
||||
- list
|
||||
- patch
|
||||
- update
|
||||
- watch
|
||||
- apiGroups:
|
||||
- zitadel.github.com
|
||||
resources:
|
||||
- clusters/finalizers
|
||||
- connections/finalizers
|
||||
- instances/finalizers
|
||||
- machineusers/finalizers
|
||||
- organizations/finalizers
|
||||
verbs:
|
||||
- update
|
||||
- apiGroups:
|
||||
- zitadel.github.com
|
||||
resources:
|
||||
- clusters/status
|
||||
- connections/status
|
||||
- instances/status
|
||||
- machineusers/status
|
||||
- organizations/status
|
||||
verbs:
|
||||
- get
|
||||
- patch
|
||||
- update
|
||||
- apiGroups:
|
||||
- zitadel.topmanage.com
|
||||
resources:
|
||||
- actions
|
||||
- apiapps
|
||||
- flows
|
||||
- machineusers
|
||||
- oidcapps
|
||||
- organizations
|
||||
- projects
|
||||
- zitadelclusters
|
||||
- instances
|
||||
verbs:
|
||||
- create
|
||||
- delete
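Review bot: The new `zitadel.github.com` rule grants `create` and `delete` on `clusters`, `connections`, `instances`, `machineusers` and `organizations`, and nothing visible here shows that the controller creates or deletes those objects itself. If it only reconciles resources that users apply, `get`, `list`, `watch`, `update` and `patch`, together with the `/status` and `/finalizers` rules, should be sufficient. The narrower verb set limits what a leaked manager token can do. The rule list starts and ends outside this hunk, and if the file is generated from kubebuilder RBAC markers the change belongs in the markers rather than in the rendered template.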
|
||||
@@ -150,27 +181,13 @@ rules:
|
||||
- apiGroups:
|
||||
- zitadel.topmanage.com
|
||||
resources:
|
||||
- actions/finalizers
|
||||
- apiapps/finalizers
|
||||
- flows/finalizers
|
||||
- machineusers/finalizers
|
||||
- oidcapps/finalizers
|
||||
- organizations/finalizers
|
||||
- projects/finalizers
|
||||
- zitadelclusters/finalizers
|
||||
- instances/finalizers
|
||||
verbs:
|
||||
- update
|
||||
- apiGroups:
|
||||
- zitadel.topmanage.com
|
||||
resources:
|
||||
- actions/status
|
||||
- apiapps/status
|
||||
- flows/status
|
||||
- machineusers/status
|
||||
- oidcapps/status
|
||||
- organizations/status
|
||||
- projects/status
|
||||
- zitadelclusters/status
|
||||
- instances/status
|
||||
verbs:
|
||||
- get
|
||||
- patch
|
||||
@@ -191,5 +208,5 @@ roleRef:
|
||||
name: '{{ include "zitadel-k8s-operator.fullname" . }}-manager-role'
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: '{{ include "zitadel-k8s-operator.fullname" . }}-controller-manager'
|
||||
name: '{{ include "zitadel-k8s-operator.serviceAccountName" . }}'
|
||||
namespace: '{{ .Release.Namespace }}'
|
||||
|
||||
@@ -11,4 +11,4 @@ rules:
|
||||
- nonResourceURLs:
|
||||
- /metrics
|
||||
verbs:
|
||||
- get
|
||||
- get
|
||||
|
||||
@@ -12,6 +12,6 @@ spec:
|
||||
type: {{ .Values.metricsService.type }}
|
||||
selector:
|
||||
control-plane: controller-manager
|
||||
{{- include "zitadel-k8s-operator.selectorLabels" . | nindent 4 }}
|
||||
{{- include "zitadel-k8s-operator.selectorLabels" . | nindent 4 }}
|
||||
ports:
|
||||
{{- .Values.metricsService.ports | toYaml | nindent 2 }}
|
||||
{{- .Values.metricsService.ports | toYaml | nindent 2 }}
|
||||
|
||||
@@ -36,5 +36,5 @@ roleRef:
|
||||
name: '{{ include "zitadel-k8s-operator.fullname" . }}-proxy-role'
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: '{{ include "zitadel-k8s-operator.fullname" . }}-controller-manager'
|
||||
namespace: '{{ .Release.Namespace }}'
|
||||
name: '{{ include "zitadel-k8s-operator.serviceAccountName" . }}'
|
||||
namespace: '{{ .Release.Namespace }}'
|
||||
|
||||
@@ -1,11 +1,13 @@
|
||||
{{ if .Values.serviceAccount.create }}
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: {{ include "zitadel-k8s-operator.fullname" . }}-controller-manager
|
||||
name: {{ include "zitadel-k8s-operator.serviceAccountName" . }}
|
||||
labels:
|
||||
app.kubernetes.io/component: rbac
|
||||
app.kubernetes.io/created-by: src
|
||||
app.kubernetes.io/part-of: src
|
||||
{{- include "zitadel-k8s-operator.labels" . | nindent 4 }}
|
||||
{{- with .Values.serviceAccount.annotations }}
|
||||
annotations:
|
||||
{{- toYaml .Values.controllerManager.serviceAccount.annotations | nindent 4 }}
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
automountServiceAccountToken: {{ .Values.serviceAccount.automount }}
|
||||
{{- end }}
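Review bot: `automountServiceAccountToken: {{ .Values.serviceAccount.automount }}` has no fallback, so when `serviceAccount.automount` is missing from the values the field renders empty and the API server applies its own default. The values.yaml default is not visible on this page; it should set `automount: true` explicitly, with a comment that the controller-manager pod needs the token to reach the API server. A `| default true` pipe is not a fix here, because Helm's `default` treats `false` as empty and would turn an explicit opt-out back into `true`. If operators are expected to disable automount on the account, the Deployment's pod spec would need its own `automountServiceAccountToken: true`.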
|
||||
|
||||