From c711ec0b2e12ae793136377ec59e9ce762ef0153 Mon Sep 17 00:00:00 2001 From: Aditya Thebe Date: Fri, 29 Dec 2023 10:49:13 +0545 Subject: [PATCH] feat: rbac on helm --- chart/templates/serviceaccount.yaml | 40 ++++++++++++++++++++++++++--- chart/values.yaml | 16 +++++++++++- 2 files changed, 52 insertions(+), 4 deletions(-) diff --git a/chart/templates/serviceaccount.yaml b/chart/templates/serviceaccount.yaml index 730cbc5a..8676b726 100644 --- a/chart/templates/serviceaccount.yaml +++ b/chart/templates/serviceaccount.yaml @@ -10,13 +10,13 @@ metadata: {{- end }} --- apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding +kind: "{{if .Values.serviceAccount.rbac.cluster_role}}Cluster{{end}}RoleBinding" metadata: name: {{ template "config-db.serviceAccountName" . }}-rolebinding labels: {{- include "config-db.labels" . | nindent 4 }} roleRef: apiGroup: rbac.authorization.k8s.io - kind: ClusterRole + kind: "{{if .Values.serviceAccount.rbac.cluster_role}}Cluster{{end}}Role" name: {{ template "config-db.serviceAccountName" . }}-role subjects: - kind: ServiceAccount 
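Review bot: The `{{if .Values.serviceAccount.rbac.cluster_role}}Cluster{{end}}` conditional is spelled out three times — the binding kind and roleRef kind here, and the role kind in the next hunk — and the three must agree or the binding points at a role that does not exist, so deriving them from one value is safer than repeating the expression. A single variable near the top of the file, `{{- $kind := ternary "ClusterRole" "Role" .Values.serviceAccount.rbac.cluster_role }}`, then `kind: {{ $kind }}Binding` and `kind: {{ $kind }}`, removes the duplication; the definition would sit above this hunk. Worth stating in a comment that with `cluster_role: false` the RoleBinding is rendered into `.Release.Namespace` only, so the service account can then read nothing outside that namespace — presumably intended, but it changes what the `readAll` toggle means.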
@@ -24,11 +24,44 @@ subjects: namespace: {{ .Release.Namespace }} --- apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole +kind: "{{if .Values.serviceAccount.rbac.cluster_role}}Cluster{{end}}Role" metadata: name: {{ template "config-db.serviceAccountName" . }}-role labels: {{- include "config-db.labels" . | nindent 4 }} rules: +{{- if .Values.serviceAccount.rbac.secrets}} +- apiGroups: + - v1 + resources: + - secrets + verbs: + - get + - list +{{- end}} +{{- if .Values.serviceAccount.rbac.configmaps}} +- apiGroups: + - v1 + resources: + - configmaps + verbs: + - get + - list +{{- end}} +{{- if .Values.serviceAccount.rbac.exec}} +- apiGroups: [""] + resources: + - pods/attach + - pods/exec + - pods/log + verbs: + - '*' +{{- end}} +{{- if .Values.serviceAccount.rbac.tokenRequest}} +- apiGroups: ['authentication.k8s.io/v1'] + resources: ['serviceaccounts/token'] + verbs: ['create'] +{{- end}} +{{- if .Values.serviceAccount.rbac.readAll}} - apiGroups: - '*' resources: @@ -37,6 +70,7 @@ rules: - "list" - "get" - "watch" +{{- end}} - apiGroups: - configs.flanksource.com resources: diff --git a/chart/values.yaml b/chart/values.yaml index 15abd60c..62f14bf3 100644 --- a/chart/values.yaml +++ b/chart/values.yaml @@ -43,7 +43,7 @@ db: # If you need to set a custom username and password, you can populate a secret named 'postgres-connection' before install # with POSTGRES_USER and POSTGRES_PASSWORD # - # If create:false, a prexisting secret containing the URI to an existing postgres database must be provided + # If create:false, a preexisting secret containing the URI to an existing postgres database must be provided # The URI must be in the format 'postgresql://"$user":"$password"@"$host"/"$database"' create: false secretKeyRef: 
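Review bot: The `secrets` and `configmaps` rules never match anything because `apiGroups: - v1` names an API version, not a group; Secrets and ConfigMaps live in the core group, which RBAC spells as `""` (exactly as the `exec` rule in this same hunk already does). The `tokenRequest` rule has the same defect: `serviceaccounts/token` is a core-group subresource, so `['authentication.k8s.io/v1']` should also be `[""]`. With `readAll: true` (the values.yaml default) the `'*'` rule later in the list covers get/list on everything and masks the broken rules, so the failure only surfaces once readAll is switched off. The `exec` rule is also wider than needed: `verbs: ['*']` on `pods/exec` and `pods/attach` — `create` is what exec/attach require (plus `get` if any client still opens them over GET), and `get` is enough for `pods/log`. The `rules:` list continues past this hunk.
```yaml
{{- if .Values.serviceAccount.rbac.secrets}}
- apiGroups:
  - ""  # core API group; "v1" is a version and matches nothing
  resources:
  - secrets
  verbs:
  - get
  - list
{{- end}}
# … unchanged: configmaps rule, with the same apiGroups fix …
{{- if .Values.serviceAccount.rbac.exec}}
- apiGroups: [""]
  resources:
  - pods/attach
  - pods/exec
  verbs:
  - create  # exec/attach are opened with POST; no need for '*'
- apiGroups: [""]
  resources:
  - pods/log
  verbs:
  - get
{{- end}}
{{- if .Values.serviceAccount.rbac.tokenRequest}}
- apiGroups: [""]  # serviceaccounts/token is a core-group subresource
  resources: ['serviceaccounts/token']
  verbs: ['create']
{{- end}}
```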
@@ -78,6 +78,20 @@ serviceAccount: create: true name: '' annotations: {} + rbac: + # Whether to create cluster-wide or namespaced roles + cluster_role: true + + # for secret management with valueFrom + tokenRequest: true + secrets: true + configmaps: true + + # for use with kubernetes resource lookups + readAll: true + + # for kubernetesFile lookups + exec: true upstream: enabled: false
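Review bot: Every toggle under `rbac` defaults to true, and combined with `cluster_role: true` the default install grants the service account get/list/watch on every resource in every namespace, Secrets included, plus exec/attach into every pod — exec into a pod that carries a more privileged service account or a host mount is a routine escalation path, so this is a much larger blast radius than the comments suggest. Least privilege would default `exec: false` and make `readAll` opt-in, or at minimum warn in the comments, e.g. `# WARNING: with cluster_role true this grants read on every resource, Secrets included, in all namespaces` above `readAll` and `# exec/attach into any pod the role covers; can escalate to that pod's privileges — enable only if kubernetesFile lookups are used` above `exec`. `readAll: true` also subsumes `secrets` and `configmaps` (the `'*'` rule already allows get/list on them), so a comment that those two only take effect when readAll is false would avoid a false sense of scoping. Style: `cluster_role` is the one snake_case key among camelCase siblings (`tokenRequest`, `readAll`); `clusterRole` would match the chart's convention, at the cost of updating the three template references.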