From 983331c9cdef67ec30a15504294bb50b69bcbe5e Mon Sep 17 00:00:00 2001
From: Matt Ray
Date: Fri, 6 Oct 2023 18:24:09 +1100
Subject: [PATCH] Imported ClusterRole and ClusterRoleBinding
Signed-off-by: Matt Ray
---
 .../templates/clusterrole.yaml | 79 ++++++
 .../templates/clusterrolebinding.yaml | 18 ++
 .../prometheus-opencost-exporter/values.yaml | 241 +-----------------
 3 files changed, 100 insertions(+), 238 deletions(-)
 create mode 100644 charts/prometheus-opencost-exporter/templates/clusterrole.yaml
 create mode 100644 charts/prometheus-opencost-exporter/templates/clusterrolebinding.yaml
diff --git a/charts/prometheus-opencost-exporter/templates/clusterrole.yaml b/charts/prometheus-opencost-exporter/templates/clusterrole.yaml
new file mode 100644
index 000000000000..a2dd0551a7ed
--- /dev/null
+++ b/charts/prometheus-opencost-exporter/templates/clusterrole.yaml
@@ -0,0 +1,79 @@
+# Cluster role giving opencost to get, list, watch required resources
+# No write permissions are required
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "prometheus-opencost-exporter.fullname" . }}
+ labels: {{- include "prometheus-opencost-exporter.labels" . | nindent 4 }}
+rules:
+ - apiGroups: [""]
+ resources:
+ - configmaps
+ - deployments
+ - nodes
+ - pods
+ - services
+ - resourcequotas
+ - replicationcontrollers
+ - limitranges
+ - persistentvolumeclaims
+ - persistentvolumes
+ - namespaces
+ - endpoints
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - extensions
+ resources:
+ - daemonsets
+ - deployments
+ - replicasets
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - apps
+ resources:
+ - statefulsets
+ - deployments
+ - daemonsets
+ - replicasets
+ verbs:
+ - list
+ - watch
+ - apiGroups:
+ - batch
+ resources:
+ - cronjobs
+ - jobs
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - autoscaling
+ resources:
+ - horizontalpodautoscalers
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - policy
+ resources:
+ - poddisruptionbudgets
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - storage.k8s.io
+ resources:
+ - storageclasses
+ verbs:
+ - get
+ - list
+ - watch
diff --git a/charts/prometheus-opencost-exporter/templates/clusterrolebinding.yaml b/charts/prometheus-opencost-exporter/templates/clusterrolebinding.yaml
new file mode 100644
index 000000000000..523056772e9b
--- /dev/null
+++ b/charts/prometheus-opencost-exporter/templates/clusterrolebinding.yaml
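Review bot: The ClusterRole is rendered unconditionally while the ClusterRoleBinding added in the same commit is wrapped in `{{- if .Values.rbac.enabled }}`, so `rbac.enabled: false` still creates a cluster-scoped object and the install fails for users who lack cluster-level RBAC rights; wrap this file the same way, `{{- if .Values.rbac.enabled }}` as the first line and `{{- end }}` as the last. The first rule also lists `deployments` under the core apiGroup `""`, where no such resource exists, and the `extensions` rule names resource types that apiservers from Kubernetes 1.16 onward no longer serve under that group — both are dead grants that make the role harder to audit against what opencost actually needs. The `apps` rule omits `get` while every other rule has it; if that is deliberate, a one-line comment saying so would save the next reviewer a question. The header comment could read `# Cluster role allowing opencost to get, list and watch the resources it prices`.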
@@ -0,0 +1,18 @@
+{{- if .Values.rbac.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ include "prometheus-opencost-exporter.fullname" . }}
+ labels: {{- include "prometheus-opencost-exporter.labels" . | nindent 4 }}
+ {{- with .Values.annotations }}
+ annotations: {{- toYaml . | nindent 4 }}
+ {{- end }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ include "prometheus-opencost-exporter.fullname" . }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ template "prometheus-opencost-exporter.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
diff --git a/charts/prometheus-opencost-exporter/values.yaml b/charts/prometheus-opencost-exporter/values.yaml
index 3c4b39ebb851..9094e44a97fd 100644
--- a/charts/prometheus-opencost-exporter/values.yaml
+++ b/charts/prometheus-opencost-exporter/values.yaml
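Review bot: The subject's name uses `{{ template "prometheus-opencost-exporter.serviceAccountName" . }}` while every other helper call in this commit uses `include`; `template` is the older form and cannot be piped, so `name: {{ include "prometheus-opencost-exporter.serviceAccountName" . }}` keeps the templates consistent. The annotations block reads a top-level `.Values.annotations` that the values.yaml hunk in this commit does not define; if it is defined above line 17 of values.yaml as pod annotations, copying them onto a cluster-scoped binding is probably unintended, and a dedicated `rbac.annotations` value would make the intent explicit. Either way the binding's subject and the ClusterRole name are derived from the same helpers, so the two files will only stay in step if both are gated on the same `rbac.enabled` flag.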
@@ -17,241 +17,6 @@ serviceAccount: # -- Whether pods running as this service account should have an API token automatically mounted automountServiceAccountToken: true -# replicaCount: 1 - -# image: -# repository: quay.io/kubecost1/kubecost-cost-model -# # if not set appVersion field from Chart.yaml is used -# tag: "" -# pullPolicy: IfNotPresent - -# ## Optionally specify an array of imagePullSecrets. -# ## Secrets must be manually created in the namespace. -# ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ -# ## -# # pullSecrets: -# # - myRegistrKeySecretName - -# service: -# type: ClusterIP -# port: 9003 -# targetPort: 9003 -# name: opencost -# labels: {} -# annotations: {} - -# automountServiceAccountToken: false - -# serviceMonitor: -# # When set true then use a ServiceMonitor to configure scraping -# enabled: false -# # Set the namespace the ServiceMonitor should be deployed -# namespace: "" -# # Set how frequently Prometheus should scrape -# scrapeInterval: 30s -# # -- HonorLabels chooses the metric's labels on collisions with target labels -# honorLabels: true -# # -- RelabelConfigs to apply to samples before scraping. Prometheus Operator automatically adds relabelings for a few standard Kubernetes fields -# relabelings: [] -# # -- MetricRelabelConfigs to apply to samples before ingestion -# metricRelabelings: [] - -# prometheusRule: -# enabled: false -# additionalLabels: {} -# namespace: "" -# rules: [] -# ## These are just examples rules, please adapt them to your needs. -# ## Make sure to constraint the rules to the current prometheus-postgres-exporter service. -# # - alert: HugeReplicationLag -# # expr: pg_replication_lag{service="{{ template "prometheus-postgres-exporter.fullname" . }}"} / 3600 > 1 -# # for: 1m -# # labels: -# # severity: critical -# # annotations: -# # description: replication for {{ template "prometheus-postgres-exporter.fullname" . }} PostgreSQL is lagging by {{ "{{ $value }}" }} hour(s). 
-# # summary: PostgreSQL replication is lagging by {{ "{{ $value }}" }} hour(s). - -# resources: {} -# # We usually recommend not to specify default resources and to leave this as a conscious -# # choice for the user. This also increases chances charts run on environments with little -# # resources, such as Minikube. If you do want to specify resources, uncomment the following -# # lines, adjust them as necessary, and remove the curly braces after 'resources:'. -# # limits: -# # cpu: 100m -# # memory: 128Mi -# # requests: -# # cpu: 100m -# # memory: 128Mi - -# rbac: -# # Specifies whether RBAC resources should be created -# create: true - -# serviceAccount: -# # Specifies whether a ServiceAccount should be created -# create: true -# # The name of the ServiceAccount to use. -# # If not set and create is true, a name is generated using the fullname template -# name: -# # Add annotations to the ServiceAccount, useful for EKS IAM Roles for Service Accounts or Google Workload Identity. -# annotations: {} - -# # Add a default ingress to allow namespace access to service.targetPort -# # Helpful if other NetworkPolicies are configured in the namespace -# networkPolicy: -# # Specifies whether a NetworkPolicy should be created -# enabled: false -# # Set labels for the NetworkPolicy -# labels: {} - -# # The securityContext of the pod. -# # See https://kubernetes.io/docs/concepts/policy/security-context/ for more. -# podSecurityContext: -# runAsGroup: 1001 -# runAsUser: 1001 -# runAsNonRoot: true -# seccompProfile: -# type: RuntimeDefault - -# # The securityContext of the container. -# # See https://kubernetes.io/docs/concepts/policy/security-context/ for more. 
-# securityContext: -# allowPrivilegeEscalation: false -# capabilities: -# drop: -# - ALL -# privileged: false -# readOnlyRootFilesystem: true - -# hostAliases: [] -# # Set Host Aliases as per https://kubernetes.io/docs/tasks/network/customize-hosts-file-for-pods/ -# # - ip: "127.0.0.1" -# # hostnames: -# # - "foo.local" -# # - "bar.local" - -# config: -# ## The datasource properties on config are passed through helm tpl function. -# ## ref: https://helm.sh/docs/developing_charts/#using-the-tpl-function -# datasource: -# # Specify one of both datasource or datasourceSecret -# host: '' -# user: postgres -# userSecret: {} -# # Secret name -# # name: -# # User key inside secret -# # key: -# # Only one of password, passwordFile, passwordSecret and pgpassfile can be specified -# password: -# # Specify passwordFile if DB password is stored in a file. -# # For example, to use with vault-injector from Hashicorp -# passwordFile: '' -# # Specify passwordSecret if DB password is stored in secret. -# passwordSecret: {} -# # Secret name -# # name: -# # Password key inside secret -# # key: -# pgpassfile: '' -# # If pgpassfile is set, it is used to initialize the PGPASSFILE environment variable. -# # See https://www.postgresql.org/docs/14/libpq-pgpass.html for more info. 
-# port: "5432" -# database: '' -# sslmode: disable -# extraParams: '' -# datasourceSecret: {} -# # Specifies if datasource should be sourced from secret value in format: postgresql://login:password@hostname:port/dbname?sslmode=disable -# # Multiple Postgres databases can be configured by comma separated postgres connection strings -# # Secret name -# # name: -# # Connection string key inside secret -# # key: -# disableCollectorDatabase: false -# disableCollectorBgwriter: false -# disableDefaultMetrics: false -# disableSettingsMetrics: false - -# # possible values debug, info, warn, error, fatal -# logLevel: "" -# # possible values logfmt, json -# logFormat: "" -# extraArgs: [] - -# # postgres_exporter.yml -# postgresExporter: "" -# # auth_modules: -# # first: -# # type: userpass -# # userpass: -# # username: first -# # password: firstpass -# # options: -# # sslmode: disable - -# nodeSelector: {} - -# tolerations: [] - -# affinity: {} - -# annotations: {} - -# podLabels: {} - -# # Configurable health checks -# livenessProbe: -# initialDelaySeconds: 0 -# timeoutSeconds: 3 - -# readinessProbe: -# initialDelaySeconds: 0 -# timeoutSeconds: 1 - -# # Labels and annotations to attach to the deployment resource -# deployment: -# labels: {} -# annotations: {} - -# # ExtraEnvs -# extraEnvs: [] -# # - name: EXTRA_ENV -# # value: value -# # - name: POD_NAMESPACE -# # valueFrom: -# # fieldRef: -# # fieldPath: metadata.namespace - -# # Init containers, e. g. for secrets creation before the exporter -# initContainers: [] -# # - name: -# # image: -# # volumeMounts: -# # - name: creds -# # mountPath: /creds - -# # Additional sidecar containers, e. g. for a database proxy, such as Google's cloudsql-proxy -# extraContainers: [] - -# # Additional volumes, e. g. 
for secrets used in an extraContainer -# extraVolumes: [] -# # Uncomment for mounting custom ca-certificates -# # - name: ssl-certs -# # secret: -# # defaultMode: 420 -# # items: -# # - key: ca-certificates.crt -# # path: ca-certificates.crt -# # secretName: ssl-certs - -# # Additional volume mounts -# extraVolumeMounts: [] -# # Uncomment for mounting custom ca-certificates file into container -# # - name: ssl-certs -# # mountPath: /etc/ssl/certs/ca-certificates.crt -# # subPath: ca-certificates.crt - -# podDisruptionBudget: -# enabled: false -# maxUnavailable: 1 +# Create cluster role policies +rbac: + enabled: true
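Review bot: The new `rbac.enabled` key is documented with a plain `# Create cluster role policies` comment, while the neighbouring `automountServiceAccountToken` uses the helm-docs `# --` form; `# -- Whether to create the ClusterRole and ClusterRoleBinding used by the exporter` would keep the generated docs complete. The key name also departs from the `create` convention used by the chart's own `serviceAccount.create` and by the removed commented-out `rbac.create` stanza, so users carrying `rbac.create: false` over from sibling charts will see no effect; if `enabled` is kept, the README should call that out. The hunk's context lines sit inside the `serviceAccount` mapping, which begins before the hunk.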