fix: use cluster role
katallaxie authored Sep 17, 2024
1 parent 19c2918 commit 4259468
Showing 4 changed files with 19 additions and 16 deletions.
20 changes: 12 additions & 8 deletions controllers/account_server.go
Expand Up @@ -16,19 +16,20 @@ import (
// NatsAccountServer takes NatsAccount and serves them to a nats server (cluster)
type NatsAccountServer struct {
client.Client
Scheme *runtime.Scheme
accountMap map[string]string
nc *nats.Conn
Scheme *runtime.Scheme
accounts map[string]string
nc *nats.Conn
}

//+kubebuilder:rbac:groups=natz.zeiss.com,resources=natsaccounts,verbs=get;list;watch;create;update;patch;delete

// NewNatsAccountServer ...
func NewNatsAccountServer(mgr ctrl.Manager, nc *nats.Conn) *NatsAccountServer {
return &NatsAccountServer{
Client: mgr.GetClient(),
Scheme: mgr.GetScheme(),
nc: nc,
Client: mgr.GetClient(),
Scheme: mgr.GetScheme(),
accounts: make(map[string]string),
nc: nc,
}
}

Expand All @@ -41,16 +42,19 @@ func (r *NatsAccountServer) Reconcile(ctx context.Context, req ctrl.Request) (ct
if errors.IsNotFound(err) {
return ctrl.Result{}, nil
}

return ctrl.Result{}, err
}

logger.Info("reconciling account", "account", account.Name)

if account.DeletionTimestamp != nil {
delete(r.accountMap, account.Status.PublicKey)
delete(r.accounts, account.Status.PublicKey)
return ctrl.Result{}, nil
}

if account.Status.JWT != "" && account.Status.PublicKey != "" {
r.accountMap[account.Status.PublicKey] = account.Status.JWT
r.accounts[account.Status.PublicKey] = account.Status.JWT

if r.nc != nil {
go func() {
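Review bot: `r.accounts` is mutated without any synchronisation at `delete(r.accounts, account.Status.PublicKey)` and `r.accounts[account.Status.PublicKey] = account.Status.JWT`, and a goroutine is launched immediately after the second write; if that goroutine reads the map, or the manager runs Reconcile with more than one concurrent worker, this is a race on a plain Go map, which the runtime aborts with a fatal "concurrent map writes" rather than tolerating as stale data. Reconcile continues past the hunk, so what the goroutine does with the map is not visible here. Keeping a mutex on the struct next to the map, taken around both writes (and around any read in the goroutine), contains the fix to this file; it needs `"sync"` added to the import block, whose body is above the hunk. The placeholder `// NewNatsAccountServer ...` should also say what it builds, e.g. `// NewNatsAccountServer returns a NatsAccountServer wired to mgr's client and scheme, with an empty JWT cache keyed by account public key.`
```go
type NatsAccountServer struct {
	client.Client
	Scheme   *runtime.Scheme
	mu       sync.RWMutex // guards accounts: Reconcile may run concurrently and hands off to a goroutine
	accounts map[string]string
	nc       *nats.Conn
}

// … unchanged: NewNatsAccountServer, start of Reconcile …

	if account.DeletionTimestamp != nil {
		r.mu.Lock()
		delete(r.accounts, account.Status.PublicKey)
		r.mu.Unlock()
		return ctrl.Result{}, nil
	}

	if account.Status.JWT != "" && account.Status.PublicKey != "" {
		r.mu.Lock()
		r.accounts[account.Status.PublicKey] = account.Status.JWT
		r.mu.Unlock()
		// … unchanged: nc nil check and goroutine (take r.mu.RLock() there if it reads accounts) …
```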
4 changes: 2 additions & 2 deletions helm/charts/account-server/templates/deployment.yaml
Expand Up @@ -34,6 +34,7 @@ spec:
readOnly: true
securityContext:
allowPrivilegeEscalation: false
{{- toYaml .Values.controller.securityContext | nindent 10 }}
volumes:
- name: "credentials"
secret:
Expand All @@ -43,5 +44,4 @@ spec:
- key: "user.creds"
path: "user.creds"
mode: 420
securityContext:
{{- toYaml .Values.controller.securityContext | nindent 8 }}
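Review bot: `allowPrivilegeEscalation: false` is still emitted literally on the line directly above the new `{{- toYaml .Values.controller.securityContext | nindent 10 }}`, so a chart user who also sets that key under `controller.securityContext` renders a container securityContext with a duplicate key; depending on the YAML parser that either fails the render or lets one of the two values silently win. Move the default into values.yaml (`controller.securityContext.allowPrivilegeEscalation: false`) and render the whole block from values so there is a single source of truth. Relocating the block from pod to container level is also what makes the `capabilities` entries in values valid, since a pod-level securityContext has no capabilities field; a one-line template comment above the nindent noting that would spare the next reader the detour to the API reference.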

9 changes: 5 additions & 4 deletions helm/charts/account-server/templates/rbac.yaml
@@ -1,5 +1,5 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
kind: ClusterRole
metadata:
name: {{ include "account-server.fullname" . }}
rules:
Expand All @@ -13,13 +13,14 @@ rules:
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
kind: ClusterRoleBinding
metadata:
name: {{ include "account-server.fullname" . }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
kind: ClusterRole
name: {{ include "account-server.fullname" . }}
subjects:
- kind: ServiceAccount
name: {{ include "account-server.serviceAccountName" . }}
name: {{ include "account-server.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
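Review bot: ClusterRole and ClusterRoleBinding are cluster-scoped objects, but both keep `name: {{ include "account-server.fullname" . }}`; unless that helper already folds in the namespace (not visible here), two releases with the same name in different namespaces now collide on one object and the later install overwrites the earlier binding. Suffixing the name with the namespace, `name: {{ include "account-server.fullname" . }}-{{ .Release.Namespace }}`, in both objects and in `roleRef.name` avoids that. Separately, the switch widens the grant for every verb under `rules:` (the rules hunk lies mostly above this view) from one namespace to the whole cluster, which is the correct shape only if the controller watches accounts cluster-wide; a values toggle (e.g. a constructed `rbac.clusterWide` boolean defaulting to true) would let single-namespace installs keep a Role/RoleBinding, and the chart README should state that cluster-wide RBAC is now required.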
2 changes: 0 additions & 2 deletions helm/charts/account-server/values.yaml
Expand Up @@ -177,8 +177,6 @@ controller:
- NET_BIND_SERVICE
drop:
- all
runAsUser: 0
runAsGroup: 0

serviceAccount:
# -- Create a service account for the natz controller
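Review bot: Removing `runAsUser: 0` and `runAsGroup: 0` leaves the effective UID to whatever the image's USER directive says, and nothing in the remaining block asserts it, so if the image still runs as root the container keeps root while the chart now reads as hardened. Adding `runAsNonRoot: true` beside the capabilities block (plus a non-zero `runAsUser` if the image declares no USER) makes the kubelet refuse to start a root container instead of trusting the image. With root gone, `NET_BIND_SERVICE` under `add:` is what still permits binding ports below 1024; keep it only if the server actually listens there, otherwise it is an unneeded capability. The securityContext block begins above the hunk, so whether `runAsNonRoot` is already set further up is not visible from here.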
