diff --git a/addons/sns-chart/Chart.yaml b/addons/sns-chart/Chart.yaml index 7d98c5ba5..f6fd9b458 100644 --- a/addons/sns-chart/Chart.yaml +++ b/addons/sns-chart/Chart.yaml @@ -1,8 +1,8 @@ apiVersion: v1 name: sns-chart description: A Helm chart for the ACK service controller for Amazon Simple Notification Service (SNS) -version: 1.0.6 -appVersion: 1.0.6 +version: 1.0.7 +appVersion: 1.0.7 home: https://github.com/aws-controllers-k8s/sns-controller icon: https://raw.githubusercontent.com/aws/eks-charts/master/docs/logo/aws.png sources: diff --git a/addons/sns-chart/crds/services.k8s.aws_adoptedresources.yaml b/addons/sns-chart/crds/services.k8s.aws_adoptedresources.yaml index d8d512618..9a12ef7e6 100644 --- a/addons/sns-chart/crds/services.k8s.aws_adoptedresources.yaml +++ b/addons/sns-chart/crds/services.k8s.aws_adoptedresources.yaml @@ -161,10 +161,10 @@ spec: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string name: - description: 'Name of the referent. More info: http://kubernetes.io/docs/user-guide/identifiers#names' + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names' type: string uid: - description: 'UID of the referent. More info: http://kubernetes.io/docs/user-guide/identifiers#uids' + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids' type: string required: - apiVersion diff --git a/addons/sns-chart/crds/sns.services.k8s.aws_platformendpoints.yaml b/addons/sns-chart/crds/sns.services.k8s.aws_platformendpoints.yaml index 34df9039e..6cc258302 100644 --- a/addons/sns-chart/crds/sns.services.k8s.aws_platformendpoints.yaml +++ b/addons/sns-chart/crds/sns.services.k8s.aws_platformendpoints.yaml 
@@ -36,9 +36,6 @@ spec: description: PlatformEndpointSpec defines the desired state of PlatformEndpoint. properties: customUserData: - description: Arbitrary user data to associate with the endpoint. Amazon - SNS does not use this data. The data must be in UTF-8 format and - less than 2KB. type: string enabled: type: string @@ -47,12 +44,6 @@ spec: is used to create a an endpoint. type: string token: - description: Unique identifier created by the notification service - for an app on a device. The specific name for Token will vary, depending - on which notification service is being used. For example, when using - APNS as the notification service, you need the device token. Alternatively, - when using GCM (Firebase Cloud Messaging) or ADM, the device token - equivalent is called the registration ID. type: string required: - platformApplicationARN diff --git a/addons/sns-chart/templates/NOTES.txt b/addons/sns-chart/templates/NOTES.txt index e8072303a..66ec95e2b 100644 --- a/addons/sns-chart/templates/NOTES.txt +++ b/addons/sns-chart/templates/NOTES.txt @@ -1,5 +1,5 @@ {{ .Chart.Name }} has been installed. -This chart deploys "public.ecr.aws/aws-controllers-k8s/sns-controller:1.0.6". +This chart deploys "public.ecr.aws/aws-controllers-k8s/sns-controller:1.0.7". Check its status by running: kubectl --namespace {{ .Release.Namespace }} get pods -l "app.kubernetes.io/instance={{ .Release.Name }}" diff --git a/addons/sns-chart/templates/_helpers.tpl b/addons/sns-chart/templates/_helpers.tpl index 391d5de33..613fc0e36 100644 --- a/addons/sns-chart/templates/_helpers.tpl +++ b/addons/sns-chart/templates/_helpers.tpl 
@@ -46,3 +46,196 @@ If release name contains chart name it will be used as a full name. {{- define "aws.credentials.path" -}} {{- printf "%s/%s" (include "aws.credentials.secret_mount_path" .) .Values.aws.credentials.secretKey -}} {{- end -}} + +{{/* The rules a of ClusterRole or Role */}} +{{- define "controller-role-rules" }} +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - patch + - watch +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - patch + - watch +- apiGroups: + - iam.services.k8s.aws + resources: + - policies + verbs: + - get + - list +- apiGroups: + - iam.services.k8s.aws + resources: + - policies/status + verbs: + - get + - list +- apiGroups: + - iam.services.k8s.aws + resources: + - roles + verbs: + - get + - list +- apiGroups: + - iam.services.k8s.aws + resources: + - roles/status + verbs: + - get + - list +- apiGroups: + - kms.services.k8s.aws + resources: + - keys + verbs: + - get + - list +- apiGroups: + - kms.services.k8s.aws + resources: + - keys/status + verbs: + - get + - list +- apiGroups: + - services.k8s.aws + resources: + - adoptedresources + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - services.k8s.aws + resources: + - adoptedresources/status + verbs: + - get + - patch + - update +- apiGroups: + - services.k8s.aws + resources: + - fieldexports + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - services.k8s.aws + resources: + - fieldexports/status + verbs: + - get + - patch + - update +- apiGroups: + - sns.services.k8s.aws + resources: + - platformapplications + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - sns.services.k8s.aws + resources: + - platformapplications/status + verbs: + - get + - patch + - update +- apiGroups: + - sns.services.k8s.aws + 
resources: + - platformendpoints + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - sns.services.k8s.aws + resources: + - platformendpoints/status + verbs: + - get + - patch + - update +- apiGroups: + - sns.services.k8s.aws + resources: + - subscriptions + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - sns.services.k8s.aws + resources: + - subscriptions/status + verbs: + - get + - patch + - update +- apiGroups: + - sns.services.k8s.aws + resources: + - topics + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - sns.services.k8s.aws + resources: + - topics/status + verbs: + - get + - patch + - update +{{- end }} \ No newline at end of file diff --git a/addons/sns-chart/templates/caches-role-binding.yaml b/addons/sns-chart/templates/caches-role-binding.yaml new file mode 100644 index 000000000..1ed08a1b7 --- /dev/null +++ b/addons/sns-chart/templates/caches-role-binding.yaml @@ -0,0 +1,26 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: ack-namespaces-cache-sns-controller +roleRef: + kind: ClusterRole + apiGroup: rbac.authorization.k8s.io + name: ack-namespaces-cache-sns-controller +subjects: +- kind: ServiceAccount + name: ack-sns-controller + namespace: {{ .Release.Namespace }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: ack-configmaps-cache-sns-controller + namespace: {{ .Release.Namespace }} +roleRef: + kind: Role + apiGroup: rbac.authorization.k8s.io + name: ack-configmaps-cache-sns-controller +subjects: +- kind: ServiceAccount + name: ack-sns-controller + namespace: {{ .Release.Namespace }} \ No newline at end of file diff --git a/addons/sns-chart/templates/caches-role.yaml b/addons/sns-chart/templates/caches-role.yaml new file mode 100644 index 000000000..9960aadfe --- /dev/null +++ b/addons/sns-chart/templates/caches-role.yaml 
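Review bot: The `controller-role-rules` block added at the end of `_helpers.tpl` has no comment on its most sensitive rules: `get`/`list`/`watch`/`patch` on core `secrets` and `configmaps`, which the ClusterRole branch of `cluster-role-controller.yaml` renders cluster-wide. This helper is now the single place those grants are defined, so the header comment should say so, and its current wording (`The rules a of ClusterRole or Role`) has transposed words. Something like `{{/* Rules shared by the controller ClusterRole and the per-namespace Roles. Grants read and patch on Secrets and ConfigMaps in whatever scope it is rendered into; use installScope "namespace" to narrow it. */}}` would make the scope of the grant visible to whoever edits the list next.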
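Review bot: Both `subjects` entries in the new `caches-role-binding.yaml` hard-code `name: ack-sns-controller`, while `cluster-role-binding.yaml` in this same commit resolves the account with `{{ include "service-account.name" . }}`. If that helper can return anything other than `ack-sns-controller` (its definition is not visible here), the cache ClusterRoleBinding and RoleBinding would grant to a ServiceAccount name the controller does not run as, and to whatever account later takes that name in the release namespace. Using `name: {{ include "service-account.name" . }}` in both subjects keeps the bindings tied to the account the chart actually creates.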
@@ -0,0 +1,28 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: ack-namespaces-cache-sns-controller
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - namespaces
+ verbs:
+ - get
+ - list
+ - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: ack-configmaps-cache-sns-controller
+ namespace: {{ .Release.Namespace }}
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
\ No newline at end of file
diff --git a/addons/sns-chart/templates/cluster-role-binding.yaml b/addons/sns-chart/templates/cluster-role-binding.yaml
index b65dac2af..896659867 100644
--- a/addons/sns-chart/templates/cluster-role-binding.yaml
+++ b/addons/sns-chart/templates/cluster-role-binding.yaml
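Review bot: `ack-namespaces-cache-sns-controller` is a cluster-scoped ClusterRole with a fixed name and no `installScope` guard, so it is created even for namespace-scoped installs, and a second release of the chart in another namespace would presumably conflict on it (the matching ClusterRoleBinding in `caches-role-binding.yaml` has the same fixed name). Deriving the name from the release, e.g. `name: {{ include "app.fullname" . }}-namespaces-cache`, in the role and in the binding's `metadata.name` and `roleRef.name` would avoid that. The file also carries no comment saying why the controller needs cluster-wide `list`/`watch` on `namespaces` when it is scoped to a few namespaces; one line stating the purpose would help anyone reviewing the chart's RBAC surface.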
@@ -1,21 +1,35 @@ -apiVersion: rbac.authorization.k8s.io/v1 {{ if eq .Values.installScope "cluster" }} +apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: {{ include "app.fullname" . }} roleRef: kind: ClusterRole -{{ else }} + apiGroup: rbac.authorization.k8s.io + name: ack-sns-controller +subjects: +- kind: ServiceAccount + name: {{ include "service-account.name" . }} + namespace: {{ .Release.Namespace }} +{{ else if .Values.watchNamespace }} +{{ $namespaces := split "," .Values.watchNamespace }} +{{ $fullname := include "app.fullname" . }} +{{ $releaseNamespace := .Release.Namespace }} +{{ $serviceAccountName := include "service-account.name" . }} +{{ range $namespaces }} +--- +apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: {{ include "app.fullname" . }} - namespace: {{ .Release.Namespace }} + name: {{ $fullname }} + namespace: {{ . }} roleRef: kind: Role -{{ end }} apiGroup: rbac.authorization.k8s.io name: ack-sns-controller subjects: - kind: ServiceAccount - name: {{ include "service-account.name" . }} - namespace: {{ .Release.Namespace }} + name: {{ $serviceAccountName }} + namespace: {{ $releaseNamespace }} +{{ end }} +{{ end }} \ No newline at end of file diff --git a/addons/sns-chart/templates/cluster-role-controller.yaml b/addons/sns-chart/templates/cluster-role-controller.yaml index e0efa75e2..0e146efe2 100644 --- a/addons/sns-chart/templates/cluster-role-controller.yaml +++ b/addons/sns-chart/templates/cluster-role-controller.yaml 
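Review bot: With `{{ else if .Values.watchNamespace }}` the namespaced branch renders nothing when `installScope` is not `cluster` and `watchNamespace` is empty, which is the default in `values.yaml`, whose comment says an empty value means the release namespace. The removed `{{ else }}` branch always produced a RoleBinding in `.Release.Namespace`, so such an install would now come up with no binding; `cluster-role-controller.yaml` has the same condition and would emit no Role. Falling back explicitly restores the documented default: `{{ else }}` followed by `{{ $namespaces := splitList "," (.Values.watchNamespace | default .Release.Namespace) }}`. Entries are also used untrimmed as `namespace: {{ . }}`, so a value such as `"ns1, ns2"` would yield a namespace with a leading space; piping each entry through `trim` would cover that.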
@@ -1,210 +1,28 @@ -apiVersion: rbac.authorization.k8s.io/v1 +{{ $labels := .Values.role.labels }} +{{ $rules := include "controller-role-rules" . }} {{ if eq .Values.installScope "cluster" }} +apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - creationTimestamp: null name: ack-sns-controller labels: - {{- range $key, $value := .Values.role.labels }} + {{- range $key, $value := $labels }} {{ $key }}: {{ $value | quote }} {{- end }} -{{ else }} +{{- $rules }} +{{ else if .Values.watchNamespace }} +{{ $namespaces := split "," .Values.watchNamespace }} +{{ range $namespaces }} +--- +apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - creationTimestamp: null name: ack-sns-controller + namespace: {{ . }} labels: - {{- range $key, $value := .Values.role.labels }} + {{- range $key, $value := $labels }} {{ $key }}: {{ $value | quote }} {{- end }} - namespace: {{ .Release.Namespace }} +{{- $rules }} {{ end }} -rules: -- apiGroups: - - "" - resources: - - configmaps - verbs: - - get - - list - - patch - - watch -- apiGroups: - - "" - resources: - - namespaces - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - secrets - verbs: - - get - - list - - patch - - watch -- apiGroups: - - iam.services.k8s.aws - resources: - - policies - verbs: - - get - - list -- apiGroups: - - iam.services.k8s.aws - resources: - - policies/status - verbs: - - get - - list -- apiGroups: - - iam.services.k8s.aws - resources: - - roles - verbs: - - get - - list -- apiGroups: - - iam.services.k8s.aws - resources: - - roles/status - verbs: - - get - - list -- apiGroups: - - kms.services.k8s.aws - resources: - - keys - verbs: - - get - - list -- apiGroups: - - kms.services.k8s.aws - resources: - - keys/status - verbs: - - get - - list -- apiGroups: - - services.k8s.aws - resources: - - adoptedresources - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - services.k8s.aws - resources: - - 
adoptedresources/status - verbs: - - get - - patch - - update -- apiGroups: - - services.k8s.aws - resources: - - fieldexports - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - services.k8s.aws - resources: - - fieldexports/status - verbs: - - get - - patch - - update -- apiGroups: - - sns.services.k8s.aws - resources: - - platformapplications - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - sns.services.k8s.aws - resources: - - platformapplications/status - verbs: - - get - - patch - - update -- apiGroups: - - sns.services.k8s.aws - resources: - - platformendpoints - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - sns.services.k8s.aws - resources: - - platformendpoints/status - verbs: - - get - - patch - - update -- apiGroups: - - sns.services.k8s.aws - resources: - - subscriptions - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - sns.services.k8s.aws - resources: - - subscriptions/status - verbs: - - get - - patch - - update -- apiGroups: - - sns.services.k8s.aws - resources: - - topics - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - sns.services.k8s.aws - resources: - - topics/status - verbs: - - get - - patch - - update +{{ end }} \ No newline at end of file diff --git a/addons/sns-chart/templates/role-writer.yaml b/addons/sns-chart/templates/role-writer.yaml index 0ba833887..55d826b3f 100644 --- a/addons/sns-chart/templates/role-writer.yaml +++ b/addons/sns-chart/templates/role-writer.yaml @@ -10,13 +10,9 @@ rules: - sns.services.k8s.aws resources: - platformapplications - - platformendpoints - - subscriptions - - topics - verbs: - create - delete diff --git a/addons/sns-chart/values.yaml b/addons/sns-chart/values.yaml index ffb010a3a..a5f26638f 100644 --- a/addons/sns-chart/values.yaml +++ b/addons/sns-chart/values.yaml 
@@ -4,7 +4,7 @@ image: repository: public.ecr.aws/aws-controllers-k8s/sns-controller - tag: 1.0.6 + tag: 1.0.7 pullPolicy: IfNotPresent pullSecrets: [] @@ -107,6 +107,7 @@ installScope: cluster # Set the value of the "namespace" to be watched by the controller # This value is only used when the `installScope` is set to "namespace". If left empty, the default value is the release namespace for the chart. +# You can set multiple namespaces by providing a comma separated list of namespaces. e.g "namespace1,namespace2" watchNamespace: "" resourceTags: