diff --git a/addons/s3-chart/Chart.yaml b/addons/s3-chart/Chart.yaml index 63cc6c8dd..1e4f20e2e 100644 --- a/addons/s3-chart/Chart.yaml +++ b/addons/s3-chart/Chart.yaml @@ -1,8 +1,8 @@ apiVersion: v1 name: s3-chart description: A Helm chart for the ACK service controller for Amazon Simple Storage Service (S3) -version: 1.0.7 -appVersion: 1.0.7 +version: 1.0.8 +appVersion: 1.0.8 home: https://github.com/aws-controllers-k8s/s3-controller icon: https://raw.githubusercontent.com/aws/eks-charts/master/docs/logo/aws.png sources: diff --git a/addons/s3-chart/crds/services.k8s.aws_adoptedresources.yaml b/addons/s3-chart/crds/services.k8s.aws_adoptedresources.yaml index d8d512618..9a12ef7e6 100644 --- a/addons/s3-chart/crds/services.k8s.aws_adoptedresources.yaml +++ b/addons/s3-chart/crds/services.k8s.aws_adoptedresources.yaml @@ -161,10 +161,10 @@ spec: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string name: - description: 'Name of the referent. More info: http://kubernetes.io/docs/user-guide/identifiers#names' + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names' type: string uid: - description: 'UID of the referent. More info: http://kubernetes.io/docs/user-guide/identifiers#uids' + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids' type: string required: - apiVersion diff --git a/addons/s3-chart/templates/NOTES.txt b/addons/s3-chart/templates/NOTES.txt index b32b68cf4..5f1d3059e 100644 --- a/addons/s3-chart/templates/NOTES.txt +++ b/addons/s3-chart/templates/NOTES.txt 
@@ -1,5 +1,5 @@ {{ .Chart.Name }} has been installed. -This chart deploys "public.ecr.aws/aws-controllers-k8s/s3-controller:1.0.7". +This chart deploys "public.ecr.aws/aws-controllers-k8s/s3-controller:1.0.8". Check its status by running: kubectl --namespace {{ .Release.Namespace }} get pods -l "app.kubernetes.io/instance={{ .Release.Name }}" diff --git a/addons/s3-chart/templates/_helpers.tpl b/addons/s3-chart/templates/_helpers.tpl index 391d5de33..8d8108785 100644 --- a/addons/s3-chart/templates/_helpers.tpl +++ b/addons/s3-chart/templates/_helpers.tpl @@ -46,3 +46,94 @@ If release name contains chart name it will be used as a full name. {{- define "aws.credentials.path" -}} {{- printf "%s/%s" (include "aws.credentials.secret_mount_path" .) .Values.aws.credentials.secretKey -}} {{- end -}} + +{{/* The rules a of ClusterRole or Role */}} +{{- define "controller-role-rules" }} +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - patch + - watch +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - patch + - watch +- apiGroups: + - s3.services.k8s.aws + resources: + - buckets + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - s3.services.k8s.aws + resources: + - buckets/status + verbs: + - get + - patch + - update +- apiGroups: + - services.k8s.aws + resources: + - adoptedresources + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - services.k8s.aws + resources: + - adoptedresources/status + verbs: + - get + - patch + - update +- apiGroups: + - services.k8s.aws + resources: + - fieldexports + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - services.k8s.aws + resources: + - fieldexports/status + verbs: + - get + - patch + - update +{{- end }} \ No newline at end of file 
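Review bot: The shared `controller-role-rules` helper keeps the `secrets` rule with `get`, `list`, `patch` and `watch`, and the same text is now rendered into a Role for every watched namespace as well as into the ClusterRole. The helper should carry a comment saying which of those verbs the controller needs and why, so the grant can be reviewed in one place. The `namespaces` rule in the same helper has no effect when rendered into a namespaced Role, because namespaces are cluster-scoped, and this commit already adds a separate `ack-namespaces-cache-s3-controller` ClusterRole for that access. The helper's own comment has two words transposed; I would write `{{/* The rules of a ClusterRole or Role */}}`.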
diff --git a/addons/s3-chart/templates/caches-role-binding.yaml b/addons/s3-chart/templates/caches-role-binding.yaml
new file mode 100644
index 000000000..999d2d79d
--- /dev/null
+++ b/addons/s3-chart/templates/caches-role-binding.yaml
@@ -0,0 +1,26 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: ack-namespaces-cache-s3-controller
+roleRef:
+ kind: ClusterRole
+ apiGroup: rbac.authorization.k8s.io
+ name: ack-namespaces-cache-s3-controller
+subjects:
+- kind: ServiceAccount
+ name: ack-s3-controller
+ namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: ack-configmaps-cache-s3-controller
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ kind: Role
+ apiGroup: rbac.authorization.k8s.io
+ name: ack-configmaps-cache-s3-controller
+subjects:
+- kind: ServiceAccount
+ name: ack-s3-controller
+ namespace: {{ .Release.Namespace }}
\ No newline at end of file
diff --git a/addons/s3-chart/templates/caches-role.yaml b/addons/s3-chart/templates/caches-role.yaml
new file mode 100644
index 000000000..5ba0f2471
--- /dev/null
+++ b/addons/s3-chart/templates/caches-role.yaml
@@ -0,0 +1,28 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: ack-namespaces-cache-s3-controller
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - namespaces
+ verbs:
+ - get
+ - list
+ - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: ack-configmaps-cache-s3-controller
+ namespace: {{ .Release.Namespace }}
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
\ No newline at end of file
diff --git a/addons/s3-chart/templates/cluster-role-binding.yaml b/addons/s3-chart/templates/cluster-role-binding.yaml
index 19b760622..a27eb4659 100644
--- a/addons/s3-chart/templates/cluster-role-binding.yaml
+++ b/addons/s3-chart/templates/cluster-role-binding.yaml
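Review bot: Both bindings in caches-role-binding.yaml name their subject as the literal `ack-s3-controller`, while cluster-role-binding.yaml in this same commit uses `{{ include "service-account.name" . }}`. If the chart's service account name is overridden, these bindings attach the cache permissions to an account the controller does not run as, and to whatever ServiceAccount later takes that literal name in the release namespace. I would change both subjects to `name: {{ include "service-account.name" . }}`. The ClusterRoleBinding name is also fixed, so two releases of this chart in one cluster would presumably contend for the same cluster-scoped object.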
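Review bot: The `ack-namespaces-cache-s3-controller` ClusterRole in caches-role.yaml is rendered unconditionally, so an install with `installScope` set to namespace still receives cluster-wide `get`, `list` and `watch` on namespaces. That should be stated in a comment at the top of this file, and ideally beside `installScope` in values.yaml, so operators who chose namespace scope know about the remaining cluster-level grant. Neither object carries the `.Values.role.labels` block that cluster-role-controller.yaml applies to the main role; adding the same `labels:` range here would keep the chart's RBAC objects selectable together.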
@@ -1,21 +1,35 @@ -apiVersion: rbac.authorization.k8s.io/v1 {{ if eq .Values.installScope "cluster" }} +apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: {{ include "app.fullname" . }} roleRef: kind: ClusterRole -{{ else }} + apiGroup: rbac.authorization.k8s.io + name: ack-s3-controller +subjects: +- kind: ServiceAccount + name: {{ include "service-account.name" . }} + namespace: {{ .Release.Namespace }} +{{ else if .Values.watchNamespace }} +{{ $namespaces := split "," .Values.watchNamespace }} +{{ $fullname := include "app.fullname" . }} +{{ $releaseNamespace := .Release.Namespace }} +{{ $serviceAccountName := include "service-account.name" . }} +{{ range $namespaces }} +--- +apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: {{ include "app.fullname" . }} - namespace: {{ .Release.Namespace }} + name: {{ $fullname }} + namespace: {{ . }} roleRef: kind: Role -{{ end }} apiGroup: rbac.authorization.k8s.io name: ack-s3-controller subjects: - kind: ServiceAccount - name: {{ include "service-account.name" . }} - namespace: {{ .Release.Namespace }} + name: {{ $serviceAccountName }} + namespace: {{ $releaseNamespace }} +{{ end }} +{{ end }} \ No newline at end of file diff --git a/addons/s3-chart/templates/cluster-role-controller.yaml b/addons/s3-chart/templates/cluster-role-controller.yaml index 21559e303..ff70a77d2 100644 --- a/addons/s3-chart/templates/cluster-role-controller.yaml +++ b/addons/s3-chart/templates/cluster-role-controller.yaml 
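Review bot: With `{{ else if .Values.watchNamespace }}`, a namespace-scoped install that leaves `watchNamespace` at its default of `""` renders no RoleBinding at all. The removed branch always bound the role in the release namespace, and the values.yaml comment still promises that default. The same condition in cluster-role-controller.yaml drops the Role as well, so the controller would be left with only the cache roles. I would make the branch a plain `{{ else }}` and compute the list as `{{ $namespaces := split "," (default .Release.Namespace .Values.watchNamespace) }}` in both files.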
@@ -1,108 +1,28 @@ -apiVersion: rbac.authorization.k8s.io/v1 +{{ $labels := .Values.role.labels }} +{{ $rules := include "controller-role-rules" . }} {{ if eq .Values.installScope "cluster" }} +apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - creationTimestamp: null name: ack-s3-controller labels: - {{- range $key, $value := .Values.role.labels }} + {{- range $key, $value := $labels }} {{ $key }}: {{ $value | quote }} {{- end }} -{{ else }} +{{- $rules }} +{{ else if .Values.watchNamespace }} +{{ $namespaces := split "," .Values.watchNamespace }} +{{ range $namespaces }} +--- +apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - creationTimestamp: null name: ack-s3-controller + namespace: {{ . }} labels: - {{- range $key, $value := .Values.role.labels }} + {{- range $key, $value := $labels }} {{ $key }}: {{ $value | quote }} {{- end }} - namespace: {{ .Release.Namespace }} +{{- $rules }} {{ end }} -rules: -- apiGroups: - - "" - resources: - - configmaps - verbs: - - get - - list - - patch - - watch -- apiGroups: - - "" - resources: - - namespaces - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - secrets - verbs: - - get - - list - - patch - - watch -- apiGroups: - - s3.services.k8s.aws - resources: - - buckets - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - s3.services.k8s.aws - resources: - - buckets/status - verbs: - - get - - patch - - update -- apiGroups: - - services.k8s.aws - resources: - - adoptedresources - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - services.k8s.aws - resources: - - adoptedresources/status - verbs: - - get - - patch - - update -- apiGroups: - - services.k8s.aws - resources: - - fieldexports - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - services.k8s.aws - resources: - - fieldexports/status - verbs: - - get - - patch - - update +{{ end 
}} \ No newline at end of file diff --git a/addons/s3-chart/templates/role-writer.yaml b/addons/s3-chart/templates/role-writer.yaml index 3593ccdf9..2002b609d 100644 --- a/addons/s3-chart/templates/role-writer.yaml +++ b/addons/s3-chart/templates/role-writer.yaml @@ -10,7 +10,6 @@ rules: - s3.services.k8s.aws resources: - buckets - verbs: - create - delete diff --git a/addons/s3-chart/values.yaml b/addons/s3-chart/values.yaml index e25f7ee9c..fbab10ff5 100644 --- a/addons/s3-chart/values.yaml +++ b/addons/s3-chart/values.yaml @@ -4,7 +4,7 @@ image: repository: public.ecr.aws/aws-controllers-k8s/s3-controller - tag: 1.0.7 + tag: 1.0.8 pullPolicy: IfNotPresent pullSecrets: [] @@ -107,6 +107,7 @@ installScope: cluster # Set the value of the "namespace" to be watched by the controller # This value is only used when the `installScope` is set to "namespace". If left empty, the default value is the release namespace for the chart. +# You can set multiple namespaces by providing a comma separated list of namespaces. e.g "namespace1,namespace2" watchNamespace: "" resourceTags:
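Review bot: Each element of the split `watchNamespace` list in cluster-role-controller.yaml goes into `namespace: {{ . }}` unchecked and unquoted. An empty element (a trailing comma, or `a,,b`) therefore renders a Role with a null namespace, which Helm would presumably create in the release namespace rather than reject. The RoleBinding loop in cluster-role-binding.yaml has the same gap. I would skip blank entries and quote the rest: wrap the loop body in `{{ if trim . }}` … `{{ end }}` and emit `namespace: {{ trim . | quote }}`.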