From 5b77ae5259f6c52e0cf0528949464afa1493be3e Mon Sep 17 00:00:00 2001
From: Alex Leong
Date: Wed, 21 Oct 2020 11:45:56 -0700
Subject: [PATCH] Allow setting a list of service accounts in multicluster install (#5113)

Fixes #5098 When setting up multicluster, a target cluster may wish to create multiple service accounts to be used by source clusters' service mirrors. This allows the target cluster to individually revoke access to each of the source clusters. When using the Linkerd CLI, this can be accomplished by running the `linkerd multicluster allow` command multiple times to create multiple service accounts. However, there is no analogous workflow when installing with Helm. We update the Helm templates to support interpreting the `remoteMirrorServiceAccountName` value as either a single string or a list of strings. In the case where it is a list, we create a service account and associated RBAC for each entry in the list.

Signed-off-by: Alex Leong
---
 charts/linkerd2-multicluster/README.md | 2 +-
 .../remote-access-service-mirror-rbac.yaml | 31 +++++++++++--------
 2 files changed, 19 insertions(+), 14 deletions(-)

diff --git a/charts/linkerd2-multicluster/README.md b/charts/linkerd2-multicluster/README.md
index 04c9c1e48..6f418054f 100644
--- a/charts/linkerd2-multicluster/README.md
+++ b/charts/linkerd2-multicluster/README.md
@@ -32,7 +32,7 @@ linkerd2-multicluster chart and their default values.
 |`linkerdVersion` | Control plane version | latest version |
 |`namespace` | Service Mirror component namespace |`linkerd-multicluster` |
 |`proxyOutboundPort` | The port on which the proxy accepts outbound traffic |`4140` |
-|`remoteMirrorServiceAccountName` | The name of the service account used to allow remote clusters to mirror local services |`linkerd-service-mirror-remote-access-default`|
+|`remoteMirrorServiceAccountName` | The name (or list of names) of the service account(s) used to allow remote clusters to mirror local services |`linkerd-service-mirror-remote-access-default`|
 |`remoteMirrorServiceAccount` | If the remote mirror service account should be installed |`true` |
 |`serviceMirror` | If the service mirror component should be installed |`true` |
 |`logLevel` | Log level for the Multicluster components |`info` |
diff --git a/charts/linkerd2-multicluster/templates/remote-access-service-mirror-rbac.yaml b/charts/linkerd2-multicluster/templates/remote-access-service-mirror-rbac.yaml
index 6492b8cc2..e19326b9d 100644
--- a/charts/linkerd2-multicluster/templates/remote-access-service-mirror-rbac.yaml
+++ b/charts/linkerd2-multicluster/templates/remote-access-service-mirror-rbac.yaml
@@ -1,12 +1,17 @@
 {{if .Values.remoteMirrorServiceAccount -}}
+{{- $names := .Values.remoteMirrorServiceAccountName -}}
+{{- if not (kindIs "slice" .Values.remoteMirrorServiceAccountName) -}}
+  {{- $names = splitList "," .Values.remoteMirrorServiceAccountName -}}
+{{- end -}}
+{{- range $names -}}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: {{.Values.remoteMirrorServiceAccountName}}
-  namespace: {{.Values.namespace}}
+  name: {{.}}
+  namespace: {{$.Values.namespace}}
   annotations:
-    {{.Values.createdByAnnotation}}: {{default (printf "linkerd/helm %s" .Values.linkerdVersion) .Values.cliVersion}}
+    {{$.Values.createdByAnnotation}}: {{default (printf "linkerd/helm %s" $.Values.linkerdVersion) $.Values.cliVersion}}
 rules:
 - apiGroups: [""]
   resources: ["services"]
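Review bot: The string form is split on `,` without trimming, so a value such as `a, b` or `a,b,` produces a name with a leading space or an empty name at `name: {{.}}`, which Kubernetes name validation rejects at install time with an error that does not point back to the value. Inside the range I would add `{{- $name := trim . -}}` and `{{- if not $name }}{{ fail "remoteMirrorServiceAccountName contains an empty entry" }}{{ end -}}`, and render `{{$name}}` instead of `{{.}}` here and in the following hunk. The README hunk above documents a name or a list of names but not that a comma-separated string is also accepted by this `splitList`, so the table entry should say so. The range body opened here continues into the next hunk.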
@@ -19,25 +24,25 @@ rules:
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: {{.Values.remoteMirrorServiceAccountName}}
-  namespace: {{.Values.namespace}}
+  name: {{.}}
+  namespace: {{$.Values.namespace}}
   annotations:
-    {{.Values.createdByAnnotation}}: {{default (printf "linkerd/helm %s" .Values.linkerdVersion) .Values.cliVersion}}
+    {{$.Values.createdByAnnotation}}: {{default (printf "linkerd/helm %s" $.Values.linkerdVersion) $.Values.cliVersion}}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: {{.Values.remoteMirrorServiceAccountName}}
-  namespace: {{.Values.namespace}}
+  name: {{.}}
+  namespace: {{$.Values.namespace}}
   annotations:
-    {{.Values.createdByAnnotation}}: {{default (printf "linkerd/helm %s" .Values.linkerdVersion) .Values.cliVersion}}
+    {{$.Values.createdByAnnotation}}: {{default (printf "linkerd/helm %s" $.Values.linkerdVersion) $.Values.cliVersion}}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: {{.Values.remoteMirrorServiceAccountName}}
+  name: {{.}}
 subjects:
 - kind: ServiceAccount
-  name: {{.Values.remoteMirrorServiceAccountName}}
-  namespace: {{.Values.namespace}}
+  name: {{.}}
+  namespace: {{$.Values.namespace}}
+{{end -}}
 {{end -}}
-
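Review bot: Every entry in `$names` gets its own ClusterRole with rules identical to the others, because the `{{end -}}` closing the range sits after the ClusterRoleBinding; revoking one source cluster only requires removing its ServiceAccount and ClusterRoleBinding, so a single ClusterRole defined outside the range with per-name bindings would leave fewer cluster-scoped objects to audit. If the per-name ClusterRole is intentional, a template comment such as `{{/* one ClusterRole per account so each grant can be removed independently */}}` above the range would record that. The rewritten `namespace: {{$.Values.namespace}}` lines on the ClusterRole and ClusterRoleBinding set a namespace on cluster-scoped kinds, which as far as I know the API server ignores, so dropping them would avoid a misleading manifest. The range and the enclosing if block both open in the previous hunk.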