Allow setting a list of service accounts in multicluster install (#5113)

Fixes #5098 

When setting up multicluster, a target cluster may wish to create multiple service accounts to be used by source clusters' service mirrors.  This allows the target cluster to individually revoke access to each of the source clusters.  When using the Linkerd CLI, this can be accomplished by running the `linkerd multicluster allow` command multiple times to create multiple service accounts.  However, there is no analogous workflow when installing with Helm.

We update the Helm templates to support interpreting the `remoteMirrorServiceAccountName` value as either a single string or a list of strings.  In the case where it is a list, we create a service account and associated RBAC for each entry in the list.

Signed-off-by: Alex Leong <alex@buoyant.io>
Alex Leong 2020-10-21 11:45:56 -07:00 committed by GitHub
parent 177669b377
commit 5b77ae5259
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 19 additions and 14 deletions


@ -32,7 +32,7 @@ linkerd2-multicluster chart and their default values.
|`linkerdVersion` | Control plane version | latest version |
|`namespace` | Service Mirror component namespace |`linkerd-multicluster` |
|`proxyOutboundPort` | The port on which the proxy accepts outbound traffic |`4140` |
|`remoteMirrorServiceAccountName` | The name of the service account used to allow remote clusters to mirror local services |`linkerd-service-mirror-remote-access-default`|
|`remoteMirrorServiceAccountName` | The name (or list of names) of the service account(s) used to allow remote clusters to mirror local services |`linkerd-service-mirror-remote-access-default`|
|`remoteMirrorServiceAccount` | If the remote mirror service account should be installed |`true` |
|`serviceMirror` | If the service mirror component should be installed |`true` |
|`logLevel` | Log level for the Multicluster components |`info` |


@ -1,12 +1,17 @@
{{if .Values.remoteMirrorServiceAccount -}}
{{- $names := .Values.remoteMirrorServiceAccountName -}}
{{- if not (kindIs "slice" .Values.remoteMirrorServiceAccountName) -}}
{{- $names = splitList "," .Values.remoteMirrorServiceAccountName -}}
{{- end -}}
{{- range $names -}}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{.Values.remoteMirrorServiceAccountName}}
namespace: {{.Values.namespace}}
name: {{.}}
namespace: {{$.Values.namespace}}
annotations:
{{.Values.createdByAnnotation}}: {{default (printf "linkerd/helm %s" .Values.linkerdVersion) .Values.cliVersion}}
{{$.Values.createdByAnnotation}}: {{default (printf "linkerd/helm %s" $.Values.linkerdVersion) $.Values.cliVersion}}
rules:
- apiGroups: [""]
resources: ["services"]
@ -19,25 +24,25 @@ rules:
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{.Values.remoteMirrorServiceAccountName}}
namespace: {{.Values.namespace}}
name: {{.}}
namespace: {{$.Values.namespace}}
annotations:
{{.Values.createdByAnnotation}}: {{default (printf "linkerd/helm %s" .Values.linkerdVersion) .Values.cliVersion}}
{{$.Values.createdByAnnotation}}: {{default (printf "linkerd/helm %s" $.Values.linkerdVersion) $.Values.cliVersion}}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{.Values.remoteMirrorServiceAccountName}}
namespace: {{.Values.namespace}}
name: {{.}}
namespace: {{$.Values.namespace}}
annotations:
{{.Values.createdByAnnotation}}: {{default (printf "linkerd/helm %s" .Values.linkerdVersion) .Values.cliVersion}}
{{$.Values.createdByAnnotation}}: {{default (printf "linkerd/helm %s" $.Values.linkerdVersion) $.Values.cliVersion}}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{.Values.remoteMirrorServiceAccountName}}
name: {{.}}
subjects:
- kind: ServiceAccount
name: {{.Values.remoteMirrorServiceAccountName}}
namespace: {{.Values.namespace}}
name: {{.}}
namespace: {{$.Values.namespace}}
{{end -}}
{{end -}}
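Review bot: Each `name: {{.}}` the range body emits (ClusterRole, ServiceAccount, ClusterRoleBinding metadata, the roleRef and the subject) renders the entry as a plain scalar, so a list element that YAML types as something other than a string — an all-digit name, or a `yes`/`no`/`on`/`off` word — reaches the API server as an int or bool and every object for that entry is rejected; `name: {{ . | quote }}` on those five lines keeps each name a string. The `splitList ","` fallback in the first hunk also admits empty elements (a trailing comma or `"a,,b"`), which produce a resource with an empty name, and that comma-separated string form is not mentioned by the README row this commit edits, which only says "name (or list of names)"; either trim and drop empty elements before the range or document the accepted string syntax. Since each entry gets its own ClusterRoleBinding a bad entry fails closed, but it aborts the whole release rather than a single access grant, which is worth a comment above the `kindIs "slice"` check. The ClusterRole's `rules` body sits between the two hunks and is not visible here.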