linkerd2/viz/charts/linkerd-viz/templates/tap-rbac.yaml

135 lines
3.8 KiB
YAML

---
###
### Tap RBAC
###
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: linkerd-{{.Values.namespace}}-tap
labels:
{{.Values.extensionAnnotation}}: linkerd-viz
component: tap
rules:
- apiGroups: [""]
resources: ["pods", "services", "replicationcontrollers", "namespaces", "nodes"]
verbs: ["list", "get", "watch"]
- apiGroups: ["extensions", "apps"]
resources: ["daemonsets", "deployments", "replicasets", "statefulsets"]
verbs: ["list", "get", "watch"]
- apiGroups: ["extensions", "batch"]
resources: ["cronjobs", "jobs"]
verbs: ["list" , "get", "watch"]
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: linkerd-{{.Values.namespace}}-tap-admin
labels:
{{.Values.extensionAnnotation}}: linkerd-viz
component: tap
rules:
- apiGroups: ["tap.linkerd.io"]
resources: ["*"]
verbs: ["watch"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: linkerd-{{.Values.namespace}}-tap
labels:
{{.Values.extensionAnnotation}}: linkerd-viz
component: tap
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: linkerd-{{.Values.namespace}}-tap
subjects:
- kind: ServiceAccount
name: linkerd-tap
namespace: {{.Values.namespace}}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: linkerd-{{.Values.namespace}}-tap-auth-delegator
labels:
{{.Values.extensionAnnotation}}: linkerd-viz
component: tap
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:auth-delegator
subjects:
- kind: ServiceAccount
name: linkerd-tap
namespace: {{.Values.namespace}}
---
kind: ServiceAccount
apiVersion: v1
metadata:
name: linkerd-tap
namespace: {{.Values.namespace}}
labels:
{{.Values.extensionAnnotation}}: linkerd-viz
component: tap
namespace: {{.Values.namespace}}
{{- include "partials.image-pull-secrets" .Values.imagePullSecrets }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: linkerd-{{.Values.namespace}}-tap-auth-reader
namespace: kube-system
labels:
{{.Values.extensionAnnotation}}: linkerd-viz
component: tap
namespace: {{.Values.namespace}}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: extension-apiserver-authentication-reader
subjects:
- kind: ServiceAccount
name: linkerd-tap
namespace: {{.Values.namespace}}
---
{{- $host := printf "linkerd-tap.%s.svc" .Values.namespace }}
{{- $ca := genSelfSignedCert $host (list) (list $host) 365 }}
{{- if (not .Values.tap.externalSecret) }}
kind: Secret
apiVersion: v1
metadata:
name: linkerd-tap-k8s-tls
namespace: {{ .Values.namespace }}
labels:
{{.Values.extensionAnnotation}}: linkerd-viz
component: tap
namespace: {{.Values.namespace}}
annotations:
{{.Values.createdByAnnotation}}: {{default (printf "linkerd/helm %s" .Values.linkerdVersion) .Values.cliVersion}}
type: kubernetes.io/tls
data:
tls.crt: {{ ternary (b64enc (trim $ca.Cert)) (b64enc (trim .Values.tap.crtPEM)) (empty .Values.tap.crtPEM) }}
tls.key: {{ ternary (b64enc (trim $ca.Key)) (b64enc (trim .Values.tap.keyPEM)) (empty .Values.tap.keyPEM) }}
---
{{- end }}
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
name: v1alpha1.tap.linkerd.io
labels:
{{.Values.extensionAnnotation}}: linkerd-viz
component: tap
spec:
group: tap.linkerd.io
version: v1alpha1
groupPriorityMinimum: 1000
versionPriority: 100
service:
name: linkerd-tap
namespace: {{.Values.namespace}}
{{- if and (.Values.tap.externalSecret) (empty .Values.tap.caBundle) }}
{{- fail "If tap.externalSecret is true then you need to provide tap.caBundle" }}
{{- end }}
caBundle: {{ ternary (b64enc (trim $ca.Cert)) (b64enc (trim .Values.tap.caBundle)) (empty .Values.tap.caBundle) }}