This is an automated email from the ASF dual-hosted git repository.
lhotari pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/pulsar-helm-chart.git
The following commit(s) were added to refs/heads/master by this push:
new f8ad650 To address the function role vs clusterrole issue (#236)
f8ad650 is described below
commit f8ad65066ef577836551321d275ae8ad8f433073
Author: Brad Shelton <[email protected]>
AuthorDate: Wed Jul 12 10:11:36 2023 -0500
To address the function role vs clusterrole issue (#236)
* To address the function role vs clusterrole issue
* making backwards compatible
* updated value.yaml to include limit functions to namespace
* Added documentation to clarify the new attribute
* moved limit_to_namespace under functions.rbac
---
charts/pulsar/templates/broker-rbac.yaml | 17 +++++++++++++++++
charts/pulsar/values.yaml | 6 ++++++
2 files changed, 23 insertions(+)
diff --git a/charts/pulsar/templates/broker-rbac.yaml
b/charts/pulsar/templates/broker-rbac.yaml
index 6654435..d2145d1 100644
--- a/charts/pulsar/templates/broker-rbac.yaml
+++ b/charts/pulsar/templates/broker-rbac.yaml
@@ -19,9 +19,15 @@
{{- if or .Values.components.functions .Values.extra.functionsAsPods }}
apiVersion: rbac.authorization.k8s.io/v1
+{{- if .Values.functions.rbac.limit_to_namespace }}
+kind: Role
+metadata:
+ name: "{{ template "pulsar.fullname" . }}-{{ .Values.functions.component
}}-role"
+{{- else}}
kind: ClusterRole
metadata:
name: "{{ template "pulsar.fullname" . }}-{{ .Values.functions.component }}"
+{{- end}}
rules:
- apiGroups: [""]
resources:
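Review bot: The new `Role` branch sets only `metadata.name` and no `namespace:`, so the scope that `limit_to_namespace` narrows the permissions to is whichever namespace the release is installed into, not one the template states. If the chart allows the functions ServiceAccount to live in a different namespace (not visible in this hunk), the Role would not cover it. Adding a `namespace:` line under `metadata:` in the `Role` branch, with the same value the ServiceAccount uses, makes the boundary explicit; the same applies to the `RoleBinding` branch in the next hunk. The `rules:` list is shared by both branches and continues outside this hunk, so it is worth confirming that none of its entries name cluster-scoped resources, which a Role cannot grant.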
@@ -46,13 +52,24 @@ metadata:
---
apiVersion: rbac.authorization.k8s.io/v1
+{{- if .Values.functions.rbac.limit_to_namespace }}
+kind: RoleBinding
+metadata:
+ name: "{{ template "pulsar.fullname" . }}-{{ .Values.functions.component
}}-rolebinding"
+{{- else}}
kind: ClusterRoleBinding
metadata:
name: "{{ template "pulsar.fullname" . }}-{{ .Values.functions.component }}"
+{{- end}}
roleRef:
apiGroup: rbac.authorization.k8s.io
+{{- if .Values.functions.rbac.limit_to_namespace }}
+ kind: Role
+ name: "{{ template "pulsar.fullname" . }}-{{ .Values.functions.component
}}-role"
+{{- else}}
kind: ClusterRole
name: "{{ template "pulsar.fullname" . }}-{{ .Values.functions.component }}"
+{{- end}}
subjects:
- kind: ServiceAccount
name: "{{ template "pulsar.fullname" . }}-{{ .Values.functions.component }}"
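Review bot: The `roleRef` name here has to match the `Role` name built in the first hunk, but the `...-role` expression is written out twice and the flag is tested in three separate `if` blocks. A later edit to one copy would leave the RoleBinding referring to a Role that does not exist, and the functions worker would lose its permissions with no render-time error. Building the name once near the top of the template, e.g. `{{- $fnRole := printf "%s-%s-role" (include "pulsar.fullname" .) .Values.functions.component }}`, and using `name: "{{ $fnRole }}"` in both places removes that drift. The `subjects:` entry continues past the end of this hunk.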
diff --git a/charts/pulsar/values.yaml b/charts/pulsar/values.yaml
index 18e9677..a1d410a 100644
--- a/charts/pulsar/values.yaml
+++ b/charts/pulsar/values.yaml
@@ -792,6 +792,12 @@ broker:
##
functions:
component: functions-worker
+ ## Pulsar: Functions Worker ClusterRole or Role
+ ## templates/broker-rbac.yaml
+ # Default is false which deploys functions with ClusterRole and
ClusterRoleBinding at the cluster level
+ # Set to true to deploy functions with Role and RoleBinding inside the
specified namespace
+ rbac:
+ limit_to_namespace: false
## Pulsar: Proxy Cluster
## templates/proxy-statefulset.yaml
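Review bot: The comment on `limit_to_namespace` says the Role is created "inside the specified namespace" without saying which namespace that is or what the default leaves in place. An operator cannot tell from it that `false` keeps the functions worker's rules valid in every namespace of the cluster. I would state the trade-off, for example `# false (default, kept for backward compatibility) grants these permissions cluster-wide; prefer true unless functions must be managed outside the release namespace`. The key is also snake_case while the neighbouring value read by the template is `functionsAsPods`; `limitToNamespace` would match.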