[stable/redis-ha] feat: implement RBAC (helm#11842)

* feat: implement RBAC

Signed-off-by: Vladimir Syromyatnikov <[email protected]>

* fix: typo in README

Signed-off-by: Vladimir Syromyatnikov <[email protected]>

stable/redis-ha/Chart.yaml

@@ -5,7 +5,7 @@ keywords:
 - redis
 - keyvalue
 - database
-version: 3.2.1
+version: 3.3.0
 appVersion: 5.0.3
 description: Highly available Kubernetes implementation of Redis
 icon: https://upload.wikimedia.org/wikipedia/en/thumb/6/6b/Redis_Logo.svg/1200px-Redis_Logo.svg.png

stable/redis-ha/templates/_helpers.tpl

@@ -51,3 +51,13 @@ Example output:
   {{- replace "+" "_" .Chart.Version | printf "%s-%s" .Chart.Name -}}
 {{- end -}}
 
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "redis-ha.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create -}}
+    {{ default (include "redis-ha.fullname" .) .Values.serviceAccount.name }}
+{{- else -}}
+    {{ default "default" .Values.serviceAccount.name }}
+{{- end -}}
+{{- end -}}

stable/redis-ha/templates/redis-ha-role.yaml

@@ -0,0 +1,18 @@
+{{- if and .Values.serviceAccount.create  .Values.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ template "redis-ha.fullname" . }}
+  labels:
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+    chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+    app: {{ template "redis-ha.fullname" . }}
+rules:
+- apiGroups:
+    - ""
+  resources:
+    - endpoints
+  verbs:
+    - get
+{{- end }}

stable/redis-ha/templates/redis-ha-rolebinding.yaml

@@ -0,0 +1,18 @@
+{{- if and .Values.serviceAccount.create .Values.rbac.create }}
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ template "redis-ha.fullname" . }}
+  labels:
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+    chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+    app: {{ template "redis-ha.fullname" . }}
+subjects:
+- kind: ServiceAccount
+  name: {{ template "redis-ha.serviceAccountName" . }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ template "redis-ha.fullname" . }}
+{{- end }}

stable/redis-ha/templates/redis-ha-serviceaccount.yaml

@@ -0,0 +1,11 @@
+{{- if .Values.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ template "redis-ha.serviceAccountName" . }}
+  labels:
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+    chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+    app: {{ template "redis-ha.fullname" . }}
+{{- end }}

stable/redis-ha/templates/redis-ha-statefulset.yaml

@@ -48,6 +48,7 @@ spec:
     {{- end }}
       securityContext:
 {{ toYaml .Values.securityContext | indent 8 }}
+      serviceAccountName: {{ template "redis-ha.serviceAccountName" . }}
       initContainers:
 {{- if and .Values.hostPath.path .Values.hostPath.chown }}
       - name: hostpath-chown

stable/redis-ha/values.yaml

@@ -11,6 +11,23 @@ replicas: 3
 ## Custom labels for the redis pod
 labels: {}
 
+## Pods Service Account
+## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
+serviceAccount:
+  ## Specifies whether a ServiceAccount should be created
+  ##
+  create: true
+  ## The name of the ServiceAccount to use.
+  ## If not set and create is true, a name is generated using the redis-ha.fullname template
+  # name:
+
+## Role Based Access
+## Ref: https://kubernetes.io/docs/admin/authorization/rbac/
+##
+
+rbac:
+  create: true
+
 ## Redis specific configuration options
 redis:
   port: 6379