Merge pull request #255 from broadinstitute/okotsopo-PROD-934-gcloud-…

…sqlproxy-psp-flag

[PROD-934] TDR gcloud-sqlproxy conditionally disables PodSecurityPolicies

This is a follow-on to #249 which only made the necessary changes for TDR Bees to be compatible with GKE 1.25. TDR Bees don't use the gcloud-sqlproxy, and the existing rbac.create flag enabled more than just resources associated with PodSecurityPolicies, so I've added an additional rbac.pspEnabled flag to toggle only those resources without impacting other necessary operations (such as SA creation).

Defaulted this value to true to keep existing behavior the same.

We will then disable it for each environment starting with Dev in terra-helmfile, and likely cut it out altogether once everything is stable.

charts/gcloud-sqlproxy/Chart.yaml

@@ -16,4 +16,4 @@ maintainers:
 name: gcloud-sqlproxy
 sources:
 - https://github.com/broadinstitute/datarepo-helm
-version: 0.19.9
+version: 0.19.10

charts/gcloud-sqlproxy/templates/podrunningpolicy.yaml

@@ -1,4 +1,4 @@
-{{- if .Values.rbac.create }}
+{{- if .Values.rbac.create | and .Values.rbac.pspEnabled -}}
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:

charts/gcloud-sqlproxy/templates/role.yaml

@@ -13,11 +13,13 @@ rules:
 - apiGroups: [""]
   resources: ["secrets"]
   verbs: ["get", "watch", "list"]
+{{- if .Values.rbac.pspEnabled -}}
 - apiGroups: ['policy']
   resources: ['podsecuritypolicies']
   verbs: ["use"]
   resourceNames:
     - {{ include "gcloud-sqlproxy.fullname" . }}
+{{- end }}
 
 
 {{- end }}

charts/gcloud-sqlproxy/values.yaml

@@ -59,6 +59,7 @@ cloudsql:
 
 rbac:
   create: false
+  pspEnabled: true
 
 ## Specifies service type and option to enable internal LoadBalancer
 ## If service.internalLB is true, service.type should be: LoadBalancer