add namespace whitelist in chart w/o clusterRole

add support for namespace whitelisting in flux helm chart when not using a clusterRole Signed-off-by: Paul Farver <[email protected]>
fluxcd · Jan 9, 2020 · 89b8137 · 89b8137
1 parent c776c18
commit 89b8137
Show file tree

Hide file tree

Showing 4 changed files with 26 additions and 19 deletions.
diff --git a/chart/flux/README.md b/chart/flux/README.md
@@ -202,10 +202,11 @@ The following tables lists the configurable parameters of the Flux chart and the
 | `env.secretName`                                  | ``                                                   | Name of the secret that contains environment variables which should be defined in the Flux container (using `envFrom`)
 | `rbac.create`                                     | `true`                                               | If `true`, create and use RBAC resources
 | `rbac.pspEnabled`                                 | `false`                                              | If `true`, create and use a restricted pod security policy for Flux pod(s)
+| `allowedNamespaces`                               | `[]`                                                 | Allow flux to manage resources in the specified namespaces. The namespace flux is deployed in will always be included
 | `serviceAccount.create`                           | `true`                                               | If `true`, create a new service account
 | `serviceAccount.name`                             | `flux`                                               | Service account to be used
 | `serviceAccount.annotations`                      | ``                                                   | Additional Service Account annotations
-| `clusterRole.create`                              | `true`                                               | If `false`, Flux and the Helm Operator will be restricted to the namespace where they are deployed
+| `clusterRole.create`                              | `true`                                               | If `false`, Flux will be restricted to the namespaces given in `allowedNamespaces` and the namespace where it is deployed
 | `service.type`                                    | `ClusterIP`                                          | Service type to be used (exposing the Flux API outside of the cluster is not advised)
 | `service.port`                                    | `3030`                                               | Service port to be used
 | `sync.state`                                      | `git`                                                | Where to keep sync state; either a tag in the upstream repo (`git`), or as an annotation on the SSH secret (`secret`)

diff --git a/chart/flux/templates/deployment.yaml b/chart/flux/templates/deployment.yaml
@@ -175,7 +175,7 @@ spec:
           {{- end }}
           args:
           {{- if not .Values.clusterRole.create }}
-          - --k8s-allow-namespace={{ .Release.Namespace }}
+          - --k8s-allow-namespace={{ join "," (append .Values.allowedNamespaces .Release.Namespace) }}
           {{- end}}
           {{- if .Values.logFormat }}
           - --log-format={{ .Values.logFormat }}

diff --git a/chart/flux/templates/rbac-role.yaml b/chart/flux/templates/rbac-role.yaml
@@ -1,13 +1,15 @@
 {{- if and .Values.rbac.create (eq .Values.clusterRole.create false) -}}
+{{- range $namespace := (append .Values.allowedNamespaces .Release.Namespace) }}
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: Role
 metadata:
-  name: {{ template "flux.fullname" . }}
+  name: {{ template "flux.fullname" $ }}
+  namespace: {{ $namespace }}
   labels:
-    app: {{ template "flux.name" . }}
-    chart: {{ template "flux.chart" . }}
-    release: {{ .Release.Name }}
-    heritage: {{ .Release.Service }}
+    app: {{ template "flux.name" $ }}
+    chart: {{ template "flux.chart" $ }}
+    release: {{ $.Release.Name }}
+    heritage: {{ $.Release.Service }}
 rules:
   - apiGroups:
       - '*'
@@ -19,21 +21,23 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: RoleBinding
 metadata:
-  name: {{ template "flux.fullname" . }}
+  name: {{ template "flux.fullname" $ }}
+  namespace: {{ $namespace }}
   labels:
-    app: {{ template "flux.name" . }}
-    chart: {{ template "flux.chart" . }}
-    release: {{ .Release.Name }}
-    heritage: {{ .Release.Service }}
+    app: {{ template "flux.name" $ }}
+    chart: {{ template "flux.chart" $ }}
+    release: {{ $.Release.Name }}
+    heritage: {{ $.Release.Service }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
-  name: {{ template "flux.fullname" . }}
+  name: {{ template "flux.fullname" $ }}
 subjects:
-  - name: {{ template "flux.serviceAccountName" . }}
-    namespace: {{ .Release.Namespace | quote }}
+  - name: {{ template "flux.serviceAccountName" $ }}
+    namespace: {{ $.Release.Namespace | quote }}
     kind: ServiceAccount
 ---
+{{- end }}
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRole
 metadata:

diff --git a/chart/flux/values.yaml b/chart/flux/values.yaml
@@ -17,6 +17,9 @@ service:
   type: ClusterIP
   port: 3030
 
+# Specifies which namespaces flux should have access to
+allowedNamespaces: []
+
 rbac:
   # Specifies whether RBAC resources should be created
   create: true
@@ -32,10 +35,9 @@ serviceAccount:
   # Annotations for the Service Account
   annotations: {}
 
-# If create is `false` and no name is given, Flux and the Helm
-# Operator will be restricted to the namespace where they are
-# deployed, and the kubeconfig default context will be set to that
-# namespace.
+# If create is `false` and no name is given, Flux will be restricted to 
+# namespaces listed in allowedNamespaces and the namespace where it is
+# deployed, and the kubeconfig default context will be set to that namespace.
 clusterRole:
   create: true
   # The name of a cluster role to bind to; if not set and create is