feat(tbot): K8S Role creation is optional

Fixes gravitational#51181. K8S `Role` & `RoleBinding` are created by default. Their creation does not depends on the `ServiceAccount` creation anymore.
maximumG · Jan 27, 2025 · 236c0c8 · 236c0c8
1 parent 4d7ce45
commit 236c0c8
Show file tree

Hide file tree

Showing 6 changed files with 33 additions and 10 deletions.
diff --git a/docs/pages/includes/helm-reference/zz_generated.tbot.mdx b/docs/pages/includes/helm-reference/zz_generated.tbot.mdx
@@ -200,6 +200,21 @@ resources.
 used by the chart. By default, the `ServiceAccount` has the name of the
 Helm release.
 
+## `serviceAccountRole`
+
+`serviceAccountRole` controls the Kubernetes Role and RoleBinding creation
+used by the serviceAccount
+
+### `serviceAccountRole.create`
+
+| Type | Default |
+|------|---------|
+| `bool` | `true` |
+
+`serviceAccountRole.create` controls whether Helm Chart creates the
+Kubernetes `Role` & `RoleBindings` resources for the Kubernetes SA.
+When off, you are responsible for creating the appropriate resources.
+
 ## `imagePullPolicy`
 
 | Type | Default |

diff --git a/examples/chart/tbot/templates/role.yaml b/examples/chart/tbot/templates/role.yaml
@@ -1,6 +1,6 @@
 # This role grants the ability to manage secrets within the namespace - this is
 # necessary for the `kubernetes_secret` destination to work correctly.
-{{ if .Values.serviceAccount.create -}}
+{{ if .Values.serviceAccountRole.create -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
@@ -17,4 +17,4 @@ rules:
   - apiGroups: [""]
     resources: ["secrets"]
     verbs: ["*"]
-{{ end }}
+{{ end }}
diff --git a/examples/chart/tbot/templates/rolebinding.yaml b/examples/chart/tbot/templates/rolebinding.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.serviceAccount.create -}}
+{{- if .Values.serviceAccountRole.create -}}
 # Bind the role to the service account created for tbot.
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
@@ -20,4 +20,4 @@ roleRef:
   kind: Role
   name:  {{ include "tbot.fullname" . }}
   apiGroup: rbac.authorization.k8s.io
-{{ end }}
+{{ end }}
diff --git a/examples/chart/tbot/tests/role_test.yaml b/examples/chart/tbot/tests/role_test.yaml
@@ -12,9 +12,9 @@ tests:
       - ../.lint/full.yaml
     asserts:
       - matchSnapshot: {}
-  - it: skips creation when service account disabled
+  - it: skips creation when explictely disabled
     set:
-      serviceAccount.create: false
+      serviceAccountRole.create: false
     asserts:
       - hasDocuments:
-          count: 0
+          count: 0
diff --git a/examples/chart/tbot/tests/rolebinding_test.yaml b/examples/chart/tbot/tests/rolebinding_test.yaml
@@ -12,9 +12,9 @@ tests:
       - ../.lint/full.yaml
     asserts:
       - matchSnapshot: {}
-  - it: skips creation when service account disabled
+  - it: skips creation when explictely disabled
     set:
-      serviceAccount.create: false
+      serviceAccountRole.create: false
     asserts:
       - hasDocuments:
-          count: 0
+          count: 0
diff --git a/examples/chart/tbot/values.yaml b/examples/chart/tbot/values.yaml
@@ -116,6 +116,14 @@ serviceAccount:
   # Helm release.
   name: ""
 
+# serviceAccountRole -- controls the Kubernetes Role and RoleBinding creation
+# used by the serviceAccount
+serviceAccountRole:
+  # serviceAccountRole.create(bool) -- controls whether Helm Chart creates the
+  # Kubernetes `Role` & `RoleBindings` resources for the Kubernetes SA.
+  # When off, you are responsible for creating the appropriate resources.
+  create: true
+
 # imagePullPolicy(string) -- sets the pull policy for any pods created by the chart.
 # See [the Kubernetes documentation](https://kubernetes.io/docs/concepts/containers/images/#updating-images)
 # for more details.