remove dedicated options to define RBAC

This offered no real benefit over someone simply having their own rbac.yaml. Adding this as an option to the chart just means we have to continue to support it, and why would we then only support defining custom RBAC and not even other resources? At that point we would become a meta-meta Helm chart and that's just not worth it. On-behalf-of: @SAP [email protected]
kcp-dev · Jan 10, 2025 · f5a4c48 · f5a4c48
1 parent 0b29fd9
commit f5a4c48
Show file tree

Hide file tree

Showing 3 changed files with 4 additions and 60 deletions.
diff --git a/charts/api-syncagent/templates/deployment.yaml b/charts/api-syncagent/templates/deployment.yaml
@@ -3,7 +3,7 @@ kind: ServiceAccount
 metadata:
   name: '{{ template "name" . }}'
   labels:
-    app.kubernetes.io/name: kcp-sync-agent
+    app.kubernetes.io/name: kcp-api-syncagent
     app.kubernetes.io/instance: '{{ template "agentname" . }}'
 
 ---
@@ -15,12 +15,12 @@ spec:
   replicas: {{ .Values.replicas | default 1 }}
   selector:
     matchLabels:
-      app.kubernetes.io/name: kcp-sync-agent
+      app.kubernetes.io/name: kcp-api-syncagent
       app.kubernetes.io/instance: '{{ template "agentname" . }}'
   template:
     metadata:
       labels:
-        app.kubernetes.io/name: kcp-sync-agent
+        app.kubernetes.io/name: kcp-api-syncagent
         app.kubernetes.io/instance: '{{ template "agentname" . }}'
         app.kubernetes.io/version: '{{ .Values.image.tag | default .Chart.AppVersion }}'
     spec:

diff --git a/charts/api-syncagent/templates/rbac.yaml b/charts/api-syncagent/templates/rbac.yaml
@@ -1,5 +1,3 @@
-{{- if .Values.rbac.create }}
----
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
@@ -42,8 +40,7 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: '{{ template "name" . }}:{{ .Release.Namespace }}:services'
-  namespace: kdp
+  name: '{{ template "name" . }}:{{ .Release.Namespace }}'
 rules:
   - apiGroups:
       - ""
@@ -55,55 +52,12 @@ rules:
       - watch
       - create
       - update
-  - apiGroups:
-      - services.syncagent.kcp.io
-    resources:
-      - publishedresources
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - services.syncagent.kcp.io
-    resources:
-      - publishedresources/status
-    verbs:
-      - create
-      - get
-      - update
-      - patch
-
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: '{{ template "name" . }}:{{ .Release.Namespace }}:services'
-  namespace: kdp
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: '{{ template "name" . }}:{{ .Release.Namespace }}:services'
-subjects:
-  - kind: ServiceAccount
-    name: '{{ template "name" . }}'
-    namespace: '{{ .Release.Namespace }}'
-{{- end }}
-
-{{ if .Values.rbac.createClusterRole }}
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: '{{ template "name" . }}:{{ .Release.Namespace }}'
-  namespace: kdp
-rules: {{ .Values.rbac.rules | toYaml | nindent 2 }}
 
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: '{{ template "name" . }}:{{ .Release.Namespace }}'
-  namespace: kdp
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
@@ -112,4 +66,3 @@ subjects:
   - kind: ServiceAccount
     name: '{{ template "name" . }}'
     namespace: '{{ .Release.Namespace }}'
-{{ end }}
diff --git a/charts/api-syncagent/values.yaml b/charts/api-syncagent/values.yaml
@@ -29,15 +29,6 @@ image:
 
 replicas: 2
 
-rbac:
-  # When set to false, no RBAC will be created.
-  create: true
-  # When set to true, will create a ClusterRole named "<releasename>:<namespace>"
-  # and assign it the configured rules; use this to provide additional permissions
-  # for the Sync Agent.
-  createClusterRole: false
-  rules: []
-
 resources:
   requests:
     cpu: 100m