Add optional serviceAccount.rbac to application chart

chart-tests/application/ci/test-role-binding-values.yaml

@@ -0,0 +1,8 @@
+serviceAccount:
+  rbac:
+    roleBindings:
+      - roleType: ClusterRole
+        roleName: admin
+    clusterRoleBindings:
+      - roleType: ClusterRole
+        roleName: edit

charts/application/Chart.yaml

@@ -7,4 +7,4 @@ maintainers:
   - name: MediaMarktSaturn
     url: https://github.com/MediaMarktSaturn
 appVersion: 1.0.0
-version: 1.16.0
+version: 1.17.0

charts/application/README.md

@@ -1,6 +1,6 @@
 # application
 
-![Version: 1.16.0](https://img.shields.io/badge/Version-1.16.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.0.0](https://img.shields.io/badge/AppVersion-1.0.0-informational?style=flat-square)
+![Version: 1.17.0](https://img.shields.io/badge/Version-1.17.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.0.0](https://img.shields.io/badge/AppVersion-1.0.0-informational?style=flat-square)
 
 Generic application chart with common requirements of a typical workload.
 
@@ -71,6 +71,8 @@ Generic application chart with common requirements of a typical workload.
 | serviceAccount.secretName | string | `nil` |  |
 | serviceAccount.mountPath | string | `"/config/service-account"` |  |
 | serviceAccount.automountServiceAccountToken | bool | `false` |  |
+| serviceAccount.rbac.roleBindings | list | `[]` |  |
+| serviceAccount.rbac.clusterRoleBindings | list | `[]` |  |
 | istio.enabled | bool | `false` |  |
 | istio.tlsMode | string | `"ISTIO_MUTUAL"` |  |
 | istio.ingress.enabled | bool | `true` |  |
@@ -138,7 +140,6 @@ Generic application chart with common requirements of a typical workload.
 | initDefaults.resources.limits.cpu | string | `"500m"` |  |
 | initDefaults.resources.limits.memory | string | `"100Mi"` |  |
 | initDefaults.restartPolicy | string | `"Always"` |  |
-| k8sAPI.role | string | `nil` |  |
 
 ----------------------------------------------
 Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0)

charts/application/templates/k8s-rolebinding.yaml

@@ -1,15 +1,34 @@
-{{- if or (eq .Values.k8sAPI.role "edit") (eq .Values.k8sAPI.role "view") (eq .Values.k8sAPI.role "admin") }}
+{{- range .Values.serviceAccount.rbac.roleBindings }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
+  name: {{ $.Release.Name }}
+  namespace: {{ $.Release.Namespace }}
   labels:
-    app.kubernetes.io/name: {{ $.Release.Name }}
+    {{- include "labels" $ | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: {{ .roleType }}
+  name: {{ .roleName }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ $.Release.Name }}
+    namespace: {{ $.Release.Namespace }}
+{{- end }}
+{{- range .Values.serviceAccount.rbac.clusterRoleBindings }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
   name: {{ $.Release.Name }}
+  namespace: {{ $.Release.Namespace }}
+  labels:
+    {{- include "labels" $ | nindent 4 }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: {{ $.Values.k8sAPI.role }}
+  kind: {{ .roleType }}
+  name: {{ .roleName }}
 subjects:
   - kind: ServiceAccount
     name: {{ $.Release.Name }}

charts/application/values.yaml

@@ -141,6 +141,10 @@ serviceAccount:
   mountPath: /config/service-account
   # k8s ServiceAccount.automountServiceAccountToken setting
   automountServiceAccountToken: false
+  # gives the application the defined role binding
+  rbac:
+    roleBindings: []
+    clusterRoleBindings: []
 
 # Pick one of the service mesh configs
 istio:
@@ -367,6 +371,4 @@ initDefaults:
       memory: 100Mi
   restartPolicy: Always
 
-# gives the application access to the k8s API with the defined role ("edit", "view" or "admin")
-k8sAPI:
-  role:
+