fix: monitor rbac (#394)

mikhail-klimko · web-flow · commit e5aaf3a0c9c6 · 2023-09-08T11:32:56.000+03:00
diff --git a/charts/cf-runtime/Chart.yaml b/charts/cf-runtime/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v2
 description: A Helm chart for Codefresh Runner
 name: cf-runtime
-version: 6.1.2
+version: 6.1.3
 keywords:
   - codefresh
   - runner
@@ -14,12 +14,8 @@ maintainers:
     url: https://codefresh-io.github.io/
 annotations:
   artifacthub.io/changes: |
-    - kind: changed
-      description: Updated runner image to `1.10.1`
-    - kind: added
-      description: Add pod monitor for Runner deployment
     - kind: fixed
-      description: Add default nameOverride to .Values.serviceMonitor and .Values.podMonitor to avoid naming collision
+      description: Fix Role(ClusterRole) for monitor
 dependencies:
   - name: cf-common
     repository: https://chartmuseum.codefresh.io/cf-common
diff --git a/charts/cf-runtime/README.md b/charts/cf-runtime/README.md
@@ -1,6 +1,6 @@
 ## Codefresh Runner
 
-![Version: 6.1.2](https://img.shields.io/badge/Version-6.1.2-informational?style=flat-square)
+![Version: 6.1.3](https://img.shields.io/badge/Version-6.1.3-informational?style=flat-square)
 
 Helm chart for deploying [Codefresh Runner](https://codefresh.io/docs/docs/installation/codefresh-runner/) to Kubernetes.
 
@@ -23,6 +23,8 @@ Helm chart for deploying [Codefresh Runner](https://codefresh.io/docs/docs/insta
   - [Custom global environment variables](#custom-global-environment-variables)
   - [Volume reuse policy](#volume-reuse-policy)
   - [Volume cleaners](#volume-cleaners)
+  - [Rootless DinD](#rootless-dind)
+  - [ARM](#arm)
   - [Openshift](#openshift)
   - [On-premise](#on-premise)
 
@@ -523,6 +525,41 @@ volumeProvisioner:
       INODE_USAGE_THRESHOLD: 60  # default 80
 ```
 
+### Rootless DinD
+
+DinD pod runs a `priviliged` container with **rootfull** docker.
+To run the docker daemon as non-root user (**rootless** mode), change dind image tag:
+
+`values.yaml`
+```yaml
+runtime:
+  dind:
+    image:
+      tag: rootless
+```
+
+### ARM
+
+With the Codefresh Runner, you can run native ARM64v8 builds.
+
+> **Note!**
+> You cannot run both amd64 and arm64 images within the same pipeline. As one pipeline can map only to one runtime, you can run either amd64 or arm64 within the same pipeline.
+
+Provide `nodeSelector` and(or) `tolerations` for dind pods:
+
+`values.yaml`
+```yaml
+runtime:
+  dind:
+    nodeSelector:
+      arch: arm64
+    tolerations:
+    - key: arch
+      operator: Equal
+      value: arm64
+      effect: NoSchedule
+```
+
 ### Openshift
 
 To install Codefresh Runner on OpenShift use the following `values.yaml` example
diff --git a/charts/cf-runtime/README.md.gotmpl b/charts/cf-runtime/README.md.gotmpl
@@ -23,6 +23,8 @@ Helm chart for deploying [Codefresh Runner](https://codefresh.io/docs/docs/insta
   - [Custom global environment variables](#custom-global-environment-variables)
   - [Volume reuse policy](#volume-reuse-policy)
   - [Volume cleaners](#volume-cleaners)
+  - [Rootless DinD](#rootless-dind)
+  - [ARM](#arm)
   - [Openshift](#openshift)
   - [On-premise](#on-premise)
 
@@ -523,6 +525,41 @@ volumeProvisioner:
       INODE_USAGE_THRESHOLD: 60  # default 80
 ```
 
+### Rootless DinD
+
+DinD pod runs a `priviliged` container with **rootfull** docker.
+To run the docker daemon as non-root user (**rootless** mode), change dind image tag:
+
+`values.yaml`
+```yaml
+runtime:
+  dind:
+    image:
+      tag: rootless
+```
+
+### ARM
+
+With the Codefresh Runner, you can run native ARM64v8 builds.
+
+> **Note!**
+> You cannot run both amd64 and arm64 images within the same pipeline. As one pipeline can map only to one runtime, you can run either amd64 or arm64 within the same pipeline.
+
+Provide `nodeSelector` and(or) `tolerations` for dind pods:
+
+`values.yaml`
+```yaml
+runtime:
+  dind:
+    nodeSelector:
+      arch: arm64
+    tolerations:
+    - key: arch
+      operator: Equal
+      value: arm64
+      effect: NoSchedule
+```
+
 ### Openshift
 
 To install Codefresh Runner on OpenShift use the following `values.yaml` example
diff --git a/charts/cf-runtime/templates/_components/monitor/_rbac.yaml b/charts/cf-runtime/templates/_components/monitor/_rbac.yaml
@@ -49,7 +49,7 @@ subjects:
     name: {{ include "monitor.serviceAccountName" . }}
     namespace: {{ .Release.Namespace }}
 roleRef:
-  kind: Role
+  kind: {{ .Values.rbac.namespaced | ternary "Role" "ClusterRole" }}
   name: {{ include "monitor.fullname" . }}
   apiGroup: rbac.authorization.k8s.io
 {{- end }}
