fix: NVSHAS-9287 rename and add missing properties

neuvector · Aug 15, 2024 · 167e053 · 167e053
1 parent c4395f8
commit 167e053
Show file tree

Hide file tree

Showing 4 changed files with 36 additions and 6 deletions.
diff --git a/charts/core/templates/role.yaml b/charts/core/templates/role.yaml
@@ -61,7 +61,7 @@ apiVersion: v1
 {{- end }}
 kind: Role
 metadata:
-  name: neuvector-role-job-creation
+  name: neuvector-binding-job-creation
   namespace: {{ .Release.Namespace }}
   labels:
     chart: {{ template "neuvector.chart" . }}
@@ -94,7 +94,7 @@ apiVersion: v1
 {{- end }}
 kind: Role
 metadata:
-  name: neuvector-role-cert-upgrader
+  name: neuvector-binding-cert-upgrader
   namespace: {{ .Release.Namespace }}
   labels:
     chart: {{ template "neuvector.chart" . }}

diff --git a/charts/core/templates/rolebinding-least.yaml b/charts/core/templates/rolebinding-least.yaml
@@ -92,7 +92,7 @@ roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
 {{- end }}
-  name: neuvector-role-job-creation
+  name: neuvector-binding-job-creation
 subjects:
 - kind: ServiceAccount
   name: controller
@@ -111,6 +111,36 @@ apiVersion: rbac.authorization.k8s.io/v1
 apiVersion: v1
 {{- end }}
 kind: RoleBinding
+metadata:
+  name: neuvector-binding-cert-upgrader
+  namespace: {{ .Release.Namespace }}
+  labels:
+    chart: {{ template "neuvector.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: Helm
+roleRef:
+{{- if not $oc3 }}
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+{{- end }}
+  name: neuvector-binding-cert-upgrader
+subjects:
+- kind: ServiceAccount
+  name: cert-upgrader
+  namespace: {{ .Release.Namespace }}
+{{- if $oc3 }}
+userNames:
+- system:serviceaccount:{{ .Release.Namespace }}:cert-upgrader
+{{- end }}
+---
+{{- if $oc3 }}
+apiVersion: authorization.openshift.io/v1
+{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- else }}
+apiVersion: v1
+{{- end }}
+kind: RoleBinding
 metadata:
   name: neuvector-binding-secret
   namespace: {{ .Release.Namespace }}

diff --git a/charts/core/templates/rolebinding.yaml b/charts/core/templates/rolebinding.yaml
@@ -136,7 +136,7 @@ roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
 {{- end }}
-  name: neuvector-role-job-creation
+  name: neuvector-binding-job-creation
 subjects:
 - kind: ServiceAccount
   name: controller
@@ -166,7 +166,7 @@ roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
 {{- end }}
-  name: neuvector-role-cert-upgrader
+  name: neuvector-binding-cert-upgrader
 subjects:
 - kind: ServiceAccount
   name: cert-upgrader

diff --git a/test/role_test.go b/test/role_test.go
@@ -98,7 +98,7 @@ func TestRoleBindingLeastPrivilege(t *testing.T) {
 	out := helm.RenderTemplate(t, options, helmChartPath, nvRel, []string{"templates/rolebinding-least.yaml"})
 	outs := splitYaml(out)
 
-	if len(outs) != 4 {
+	if len(outs) != 5 {
 		t.Errorf("Resource count is wrong. count=%v\n", len(outs))
 	}
 }