From e7cf676764add1c0346f3e99a9cb327b9cd108db Mon Sep 17 00:00:00 2001 From: atung Date: Fri, 8 Dec 2023 16:03:11 -0800 Subject: [PATCH 1/2] NVSHAS-7953 Consider refer to defined secrets in configMap --- .../core/templates/controller-deployment.yaml | 3 ++ charts/core/templates/role.yaml | 24 ++++++++++++++ charts/core/templates/rolebinding-least.yaml | 32 +++++++++++++++++++ charts/core/templates/rolebinding.yaml | 32 +++++++++++++++++++ 4 files changed, 91 insertions(+) create mode 100644 charts/core/templates/role.yaml diff --git a/charts/core/templates/controller-deployment.yaml b/charts/core/templates/controller-deployment.yaml index 7a242770..143df82d 100644 --- a/charts/core/templates/controller-deployment.yaml +++ b/charts/core/templates/controller-deployment.yaml @@ -254,6 +254,9 @@ spec: - secret: name: neuvector-init optional: true + - secret: + name: neuvector-secret + optional: true - name: nv-debug hostPath: path: /var/nv_debug diff --git a/charts/core/templates/role.yaml b/charts/core/templates/role.yaml new file mode 100644 index 00000000..01dc47c4 --- /dev/null +++ b/charts/core/templates/role.yaml @@ -0,0 +1,24 @@ +{{- $oc4 := and .Values.openshift (semverCompare ">=1.12-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} +{{- $oc3 := and .Values.openshift (not $oc4) (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: Role +metadata: + name: neuvector-binding-secret + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get 
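Review bot: The new `neuvector-secret` entry is mounted by the kubelet through what appears to be a projected volume's sources list (it sits beside the existing `neuvector-init` source), and volume mounts need no RBAC, so this hunk on its own does not require the Secret `get` Role introduced in the same commit; the template should make clear which mechanism the controller actually uses. Nothing in the chart states what keys `neuvector-secret` is expected to carry or how it differs from `neuvector-init`, so a short template comment above the entry, e.g. `# optional, user-created Secret; mounted alongside neuvector-init (document the expected keys in values.yaml)`, would save the next maintainer from inferring it from the name as I am doing here. The volume's name and mountPath are outside the hunk.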
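Review bot: The `secrets` rule in the new Role carries no `resourceNames`, so the bound service account can `get` every Secret in the release namespace, including TLS keys, registry credentials and other workloads' tokens that happen to share the namespace, not only the ones this chart introduces. If the only Secret the controller needs through the API is the one mounted in this commit, narrow the rule with `resourceNames: ["neuvector-secret"]` directly under `resources`. If the intent (per the subject) is to resolve arbitrary Secret names referenced from the configMap, the rule cannot be narrowed statically; in that case add a template comment such as `{{- /* No resourceNames: the controller must read Secrets referenced by name from its configMap */ -}}` so a later least-privilege pass does not tighten it blindly. Keeping the verbs at `get` alone, without `list`/`watch`, is the right call and should stay.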
diff --git a/charts/core/templates/rolebinding-least.yaml b/charts/core/templates/rolebinding-least.yaml index 4f19b62f..427f0dfa 100644 --- a/charts/core/templates/rolebinding-least.yaml +++ b/charts/core/templates/rolebinding-least.yaml @@ -37,6 +37,38 @@ userNames: --- +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: RoleBinding +metadata: + name: neuvector-binding-secret + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: Role +{{- end }} + name: neuvector-binding-secret +subjects: +- kind: ServiceAccount + name: controller + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:controller +{{- end }} + +--- + {{- if $oc4 }} apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding diff --git a/charts/core/templates/rolebinding.yaml b/charts/core/templates/rolebinding.yaml index c2fa8503..23c07f4f 100644 --- a/charts/core/templates/rolebinding.yaml +++ b/charts/core/templates/rolebinding.yaml 
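Review bot: Under `$oc3` the `roleRef` is emitted with only `name`, and in the legacy `authorization.openshift.io/v1` API a RoleBinding whose `roleRef.namespace` is empty resolves the name as a ClusterRole, so on OpenShift 3 this binding would point at a non-existent ClusterRole rather than the namespaced Role created by role.yaml (the other bindings in this file presumably omit it because they bind ClusterRoles). Add `{{- if $oc3 }}` / `  namespace: {{ .Release.Namespace }}` / `{{- end }}` inside `roleRef`, next to the existing `apiGroup`/`kind` branch. I am recalling the legacy API's semantics from memory, so confirm against an OCP 3 cluster or the origin source before merging. `$oc3` is defined above the hunk.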
@@ -34,6 +34,38 @@ userNames: --- +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: RoleBinding +metadata: + name: neuvector-binding-secret + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: Role +{{- end }} + name: neuvector-binding-secret +subjects: +- kind: ServiceAccount + name: {{ .Values.serviceAccount }} + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }} +{{- end }} + +--- + {{- if $oc4 }} apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding From 7cd27b2694ea1460fa1297946faadd052045ac77 Mon Sep 17 00:00:00 2001 From: atung Date: Fri, 8 Dec 2023 16:18:05 -0800 Subject: [PATCH 2/2] NVSHAS-7953 Consider refer to defined secrets in configMap --- test/role_test.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/test/role_test.go b/test/role_test.go index 73033e3a..ecac3bcc 100644 --- a/test/role_test.go +++ b/test/role_test.go @@ -18,7 +18,7 @@ func TestRoleBinding(t *testing.T) { out := helm.RenderTemplate(t, options, helmChartPath, nvRel, []string{"templates/rolebinding.yaml"}) outs := splitYaml(out) - if len(outs) != 1 { + if len(outs) != 2 { t.Errorf("Resource count is wrong. count=%v\n", len(outs)) } } @@ -98,7 +98,7 @@ func TestRoleBindingLeastPrivilege(t *testing.T) { out := helm.RenderTemplate(t, options, helmChartPath, nvRel, []string{"templates/rolebinding-least.yaml"}) outs := splitYaml(out) - if len(outs) != 1 { + if len(outs) != 2 { t.Errorf("Resource count is wrong. count=%v\n", len(outs)) } }
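Review bot: The binding (and the Role it references) renders unconditionally, so every installation, including ones whose configMap references no Secrets, grants `{{ .Values.serviceAccount }}` namespace-wide Secret read access; consider guarding the new Role and RoleBinding behind a chart value so the permission is opt-in for deployments that do not use the feature. The same `roleRef` gap exists here as in the least-privilege variant: under `$oc3` the legacy OpenShift API treats a `roleRef` without `namespace: {{ .Release.Namespace }}` as a ClusterRole reference, so the namespaced Role would not be found. Apart from the subject name this block is a line-for-line copy of the rolebinding-least addition; a named template in `_helpers.tpl` taking the service account name as its argument would keep the two from drifting. `$oc3`/`$oc4` are defined above the hunk.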
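Review bot: Raising the expected document count to 2 is the only assertion TestRoleBinding makes, so it passes as long as any second YAML document renders and says nothing about what the new RoleBinding grants or to whom. Decode the second document and assert `roleRef.Name == "neuvector-binding-secret"`, `roleRef.Kind == "Role"` and that the single subject is the configured service account in the release namespace, so a regression in the template (wrong kind, wrong subject) fails CI instead of passing on count alone. A count check is also order-sensitive: if a template is later inserted above this binding, index-based assertions break silently, so match the document by `metadata.name` rather than position. The rest of TestRoleBinding, including how `options` is built, is outside the hunk.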
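Review bot: The series adds `charts/core/templates/role.yaml`, the object that actually carries the new privilege, but the diffstat of this patch shows only the two count bumps in role_test.go, so the Role's rules are never rendered or checked by a test. Add a test alongside TestRoleBindingLeastPrivilege that renders `templates/role.yaml` with the same `options`, asserts exactly one document and one rule, and pins that rule to `apiGroups: [""]`, `resources: ["secrets"]`, `verbs: ["get"]`, so that a future widening to `list`/`watch` or to additional resources is caught in CI rather than in an audit. If the test package already has a YAML-to-struct helper for rendered objects, reuse it rather than substring matching, since indentation in rendered output is not stable across template edits.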