helm: Support clusteradmin role binding

This enables us to support binding to the clusteradmin role in lieu of having to deploy our own role. Change-Id: I7a6b061bdd65b86f151931009e13c63aaf3692c4
2022-11-30 20:39:11 -08:00 · 2022-11-30 20:39:11 -08:00 · 4a0c3fed99
parent 486efd3659
commit 4a0c3fed99
3 changed files with 9 additions and 0 deletions
--- a/helm/zuul-operator/templates/020-ClusterRole.yaml
+++ b/helm/zuul-operator/templates/020-ClusterRole.yaml
@ -1,3 +1,4 @@
+{{- if not .Values.serviceAccount.clusterAdmin }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@ -124,3 +125,4 @@ rules:
  verbs:
  - get
  - create
+{{- end }}
--- a/helm/zuul-operator/templates/030-ClusterRoleBinding.yaml
+++ b/helm/zuul-operator/templates/030-ClusterRoleBinding.yaml
@ -8,5 +8,9 @@ subjects:
  namespace: {{ .Release.Namespace }}
 roleRef:
  kind: ClusterRole
+{{- if .Values.serviceAccount.clusterAdmin }}
+  name: cluster-admin
+{{- else }}
  name: {{ include "zuul-operator.serviceAccountName" . }}
+{{- end }}
  apiGroup: rbac.authorization.k8s.io
--- a/helm/zuul-operator/values.yaml
+++ b/helm/zuul-operator/values.yaml
@ -13,6 +13,9 @@ fullnameOverride: ""
 serviceAccount:
  # Specifies whether a service account should be created
  create: true
+  # Specifies whether the service account should bind to cluster admin
+  clusterAdmin: false
+
  # Annotations to add to the service account
  annotations: {}
  # The name of the service account to use.