Home Explore Help
Sign In
cecf
/
deploy
5
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: afab9cf38c
Branches Tags
deploy
/
jenkins
/
templates
/
rbac.yaml

rbac.yaml 5.1 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149 
  1. {{ if .Values.rbac.create }}
    2. 

  2. {{- $serviceName := include "jenkins.fullname" . -}}
    3. 

  3. 

  4. # This role is used to allow Jenkins scheduling of agents via Kubernetes plugin.
    5. 

  5. apiVersion: rbac.authorization.k8s.io/v1
    6. 

  6. kind: Role
    7. 

  7. metadata:
    8. 

  8.   name: {{ $serviceName }}-schedule-agents
    9. 

  9.   namespace: {{ template "jenkins.agent.namespace" . }}
    10. 

  10.   labels:
    11. 

  11.     "app.kubernetes.io/name": '{{ template "jenkins.name" .}}'
    12. 

  12.     {{- if .Values.renderHelmLabels }}
    13. 

  13.     "helm.sh/chart": "{{ template "jenkins.label" .}}"
    14. 

  14.     {{- end }}
    15. 

  15.     "app.kubernetes.io/managed-by": "{{ .Release.Service }}"
    16. 

  16.     "app.kubernetes.io/instance": "{{ .Release.Name }}"
    17. 

  17.     "app.kubernetes.io/component": "{{ .Values.controller.componentName }}"
    18. 

  18. rules:
    19. 

  19. - apiGroups: [""]
    20. 

  20.   resources: ["pods", "pods/exec", "pods/log", "persistentvolumeclaims", "events"]
    21. 

  21.   verbs: ["get", "list", "watch"]
    22. 

  22. - apiGroups: [""]
    23. 

  23.   resources: ["pods", "pods/exec", "persistentvolumeclaims"]
    24. 

  24.   verbs: ["create", "delete", "deletecollection", "patch", "update"]
    25. 

  25. 

  26. ---
    27. 

  27. 

  28. # We bind the role to the Jenkins service account. The role binding is created in the namespace
    29. 

  29. # where the agents are supposed to run.
    30. 

  30. apiVersion: rbac.authorization.k8s.io/v1
    31. 

  31. kind: RoleBinding
    32. 

  32. metadata:
    33. 

  33.   name: {{ $serviceName }}-schedule-agents
    34. 

  34.   namespace: {{ template "jenkins.agent.namespace" . }}
    35. 

  35.   labels:
    36. 

  36.     "app.kubernetes.io/name": '{{ template "jenkins.name" .}}'
    37. 

  37.     {{- if .Values.renderHelmLabels }}
    38. 

  38.     "helm.sh/chart": "{{ template "jenkins.label" .}}"
    39. 

  39.     {{- end }}
    40. 

  40.     "app.kubernetes.io/managed-by": "{{ .Release.Service }}"
    41. 

  41.     "app.kubernetes.io/instance": "{{ .Release.Name }}"
    42. 

  42.     "app.kubernetes.io/component": "{{ .Values.controller.componentName }}"
    43. 

  43. roleRef:
    44. 

  44.   apiGroup: rbac.authorization.k8s.io
    45. 

  45.   kind: Role
    46. 

  46.   name: {{ $serviceName }}-schedule-agents
    47. 

  47. subjects:
    48. 

  48. - kind: ServiceAccount
    49. 

  49.   name: {{ template "jenkins.serviceAccountName" .}}
    50. 

  50.   namespace: {{ template "jenkins.namespace" . }}
    51. 

  51. 

  52. ---
    53. 

  53. 

  54. {{- if .Values.rbac.readSecrets }}
    55. 

  55. # This is needed if you want to use https://jenkinsci.github.io/kubernetes-credentials-provider-plugin/
    56. 

  56. # as it needs permissions to get/watch/list Secrets
    57. 

  57. apiVersion: rbac.authorization.k8s.io/v1
    58. 

  58. kind: Role
    59. 

  59. metadata:
    60. 

  60.   name: {{ template "jenkins.fullname" . }}-read-secrets
    61. 

  61.   namespace: {{ template "jenkins.namespace" . }}
    62. 

  62.   labels:
    63. 

  63.     "app.kubernetes.io/name": '{{ template "jenkins.name" .}}'
    64. 

  64.     {{- if .Values.renderHelmLabels }}
    65. 

  65.     "helm.sh/chart": "{{ template "jenkins.label" .}}"
    66. 

  66.     {{- end }}
    67. 

  67.     "app.kubernetes.io/managed-by": "{{ .Release.Service }}"
    68. 

  68.     "app.kubernetes.io/instance": "{{ .Release.Name }}"
    69. 

  69.     "app.kubernetes.io/component": "{{ .Values.controller.componentName }}"
    70. 

  70. rules:
    71. 

  71.   - apiGroups: [""]
    72. 

  72.     resources: ["secrets"]
    73. 

  73.     verbs: ["get", "watch", "list"]
    74. 

  74. 

  75. ---
    76. 

  76. 

  77. apiVersion: rbac.authorization.k8s.io/v1
    78. 

  78. kind: RoleBinding
    79. 

  79. metadata:
    80. 

  80.   name: {{ $serviceName }}-read-secrets
    81. 

  81.   namespace: {{ template "jenkins.namespace" . }}
    82. 

  82.   labels:
    83. 

  83.     "app.kubernetes.io/name": '{{ template "jenkins.name" .}}'
    84. 

  84.     {{- if .Values.renderHelmLabels }}
    85. 

  85.     "helm.sh/chart": "{{ template "jenkins.label" .}}"
    86. 

  86.     {{- end }}
    87. 

  87.     "app.kubernetes.io/managed-by": "{{ .Release.Service }}"
    88. 

  88.     "app.kubernetes.io/instance": "{{ .Release.Name }}"
    89. 

  89.     "app.kubernetes.io/component": "{{ .Values.controller.componentName }}"
    90. 

  90. roleRef:
    91. 

  91.   apiGroup: rbac.authorization.k8s.io
    92. 

  92.   kind: Role
    93. 

  93.   name: {{ template "jenkins.fullname" . }}-read-secrets
    94. 

  94. subjects:
    95. 

  95.   - kind: ServiceAccount
    96. 

  96.     name: {{ template "jenkins.serviceAccountName" . }}
    97. 

  97.     namespace: {{ template "jenkins.namespace" . }}
    98. 

  98. 

  99. ---
    100. 

  100. {{- end}}
    101. 

  101. 

  102. {{- if .Values.controller.sidecars.configAutoReload.enabled }}
    103. 

  103. # The sidecar container which is responsible for reloading configuration changes
    104. 

  104. # needs permissions to watch ConfigMaps
    105. 

  105. apiVersion: rbac.authorization.k8s.io/v1
    106. 

  106. kind: Role
    107. 

  107. metadata:
    108. 

  108.   name: {{ template "jenkins.fullname" . }}-casc-reload
    109. 

  109.   namespace: {{ template "jenkins.namespace" . }}
    110. 

  110.   labels:
    111. 

  111.     "app.kubernetes.io/name": '{{ template "jenkins.name" .}}'
    112. 

  112.     {{- if .Values.renderHelmLabels }}
    113. 

  113.     "helm.sh/chart": "{{ template "jenkins.label" .}}"
    114. 

  114.     {{- end }}
    115. 

  115.     "app.kubernetes.io/managed-by": "{{ .Release.Service }}"
    116. 

  116.     "app.kubernetes.io/instance": "{{ .Release.Name }}"
    117. 

  117.     "app.kubernetes.io/component": "{{ .Values.controller.componentName }}"
    118. 

  118. rules:
    119. 

  119. - apiGroups: [""]
    120. 

  120.   resources: ["configmaps"]
    121. 

  121.   verbs: ["get", "watch", "list"]
    122. 

  122. 

  123. ---
    124. 

  124. 

  125. apiVersion: rbac.authorization.k8s.io/v1
    126. 

  126. kind: RoleBinding
    127. 

  127. metadata:
    128. 

  128.   name: {{ $serviceName }}-watch-configmaps
    129. 

  129.   namespace: {{ template "jenkins.namespace" . }}
    130. 

  130.   labels:
    131. 

  131.     "app.kubernetes.io/name": '{{ template "jenkins.name" .}}'
    132. 

  132.     {{- if .Values.renderHelmLabels }}
    133. 

  133.     "helm.sh/chart": "{{ template "jenkins.label" .}}"
    134. 

  134.     {{- end }}
    135. 

  135.     "app.kubernetes.io/managed-by": "{{ .Release.Service }}"
    136. 

  136.     "app.kubernetes.io/instance": "{{ .Release.Name }}"
    137. 

  137.     "app.kubernetes.io/component": "{{ .Values.controller.componentName }}"
    138. 

  138. roleRef:
    139. 

  139.   apiGroup: rbac.authorization.k8s.io
    140. 

  140.   kind: Role
    141. 

  141.   name: {{ template "jenkins.fullname" . }}-casc-reload
    142. 

  142. subjects:
    143. 

  143. - kind: ServiceAccount
    144. 

  144.   name: {{ template "jenkins.serviceAccountName" . }}
    145. 

  145.   namespace: {{ template "jenkins.namespace" . }}
    146. 

  146. 

  147. {{- end}}
    148. 

  148. 

  149. {{ end }}
    150.