From 821fb20ec60439f688aa004f0da2b8e0893149df Mon Sep 17 00:00:00 2001
From: Adam Connelly
Date: Fri, 16 Feb 2024 08:29:12 -0500
Subject: [PATCH] fix: don't deploy ClusterRole when metrics not enabled (#48)

We were deploying the ClusterRole for kube-rbac-proxy even when the metrics server was not enabled. This doesn't make sense since the kube-rbac-proxy side-car container (and therefore the ClusterRole) are only used to implement authorization for accessing metrics.
---
 spacelift-workerpool-controller/templates/proxy-rbac.yaml | 4 +++-
 spacelift-workerpool-controller/values.yaml | 4 ++++
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/spacelift-workerpool-controller/templates/proxy-rbac.yaml b/spacelift-workerpool-controller/templates/proxy-rbac.yaml
index 6901fc4..93b6496 100644
--- a/spacelift-workerpool-controller/templates/proxy-rbac.yaml
+++ b/spacelift-workerpool-controller/templates/proxy-rbac.yaml
@@ -1,3 +1,4 @@
+{{ if .Values.metricsService.enabled }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -37,4 +38,5 @@ roleRef:
 subjects:
 - kind: ServiceAccount
 name: '{{ include "spacelift-workerpool-controller.fullname" . }}-controller-manager'
- namespace: '{{ .Release.Namespace }}'
\ No newline at end of file
+ namespace: '{{ .Release.Namespace }}'
+{{ end }}
diff --git a/spacelift-workerpool-controller/values.yaml b/spacelift-workerpool-controller/values.yaml
index 4c98aab..c7e5307 100644
--- a/spacelift-workerpool-controller/values.yaml
+++ b/spacelift-workerpool-controller/values.yaml
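Review bot: Nothing in this patch shows the kube-rbac-proxy sidecar being rendered under the same `metricsService.enabled` condition as the new `{{ if .Values.metricsService.enabled }}` guard in proxy-rbac.yaml (closed by `{{ end }}` in the second hunk). If the deployment template still includes the sidecar when metrics are disabled, it would run without the ClusterRole the commit message says it relies on for authorizing metrics access, so that template should be checked for the same condition. A template comment above the guard would record the coupling, for example `{{- /* RBAC for kube-rbac-proxy; rendered only when metricsService.enabled is true */ -}}`. The guard wraps the whole file, most of which lies outside these two hunks.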
@@ -3,6 +3,10 @@ controllerManager:
 # and will be able to manage WorkerPools across all namespaces in your cluster.
 # If you do not want to grant cluster wide permissions to the controller, you can specify a list
 # of namespaces. That will create a Role per namespace and bind it to the service account used by the controller.
+ #
+ # PLEASE NOTE: currently the metrics service requires a ClusterRole in order to function, so
+ # if `metricsService.enabled` is set to true, a ClusterRole will be created even if you
+ # specify namespaces.
 namespaces: []
 kubeRbacProxy:
 args:
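Review bot: The added PLEASE NOTE tells operators that a ClusterRole is still created when `namespaces` is set, but not what that ClusterRole is for or where to inspect it, which is what someone restricting the controller to specific namespaces needs in order to judge the remaining cluster-wide grant. I would add a line such as `# It is used by the kube-rbac-proxy sidecar to authorize access to metrics; see templates/proxy-rbac.yaml for its rules.` The purpose is taken from the commit message and the role's rules are not visible in this patch, so the wording should be checked against the template. The same caveat would be useful next to the `metricsService.enabled` key itself, which is outside this hunk, as is the start of this comment block.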