freeleaps-ops/freeleaps-secret-operator/helm-pkg/secretOperator/templates/rbac.yaml

{{- if .Values.serviceAccount.create -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ include "freeleaps-secret-operator.fullname" . }}
  labels:
    {{- include "freeleaps-secret-operator.labels" . | nindent 4 }}
rules:
  # Core resources
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "list", "watch"]

  # Custom resources - FreeleapsSecretStore (cluster-scoped)
  - apiGroups: ["freeleaps.com"]
    resources: ["freeleapssecretstores"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: ["freeleaps.com"]
    resources: ["freeleapssecretstores/status"]
    verbs: ["get", "update", "patch"]
  - apiGroups: ["freeleaps.com"]
    resources: ["freeleapssecretstores/finalizers"]
    verbs: ["update"]

  # Custom resources - FreeleapsSecret (namespaced)
  - apiGroups: ["freeleaps.com"]
    resources: ["freeleapssecrets"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: ["freeleaps.com"]
    resources: ["freeleapssecrets/status"]
    verbs: ["get", "update", "patch"]
  - apiGroups: ["freeleaps.com"]
    resources: ["freeleapssecrets/finalizers"]
    verbs: ["update"]

  # Kopf operator framework requirements
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create"]
  - apiGroups: ["zalando.org"]
    resources: ["clusterkopfpeerings"]
    verbs: ["list", "watch", "patch", "get"]
  - apiGroups: ["kopf.dev"]
    resources: ["clusterkopfpeerings"]
    verbs: ["list", "watch", "patch", "get"]
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ include "freeleaps-secret-operator.fullname" . }}
  labels:
    {{- include "freeleaps-secret-operator.labels" . | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ include "freeleaps-secret-operator.fullname" . }}
subjects:
  - kind: ServiceAccount
    name: {{ include "freeleaps-secret-operator.serviceAccountName" . }}
    namespace: {{ .Release.Namespace }}
{{- end }}
feat(helm): add helm package codes for secret operator Signed-off-by: zhenyus <zhenyus@mathmast.com> 2025-08-18 03:24:07 +00:00			`{{- if .Values.serviceAccount.create -}}`
			`apiVersion: rbac.authorization.k8s.io/v1`
			`kind: ClusterRole`
			`metadata:`
			`name: {{ include "freeleaps-secret-operator.fullname" . }}`
			`labels:`
			`{{- include "freeleaps-secret-operator.labels" . \| nindent 4 }}`
			`rules:`
			`# Core resources`
			`- apiGroups: [""]`
			`resources: ["secrets"]`
			`verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]`
			`- apiGroups: [""]`
			`resources: ["events"]`
			`verbs: ["create", "patch"]`
			`- apiGroups: [""]`
			`resources: ["configmaps"]`
			`verbs: ["get", "list", "watch"]`

			`# Custom resources - FreeleapsSecretStore (cluster-scoped)`
			`- apiGroups: ["freeleaps.com"]`
			`resources: ["freeleapssecretstores"]`
			`verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]`
			`- apiGroups: ["freeleaps.com"]`
			`resources: ["freeleapssecretstores/status"]`
			`verbs: ["get", "update", "patch"]`
			`- apiGroups: ["freeleaps.com"]`
			`resources: ["freeleapssecretstores/finalizers"]`
			`verbs: ["update"]`

			`# Custom resources - FreeleapsSecret (namespaced)`
			`- apiGroups: ["freeleaps.com"]`
			`resources: ["freeleapssecrets"]`
			`verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]`
			`- apiGroups: ["freeleaps.com"]`
			`resources: ["freeleapssecrets/status"]`
			`verbs: ["get", "update", "patch"]`
			`- apiGroups: ["freeleaps.com"]`
			`resources: ["freeleapssecrets/finalizers"]`
			`verbs: ["update"]`

			`# Kopf operator framework requirements`
			`- apiGroups: [""]`
			`resources: ["events"]`
			`verbs: ["create"]`
fix(rbac): update apiGroup for clusterkopfpeerings from 'kopf.dev' to 'zalando.org' in rbac.yaml Signed-off-by: zhenyus <zhenyus@mathmast.com> 2025-08-18 06:43:41 +00:00			`- apiGroups: ["zalando.org"]`
feat(helm): add helm package codes for secret operator Signed-off-by: zhenyus <zhenyus@mathmast.com> 2025-08-18 03:24:07 +00:00			`resources: ["clusterkopfpeerings"]`
			`verbs: ["list", "watch", "patch", "get"]`
feat(rbac): add additional apiGroup for clusterkopfpeerings in rbac.yaml - Introduced a new apiGroup 'kopf.dev' for the 'clusterkopfpeerings' resource, allowing for expanded permissions. - This change enhances the RBAC configuration to support additional functionalities. Signed-off-by: zhenyus <zhenyus@mathmast.com> 2025-08-18 06:45:21 +00:00			`- apiGroups: ["kopf.dev"]`
			`resources: ["clusterkopfpeerings"]`
			`verbs: ["list", "watch", "patch", "get"]`
feat(helm): add helm package codes for secret operator Signed-off-by: zhenyus <zhenyus@mathmast.com> 2025-08-18 03:24:07 +00:00			`- apiGroups: ["apiextensions.k8s.io"]`
			`resources: ["customresourcedefinitions"]`
			`verbs: ["list", "watch"]`
			`---`
			`apiVersion: rbac.authorization.k8s.io/v1`
			`kind: ClusterRoleBinding`
			`metadata:`
			`name: {{ include "freeleaps-secret-operator.fullname" . }}`
			`labels:`
			`{{- include "freeleaps-secret-operator.labels" . \| nindent 4 }}`
			`roleRef:`
			`apiGroup: rbac.authorization.k8s.io`
			`kind: ClusterRole`
			`name: {{ include "freeleaps-secret-operator.fullname" . }}`
			`subjects:`
			`- kind: ServiceAccount`
			`name: {{ include "freeleaps-secret-operator.serviceAccountName" . }}`
			`namespace: {{ .Release.Namespace }}`
			`{{- end }}`