freeleaps-ops/freeleaps-devops-reconciler/helm-pkg/reconciler/templates/rbac.yaml

{{- if .Values.rbac.create -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ include "freeleaps-devops-reconciler.fullname" . }}
  labels:
    {{- include "freeleaps-devops-reconciler.labels" . | nindent 4 }}
rules:
  # Core Kubernetes resources
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
  - apiGroups: [""]
    resources: ["secrets", "configmaps"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: [""]
    resources: ["namespaces"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["services"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  
  # Apps resources
  - apiGroups: ["apps"]
    resources: ["deployments", "replicasets"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  
  # Networking resources
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: ["networking.k8s.io"]
    resources: ["networkpolicies"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  
  # cert-manager resources
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates", "certificaterequests", "issuers", "clusterissuers"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  
  # Argo CD resources
  - apiGroups: ["argoproj.io"]
    resources: ["applications", "appprojects"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  
  # Custom resources - FreeleapsDevOps
  - apiGroups: ["freeleaps.com"]
    resources: ["devopsprojects", "argosettings", "jenkinssettings", "containerregistries", "gitcredentials", "deploymentrecords", "ingressresources"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: ["freeleaps.com"]
    resources: ["devopsprojects/status", "argosettings/status", "jenkinssettings/status", "containerregistries/status", "gitcredentials/status", "deploymentrecords/status", "ingressresources/status"]
    verbs: ["get", "update", "patch"]
  - apiGroups: ["freeleaps.com"]
    resources: ["devopsprojects/finalizers", "argosettings/finalizers", "jenkinssettings/finalizers", "containerregistries/finalizers", "gitcredentials/finalizers", "deploymentrecords/finalizers", "ingressresources/finalizers"]
    verbs: ["update"]
  
  # Kopf framework requirements
  - apiGroups: ["zalando.org"]
    resources: ["kopfpeerings"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["get", "list", "watch"]
  
  # Additional rules from values
  {{- with .Values.rbac.additionalRules }}
  {{- toYaml . | nindent 2 }}
  {{- end }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ include "freeleaps-devops-reconciler.fullname" . }}
  labels:
    {{- include "freeleaps-devops-reconciler.labels" . | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ include "freeleaps-devops-reconciler.fullname" . }}
subjects:
  - kind: ServiceAccount
    name: {{ include "freeleaps-devops-reconciler.serviceAccountName" . }}
    namespace: {{ .Release.Namespace }}
{{- end }}
refactor(devsvc): restructure reconciler Helm chart and remove deprecated files - Deleted Jenkinsfile as CI/CD configuration is now handled differently. - Updated Chart.yaml to reflect new service name and versioning. - Enhanced values.yaml and values.alpha.yaml with comprehensive operator configuration and environment settings. - Removed obsolete templates for deployment, service, ingress, and monitoring. - Streamlined configuration for RabbitMQ, Jenkins, and ArgoCD integration. Signed-off-by: zhenyus <zhenyus@mathmast.com> 2025-07-31 15:21:24 +00:00			`{{- if .Values.rbac.create -}}`
			`apiVersion: rbac.authorization.k8s.io/v1`
			`kind: ClusterRole`
			`metadata:`
			`name: {{ include "freeleaps-devops-reconciler.fullname" . }}`
			`labels:`
			`{{- include "freeleaps-devops-reconciler.labels" . \| nindent 4 }}`
			`rules:`
			`# Core Kubernetes resources`
			`- apiGroups: [""]`
			`resources: ["events"]`
			`verbs: ["create", "patch"]`
			`- apiGroups: [""]`
			`resources: ["secrets", "configmaps"]`
			`verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]`
			`- apiGroups: [""]`
			`resources: ["namespaces"]`
			`verbs: ["get", "list", "watch"]`
			`- apiGroups: [""]`
			`resources: ["services"]`
			`verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]`

			`# Apps resources`
			`- apiGroups: ["apps"]`
			`resources: ["deployments", "replicasets"]`
			`verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]`

			`# Networking resources`
			`- apiGroups: ["networking.k8s.io"]`
			`resources: ["ingresses"]`
			`verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]`
			`- apiGroups: ["networking.k8s.io"]`
			`resources: ["networkpolicies"]`
			`verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]`

			`# cert-manager resources`
			`- apiGroups: ["cert-manager.io"]`
			`resources: ["certificates", "certificaterequests", "issuers", "clusterissuers"]`
			`verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]`

			`# Argo CD resources`
			`- apiGroups: ["argoproj.io"]`
			`resources: ["applications", "appprojects"]`
			`verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]`

			`# Custom resources - FreeleapsDevOps`
			`- apiGroups: ["freeleaps.com"]`
			`resources: ["devopsprojects", "argosettings", "jenkinssettings", "containerregistries", "gitcredentials", "deploymentrecords", "ingressresources"]`
			`verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]`
			`- apiGroups: ["freeleaps.com"]`
			`resources: ["devopsprojects/status", "argosettings/status", "jenkinssettings/status", "containerregistries/status", "gitcredentials/status", "deploymentrecords/status", "ingressresources/status"]`
			`verbs: ["get", "update", "patch"]`
			`- apiGroups: ["freeleaps.com"]`
			`resources: ["devopsprojects/finalizers", "argosettings/finalizers", "jenkinssettings/finalizers", "containerregistries/finalizers", "gitcredentials/finalizers", "deploymentrecords/finalizers", "ingressresources/finalizers"]`
			`verbs: ["update"]`

			`# Kopf framework requirements`
			`- apiGroups: ["zalando.org"]`
			`resources: ["kopfpeerings"]`
			`verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]`
			`- apiGroups: ["apiextensions.k8s.io"]`
			`resources: ["customresourcedefinitions"]`
			`verbs: ["get", "list", "watch"]`

			`# Additional rules from values`
			`{{- with .Values.rbac.additionalRules }}`
			`{{- toYaml . \| nindent 2 }}`
			`{{- end }}`
			`---`
			`apiVersion: rbac.authorization.k8s.io/v1`
			`kind: ClusterRoleBinding`
			`metadata:`
			`name: {{ include "freeleaps-devops-reconciler.fullname" . }}`
			`labels:`
			`{{- include "freeleaps-devops-reconciler.labels" . \| nindent 4 }}`
			`roleRef:`
			`apiGroup: rbac.authorization.k8s.io`
			`kind: ClusterRole`
			`name: {{ include "freeleaps-devops-reconciler.fullname" . }}`
			`subjects:`
			`- kind: ServiceAccount`
			`name: {{ include "freeleaps-devops-reconciler.serviceAccountName" . }}`
			`namespace: {{ .Release.Namespace }}`
			`{{- end }}`