fix(istio): add permissions to create tls-certificate in istio ns (#580)

* docs: customization * docs: add lifecycle to all services * docs: indentation per service * helm chart - add only needed config * fixes and adding more configurations * add missing bracket * fix(opendj): non root user permission * fix: user root can't be exploited from within the container * docs: kubernetes fixes * fix: remove ingress.class annotation and add spec.ingressClassName * fix: add ingress to all components * docs: fix typo * fix(istio): add permissions to create tls-certificate in istio ns
GluuFederation · Aug 31, 2023 · 965a7b3 · 965a7b3
1 parent ed49422
commit 965a7b3
Show file tree

Hide file tree

Showing 2 changed files with 41 additions and 1 deletion.
diff --git a/pygluu/kubernetes/templates/helm/gluu/charts/config/templates/rolebinding.yaml b/pygluu/kubernetes/templates/helm/gluu/charts/config/templates/rolebinding.yaml
@@ -16,4 +16,26 @@ subjects:
 roleRef:
   kind: Role # this must be Role or ClusterRole
   name: {{ .Release.Namespace }}-gluu-role # this must match the name of the Role or ClusterRole you wish to bind to
-  apiGroup: rbac.authorization.k8s.io
+  apiGroup: rbac.authorization.k8s.io
+
+  ---
+
+{{- if.Values.global.istio.ingress}} 
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: istio-rolebinding
+  namespace: {{.Values.global.istio.namespace | quote}} 
+{{- if .Values.additionalAnnotations }}
+  annotations:
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+subjects:
+- kind: User
+  name: system:serviceaccount:{{ .Release.Namespace }}:default # Name is case sensitive
+  apiGroup: rbac.authorization.k8s.io
+roleRef:
+  kind: Role # this must be Role or ClusterRole
+  name: {{ .Release.Namespace }}-istio-role # this must match the name of the Role or ClusterRole you wish to bind to
+  apiGroup: rbac.authorization.k8s.io
+{{- end}}
diff --git a/pygluu/kubernetes/templates/helm/gluu/charts/config/templates/roles.yaml b/pygluu/kubernetes/templates/helm/gluu/charts/config/templates/roles.yaml
@@ -13,3 +13,21 @@ rules:
 - apiGroups: [""] # "" refers to the core API group
   resources: ["configmaps", "secrets", "pods", "pods/exec"]
   verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+
+---
+
+{{- if.Values.global.istio.ingress}} 
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ .Release.Namespace }}-istio-role
+  namespace: {{.Values.global.istio.namespace | quote}} 
+{{- if .Values.additionalAnnotations }}
+  annotations:
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+rules:
+- apiGroups: [""] # "" refers to the core API group
+  resources: ["secrets"]
+  verbs: ["create", "patch"]
+{{- end}}