mirror of
https://github.com/bjw-s-labs/helm-charts.git
synced 2025-07-04 17:07:04 +02:00
a01a89cb13
Co-authored-by: lab-assistant[bot] <180935599+lab-assistant[bot]@users.noreply.github.com>
76 lines
2.7 KiB
Smarty
76 lines
2.7 KiB
Smarty
{{/*
|
|
This template serves as a blueprint for generating RoleBinding objects in Kubernetes.
|
|
*/}}
|
|
{{- define "bjw-s.common.class.rbac.roleBinding" -}}
|
|
{{- $rootContext := .rootContext -}}
|
|
{{- $roleBindingObject := .object -}}
|
|
|
|
{{- $labels := merge
|
|
($roleBindingObject.labels | default dict)
|
|
(include "bjw-s.common.lib.metadata.allLabels" $rootContext | fromYaml)
|
|
-}}
|
|
{{- $annotations := merge
|
|
($roleBindingObject.annotations | default dict)
|
|
(include "bjw-s.common.lib.metadata.globalAnnotations" $rootContext | fromYaml)
|
|
-}}
|
|
{{- $subjects := list -}}
|
|
{{- with $roleBindingObject.subjects -}}
|
|
{{- range $subject := . -}}
|
|
{{- if hasKey . "identifier" -}}
|
|
{{- $subject := include "bjw-s.common.lib.serviceAccount.getByIdentifier" (dict "rootContext" $rootContext "id" .identifier) | fromYaml -}}
|
|
{{- if not $subject }}
|
|
{{- fail (printf "No enabled ServiceAccount found with this identifier. (rolebinding: '%s', identifier: '%s')" $roleBindingObject.identifier .identifier) -}}
|
|
{{- end -}}
|
|
{{- $subject = pick $subject "name" -}}
|
|
{{- $_ := set $subject "kind" "ServiceAccount" -}}
|
|
{{- $_ := set $subject "namespace" $rootContext.Release.Namespace -}}
|
|
{{- $subjects = mustAppend $subjects $subject -}}
|
|
{{- else -}}
|
|
{{- $subject := dict "name" .name "kind" .kind "namespace" .namespace -}}
|
|
{{- $subjects = mustAppend $subjects $subject -}}
|
|
{{- end -}}
|
|
{{- end -}}
|
|
{{- $subjects = $subjects | uniq | toYaml -}}
|
|
{{- end -}}
|
|
|
|
{{- $role := dict -}}
|
|
{{- with $roleBindingObject.roleRef -}}
|
|
{{- if hasKey . "identifier" -}}
|
|
{{- $role = include "bjw-s.common.lib.rbac.role.getByIdentifier" (dict "rootContext" $rootContext "id" .identifier) | fromYaml -}}
|
|
{{- else -}}
|
|
{{- $_ := set $role "name" .name -}}
|
|
{{- $_ := set $role "type" .kind -}}
|
|
{{- end -}}
|
|
{{- end -}}
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
{{ with $roleBindingObject.type -}}
|
|
kind: {{ . }}
|
|
{{ end -}}
|
|
metadata:
|
|
name: {{ $roleBindingObject.name }}
|
|
{{- with $labels }}
|
|
labels:
|
|
{{- range $key, $value := . }}
|
|
{{- printf "%s: %s" $key (tpl $value $rootContext | toYaml ) | nindent 4 }}
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- with $annotations }}
|
|
annotations:
|
|
{{- range $key, $value := . }}
|
|
{{- printf "%s: %s" $key (tpl $value $rootContext | toYaml ) | nindent 4 }}
|
|
{{- end }}
|
|
{{- end }}
|
|
{{ if eq $roleBindingObject.type "RoleBinding" -}}
|
|
namespace: {{ $rootContext.Release.Namespace }}
|
|
{{- end }}
|
|
roleRef:
|
|
kind: {{ $role.type }}
|
|
name: {{ $role.name }}
|
|
apiGroup: rbac.authorization.k8s.io
|
|
{{ with $subjects -}}
|
|
subjects: {{- tpl . $rootContext | nindent 2 }}
|
|
|
|
{{- end -}}
|
|
|
|
{{- end -}}
|