feat: Add RBAC rules for Kubernetes Deployment tests (#2307)

flanksource · Nov 5, 2024 · 394c1d7 · 394c1d7
1 parent 24e949f
commit 394c1d7
Show file tree

Hide file tree

Showing 6 changed files with 36 additions and 2 deletions.
diff --git a/chart/README.md b/chart/README.md
@@ -93,6 +93,7 @@ Kubernetes native, multi-tenant synthetic monitoring system
 | serviceAccount.rbac.exec | bool | `true` |  |
 | serviceAccount.rbac.ingressCreateAndDelete | bool | `true` | for pod canary |
 | serviceAccount.rbac.namespaceCreateAndDelete | bool | `true` | for namespace canary |
+| serviceAccount.rbac.deploymentCreateAndDelete | bool | `true` | for deployment canary |
 | serviceAccount.rbac.podsCreateAndDelete | bool | `true` | for pod and junit canaries |
 | serviceAccount.rbac.readAll | bool | `true` | for use with kubernetes resource lookups |
 | serviceAccount.rbac.secrets | bool | `true` | for secret management with valueFrom |

diff --git a/chart/ci/full-values.yaml b/chart/ci/full-values.yaml
@@ -73,6 +73,7 @@ serviceAccount:
     exec: true
     ingressCreateAndDelete: true
     namespaceCreateAndDelete: true
+    deploymentCreateAndDelete: true
     podsCreateAndDelete: true
     readAll: true
     secrets: true

diff --git a/chart/templates/rbac.yaml b/chart/templates/rbac.yaml
@@ -104,6 +104,20 @@ rules:
     verbs:
       - "*"
   {{- end}}
+  {{- if .Values.serviceAccount.rbac.deploymentCreateAndDelete }}
+  - apiGroups:
+      - "apps"
+    resources:
+      - deployments
+    verbs:
+      - get
+      - list
+      - watch
+      - create
+      - update
+      - patch
+      - delete
+  {{- end }}
   {{- if .Values.serviceAccount.rbac.extra }}
   {{ .Values.serviceAccount.rbac.extra | toYaml | nindent 2 }}
   {{- end}}

diff --git a/chart/values.schema.deref.json b/chart/values.schema.deref.json
@@ -4471,6 +4471,12 @@
               "title": "namespaceCreateAndDelete",
               "type": "boolean"
             },
+            "deploymentCreateAndDelete": {
+              "default": true,
+              "description": "for deployment canary",
+              "title": "deploymentCreateAndDelete",
+              "type": "boolean"
+            },
             "podsCreateAndDelete": {
               "default": true,
               "description": "for pod and junit canaries",
@@ -4508,7 +4514,8 @@
             "podsCreateAndDelete",
             "exec",
             "ingressCreateAndDelete",
-            "namespaceCreateAndDelete"
+            "namespaceCreateAndDelete",
+            "deploymentCreateAndDelete"          
           ],
           "title": "rbac"
         }

diff --git a/chart/values.schema.json b/chart/values.schema.json
@@ -527,6 +527,13 @@
               "title": "namespaceCreateAndDelete",
               "type": "boolean"
             },
+            "deploymentCreateAndDelete": {
+              "default": true,
+              "description": "for deployment canary",
+              "required": [],
+              "title": "deploymentCreateAndDelete",
+              "type": "boolean"
+            },
             "podsCreateAndDelete": {
               "default": true,
               "description": "for pod and junit canaries",
@@ -564,7 +571,8 @@
             "podsCreateAndDelete",
             "exec",
             "ingressCreateAndDelete",
-            "namespaceCreateAndDelete"
+            "namespaceCreateAndDelete",
+            "deploymentCreateAndDelete"
           ],
           "title": "rbac"
         }

diff --git a/chart/values.yaml b/chart/values.yaml
@@ -430,6 +430,9 @@ serviceAccount:
     # -- for namespace canary
     namespaceCreateAndDelete: true
 
+    # -- for deployment canary
+    deploymentCreateAndDelete: true
+
     # @schema
     # required: false
     # default: []