| {{- $auth := .Values.auth -}} |
| {{- $authz := .Values.auth.authorization -}} |
| {{- $authc := .Values.auth.authentication -}} |
| {{- if $auth.enabled }} |
| apiVersion: v1 |
| kind: ServiceAccount |
| metadata: |
| name: {{ template "cp.name" . }}-sa |
| namespace: {{ template "system.namespaces" . }} |
| --- |
| apiVersion: {{ include "rbac.apiVersion" . }} |
| kind: ClusterRole |
| metadata: |
| name: {{ include "cp.name" . }}-clusterrole |
| rules: |
| - apiGroups: |
| - "" |
| resources: |
| - namespaces |
| verbs: |
| - get |
| --- |
| apiVersion: {{ include "rbac.apiVersion" . }} |
| kind: ClusterRoleBinding |
| metadata: |
| name: {{ include "cp.name" . }}-clusterrolebinding |
| roleRef: |
| apiGroup: rbac.authorization.k8s.io |
| kind: ClusterRole |
| name: {{ include "cp.name" . }}-clusterrole |
| subjects: |
| - kind: ServiceAccount |
| name: {{ template "cp.name" . }}-sa |
| namespace: {{ template "system.namespaces" . }} |
| --- |
| apiVersion: dubbo.apache.org/v1alpha1 |
| kind: AuthenticationPolicy |
| metadata: |
| name: {{ template "cp.name" . }}-authentication |
| namespace: {{ template "system.namespaces" . }} |
| spec: |
| action: {{ $authc.action }} |
| PortLevel: |
| - port: {{ $authc.port }} |
| selector: |
| - namespaces: ["dubbo-system"] |
| --- |
| apiVersion: dubbo.apache.org/v1alpha1 |
| kind: AuthorizationPolicy |
| metadata: |
| name: {{ template "cp.name" . }}-authorization |
| namespace: {{ template "system.namespaces" . }} |
| spec: |
| action: {{ $authz.action }} |
| matchType: {{ $authz.matchType }} |
| rules: |
| - from: |
| namespaces: ["dubbo-system"] |
| samples: {{ $authz.samples }} |
| {{- end }} |
| |
