infrastructure-provisioning/terraform/gcp/ssn-gke/main/modules/helm_charts/step-ca-chart/templates/rbac.yaml - incubator-datalab - Git at Google

 {{- if .Release.IsInstall -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name: {{ include "step-certificates.fullname" . }}-config
   namespace: {{.Release.Namespace}}
   labels:
     helm.sh/chart: {{ include "step-certificates.chart" . }}
     app.kubernetes.io/name: {{ include "step-certificates.name" . }}
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/managed-by: {{ .Release.Service }}
     app.kubernetes.io/version: {{ .Chart.AppVersion }}
 rules:
 - apiGroups: [""]
   resources: ["secrets", "configmaps"]
   verbs: ["get", "create", "update", "patch"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: {{ include "step-certificates.fullname" . }}-config
   namespace: {{.Release.Namespace}}
   labels:
     helm.sh/chart: {{ include "step-certificates.chart" . }}
     app.kubernetes.io/name: {{ include "step-certificates.name" . }}
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/managed-by: {{ .Release.Service }}
     app.kubernetes.io/version: {{ .Chart.AppVersion }}
 subjects:
 - kind: ServiceAccount
   name: {{ include "step-certificates.fullname" . }}-config
   namespace: {{.Release.Namespace}}
 roleRef:
   kind: Role
   name: {{ include "step-certificates.fullname" . }}-config
   apiGroup: rbac.authorization.k8s.io
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: {{ include "step-certificates.fullname" . }}-config
   labels:
     helm.sh/chart: {{ include "step-certificates.chart" . }}
     app.kubernetes.io/name: {{ include "step-certificates.name" . }}
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/managed-by: {{ .Release.Service }}
     app.kubernetes.io/version: {{ .Chart.AppVersion }}
 rules:
 - apiGroups: ["admissionregistration.k8s.io"]
   resources: ["mutatingwebhookconfigurations"]
   verbs: ["get", "create", "update", "patch"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: {{ include "step-certificates.fullname" . }}-config
   namespace: {{.Release.Namespace}}
   labels:
     helm.sh/chart: {{ include "step-certificates.chart" . }}
     app.kubernetes.io/name: {{ include "step-certificates.name" . }}
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/managed-by: {{ .Release.Service }}
     app.kubernetes.io/version: {{ .Chart.AppVersion }}
 subjects:
 - kind: ServiceAccount
   name: {{ include "step-certificates.fullname" . }}-config
   namespace: {{.Release.Namespace}}
 roleRef:
   kind: ClusterRole
   name: {{ include "step-certificates.fullname" . }}-config
   apiGroup: rbac.authorization.k8s.io
 {{- end -}}
	{{- if .Release.IsInstall -}}
	apiVersion: rbac.authorization.k8s.io/v1
	kind: Role
	metadata:
	name: {{ include "step-certificates.fullname" . }}-config
	namespace: {{.Release.Namespace}}
	labels:
	helm.sh/chart: {{ include "step-certificates.chart" . }}
	app.kubernetes.io/name: {{ include "step-certificates.name" . }}
	app.kubernetes.io/instance: {{ .Release.Name }}
	app.kubernetes.io/managed-by: {{ .Release.Service }}
	app.kubernetes.io/version: {{ .Chart.AppVersion }}
	rules:
	- apiGroups: [""]
	resources: ["secrets", "configmaps"]
	verbs: ["get", "create", "update", "patch"]
	---
	apiVersion: rbac.authorization.k8s.io/v1
	kind: RoleBinding
	metadata:
	name: {{ include "step-certificates.fullname" . }}-config
	namespace: {{.Release.Namespace}}
	labels:
	helm.sh/chart: {{ include "step-certificates.chart" . }}
	app.kubernetes.io/name: {{ include "step-certificates.name" . }}
	app.kubernetes.io/instance: {{ .Release.Name }}
	app.kubernetes.io/managed-by: {{ .Release.Service }}
	app.kubernetes.io/version: {{ .Chart.AppVersion }}
	subjects:
	- kind: ServiceAccount
	name: {{ include "step-certificates.fullname" . }}-config
	namespace: {{.Release.Namespace}}
	roleRef:
	kind: Role
	name: {{ include "step-certificates.fullname" . }}-config
	apiGroup: rbac.authorization.k8s.io
	---
	apiVersion: rbac.authorization.k8s.io/v1
	kind: ClusterRole
	metadata:
	name: {{ include "step-certificates.fullname" . }}-config
	labels:
	helm.sh/chart: {{ include "step-certificates.chart" . }}
	app.kubernetes.io/name: {{ include "step-certificates.name" . }}
	app.kubernetes.io/instance: {{ .Release.Name }}
	app.kubernetes.io/managed-by: {{ .Release.Service }}
	app.kubernetes.io/version: {{ .Chart.AppVersion }}
	rules:
	- apiGroups: ["admissionregistration.k8s.io"]
	resources: ["mutatingwebhookconfigurations"]
	verbs: ["get", "create", "update", "patch"]
	---
	apiVersion: rbac.authorization.k8s.io/v1
	kind: ClusterRoleBinding
	metadata:
	name: {{ include "step-certificates.fullname" . }}-config
	namespace: {{.Release.Namespace}}
	labels:
	helm.sh/chart: {{ include "step-certificates.chart" . }}
	app.kubernetes.io/name: {{ include "step-certificates.name" . }}
	app.kubernetes.io/instance: {{ .Release.Name }}
	app.kubernetes.io/managed-by: {{ .Release.Service }}
	app.kubernetes.io/version: {{ .Chart.AppVersion }}
	subjects:
	- kind: ServiceAccount
	name: {{ include "step-certificates.fullname" . }}-config
	namespace: {{.Release.Namespace}}
	roleRef:
	kind: ClusterRole
	name: {{ include "step-certificates.fullname" . }}-config
	apiGroup: rbac.authorization.k8s.io
	{{- end -}}