diff --git a/addons/rds-chart/Chart.yaml b/addons/rds-chart/Chart.yaml index 367e56a9a..7475dd8ad 100644 --- a/addons/rds-chart/Chart.yaml +++ b/addons/rds-chart/Chart.yaml @@ -1,8 +1,8 @@ apiVersion: v1 name: rds-chart description: A Helm chart for the ACK service controller for Amazon Relational Database Service (RDS) -version: 1.1.9 -appVersion: 1.1.9 +version: 1.1.10 +appVersion: 1.1.10 home: https://github.com/aws-controllers-k8s/rds-controller icon: https://raw.githubusercontent.com/aws/eks-charts/master/docs/logo/aws.png sources: diff --git a/addons/rds-chart/crds/services.k8s.aws_adoptedresources.yaml b/addons/rds-chart/crds/services.k8s.aws_adoptedresources.yaml index d8d512618..9a12ef7e6 100644 --- a/addons/rds-chart/crds/services.k8s.aws_adoptedresources.yaml +++ b/addons/rds-chart/crds/services.k8s.aws_adoptedresources.yaml @@ -161,10 +161,10 @@ spec: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string name: - description: 'Name of the referent. More info: http://kubernetes.io/docs/user-guide/identifiers#names' + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names' type: string uid: - description: 'UID of the referent. More info: http://kubernetes.io/docs/user-guide/identifiers#uids' + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids' type: string required: - apiVersion diff --git a/addons/rds-chart/templates/NOTES.txt b/addons/rds-chart/templates/NOTES.txt index ac5211da9..445a3259b 100644 --- a/addons/rds-chart/templates/NOTES.txt +++ b/addons/rds-chart/templates/NOTES.txt 
@@ -1,5 +1,5 @@ {{ .Chart.Name }} has been installed. -This chart deploys "public.ecr.aws/aws-controllers-k8s/rds-controller:1.1.9". +This chart deploys "public.ecr.aws/aws-controllers-k8s/rds-controller:1.1.10". Check its status by running: kubectl --namespace {{ .Release.Namespace }} get pods -l "app.kubernetes.io/instance={{ .Release.Name }}" diff --git a/addons/rds-chart/templates/_helpers.tpl b/addons/rds-chart/templates/_helpers.tpl index 391d5de33..40b703225 100644 --- a/addons/rds-chart/templates/_helpers.tpl +++ b/addons/rds-chart/templates/_helpers.tpl 
@@ -46,3 +46,256 @@ If release name contains chart name it will be used as a full name. {{- define "aws.credentials.path" -}} {{- printf "%s/%s" (include "aws.credentials.secret_mount_path" .) .Values.aws.credentials.secretKey -}} {{- end -}} + +{{/* The rules a of ClusterRole or Role */}} +{{- define "controller-role-rules" }} +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - patch + - watch +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - patch + - watch +- apiGroups: + - ec2.services.k8s.aws + resources: + - securitygroups + verbs: + - get + - list +- apiGroups: + - ec2.services.k8s.aws + resources: + - securitygroups/status + verbs: + - get + - list +- apiGroups: + - ec2.services.k8s.aws + resources: + - subnets + verbs: + - get + - list +- apiGroups: + - ec2.services.k8s.aws + resources: + - subnets/status + verbs: + - get + - list +- apiGroups: + - kms.services.k8s.aws + resources: + - keys + verbs: + - get + - list +- apiGroups: + - kms.services.k8s.aws + resources: + - keys/status + verbs: + - get + - list +- apiGroups: + - rds.services.k8s.aws + resources: + - dbclusterparametergroups + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - rds.services.k8s.aws + resources: + - dbclusterparametergroups/status + verbs: + - get + - patch + - update +- apiGroups: + - rds.services.k8s.aws + resources: + - dbclusters + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - rds.services.k8s.aws + resources: + - dbclusters/status + verbs: + - get + - patch + - update +- apiGroups: + - rds.services.k8s.aws + resources: + - dbinstances + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - rds.services.k8s.aws + resources: + - dbinstances/status + verbs: + - get + - patch + - update +- apiGroups: + 
- rds.services.k8s.aws + resources: + - dbparametergroups + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - rds.services.k8s.aws + resources: + - dbparametergroups/status + verbs: + - get + - patch + - update +- apiGroups: + - rds.services.k8s.aws + resources: + - dbproxies + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - rds.services.k8s.aws + resources: + - dbproxies/status + verbs: + - get + - patch + - update +- apiGroups: + - rds.services.k8s.aws + resources: + - dbsubnetgroups + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - rds.services.k8s.aws + resources: + - dbsubnetgroups/status + verbs: + - get + - patch + - update +- apiGroups: + - rds.services.k8s.aws + resources: + - globalclusters + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - rds.services.k8s.aws + resources: + - globalclusters/status + verbs: + - get + - patch + - update +- apiGroups: + - services.k8s.aws + resources: + - adoptedresources + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - services.k8s.aws + resources: + - adoptedresources/status + verbs: + - get + - patch + - update +- apiGroups: + - services.k8s.aws + resources: + - fieldexports + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - services.k8s.aws + resources: + - fieldexports/status + verbs: + - get + - patch + - update +{{- end }} \ No newline at end of file diff --git a/addons/rds-chart/templates/caches-role-binding.yaml b/addons/rds-chart/templates/caches-role-binding.yaml new file mode 100644 index 000000000..b862b2048 --- /dev/null +++ b/addons/rds-chart/templates/caches-role-binding.yaml 
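Review bot: The comment above `controller-role-rules` in _helpers.tpl is garbled ("The rules a of ClusterRole or Role") and does not say that this single list is now bound at two scopes, which matters because it carries `get`/`list`/`patch`/`watch` on `secrets` and `configmaps`. I would replace it with `{{/* RBAC rules shared by the controller ClusterRole (installScope "cluster") and by the Role rendered in each watched namespace; grants read and patch on secrets and configmaps. */}}`. It is also worth noting there that `namespaces` is a cluster-scoped resource, so that rule takes effect only through the ClusterRole and not through a namespaced Role. The define block is complete within this hunk.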
@@ -0,0 +1,26 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: ack-namespaces-cache-rds-controller +roleRef: + kind: ClusterRole + apiGroup: rbac.authorization.k8s.io + name: ack-namespaces-cache-rds-controller +subjects: +- kind: ServiceAccount + name: ack-rds-controller + namespace: {{ .Release.Namespace }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: ack-configmaps-cache-rds-controller + namespace: {{ .Release.Namespace }} +roleRef: + kind: Role + apiGroup: rbac.authorization.k8s.io + name: ack-configmaps-cache-rds-controller +subjects: +- kind: ServiceAccount + name: ack-rds-controller + namespace: {{ .Release.Namespace }} \ No newline at end of file diff --git a/addons/rds-chart/templates/caches-role.yaml b/addons/rds-chart/templates/caches-role.yaml new file mode 100644 index 000000000..8266d3b12 --- /dev/null +++ b/addons/rds-chart/templates/caches-role.yaml @@ -0,0 +1,28 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: ack-namespaces-cache-rds-controller +rules: +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: ack-configmaps-cache-rds-controller + namespace: {{ .Release.Namespace }} +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch \ No newline at end of file diff --git a/addons/rds-chart/templates/cluster-role-binding.yaml b/addons/rds-chart/templates/cluster-role-binding.yaml index 8f64d7100..5620f9b9e 100644 --- a/addons/rds-chart/templates/cluster-role-binding.yaml +++ b/addons/rds-chart/templates/cluster-role-binding.yaml 
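Review bot: Both subjects in caches-role-binding.yaml hard-code `name: ack-rds-controller`, while cluster-role-binding.yaml in this same commit resolves the subject with `{{ include "service-account.name" . }}`. If the service account name can be overridden through values, as the helper suggests, the cache ClusterRole and Role end up bound to a name the controller does not run as. Any other ServiceAccount called `ack-rds-controller` in the release namespace would then receive the namespaces/configmaps read access instead. Use `name: {{ include "service-account.name" . }}` in both subjects so the two binding files cannot drift apart.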
@@ -1,21 +1,35 @@ -apiVersion: rbac.authorization.k8s.io/v1 {{ if eq .Values.installScope "cluster" }} +apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: {{ include "app.fullname" . }} roleRef: kind: ClusterRole -{{ else }} + apiGroup: rbac.authorization.k8s.io + name: ack-rds-controller +subjects: +- kind: ServiceAccount + name: {{ include "service-account.name" . }} + namespace: {{ .Release.Namespace }} +{{ else if .Values.watchNamespace }} +{{ $namespaces := split "," .Values.watchNamespace }} +{{ $fullname := include "app.fullname" . }} +{{ $releaseNamespace := .Release.Namespace }} +{{ $serviceAccountName := include "service-account.name" . }} +{{ range $namespaces }} +--- +apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: {{ include "app.fullname" . }} - namespace: {{ .Release.Namespace }} + name: {{ $fullname }} + namespace: {{ . }} roleRef: kind: Role -{{ end }} apiGroup: rbac.authorization.k8s.io name: ack-rds-controller subjects: - kind: ServiceAccount - name: {{ include "service-account.name" . }} - namespace: {{ .Release.Namespace }} + name: {{ $serviceAccountName }} + namespace: {{ $releaseNamespace }} +{{ end }} +{{ end }} \ No newline at end of file diff --git a/addons/rds-chart/templates/cluster-role-controller.yaml b/addons/rds-chart/templates/cluster-role-controller.yaml index ade910d4b..cd6c1c3ca 100644 --- a/addons/rds-chart/templates/cluster-role-controller.yaml +++ b/addons/rds-chart/templates/cluster-role-controller.yaml 
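Review bot: With `installScope: namespace` and the default `watchNamespace: ""`, the new `{{ else if .Values.watchNamespace }}` branch in cluster-role-binding.yaml renders no RoleBinding at all. The values.yaml comment in this commit still says an empty value defaults to the release namespace, and the old `{{ else }}` branch always bound the service account in `.Release.Namespace`. In that configuration the controller would now run without its namespaced permissions; how it reacts is not visible from this diff. Consider keeping a plain `{{ else }}` and using `{{ $namespaces := split "," (default .Release.Namespace .Values.watchNamespace) }}`. The cluster-role-controller.yaml hunk uses the same condition, so the Role is skipped as well.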
@@ -1,270 +1,28 @@ -apiVersion: rbac.authorization.k8s.io/v1 +{{ $labels := .Values.role.labels }} +{{ $rules := include "controller-role-rules" . }} {{ if eq .Values.installScope "cluster" }} +apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - creationTimestamp: null name: ack-rds-controller labels: - {{- range $key, $value := .Values.role.labels }} + {{- range $key, $value := $labels }} {{ $key }}: {{ $value | quote }} {{- end }} -{{ else }} +{{- $rules }} +{{ else if .Values.watchNamespace }} +{{ $namespaces := split "," .Values.watchNamespace }} +{{ range $namespaces }} +--- +apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - creationTimestamp: null name: ack-rds-controller + namespace: {{ . }} labels: - {{- range $key, $value := .Values.role.labels }} + {{- range $key, $value := $labels }} {{ $key }}: {{ $value | quote }} {{- end }} - namespace: {{ .Release.Namespace }} +{{- $rules }} {{ end }} -rules: -- apiGroups: - - "" - resources: - - configmaps - verbs: - - get - - list - - patch - - watch -- apiGroups: - - "" - resources: - - namespaces - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - secrets - verbs: - - get - - list - - patch - - watch -- apiGroups: - - ec2.services.k8s.aws - resources: - - securitygroups - verbs: - - get - - list -- apiGroups: - - ec2.services.k8s.aws - resources: - - securitygroups/status - verbs: - - get - - list -- apiGroups: - - ec2.services.k8s.aws - resources: - - subnets - verbs: - - get - - list -- apiGroups: - - ec2.services.k8s.aws - resources: - - subnets/status - verbs: - - get - - list -- apiGroups: - - kms.services.k8s.aws - resources: - - keys - verbs: - - get - - list -- apiGroups: - - kms.services.k8s.aws - resources: - - keys/status - verbs: - - get - - list -- apiGroups: - - rds.services.k8s.aws - resources: - - dbclusterparametergroups - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - rds.services.k8s.aws - 
resources: - - dbclusterparametergroups/status - verbs: - - get - - patch - - update -- apiGroups: - - rds.services.k8s.aws - resources: - - dbclusters - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - rds.services.k8s.aws - resources: - - dbclusters/status - verbs: - - get - - patch - - update -- apiGroups: - - rds.services.k8s.aws - resources: - - dbinstances - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - rds.services.k8s.aws - resources: - - dbinstances/status - verbs: - - get - - patch - - update -- apiGroups: - - rds.services.k8s.aws - resources: - - dbparametergroups - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - rds.services.k8s.aws - resources: - - dbparametergroups/status - verbs: - - get - - patch - - update -- apiGroups: - - rds.services.k8s.aws - resources: - - dbproxies - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - rds.services.k8s.aws - resources: - - dbproxies/status - verbs: - - get - - patch - - update -- apiGroups: - - rds.services.k8s.aws - resources: - - dbsubnetgroups - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - rds.services.k8s.aws - resources: - - dbsubnetgroups/status - verbs: - - get - - patch - - update -- apiGroups: - - rds.services.k8s.aws - resources: - - globalclusters - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - rds.services.k8s.aws - resources: - - globalclusters/status - verbs: - - get - - patch - - update -- apiGroups: - - services.k8s.aws - resources: - - adoptedresources - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - services.k8s.aws - resources: - - adoptedresources/status - verbs: - - get - - patch - - update -- apiGroups: - - services.k8s.aws - resources: - - fieldexports - verbs: 
- - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - services.k8s.aws - resources: - - fieldexports/status - verbs: - - get - - patch - - update +{{ end }} \ No newline at end of file diff --git a/addons/rds-chart/templates/role-writer.yaml b/addons/rds-chart/templates/role-writer.yaml index f004dcede..988b0276f 100644 --- a/addons/rds-chart/templates/role-writer.yaml +++ b/addons/rds-chart/templates/role-writer.yaml @@ -10,19 +10,12 @@ rules: - rds.services.k8s.aws resources: - dbclusters - - dbclusterparametergroups - - dbinstances - - dbparametergroups - - dbproxies - - dbsubnetgroups - - globalclusters - verbs: - create - delete diff --git a/addons/rds-chart/values.yaml b/addons/rds-chart/values.yaml index 4690e4434..f4f541fd4 100644 --- a/addons/rds-chart/values.yaml +++ b/addons/rds-chart/values.yaml @@ -4,7 +4,7 @@ image: repository: public.ecr.aws/aws-controllers-k8s/rds-controller - tag: 1.1.9 + tag: 1.1.10 pullPolicy: IfNotPresent pullSecrets: [] @@ -107,6 +107,7 @@ installScope: cluster # Set the value of the "namespace" to be watched by the controller # This value is only used when the `installScope` is set to "namespace". If left empty, the default value is the release namespace for the chart. +# You can set multiple namespaces by providing a comma separated list of namespaces. e.g "namespace1,namespace2" watchNamespace: "" resourceTags:
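Review bot: In cluster-role-controller.yaml each element of `split "," .Values.watchNamespace` is written to `namespace: {{ . }}` unquoted and unchecked. An empty element (a trailing comma, or `"a,,b"`) therefore renders a null namespace, and a numeric-looking name is retyped by the YAML parser. Every Role produced by this loop carries the full rule set including secrets access, so the namespace it lands in should be explicit; where a null namespace ends up is not shown here and is worth confirming. Trim and quote each entry and skip empty ones, for example `{{ $ns := trim . }}`, an `{{ if $ns }}` guard around the document, and `namespace: {{ $ns | quote }}`. The RoleBinding loop in cluster-role-binding.yaml follows the same pattern and needs the same treatment.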