fix tenant

2026-03-22 05:41:23 +00:00 · 2024-01-05 10:47:48 +01:00
parent 2b953782aa
commit 34de76aa97
3 changed files with 6 additions and 101 deletions
--- a/packages/apps/tenant/templates/tenant.yaml
+++ b/packages/apps/tenant/templates/tenant.yaml
@@ -2,7 +2,7 @@
 {{- fail (printf "Release name should not contain dashes: %s" .Release.Name) }}
 {{- end }}
 {{- $tenantName := (printf "tenant-%s" .Release.Name) }}
-{{- if hasPrefix "tenant-" .Release.Namespace }}
+{{- if and (ne .Release.Namespace "tenant-root") (hasPrefix "tenant-" .Release.Namespace) }}
 {{- $tenantName = (printf "%s-%s" .Release.Namespace .Release.Name) }}
 {{- end }}
 ---
@@ -45,6 +45,11 @@ metadata:
  name: {{ $tenantName }}
  namespace: {{ $tenantName }}
 subjects:
+{{- if ne .Release.Namespace "tenant-root" }}
+- kind: ServiceAccount
+  name: tenant-root
+  namespace: tenant-root
+{{- end }}
 {{- if hasPrefix "tenant-" .Release.Namespace }}
 {{- $parts := splitList "-" .Release.Namespace }}
 {{- range $i, $v := $parts }}
--- a/packages/system/kubeapps/1.yaml
+++ b/packages/system/kubeapps/1.yaml
@@ -1,27 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: admin
-  namespace: kube-system
---
-apiVersion: v1
-kind: Secret
-type: kubernetes.io/service-account-token
-metadata:
-  name: admin-sa-token
-  namespace: kube-system
-  annotations:
-    kubernetes.io/service-account.name: admin
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: admin
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: cluster-admin
-subjects:
- kind: ServiceAccount
-  name: admin
-  namespace: kube-system
--- a/packages/system/kubeapps/2.yaml
+++ b/packages/system/kubeapps/2.yaml
@@ -1,73 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: tenant-client1
---
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: client1
-  namespace: tenant-client1
---
-apiVersion: v1
-kind: Secret
-metadata:
-  name: client1-token
-  namespace: tenant-client1
-  annotations:
-    kubernetes.io/service-account.name: client1
-type: kubernetes.io/service-account-token
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: tenant-admin
-  namespace: tenant-client1
-rules:
- apiGroups: [""]
-  resources: ["*"]
-  verbs: ["get", "list", "watch", "create", "update", "patch"]
- apiGroups: ["helm.toolkit.fluxcd.io"]
-  resources: ["helmreleases"]
-  verbs: ["*"]
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: tenant-admin-binding
-  namespace: tenant-client1
-subjects:
- kind: ServiceAccount
-  name: client1
-  namespace: tenant-client1
-roleRef:
-  kind: Role
-  name: tenant-admin
-  apiGroup: rbac.authorization.k8s.io
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: list-apps
-  namespace: cozy-public
-rules:
- apiGroups: ["source.toolkit.fluxcd.io"]
-  resources: ["helmrepositories"]
-  verbs: ["get", "list"]
- apiGroups: ["source.toolkit.fluxcd.io"]
-  resources: ["helmcharts"]
-  verbs: ["*"]
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: tenant-admin-binding
-  namespace: cozy-public
-subjects:
- kind: ServiceAccount
-  name: client1
-  namespace: tenant-client1
-roleRef:
-  kind: Role
-  name: list-apps
-  apiGroup: rbac.authorization.k8s.io