From 34de76aa970f9e5f255af64c79af754077c2058e Mon Sep 17 00:00:00 2001
From: Andrei Kvapil
Date: Fri, 5 Jan 2024 10:47:48 +0100
Subject: [PATCH] fix tenant
---
 packages/apps/tenant/templates/tenant.yaml | 7 ++-
 packages/system/kubeapps/1.yaml | 27 --------
 packages/system/kubeapps/2.yaml | 73 ----------------------
 3 files changed, 6 insertions(+), 101 deletions(-)
 delete mode 100644 packages/system/kubeapps/1.yaml
 delete mode 100644 packages/system/kubeapps/2.yaml
diff --git a/packages/apps/tenant/templates/tenant.yaml b/packages/apps/tenant/templates/tenant.yaml
index c2260f5f..a366959c 100644
--- a/packages/apps/tenant/templates/tenant.yaml
+++ b/packages/apps/tenant/templates/tenant.yaml
@@ -2,7 +2,7 @@
 {{- fail (printf "Release name should not contain dashes: %s" .Release.Name) }}
 {{- end }}
 {{- $tenantName := (printf "tenant-%s" .Release.Name) }}
-{{- if hasPrefix "tenant-" .Release.Namespace }}
+{{- if and (ne .Release.Namespace "tenant-root") (hasPrefix "tenant-" .Release.Namespace) }}
 {{- $tenantName = (printf "%s-%s" .Release.Namespace .Release.Name) }}
 {{- end }}
 ---
@@ -45,6 +45,11 @@ metadata:
 name: {{ $tenantName }}
 namespace: {{ $tenantName }}
 subjects:
+{{- if ne .Release.Namespace "tenant-root" }}
+- kind: ServiceAccount
+ name: tenant-root
+ namespace: tenant-root
+{{- end }}
 {{- if hasPrefix "tenant-" .Release.Namespace }}
 {{- $parts := splitList "-" .Release.Namespace }}
 {{- range $i, $v := $parts }}
diff --git a/packages/system/kubeapps/1.yaml b/packages/system/kubeapps/1.yaml
deleted file mode 100644
index 6b8917eb..00000000
--- a/packages/system/kubeapps/1.yaml
+++ /dev/null
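Review bot: In the `@@ -2,7 +2,7 @@` hunk of `packages/apps/tenant/templates/tenant.yaml`, the new `if and (ne .Release.Namespace "tenant-root") ...` condition changes the rendered name of any release installed in `tenant-root` from `tenant-root-<release>` to `tenant-<release>`, and nothing in the commit says how already-installed releases are migrated. Because `$tenantName` is used as both the object name and the namespace further down, an upgrade of such a release would presumably render a different namespace and RoleBinding, so this needs an upgrade note or a check that no such releases exist. A release named `root` in `tenant-root` now also resolves to `tenant-root` itself; if that is not the intended bootstrap path, it should be rejected with a `fail` like the dash check above. I would record the naming rule next to the condition: `{{- /* direct children of tenant-root are named tenant-<release>, without the root segment */ -}}`.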
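Review bot: In the `@@ -45,6 +45,11 @@` hunk of `packages/apps/tenant/templates/tenant.yaml`, the added `subjects` entry binds the `tenant-root/tenant-root` ServiceAccount into every tenant whose release namespace is not `tenant-root`, including releases installed outside any `tenant-*` namespace, and the `roleRef` it is bound to lies outside the hunk, so the privilege being granted cannot be checked from here. That widens who can act in each tenant namespace and should carry a comment stating the intent above the `if ne` line, e.g. `{{- /* the root tenant's ServiceAccount administers every descendant tenant */ -}}`. For release namespaces that begin with `tenant-root-` (names rendered before this commit), the `range` over `$parts` that follows may emit the same subject a second time; the loop body is outside the hunk, so this needs checking against the full template.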
@@ -1,27 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: admin
- namespace: kube-system
----
-apiVersion: v1
-kind: Secret
-type: kubernetes.io/service-account-token
-metadata:
- name: admin-sa-token
- namespace: kube-system
- annotations:
- kubernetes.io/service-account.name: admin
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: admin
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: cluster-admin
-subjects:
-- kind: ServiceAccount
- name: admin
- namespace: kube-system
diff --git a/packages/system/kubeapps/2.yaml b/packages/system/kubeapps/2.yaml
deleted file mode 100644
index e2fc27ca..00000000
--- a/packages/system/kubeapps/2.yaml
+++ /dev/null
@@ -1,73 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
- name: tenant-client1
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: client1
- namespace: tenant-client1
----
-apiVersion: v1
-kind: Secret
-metadata:
- name: client1-token
- namespace: tenant-client1
- annotations:
- kubernetes.io/service-account.name: client1
-type: kubernetes.io/service-account-token
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: tenant-admin
- namespace: tenant-client1
-rules:
-- apiGroups: [""]
- resources: ["*"]
- verbs: ["get", "list", "watch", "create", "update", "patch"]
-- apiGroups: ["helm.toolkit.fluxcd.io"]
- resources: ["helmreleases"]
- verbs: ["*"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: tenant-admin-binding
- namespace: tenant-client1
-subjects:
-- kind: ServiceAccount
- name: client1
- namespace: tenant-client1
-roleRef:
- kind: Role
- name: tenant-admin
- apiGroup: rbac.authorization.k8s.io
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: list-apps
- namespace: cozy-public
-rules:
-- apiGroups: ["source.toolkit.fluxcd.io"]
- resources: ["helmrepositories"]
- verbs: ["get", "list"]
-- apiGroups: ["source.toolkit.fluxcd.io"]
- resources: ["helmcharts"]
- verbs: ["*"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: tenant-admin-binding
- namespace: cozy-public
-subjects:
-- kind: ServiceAccount
- name: client1
- namespace: tenant-client1
-roleRef:
- kind: Role
- name: list-apps
- apiGroup: rbac.authorization.k8s.io