Skip to content

Commit a842d33

Browse files
AndrewChubatiukAndrewChubatiuk
committed
k8s-stack: allow setting extra rules for VMAgent SA
1 parent fffbd90 commit a842d33

File tree

3 files changed

+53
-0
lines changed

3 files changed

+53
-0
lines changed

charts/victoria-metrics-k8s-stack/CHANGELOG.md

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,7 @@
11
## Next release
22

33
- allow override dashboards and datasources label names and values. See [#2576](https://github.com/VictoriaMetrics/helm-charts/issues/2576).
4+
- allow setting extra roles for VMAgent service account. See [#2586](https://github.com/VictoriaMetrics/helm-charts/issues/2586).
45

56
## 0.63.6
67

charts/victoria-metrics-k8s-stack/templates/victoria-metrics-operator/vmagent/rbac.yaml

Lines changed: 45 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,45 @@
1+
{{- $app := .Values.vmagent }}
2+
{{- $rbac := $app.rbac }}
3+
{{- if and $app.enabled (.not (empty $rbac.rules)) -}}
4+
{{- $ctx := dict "helm" . "appKey" "vmagent" }}
5+
{{- $fullname := include "vm.managed.fullname" $ctx }}
6+
{{- $ns := include "vm.namespace" $ctx }}
7+
{{- $namespaced := ne (len (index .Values "victoria-metrics-operator" "watchNamespaces")) 0 }}
8+
---
9+
apiVersion: rbac.authorization.k8s.io/v1
10+
kind: {{ ternary "RoleBinding" "ClusterRoleBinding" $namespaced }}
11+
metadata:
12+
name: {{ $fullname }}
13+
{{- if $namespaced }}
14+
namespace: {{ $ns }}
15+
{{- end }}
16+
{{- $_ := set $ctx "extraLabels" $rbac.extraLabels }}
17+
labels: {{ include "vm.labels" $ctx | nindent 4 }}
18+
{{- $_ := unset $ctx "extraLabels" }}
19+
{{- with $rbac.annotations }}
20+
annotations: {{ toYaml . | nindent 4 }}
21+
{{- end }}
22+
roleRef:
23+
apiGroup: rbac.authorization.k8s.io
24+
kind: {{ ternary "Role" "ClusterRole" $namespaced }}
25+
name: {{ $fullname }}
26+
subjects:
27+
- kind: ServiceAccount
28+
name: {{ $fullname }}
29+
namespace: {{ $ns }}
30+
---
31+
apiVersion: rbac.authorization.k8s.io/v1
32+
kind: {{ ternary "Role" "ClusterRole" $namespaced }}
33+
metadata:
34+
name: {{ $fullname }}
35+
{{- if $namespaced }}
36+
namespace: {{ include "vm.namespace" $ctx }}
37+
{{- end }}
38+
{{- $_ := set $ctx "extraLabels" $rbac.extraLabels }}
39+
labels: {{ include "vm.labels" $ctx | nindent 4 }}
40+
{{- $_ := unset $ctx "extraLabels" }}
41+
{{- with $rbac.annotations }}
42+
annotations: {{ toYaml . | nindent 4 }}
43+
{{- end }}
44+
rules: {{ tpl (toYaml $rbac.rules) . | nindent 2 }}
45+
{{- end }}

charts/victoria-metrics-k8s-stack/values.yaml

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -921,6 +921,13 @@ vmagent:
921921
labels: {}
922922
# -- VMAgent annotations
923923
annotations: {}
924+
rbac:
925+
# -- Role/RoleBinding annotations
926+
annotations: {}
927+
# -- Role/RoleBinding labels
928+
extraLabels: {}
929+
# -- additional rules for a role
930+
rules: []
924931
# -- Remote write configuration of VMAgent, allowed parameters defined in a [spec](https://docs.victoriametrics.com/operator/api/#vmagentremotewritespec)
925932
additionalRemoteWrites:
926933
[]

0 commit comments

Comments
 (0)