fix

2023-10-15 10:52:10 +02:00
parent e9ea7ee094
commit 5043ee0cda
2 changed files with 67 additions and 31 deletions
--- a/apps/okd/index.yaml
+++ b/apps/okd/index.yaml
@@ -6,6 +6,11 @@ metadata:
  name: okd
  description: null
 options:
+  domain-name:
+    default: your_company.com
+    examples:
+    - your_company.com
+    type: string
  namespaces:
    default: []
    items:
@@ -16,36 +21,6 @@ options:
    examples:
    - false
    type: boolean
-  ingress-class:
-    default: traefik
-    examples:
-    - traefik
-    type: string
-  app-group:
-    default: infra
-    examples:
-    - infra
-    type: string
-  domain:
-    default: your-company
-    examples:
-    - your-company
-    type: string
-  issuer:
-    default: letsencrypt-prod
-    examples:
-    - letsencrypt-prod
-    type: string
-  sub-domain:
-    default: okd
-    examples:
-    - okd
-    type: string
-  domain-name:
-    default: your_company.com
-    examples:
-    - your_company.com
-    type: string
  images:
    default:
      okd:
@@ -89,6 +64,31 @@ options:
            type: string
        type: object
    type: object
+  ingress-class:
+    default: traefik
+    examples:
+    - traefik
+    type: string
+  issuer:
+    default: letsencrypt-prod
+    examples:
+    - letsencrypt-prod
+    type: string
+  sub-domain:
+    default: okd
+    examples:
+    - okd
+    type: string
+  domain:
+    default: your-company
+    examples:
+    - your-company
+    type: string
+  app-group:
+    default: infra
+    examples:
+    - infra
+    type: string
 dependencies:
 - dist: null
  category: share
--- a/apps/okd/rbac.tf
+++ b/apps/okd/rbac.tf
@@ -12,7 +12,7 @@ resource "kubectl_manifest" "okd_sa" {
  EOF
 }

-resource "kubectl_manifest" "okd_crb" {
+resource "kubectl_manifest" "okd_crb_admin" {
  count = var.cluster-admin ? 1 : 0
  yaml_body  = <<-EOF
    apiVersion: rbac.authorization.k8s.io/v1
@@ -66,3 +66,39 @@ resource "kubectl_manifest" "okd_role_bindings" {
      apiGroup: rbac.authorization.k8s.io
  EOF
 }
+
+resource "kubectl_manifest" "okd_clusterrole" {
+  count = length(local.sorted-namespaces)>0 ? 1 : 0
+  yaml_body  = <<-EOF
+    apiVersion: rbac.authorization.k8s.io/v1
+    kind: ClusterRole
+    metadata:
+      name: "${var.namespace}-${var.component}-${var.instance}-list"
+      labels: ${jsonencode(local.common-labels)}
+    rules:
+    - apiGroups: [""]
+      resources: ["namespaces"]
+      resourceNames: ${jsonencode(local.sorted-namespaces)}
+      verbs: ["get", "list"]
+  EOF
+}
+
+resource "kubectl_manifest" "okd_clusterrole_bindings" {
+  count = length(local.sorted-namespaces)>0 ? 1 : 0
+  yaml_body  = <<-EOF
+    apiVersion: rbac.authorization.k8s.io/v1
+    kind: RoleBinding
+    metadata:
+      name: "${var.namespace}-${var.component}-${var.instance}-list"
+      namespace: "${local.sorted-namespaces[count.index]}"
+      labels: ${jsonencode(local.common-labels)}
+    subjects:
+    - kind: ServiceAccount
+      name: "${var.component}-${var.instance}"
+      namespace: "${var.namespace}"
+    roleRef:
+      kind: ClusterRole
+      name: "${var.namespace}-${var.component}-${var.instance}-list"
+      apiGroup: rbac.authorization.k8s.io
+  EOF
+}