bbr helm chart rbac enhancements for multi pool management

config/charts/body-based-routing/README.md

@@ -63,6 +63,8 @@ The following table list the configurable parameters of the chart.
 | `bbr.replicas`               | Number of replicas for the deployment. Defaults to `1`.                                                           |
 | `bbr.port`                   | Port serving ext_proc. Defaults to `9004`.                                                                        |
 | `bbr.healthCheckPort`        | Port for health checks. Defaults to `9005`.                                                                       |
+| `bbr.multiNamespace`         | Boolean flag to indicate whether BBR should watch cross namesapce configmaps or only within the namespace it is deployed.
+Defaults to `false`.                                                                       |
 | `bbr.image.name`             | Name of the container image used.                                                                                 |
 | `bbr.image.hub`              | Registry URL where the image is hosted.                                                                           | 
 | `bbr.image.tag`              | Image tag.                                                                                                        |

config/charts/body-based-routing/templates/bbr.yaml

@@ -13,10 +13,11 @@ spec:
       labels:
         app: {{ .Values.bbr.name }}
     spec:
+      serviceAccountName: {{ Values.bbr.name}}-{{ .Release.Name }}
       containers:
       - name: bbr
         image: {{ .Values.bbr.image.hub }}/{{ .Values.bbr.image.name }}:{{ .Values.bbr.image.tag }}
-        imagePullPolicy: {{ .Values.bbr.image.pullPolicy | default "Always" }}
+        imagePullPolicy: {{ .Values.bbr.image.pullPolicy }}
         args:
         - "--streaming"
         # Pass additional flags via the bbr.flags field in values.yaml.

config/charts/body-based-routing/templates/rbac.yaml

@@ -0,0 +1,54 @@
+{{- if .Values.bbr.multiNamespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: bbr-configmap-reader
+rules:
+- apiGroups: [""]
+  resources: ["configmaps"]
+  verbs: ["get", "list", "watch"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: bbr-configmap-reader
+subjects:
+- kind: ServiceAccount
+  name: {{ .Values.bbr.name }}-{{ .Release.Name }}
+  namespace: {{ .Release.Namespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: bbr-configmap-reader
+{{- else }} ## if bbr is set in a single namespace
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ .Values.bbr.name }}-{{ .Release.Name }}-configmap-reader
+rules:
+- apiGroups: [""]
+  resources: ["configmaps"]
+  verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ .Values.bbr.name }}-{{ .Release.Name }}
+  namespace: {{ .Release.Namespace }}
+subjects:
+- kind: ServiceAccount
+  name: {{ .Values.bbr.name }}-{{ .Release.Name }}
+  namespace: {{ .Release.Namespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ .Values.bbr.name }}-{{ .Release.Name }}-configmap-reader
+{{- end }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ Values.bbr.name}}-{{ .Release.Name }}
+  namespace: {{ .Release.Namespace }}

config/charts/body-based-routing/values.yaml

@@ -8,6 +8,7 @@ bbr:
     pullPolicy: Always
   port: 9004
   healthCheckPort: 9005
+  multiNamespace: false
 
   flags:
     # Log verbosity