feat(helm-chart): add service account

helm-chart/kube-manifest-backup/templates/deployment.yaml

@@ -52,7 +52,7 @@ spec:
               value: "{{ .Values.global.localBackupDirectory }}"
             - name: KMB_BACKUP_RESOURCES_YAML_FILE
               value: "{{ .Values.global.backupResourcesFile }}"
-            - name: KMB_S3_BACKUP_BUCKET_NAME
+            - name: KMB_S3_BUCKET_NAME
               value: "{{ .Values.global.s3.bucketName }}"
             - name: KMB_S3_CONFIG_FILE
               value: "{{ .Values.global.s3.configFile }}"

helm-chart/kube-manifest-backup/templates/serviceaccount.yaml

@@ -2,12 +2,93 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: {{ include "kube-manifest-backup.serviceAccountName" . }}
+  name: {{ .Values.serviceAccount.name | quote }}
   labels:
     {{- include "kube-manifest-backup.labels" . | nindent 4 }}
   {{- with .Values.serviceAccount.annotations }}
   annotations:
     {{- toYaml . | nindent 4 }}
   {{- end }}
-automountServiceAccountToken: {{ .Values.serviceAccount.automount }}
+---
+{{- $global := .Values.global -}}
+{{- $serviceAccountName := .Values.serviceAccount.name -}}
+{{- range $resource := $global.backupResources }}
+{{- if eq (len $resource.namespaces) 1 }}
+{{- if eq (index $resource.namespaces 0) "" }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: "{{ $.Release.Name }}-{{ $resource.resource }}-cluster-role"
+rules:
+- apiGroups: ["{{ $resource.group }}"]
+  resources: ["{{ $resource.resource }}"]
+  verbs: ["get", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: "{{ $.Release.Name }}-{{ $resource.resource }}-cluster-role-binding"
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: "{{ $.Release.Name }}-{{ $resource.resource }}-cluster-role"
+subjects:
+- kind: ServiceAccount
+  name: {{ $serviceAccountName }}
+  namespace: {{ $.Release.Namespace }}
+{{- else }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: "{{ index $resource.namespaces 0 }}-{{ $resource.resource }}-backup-role"
+  namespace: "{{ index $resource.namespaces 0 }}"
+rules:
+- apiGroups: ["{{ $resource.group }}"]
+  resources: ["{{ $resource.resource }}"]
+  verbs: ["get", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: "{{ $.Release.Name }}-{{ $resource.resource }}-{{ $resource.group }}-role-binding"
+  namespace: "{{ index $resource.namespaces 0 }}"
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: "{{ index $resource.namespaces 0 }}-{{ $resource.resource }}-backup-role"
+subjects:
+- kind: ServiceAccount
+  name: {{ $serviceAccountName }}
+  namespace: {{ $.Release.Namespace }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- if $global.privateKey.usePrivateGPGKey }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ $.Release.Name }}-private-key-role
+  namespace: {{ $global.privateKey.secretNamespace }}
+rules:
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["get", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ $.Release.Name }}-private-key-role-binding
+  namespace: {{ $global.privateKey.secretNamespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ $.Release.Name }}-private-key-role
+subjects:
+- kind: ServiceAccount
+  name: {{ $serviceAccountName }}
+  namespace: {{ $.Release.Namespace }}
+{{- end }}
 {{- end }}

helm-chart/kube-manifest-backup/values.yaml

@@ -20,8 +20,7 @@ serviceAccount:
   # Annotations to add to the service account
   annotations: {}
   # The name of the service account to use.
-  # If not set and create is true, a name is generated using the fullname template
-  name: ""
+  name: "kube-manifest-backup-serviceaccount"
 
 podAnnotations: {}
 podLabels: {}