feat: add rbac support to disable the creation of roles and rolebindi…

…ngs (#327)

Signed-off-by: Engin Diri <engin.diri@ediri.de>

charts/node-red/Chart.yaml

@@ -9,7 +9,7 @@ icon: https://nodered.org/about/resources/media/node-red-icon-2.png
 
 type: application
 
-version: 0.29.0
+version: 0.30.0
 appVersion: 3.1.3
 
 keywords:
@@ -29,7 +29,7 @@ maintainers:
 annotations:
   artifacthub.io/containsSecurityUpdates: "false"
   artifacthub.io/changes: |
-    - change node-red version to 3.1.3
+    - add rbac support to disable the creation of roles and rolebindings
   artifacthub.io/images: |
     - name: node-red
       image: docker.io/nodered/node-red:3.1.3

charts/node-red/README.md

@@ -1,6 +1,6 @@
 # node-red ⚙
 
-![Version: 0.28.1](https://img.shields.io/badge/Version-0.28.1-informational?style=for-the-badge) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=for-the-badge) ![AppVersion: 3.0.2](https://img.shields.io/badge/AppVersion-3.0.2-informational?style=for-the-badge)
+![Version: 0.29.0](https://img.shields.io/badge/Version-0.29.0-informational?style=for-the-badge) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=for-the-badge) ![AppVersion: 3.1.3](https://img.shields.io/badge/AppVersion-3.1.3-informational?style=for-the-badge)
 
 [![Artifact Hub](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/node-red&style=for-the-badge)](https://artifacthub.io/packages/search?repo=node-red)
 [![SIT](https://img.shields.io/badge/SIT-awesome-blueviolet.svg?style=for-the-badge)](https://jobs.schwarz)
@@ -16,7 +16,7 @@ A Helm chart for Node-Red, a low-code programming for event-driven applications
 To install the chart using the OCI artifact, run:
 
 ```bash
-helm install node-red oci://ghcr.io/schwarzit/charts/node-red --version 0.28.1
+helm install node-red oci://ghcr.io/schwarzit/charts/node-red --version 0.29.0
 ```
 
 ## Usage
@@ -32,7 +32,7 @@ helm repo update
 To install the chart with the release name node-red run:
 
 ```bash
-helm install node-red node-red/node-red --version 0.28.1
+helm install node-red node-red/node-red --version 0.29.0
 ```
 
 After a few seconds, node-red should be running.
@@ -63,7 +63,6 @@ The command removes all the Kubernetes components associated with the chart and
 | affinity | object | `{}` | The affinity constraint |
 | clusterRoleRules.enabled | bool | `false` | Enable custom rules for the application controller's ClusterRole resource default: false |
 | clusterRoleRules.rules | list | `[]` | List of custom rules for the application controller's ClusterRole resource default: [] |
-| createClusterRole | bool | `false` | Create a ClusterRole resource for the node-red pod. default: false |
 | deploymentAnnotations | object | `{}` | Deployment annotations |
 | deploymentStrategy | string | `""` | Specifies the strategy used to replace old Pods by new ones, default: `RollingUpdate` |
 | env | list | `[]` | node-red env, see more environment variables in the [node-red documentation](https://nodered.org/docs/getting-started/docker) |
@@ -110,6 +109,8 @@ The command removes all the Kubernetes components associated with the chart and
 | podSecurityContext | object | `{"fsGroup":1000,"runAsUser":1000}` | Pod Security Context see [values.yaml](values.yaml) |
 | podSecurityContext.fsGroup | int | `1000` | node-red group is 1000 |
 | podSecurityContext.runAsUser | int | `1000` | node-red user is 1000 |
+| rbac.createClusterRole | bool | `false` | Create a ClusterRole resource for the node-red pod. default: false |
+| rbac.enabled | bool | `true` |  |
 | readinessProbe | object | `{"httpGet":{"path":"/","port":"http"}}` | Readiness probe for the Deployment |
 | resources | object | `{"limits":{"cpu":"500m","memory":"5123Mi"},"requests":{"cpu":"100m","memory":"128Mi"}}` | CPU/Memory resource requests/limits |
 | securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":10003,"runAsNonRoot":true,"runAsUser":10003,"seccompProfile":{"type":"RuntimeDefault"}}` | Security Context see [values.yaml](values.yaml) |

charts/node-red/templates/clusterrole.yaml

@@ -1,4 +1,4 @@
-{{- if .Values.createClusterRole }}
+{{- if .Values.rbac.createClusterRole }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:

charts/node-red/templates/clusterrolebinding.yaml

@@ -1,4 +1,4 @@
-{{- if .Values.createClusterRole }}
+{{- if .Values.rbac.createClusterRole }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:

charts/node-red/templates/role.yaml

@@ -1,3 +1,4 @@
+{{- if .Values.rbac.enabled }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
@@ -16,3 +17,4 @@ rules:
       - get
       - list
       - watch
+{{- end }}

charts/node-red/templates/rolebinding.yaml

@@ -1,3 +1,4 @@
+{{- if .Values.rbac.enabled }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
@@ -13,3 +14,4 @@ subjects:
   - kind: ServiceAccount
     name: {{ include "node-red.serviceAccountName" . }}
     namespace: {{ .Release.Namespace | quote }}
+{{- end }}

charts/node-red/values.yaml

@@ -15,6 +15,13 @@ image:
   # -- The image tag to pull, default: `Chart.appVersion`
   tag: ""
 
+rbac:
+  # If enabled, roles will be created and bound to the service account. default: true
+  enabled: true
+  # -- Create a ClusterRole resource for the node-red pod. default: false
+  createClusterRole: false
+
+
 # -- The image pull secrets
 imagePullSecrets: ""
 
@@ -255,8 +262,6 @@ extraSidecars: []
 #    image: busybox
 #    command: ["/bin/sh", "-c", "echo hello from sidecar"]
 
-# -- Create a ClusterRole resource for the node-red pod. default: false
-createClusterRole: false
 
 ## -- Enable this and set the rules: to whatever custom rules you want for the Cluster Role resource.
 clusterRoleRules: