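{{- if .Values.updater.enabled -}}
{{/*
Namespaced Role for the updater component, rendered only when the updater is
enabled and RBAC objects are requested.

$updater overlays .Values.updater on top of a deep copy of .Values so that
updater-specific keys win over chart-wide ones; the deep copy keeps
mustMergeOverwrite (which mutates its first argument) from changing .Values
for the rest of the chart.
Assumes values.yaml defines updater.extraLabels (possibly empty) — a missing
map would make the .extraLabels.role lookup below fail at render time.
Templated scalars are quoted so a release name that happens to be all digits
(Helm permits it) stays a string instead of parsing as an integer.
*/}}
{{- $updater := mustMergeOverwrite (mustDeepCopy .Values) .Values.updater -}}
{{- if $updater.rbac.create -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: "{{ .Release.Name }}-updater"
  namespace: "{{ .Release.Namespace }}"
  {{- if $updater.extraLabels.role }}
  labels: {{- toYaml $updater.extraLabels.role | nindent 4 }}
  {{- end }}
rules:
  # Pods: the updater lists pods to check their health and deletes pods to
  # unstick StatefulSet rollouts. `delete` carries no resourceNames, so it
  # applies to every pod in the namespace.
  - apiGroups:
      - ""
    resources:
      - pods
    verbs:
      - get
      - watch
      - list
      - delete
  - apiGroups:
      - ""
    resources:
      - pods/status
    verbs:
      - get
      - watch
      - list
  # Secrets: the updater reads the secret the agent creates containing the
  # maintenance window. NOTE(review): RBAC narrows list/watch by resourceNames
  # only when the client sends a metadata.name field selector, so as written
  # this rule permits reading every Secret in the namespace; the name-scoped
  # `get` rule below does not limit it. If the updater's watch is filtered by
  # name, these verbs can be folded into the name-scoped rule — confirm
  # against the controller's cache setup.
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - watch
      - list
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - get
    resourceNames:
      - "{{ .Release.Name }}-shared-state"
  # Events: the updater records events (create/patch).
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - patch
  # Workloads: the controller in the updater watches deployments and
  # statefulsets (and their status) to find the one it should reconcile ...
  - apiGroups:
      - apps
    resources:
      - deployments
      - statefulsets
      - deployments/status
      - statefulsets/status
    verbs:
      - get
      - watch
      - list
  # ... but may only update the agent workload named after the release.
  - apiGroups:
      - apps
    resources:
      - deployments
      - statefulsets
    verbs:
      - update
    resourceNames:
      - "{{ .Release.Name }}"
  # Leases: `create` cannot be name-scoped in RBAC (the object name is not
  # known at authorization time), so it stands alone; get/update are limited
  # to the lease named after the release.
  - apiGroups:
      - coordination.k8s.io
    resources:
      - leases
    verbs:
      - create
  - apiGroups:
      - coordination.k8s.io
    resources:
      - leases
    verbs:
      - get
      - update
    resourceNames:
      - "{{ .Release.Name }}"
{{- end -}}
{{- end -}}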