rbac fix

2026-01-07 22:53:55 -05:00 · 2025-08-27 19:54:31 +02:00
parent af2f21fe93
commit 1165b05e8a
16 changed files with 21 additions and 486 deletions
--- a/helm-charts/secrets-operator/Chart.yaml
+++ b/helm-charts/secrets-operator/Chart.yaml
@@ -13,9 +13,9 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: v0.10.2
+version: v0.10.3
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "v0.10.2"
+appVersion: "v0.10.3"
--- a/helm-charts/secrets-operator/templates/infisicaldynamicsecret-admin-rbac.yaml
+++ b/helm-charts/secrets-operator/templates/infisicaldynamicsecret-admin-rbac.yaml
@@ -1,49 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
-kind: Role
-{{- else }}
-kind: ClusterRole
-{{- end }}
-metadata:
-  name: {{ include "secrets-operator.fullname" . }}-infisicaldynamicsecret-admin-role
-  {{- if and .Values.scopedNamespace .Values.scopedRBAC }}
-  namespace: {{ .Values.scopedNamespace | quote }}
-  {{- end }}
-  labels:
-  {{- include "secrets-operator.labels" . | nindent 4 }}
-rules:
- apiGroups:
-  - secrets.infisical.com
-  resources:
-  - infisicaldynamicsecrets
-  verbs:
-  - '*'
- apiGroups:
-  - secrets.infisical.com
-  resources:
-  - infisicaldynamicsecrets/status
-  verbs:
-  - get
---
-apiVersion: rbac.authorization.k8s.io/v1
-{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
-kind: RoleBinding
-{{- else }}
-kind: ClusterRoleBinding
-{{- end }}
-metadata:
-  name: {{ include "secrets-operator.fullname" . }}-infisicaldynamicsecret-admin-rolebinding
-  {{- if and .Values.scopedNamespace .Values.scopedRBAC }}
-  namespace: {{ .Values.scopedNamespace | quote }}
-  {{- end }}
-  labels:
-
-  {{- include "secrets-operator.labels" . | nindent 4 }}
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  {{- if and .Values.scopedNamespace .Values.scopedRBAC }}
-  kind: Role
-  {{- else }}
-  kind: ClusterRole
-  {{- end }}
-  name: '{{ include "secrets-operator.fullname" . }}-infisicaldynamicsecret-admin-role'
--- a/helm-charts/secrets-operator/templates/infisicaldynamicsecret-editor-rbac.yaml
+++ b/helm-charts/secrets-operator/templates/infisicaldynamicsecret-editor-rbac.yaml
@@ -1,55 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
-kind: Role
-{{- else }}
-kind: ClusterRole
-{{- end }}
-metadata:
-  name: {{ include "secrets-operator.fullname" . }}-infisicaldynamicsecret-editor-role
-  {{- if and .Values.scopedNamespace .Values.scopedRBAC }}
-  namespace: {{ .Values.scopedNamespace | quote }}
-  {{- end }}
-  labels:
-  {{- include "secrets-operator.labels" . | nindent 4 }}
-rules:
- apiGroups:
-  - secrets.infisical.com
-  resources:
-  - infisicaldynamicsecrets
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
- apiGroups:
-  - secrets.infisical.com
-  resources:
-  - infisicaldynamicsecrets/status
-  verbs:
-  - get
---
-apiVersion: rbac.authorization.k8s.io/v1
-{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
-kind: RoleBinding
-{{- else }}
-kind: ClusterRoleBinding
-{{- end }}
-metadata:
-  name: {{ include "secrets-operator.fullname" . }}-infisicaldynamicsecret-editor-rolebinding
-  {{- if and .Values.scopedNamespace .Values.scopedRBAC }}
-  namespace: {{ .Values.scopedNamespace | quote }}
-  {{- end }}
-  labels:
-
-  {{- include "secrets-operator.labels" . | nindent 4 }}
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  {{- if and .Values.scopedNamespace .Values.scopedRBAC }}
-  kind: Role
-  {{- else }}
-  kind: ClusterRole
-  {{- end }}
-  name: '{{ include "secrets-operator.fullname" . }}-infisicaldynamicsecret-editor-role'
--- a/helm-charts/secrets-operator/templates/infisicaldynamicsecret-viewer-rbac.yaml
+++ b/helm-charts/secrets-operator/templates/infisicaldynamicsecret-viewer-rbac.yaml
@@ -1,51 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
-kind: Role
-{{- else }}
-kind: ClusterRole
-{{- end }}
-metadata:
-  name: {{ include "secrets-operator.fullname" . }}-infisicaldynamicsecret-viewer-role
-  {{- if and .Values.scopedNamespace .Values.scopedRBAC }}
-  namespace: {{ .Values.scopedNamespace | quote }}
-  {{- end }}
-  labels:
-  {{- include "secrets-operator.labels" . | nindent 4 }}
-rules:
- apiGroups:
-  - secrets.infisical.com
-  resources:
-  - infisicaldynamicsecrets
-  verbs:
-  - get
-  - list
-  - watch
- apiGroups:
-  - secrets.infisical.com
-  resources:
-  - infisicaldynamicsecrets/status
-  verbs:
-  - get
---
-apiVersion: rbac.authorization.k8s.io/v1
-{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
-kind: RoleBinding
-{{- else }}
-kind: ClusterRoleBinding
-{{- end }}
-metadata:
-  name: {{ include "secrets-operator.fullname" . }}-infisicaldynamicsecret-viewer-rolebinding
-  {{- if and .Values.scopedNamespace .Values.scopedRBAC }}
-  namespace: {{ .Values.scopedNamespace | quote }}
-  {{- end }}
-  labels:
-
-  {{- include "secrets-operator.labels" . | nindent 4 }}
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  {{- if and .Values.scopedNamespace .Values.scopedRBAC }}
-  kind: Role
-  {{- else }}
-  kind: ClusterRole
-  {{- end }}
-  name: '{{ include "secrets-operator.fullname" . }}-infisicaldynamicsecret-viewer-role'
--- a/helm-charts/secrets-operator/templates/infisicalpushsecretsecret-admin-rbac.yaml
+++ b/helm-charts/secrets-operator/templates/infisicalpushsecretsecret-admin-rbac.yaml
@@ -1,49 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
-kind: Role
-{{- else }}
-kind: ClusterRole
-{{- end }}
-metadata:
-  name: {{ include "secrets-operator.fullname" . }}-infisicalpushsecretsecret-admin-role
-  {{- if and .Values.scopedNamespace .Values.scopedRBAC }}
-  namespace: {{ .Values.scopedNamespace | quote }}
-  {{- end }}
-  labels:
-  {{- include "secrets-operator.labels" . | nindent 4 }}
-rules:
- apiGroups:
-  - secrets.infisical.com
-  resources:
-  - infisicalpushsecretsecrets
-  verbs:
-  - '*'
- apiGroups:
-  - secrets.infisical.com
-  resources:
-  - infisicalpushsecretsecrets/status
-  verbs:
-  - get
---
-apiVersion: rbac.authorization.k8s.io/v1
-{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
-kind: RoleBinding
-{{- else }}
-kind: ClusterRoleBinding
-{{- end }}
-metadata:
-  name: {{ include "secrets-operator.fullname" . }}-infisicalpushsecretsecret-admin-rolebinding
-  {{- if and .Values.scopedNamespace .Values.scopedRBAC }}
-  namespace: {{ .Values.scopedNamespace | quote }}
-  {{- end }}
-  labels:
-
-  {{- include "secrets-operator.labels" . | nindent 4 }}
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  {{- if and .Values.scopedNamespace .Values.scopedRBAC }}
-  kind: Role
-  {{- else }}
-  kind: ClusterRole
-  {{- end }}
-  name: '{{ include "secrets-operator.fullname" . }}-infisicalpushsecretsecret-admin-role'
--- a/helm-charts/secrets-operator/templates/infisicalpushsecretsecret-editor-rbac.yaml
+++ b/helm-charts/secrets-operator/templates/infisicalpushsecretsecret-editor-rbac.yaml
@@ -1,55 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
-kind: Role
-{{- else }}
-kind: ClusterRole
-{{- end }}
-metadata:
-  name: {{ include "secrets-operator.fullname" . }}-infisicalpushsecretsecret-editor-role
-  {{- if and .Values.scopedNamespace .Values.scopedRBAC }}
-  namespace: {{ .Values.scopedNamespace | quote }}
-  {{- end }}
-  labels:
-  {{- include "secrets-operator.labels" . | nindent 4 }}
-rules:
- apiGroups:
-  - secrets.infisical.com
-  resources:
-  - infisicalpushsecretsecrets
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
- apiGroups:
-  - secrets.infisical.com
-  resources:
-  - infisicalpushsecretsecrets/status
-  verbs:
-  - get
---
-apiVersion: rbac.authorization.k8s.io/v1
-{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
-kind: RoleBinding
-{{- else }}
-kind: ClusterRoleBinding
-{{- end }}
-metadata:
-  name: {{ include "secrets-operator.fullname" . }}-infisicalpushsecretsecret-editor-rolebinding
-  {{- if and .Values.scopedNamespace .Values.scopedRBAC }}
-  namespace: {{ .Values.scopedNamespace | quote }}
-  {{- end }}
-  labels:
-
-  {{- include "secrets-operator.labels" . | nindent 4 }}
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  {{- if and .Values.scopedNamespace .Values.scopedRBAC }}
-  kind: Role
-  {{- else }}
-  kind: ClusterRole
-  {{- end }}
-  name: '{{ include "secrets-operator.fullname" . }}-infisicalpushsecretsecret-editor-role'
--- a/helm-charts/secrets-operator/templates/infisicalpushsecretsecret-viewer-rbac.yaml
+++ b/helm-charts/secrets-operator/templates/infisicalpushsecretsecret-viewer-rbac.yaml
@@ -1,51 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
-kind: Role
-{{- else }}
-kind: ClusterRole
-{{- end }}
-metadata:
-  name: {{ include "secrets-operator.fullname" . }}-infisicalpushsecretsecret-viewer-role
-  {{- if and .Values.scopedNamespace .Values.scopedRBAC }}
-  namespace: {{ .Values.scopedNamespace | quote }}
-  {{- end }}
-  labels:
-  {{- include "secrets-operator.labels" . | nindent 4 }}
-rules:
- apiGroups:
-  - secrets.infisical.com
-  resources:
-  - infisicalpushsecretsecrets
-  verbs:
-  - get
-  - list
-  - watch
- apiGroups:
-  - secrets.infisical.com
-  resources:
-  - infisicalpushsecretsecrets/status
-  verbs:
-  - get
---
-apiVersion: rbac.authorization.k8s.io/v1
-{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
-kind: RoleBinding
-{{- else }}
-kind: ClusterRoleBinding
-{{- end }}
-metadata:
-  name: {{ include "secrets-operator.fullname" . }}-infisicalpushsecretsecret-viewer-rolebinding
-  {{- if and .Values.scopedNamespace .Values.scopedRBAC }}
-  namespace: {{ .Values.scopedNamespace | quote }}
-  {{- end }}
-  labels:
-
-  {{- include "secrets-operator.labels" . | nindent 4 }}
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  {{- if and .Values.scopedNamespace .Values.scopedRBAC }}
-  kind: Role
-  {{- else }}
-  kind: ClusterRole
-  {{- end }}
-  name: '{{ include "secrets-operator.fullname" . }}-infisicalpushsecretsecret-viewer-role'
--- a/helm-charts/secrets-operator/templates/infisicalsecret-admin-rbac.yaml
+++ b/helm-charts/secrets-operator/templates/infisicalsecret-admin-rbac.yaml
@@ -1,49 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
-kind: Role
-{{- else }}
-kind: ClusterRole
-{{- end }}
-metadata:
-  name: {{ include "secrets-operator.fullname" . }}-infisicalsecret-admin-role
-  {{- if and .Values.scopedNamespace .Values.scopedRBAC }}
-  namespace: {{ .Values.scopedNamespace | quote }}
-  {{- end }}
-  labels:
-  {{- include "secrets-operator.labels" . | nindent 4 }}
-rules:
- apiGroups:
-  - secrets.infisical.com
-  resources:
-  - infisicalsecrets
-  verbs:
-  - '*'
- apiGroups:
-  - secrets.infisical.com
-  resources:
-  - infisicalsecrets/status
-  verbs:
-  - get
---
-apiVersion: rbac.authorization.k8s.io/v1
-{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
-kind: RoleBinding
-{{- else }}
-kind: ClusterRoleBinding
-{{- end }}
-metadata:
-  name: {{ include "secrets-operator.fullname" . }}-infisicalsecret-admin-rolebinding
-  {{- if and .Values.scopedNamespace .Values.scopedRBAC }}
-  namespace: {{ .Values.scopedNamespace | quote }}
-  {{- end }}
-  labels:
-
-  {{- include "secrets-operator.labels" . | nindent 4 }}
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  {{- if and .Values.scopedNamespace .Values.scopedRBAC }}
-  kind: Role
-  {{- else }}
-  kind: ClusterRole
-  {{- end }}
-  name: '{{ include "secrets-operator.fullname" . }}-infisicalsecret-admin-role'
--- a/helm-charts/secrets-operator/templates/infisicalsecret-editor-rbac.yaml
+++ b/helm-charts/secrets-operator/templates/infisicalsecret-editor-rbac.yaml
@@ -1,55 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
-kind: Role
-{{- else }}
-kind: ClusterRole
-{{- end }}
-metadata:
-  name: {{ include "secrets-operator.fullname" . }}-infisicalsecret-editor-role
-  {{- if and .Values.scopedNamespace .Values.scopedRBAC }}
-  namespace: {{ .Values.scopedNamespace | quote }}
-  {{- end }}
-  labels:
-  {{- include "secrets-operator.labels" . | nindent 4 }}
-rules:
- apiGroups:
-  - secrets.infisical.com
-  resources:
-  - infisicalsecrets
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
- apiGroups:
-  - secrets.infisical.com
-  resources:
-  - infisicalsecrets/status
-  verbs:
-  - get
---
-apiVersion: rbac.authorization.k8s.io/v1
-{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
-kind: RoleBinding
-{{- else }}
-kind: ClusterRoleBinding
-{{- end }}
-metadata:
-  name: {{ include "secrets-operator.fullname" . }}-infisicalsecret-editor-rolebinding
-  {{- if and .Values.scopedNamespace .Values.scopedRBAC }}
-  namespace: {{ .Values.scopedNamespace | quote }}
-  {{- end }}
-  labels:
-
-  {{- include "secrets-operator.labels" . | nindent 4 }}
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  {{- if and .Values.scopedNamespace .Values.scopedRBAC }}
-  kind: Role
-  {{- else }}
-  kind: ClusterRole
-  {{- end }}
-  name: '{{ include "secrets-operator.fullname" . }}-infisicalsecret-editor-role'
--- a/helm-charts/secrets-operator/templates/infisicalsecret-viewer-rbac.yaml
+++ b/helm-charts/secrets-operator/templates/infisicalsecret-viewer-rbac.yaml
@@ -1,51 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
-kind: Role
-{{- else }}
-kind: ClusterRole
-{{- end }}
-metadata:
-  name: {{ include "secrets-operator.fullname" . }}-infisicalsecret-viewer-role
-  {{- if and .Values.scopedNamespace .Values.scopedRBAC }}
-  namespace: {{ .Values.scopedNamespace | quote }}
-  {{- end }}
-  labels:
-  {{- include "secrets-operator.labels" . | nindent 4 }}
-rules:
- apiGroups:
-  - secrets.infisical.com
-  resources:
-  - infisicalsecrets
-  verbs:
-  - get
-  - list
-  - watch
- apiGroups:
-  - secrets.infisical.com
-  resources:
-  - infisicalsecrets/status
-  verbs:
-  - get
---
-apiVersion: rbac.authorization.k8s.io/v1
-{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
-kind: RoleBinding
-{{- else }}
-kind: ClusterRoleBinding
-{{- end }}
-metadata:
-  name: {{ include "secrets-operator.fullname" . }}-infisicalsecret-viewer-rolebinding
-  {{- if and .Values.scopedNamespace .Values.scopedRBAC }}
-  namespace: {{ .Values.scopedNamespace | quote }}
-  {{- end }}
-  labels:
-
-  {{- include "secrets-operator.labels" . | nindent 4 }}
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  {{- if and .Values.scopedNamespace .Values.scopedRBAC }}
-  kind: Role
-  {{- else }}
-  kind: ClusterRole
-  {{- end }}
-  name: '{{ include "secrets-operator.fullname" . }}-infisicalsecret-viewer-role'
--- a/helm-charts/secrets-operator/values.yaml
+++ b/helm-charts/secrets-operator/values.yaml
@@ -12,7 +12,7 @@ controllerManager:
      readOnlyRootFilesystem: true
    image:
      repository: infisical/kubernetes-operator
-      tag: v0.10.2
+      tag: v0.10.3
    resources:
      limits:
        cpu: 500m