hashicorp · payalsu · Aug 7, 2024 · Aug 13, 2024 · Aug 30, 2024 · Aug 30, 2024
@@ -1,3 +1,9 @@
+## 1.6.0 
+
+FEATURES:
+
+* helm: Add Support for global rbac flag to decouple Consul-RBAC installation.
+
 ## 1.5.1 (July 16, 2024)
 
 SECURITY:

@@ -1,4 +1,5 @@
 {{- if .Values.global.acls.manageSystemACLs }}
+{{- if .Values.global.rbac.create }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -16,3 +17,4 @@ rules:
   verbs:
   - get
 {{- end }}
+{{- end }}
@@ -1,4 +1,5 @@
 {{- if .Values.global.acls.manageSystemACLs }}
+{{- if .Values.global.rbac.create }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
@@ -37,3 +38,4 @@ subjects:
   name: {{ template "consul.fullname" . }}-auth-method
   namespace: {{ .Release.Namespace }}
 {{- end }}
+{{- end }}
@@ -1,4 +1,5 @@
 {{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }}
+{{- if .Values.global.rbac.create }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
@@ -41,3 +42,4 @@ rules:
 rules: []
 {{- end }}
 {{- end }}
+{{- end }}
@@ -1,4 +1,5 @@
 {{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }}
+{{- if .Values.global.rbac.create }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
@@ -18,3 +19,4 @@ subjects:
   - kind: ServiceAccount
     name: {{ template "consul.fullname" . }}-client
 {{- end }}
+{{- end }}
@@ -1,4 +1,5 @@
 {{- if (and .Values.global.openshift.enabled (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled))) }}
+{{- if .Values.global.rbac.create }}
 apiVersion: security.openshift.io/v1
 kind: SecurityContextConstraints
 metadata:
@@ -59,3 +60,4 @@ volumes:
 - projected
 - secret
 {{- end}}
+{{- end }}
@@ -1,4 +1,5 @@
 {{- if .Values.connectInject.cni.enabled }}
+{{- if .Values.global.rbac.create }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -36,3 +37,4 @@ rules:
   - use
 {{- end }}
 {{- end }}
+{{- end }}
@@ -1,4 +1,5 @@
 {{- if .Values.connectInject.cni.enabled }}
+{{- if .Values.global.rbac.create }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
@@ -18,3 +19,4 @@ subjects:
   name: {{ template "consul.fullname" . }}-cni
   namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }}
 {{- end }}
+{{- end }}
@@ -1,4 +1,5 @@
 {{- if (and (.Values.connectInject.cni.enabled) (.Values.global.openshift.enabled)) }}
+{{- if .Values.global.rbac.create }}
 apiVersion: security.openshift.io/v1
 kind: SecurityContextConstraints
 metadata:
@@ -53,3 +54,4 @@ volumes:
 - projected
 - secret
 {{- end }}
+{{- end }}
@@ -1,4 +1,5 @@
 {{- if or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled) }}
+{{- if .Values.global.rbac.create }}
 # The ClusterRole to enable the Connect injector to get, list, watch and patch MutatingWebhookConfiguration.
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -213,3 +214,4 @@ rules:
     - use
   {{- end }}
 {{- end }}
+{{- end }}
@@ -1,4 +1,5 @@
 {{- if or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled) }}
+{{- if .Values.global.rbac.create }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
@@ -17,4 +18,5 @@ subjects:
 - kind: ServiceAccount
   name: {{ template "consul.fullname" . }}-connect-injector
   namespace: {{ .Release.Namespace }}
+{{- end }}
 {{- end }}
@@ -1,4 +1,5 @@
 {{- if or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled) }}
+{{- if .Values.global.rbac.create }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
@@ -39,3 +40,4 @@ rules:
   - create
   - patch
 {{- end }}
+{{- end }}
@@ -1,4 +1,5 @@
 {{- if or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled) }}
+{{- if .Values.global.rbac.create }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
@@ -19,3 +20,4 @@ subjects:
   name: {{ template "consul.fullname" . }}-connect-injector
   namespace: {{ .Release.Namespace }}
 {{- end }}
+{{- end }}
@@ -1,4 +1,5 @@
 {{- if .Values.global.federation.createFederationSecret }}
+{{- if .Values.global.rbac.create }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
@@ -47,3 +48,4 @@ rules:
       - {{ template "consul.fullname" . }}-create-federation-secret
   {{- end }}
 {{- end }}
+{{- end }}
@@ -1,4 +1,5 @@
 {{- if .Values.global.federation.createFederationSecret }}
+{{- if .Values.global.rbac.create }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
@@ -21,3 +22,4 @@ subjects:
 - kind: ServiceAccount
   name: {{ template "consul.fullname" . }}-create-federation-secret
 {{- end }}
+{{- end }}
@@ -1,4 +1,5 @@
 {{- if .Values.global.metrics.datadog.enabled }}
+{{- if .Values.global.rbac.create }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
@@ -35,4 +36,5 @@ rules:
       - {{ .Release.Namespace }}-datadog-agent-metrics-acl-token
     verbs: [ "get", "watch", "list" ]
 {{- end }}
+{{- end }}
 {{- end }}
@@ -1,4 +1,5 @@
 {{- if .Values.global.metrics.datadog.enabled }}
+{{- if .Values.global.rbac.create }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
@@ -23,4 +24,5 @@ roleRef:
   kind: Role
   name: {{ template "consul.fullname" . }}-datadog-metrics
   apiGroup: ""
+{{- end }}
 {{- end }}
@@ -1,4 +1,5 @@
 {{- if (or (and (ne (.Values.dns.proxy.enabled | toString) "-") .Values.dns.proxy.enabled) (and (eq (.Values.dns.proxy.enabled | toString) "-") .Values.global.enabled)) }}
+{{- if .Values.global.rbac.create }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -31,4 +32,5 @@ rules:
   {{- else }}
 rules: []
   {{- end }}
+{{- end }}
 {{- end }}
@@ -1,4 +1,5 @@
 {{- if (or (and (ne (.Values.dns.proxy.enabled | toString) "-") .Values.dns.proxy.enabled) (and (eq (.Values.dns.proxy.enabled | toString) "-") .Values.global.enabled)) }}
+{{- if .Values.global.rbac.create }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
@@ -18,3 +19,4 @@ subjects:
     name: {{ template "consul.fullname" . }}-dns-proxy
     namespace: {{ .Release.Namespace }}
 {{- end }}
+{{- end }}
@@ -1,5 +1,6 @@
 {{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }}
 {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey (not .Values.global.enterpriseLicense.enableLicenseAutoload)) }}
+{{- if .Values.global.rbac.create }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
@@ -35,3 +36,4 @@ rules: []
 {{- end }}
 {{- end }}
 {{- end }}
+{{- end }}
@@ -1,5 +1,6 @@
 {{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }}
 {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey (not .Values.global.enterpriseLicense.enableLicenseAutoload)) }}
+{{- if .Values.global.rbac.create }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
@@ -20,3 +21,4 @@ subjects:
     name: {{ template "consul.fullname" . }}-enterprise-license
 {{- end }}
 {{- end }}
+{{- end }}
@@ -1,4 +1,5 @@
 {{- if .Values.connectInject.enabled }}
+{{- if .Values.global.rbac.create }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -33,3 +34,4 @@ rules:
       - use
 {{- end }}
 {{- end }}
+{{- end }}
@@ -1,4 +1,5 @@
 {{- if .Values.connectInject.enabled }}
+{{- if .Values.global.rbac.create }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
@@ -17,4 +18,5 @@ subjects:
   - kind: ServiceAccount
     name: {{ template "consul.fullname" . }}-gateway-cleanup
     namespace: {{ .Release.Namespace }}
+{{- end }}
 {{- end }}
@@ -1,4 +1,5 @@
 {{- if .Values.connectInject.enabled }}
+{{- if .Values.global.rbac.create }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -35,3 +36,4 @@ rules:
       - use
 {{- end }}
 {{- end }}
+{{- end }}
@@ -1,4 +1,5 @@
 {{- if .Values.connectInject.enabled }}
+{{- if .Values.global.rbac.create }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
@@ -17,4 +18,5 @@ subjects:
   - kind: ServiceAccount
     name: {{ template "consul.fullname" . }}-gateway-resources
     namespace: {{ .Release.Namespace }}
+{{- end }}
 {{- end }}
@@ -1,4 +1,5 @@
 {{- if .Values.global.gossipEncryption.autoGenerate }}
+{{- if .Values.global.rbac.create }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
@@ -30,3 +31,4 @@ rules:
     - {{ template "consul.fullname" . }}-gossip-encryption-autogenerate
 {{- end }}
 {{- end }}
+{{- end }}
@@ -1,4 +1,5 @@
 {{- if .Values.global.gossipEncryption.autoGenerate }}
+{{- if .Values.global.rbac.create }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
@@ -21,3 +22,4 @@ subjects:
 - kind: ServiceAccount
   name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate
 {{- end }}
+{{- end }}
@@ -1,5 +1,5 @@
 {{- if .Values.ingressGateways.enabled }}
-
+{{- if .Values.global.rbac.create }}
 {{- $root := . }}
 {{- $defaults := .Values.ingressGateways.defaults }}
 
@@ -44,3 +44,4 @@ rules:
 ---
 {{- end }}
 {{- end }}
+{{- end }}
@@ -1,4 +1,5 @@
 {{- if .Values.ingressGateways.enabled }}
+{{- if .Values.global.rbac.create }}
 {{- $root := . }}
 {{- range .Values.ingressGateways.gateways }}
 apiVersion: rbac.authorization.k8s.io/v1
@@ -23,3 +24,4 @@ subjects:
 ---
 {{- end }}
 {{- end }}
+{{- end }}
@@ -1,4 +1,5 @@
 {{- if .Values.meshGateway.enabled }}
+{{- if .Values.global.rbac.create }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -32,3 +33,4 @@ rules:
 rules: []
 {{- end }}
 {{- end }}
+{{- end }}
@@ -1,4 +1,5 @@
 {{- if .Values.meshGateway.enabled }}
+{{- if .Values.global.rbac.create }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
@@ -18,3 +19,4 @@ subjects:
     name: {{ template "consul.fullname" . }}-mesh-gateway
     namespace: {{ .Release.Namespace }}
 {{- end }}
+{{- end }}
@@ -1,5 +1,6 @@
 {{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}}
 {{- if (and .Values.global.adminPartitions.enabled (not $serverEnabled)) }}
+{{- if .Values.global.rbac.create }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
@@ -33,3 +34,4 @@ rules:
       - use
 {{- end }}
 {{- end }}
+{{- end }}
@@ -1,5 +1,6 @@
 {{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}}
 {{- if (and .Values.global.adminPartitions.enabled (not $serverEnabled)) }}
+{{- if .Values.global.rbac.create }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
@@ -22,3 +23,4 @@ subjects:
   - kind: ServiceAccount
     name: {{ template "consul.fullname" . }}-partition-init
 {{- end }}
+{{- end }}