fix: chart rbac (#152)

DoodleScheduling · Dec 6, 2023 · b7d2e9c · b7d2e9c
1 parent 48fa91f
commit b7d2e9c
Show file tree

Hide file tree

Showing 2 changed files with 42 additions and 9 deletions.
diff --git a/README.md b/README.md
@@ -377,6 +377,9 @@ spec:
       serviceAccount: keycloakrealm-default
 ```
 
+**Note**: The proxy needs read access to keycloakrealms as well as patch access to the /status subresource.
+In the example above there is a ClusterRole called keycloakrealm-proxy granting just that. This ClusterRole also is bundled in the helm chart, you may use {releaseName}-proxy for the RoleBinding.
+
 ## Installation
 
 ### Helm

diff --git a/chart/keycloak-controller/templates/clusterrole.yaml b/chart/keycloak-controller/templates/clusterrole.yaml
@@ -1,6 +1,20 @@
 {{- if .Values.clusterRBAC.enabled -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
+metadata:
+  name: {{ template "keycloak-controller.fullname" . }}-proxy
+rules:
+- apiGroups: ["keycloak.infra.doodle.com"]
+  resources:
+  - keycloakrealms
+  verbs: ["get"]
+- apiGroups: ["keycloak.infra.doodle.com"]
+  resources:
+  - keycloakrealms/status
+  verbs: ["get", "update", "patch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
 metadata:
   name: {{ template "keycloak-controller.fullname" . }}
   labels:
@@ -11,14 +25,6 @@ metadata:
   annotations:
     {{- toYaml .Values.annotations | nindent 4 }}
 rules:
-- apiGroups:
-  - ""
-  resources:
-    - secrets
-  verbs:
-    - get
-    - list
-    - watch
 - apiGroups:
   - "keycloak.infra.doodle.com"
   resources:
@@ -55,4 +61,28 @@ rules:
   - patch
   - update
   - watch
-{{- end }}
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+{{- end }}