chore: elevate cosi rbac (#1546)

* chore: elevate cosi rbac Signed-off-by: Tarun Gupta Akirala <[email protected]> * fix: simplify heredoc format Signed-off-by: Tarun Gupta Akirala <[email protected]> --------- Signed-off-by: Tarun Gupta Akirala <[email protected]>
mesosphere · Jan 28, 2025 · 6834b6e · 6834b6e
1 parent f5a80bb
commit 6834b6e
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 15 deletions.
diff --git a/stable/cosi-bucket-kit/Chart.yaml b/stable/cosi-bucket-kit/Chart.yaml
@@ -8,8 +8,8 @@ keywords:
   - bucket
   - storage
   - ceph
-version: 0.0.1-alpha.2
-appVersion: 0.0.1-alpha.2
+version: 0.0.1-alpha.3
+appVersion: 0.0.1-alpha.3
 maintainers:
   - name: takirala
   - name: mhrabovcin
diff --git a/stable/cosi-bucket-kit/templates/job-readiness.yaml b/stable/cosi-bucket-kit/templates/job-readiness.yaml
@@ -11,32 +11,30 @@ metadata:
     "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
+kind: ClusterRole
 metadata:
   name: {{ .Release.Name }}-readiness
-  namespace: {{ .Release.Namespace }}
   annotations:
     "helm.sh/hook": post-install,post-upgrade
     "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
 rules:
   - apiGroups: [ "" ]
     resources: [ "configmaps" ]
-    verbs: [ "get", "list", "create", "patch"] # A new configmap is created for harbor
+    verbs: [ "get", "list", "create", "patch"] # A new configmap is created for harbor (in a different namespace than helm release namespace).
   - apiGroups: [ "" ]
     resources: [ "secrets" ]
     verbs: [ "get", "list", "patch" ] # Existing secrets are updated for kubecost and harbor.
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
+kind: ClusterRoleBinding
 metadata:
   name: {{ .Release.Name }}-readiness
-  namespace: {{ .Release.Namespace }}
   annotations:
     "helm.sh/hook": post-install,post-upgrade
     "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
 roleRef:
   apiGroup: rbac.authorization.k8s.io
-  kind: Role
+  kind: ClusterRole
   name: {{ .Release.Name }}-readiness
 subjects:
 - kind: ServiceAccount
@@ -186,13 +184,13 @@ spec:
                 --dry-run=client -o yaml | kubectl apply -f -
               # Create a configmap with the name of the secret from above.
               kubectl create configmap {{ $cmName }} -n {{ $cmNamespace }} \
-                --from-file=values.yaml=<(cat <<EOF
-                persistence:
-                  imageChartStorage:
-                    type: s3
-                    s3:
-                      existingSecret: {{ .credentialsSecretName }}
-                EOF
+                --from-file=values.yaml=<(cat <<'EOF'
+              persistence:
+                imageChartStorage:
+                  type: s3
+                  s3:
+                    existingSecret: {{ .credentialsSecretName }}
+              EOF
                 ) \
                 --dry-run=client -o yaml | kubectl apply -f -
               {{- end }}