Heimdall RBAC update (#100)

* Fix heimdall2 bug (#63) Co-authored-by: Adam Toy <adam.toy@rancherfederal.com> * bump chart versions (#65) Co-authored-by: Adam Toy <adam.toy@rancherfederal.com> * Update stigatron (#67) Co-authored-by: Adam Toy <adam.toy@rancherfederal.com> * Update heimdall to v0.1.24 * rev * Update heimdall2 ref * Add rancher chart (#72) Co-authored-by: Adam Toy <adam.toy@rancherfederal.com> * add rancher 2.7.1 (#74) * add rancher 2.7.1 * Fix --------- Co-authored-by: Adam Toy <adam.toy@rancherfederal.com> * AUTOMATION: SSF Prod Chart Update for heimdall2 * AUTOMATION: SSF Prod Chart Update for heimdall2 * AUTOMATION: SSF Prod Chart Update for heimdall2 * AUTOMATION: SSF Prod Chart Update for heimdall2 * AUTOMATION: SSF Prod Chart Update for stigatron-ui * AUTOMATION: SSF Prod Chart Update for heimdall2 * AUTOMATION: SSF Prod Chart Update for stigatron * DRAFT: Airgapped docs update 1 (#77) * update airgapped-docs charts for k8s 1.21 support * Clean up hauler navlink * AUTOMATION: SSF Prod Chart Update for heimdall2 * AUTOMATION: SSF Prod Chart Update for heimdall2 * AUTOMATION: SSF Prod Chart Update for heimdall2 * AUTOMATION: SSF Prod Chart Update for heimdall2 * AUTOMATION: SSF Prod Chart Update for stigatron-ui * AUTOMATION: SSF Prod Chart Update for heimdall2 * AUTOMATION: SSF Prod Chart Update for stigatron --------- Co-authored-by: Adam Toy <adam.toy@rancherfederal.com> Co-authored-by: Carbide SSF <carbide@rancherfederal.com> * Update airgapped-docs with fixes (#79) Co-authored-by: Adam Toy <adam.toy@rancherfederal.com> * AUTOMATION: SSF Prod Chart Update for stigatron-ui * Rancher 2.7.2 (#81) * Add rancher 2.7.2 * udpate shell version --------- Co-authored-by: Adam Toy <adam.toy@rancherfederal.com> * AUTOMATION: SSF Prod Chart Update for heimdall2 * update with stigatron-0.1.1 (#83) * update (#84) * heimdall 0.1.1 update (#86) * bump heimdall for stigatron (#88) * AUTOMATION: SSF Prod Chart Update for heimdall2 * AUTOMATION: SSF Prod Chart Update for heimdall2 * AUTOMATION: SSF Prod Chart Update for heimdall2 * AUTOMATION: SSF Prod Chart Update for heimdall2 * Update rancher to v2.7.3 (#90) Co-authored-by: Adam Toy <adam.toy@rancherfederal.com> * AUTOMATION: SSF Prod Chart Update for heimdall2 * AUTOMATION: SSF Prod Chart Update for heimdall2 * AUTOMATION: SSF Prod Chart Update for heimdall2 * update heimdall rbac (#94) * Stigatron heimdall update (#96) * Change to release branch * update heimdall dep * update * update stigatron chart * AUTOMATION: SSF Prod Chart Update for heimdall2 * Update heimdall rbac for impersonation namespace (#99) Co-authored-by: Adam Toy <adam.toy@rancherfederal.com> --------- Co-authored-by: Adam Toy <adam.toy@rancherfederal.com> Co-authored-by: Carbide SSF <carbide@rancherfederal.com>
rancherfederal · May 26, 2023 · 9f8b0f0 · 9f8b0f0
1 parent a666b98
commit 9f8b0f0
Show file tree

Hide file tree

Showing 3 changed files with 27 additions and 2 deletions.
diff --git a/charts/heimdall2/Chart.yaml b/charts/heimdall2/Chart.yaml
@@ -3,5 +3,5 @@ name: heimdall2
 description: Rancher Government Heimdall2 Tool
 icon: https://raw.githubusercontent.com/rancherfederal/carbide-docs/main/static/img/carbide-logo.svg
 type: application
-version: 0.1.39
+version: 0.1.41
 appVersion: "0.1.1"
diff --git a/charts/heimdall2/templates/heimdall-rbac.yaml b/charts/heimdall2/templates/heimdall-rbac.yaml
@@ -20,6 +20,16 @@ rules:
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
+metadata:
+  name: {{ include "heimdall.fullname" . }}-impersonation-role
+  namespace: {{ .Values.heimdall.impersonationNamespace }}
+rules:
+- apiGroups: [""]
+  resources: ["secrets", "namespaces"]
+  verbs: ["get", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
 metadata:
   name: {{ include "heimdall.fullname" . }}-rancher-role
   namespace: {{ .Values.heimdall.rancherNamespace }}
@@ -72,6 +82,20 @@ roleRef:
   apiGroup: rbac.authorization.k8s.io
 ---
 apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "heimdall.fullname" . }}-impersonation-rb
+  namespace: {{ .Values.heimdall.impersonationNamespace }}
+subjects:
+- kind: ServiceAccount
+  namespace: {{ .Release.Namespace }}
+  name: {{ include "heimdall.fullname" . }}-sa
+roleRef:
+  kind: Role
+  name: {{ include "heimdall.fullname" . }}-impersonation-role
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: {{ include "heimdall.fullname" . }}-rancher-crb

diff --git a/charts/heimdall2/values.yaml b/charts/heimdall2/values.yaml
@@ -49,7 +49,7 @@ heimdall:
     axios: ""
   rcidf: # rancher-cluster-id-finder
     name: carbide/rcidf
-    tag: "0.1.1"
+    tag: "0.1.2"
   databaseName: "heimdall"
   # repository: mitre/heimdall2
   # tag: 2.6.32
@@ -62,6 +62,7 @@ heimdall:
     port: 80
   jwtExpireTime: 1d
   fleetNamespace: cattle-fleet-system
+  impersonationNamespace: cattle-impersonation-system
   rancherNamespace: cattle-system
   localLoginDisabled: true
   # secret as in "secret value" not k8s secret