fix: metrics rbac (#26)

raffis · web-flow · commit c65e1122f8d8 · 2023-07-11T16:05:56.000+02:00
diff --git a/chart/k8soauth2-proxy-controller/Chart.yaml b/chart/k8soauth2-proxy-controller/Chart.yaml
@@ -13,4 +13,4 @@ keywords:
 name: k8soauth2-proxy-controller
 sources:
 - https://github.com/DoodleScheduling/k8soauth2-proxy-controller
-version: 0.2.4
+version: 0.2.5
diff --git a/chart/k8soauth2-proxy-controller/templates/deployment.yaml b/chart/k8soauth2-proxy-controller/templates/deployment.yaml
@@ -88,7 +88,7 @@ spec:
         - --upstream=http://127.0.0.1:{{ .Values.metricsPort }}
         - --logtostderr=true
         - --v=0
-        image: quay.io/brancz/kube-rbac-proxy:v0.14.0
+        image: {{ .Values.kubeRBACProxy.image }}
         imagePullPolicy: IfNotPresent
         name: kube-rbac-proxy
         ports:
diff --git a/chart/k8soauth2-proxy-controller/templates/metrics-rbac.yaml b/chart/k8soauth2-proxy-controller/templates/metrics-rbac.yaml
@@ -16,6 +16,24 @@ rules:
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
+metadata:
+  name: {{ include "k8soauth2-proxy-controller.fullname" . }}-metrics
+  labels:
+    app.kubernetes.io/name: {{ include "k8soauth2-proxy-controller.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    helm.sh/chart: {{ include "k8soauth2-proxy-controller.chart" . }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "k8soauth2-proxy-controller.fullname" . }}-metrics-reader
+subjects:
+- kind: ServiceAccount
+  name: {{ template "k8soauth2-proxy-controller.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
 metadata:
   name: {{ include "k8soauth2-proxy-controller.fullname" . }}-proxy
   labels:
diff --git a/chart/k8soauth2-proxy-controller/values.yaml b/chart/k8soauth2-proxy-controller/values.yaml
@@ -132,13 +132,19 @@ prometheusRule:
 
 kubeRBACProxy:
   enabled: true
-
+  image: quay.io/brancz/kube-rbac-proxy:v0.14.2
   securityContext:
     allowPrivilegeEscalation: false
     capabilities:
       drop: ["all"]
     readOnlyRootFilesystem: true
 
   resources: {}
+  # limits:
+  #   cpu: 500m
+  #   memory: 128Mi
+  # requests:
+  #   cpu: 5m
+  #   memory: 64Mi
 
 tolerations: []
