remove option to configure specific secret names

Author: kishorj

helm/aws-load-balancer-controller/README.md

@@ -234,5 +234,4 @@ The default values set by the application itself can be confirmed [here](https:/
 | `serviceMonitor.enabled`                       | Specifies whether a service monitor should be created, requires the ServiceMonitor CRD to be installed   | `false`                                                                            |
 | `serviceMonitor.additionalLabels`              | Labels to add to the service account                                                                     | `{}`                                                                               |
 | `serviceMonitor.interval`                      | Prometheus scrape interval                                                                               | `1m`                                                                               |
-| `clusterSecretsPermissions.allowAllSecrets`    | If `true`, controller has access to all secrets in the cluster.                                          | `false`                                                                            |
-| `clusterSecretsPermissions.secretNames`        | Names of the specific secret resources controller should have access to for OIDC feature                 | `[]`                                                                               |
+| `clusterSecretsPermissions.allowAllSecrets`    | If `true`, controller has access to all secrets in the cluster.                                          | `false`                                                                            |

helm/aws-load-balancer-controller/templates/rbac.yaml

@@ -63,14 +63,6 @@ rules:
 - apiGroups: [""]
   resources: [secrets]
   verbs: [get, list, watch]
-{{- else if .Values.clusterSecretsPermissions.secretNames }}
-- apiGroups: [""]
-  resources: [secrets]
-{{- with .Values.clusterSecretsPermissions.secretNames }}
-  resourceNames:
-{{- toYaml . | nindent 4 }}
-{{- end }}
-  verbs: [get, list, watch]
 {{- end }}
 - apiGroups: ["elbv2.k8s.aws", "", "extensions", "networking.k8s.io"]
   resources: [targetgroupbindings/status, pods/status, services/status, ingresses/status]

helm/aws-load-balancer-controller/values.yaml

@@ -268,11 +268,10 @@ serviceMonitor:
   interval: 1m
 
 # clusterSecretsPermissions lets you configure RBAC permissions for secret resources
-# This is required only if you use the OIDC feature, and we recommend specifying specific
-# secret names instead of allowing all secrets.
+# Access to secrets resource is required only if you use the OIDC feature, and instead of
+# enabling access to all secrets, we recommend configuring namespaced role/rolebinding.
+# This option is for backwards compatibility only, and will potentially be deprecated in future.
 clusterSecretsPermissions:
   # allowAllSecrets allows the controller to access all secrets in the cluster.
   # This is to get backwards compatible behavior, but *NOT* recommended for security reasons
-  allowAllSecrets: false
-  # secretNames specifies the names of the secret resources the controller should have access to
-  secretNames: []
+  allowAllSecrets: false