CORE-18638 Add permission for ingress controller to read IngressClass (#5268)

davidcurrie · web-flow · commit b02a4e495cf6 · 2023-12-15T17:37:59.000Z
diff --git a/charts/corda-lib/templates/_nginx.tpl b/charts/corda-lib/templates/_nginx.tpl
@@ -2,6 +2,13 @@
 {{- printf "%s-nginx" . }}
 {{- end }}
 
+{{- define "corda.nginxClusterUniqueName" -}}
+{{- $workerName := index . 1 }}
+{{- with ( index . 0 ) }}
+{{- printf "%s-%s" .Release.Namespace ( include "corda.nginxName" $workerName ) }}
+{{- end }}
+{{- end }}
+
 {{- define "corda.nginxComponent" -}}
 {{ printf "%s-nginx" . }}
 {{- end }}
@@ -56,6 +63,37 @@ data:
   allow-snippet-annotations: "false"
 ---
 apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    {{- include "corda.nginxLabels" ( list . $workerName ) | nindent 4 }}
+  name: {{ include "corda.nginxClusterUniqueName" ( list . $workerName ) | quote }}
+rules:
+  - apiGroups:
+      - networking.k8s.io
+    resources:
+      - ingressclasses
+    verbs:
+      - get
+      - list
+      - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    {{- include "corda.nginxLabels" ( list . $workerName ) | nindent 4 }}
+  name: {{ include "corda.nginxClusterUniqueName" ( list . $workerName ) | quote }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "corda.nginxClusterUniqueName" ( list . $workerName ) | quote }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "corda.nginxName" $workerName | quote }}
+    namespace: {{ .Release.Namespace | quote }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
