freeleaps-ops/cluster/manifests/freeleaps-infra-system/telepresence/telepresence-oss/templates/clientRbac/namespace-scope.yaml

{{- /*
These are the namespace-scoped rbac roles + bindings that will be used by users
who want to use telepresence once its components have been set
up in the cluster.
*/}}
{{- with .Values.clientRbac }}
{{- if .create }}
{{- $subjects := .subjects }}
{{- if (not $subjects) }}
  {{- /* fail comes out really ugly if we just do fail "the message here" */}}
  {{- $msg := "You must set clientRbac.subjects to a list of valid rbac subjects. See the kubernetes docs for more: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#referring-to-subjects" }}
  {{- fail $msg }}
{{- end }}
{{- $namespaces := .namespaces }}
{{- if not $namespaces }}
  {{ $namespaces = fromJsonArray (include "traffic-manager.namespaces" $) }}
{{- end }}
{{- $name := include "telepresence.clientRbacName" $ }}
{{- $labels := include "telepresence.labels" $ | nindent 4 }}
{{- range $namespaces }}
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name:  {{ $name }}
  namespace: {{ . }}
  labels:
    {{- $labels }}
rules:
{{ include "telepresence.clientRbacInterceptRules" $ }}

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {{ $name }}
  namespace: {{ . }}
  labels:
    {{- $labels }}
subjects:
{{- toYaml $subjects | nindent 0}}
roleRef:
  kind: Role
  name: {{ $name }}
  apiGroup: rbac.authorization.k8s.io

{{- end }}

{{- $managerNamespace := include "traffic-manager.namespace" $ }}
{{- if and $namespaces (not (has $managerNamespace $namespaces)) }}
{{- /*
This is required only if the client should be permitted to gather the traffic-manager logs, and it
is only required when the traffic-manager isn't managing its own namespace.
*/}}
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: traffic-manager-logs
  namespace: {{ $managerNamespace }}
  labels:
    {{- $labels }}
rules:
  - apiGroups: [""]
    resources: ["pods/log"]
    verbs: ["get"]

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: traffic-manager-logs
  namespace: {{ $managerNamespace }}
  labels:
    {{- $labels }}
subjects:
{{ toYaml $subjects }}
roleRef:
  kind: Role
  name: traffic-manager-logs
  apiGroup: rbac.authorization.k8s.io

{{- end }}
{{- end }}
{{- end }}
fix: update Jenkins token in gitea webhook configuration Signed-off-by: zhenyus <zhenyus@mathmast.com> 2025-07-24 08:51:35 +00:00			`{{- /*`
			`These are the namespace-scoped rbac roles + bindings that will be used by users`
			`who want to use telepresence once its components have been set`
			`up in the cluster.`
			`*/}}`
			`{{- with .Values.clientRbac }}`
			`{{- if .create }}`
			`{{- $subjects := .subjects }}`
			`{{- if (not $subjects) }}`
			`{{- /* fail comes out really ugly if we just do fail "the message here" */}}`
			`{{- $msg := "You must set clientRbac.subjects to a list of valid rbac subjects. See the kubernetes docs for more: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#referring-to-subjects" }}`
			`{{- fail $msg }}`
			`{{- end }}`
			`{{- $namespaces := .namespaces }}`
			`{{- if not $namespaces }}`
			`{{ $namespaces = fromJsonArray (include "traffic-manager.namespaces" $) }}`
			`{{- end }}`
			`{{- $name := include "telepresence.clientRbacName" $ }}`
			`{{- $labels := include "telepresence.labels" $ \| nindent 4 }}`
			`{{- range $namespaces }}`
			`---`
			`kind: Role`
			`apiVersion: rbac.authorization.k8s.io/v1`
			`metadata:`
			`name: {{ $name }}`
			`namespace: {{ . }}`
			`labels:`
			`{{- $labels }}`
			`rules:`
			`{{ include "telepresence.clientRbacInterceptRules" $ }}`

			`---`
			`apiVersion: rbac.authorization.k8s.io/v1`
			`kind: RoleBinding`
			`metadata:`
			`name: {{ $name }}`
			`namespace: {{ . }}`
			`labels:`
			`{{- $labels }}`
			`subjects:`
			`{{- toYaml $subjects \| nindent 0}}`
			`roleRef:`
			`kind: Role`
			`name: {{ $name }}`
			`apiGroup: rbac.authorization.k8s.io`

			`{{- end }}`

			`{{- $managerNamespace := include "traffic-manager.namespace" $ }}`
			`{{- if and $namespaces (not (has $managerNamespace $namespaces)) }}`
			`{{- /*`
			`This is required only if the client should be permitted to gather the traffic-manager logs, and it`
			`is only required when the traffic-manager isn't managing its own namespace.`
			`*/}}`
			`---`
			`kind: Role`
			`apiVersion: rbac.authorization.k8s.io/v1`
			`metadata:`
			`name: traffic-manager-logs`
			`namespace: {{ $managerNamespace }}`
			`labels:`
			`{{- $labels }}`
			`rules:`
			`- apiGroups: [""]`
			`resources: ["pods/log"]`
			`verbs: ["get"]`

			`---`
			`apiVersion: rbac.authorization.k8s.io/v1`
			`kind: RoleBinding`
			`metadata:`
			`name: traffic-manager-logs`
			`namespace: {{ $managerNamespace }}`
			`labels:`
			`{{- $labels }}`
			`subjects:`
			`{{ toYaml $subjects }}`
			`roleRef:`
			`kind: Role`
			`name: traffic-manager-logs`
			`apiGroup: rbac.authorization.k8s.io`

			`{{- end }}`
			`{{- end }}`
			`{{- end }}`