This PR fixes #1367 with the minimum needed (plus the basics of
annotations and labels, since some clusters need those for extra
verifications, OPA, Kyverno, etc.).
The added role is the minimum access I could get away with (tested each
verb and resource individually), since the Kubernetes go library seems
to use list and get even when not strictly necessary.
I've defaulted to inactive; setting serviceAccount.rbac.create=true
will create the Role and roleBinding.
The changes only affect the woodpecker-agent chart, as the
woodpecker-server chart currently does nothing directly.
# Tests
- [x] non-default namespace (roleBinding uses namespace in a not
automatically rewritten position)
- [x] rbac.create enabled and disabled (nothing changes for disabled,
since the templates use a guard)
- [x] custom serviceAccount name
- [x] both roleBinding and role with no annotations, no labels, single
a&l, multiple each
- [x] helm deploy to Kubernetes, with all settings mentioned above
# Documentation
Added in the comments of the values.yaml. Taking it into the docs might
be helpful, but the Kubernetes section in the next docs is fairly empty,
possibly open a new issue and solve when the chart for next is mostly
done.
This allows:
- resource spec for the dind container different from the main agent
- environment variables for the dind container can also be specified in values, e.g. to change the default driver if one so wishes
- crucially: specifying a different dind image