better support for the validatingWebhook

Signed-off-by: Travis Glenn Hansen <[email protected]>

stable/snapshot-controller/Chart.yaml

@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.4
+version: 0.2.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

stable/snapshot-controller/templates/rbac-snapshot-controller.yaml

@@ -1,4 +1,4 @@
-{{- if .Values.rbac.enabled }}
+{{- if .Values.controller.rbac.enabled }}
 # RBAC file for the snapshot controller.
 #
 # The snapshot controller implements the control loop for CSI snapshot functionality.

stable/snapshot-controller/templates/rbac-snapshot-webhook.yaml

@@ -0,0 +1,36 @@
+{{- if .Values.validatingWebhook.rbac.enabled }}
+# RBAC file for the snapshot webhook.
+#
+# The snapshot webhook implements the validation and admission for CSI snapshot functionality.
+# It should be installed as part of the base Kubernetes distribution in an appropriate
+# namespace for components implementing base system functionality. For installing with
+# Vanilla Kubernetes, kube-system makes sense for the namespace.
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: snapshot-webhook
+  namespace: {{ .Release.Namespace | quote }}
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: snapshot-webhook-runner
+rules:
+  - apiGroups: ["snapshot.storage.k8s.io"]
+    resources: ["volumesnapshotclasses"]
+    verbs: ["get", "list", "watch"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: snapshot-webhook-role
+subjects:
+  - kind: ServiceAccount
+    name: snapshot-webhook
+    namespace: {{ .Release.Namespace | quote }}
+roleRef:
+  kind: ClusterRole
+  name: snapshot-webhook-runner
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}

stable/snapshot-controller/templates/setup-snapshot-controller.yaml

@@ -33,7 +33,7 @@ spec:
       labels:
         app: snapshot-controller
     spec:
-      {{- if .Values.rbac.enabled }}
+      {{- if .Values.controller.rbac.enabled }}
       serviceAccount: snapshot-controller
       {{- end }}
       containers:

stable/snapshot-controller/templates/webhook.yaml

@@ -17,6 +17,9 @@ spec:
       labels:
         app: snapshot-validation
     spec:
+      {{- if .Values.validatingWebhook.rbac.enabled }}
+      serviceAccountName: snapshot-webhook
+      {{- end }}
       containers:
       - name: snapshot-validation
         image: {{ .Values.validatingWebhook.image.repository }}:{{ .Values.validatingWebhook.image.tag }}

stable/snapshot-controller/values.yaml

@@ -7,11 +7,12 @@ imagePullSecrets: []
 nameOverride: ""
 fullnameOverride: ""
 
-rbac:
-  enabled: true
 
 controller:
   enabled: true
+  rbac:
+    enabled: true
+
   replicaCount: 3
   image:
     repository: k8s.gcr.io/sig-storage/snapshot-controller
@@ -27,10 +28,12 @@ controller:
 
 validatingWebhook:
   enabled: false
+  rbac:
+    enabled: true
   replicaCount: 3
   image:
     repository: k8s.gcr.io/sig-storage/snapshot-validation-webhook
     pullPolicy: IfNotPresent
     # Overrides the image tag whose default is the chart appVersion.
-    tag: v5.0.1
+    tag: v6.0.1