[opsportal] allow posting to /ops/portal/graphql (#405)

update kube-oidc-proxy to 0.2.0
mesosphere · Feb 5, 2020 · 1b9a4b3 · 1b9a4b3
1 parent bb48a78
commit 1b9a4b3
Show file tree

Hide file tree

Showing 6 changed files with 31 additions and 7 deletions.
diff --git a/stable/opsportal/Chart.yaml b/stable/opsportal/Chart.yaml
@@ -3,7 +3,7 @@ appVersion: 1.0.0
 home: https://github.com/mesosphere/charts
 description: OpsPortal Chart
 name: opsportal
-version: 0.2.0
+version: 0.2.1
 maintainers:
   - name: hectorj2f
   - name: alejandroEsc

diff --git a/stable/opsportal/templates/ingress-opsportal-roles.yaml b/stable/opsportal/templates/ingress-opsportal-roles.yaml
@@ -32,9 +32,17 @@ rules:
 - nonResourceURLs:
   - {{ .Values.opsportalRBAC.path | trimSuffix "/"}}
   - {{ .Values.opsportalRBAC.path | trimSuffix "/" }}/*
+  - {{ .Values.opsportalRBAC.graphqlPath | trimSuffix "/"}}
   verbs:
   - get
   - head
+# Posting to graphql is required for ops portal viewing
+- nonResourceURLs:
+    - {{ .Values.opsportalRBAC.graphqlPath | trimSuffix "/"}}
+  verbs:
+    - get
+    - head
+    - post
 
 ---
 apiVersion: rbac.authorization.k8s.io/v1

diff --git a/stable/opsportal/values.yaml b/stable/opsportal/values.yaml
@@ -49,6 +49,7 @@ kommander-ui:
 opsportalRBAC:
   enabled: true
   path: /ops/portal
+  graphqlPath: /ops/portal/graphql
 
 kibanaRBAC:
   enabled: true

diff --git a/staging/kube-oidc-proxy/Chart.yaml b/staging/kube-oidc-proxy/Chart.yaml
@@ -1,9 +1,9 @@
 apiVersion: v1
-appVersion: "v0.1.1"
+appVersion: "v0.2.0"
 description: A Helm chart for kube-oidc-proxy
 home: https://github.com/mesosphere/charts
 name: kube-oidc-proxy
-version: 0.1.8
+version: 0.1.9
 sources:
 - https://github.com/jetstack/kube-oidc-proxy
 maintainers:

diff --git a/staging/kube-oidc-proxy/templates/clusterrole.yaml b/staging/kube-oidc-proxy/templates/clusterrole.yaml
@@ -29,8 +29,23 @@ rules:
   - "userextras/scopes"
   verbs:
   - "impersonate"
+- apiGroups:
+    - "authentication.k8s.io"
+  resources:
+    - "tokenreviews"
+  verbs:
+    - "create"
+    - "get"
+    - "list"
+    - "watch"
+    - "update"
 # kube-oidc-proxy init container requires to list services in order to get
 # load balancer hostname
-- apiGroups: [""]
-  resources: ["services"]
-  verbs: ["get", "list", "watch"]
+- apiGroups:
+  - ""
+  resources:
+  - "services"
+  verbs:
+  - "get"
+  - "list"
+  - "watch"
diff --git a/staging/kube-oidc-proxy/values.yaml b/staging/kube-oidc-proxy/values.yaml
@@ -6,7 +6,7 @@ replicaCount: 1
 
 image:
   repository: quay.io/jetstack/kube-oidc-proxy
-  tag: v0.1.1
+  tag: v0.2.0
   pullPolicy: IfNotPresent
 
 imagePullSecrets: []