UNCLASSIFIED - NO CUI


Add ability to provide a custom verb list to the wait job

Andrew Kesterson requested to merge add_waitjob_role_verbs into master

General MR

Summary

This MR provides the ability to give the gluon waitjob role permission to perform additional verbs on the granted resources.

This also corrects some portions of the documentation that incorrectly list the value as waitjob (lower case) when in reality it is waitJob (camel case).

Relevant logs/screenshots

When provided with YAML like this:

waitJob:
  enabled: true
  scripts:
    image: bitnami/kubectl:1.29
  permissions:
    apiGroups:
      - external-secrets.io
      - generators.external-secrets.io
    resources:
      - acraccesstokens
      - clusterexternalsecrets
      - clustersecretstores
      - ecrauthorizationtokens
      - externalsecrets
      - fakes
      - gcraccesstokens
      - githubaccesstokens
      - passwords
      - pushsecrets
      - secretstores
      - vaultdynamicsecrets
      - webhooks
    verbs:
      - create
      - delete
      - get
      - list
      - watch

I get resources like this:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  annotations:
    helm.sh/hook: post-install,post-upgrade
    helm.sh/hook-delete-policy: hook-succeeded,before-hook-creation, hook-failed
    helm.sh/hook-weight: "-5"
  creationTimestamp: "2024-11-07T15:13:19Z"
  labels:
    app.kubernetes.io/instance: external-secrets
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: external-secrets
    app.kubernetes.io/version: v0.10.2
    helm.sh/chart: external-secrets-0.10.2-bb.4
  name: external-secrets-wait-job-role
  namespace: external-secrets
  resourceVersion: "1992"
  uid: cd7f30a0-1a36-4190-a435-d1efab6c48d5
rules:
- apiGroups:
  - external-secrets.io
  - generators.external-secrets.io
  resources:
  - acraccesstokens
  - clusterexternalsecrets
  - clustersecretstores
  - ecrauthorizationtokens
  - externalsecrets
  - fakes
  - gcraccesstokens
  - githubaccesstokens
  - passwords
  - pushsecrets
  - secretstores
  - vaultdynamicsecrets
  - webhooks
  verbs:
  - create
  - delete
  - get
  - list
  - watch

When no verbs are provided in the YAML, I get the defaults: watch, list, get.

And the wait script can do its job as expected.

Linked Issue

No issue, spawned from IL4 mattermost thread

Upgrade Notices

N/A

Edited by Andrew Kesterson
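The following is an added example, not code from this MR or from the Big Bang chart, that models what the description above shows: a permissions block from values is turned into a Role rule, an absent verbs list falls back to the read-only defaults (watch, list, get), and any verb beyond that default is surfaced so a reviewer can see exactly how much the wait-job role has been broadened. The Permissions struct, the roleTmpl text and the verbsOrDefault helper (standing in for Helm's default function) are assumptions made for this example; the values are constructed from the YAML in the MR description.

```go
package main

import (
	"bytes"
	"fmt"
	"sort"
	"text/template"
)

// Permissions mirrors the waitJob.permissions block from the MR's values
// YAML. The field names are an assumption made for this example, not the
// chart's own types.
type Permissions struct {
	APIGroups []string
	Resources []string
	Verbs     []string // empty means "fall back to the chart default"
}

// DefaultVerbs is the read-only set the MR description reports when no
// verbs are supplied.
var DefaultVerbs = []string{"watch", "list", "get"}

// roleTmpl is a stand-in for the chart's wait-job Role template written for
// this example; verbsOrDefault plays the part Helm's `default` would.
const roleTmpl = `apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ .Name }}-wait-job-role
rules:
- apiGroups:
{{- range .Perms.APIGroups }}
  - {{ . }}
{{- end }}
  resources:
{{- range .Perms.Resources }}
  - {{ . }}
{{- end }}
  verbs:
{{- range verbsOrDefault .Perms.Verbs }}
  - {{ . }}
{{- end }}
`

// verbsOrDefault applies the fallback: an unset or empty verb list yields
// the read-only defaults.
func verbsOrDefault(verbs []string) []string {
	if len(verbs) == 0 {
		return DefaultVerbs
	}
	return verbs
}

// RenderRole renders the Role manifest for a release name and permissions.
func RenderRole(release string, p Permissions) (string, error) {
	t, err := template.New("role").
		Funcs(template.FuncMap{"verbsOrDefault": verbsOrDefault}).
		Parse(roleTmpl)
	if err != nil {
		return "", err
	}
	data := struct {
		Name  string
		Perms Permissions
	}{release, p}
	var buf bytes.Buffer
	if err := t.Execute(&buf, data); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// ExtraVerbs lists, sorted, the verbs a values file grants beyond the
// read-only default. A non-empty result is the privilege the custom verb
// list adds to the wait-job role and is what a reviewer should look at.
func ExtraVerbs(p Permissions) []string {
	readOnly := map[string]bool{}
	for _, v := range DefaultVerbs {
		readOnly[v] = true
	}
	extra := []string{}
	for _, v := range verbsOrDefault(p.Verbs) {
		if !readOnly[v] {
			extra = append(extra, v)
		}
	}
	sort.Strings(extra)
	return extra
}

func main() {
	// Constructed input modelled on the values YAML in the MR description.
	perms := Permissions{
		APIGroups: []string{"external-secrets.io", "generators.external-secrets.io"},
		Resources: []string{"externalsecrets", "secretstores"},
		Verbs:     []string{"create", "delete", "get", "list", "watch"},
	}
	role, err := RenderRole("external-secrets", perms)
	if err != nil {
		panic(err)
	}
	fmt.Print(role)
	fmt.Println("verbs beyond read-only default:", ExtraVerbs(perms))
}
```

Run it once with the verbs list present and once with it removed: the first render carries create and delete and ExtraVerbs reports them, the second falls back to watch, list, get and ExtraVerbs is empty, which is the behaviour the description above reports for the chart.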
