fix: simplify rbac creation

Signed-off-by: Ievgenii Shepeliuk <[email protected]>

charts/opa/templates/mgmt-clusterrolebinding.yaml → charts/opa/templates/mgmt-rbac.yaml

@@ -1,4 +1,22 @@
-{{- if (and .Values.rbac.create .Values.mgmt.enabled) -}}
+{{- if and .Values.rbac.create .Values.mgmt.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app: {{ template "opa.name" . }}
+    chart: {{ template "opa.chart" . }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+    component: mgmt
+  name: {{ template "opa.mgmtfullname" . }}
+rules:
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    verbs: ["*"]
+  - apiGroups: [""]
+    resources: ["namespaces"]
+    verbs: ["get", "list", "watch"]
+---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
@@ -17,4 +35,4 @@ subjects:
   - kind: ServiceAccount
     name: {{ template "opa.serviceAccountName" . }}
     namespace: {{ .Release.Namespace }}
-{{- end -}}
+{{- end }}

charts/opa/values.yaml

@@ -190,19 +190,8 @@ nodeSelector: {}
 resources: {}
 
 rbac:
-  # If true, create & use RBAC resources
-  #
+  # If true, create RBAC resources
   create: true
-  rules:
-    cluster: []
-    # - apiGroups:
-    #     - ""
-    #   resources:
-    #   - namespaces
-    #   verbs:
-    #   - get
-    #   - list
-    #   - watch
 
 serviceAccount:
   # Specifies whether a ServiceAccount should be created