From dd4f5fbb8f5d3884231b9286aabb23262991a6f8 Mon Sep 17 00:00:00 2001
From: Ievgenii Shepeliuk
Date: Mon, 30 Aug 2021 13:11:38 +0300
Subject: [PATCH] fix: simplify rbac creation
Signed-off-by: Ievgenii Shepeliuk
---
 charts/opa/templates/mgmt-clusterrole.yaml | 14 ------------
 ...clusterrolebinding.yaml => mgmt-rbac.yaml} | 22 +++++++++++++++++--
 charts/opa/values.yaml | 13 +----------
 3 files changed, 21 insertions(+), 28 deletions(-)
 delete mode 100644 charts/opa/templates/mgmt-clusterrole.yaml
 rename charts/opa/templates/{mgmt-clusterrolebinding.yaml => mgmt-rbac.yaml} (50%)
diff --git a/charts/opa/templates/mgmt-clusterrole.yaml b/charts/opa/templates/mgmt-clusterrole.yaml
deleted file mode 100644
index 53c20c01a..000000000
--- a/charts/opa/templates/mgmt-clusterrole.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-{{- if (and .Values.rbac.create .Values.mgmt.enabled) -}}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- app: {{ template "opa.name" . }}
- chart: {{ template "opa.chart" . }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
- component: mgmt
- name: {{ template "opa.mgmtfullname" . }}
-rules:
-{{ toYaml .Values.rbac.rules.cluster | indent 2 }}
-{{- end -}}
diff --git a/charts/opa/templates/mgmt-clusterrolebinding.yaml b/charts/opa/templates/mgmt-rbac.yaml
similarity index 50%
rename from charts/opa/templates/mgmt-clusterrolebinding.yaml
rename to charts/opa/templates/mgmt-rbac.yaml
index 6ac50885b..1da09513c 100644
--- a/charts/opa/templates/mgmt-clusterrolebinding.yaml
+++ b/charts/opa/templates/mgmt-rbac.yaml
@@ -1,4 +1,22 @@
-{{- if (and .Values.rbac.create .Values.mgmt.enabled) -}}
+{{- if and .Values.rbac.create .Values.mgmt.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ app: {{ template "opa.name" . }}
+ chart: {{ template "opa.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+ component: mgmt
+ name: {{ template "opa.mgmtfullname" . }}
+rules:
+ - apiGroups: [""]
+ resources: ["configmaps"]
+ verbs: ["*"]
+ - apiGroups: [""]
+ resources: ["namespaces"]
+ verbs: ["get", "list", "watch"]
+---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
@@ -17,4 +35,4 @@ subjects:
 - kind: ServiceAccount
 name: {{ template "opa.serviceAccountName" . }}
 namespace: {{ .Release.Namespace }}
-{{- end -}}
+{{- end }}
diff --git a/charts/opa/values.yaml b/charts/opa/values.yaml
index ea19dc82f..33c59c2bb 100644
--- a/charts/opa/values.yaml
+++ b/charts/opa/values.yaml
@@ -190,19 +190,8 @@ nodeSelector: {}
 resources: {}
 rbac:
- # If true, create & use RBAC resources
- #
+ # If true, create RBAC resources
 create: true
- rules:
- cluster: []
- # - apiGroups:
- # - ""
- # resources:
- # - namespaces
- # verbs:
- # - get
- # - list
- # - watch
 serviceAccount:
 # Specifies whether a ServiceAccount should be created
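Review bot: The new ClusterRole in `mgmt-rbac.yaml` grants `verbs: ["*"]` on `configmaps`, and because it is bound through the ClusterRoleBinding kept in the same file, the mgmt ServiceAccount receives create, delete and deletecollection on ConfigMaps in every namespace whenever `rbac.create` and `mgmt.enabled` are both true. Before this commit the rules came from `.Values.rbac.rules.cluster`, which defaulted to an empty list, so the default grant is widened and operators are left with no value to narrow it. If the mgmt sidecar only reads policy ConfigMaps and writes status back to them (an assumption to confirm against its documentation), enumerate the verbs instead: `verbs: ["get", "list", "watch", "update", "patch"]`. With the wildcard, a compromised OPA pod or a leaked ServiceAccount token can rewrite or delete configuration cluster-wide.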
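Review bot: Removing `rbac.rules.cluster` from `values.yaml` means any existing override of that key is silently ignored after an upgrade, and the shortened comment `# If true, create RBAC resources` no longer tells the operator what is being granted. Since the rules are now fixed in `mgmt-rbac.yaml`, the comment above `create` should spell them out, for example `# If true, create a ClusterRole and ClusterRoleBinding for the mgmt component (configmaps: all verbs; namespaces: get/list/watch; not configurable)`. Installations that relied on custom cluster rules for additional resources (inferred; no such use is visible in this patch) would lose those permissions, so the change is worth flagging as breaking in the chart's release notes.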