feat(helm): add labels and additional rolebinding SA for certmanager (#90)

Co-authored-by: Frederic Spiers <[email protected]>

Author: ixxeL2097

helm/ggbridge/templates/rbac.yaml

@@ -6,6 +6,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: {{ printf "%s-issuer" $fullname }}
+  namespace: {{ .Release.Namespace }}
   labels:
     {{- include "ggbridge.labels" . | nindent 4 }}
   {{- if or .Values.commonAnnotations .Values.serviceAccount.annotations }}
@@ -18,6 +19,8 @@ kind: Role
 metadata:
   name: {{ printf "%s-issuer" $fullname }}
   namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "ggbridge.labels" . | nindent 4 }}
 rules:
   - apiGroups: ['']
     resources: ['serviceaccounts/token']
@@ -29,10 +32,17 @@ kind: RoleBinding
 metadata:
   name: {{ printf "%s-issuer" $fullname }}
   namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "ggbridge.labels" . | nindent 4 }}
 subjects:
   - kind: ServiceAccount
     name: {{ .Values.tls.certManager.serviceAccount }}
     namespace: {{ .Values.tls.certManager.namespace }}
+  {{- if .Values.tls.certManager.issuer.spec.vault.auth.kubernetes.serviceAccountRef }}
+  - kind: ServiceAccount
+    name: {{ .Values.tls.certManager.issuer.spec.vault.auth.kubernetes.serviceAccountRef.name }}
+    namespace: {{ .Release.Namespace }}
+  {{- end }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
@@ -42,6 +52,9 @@ apiVersion: v1
 kind: Secret
 metadata:
   name: {{ printf "%s-issuer-token" $fullname }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "ggbridge.labels" . | nindent 4 }}
   annotations:
     kubernetes.io/service-account.name: {{ printf "%s-issuer" $fullname }}
 type: kubernetes.io/service-account-token
@@ -50,6 +63,8 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: {{ printf "%s-issuer" $fullname }}-token-reviewer
+  labels:
+    {{- include "ggbridge.labels" . | nindent 4 }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
@@ -66,6 +81,8 @@ kind: Role
 metadata:
   name: {{ printf "%s-cert-manager" $fullname }}
   namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "ggbridge.labels" . | nindent 4 }}
 rules:
   - apiGroups:
       - ''
@@ -99,6 +116,8 @@ kind: RoleBinding
 metadata:
   name: {{ printf "%s-cert-manager" $fullname }}
   namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "ggbridge.labels" . | nindent 4 }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role

helm/ggbridge/templates/serviceaccount.yaml

@@ -3,6 +3,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: {{ include "ggbridge.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
   labels:
     {{- include "ggbridge.labels" . | nindent 4 }}
   {{- if or .Values.commonAnnotations .Values.serviceAccount.annotations }}
@@ -17,6 +18,7 @@ metadata:
   labels:
     {{- include "ggbridge.labels" . | nindent 4 }}
   name: {{ include "ggbridge.fullname" . }}
+  namespace: {{ .Release.Namespace }}
 rules:
   - apiGroups:
       - ''
@@ -32,6 +34,9 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: {{ include "ggbridge.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "ggbridge.labels" . | nindent 4 }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role