X-Git-Url: https://gerrit.o-ran-sc.org/r/gitweb?a=blobdiff_plain;f=ric-platform%2F50-RIC-Platform%2Fhelm%2Fappmgr%2Ftemplates%2Fserviceaccount.yaml;h=4fd198bc7489e79bbb6f31c6cb8df35e2dedb803;hb=f1e9d069ec4ae0e35202b1d508f2652986036342;hp=6164f73d29f3fbe0c35662516fa76c7d03e61cee;hpb=b361b2091909dc2e77d4d172b95c210f8b1b2abb;p=it%2Fdep.git
diff --git a/ric-platform/50-RIC-Platform/helm/appmgr/templates/serviceaccount.yaml b/ric-platform/50-RIC-Platform/helm/appmgr/templates/serviceaccount.yaml
index 6164f73d..4fd198bc 100644
--- a/ric-platform/50-RIC-Platform/helm/appmgr/templates/serviceaccount.yaml
+++ b/ric-platform/50-RIC-Platform/helm/appmgr/templates/serviceaccount.yaml
@@ -1,3 +1,6 @@
+{{- $tillerKey := .Values.appmgr.tillerkey | default "ricxapp" }}
+{{- $topCtx := . }}
+{{- $ctx := dict "ctx" $topCtx "key" $tillerKey }}
 ---
 apiVersion: v1
 kind: ServiceAccount
@@ -8,22 +11,55 @@ metadata:
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: Role
 metadata:
- name: {{ include "common.serviceaccountname.appmgr" . }}-{{ include "common.helmrepositorytillernamespace" . }}-access
- namespace: {{ include "common.helmrepositorytillernamespace" . }}
+ name: {{ include "common.serviceaccountname.appmgr" . }}-{{ include "common.tillerNameSpace" $ctx }}-access
+ namespace: {{ include "common.tillerDeployNameSpace" $ctx }}
 rules:
 - apiGroups: [""]
- resources: ["pods", "pods/portforward"]
- verbs: ["get", "list", "create"]
+ resources: ["pods/portforward"]
+ verbs: ["create"]
+- apiGroups: [""]
+ resources: ["pods", "configmaps", "deployments", "services"]
+ verbs: ["get", "list", "create", "delete"]
+{{- if or (eq (include "common.tillerTLSVerify" $ctx) "true" ) (eq (include "common.tillerTLSAuthenticate" $ctx) "true") }}
+- apiGroups: [""]
+ resources: ["secrets"]
+ resourceNames: [ {{ include "common.tillerHelmClientTLSSecret" $ctx | quote }} ]
+ verbs: ["get"]
+{{- end }}
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: RoleBinding
+metadata:
+ name: {{ include "common.serviceaccountname.appmgr" . }}-{{ include "common.tillerNameSpace" $ctx }}-access
+ namespace: {{ include "common.tillerDeployNameSpace" $ctx }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ include "common.serviceaccountname.appmgr" . }}-{{ include "common.tillerNameSpace" $ctx }}-access
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "common.serviceaccountname.appmgr" . }}
+ namespace: {{ include "common.namespace.platform" . }}
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: Role
+metadata:
+ name: {{ include "common.serviceaccountname.appmgr" . }}-{{ include "common.tillerNameSpace" $ctx }}-getappconfig
+ namespace: {{ include "common.tillerNameSpace" $ctx }}
+rules:
+- apiGroups: [""]
+ resources: ["configmaps"]
+ verbs: ["get"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: RoleBinding
 metadata:
- name: {{ include "common.serviceaccountname.appmgr" . }}-{{ include "common.helmrepositorytillernamespace" .}}-access
- namespace: {{ include "common.helmrepositorytillernamespace" . }}
+ name: {{ include "common.serviceaccountname.appmgr" . }}-{{ include "common.namespace.xapp" . }}-getappconfig
+ namespace: {{ include "common.tillerNameSpace" $ctx }}
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: Role
- name: {{ include "common.serviceaccountname.appmgr" . }}-{{ include "common.helmrepositorytillernamespace" .}}-access
+ name: {{ include "common.serviceaccountname.appmgr" . }}-{{ include "common.tillerNameSpace" $ctx }}-getappconfig
 subjects:
 - kind: ServiceAccount
 name: {{ include "common.serviceaccountname.appmgr" . }}
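Review bot: In the second rule of the first Role, `deployments` is listed under `apiGroups: [""]`, but Deployments are served from the `apps` group (`extensions` on older clusters), so the rule grants nothing for them; give them their own rule with `apiGroups: ["apps"]` and `resources: ["deployments"]`. That same rule keeps `create` on `pods` and adds `delete` in the Tiller deploy namespace; since a pod may be created under any service account of its namespace, the grant is effectively as strong as the most privileged account there, so each verb should be justified in a comment and any that appmgr does not use dropped. The new `-getappconfig` Role allows `get` on every ConfigMap in the namespace; if the ConfigMap names are known, scope it with `resourceNames` as the `secrets` rule already does. The last RoleBinding is named via `common.namespace.xapp` while its Role and `roleRef` use `common.tillerNameSpace $ctx`, so the names diverge whenever the two helpers return different values; using the same helper in `metadata.name` would keep them paired.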