fix: fix incorrect rendering of RBAC in Helm chart when workspacePerms=false (#20569)

2026-06-02 20:48:20 +00:00 · 2025-10-31 05:22:23 +11:00
parent d80b5fc8ed
commit 30d2fc8bfc
3 changed files with 4 additions and 88 deletions
@@ -117,34 +117,6 @@ rules:
 # Source: coder/templates/rbac.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
-metadata:
-  name: coder-workspace-perms
-  namespace: test-namespace2
-rules:
-  - apiGroups:
-    - apps
-    resources:
-    - deployments
-    verbs:
-    - create
-    - delete
-    - deletecollection
-    - get
-    - list
-    - patch
-    - update
-    - watch
-  - apiGroups:
-    - networking.k8s.io
-    resources:
-    - ingresses
-    verbs:
-    - get
-    - list
---
-# Source: coder/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
 metadata:
  name: coder-workspace-perms
  namespace: test-namespace3
@@ -262,21 +234,6 @@ roleRef:
 # Source: coder/templates/rbac.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
-metadata:
-  name: "coder"
-  namespace: test-namespace2
-subjects:
-  - kind: ServiceAccount
-    name: "coder"
-    namespace: default
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: coder-workspace-perms
---
-# Source: coder/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
 metadata:
  name: "coder"
  namespace: test-namespace3
@@ -117,34 +117,6 @@ rules:
 # Source: coder/templates/rbac.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
-metadata:
-  name: coder-workspace-perms
-  namespace: test-namespace2
-rules:
-  - apiGroups:
-    - apps
-    resources:
-    - deployments
-    verbs:
-    - create
-    - delete
-    - deletecollection
-    - get
-    - list
-    - patch
-    - update
-    - watch
-  - apiGroups:
-    - networking.k8s.io
-    resources:
-    - ingresses
-    verbs:
-    - get
-    - list
---
-# Source: coder/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
 metadata:
  name: coder-workspace-perms
  namespace: test-namespace3
@@ -262,21 +234,6 @@ roleRef:
 # Source: coder/templates/rbac.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
-metadata:
-  name: "coder"
-  namespace: test-namespace2
-subjects:
-  - kind: ServiceAccount
-    name: "coder"
-    namespace: coder
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: coder-workspace-perms
---
-# Source: coder/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
 metadata:
  name: "coder"
  namespace: test-namespace3
@@ -1,7 +1,9 @@
 {{- define "libcoder.rbac.forNamespace" -}}
  {{- $nsPerms := ternary .workspacePerms .Top.Values.coder.serviceAccount.workspacePerms (hasKey . "workspacePerms") -}}
-  {{- $nsDeploy := ternary .enableDeployments .Top.Values.coder.serviceAccount.enableDeployments (hasKey . "enableDeployments") -}}
-  {{- $nsExtra := ternary .extraRules .Top.Values.coder.serviceAccount.extraRules (hasKey . "extraRules") -}}
+  {{- $nsDeployRaw := ternary .enableDeployments .Top.Values.coder.serviceAccount.enableDeployments (hasKey . "enableDeployments") -}}
+  {{- $nsExtraRaw := ternary .extraRules .Top.Values.coder.serviceAccount.extraRules (hasKey . "extraRules") -}}
+  {{- $nsDeploy := and $nsPerms $nsDeployRaw -}}
+  {{- $nsExtra := ternary $nsExtraRaw (list) $nsPerms -}}

  {{- if or $nsPerms (or $nsDeploy $nsExtra) }}
 ---