From 30d2fc8bfcb7ffab5a405b7ec07fe1eca34062a4 Mon Sep 17 00:00:00 2001 From: Rowan Smith Date: Fri, 31 Oct 2025 05:22:23 +1100 Subject: [PATCH] fix: fix incorrect rendering of RBAC in Helm chart when workspacePerms=false (#20569) --- .../tests/testdata/namespace_rbac.golden | 43 ------------------- .../testdata/namespace_rbac_coder.golden | 43 ------------------- helm/libcoder/templates/_rbac.yaml | 6 ++- 3 files changed, 4 insertions(+), 88 deletions(-) diff --git a/helm/coder/tests/testdata/namespace_rbac.golden b/helm/coder/tests/testdata/namespace_rbac.golden index 68650a02b3..57a4ba3e2b 100644 --- a/helm/coder/tests/testdata/namespace_rbac.golden +++ b/helm/coder/tests/testdata/namespace_rbac.golden @@ -117,34 +117,6 @@ rules: # Source: coder/templates/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: Role -metadata: - name: coder-workspace-perms - namespace: test-namespace2 -rules: - - apiGroups: - - apps - resources: - - deployments - verbs: - - create - - delete - - deletecollection - - get - - list - - patch - - update - - watch - - apiGroups: - - networking.k8s.io - resources: - - ingresses - verbs: - - get - - list ---- -# Source: coder/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role metadata: name: coder-workspace-perms namespace: test-namespace3 @@ -262,21 +234,6 @@ roleRef: # Source: coder/templates/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding -metadata: - name: "coder" - namespace: test-namespace2 -subjects: - - kind: ServiceAccount - name: "coder" - namespace: default -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: coder-workspace-perms ---- -# Source: coder/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding metadata: name: "coder" namespace: test-namespace3 diff --git a/helm/coder/tests/testdata/namespace_rbac_coder.golden b/helm/coder/tests/testdata/namespace_rbac_coder.golden index 239eb73f8e..2687504879 100644 
--- a/helm/coder/tests/testdata/namespace_rbac_coder.golden +++ b/helm/coder/tests/testdata/namespace_rbac_coder.golden @@ -117,34 +117,6 @@ rules: # Source: coder/templates/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: Role -metadata: - name: coder-workspace-perms - namespace: test-namespace2 -rules: - - apiGroups: - - apps - resources: - - deployments - verbs: - - create - - delete - - deletecollection - - get - - list - - patch - - update - - watch - - apiGroups: - - networking.k8s.io - resources: - - ingresses - verbs: - - get - - list ---- -# Source: coder/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role metadata: name: coder-workspace-perms namespace: test-namespace3 @@ -262,21 +234,6 @@ roleRef: # Source: coder/templates/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding -metadata: - name: "coder" - namespace: test-namespace2 -subjects: - - kind: ServiceAccount - name: "coder" - namespace: coder -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: coder-workspace-perms ---- -# Source: coder/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding metadata: name: "coder" namespace: test-namespace3 diff --git a/helm/libcoder/templates/_rbac.yaml b/helm/libcoder/templates/_rbac.yaml index 73ba2bd4e1..633a8252e8 100644 --- a/helm/libcoder/templates/_rbac.yaml +++ b/helm/libcoder/templates/_rbac.yaml 
@@ -1,7 +1,9 @@
 {{- define "libcoder.rbac.forNamespace" -}}
 {{- $nsPerms := ternary .workspacePerms .Top.Values.coder.serviceAccount.workspacePerms (hasKey . "workspacePerms") -}}
- {{- $nsDeploy := ternary .enableDeployments .Top.Values.coder.serviceAccount.enableDeployments (hasKey . "enableDeployments") -}}
- {{- $nsExtra := ternary .extraRules .Top.Values.coder.serviceAccount.extraRules (hasKey . "extraRules") -}}
+ {{- $nsDeployRaw := ternary .enableDeployments .Top.Values.coder.serviceAccount.enableDeployments (hasKey . "enableDeployments") -}}
+ {{- $nsExtraRaw := ternary .extraRules .Top.Values.coder.serviceAccount.extraRules (hasKey . "extraRules") -}}
+ {{- $nsDeploy := and $nsPerms $nsDeployRaw -}}
+ {{- $nsExtra := ternary $nsExtraRaw (list) $nsPerms -}}
 {{- if or $nsPerms (or $nsDeploy $nsExtra) }}
 ---