coder/helm/libcoder/templates/_rbac.yaml

{{- define "libcoder.rbac.forNamespace" -}}
  {{- $nsPerms := ternary .workspacePerms .Top.Values.coder.serviceAccount.workspacePerms (hasKey . "workspacePerms") -}}
  {{- $nsDeploy := ternary .enableDeployments .Top.Values.coder.serviceAccount.enableDeployments (hasKey . "enableDeployments") -}}
  {{- $nsExtra := ternary .extraRules .Top.Values.coder.serviceAccount.extraRules (hasKey . "extraRules") -}}

  {{- if or $nsPerms (or $nsDeploy $nsExtra) }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ .Top.Values.coder.serviceAccount.name }}-workspace-perms
  namespace: {{ .NS }}
rules:
{{- if $nsPerms }}
{{ include "libcoder.rbac.rules.basic" .Top | trimPrefix "\n" | indent 2 }}
{{- end }}
{{- if $nsDeploy }}
{{ include "libcoder.rbac.rules.deployments" .Top | trimPrefix "\n" | indent 2 }}
{{- end }}
{{- if $nsExtra }}
  {{- if kindIs "slice" $nsExtra }}
{{ toYaml $nsExtra | trimPrefix "\n" | indent 2 }}
  {{- else }}
{{ toYaml (list $nsExtra) | trimPrefix "\n" | indent 2 }}
  {{- end }}
{{- end }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {{ .Top.Values.coder.serviceAccount.name | quote }}
  namespace: {{ .NS }}
subjects:
  - kind: ServiceAccount
    name: {{ .Top.Values.coder.serviceAccount.name | quote }}
    {{- if ne .NS .Top.Release.Namespace }}
    namespace: {{ .Top.Release.Namespace }}
    {{- end }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ .Top.Values.coder.serviceAccount.name }}-workspace-perms
  {{- end }}
{{- end -}}

{{- define "libcoder.rbac.core" -}}
  {{- $top := . -}}
  {{- $rootPerms := $top.Values.coder.serviceAccount.workspacePerms | default false -}}
  {{- $rootDeploy := $top.Values.coder.serviceAccount.enableDeployments | default false -}}
  {{- $rootExtra  := $top.Values.coder.serviceAccount.extraRules | default (list) -}}

  {{- $rootParams := dict
        "Top" $top
        "NS"  $top.Release.Namespace
        "workspacePerms" $rootPerms
        "enableDeployments" $rootDeploy
        "extraRules" $rootExtra -}}
  {{ include "libcoder.rbac.forNamespace" $rootParams }}

  {{- $wsnsRaw := get $top.Values.coder.serviceAccount "workspaceNamespaces" -}}
  {{- $extra := default (list) $wsnsRaw -}}

  {{- range $_, $ns := $extra }}
    {{- $nsName := ternary $ns.name $ns (kindIs "map" $ns) -}}
    {{- if $nsName }}
      {{- $params := dict "Top" $top "NS" $nsName -}}
      {{- if kindIs "map" $ns }}
        {{- if hasKey $ns "workspacePerms" }}{{- $_ := set $params "workspacePerms" $ns.workspacePerms }}{{- else }}{{- $_ := set $params "workspacePerms" $rootPerms }}{{- end }}
        {{- if hasKey $ns "enableDeployments" }}{{- $_ := set $params "enableDeployments" $ns.enableDeployments }}{{- else }}{{- $_ := set $params "enableDeployments" $rootDeploy }}{{- end }}
        {{- if hasKey $ns "extraRules" }}{{- $_ := set $params "extraRules" $ns.extraRules }}{{- else }}{{- $_ := set $params "extraRules" $rootExtra }}{{- end }}
      {{- else }}
        {{- $_ := set $params "workspacePerms" $rootPerms -}}
        {{- $_ := set $params "enableDeployments" $rootDeploy -}}
        {{- $_ := set $params "extraRules" $rootExtra -}}
      {{- end }}
      {{ include "libcoder.rbac.forNamespace" $params }}
    {{- end }}
  {{- end }}
{{- end -}}

{{- define "libcoder.rbac.tpl" -}}
  {{- if not .Values.coder.serviceAccount.disableCreate -}}
  {{ include "libcoder.rbac.core" . }}
  {{- end }}
{{- end -}}

{{- define "libcoder.namespace.rbac.tpl" -}}
  {{ include "libcoder.rbac.core" . }}
{{- end -}}