Add clusterRole generator function

2025-10-26 10:23:04 +01:00 · 2019-10-09 11:52:00 -03:00 · 2019-10-09 11:52:00 -03:00 · 47711c5ed6
commit 47711c5ed6
parent 42ffee2d4c
2 changed files with 34 additions and 22 deletions
--- a/arm_exporter.jsonnet
+++ b/arm_exporter.jsonnet
@ -26,28 +26,16 @@ local utils = import 'utils.libsonnet';
      clusterRoleBinding.withSubjects([{ kind: 'ServiceAccount', name: 'arm-exporter', namespace: $._config.namespace }]),

    clusterRole:
-      local clusterRole = k.rbac.v1.clusterRole;
-      local policyRule = clusterRole.rulesType;
-
-      local authenticationRole = policyRule.new() +
-                                 policyRule.withApiGroups(['authentication.k8s.io']) +
-                                 policyRule.withResources([
-                                   'tokenreviews',
-                                 ]) +
-                                 policyRule.withVerbs(['create']);
-
-      local authorizationRole = policyRule.new() +
-                                policyRule.withApiGroups(['authorization.k8s.io']) +
-                                policyRule.withResources([
-                                  'subjectaccessreviews',
-                                ]) +
-                                policyRule.withVerbs(['create']);
-
-      local rules = [authenticationRole, authorizationRole];
-
-      clusterRole.new() +
-      clusterRole.mixin.metadata.withName('arm-exporter') +
-      clusterRole.withRules(rules),
+      utils.newClusterRole('arm-exporter', [
+        {apis: ['authentication.k8s.io'],
+         res: ['tokenreviews'],
+         verbs: ['create']
+        },
+        {apis: ['authorization.k8s.io'],
+         res: ['subjectaccessreviews'],
+         verbs: ['create']
+        }
+      ]),

    serviceAccount:
      local serviceAccount = k.core.v1.serviceAccount;
--- a/utils.libsonnet
+++ b/utils.libsonnet
@ -11,6 +11,30 @@ local vars = import 'vars.jsonnet';
        aux(arr, i + 1, running + arr[i]) tailstrict;
    aux(objs, 0, {}),

+  // Creates ClusterRoles
+  // roles format example: {apis: ['authentication.k8s.io'],
+  //                        res: ['tokenreviews'],
+  //                        verbs: ['create']
+  //                       }
+    newClusterRole(name, roles):: (
+      local clusterRole = k.rbac.v1.clusterRole;
+      local policyRule = clusterRole.rulesType;
+
+      local p(apigroups, resources, verbs) = policyRule.new() +
+                  policyRule.withApiGroups([a for a in apigroups]) +
+                  policyRule.withResources([r for r in resources]) +
+                  policyRule.withVerbs([v for v in verbs]);
+
+      local r = [ p(pol.apis, pol.res, pol.verbs) for pol in roles ];
+
+      local rules = r;
+
+      local c = clusterRole.new() +
+        clusterRole.mixin.metadata.withName(name) +
+        clusterRole.withRules(rules);
+      c
+    ),
+
  // Creates endpoint objects
  newEndpoint(name, namespace, ips, portName, portNumber):: (
    local endpoints = k.core.v1.endpoints;