Hangar/chart/templates/serviceaccount-backend.yaml

{{- if .Values.backend.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ include "hangar.backend.serviceAccountName" . }}
  labels:
    {{- include "hangar.labels" . | nindent 4 }}
  {{- with .Values.backend.serviceAccount.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ include "hangar.backend.serviceAccountName" . }}
  labels:
    {{- include "hangar.labels" . | nindent 4 }}
  {{- with .Values.backend.serviceAccount.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
rules:
- apiGroups: [""]
  resources: ["services", "secrets"]
  verbs: ["get"]
- apiGroups: [""]
  resources: ["endpoints", "configmaps", "services", "pods"]
  verbs: ["create", "update", "get", "patch", "watch", "list"]
- apiGroups: ["coordination.k8s.io"]
  resources: ["leases"]
  verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {{ include "hangar.backend.serviceAccountName" . }}
  labels:
    {{- include "hangar.labels" . | nindent 4 }}
  {{- with .Values.backend.serviceAccount.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
subjects:
- kind: ServiceAccount
  name: {{ include "hangar.backend.serviceAccountName" . }}
  namespace: {{ .Release.Namespace }}
roleRef:
  kind: Role
  name: {{ include "hangar.backend.serviceAccountName" . }}
  apiGroup: rbac.authorization.k8s.io
{{- end }}