diff --git a/operations/helm/charts/alloy/ci/rbac-empty-rules-values.yaml b/operations/helm/charts/alloy/ci/rbac-empty-rules-values.yaml
new file mode 100644
index 0000000000..752651ac5b
--- /dev/null
+++ b/operations/helm/charts/alloy/ci/rbac-empty-rules-values.yaml
@@ -0,0 +1,5 @@
+# Test case for empty RBAC rules arrays
+rbac:
+ create: true
+ rules: []
+ clusterRules: []
diff --git a/operations/helm/charts/alloy/templates/rbac.yaml b/operations/helm/charts/alloy/templates/rbac.yaml
index 6f5e394fd2..e5ba9468bd 100644
--- a/operations/helm/charts/alloy/templates/rbac.yaml
+++ b/operations/helm/charts/alloy/templates/rbac.yaml
@@ -11,7 +11,11 @@ metadata:
 {{- include "alloy.labels" $ | nindent 4 }}
 app.kubernetes.io/component: rbac
 rules:
+ {{- if $.Values.rbac.rules }}
 {{- $.Values.rbac.rules | toYaml | nindent 2 }}
+ {{- else }}
+ []
+ {{- end }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
@@ -40,8 +44,12 @@ metadata:
 {{- include "alloy.labels" . | nindent 4 }}
 app.kubernetes.io/component: rbac
 rules:
+ {{- if or .Values.rbac.rules .Values.rbac.clusterRules }}
 {{- .Values.rbac.rules | toYaml | nindent 2 }}
 {{- .Values.rbac.clusterRules | toYaml | nindent 2 }}
+ {{- else }}
+ []
+ {{- end }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
diff --git a/operations/helm/tests/rbac-empty-rules/alloy/templates/configmap.yaml b/operations/helm/tests/rbac-empty-rules/alloy/templates/configmap.yaml
new file mode 100644
index 0000000000..62d8c8642f
--- /dev/null
+++ b/operations/helm/tests/rbac-empty-rules/alloy/templates/configmap.yaml
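Review bot: The new guard in the ClusterRole hunk of templates/rbac.yaml (`if or .Values.rbac.rules .Values.rbac.clusterRules`) still pipes both lists through `toYaml` whenever either one is non-empty, so values with `rules` populated and `clusterRules: []` (or the reverse) would presumably render a block sequence followed by a stray `[]` under `rules:`, which is not a valid manifest. Guarding each list on its own and emitting the `[]` fallback only when both are empty avoids that; the Role hunk above it handles a single list and is not affected. The added ci values file exercises only the both-empty case, so a mixed case (one list set, the other `[]`) would be worth adding beside it. The ClusterRole document begins before the hunk, so the rest of it is not visible here.

```yaml
rules:
  {{- with .Values.rbac.rules }}
  {{- . | toYaml | nindent 2 }}
  {{- end }}
  {{- with .Values.rbac.clusterRules }}
  {{- . | toYaml | nindent 2 }}
  {{- end }}
  {{- if not (or .Values.rbac.rules .Values.rbac.clusterRules) }}
  []
  {{- end }}
```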
@@ -0,0 +1,44 @@ +--- +# Source: alloy/templates/configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: alloy + namespace: default + labels: + helm.sh/chart: alloy + app.kubernetes.io/name: alloy + app.kubernetes.io/instance: alloy + app.kubernetes.io/version: "vX.Y.Z" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: config +data: + config.alloy: |- + logging { + level = "info" + format = "logfmt" + } + + discovery.kubernetes "pods" { + role = "pod" + } + + discovery.kubernetes "nodes" { + role = "node" + } + + discovery.kubernetes "services" { + role = "service" + } + + discovery.kubernetes "endpoints" { + role = "endpoints" + } + + discovery.kubernetes "endpointslices" { + role = "endpointslice" + } + + discovery.kubernetes "ingresses" { + role = "ingress" + } diff --git a/operations/helm/tests/rbac-empty-rules/alloy/templates/controllers/daemonset.yaml b/operations/helm/tests/rbac-empty-rules/alloy/templates/controllers/daemonset.yaml new file mode 100644 index 0000000000..0e117afe78 --- /dev/null +++ b/operations/helm/tests/rbac-empty-rules/alloy/templates/controllers/daemonset.yaml 
@@ -0,0 +1,76 @@ +--- +# Source: alloy/templates/controllers/daemonset.yaml +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: alloy + namespace: default + labels: + helm.sh/chart: alloy + app.kubernetes.io/name: alloy + app.kubernetes.io/instance: alloy + app.kubernetes.io/version: "vX.Y.Z" + app.kubernetes.io/managed-by: Helm +spec: + minReadySeconds: 10 + selector: + matchLabels: + app.kubernetes.io/name: alloy + app.kubernetes.io/instance: alloy + template: + metadata: + annotations: + kubectl.kubernetes.io/default-container: alloy + labels: + app.kubernetes.io/name: alloy + app.kubernetes.io/instance: alloy + spec: + serviceAccountName: alloy + containers: + - name: alloy + image: docker.io/grafana/alloy:v1.11.3 + imagePullPolicy: IfNotPresent + args: + - run + - /etc/alloy/config.alloy + - --storage.path=/tmp/alloy + - --server.http.listen-addr=0.0.0.0:12345 + - --server.http.ui-path-prefix=/ + - --stability.level=generally-available + env: + - name: ALLOY_DEPLOY_MODE + value: "helm" + - name: HOSTNAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + ports: + - containerPort: 12345 + name: http-metrics + readinessProbe: + httpGet: + path: /-/ready + port: 12345 + scheme: HTTP + initialDelaySeconds: 10 + timeoutSeconds: 1 + volumeMounts: + - name: config + mountPath: /etc/alloy + - name: config-reloader + image: quay.io/prometheus-operator/prometheus-config-reloader:v0.81.0 + args: + - --watched-dir=/etc/alloy + - --reload-url=http://localhost:12345/-/reload + volumeMounts: + - name: config + mountPath: /etc/alloy + resources: + requests: + cpu: 10m + memory: 50Mi + dnsPolicy: ClusterFirst + volumes: + - name: config + configMap: + name: alloy diff --git a/operations/helm/tests/rbac-empty-rules/alloy/templates/rbac.yaml b/operations/helm/tests/rbac-empty-rules/alloy/templates/rbac.yaml new file mode 100644 index 0000000000..2c6fbdf066 --- /dev/null +++ b/operations/helm/tests/rbac-empty-rules/alloy/templates/rbac.yaml 
@@ -0,0 +1,36 @@ +--- +# Source: alloy/templates/rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: alloy + labels: + helm.sh/chart: alloy + app.kubernetes.io/name: alloy + app.kubernetes.io/instance: alloy + app.kubernetes.io/version: "vX.Y.Z" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: rbac +rules: + [] +--- +# Source: alloy/templates/rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: alloy + labels: + helm.sh/chart: alloy + app.kubernetes.io/name: alloy + app.kubernetes.io/instance: alloy + app.kubernetes.io/version: "vX.Y.Z" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: rbac +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: alloy +subjects: + - kind: ServiceAccount + name: alloy + namespace: default diff --git a/operations/helm/tests/rbac-empty-rules/alloy/templates/service.yaml b/operations/helm/tests/rbac-empty-rules/alloy/templates/service.yaml new file mode 100644 index 0000000000..8780c6ce89 --- /dev/null +++ b/operations/helm/tests/rbac-empty-rules/alloy/templates/service.yaml @@ -0,0 +1,25 @@ +--- +# Source: alloy/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: alloy + namespace: default + labels: + helm.sh/chart: alloy + app.kubernetes.io/name: alloy + app.kubernetes.io/instance: alloy + app.kubernetes.io/version: "vX.Y.Z" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: networking +spec: + type: ClusterIP + selector: + app.kubernetes.io/name: alloy + app.kubernetes.io/instance: alloy + internalTrafficPolicy: Cluster + ports: + - name: http-metrics + port: 12345 + targetPort: 12345 + protocol: "TCP" diff --git a/operations/helm/tests/rbac-empty-rules/alloy/templates/serviceaccount.yaml b/operations/helm/tests/rbac-empty-rules/alloy/templates/serviceaccount.yaml new file mode 100644 index 0000000000..eef45c7520 --- /dev/null 
+++ b/operations/helm/tests/rbac-empty-rules/alloy/templates/serviceaccount.yaml @@ -0,0 +1,15 @@ +--- +# Source: alloy/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +automountServiceAccountToken: true +metadata: + name: alloy + namespace: default + labels: + helm.sh/chart: alloy + app.kubernetes.io/name: alloy + app.kubernetes.io/instance: alloy + app.kubernetes.io/version: "vX.Y.Z" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: rbac