freeleaps-ops/cluster/manifests/freeleaps-infra-system/telepresence/telepresence-oss/templates/trafficManagerRbac/cluster-scope.yaml

{{- with .Values }}
{{- if and .managerRbac.create (not (include "traffic-manager.namespaced" $)) }}
{{- /*
This file contains all cluster-scoped permissions that the traffic manager needs.
This will be larger if namespaced: false, or smaller if it is true
This will also likely expand over time as we move more things from the clients
domain into the traffic-manager.  But the good news there is that it will
require less permissions in clientRbac.yaml
*/}}
{{- $roleName := (printf "traffic-manager-%s" (include "traffic-manager.namespace" $)) }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ $roleName }}
  labels:
    {{- include "telepresence.labels" $ | nindent 4 }}
rules:
- apiGroups:
  - ""
  resources:
  - services
  verbs:
  - update {{/* Only needed for upgrade of older versions */}}
- apiGroups:
  - ""
  resources:
  - nodes
  - services
  - namespaces
  - pods
  verbs:
  - list
  - get
  - watch
{{- if .agentInjector.enabled }}
- apiGroups:
  - ""
  resources:
  - pods/eviction
  verbs:
  - create
{{- end }}
- apiGroups:
  - ""
  resources:
  - pods/log
  verbs:
  - get
- apiGroups:
  - "apps"
  resources:
  - deployments
  - replicasets
  - statefulsets
  verbs:
  - get
  - list
  - watch
{{- if .agentInjector.enabled }}
  - patch
{{- end }}
{{- if .workloads.argoRollouts.enabled }}
- apiGroups:
  - "argoproj.io"
  resources:
  - rollouts
  verbs:
  - get
  - list
  - watch
{{- if .agentInjector.enabled }}
  - patch
{{- end }}
{{- end }}
- apiGroups:
    - "events.k8s.io"
  resources:
    - events
  verbs:
    - get
    - watch
- apiGroups:
    - "networking.k8s.io"
  resources:
    - servicecidrs
  verbs:
    - list
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ $roleName }}
  labels:
    {{- include "telepresence.labels" $ | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ $roleName }}
subjects:
- kind: ServiceAccount
  name: traffic-manager
  namespace: {{ include "traffic-manager.namespace" $ }}
{{- end }}
{{- end }}
fix: update Jenkins token in gitea webhook configuration Signed-off-by: zhenyus <zhenyus@mathmast.com> 2025-07-24 08:51:35 +00:00			`{{- with .Values }}`
			`{{- if and .managerRbac.create (not (include "traffic-manager.namespaced" $)) }}`
			`{{- /*`
			`This file contains all cluster-scoped permissions that the traffic manager needs.`
			`This will be larger if namespaced: false, or smaller if it is true`
			`This will also likely expand over time as we move more things from the clients`
			`domain into the traffic-manager. But the good news there is that it will`
			`require less permissions in clientRbac.yaml`
			`*/}}`
			`{{- $roleName := (printf "traffic-manager-%s" (include "traffic-manager.namespace" $)) }}`
			`apiVersion: rbac.authorization.k8s.io/v1`
			`kind: ClusterRole`
			`metadata:`
			`name: {{ $roleName }}`
			`labels:`
			`{{- include "telepresence.labels" $ \| nindent 4 }}`
			`rules:`
			`- apiGroups:`
			`- ""`
			`resources:`
			`- services`
			`verbs:`
			`- update {{/* Only needed for upgrade of older versions */}}`
			`- apiGroups:`
			`- ""`
			`resources:`
			`- nodes`
			`- services`
			`- namespaces`
			`- pods`
			`verbs:`
			`- list`
			`- get`
			`- watch`
			`{{- if .agentInjector.enabled }}`
			`- apiGroups:`
			`- ""`
			`resources:`
			`- pods/eviction`
			`verbs:`
			`- create`
			`{{- end }}`
			`- apiGroups:`
			`- ""`
			`resources:`
			`- pods/log`
			`verbs:`
			`- get`
			`- apiGroups:`
			`- "apps"`
			`resources:`
			`- deployments`
			`- replicasets`
			`- statefulsets`
			`verbs:`
			`- get`
			`- list`
			`- watch`
			`{{- if .agentInjector.enabled }}`
			`- patch`
			`{{- end }}`
			`{{- if .workloads.argoRollouts.enabled }}`
			`- apiGroups:`
			`- "argoproj.io"`
			`resources:`
			`- rollouts`
			`verbs:`
			`- get`
			`- list`
			`- watch`
			`{{- if .agentInjector.enabled }}`
			`- patch`
			`{{- end }}`
			`{{- end }}`
			`- apiGroups:`
			`- "events.k8s.io"`
			`resources:`
			`- events`
			`verbs:`
			`- get`
			`- watch`
			`- apiGroups:`
			`- "networking.k8s.io"`
			`resources:`
			`- servicecidrs`
			`verbs:`
			`- list`
			`---`
			`apiVersion: rbac.authorization.k8s.io/v1`
			`kind: ClusterRoleBinding`
			`metadata:`
			`name: {{ $roleName }}`
			`labels:`
			`{{- include "telepresence.labels" $ \| nindent 4 }}`
			`roleRef:`
			`apiGroup: rbac.authorization.k8s.io`
			`kind: ClusterRole`
			`name: {{ $roleName }}`
			`subjects:`
			`- kind: ServiceAccount`
			`name: traffic-manager`
			`namespace: {{ include "traffic-manager.namespace" $ }}`
			`{{- end }}`
			`{{- end }}`