[cilium] add custom vars for clusterrole cilium operator (#10267)

1 year ago · 0405af1107
3 changed files with 58 additions and 0 deletions
--- a/inventory/sample/group_vars/k8s_cluster/k8s-net-cilium.yml
+++ b/inventory/sample/group_vars/k8s_cluster/k8s-net-cilium.yml
@ -243,3 +243,22 @@

 # -- Whether to enable CNP status updates.
 # cilium_disable_cnp_status_updates: true
+
+# A list of extra rules variables to add to clusterrole for cilium operator, formatted like:
+#   cilium_clusterrole_rules_operator_extra_vars:
+#     - apiGroups:
+#       - '""'
+#       resources:
+#       - pods
+#       verbs:
+#       - delete
+#     - apiGroups:
+#       - '""'
+#       resources:
+#       - nodes
+#       verbs:
+#       - list
+#       - watch
+#       resourceNames:
+#       - toto
+# cilium_clusterrole_rules_operator_extra_vars: []
--- a/roles/network_plugin/cilium/defaults/main.yml
+++ b/roles/network_plugin/cilium/defaults/main.yml
@ -290,3 +290,22 @@ cilium_certgen_args:
  hubble-relay-client-cert-validity-duration: 94608000s
  hubble-relay-client-cert-secret-name: hubble-relay-client-certs
  hubble-relay-server-cert-generate: false
+
+# A list of extra rules variables to add to clusterrole for cilium operator, formatted like:
+#   cilium_clusterrole_rules_operator_extra_vars:
+#     - apiGroups:
+#       - '""'
+#       resources:
+#       - pods
+#       verbs:
+#       - delete
+#     - apiGroups:
+#       - '""'
+#       resources:
+#       - nodes
+#       verbs:
+#       - list
+#       - watch
+#       resourceNames:
+#       - toto
+cilium_clusterrole_rules_operator_extra_vars: []
--- a/roles/network_plugin/cilium/templates/cilium-operator/cr.yml.j2
+++ b/roles/network_plugin/cilium/templates/cilium-operator/cr.yml.j2
@ -147,3 +147,23 @@ rules:
  - ciliumnetworkpolicies.cilium.io
  - ciliumnodes.cilium.io
 {% endif %}
+{% for rules in cilium_clusterrole_rules_operator_extra_vars %}
+- apiGroups:
+{% for api in rules['apiGroups'] %}
+  - {{ api }}
+{% endfor %}
+  resources:
+{% for resource in rules['resources'] %}
+  - {{ resource }}
+{% endfor %}
+  verbs:
+{% for verb in rules['verbs'] %}
+  - {{ verb }}
+{% endfor %}
+{% if 'resourceNames' in rules %}
+  resourceNames:
+{% for resourceName in rules['resourceNames'] %}
+  - {{ resourceName }}
+{% endfor %}
+{% endif %}
+{% endfor %}