Modify coder serviceaccount when deploying with helm charts

Hello, I'm using Helm charts and Argo CD to deploy Coder. I have a use case where I'm trying to use Kubernetes to deploy additional workspaces with Coder. The coder serviceaccount is trying to access an apiGroup provided by a custom operator for deploying another application. I can modify the role directly, but Argo CD detects a change to the configuration and overwrites the additional permissions. I don't believe the Helm chart supports adding custom role permissions. If it does, can someone provide guidance on how I would do that?
6 Replies
Codercord, 14mo ago
Category: Other
Product: Coder OSS (v2)
Platform: Linux
Logs: Please post any relevant logs/error messages.
Cian, 14mo ago
Hmm, instead of modifying the coder-workspace-perms role, maybe you could add an extra Role and RoleBinding for the coder serviceaccount into extraTemplates in the Helm values?
Cian, 14mo ago
https://github.com/coder/coder/blob/main/helm/coder/values.yaml#L320 Something like this?
```yaml
# [...]
extraTemplates: |
  apiVersion: rbac.authorization.k8s.io/v1
  kind: Role
  metadata:
    name: coder-extra-perms
    namespace: coder-namespace
  rules:
    - apiGroups:
        - "acme.com"
      resources:
        - widgets
      verbs:
        - get
        - list
        - watch
  ---
  apiVersion: rbac.authorization.k8s.io/v1
  kind: RoleBinding
  metadata:
    name: coder-extra-perms
    namespace: coder-namespace
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: Role
    name: coder-extra-perms
  subjects:
    - kind: ServiceAccount
      name: coder
      # namespace is required for ServiceAccount subjects
      namespace: coder-namespace
  ---
```
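As an added example (not part of the thread or of Coder's chart), this Python check lints a Role/RoleBinding pair like the one suggested above before it is synced: it flags ServiceAccount subjects without a namespace, dangling roleRefs and wildcard rules, and lists what a service account is actually granted. The manifests are constructed sample data that reuse the thread's placeholder names (`coder-namespace`, `acme.com`, `widgets`); the function names are hypothetical.

```python
RULES = [{"apiGroups": ["acme.com"], "resources": ["widgets"],
          "verbs": ["get", "list", "watch"]}]

def manifests(subject):
    """Constructed sample: Role + RoleBinding using the thread's placeholders."""
    meta = {"name": "coder-extra-perms", "namespace": "coder-namespace"}
    return [
        {"kind": "Role", "metadata": meta, "rules": RULES},
        {"kind": "RoleBinding", "metadata": meta,
         "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                     "kind": "Role", "name": "coder-extra-perms"},
         "subjects": [subject]},
    ]

def resolve(objs, rb):
    """Role a RoleBinding points at, or None (dangling or ClusterRole ref)."""
    roles = {(o["metadata"]["namespace"], o["metadata"]["name"]): o
             for o in objs if o["kind"] == "Role"}
    if rb["roleRef"]["kind"] != "Role":
        return None
    return roles.get((rb["metadata"]["namespace"], rb["roleRef"]["name"]))

def lint(objs):
    """Return findings for bindings that are invalid, dangling or too broad."""
    findings = []
    for rb in (o for o in objs if o["kind"] == "RoleBinding"):
        name, ref, role = rb["metadata"]["name"], rb["roleRef"], resolve(objs, rb)
        if ref["kind"] == "Role" and role is None:
            findings.append(f"{name}: Role {ref['name']} not found")
        for s in rb.get("subjects", []):
            # The API server rejects ServiceAccount subjects without a namespace.
            if s["kind"] == "ServiceAccount" and not s.get("namespace"):
                findings.append(f"{name}: subject {s['name']} has no namespace")
        for rule in (role or {}).get("rules", []):
            findings += [f"{name}: wildcard in {f}"
                         for f in ("apiGroups", "resources", "verbs")
                         if "*" in rule.get(f, [])]
    return findings

def granted(objs, sa_namespace, sa_name):
    """(apiGroup, resource, verb) triples a service account gets from Roles."""
    out = set()
    for rb in (o for o in objs if o["kind"] == "RoleBinding"):
        bound = any(s["kind"] == "ServiceAccount" and s["name"] == sa_name
                    and s.get("namespace") == sa_namespace
                    for s in rb.get("subjects", []))
        for r in (resolve(objs, rb) or {}).get("rules", []) if bound else []:
            out |= {(g, res, v) for g in r["apiGroups"]
                    for res in r["resources"] for v in r["verbs"]}
    return out
```

Feed it the rendered chart output converted to dicts; an empty `lint()` result plus a `granted()` set that matches only the operator's API group is the state to aim for.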
Garrett Primm (OP), 14mo ago
I’ll try this out tomorrow! Ty
Phorcys, 14mo ago
hey @Garrett Primm, have you had any luck?
Mukesh_11#11, 5mo ago
clusterRole