feat: add rbac support

closes hashicorp#20

templates/sync-cluster-role-binding.yaml

@@ -0,0 +1,21 @@
+{{- $rbacEnabled := (or (and (ne (.Values.rbac.enabled | toString) "-") .Values.rbac.enabled) (and (eq (.Values.rbac.enabled | toString) "-") .Values.rbac.enabled)) }}
+{{- $syncEnabled := (or (and (ne (.Values.syncCatalog.enabled | toString) "-") .Values.syncCatalog.enabled) (and (eq (.Values.syncCatalog.enabled | toString) "-") .Values.global.enabled)) }}
+{{- if (and $rbacEnabled $syncEnabled) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: consul:sync
+  labels:
+    app: {{ template "consul.name" . }}
+    chart: {{ template "consul.chart" . }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: consul:sync
+subjects:
+  - kind: Group
+    name: system:serviceaccounts:{{ .Release.Namespace }}
+    apiGroup: rbac.authorization.k8s.io
+{{- end }}

templates/sync-cluster-role.yaml

@@ -0,0 +1,25 @@
+{{- $rbacEnabled := (or (and (ne (.Values.rbac.enabled | toString) "-") .Values.rbac.enabled) (and (eq (.Values.rbac.enabled | toString) "-") .Values.rbac.enabled)) }}
+{{- $syncEnabled := (or (and (ne (.Values.syncCatalog.enabled | toString) "-") .Values.syncCatalog.enabled) (and (eq (.Values.syncCatalog.enabled | toString) "-") .Values.global.enabled)) }}
+{{- if (and $rbacEnabled $syncEnabled) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: consul:sync
+  labels:
+    app: {{ template "consul.name" . }}
+    chart: {{ template "consul.chart" . }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+rules:
+  - apiGroups: [""]
+    resources:
+      - services
+      - endpoints
+    verbs:
+      - get
+      - list
+      - watch
+      - update
+      - patch
+      - delete
+{{- end }}

test/unit/sync-cluster-role-binding.bats

@@ -0,0 +1,56 @@
+#!/usr/bin/env bats
+
+load _helpers
+
+@test "sync/ClusterRoleBinding: disabled by default" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      -x templates/sync-cluster-role-binding.yaml  \
+      . | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+}
+
+@test "sync/ClusterRoleBinding: enable with global.enabled false" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      -x templates/sync-cluster-role-binding.yaml  \
+      --set 'global.enabled=false' \
+      --set 'syncCatalog.enabled=true' \
+      --set 'rbac.enabled=true' \
+      . | tee /dev/stderr |
+      yq -s 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "true" ]
+}
+
+@test "sync/ClusterRoleBinding: disable with syncCatalog.enabled" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      -x templates/sync-cluster-role-binding.yaml  \
+      --set 'syncCatalog.enabled=false' \
+      --set 'rbac.enabled=true' \
+      . | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+}
+
+@test "sync/ClusterRoleBinding: disable with rbac.enabled" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      -x templates/sync-cluster-role-binding.yaml  \
+      --set 'syncCatalog.enabled=true' \
+      --set 'rbac.enabled=false' \
+      . | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+}
+
+@test "sync/ClusterRoleBinding: disable with global.enabled" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      -x templates/sync-cluster-role-binding.yaml  \
+      --set 'global.enabled=false' \
+      . | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+}

test/unit/sync-cluster-role.bats

@@ -0,0 +1,56 @@
+#!/usr/bin/env bats
+
+load _helpers
+
+@test "sync/ClusterRole: disabled by default" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      -x templates/sync-cluster-role.yaml  \
+      . | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+}
+
+@test "sync/ClusterRole: enable with global.enabled false" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      -x templates/sync-cluster-role.yaml  \
+      --set 'global.enabled=false' \
+      --set 'syncCatalog.enabled=true' \
+      --set 'rbac.enabled=true' \
+      . | tee /dev/stderr |
+      yq -s 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "true" ]
+}
+
+@test "sync/ClusterRole: disable with syncCatalog.enabled" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      -x templates/sync-cluster-role.yaml  \
+      --set 'syncCatalog.enabled=false' \
+      --set 'rbac.enabled=true' \
+      . | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+}
+
+@test "sync/ClusterRole: disable with rbac.enabled" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      -x templates/sync-cluster-role.yaml  \
+      --set 'syncCatalog.enabled=true' \
+      --set 'rbac.enabled=false' \
+      . | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+}
+
+@test "sync/ClusterRole: disable with global.enabled" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      -x templates/sync-cluster-role.yaml  \
+      --set 'global.enabled=false' \
+      . | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+}

values.yaml

@@ -186,3 +186,8 @@ connectInject:
     # defaults but can be customized if necessary.
     certName: tls.crt
     keyName: tls.key
+
+# Enabling rbac will create cluster roles and cluster role bindings to allow the
+# syncCatalog service to communicate with the kubernetes api to get/create services
+rbac:
+  enabled: false