fix(helm): create namespaced RBAC when sidecar is enabled (#16776)

Signed-off-by: Tsubasa Nagasawa <[email protected]>
Signed-off-by: Jay Clifford <[email protected]>
Co-authored-by: J Stickler <[email protected]>
Co-authored-by: Jay Clifford <[email protected]>

Author: 3 people

production/helm/loki/CHANGELOG.md

@@ -13,14 +13,14 @@ Entries should include a reference to the pull request that introduced the chang
 
 [//]: # (<AUTOMATED_UPDATES_LOCATOR> : do not remove this line. This locator is used by the CI pipeline to automatically create a changelog entry for each new Loki release. Add other chart versions and respective changelog entries bellow this line.)
 
+- [BUGFIX] Create missing RBAC for the rules sidecar when RBAC is namespaced
 - [FEATURE] Allow setting custom labels for ingester statefulsets [#18536](https://github.com/grafana/loki/pull/18536)
 - [BUGFIX] Ensure the scc is actually allowing to use hostPath volumes when the rbac.sccAllowHostDirVolumePlugin is set to true
 - [BUGFIX] Fix serviceName in zone-aware ingester statefulsets [#18558](https://github.com/grafana/loki/pull/18558)
 - [FEATURE] Added support for chunk-cache-l2 [#17556](https://github.com/grafana/loki/pull/17556)
 - [ENHANCEMENT] Add FOLDER_ANNOTATATION logic for sidecar container. [#13289](https://github.com/grafana/loki/pull/13289)
 - [ENHANCEMENT] Add configurable `livenessProbe` and `startupProbe` for admin-api. [#18546](https://github.com/grafana/loki/pull/18546)
 - [FEATURE] Added support for chunk-cache-l2 [#17556](https://github.com/grafana/loki/pull/17556)
-- [ENHANCEMENT] Add FOLDER_ANNOTATATION logic for sidecar container. [#13289](https://github.com/grafana/loki/pull/13289)
 - [ENHANCEMENT] Expose Loki UI in pure ingress. [18400](https://github.com/grafana/loki/pull/18400)
 
 ## 6.33.0

production/helm/loki/templates/role.yaml

@@ -1,13 +1,13 @@
-{{- if or .Values.rbac.pspEnabled .Values.rbac.sccEnabled }}
+{{- if or (or .Values.rbac.pspEnabled .Values.rbac.sccEnabled) (and .Values.rbac.namespaced .Values.sidecar.rules.enabled) }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name: {{ include "loki.name" . }}
   namespace: {{ $.Release.Namespace }}
   labels:
     {{- include "loki.labels" . | nindent 4 }}
-{{- if .Values.rbac.pspEnabled }}
 rules:
+  {{- if .Values.rbac.pspEnabled }}
   - apiGroups:
       - policy
     resources:
@@ -16,9 +16,8 @@ rules:
       - use
     resourceNames:
       - {{ include "loki.name" . }}
-{{- end }}
-{{- if .Values.rbac.sccEnabled }}
-rules:
+  {{- end }}
+  {{- if .Values.rbac.sccEnabled }}
   - apiGroups:
       - security.openshift.io
     resources:
@@ -27,10 +26,10 @@ rules:
       - use
     resourceNames:
       - {{ include "loki.name" . }}
+  {{- end }}
   {{- if and .Values.rbac.namespaced .Values.sidecar.rules.enabled }}
   - apiGroups: [""] # "" indicates the core API group
     resources: ["configmaps", "secrets"]
     verbs: ["get", "watch", "list"]
   {{- end }}
 {{- end }}
-{{- end }}

production/helm/loki/templates/rolebinding.yaml

@@ -1,4 +1,4 @@
-{{- if or .Values.rbac.pspEnabled .Values.rbac.sccEnabled }}
+{{- if or (or .Values.rbac.pspEnabled .Values.rbac.sccEnabled) (and .Values.rbac.namespaced .Values.sidecar.rules.enabled) }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata: