From 5d7343112bbf426222be3ad8a4825b0ed43ff4cf Mon Sep 17 00:00:00 2001
From: Zachary Blasczyk <zachary.blasczyk@wandb.com>
Date: Fri, 10 Jan 2025 19:42:53 -0600
Subject: [PATCH] implement roles

---
 charts/operator-wandb/values.yaml            | 12 ++++++++++++
 charts/wandb-base/templates/role.yaml        | 12 ++++++++++++
 charts/wandb-base/templates/rolebinding.yaml | 16 ++++++++++++++++
 charts/wandb-base/values.yaml                |  4 ++++
 4 files changed, 44 insertions(+)
 create mode 100644 charts/wandb-base/templates/role.yaml
 create mode 100644 charts/wandb-base/templates/rolebinding.yaml

diff --git a/charts/operator-wandb/values.yaml b/charts/operator-wandb/values.yaml
index a8191aa2..9f34f125 100644
--- a/charts/operator-wandb/values.yaml
+++ b/charts/operator-wandb/values.yaml
@@ -773,6 +773,18 @@ settingsMigrationHook:
   install: false
   service:
     enabled: false
+  role:
+    create: true
+    rules:
+      - apiGroups:
+          - ""
+        resources:
+          - secrets
+        verbs:
+          - get
+          - list
+          - update
+          - patch
   env:
     SMH_FILE_STORE:
       value: '{{ (include "wandb.bucket" . | fromYaml).url }}'
diff --git a/charts/wandb-base/templates/role.yaml b/charts/wandb-base/templates/role.yaml
new file mode 100644
index 00000000..69d5e906
--- /dev/null
+++ b/charts/wandb-base/templates/role.yaml
@@ -0,0 +1,12 @@
+{{- if .Values.role.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "wandb-base.fullname" .}}
+  labels:
+    {{- include "wandb-base.labels" . | nindent 4 }}
+rules:
+    {{- with .Values.role.rules }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+{{- end }}
diff --git a/charts/wandb-base/templates/rolebinding.yaml b/charts/wandb-base/templates/rolebinding.yaml
new file mode 100644
index 00000000..747fdb44
--- /dev/null
+++ b/charts/wandb-base/templates/rolebinding.yaml
@@ -0,0 +1,16 @@
+{{- if .Values.role.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "wandb-base.fullname" . }}
+  labels:
+    {{- include "wandb-base.labels" . | nindent 4 }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "wandb-base.serviceAccountName" . }}
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: Role
+  name: {{ include "wandb-base.fullname" . }}
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}
diff --git a/charts/wandb-base/values.yaml b/charts/wandb-base/values.yaml
index 4184a67c..4adf0491 100644
--- a/charts/wandb-base/values.yaml
+++ b/charts/wandb-base/values.yaml
@@ -27,6 +27,10 @@ serviceAccount:
   annotations: {}
   name: ""
 
+role:
+  create: false
+  rules: []
+
 podAnnotations: {}
 podLabels: {}