feat(agent): create a clusterrolebinding if the clusterrole cluster-m…

…onitoring-view exists

charts/agent/Chart.yaml

@@ -30,4 +30,4 @@ sources:
 - https://app.sysdigcloud.com/#/settings/user
 - https://github.com/draios/sysdig
 type: application
-version: 1.29.2
+version: 1.29.3

charts/agent/templates/clusterrolebinding-cluster-monitoring-view.yaml

@@ -0,0 +1,17 @@
+{{- $clusterRole := lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "cluster-monitoring-view" -}}
+{{- if and .Values.rbac.create $clusterRole }}
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ template "agent.fullname" .}}-cluster-monitoring-view
+  labels:
+{{ include "agent.labels" . | indent 4 }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "agent.serviceAccountName" .}}
+    namespace: {{ include "agent.namespace" . }}
+roleRef:
+  kind: ClusterRole
+  name: cluster-monitoring-view
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}

charts/agent/tests/clusterrolebinding-cluster-monitoring-view-exist_test.yaml

@@ -0,0 +1,46 @@
+suite: Agent Cluster Role Binding cluster-monitoring-view (exist)
+templates:
+  - templates/clusterrolebinding-cluster-monitoring-view.yaml
+kubernetesProvider:
+  scheme:
+    "rbac.authorization.k8s.io/v1/ClusterRole":
+      gvr:
+        group: "rbac.authorization.k8s.io"
+        version: "v1"
+        resource: "clusterroles"
+      namespaced: false
+  objects:
+  - apiVersion: rbac.authorization.k8s.io/v1
+    kind: ClusterRole
+    metadata:
+      name: cluster-monitoring-view
+
+tests:
+  - it: Does not create the ClusterRoleBinding if rbac.create is false
+    set:
+      rbac:
+        create: false
+    asserts:
+      - hasDocuments:
+          count: 0
+
+  - it: Does create the ClusterRoleBinding if the ClusterRole exists
+    asserts:
+      - hasDocuments:
+          count: 1
+      - containsDocument:
+          apiVersion: rbac.authorization.k8s.io/v1
+          kind: ClusterRoleBinding
+          name: RELEASE-NAME-agent-cluster-monitoring-view
+      - contains:
+          path: subjects
+          content:
+            kind: ServiceAccount
+            namespace: NAMESPACE
+            name: RELEASE-NAME-agent
+      - equal:
+          path: roleRef
+          value:
+            kind: ClusterRole
+            name: cluster-monitoring-view
+            apiGroup: rbac.authorization.k8s.io

charts/agent/tests/clusterrolebinding-cluster-monitoring-view-not-exist_test.yaml

@@ -0,0 +1,8 @@
+suite: Agent Cluster Role Binding cluster-monitoring-view (not exist)
+templates:
+  - templates/clusterrolebinding-cluster-monitoring-view.yaml
+tests:
+  - it: Does not create the ClusterRoleBinding if the ClusterRole does not exist
+    asserts:
+      - hasDocuments:
+          count: 0