67 lines
1.8 KiB
YAML
67 lines
1.8 KiB
YAML
{{- if .Values.create | default false }}
|
|
apiVersion: iam.services.k8s.aws/v1alpha1
|
|
kind: Role
|
|
metadata:
|
|
name: {{ include "pod-identity.fullname" . }}
|
|
annotations:
|
|
argocd.argoproj.io/sync-wave: "-2"
|
|
spec:
|
|
name: {{ include "pod-identity.fullname" . }}
|
|
assumeRolePolicyDocument: |
|
|
{
|
|
"Version": "2012-10-17",
|
|
"Statement": [
|
|
{
|
|
"Effect": "Allow",
|
|
"Principal": {
|
|
"Service": "pods.eks.amazonaws.com"
|
|
},
|
|
"Action": [
|
|
"sts:TagSession",
|
|
"sts:AssumeRole"
|
|
]
|
|
}
|
|
]
|
|
}
|
|
description: {{ .Values.podIdentityRole.description }}
|
|
|
|
{{- if .Values.podIdentityRole.managedPolicies }}
|
|
policies:
|
|
{{- if and (.Values.podIdentityPolicyCreate | default false) .Values.podIdentityRole.managedPolicies }}
|
|
- "arn:aws:iam::{{ $.Values.accountId }}:policy/{{ include "pod-identity.fullname" . }}"
|
|
{{- end }}
|
|
{{- range .Values.podIdentityRole.managedPolicies }}
|
|
- "{{ . }}"
|
|
{{- end }}
|
|
|
|
{{- else if .Values.podIdentityRole.policyRefs }}
|
|
policyRefs:
|
|
{{- if .Values.podIdentityPolicyCreate | default true }}
|
|
- from:
|
|
name: "{{ include "pod-identity.fullname" . }}"
|
|
{{- end }}
|
|
{{- range .Values.podIdentityRole.policyRefs }}
|
|
- from:
|
|
name: "{{ .name }}"
|
|
{{- if .namespace }}
|
|
namespace: "{{ .namespace }}"
|
|
{{- end }}
|
|
{{- end }}
|
|
|
|
{{- else }}
|
|
policyRefs:
|
|
- from:
|
|
name: "{{ include "pod-identity.fullname" . }}"
|
|
{{- end }}
|
|
|
|
{{- if .Values.podIdentityRole.inlinePolicies }}
|
|
inlinePolicies:
|
|
{{ .Values.podIdentityRole.inlinePolicies | toYaml | nindent 4 }}
|
|
{{- end }}
|
|
|
|
{{- if .Values.podIdentityRole.tags }}
|
|
tags:
|
|
{{ .Values.podIdentityRole.tags | toYaml | nindent 4 }}
|
|
{{- end }}
|
|
{{- end }}
|