feat(helm): new value to opt-out from cluster-wide view access to secrets

erikgb · erikgb · commit 87365ef01e61 · 2025-01-30T21:23:15.000+01:00
diff --git a/charts/gitops-server/templates/role.yaml b/charts/gitops-server/templates/role.yaml
@@ -15,6 +15,7 @@ rules:
     {{- with .Values.rbac.impersonationResourceNames }}
     resourceNames: {{ . | toJson }}
     {{- end }}
+    {{- if .Values.rbac.viewSecretsEnabled }}
   # Access to enterprise entitlement
   - apiGroups: [""]
     resources: [ "secrets" ]
@@ -26,6 +27,7 @@ rules:
     {{- with (or .Values.rbac.viewSecretsResourceNames .Values.rbac.viewSecrets) }}
     resourceNames: {{ . | toJson }}
     {{- end }}
+    {{- end }}
 
   # The service account needs to read namespaces to know where it can query
   - apiGroups: [ "" ]
diff --git a/charts/gitops-server/values.yaml b/charts/gitops-server/values.yaml
@@ -63,6 +63,9 @@ rbac:
   impersonationResourceNames: []
   # -- Limit the type of principal that can be impersonated
   impersonationResources: ["users", "groups"]
+  # -- Specifies whether the service account should have cluster-wide view access to secrets.
+  # If enabled, the secrets permitted to read can be limited by name with `viewSecretsResourceNames`.
+  viewSecretsEnabled: true
   # -- If non-empty, this limits the secrets that can be accessed by
   # the service account to the specified ones, e.g. `['weave-gitops-enterprise-credentials']`
   viewSecretsResourceNames: ["cluster-user-auth", "oidc-auth"]
