harness · Israphel · Mar 27, 2025 · May 9, 2025
@@ -71,18 +71,6 @@ Fetch access level using kubernetes permission value
   {{- end }}
 {{- end }}
 
-
-{{/*
-Check if custom role is provided in k8sPermissionsType
-*/}}
-{{- define "harness-delegate-ng.useCustomRole" -}}
-  {{- if or (or (eq .Values.k8sPermissionsType "CLUSTER_ADMIN") (eq .Values.k8sPermissionsType "CLUSTER_VIEWER") ) (eq .Values.k8sPermissionsType "NAMESPACE_ADMIN") }}
-  {{- print "false" }}
-  {{- else }}
-  {{- print "true" }}
-  {{- end }}
-{{- end }}
-
 {{/*
 Memory assigned to container in Mi
 */}}
@@ -140,4 +128,4 @@ Usage:
             {{- tpl (.value | toYaml) .context }}
         {{- end }}
     {{- end }}
-{{- end -}}
+{{- end -}}
@@ -1,4 +1,4 @@
-{{- if or (eq .Values.k8sPermissionsType "CLUSTER_ADMIN") (eq .Values.k8sPermissionsType "CLUSTER_VIEWER")}}
+{{- if and .Values.k8sPermissionsType (or (eq .Values.k8sPermissionsType "CLUSTER_ADMIN") (eq .Values.k8sPermissionsType "CLUSTER_VIEWER")) }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:

@@ -0,0 +1,23 @@
+{{- if and (ne (.Values.CustomClusterRole | default "") "") (or (not .Values.k8sPermissionsType) (eq .Values.k8sPermissionsType "")) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ template "harness-delegate-ng.fullname" . }}-custom-clusterRoleBinding
+  labels:
+    {{- include "harness-delegate-ng.labels" . | nindent 4 }}
+    {{- if .Values.commonLabels }}
+      {{- include "harness-delegate-ng.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.commonAnnotations }}
+  annotations:
+    {{- include "harness-delegate-ng.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "harness-delegate-ng.serviceAccountName" . }}
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: {{ .Values.CustomClusterRole }}
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}
@@ -1,4 +1,4 @@
-{{- if eq (include "harness-delegate-ng.useCustomRole" .) "true" }}
+{{- if and (ne (.Values.CustomRole | default "") "") (or (not .Values.k8sPermissionsType) (eq .Values.k8sPermissionsType "")) }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
@@ -19,6 +19,6 @@ subjects:
     namespace: {{ .Release.Namespace }}
 roleRef:
   kind: Role
-  name: {{ .Values.k8sPermissionsType}}
+  name: {{ .Values.CustomRole }}
   apiGroup: rbac.authorization.k8s.io
 {{- end }}
@@ -1,4 +1,4 @@
-{{- if eq .Values.k8sPermissionsType "NAMESPACE_ADMIN" }}
+{{- if and .Values.k8sPermissionsType (eq .Values.k8sPermissionsType "NAMESPACE_ADMIN") }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:

@@ -1,5 +1,5 @@
 {{- $roleBindingName := print .Release.Namespace "-harness-namespace-admin" -}}
-{{- if eq .Values.k8sPermissionsType "NAMESPACE_ADMIN" }}
+{{- if and .Values.k8sPermissionsType (eq .Values.k8sPermissionsType "NAMESPACE_ADMIN") }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:

@@ -87,12 +87,24 @@ livenessProbe:
 description: ""
 tags: ""
 
-# Permissions for installed delegate, could be CLUSTER_ADMIN, CLUSTER_VIEWER or NAMESPACE_ADMIN
-# For using custom role: Create role in kubernetes cluster and refer role in k8sPermissionsType field.
-# for example if your custom role name is custom-role, then you need to add
-#k8sPermissionsType: "custom-role"
+# Specifies the permissions to assign to the installed delegate.
+# Accepted values: CLUSTER_ADMIN, CLUSTER_VIEWER, NAMESPACE_ADMIN
+#
+# CLUSTER_ADMIN: Grants a ClusterRoleBinding to the built-in 'cluster-admin' role.
+# CLUSTER_VIEWER: Grants a ClusterRoleBinding to the built-in 'view' role.
+# NAMESPACE_ADMIN: Creates and binds a custom Role with full access to the specified namespace.
+#
+# Leave empty to use a custom Role or ClusterRole (see CustomRole/CustomClusterRole below).
 k8sPermissionsType: "CLUSTER_ADMIN"
 
+# Name of a custom Role to bind to the delegate.
+# Cannot be used if k8sPermissionsType is set.
+CustomRole: ""
+
+# Name of a custom ClusterRole to bind to the delegate.
+# Cannot be used if k8sPermissionsType is set.
+CustomClusterRole: ""
+
 # Number of pod replica running delegate image
 replicas: 1