From f8ad65066ef577836551321d275ae8ad8f433073 Mon Sep 17 00:00:00 2001 From: Brad Shelton Date: Wed, 12 Jul 2023 10:11:36 -0500 Subject: [PATCH] To address the function role vs clusterrole issue (#236) * To address the function role vs clusterrole issue * making backwards compatable * updated value.yaml to include limit functions to namespace * Added documentation to clarify the new attribute * moved limit_to_namespace under functions.rbac --- charts/pulsar/templates/broker-rbac.yaml | 17 +++++++++++++++++ charts/pulsar/values.yaml | 6 ++++++ 2 files changed, 23 insertions(+) diff --git a/charts/pulsar/templates/broker-rbac.yaml b/charts/pulsar/templates/broker-rbac.yaml index 6654435..d2145d1 100644 --- a/charts/pulsar/templates/broker-rbac.yaml +++ b/charts/pulsar/templates/broker-rbac.yaml @@ -19,9 +19,15 @@ {{- if or .Values.components.functions .Values.extra.functionsAsPods }} apiVersion: rbac.authorization.k8s.io/v1 +{{- if .Values.functions.rbac.limit_to_namespace }} +kind: Role +metadata: + name: "{{ template "pulsar.fullname" . }}-{{ .Values.functions.component }}-role" +{{- else}} kind: ClusterRole metadata: name: "{{ template "pulsar.fullname" . }}-{{ .Values.functions.component }}" +{{- end}} rules: - apiGroups: [""] resources: 
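Review bot: The new `Role` is rendered with only `name:` under `metadata:`, so it relies on Helm placing it in the release namespace; the same applies to the `RoleBinding` in the second hunk of this file. If the functions worker is ever configured to create function pods in a different namespace, the namespaced grant will not cover them, and the failure will only show up as forbidden API calls at runtime. Consider making the target explicit by adding `namespace: {{ .Release.Namespace }}` below the `-role` name. The `rules:` list continues outside the hunk and is now shared by both kinds, so check it for cluster-scoped resources, which a Role cannot grant.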
@@ -46,13 +52,24 @@ metadata: --- apiVersion: rbac.authorization.k8s.io/v1 +{{- if .Values.functions.rbac.limit_to_namespace }} +kind: RoleBinding +metadata: + name: "{{ template "pulsar.fullname" . }}-{{ .Values.functions.component }}-rolebinding" +{{- else}} kind: ClusterRoleBinding metadata: name: "{{ template "pulsar.fullname" . }}-{{ .Values.functions.component }}" +{{- end}} roleRef: apiGroup: rbac.authorization.k8s.io +{{- if .Values.functions.rbac.limit_to_namespace }} + kind: Role + name: "{{ template "pulsar.fullname" . }}-{{ .Values.functions.component }}-role" +{{- else}} kind: ClusterRole name: "{{ template "pulsar.fullname" . }}-{{ .Values.functions.component }}" +{{- end}} subjects: - kind: ServiceAccount name: "{{ template "pulsar.fullname" . }}-{{ .Values.functions.component }}" diff --git a/charts/pulsar/values.yaml b/charts/pulsar/values.yaml index 18e9677..a1d410a 100644 --- a/charts/pulsar/values.yaml +++ b/charts/pulsar/values.yaml @@ -792,6 +792,12 @@ broker: ## functions: component: functions-worker + ## Pulsar: Functions Worker ClusterRole or Role + ## templates/broker-rbac.yaml + # Default is false which deploys functions with ClusterRole and ClusterRoleBinding at the cluster level + # Set to true to deploy functions with Role and RoleBinding inside the specified namespace + rbac: + limit_to_namespace: false ## Pulsar: Proxy Cluster ## templates/proxy-statefulset.yaml
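Review bot: The `-role` name is spelled out twice, once in the Role's `metadata` in the first hunk and once in `roleRef` here, and the same flag is tested in three separate `if` blocks. If one copy is edited without the other, the binding will reference a Role that does not exist, and the functions worker loses its permissions with no render-time error. Defining the name once near the top of the template, e.g. `{{- $roleName := printf "%s-%s-role" (include "pulsar.fullname" .) .Values.functions.component }}`, and using `{{ $roleName }}` in both places removes that risk. The `subjects` entry continues outside the hunk, so its `namespace` could not be checked against the binding's.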
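Review bot: The added comment says the Role is created "inside the specified namespace", but neither this values block nor the template hunks specify one; going by the template, the objects land in the release namespace. The comment should also state what the default costs: with `false`, the functions worker service account holds its permissions in every namespace of the cluster. Suggested wording: `# Default is false (backwards compatible): ClusterRole and ClusterRoleBinding, permissions apply in every namespace` and `# Set to true for least privilege: Role and RoleBinding in the release namespace only`. The key is also snake_case while the template reads `.Values.extra.functionsAsPods`; `limitToNamespace` would match that style.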