From 3f9515a1600124ef317109acb924d1a26fd4ac11 Mon Sep 17 00:00:00 2001
From: Stefan Reimer <stefan@zero-downtime.net>
Date: Mon, 18 May 2020 18:12:02 +0100
Subject: [PATCH] Add ServiceAccount and roles to allow namespace annotation

---
 charts/kubezero-kiam/Chart.yaml               |  2 +-
 .../kubezero-kiam/templates/postsync-ns.yaml  | 48 ++++++++++++++++++-
 2 files changed, 48 insertions(+), 2 deletions(-)

diff --git a/charts/kubezero-kiam/Chart.yaml b/charts/kubezero-kiam/Chart.yaml
index 5313592..2dceee6 100644
--- a/charts/kubezero-kiam/Chart.yaml
+++ b/charts/kubezero-kiam/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: kubezero-kiam
 description: KubeZero Umbrella Chart for Kiam
 type: application
-version: 0.2.1
+version: 0.2.2
 home: https://kubezero.com
 icon: https://cdn.zero-downtime.net/assets/logo_small.png
 keywords:
diff --git a/charts/kubezero-kiam/templates/postsync-ns.yaml b/charts/kubezero-kiam/templates/postsync-ns.yaml
index a8dbdcb..441c070 100644
--- a/charts/kubezero-kiam/templates/postsync-ns.yaml
+++ b/charts/kubezero-kiam/templates/postsync-ns.yaml
@@ -1,3 +1,49 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/name: {{ .name }}
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    app.kubernetes.io/part-of: kubezero
+  name: kiam-namespace-annotate
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/name: {{ .name }}
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    app.kubernetes.io/part-of: kubezero
+  name: kiam-namespace-annotate
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - namespaces
+    verbs:
+      - update
+      - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/name: {{ .name }}
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    app.kubernetes.io/part-of: kubezero
+  name: kiam-namespace-annotate
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: kiam-namespace-annotate
+subjects:
+  - kind: ServiceAccount
+    name: kiam-namespace-annotate
+    namespace: kube-system
+---
 apiVersion: batch/v1
 kind: Job
 metadata:
@@ -14,7 +60,7 @@ metadata:
 spec:
   template:
     spec:
-      serviceAccountName: default
+      serviceAccountName: kiam-namespace-annotate
       containers:
         - name: kubectl
           image: "bitnami/kubectl:latest"