1 files changed, 60 insertions, 0 deletions

diff --git a/kubernetes/authentication/components/oauth2-proxy/templates/serviceaccount.yaml b/kubernetes/authentication/components/oauth2-proxy/templates/serviceaccount.yaml
new file mode 100644
index 0000000000..2a89c4b9e3
--- /dev/null
+++ b/kubernetes/authentication/components/oauth2-proxy/templates/serviceaccount.yaml
@@ -0,0 +1,60 @@
+{{- if or .Values.serviceAccount.enabled -}}
+{{- $fullName := include "oauth2-proxy.fullname" .  -}}
+{{- $saName := include "oauth2-proxy.serviceAccountName" . -}}
+{{- $name := include "oauth2-proxy.name" . -}}
+{{- $namespace := include "oauth2-proxy.namespace" $ -}}
+{{- $labels := include "oauth2-proxy.labels" . -}}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  labels:
+    app: {{ $name }}
+{{- $labels | indent 4 }}
+  name: {{ $saName }}
+  namespace: {{ $namespace }}
+automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
+{{- if and .Values.redis.enabled .Values.initContainers.waitForRedis.enabled }}
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ $fullName }}-watch-redis
+  namespace: {{ $namespace }}
+  labels:
+    app: {{ $name }}
+    {{- $labels | nindent 4 }}
+rules:
+- apiGroups:
+    - ""
+  resources:
+    - pods
+  resourceNames:
+    - "{{ include "oauth2-proxy.redis.fullname" . }}-master-0"
+  verbs:
+    - get
+    - list
+    - watch
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ $saName }}-watch-redis
+  namespace: {{ $namespace }}
+  labels:
+    app: {{ $name }}
+    {{- $labels | nindent 4 }}
+subjects:
+- kind: ServiceAccount
+  name: {{ $saName }}
+  apiGroup: ""
+roleRef:
+  kind: Role
+  name: {{ $fullName }}-watch-redis
+  apiGroup: ""
+{{- end -}}
+{{- end -}}