feat: support adding additional rules to the clusterrole

Author: malhussan

main.tf

@@ -15,13 +15,15 @@ resource "kubernetes_namespace" "meshcloud" {
 }
 
 module "meshcloud-service-account-meshfed-metering" {
-  count     = var.metering_enabled ? 1 : 0
-  source    = "./modules/meshcloud-service-account-meshfed-metering"
-  namespace = kubernetes_namespace.meshcloud.metadata.0.name
+  count            = var.metering_enabled ? 1 : 0
+  source           = "./modules/meshcloud-service-account-meshfed-metering"
+  namespace        = kubernetes_namespace.meshcloud.metadata.0.name
+  additional_rules = var.metering_additional_rules
 }
 
 module "meshcloud-service-account-meshfed-replicator" {
-  count     = var.replicator_enabled ? 1 : 0
-  source    = "./modules/meshcloud-service-account-meshfed-replicator"
-  namespace = kubernetes_namespace.meshcloud.metadata.0.name
+  count            = var.replicator_enabled ? 1 : 0
+  source           = "./modules/meshcloud-service-account-meshfed-replicator"
+  namespace        = kubernetes_namespace.meshcloud.metadata.0.name
+  additional_rules = var.replicator_additional_rules
 }

modules/meshcloud-service-account-meshfed-metering/module.tf

@@ -36,6 +36,18 @@ resource "kubernetes_cluster_role" "meshfed-metering" {
     resources  = ["pods", "persistentvolumeclaims"]
     verbs      = ["get", "list"]
   }
+
+  dynamic "rule" {
+    for_each = var.additional_rules
+    content {
+      api_groups        = rule.value.api_groups
+      resources         = rule.value.resources
+      verbs             = rule.value.verbs
+      resource_names    = rule.value.resource_names
+      non_resource_urls = rule.value.non_resource_urls
+    }
+  }
+
 }
 
 # meshfed_metering role binding

modules/meshcloud-service-account-meshfed-metering/variables.tf

@@ -1,3 +1,14 @@
 variable "namespace" {
   type = string
-}
+}
+
+variable "additional_rules" {
+  type = list(object({
+    api_groups        = list(string)
+    resources         = list(string)
+    verbs             = list(string)
+    resource_names    = optional(list(string))
+    non_resource_urls = optional(list(string))
+  }))
+  default = []
+}

modules/meshcloud-service-account-meshfed-replicator/module.tf

@@ -70,6 +70,17 @@ resource "kubernetes_cluster_role" "meshfed-service" {
     verbs          = ["bind"]
     resource_names = ["admin", "edit", "view"]
   }
+
+  dynamic "rule" {
+    for_each = var.additional_rules
+    content {
+      api_groups        = rule.value.api_groups
+      resources         = rule.value.resources
+      verbs             = rule.value.verbs
+      resource_names    = rule.value.resource_names
+      non_resource_urls = rule.value.non_resource_urls
+    }
+  }
 }
 
 # meshfed_service role binding

modules/meshcloud-service-account-meshfed-replicator/variables.tf

@@ -1,3 +1,14 @@
 variable "namespace" {
   type = string
-}
+}
+
+variable "additional_rules" {
+  type = list(object({
+    api_groups        = list(string)
+    resources         = list(string)
+    verbs             = list(string)
+    resource_names    = optional(list(string))
+    non_resource_urls = optional(list(string))
+  }))
+  default = []
+}

variables.tf

@@ -3,7 +3,29 @@ variable "metering_enabled" {
   default = true
 }
 
+variable "metering_additional_rules" {
+  type = list(object({
+    api_groups        = list(string)
+    resources         = list(string)
+    verbs             = list(string)
+    resource_names    = optional(list(string))
+    non_resource_urls = optional(list(string))
+  }))
+  default = []
+}
+
 variable "replicator_enabled" {
   type    = bool
   default = true
 }
+
+variable "replicator_additional_rules" {
+  type = list(object({
+    api_groups        = list(string)
+    resources         = list(string)
+    verbs             = list(string)
+    resource_names    = optional(list(string))
+    non_resource_urls = optional(list(string))
+  }))
+  default = []
+}