[COMMON][SA] Add default role creation to ServiceAccount

Adds an option "createDefaultRoles" to create roles instead
of using the roles-wrapper

Issue-ID: OOM-3233

Change-Id: I03eb95b641034637fa218010025b2c452aba09d1
Signed-off-by: Andreas Geissler <andreas-geissler@telekom.de>
diff --git a/kubernetes/common/serviceAccount/Chart.yaml b/kubernetes/common/serviceAccount/Chart.yaml
index f214dce..7afd31f 100644
--- a/kubernetes/common/serviceAccount/Chart.yaml
+++ b/kubernetes/common/serviceAccount/Chart.yaml
@@ -1,6 +1,7 @@
 # Copyright © 2017 Amdocs, Bell Canada
 # Modifications Copyright © 2021 Orange
 # Modifications Copyright © 2021 Nordix Foundation
+# Modifications Copyright © 2023 Deutsche Telekom AG
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -17,7 +18,7 @@
 apiVersion: v2
 description: Template used to create the right Service Accounts / Role / RoleBinding
 name: serviceAccount
-version: 13.0.0
+version: 13.0.1
 
 dependencies:
   - name: common
diff --git a/kubernetes/common/serviceAccount/templates/role-binding.yaml b/kubernetes/common/serviceAccount/templates/role-binding.yaml
index 7c272ae..11593cc 100644
--- a/kubernetes/common/serviceAccount/templates/role-binding.yaml
+++ b/kubernetes/common/serviceAccount/templates/role-binding.yaml
@@ -1,5 +1,6 @@
 {{/*
 # Copyright © 2020 Orange
+# Modifications Copyright © 2023 Deutsche Telekom AG
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -18,7 +19,7 @@
 {{- range $role_type := $dot.Values.roles }}
 {{/* retrieve the names for generic roles */}}
 {{ $name := printf "%s-%s" (include "common.release" $dot) $role_type }}
-{{- if not (has $role_type $dot.Values.defaultRoles) }}
+{{- if or (not (has $role_type $dot.Values.defaultRoles)) ($dot.Values.global.createDefaultRoles) ($dot.Values.createDefaultRoles) }}
 {{ $name = include "common.fullname" (dict "suffix" $role_type "dot" $dot ) }}
 {{- end }}
 ---
@@ -36,4 +37,3 @@
   name: {{ $name }}
   apiGroup: rbac.authorization.k8s.io
 {{- end }}
-
diff --git a/kubernetes/common/serviceAccount/templates/role.yaml b/kubernetes/common/serviceAccount/templates/role.yaml
index 2055885..1b686f5 100644
--- a/kubernetes/common/serviceAccount/templates/role.yaml
+++ b/kubernetes/common/serviceAccount/templates/role.yaml
@@ -1,5 +1,6 @@
 {{/*
 # Copyright © 2020 Orange
+# Modifications Copyright © 2023 Deutsche Telekom AG
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -37,5 +38,111 @@
   verbs:
   - create
 {{-     end }}
+{{-   else if or ($dot.Values.global.createDefaultRoles) ($dot.Values.createDefaultRoles) }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "common.fullname" (dict "suffix" $role_type "dot" $dot ) }}
+  namespace: {{ include "common.namespace" $dot }}
+rules:
+{{-     if eq $role_type "read" }}
+- apiGroups:
+  - "" # "" indicates the core API group
+  - apps
+  - batch
+  - extensions
+  resources:
+  - pods
+  - deployments
+  - deployments/status
+  - jobs
+  - jobs/status
+  - statefulsets
+  - replicasets
+  - replicasets/status
+  - daemonsets
+  verbs:
+  - get
+  - watch
+  - list
+{{-     else  }}
+{{-       if eq $role_type "create" }}
+- apiGroups:
+  - "" # "" indicates the core API group
+  - apps
+  - batch
+  - extensions
+  resources:
+  - pods
+  - deployments
+  - deployments/status
+  - jobs
+  - jobs/status
+  - statefulsets
+  - replicasets
+  - replicasets/status
+  - daemonsets
+  - secrets
+  - services
+  verbs:
+  - get
+  - watch
+  - list
+- apiGroups:
+  - "" # "" indicates the core API group
+  - apps
+  resources:
+  - statefulsets
+  - configmaps
+  verbs:
+  - patch
+- apiGroups:
+  - "" # "" indicates the core API group
+  - apps
+  resources:
+  - deployments
+  - secrets
+  - services
+  - pods
+  verbs:
+  - create
+- apiGroups:
+  - "" # "" indicates the core API group
+  - apps
+  resources:
+  - pods
+  - persistentvolumeclaims
+  - secrets
+  - deployments
+  - services
+  verbs:
+  - delete
+- apiGroups:
+  - "" # "" indicates the core API group
+  - apps
+  resources:
+  - pods/exec
+  verbs:
+  - create
+- apiGroups:
+  - cert-manager.io
+  resources:
+  - certificates
+  verbs:
+  - create
+  - delete
+{{-       else }}
+# if you don't match read or create, then you're not allowed to use API
+# except to see basic information about yourself
+- apiGroups:
+  - authorization.k8s.io
+  resources:
+  - selfsubjectaccessreviews
+  - selfsubjectrulesreviews
+  verbs:
+  - create
+{{-       end }}
+{{-     end }}
 {{-   end }}
 {{- end }}
diff --git a/kubernetes/common/serviceAccount/values.yaml b/kubernetes/common/serviceAccount/values.yaml
index 22faeb6..4c9f75f 100644
--- a/kubernetes/common/serviceAccount/values.yaml
+++ b/kubernetes/common/serviceAccount/values.yaml
@@ -1,4 +1,5 @@
 # Copyright © 2020 Samsung Electronics
+# Modifications Copyright © 2023 Deutsche Telekom AG
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -12,13 +13,21 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-# Default roles will be created by roles wrapper
-# It won't work if roles wrapper is disabled.
+# Global flag to enable the creation of default roles instead of using
+# common roles-wrapper
+global:
+  createDefaultRoles: false
+
+# Default roles will be created by roles wrapper,
+# if "createDefaultRoles=false"
 roles:
   - nothing
 # - read
 # - create
 
+# Flag to enable the creation of default roles instead of using
+# common roles-wrapper
+createDefaultRoles: false
 defaultRoles:
   - nothing
   - read