From 498b5d68f65eb5af6d4d082bd33ea4faa8266ce4 Mon Sep 17 00:00:00 2001
From: 3u13r
Date: Thu, 19 Oct 2023 10:57:59 +0200
Subject: [PATCH] helm: add gcp ccm permissions for internal LBs (#2474)
* helm: add gcp ccm permissions
---
 cli/internal/helm/BUILD.bazel | 1 +
 .../ccm/templates/gcp-clusterrolebinding.yaml | 14 ++++++++++++++
 .../ccm/templates/gcp-clusterrolebinding.yaml | 12 ++++++++++++
 3 files changed, 27 insertions(+)
 create mode 100644 cli/internal/helm/charts/edgeless/constellation-services/charts/ccm/templates/gcp-clusterrolebinding.yaml
 create mode 100644 cli/internal/helm/testdata/GCP/constellation-services/charts/ccm/templates/gcp-clusterrolebinding.yaml
diff --git a/cli/internal/helm/BUILD.bazel b/cli/internal/helm/BUILD.bazel
index c70f184306..323b1760f6 100644
--- a/cli/internal/helm/BUILD.bazel
+++ b/cli/internal/helm/BUILD.bazel
@@ -411,6 +411,7 @@ go_library(
 "charts/edgeless/csi/charts/aws-csi-driver/templates/storageclass_integrity.yaml",
 "charts/edgeless/csi/charts/aws-csi-driver/templates/volumesnapshotclass.yaml",
 "charts/edgeless/csi/charts/aws-csi-driver/values.yaml",
+ "charts/edgeless/constellation-services/charts/ccm/templates/gcp-clusterrolebinding.yaml",
 ],
 importpath = "github.com/edgelesssys/constellation/v2/cli/internal/helm",
 visibility = ["//cli:__subpackages__"],
diff --git a/cli/internal/helm/charts/edgeless/constellation-services/charts/ccm/templates/gcp-clusterrolebinding.yaml b/cli/internal/helm/charts/edgeless/constellation-services/charts/ccm/templates/gcp-clusterrolebinding.yaml
new file mode 100644
index 0000000000..ce516ba283
--- /dev/null
+++ b/cli/internal/helm/charts/edgeless/constellation-services/charts/ccm/templates/gcp-clusterrolebinding.yaml
@@ -0,0 +1,14 @@
+{{- if eq .Values.csp "GCP" -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: system:cloud-provider
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-admin
+subjects:
+ - kind: ServiceAccount
+ name: cloud-provider
+ namespace: {{ .Release.Namespace }}
+{{- end -}}
diff --git a/cli/internal/helm/testdata/GCP/constellation-services/charts/ccm/templates/gcp-clusterrolebinding.yaml b/cli/internal/helm/testdata/GCP/constellation-services/charts/ccm/templates/gcp-clusterrolebinding.yaml
new file mode 100644
index 0000000000..f54d4c8706
--- /dev/null
+++ b/cli/internal/helm/testdata/GCP/constellation-services/charts/ccm/templates/gcp-clusterrolebinding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: system:cloud-provider
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-admin
+subjects:
+ - kind: ServiceAccount
+ name: cloud-provider
+ namespace: testNamespace
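Review bot: The `roleRef` in the new chart template `gcp-clusterrolebinding.yaml` binds the `cloud-provider` ServiceAccount to `cluster-admin`, which is far broader than the internal load balancer permissions the commit subject describes. With this binding, anything that runs as that ServiceAccount in the release namespace holds full control of the cluster, including reading every Secret and changing RBAC, so a compromise of the cloud controller manager becomes a compromise of the whole cluster. I would ship a dedicated ClusterRole in the same template that lists only the resources and verbs the GCP CCM was actually denied (taken from the API server's authorization failures), and point the binding at it, e.g. `name: <scoped-ccm-clusterrole>` (placeholder name). The testdata copy in the following hunk carries the same `name: cluster-admin` line and would need the matching change. If `cluster-admin` has to stay for now, a template comment such as `# TODO: replace cluster-admin with a least-privilege ClusterRole for the GCP CCM` would record that the scope is intentional and temporary.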