@rowansmithau
Contributor

closes #20562.

When I added workspaceNamespaces, it caused an issue when workspacePerms is set to false, in that the Role & RoleBinding were still created.

Update with workspacePerms=false:

➜  coder git:(rowan/helm_rbac_fix) ✗ helm template coder . --version=2.27.2  --set coder.image.tag=v2.27.2 --set coder.serviceAccount.workspacePerms=false | grep -A11 -B46 RoleBinding
➜  coder git:(rowan/helm_rbac_fix) ✗ 

Update with workspacePerms=true:

➜  coder git:(rowan/helm_rbac_fix) ✗ helm template coder . --version=2.27.2  --set coder.image.tag=v2.27.2 --set coder.serviceAccount.workspacePerms=true | grep -A12 -B60 RoleBinding

# Source: coder/templates/coder.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  annotations: {}
  labels:
    app.kubernetes.io/instance: coder
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: coder
    app.kubernetes.io/part-of: coder
    app.kubernetes.io/version: 0.1.0
    helm.sh/chart: coder-0.1.0
  name: coder
  namespace: default
---
# Source: coder/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: coder-workspace-perms
  namespace: default
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs:
    - create
    - delete
    - deletecollection
    - get
    - list
    - patch
    - update
    - watch
  - apiGroups: [""]
    resources: ["persistentvolumeclaims"]
    verbs:
    - create
    - delete
    - deletecollection
    - get
    - list
    - patch
    - update
    - watch
  - apiGroups:
    - apps
    resources:
    - deployments
    verbs:
    - create
    - delete
    - deletecollection
    - get
    - list
    - patch
    - update
    - watch
---
# Source: coder/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: "coder"
  namespace: default
subjects:
  - kind: ServiceAccount
    name: "coder"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: coder-workspace-perms
---
# Source: coder/templates/service.yaml

Update with workspacePerms=false and workspaceNamespaces populated:

➜  coder git:(rowan/helm_rbac_fix) ✗ helm template coder . --version=2.27.2  --set coder.image.tag=v2.27.2 --set coder.serviceAccount.workspacePerms=false --set-json 'coder.serviceAccount.workspaceNamespaces=[{"name":"dev-ws","workspacePerms":true,"enableDeployments":true,"extraRules":[]}]' | grep -A15 -B105 RoleBinding
---
# Source: coder/templates/coder.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  annotations: {}
  labels:
    app.kubernetes.io/instance: coder
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: coder
    app.kubernetes.io/part-of: coder
    app.kubernetes.io/version: 0.1.0
    helm.sh/chart: coder-0.1.0
  name: coder
  namespace: default
---
# Source: coder/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: coder-workspace-perms
  namespace: dev-ws
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs:
    - create
    - delete
    - deletecollection
    - get
    - list
    - patch
    - update
    - watch
  - apiGroups: [""]
    resources: ["persistentvolumeclaims"]
    verbs:
    - create
    - delete
    - deletecollection
    - get
    - list
    - patch
    - update
    - watch
  - apiGroups:
    - apps
    resources:
    - deployments
    verbs:
    - create
    - delete
    - deletecollection
    - get
    - list
    - patch
    - update
    - watch
---
# Source: coder/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: "coder"
  namespace: dev-ws
subjects:
  - kind: ServiceAccount
    name: "coder"
    namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: coder-workspace-perms
---
# Source: coder/templates/service.yaml
apiVersion: v1
kind: Service

Update with workspacePerms=true and workspaceNamespaces populated:

➜  coder git:(rowan/helm_rbac_fix) ✗ helm template coder . --version=2.27.2  --set coder.image.tag=v2.27.2 --set coder.serviceAccount.workspacePerms=true --set-json 'coder.serviceAccount.workspaceNamespaces=[{"name":"dev-ws","workspacePerms":true,"enableDeployments":true,"extraRules":[]}]' | grep -A15 -B105 RoleBinding             
---
# Source: coder/templates/coder.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  annotations: {}
  labels:
    app.kubernetes.io/instance: coder
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: coder
    app.kubernetes.io/part-of: coder
    app.kubernetes.io/version: 0.1.0
    helm.sh/chart: coder-0.1.0
  name: coder
  namespace: default
---
# Source: coder/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: coder-workspace-perms
  namespace: default
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs:
    - create
    - delete
    - deletecollection
    - get
    - list
    - patch
    - update
    - watch
  - apiGroups: [""]
    resources: ["persistentvolumeclaims"]
    verbs:
    - create
    - delete
    - deletecollection
    - get
    - list
    - patch
    - update
    - watch
  - apiGroups:
    - apps
    resources:
    - deployments
    verbs:
    - create
    - delete
    - deletecollection
    - get
    - list
    - patch
    - update
    - watch
---
# Source: coder/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: coder-workspace-perms
  namespace: dev-ws
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs:
    - create
    - delete
    - deletecollection
    - get
    - list
    - patch
    - update
    - watch
  - apiGroups: [""]
    resources: ["persistentvolumeclaims"]
    verbs:
    - create
    - delete
    - deletecollection
    - get
    - list
    - patch
    - update
    - watch
  - apiGroups:
    - apps
    resources:
    - deployments
    verbs:
    - create
    - delete
    - deletecollection
    - get
    - list
    - patch
    - update
    - watch
---
# Source: coder/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: "coder"
  namespace: default
subjects:
  - kind: ServiceAccount
    name: "coder"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: coder-workspace-perms
---
# Source: coder/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: "coder"
  namespace: dev-ws
subjects:
  - kind: ServiceAccount
    name: "coder"
    namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: coder-workspace-perms
---
# Source: coder/templates/service.yaml
apiVersion: v1
kind: Service
➜  coder git:(rowan/helm_rbac_fix) ✗ 
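
The manual `grep` checks in the description above can be turned into a pass/fail check on where a rendering creates Role and RoleBinding objects. The following is an added example, not part of the PR or the chart: the function names `rbac_scopes`, `unexpected_rbac` and `sample_manifest` are hypothetical, and the embedded manifest is a constructed sample trimmed from the `workspacePerms=false` plus `dev-ws` output shown above.

```shell
# rbac_scopes: stdin = rendered manifests; prints "Kind/namespace" per RBAC object.
rbac_scopes() {
  awk '
    function flush() {
      if (kind ~ /^Role(Binding)?$/) print kind "/" (ns == "" ? "<none>" : ns)
      kind = ""; ns = ""; in_meta = 0
    }
    /^---/       { flush(); next }
    /^kind:/     { kind = $2; next }
    /^metadata:/ { in_meta = 1; next }
    /^[^ #]/     { in_meta = 0 }   # any other top-level key ends metadata
    in_meta && /^  namespace:/ { ns = $2 }
    END          { flush() }
  ' | LC_ALL=C sort -u
}

# unexpected_rbac NS...: print RBAC objects outside the allowed namespaces;
# exit status 1 if any were found.
unexpected_rbac() {
  allowed=" $* "
  found=$(rbac_scopes | while IFS= read -r line; do
    case "$allowed" in
      (*" ${line#*/} "*) ;;
      (*) printf '%s\n' "$line" ;;
    esac
  done)
  [ -z "$found" ] && return 0
  printf '%s\n' "$found"
  return 1
}

# Constructed sample, trimmed from the workspacePerms=false + dev-ws output.
sample_manifest() {
  cat <<'EOF'
---
kind: Role
metadata:
  name: coder-workspace-perms
  namespace: dev-ws
---
kind: RoleBinding
metadata:
  name: "coder"
  namespace: dev-ws
subjects:
  - kind: ServiceAccount
    name: "coder"
    namespace: default
EOF
}
```

Against the chart itself, pipe one of the `helm template` commands above into `unexpected_rbac` followed by the namespaces that rendering is expected to touch; with `workspacePerms=false` and no `workspaceNamespaces`, that list is empty.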

@rowansmithau rowansmithau self-assigned this Oct 30, 2025
@rowansmithau rowansmithau added the helm Area: helm chart label Oct 30, 2025
@rowansmithau rowansmithau changed the title from "bug: fix on Helm chart for workspacePerms=false incorrectly rendering RBAC when it should not" to "fix: fix incorrect rendering of RBAC in Helm chart when workspacePerms=false" Oct 30, 2025
@rowansmithau rowansmithau marked this pull request as ready for review October 30, 2025 01:11
@rowansmithau rowansmithau merged commit 30d2fc8 into main Oct 30, 2025
32 checks passed
@rowansmithau rowansmithau deleted the rowan/helm_rbac_fix branch October 30, 2025 18:22
@github-actions github-actions bot locked and limited conversation to collaborators Oct 30, 2025
@stirby stirby added the cherry-pick/v2.28 (Needs to be cherry-picked to the 2.28 release branch), helm (Area: helm chart) and cherry-pick/v2.27 (Items to be pulled in for the v2.27 release.) labels and removed the helm (Area: helm chart) label Oct 30, 2025
@david-fraley
Collaborator

/cherry-pick release/2.27

Labels

cherry-pick/v2.27 Items to be pulled in for the v2.27 release. cherry-pick/v2.28 Needs to be cherry-picked to the 2.28 release branch helm Area: helm chart

Development

Successfully merging this pull request may close these issues.

bug: Helm chart (v2.27 and up) inadvertently rendering roles and rolebindings although coder.serviceAccount.workspacePerms is set to false

5 participants