From 4ac10b9876037d1a7dbb1c2b4c2ebb24ce8f8565 Mon Sep 17 00:00:00 2001
From: Jonathan Mosco
Date: Wed, 16 Oct 2024 17:03:06 -0400
Subject: [PATCH] change to using extraRules
---
 README.md | 11 +++++------
 charts/localstack/templates/role.yaml | 17 ++++++++++-------
 charts/localstack/values.yaml | 7 -------
 3 files changed, 15 insertions(+), 20 deletions(-)
diff --git a/README.md b/README.md
index b0fe4a9..15b5f40 100644
--- a/README.md
+++ b/README.md
@@ -103,15 +103,14 @@ The cluster contains several default security context constraints (SCCs). The av
 Example: - ```yaml role: create: true - -scc: - resourceNames: - - privileged - - hostnetwork + extraRoles: + - apiGroups: ["security.openshift.io"] + resources: ["securitycontextconstraints"] + resourceNames: ["anyuid"] + verbs: ["use"] ``` For a more comprehensive overview, see the official SCC documentation: [OpenShift SCCs](https://docs.openshift.com/container-platform/4.16/authentication/managing-security-context-constraints.html)
diff --git a/charts/localstack/templates/role.yaml b/charts/localstack/templates/role.yaml
index 6dc6157..507905c 100644
--- a/charts/localstack/templates/role.yaml
+++ b/charts/localstack/templates/role.yaml
@@ -19,12 +19,15 @@ rules:
 - apiGroups: [""]
   resources: ["services"]
   verbs: ["get", "list"]
-{{- if .Values.scc }}
-- apiGroups: ["security.openshift.io"]
-  resources: ["securitycontextconstraints"]
-  resourceNames:
-  {{- range .Values.scc.resourceNames }}
-  - {{ . | quote }}
-  verbs: ["use"]
+{{- if .Values.role.extraRoles }}
+  {{- range .Values.role.extraRoles }}
+- apiGroups: {{ toJson .apiGroups | nindent 2 }}
+  resources: {{ toJson .resources | nindent 2 }}
+  {{- if .resourceNames }}
+  resourceNames: {{ toJson .resourceNames | nindent 2 }}
+  {{- end }}
+  verbs: {{ toJson .verbs | nindent 2 }}
+  {{- end }}
 {{- end }}
 {{- end }}
+
diff --git a/charts/localstack/values.yaml b/charts/localstack/values.yaml
index f7b065d..8622b49 100644
--- a/charts/localstack/values.yaml
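Review bot: The new `range .Values.role.extraRoles` renders each entry verbatim with no validation, so an item that omits `apiGroups`, `resources` or `verbs` produces `null` for that key and is only rejected by the API server at install time; wrapping the mandatory lookups, e.g. `verbs: {{ required "role.extraRoles[].verbs is required" .verbs | toJson }}`, fails fast at template time with a clear message instead. Unlike the removed `scc` block, which could only grant `use` on `securitycontextconstraints`, this appends arbitrary RBAC to the chart's Role, and an entry without `resourceNames` applies its verbs to every object of that kind in the namespace; a comment above the `range`, such as `# extraRoles: arbitrary RBAC rules appended to this Role — review every override; omitting resourceNames grants the verbs on all objects of that resource`, would make that visible to anyone editing values, since values.yaml in this commit drops the `scc` example and adds no `extraRoles` default, leaving the README as the only documentation. Each entry is an RBAC rule rather than a role, and the commit subject already says `extraRules`, so the key name is worth reconciling before it ships. `toJson ... | nindent 2` places each flow value on the line after its key at the same column; Helm's libyaml-derived parser appears to accept this, but it is not strictly valid YAML and stricter linters may reject the rendered manifest, whereas inline `apiGroups: {{ toJson .apiGroups }}` is unambiguous. The `rules:` list and the outer `{{- if }}` closed by the final context `{{- end }}` begin before the hunk.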
+++ b/charts/localstack/values.yaml
@@ -45,13 +45,6 @@ role:
   # If not set and create is true, a name is generated using the fullname template
   name: ""
-## OpenShift Security Context Constraints. When set to 'true' it will add SecurityContextConstraings (SCC)
-## to the role
-scc:
-  resourceNames:
-  - anyuid
-  - nonroot
-
 podLabels: {}
 podAnnotations: {}