bug: Helm chart (v2.27 and up) inadvertently rendering roles and rolebindings although coder.serviceAccount.workspacePerms is set to false #20562
Description
Is there an existing issue for this?
- I have searched the existing issues
Current Behavior
Reported by customer on ticket 4568.
When deploying the chart with coder.serviceAccount.workspacePerms=false, the chart still renders and applies Role and RoleBinding resources related to workspace permissions. Prior to v2.27.0, setting this value to false prevented these RBAC objects from being rendered. The following PR seems to have been added in v2.27.0: #19517 - It was merged in the v2.27.0 release which aligns with the reproduction.
Relevant Log Output
Expected Behavior
If values.yaml sets:
coder:
serviceAccount:
workspacePerms: false
…then no Roles/RoleBindings associated with workspace permissions should be rendered or installed.
Steps to Reproduce
- Use Helm with chart v2.27.0 or newer.
- Render templates:
helm template coder coder-v2/coder \
--version 2.27.0 \
--namespace coder \
--set coder.serviceAccount.workspacePerms=false
- Observe that Role/RoleBinding manifests are present in the output:
---
# Source: coder/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: coder-workspace-perms
namespace: coder
rules:
- apiGroups:
- apps
resources:
- deployments
verbs:
- create
- delete
- deletecollection
- get
- list
- patch
- update
- watch
---
# Source: coder/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: "coder"
namespace: coder
subjects:
- kind: ServiceAccount
name: "coder"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: coder-workspace-perms
---
- Install and confirm RBAC objects are created:
helm install coder coder/coder --version 2.27.0 --namespace coder --create-namespace \
--set coder.serviceAccount.workspacePerms=false
kubectl get role,rolebinding -n coder
Environment
- Host OS: N/A
- Coder version: v2.27 and above
Additional Context
No response