feat(argo-events): Add aggregate-roles (sync with upstream manifests) (#1143)

Signed-off-by: Marco Kilchhofer <mkilchhofer@users.noreply.github.com>

charts/argo-events/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v2
 description: A Helm chart to install Argo-Events in k8s Cluster
 name: argo-events
-version: 1.11.0
+version: 1.12.0
 keywords:
   - argo-events
   - sensor-controller
@@ -17,4 +17,4 @@ icon: https://argoproj.github.io/argo-events/assets/logo.png
 home: https://github.com/argoproj/argo-helm
 annotations:
   artifacthub.io/changes: |
-    - "[Changed]: Update to Argo Events 1.6.0"
+    - "[Added]: Add aggregate-roles (sync with upstream manifests)"

charts/argo-events/README.md

@@ -33,8 +33,11 @@ You can install the CRDs manually from `crds` folder.
 |-----|------|---------|-------------|
 | additionalSaNamespaces | list | `[]` | Create service accounts in additional namespaces specified The SA will always be created in the release namespaces |
 | additionalServiceAccountRules | list | (See [values.yaml]) | Additional rules |
+| createAggregateRoles | bool | `true` | Create clusterroles that extend existing clusterroles to interact with argo-events CRDs. Only applies for cluster-wide installation (`singleNamespace: true`) |
+| fullnameOverride | string | `""` | String to fully override "argo-events.fullname" template |
 | imagePullPolicy | string | `"Always"` | The image pull policy |
 | imagePullSecrets | list | `[]` | Secrets with credentials to pull images from a private registry |
+| nameOverride | string | `""` | String to partially override "argo-events.fullname" template |
 | registry | string | `"quay.io"` | docker registry |
 | securityContext | object | `{"runAsNonRoot":true,"runAsUser":9731}` | Common PodSecurityContext for all controllers |
 | serviceAccount | string | `"argo-events-sa"` | ServiceAccount to use for running controller. |

charts/argo-events/templates/_helpers.tpl

@@ -1,16 +1,26 @@
 {{/* vim: set filetype=mustache: */}}
+
 {{/*
 Expand the name of the chart.
 */}}
-{{- define "name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
+{{- define "argo-events.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
 
 {{/*
 Create a default fully qualified app name.
 We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
 */}}
-{{- define "fullname" -}}
-{{- $name := default .Chart.Name .Values.nameOverride -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
+{{- define "argo-events.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}

charts/argo-events/templates/aggregate-roles.yaml

@@ -0,0 +1,83 @@
+{{- if and .Values.createAggregateRoles (not .Values.singleNamespace) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+  name: {{ include "argo-events.fullname" . }}-aggregate-to-admin
+rules:
+  - apiGroups:
+      - argoproj.io
+    resources:
+      - sensors
+      - sensors/finalizers
+      - sensors/status
+      - eventsources
+      - eventsources/finalizers
+      - eventsources/status
+      - eventbus
+      - eventbus/finalizers
+      - eventbus/status
+    verbs:
+      - create
+      - delete
+      - deletecollection
+      - get
+      - list
+      - patch
+      - update
+      - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-edit: "true"
+  name: {{ include "argo-events.fullname" . }}-aggregate-to-edit
+rules:
+  - apiGroups:
+      - argoproj.io
+    resources:
+      - sensors
+      - sensors/finalizers
+      - sensors/status
+      - eventsources
+      - eventsources/finalizers
+      - eventsources/status
+      - eventbus
+      - eventbus/finalizers
+      - eventbus/status
+    verbs:
+      - create
+      - delete
+      - deletecollection
+      - get
+      - list
+      - patch
+      - update
+      - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-view: "true"
+  name: {{ include "argo-events.fullname" . }}-aggregate-to-view
+rules:
+  - apiGroups:
+      - argoproj.io
+    resources:
+      - sensors
+      - sensors/finalizers
+      - sensors/status
+      - eventsources
+      - eventsources/finalizers
+      - eventsources/status
+      - eventbus
+      - eventbus/finalizers
+      - eventbus/status
+    verbs:
+      - get
+      - list
+      - watch
+{{- end }}

charts/argo-events/values.yaml

@@ -1,3 +1,9 @@
+# -- String to partially override "argo-events.fullname" template
+nameOverride: ""
+
+# -- String to fully override "argo-events.fullname" template
+fullnameOverride: ""
+
 # -- docker registry
 registry: quay.io
 
@@ -36,6 +42,10 @@ additionalServiceAccountRules:
   resources:
     - customresourcedefinitions
 
+# -- Create clusterroles that extend existing clusterroles to interact with argo-events CRDs.
+# Only applies for cluster-wide installation (`singleNamespace: true`)
+createAggregateRoles: true
+
 # -- Whether to run in namespaced scope.
 # Set `singleNamespace` to false to have the controllers
 # listen on all namespaces.  Otherwise the controllers will listen