Added a general flag providerRBAC.enabled to toggle all of the providers

Signed-off-by: Richard Johansson <richard.jimmy.johansson@gmail.com>
2023-01-19 13:59:58 +01:00 · 2023-01-19 13:59:58 +01:00 · 30dcd535ad
commit 30dcd535ad
parent 83a4d3b400
4 changed files with 39 additions and 32 deletions
--- a/charts/argo-rollouts/README.md
+++ b/charts/argo-rollouts/README.md
@ -43,12 +43,6 @@ If dashboard is installed by `--set dashboard.enabled=true`, checkout the argo-r
 | clusterInstall | bool | `true` | `false` runs controller in namespaced mode (does not require cluster RBAC) |
 | crdAnnotations | object | `{}` | Annotations to be added to all CRDs |
 | createClusterAggregateRoles | bool | `true` | flag to enable creation of cluster aggregate roles (requires cluster RBAC) |
-| enabledProviders.ambassador | bool | `true` | Adds RBAC for the Ambassador provider |
-| enabledProviders.awsAppMesh | bool | `true` | Adds RBAC for the AWS App Mesh provider |
-| enabledProviders.awsLoadBalancerController | bool | `true` | Adds RBAC for the AWS Load Balancer Controller provider |
-| enabledProviders.istio | bool | `true` | Adds RBAC for the Istio provider |
-| enabledProviders.smi | bool | `true` | Adds RBAC for the SMI provider |
-| enabledProviders.traefik | bool | `true` | Adds RBAC for the Traefik provider |
 | extraObjects | list | `[]` | Additional manifests to deploy within the chart. A list of objects. |
 | fullnameOverride | string | `nil` | String to fully override "argo-rollouts.fullname" template |
 | imagePullSecrets | list | `[]` | Secrets with credentials to pull images from a private registry. Registry secret names as an array. |
@ -61,6 +55,13 @@ If dashboard is installed by `--set dashboard.enabled=true`, checkout the argo-r
 | notifications.secret.items | object | `{}` | Generic key:value pairs to be inserted into the notifications secret |
 | notifications.templates | object | `{}` | Notification templates |
 | notifications.triggers | object | `{}` | The trigger defines the condition when the notification should be sent |
+| providerRBAC.enabled | bool | `true` | Adds provider-specific RBAC rules to the controller Role and ClusterRole |
+| providerRBAC.providers.ambassador | bool | `true` | Adds RBAC rules for the Ambassador provider |
+| providerRBAC.providers.awsAppMesh | bool | `true` | Adds RBAC rules for the AWS App Mesh provider |
+| providerRBAC.providers.awsLoadBalancerController | bool | `true` | Adds RBAC rules for the AWS Load Balancer Controller provider |
+| providerRBAC.providers.istio | bool | `true` | Adds RBAC rules for the Istio provider |
+| providerRBAC.providers.smi | bool | `true` | Adds RBAC rules for the SMI provider |
+| providerRBAC.providers.traefik | bool | `true` | Adds RBAC rules for the Traefik provider |

 ### Controller

--- a/charts/argo-rollouts/templates/controller/clusterrole.yaml
+++ b/charts/argo-rollouts/templates/controller/clusterrole.yaml
@ -154,7 +154,8 @@ rules:
  - update
  - patch
  - delete
-{{- if .Values.enabledProviders.istio }}
+{{- if .Values.providerRBAC.enabled }}
+{{- if .Values.providerRBAC.providers.istio }}
 # virtualservice/destinationrule access needed for using the Istio provider
 - apiGroups:
  - networking.istio.io
@ -168,7 +169,7 @@ rules:
  - patch
  - list
 {{- end }}
-{{- if .Values.enabledProviders.smi }}
+{{- if .Values.providerRBAC.providers.smi }}
 # trafficsplit access needed for using the SMI provider
 - apiGroups:
  - split.smi-spec.io
@ -181,7 +182,7 @@ rules:
  - update
  - patch
 {{- end }}
-{{- if .Values.enabledProviders.ambassador }}
+{{- if .Values.providerRBAC.providers.ambassador }}
 # ambassador access needed for Ambassador provider
 - apiGroups:
  - getambassador.io
@ -197,7 +198,7 @@ rules:
  - list
  - delete
 {{- end }}
-{{- if .Values.enabledProviders.awsLoadBalancerController }}
+{{- if .Values.providerRBAC.providers.awsLoadBalancerController }}
 # Endpoints and TargetGroupBindings needed for ALB target group verification when using AWS Load Balancer Controller
 - apiGroups:
  - ""
@ -213,7 +214,7 @@ rules:
  - list
  - get
 {{- end }}
-{{- if .Values.enabledProviders.awsAppMesh }}
+{{- if .Values.providerRBAC.providers.awsAppMesh }}
 # AppMesh virtualservices/virtualrouter CRD read-only access needed for using the App Mesh provider
 - apiGroups:
  - appmesh.k8s.aws
@ -236,7 +237,7 @@ rules:
  - update
  - patch
 {{- end }}
-{{- if .Values.enabledProviders.traefik }}
+{{- if .Values.providerRBAC.providers.traefik }}
 # Traefik access needed when using the Traefik provider
 - apiGroups:
  - traefik.containo.us
@ -248,3 +249,4 @@ rules:
  - update
 {{- end }}
 {{- end }}
+{{- end }}
--- a/charts/argo-rollouts/templates/controller/role.yaml
+++ b/charts/argo-rollouts/templates/controller/role.yaml
@ -154,7 +154,8 @@ rules:
  - update
  - patch
  - delete
-{{- if .Values.enabledProviders.istio }}
+{{- if .Values.providerRBAC.enabled }}
+{{- if .Values.providerRBAC.providers.istio }}
 # virtualservice/destinationrule access needed for using the Istio provider
 - apiGroups:
  - networking.istio.io
@ -168,7 +169,7 @@ rules:
  - patch
  - list
 {{- end }}
-{{- if .Values.enabledProviders.smi }}
+{{- if .Values.providerRBAC.providers.smi }}
 # trafficsplit access needed for using the SMI provider
 - apiGroups:
  - split.smi-spec.io
@ -181,7 +182,7 @@ rules:
  - update
  - patch
 {{- end }}
-{{- if .Values.enabledProviders.ambassador }}
+{{- if .Values.providerRBAC.providers.ambassador }}
 # ambassador access needed for Ambassador provider
 - apiGroups:
  - getambassador.io
@ -197,7 +198,7 @@ rules:
  - list
  - delete
 {{- end }}
-{{- if .Values.enabledProviders.awsLoadBalancerController }}
+{{- if .Values.providerRBAC.providers.awsLoadBalancerController }}
 # Endpoints and TargetGroupBindings needed for ALB target group verification when using AWS Load Balancer Controller
 - apiGroups:
  - ""
@ -213,7 +214,7 @@ rules:
  - list
  - get
 {{- end }}
-{{- if .Values.enabledProviders.awsAppMesh }}
+{{- if .Values.providerRBAC.providers.awsAppMesh }}
 # AppMesh virtualservices/virtualrouter CRD read-only access needed for using the App Mesh provider
 - apiGroups:
  - appmesh.k8s.aws
@ -236,7 +237,7 @@ rules:
  - update
  - patch
 {{- end }}
-{{- if .Values.enabledProviders.traefik }}
+{{- if .Values.providerRBAC.providers.traefik }}
 # Traefik access needed when using the Traefik provider
 - apiGroups:
  - traefik.containo.us
@ -248,3 +249,4 @@ rules:
  - update
 {{- end }}
 {{- end }}
+{{- end }}
--- a/charts/argo-rollouts/values.yaml
+++ b/charts/argo-rollouts/values.yaml
@ -190,20 +190,22 @@ podLabels: {}
 imagePullSecrets: []
 # - name: argo-pull-secret

-## Adds provider-specific RBAC permissions to the controller role and cluster role
-enabledProviders:
-  # -- Adds RBAC for the Istio provider
-  istio: true
-  # -- Adds RBAC for the SMI provider
-  smi: true
-  # -- Adds RBAC for the Ambassador provider
-  ambassador: true
-  # -- Adds RBAC for the AWS Load Balancer Controller provider
-  awsLoadBalancerController: true
-  # -- Adds RBAC for the AWS App Mesh provider
-  awsAppMesh: true
-  # -- Adds RBAC for the Traefik provider
-  traefik: true
+providerRBAC:
+  # -- Adds provider-specific RBAC rules to the controller Role and ClusterRole
+  enabled: true
+  providers:
+    # -- Adds RBAC rules for the Istio provider
+    istio: true
+    # -- Adds RBAC rules for the SMI provider
+    smi: true
+    # -- Adds RBAC rules for the Ambassador provider
+    ambassador: true
+    # -- Adds RBAC rules for the AWS Load Balancer Controller provider
+    awsLoadBalancerController: true
+    # -- Adds RBAC rules for the AWS App Mesh provider
+    awsAppMesh: true
+    # -- Adds RBAC rules for the Traefik provider
+    traefik: true

 dashboard:
  # -- Deploy dashboard server