diff --git a/charts/argo-rollouts/README.md b/charts/argo-rollouts/README.md
index d37ba7b2..8b8c4f3e 100644
--- a/charts/argo-rollouts/README.md
+++ b/charts/argo-rollouts/README.md
@@ -43,12 +43,6 @@ If dashboard is installed by `--set dashboard.enabled=true`, checkout the argo-r
 | clusterInstall | bool | `true` | `false` runs controller in namespaced mode (does not require cluster RBAC) |
 | crdAnnotations | object | `{}` | Annotations to be added to all CRDs |
 | createClusterAggregateRoles | bool | `true` | flag to enable creation of cluster aggregate roles (requires cluster RBAC) |
-| enabledProviders.ambassador | bool | `true` | Adds RBAC for the Ambassador provider |
-| enabledProviders.awsAppMesh | bool | `true` | Adds RBAC for the AWS App Mesh provider |
-| enabledProviders.awsLoadBalancerController | bool | `true` | Adds RBAC for the AWS Load Balancer Controller provider |
-| enabledProviders.istio | bool | `true` | Adds RBAC for the Istio provider |
-| enabledProviders.smi | bool | `true` | Adds RBAC for the SMI provider |
-| enabledProviders.traefik | bool | `true` | Adds RBAC for the Traefik provider |
 | extraObjects | list | `[]` | Additional manifests to deploy within the chart. A list of objects. |
 | fullnameOverride | string | `nil` | String to fully override "argo-rollouts.fullname" template |
 | imagePullSecrets | list | `[]` | Secrets with credentials to pull images from a private registry. Registry secret names as an array. |
@@ -61,6 +55,13 @@ If dashboard is installed by `--set dashboard.enabled=true`, checkout the argo-r
 | notifications.secret.items | object | `{}` | Generic key:value pairs to be inserted into the notifications secret |
 | notifications.templates | object | `{}` | Notification templates |
 | notifications.triggers | object | `{}` | The trigger defines the condition when the notification should be sent |
+| providerRBAC.enabled | bool | `true` | Adds provider-specific RBAC rules to the controller Role and ClusterRole |
+| providerRBAC.providers.ambassador | bool | `true` | Adds RBAC rules for the Ambassador provider |
+| providerRBAC.providers.awsAppMesh | bool | `true` | Adds RBAC rules for the AWS App Mesh provider |
+| providerRBAC.providers.awsLoadBalancerController | bool | `true` | Adds RBAC rules for the AWS Load Balancer Controller provider |
+| providerRBAC.providers.istio | bool | `true` | Adds RBAC rules for the Istio provider |
+| providerRBAC.providers.smi | bool | `true` | Adds RBAC rules for the SMI provider |
+| providerRBAC.providers.traefik | bool | `true` | Adds RBAC rules for the Traefik provider |
 ### Controller
diff --git a/charts/argo-rollouts/templates/controller/clusterrole.yaml b/charts/argo-rollouts/templates/controller/clusterrole.yaml
index 453f0dab..7564067a 100644
--- a/charts/argo-rollouts/templates/controller/clusterrole.yaml
+++ b/charts/argo-rollouts/templates/controller/clusterrole.yaml
@@ -154,7 +154,8 @@ rules:
 - update
 - patch
 - delete
-{{- if .Values.enabledProviders.istio }}
+{{- if .Values.providerRBAC.enabled }}
+{{- if .Values.providerRBAC.providers.istio }}
 # virtualservice/destinationrule access needed for using the Istio provider
 - apiGroups:
 - networking.istio.io
@@ -168,7 +169,7 @@ rules:
 - patch
 - list
 {{- end }}
-{{- if .Values.enabledProviders.smi }}
+{{- if .Values.providerRBAC.providers.smi }}
 # trafficsplit access needed for using the SMI provider
 - apiGroups:
 - split.smi-spec.io
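Review bot: Switching the gate from `.Values.enabledProviders.istio` to `.Values.providerRBAC.providers.istio` (and likewise for smi here, and for the remaining providers in the later clusterrole.yaml and role.yaml hunks) means an existing override such as `enabledProviders.istio: false` is no longer read by these templates. On upgrade the new keys fall back to their `true` defaults, so the controller's ClusterRole/Role would regain provider rules an operator had deliberately removed, with no warning. Nothing in the visible hunks detects the old key; consider aborting the render while it is still set, e.g. `{{- if .Values.enabledProviders }}{{- fail "enabledProviders was renamed to providerRBAC.providers" }}{{- end }}`, or honouring the old key for one release. The `rules:` list starts and ends outside these hunks.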
@@ -181,7 +182,7 @@ rules:
 - update
 - patch
 {{- end }}
-{{- if .Values.enabledProviders.ambassador }}
+{{- if .Values.providerRBAC.providers.ambassador }}
 # ambassador access needed for Ambassador provider
 - apiGroups:
 - getambassador.io
@@ -197,7 +198,7 @@ rules:
 - list
 - delete
 {{- end }}
-{{- if .Values.enabledProviders.awsLoadBalancerController }}
+{{- if .Values.providerRBAC.providers.awsLoadBalancerController }}
 # Endpoints and TargetGroupBindings needed for ALB target group verification when using AWS Load Balancer Controller
 - apiGroups:
 - ""
@@ -213,7 +214,7 @@ rules:
 - list
 - get
 {{- end }}
-{{- if .Values.enabledProviders.awsAppMesh }}
+{{- if .Values.providerRBAC.providers.awsAppMesh }}
 # AppMesh virtualservices/virtualrouter CRD read-only access needed for using the App Mesh provider
 - apiGroups:
 - appmesh.k8s.aws
@@ -236,7 +237,7 @@ rules:
 - update
 - patch
 {{- end }}
-{{- if .Values.enabledProviders.traefik }}
+{{- if .Values.providerRBAC.providers.traefik }}
 # Traefik access needed when using the Traefik provider
 - apiGroups:
 - traefik.containo.us
@@ -248,3 +249,4 @@ rules:
 - update
 {{- end }}
 {{- end }}
+{{- end }}
diff --git a/charts/argo-rollouts/templates/controller/role.yaml b/charts/argo-rollouts/templates/controller/role.yaml
index 10092cce..6c1fd203 100644
--- a/charts/argo-rollouts/templates/controller/role.yaml
+++ b/charts/argo-rollouts/templates/controller/role.yaml
@@ -154,7 +154,8 @@ rules:
 - update
 - patch
 - delete
-{{- if .Values.enabledProviders.istio }}
+{{- if .Values.providerRBAC.enabled }}
+{{- if .Values.providerRBAC.providers.istio }}
 # virtualservice/destinationrule access needed for using the Istio provider
 - apiGroups:
 - networking.istio.io
@@ -168,7 +169,7 @@ rules:
 - patch
 - list
 {{- end }}
-{{- if .Values.enabledProviders.smi }}
+{{- if .Values.providerRBAC.providers.smi }}
 # trafficsplit access needed for using the SMI provider
 - apiGroups:
 - split.smi-spec.io
@@ -181,7 +182,7 @@ rules:
 - update
 - patch
 {{- end }}
-{{- if .Values.enabledProviders.ambassador }}
+{{- if .Values.providerRBAC.providers.ambassador }}
 # ambassador access needed for Ambassador provider
 - apiGroups:
 - getambassador.io
@@ -197,7 +198,7 @@ rules:
 - list
 - delete
 {{- end }}
-{{- if .Values.enabledProviders.awsLoadBalancerController }}
+{{- if .Values.providerRBAC.providers.awsLoadBalancerController }}
 # Endpoints and TargetGroupBindings needed for ALB target group verification when using AWS Load Balancer Controller
 - apiGroups:
 - ""
@@ -213,7 +214,7 @@ rules:
 - list
 - get
 {{- end }}
-{{- if .Values.enabledProviders.awsAppMesh }}
+{{- if .Values.providerRBAC.providers.awsAppMesh }}
 # AppMesh virtualservices/virtualrouter CRD read-only access needed for using the App Mesh provider
 - apiGroups:
 - appmesh.k8s.aws
@@ -236,7 +237,7 @@ rules:
 - update
 - patch
 {{- end }}
-{{- if .Values.enabledProviders.traefik }}
+{{- if .Values.providerRBAC.providers.traefik }}
 # Traefik access needed when using the Traefik provider
 - apiGroups:
 - traefik.containo.us
@@ -248,3 +249,4 @@ rules:
 - update
 {{- end }}
 {{- end }}
+{{- end }}
diff --git a/charts/argo-rollouts/values.yaml b/charts/argo-rollouts/values.yaml
index ec76486d..f0c12dda 100644
--- a/charts/argo-rollouts/values.yaml
+++ b/charts/argo-rollouts/values.yaml
@@ -190,20 +190,22 @@ podLabels: {}
 imagePullSecrets: []
 # - name: argo-pull-secret
-## Adds provider-specific RBAC permissions to the controller role and cluster role
-enabledProviders:
- # -- Adds RBAC for the Istio provider
- istio: true
- # -- Adds RBAC for the SMI provider
- smi: true
- # -- Adds RBAC for the Ambassador provider
- ambassador: true
- # -- Adds RBAC for the AWS Load Balancer Controller provider
- awsLoadBalancerController: true
- # -- Adds RBAC for the AWS App Mesh provider
- awsAppMesh: true
- # -- Adds RBAC for the Traefik provider
- traefik: true
+providerRBAC:
+ # -- Adds provider-specific RBAC rules to the controller Role and ClusterRole
+ enabled: true
+ providers:
+ # -- Adds RBAC rules for the Istio provider
+ istio: true
+ # -- Adds RBAC rules for the SMI provider
+ smi: true
+ # -- Adds RBAC rules for the Ambassador provider
+ ambassador: true
+ # -- Adds RBAC rules for the AWS Load Balancer Controller provider
+ awsLoadBalancerController: true
+ # -- Adds RBAC rules for the AWS App Mesh provider
+ awsAppMesh: true
+ # -- Adds RBAC rules for the Traefik provider
+ traefik: true
 dashboard:
 # -- Deploy dashboard server
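Review bot: The comment on `providerRBAC.enabled` does not say that it overrides the per-provider flags. In the clusterrole.yaml and role.yaml templates of this commit the `providerRBAC.enabled` check wraps every `providerRBAC.providers.*` check, so `enabled: false` drops all provider rules whatever those values are. I would spell that out, e.g. `# -- Adds provider-specific RBAC rules to the controller Role and ClusterRole; when false, all providerRBAC.providers.* flags are ignored`. Every provider still defaults to `true`, so a short remark that unused providers can be set to `false` to keep the controller's permissions minimal would help operators aiming for least privilege.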