From 38900afada6cbc51e469d53fbf20ebba6f1cb07b Mon Sep 17 00:00:00 2001 From: Connor Given <47261237+congiv@users.noreply.github.com> Date: Tue, 26 Mar 2024 04:35:50 -0400 Subject: [PATCH] feat(argo-rollouts): add minimum RBAC for Gateway API (#2599) --- charts/argo-rollouts/Chart.yaml | 4 +-- charts/argo-rollouts/README.md | 1 + .../templates/controller/clusterrole.yaml | 27 +++++++++++++++ .../templates/controller/role.yaml | 33 +++++++++++++++++-- charts/argo-rollouts/values.yaml | 2 ++ 5 files changed, 62 insertions(+), 5 deletions(-) diff --git a/charts/argo-rollouts/Chart.yaml b/charts/argo-rollouts/Chart.yaml index 740aba28..307965b9 100644 --- a/charts/argo-rollouts/Chart.yaml +++ b/charts/argo-rollouts/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 appVersion: v1.6.6 description: A Helm chart for Argo Rollouts name: argo-rollouts -version: 2.35.0 +version: 2.35.1 home: https://github.com/argoproj/argo-helm icon: https://argoproj.github.io/argo-rollouts/assets/logo.png keywords: @@ -19,4 +19,4 @@ annotations: url: https://argoproj.github.io/argo-helm/pgp_keys.asc artifacthub.io/changes: | - kind: added - description: Added Deployment labels + description: Allow minimum set of RBAC rules for Gateway API resources diff --git a/charts/argo-rollouts/README.md b/charts/argo-rollouts/README.md index 0bd3560a..eb30e7ee 100644 --- a/charts/argo-rollouts/README.md +++ b/charts/argo-rollouts/README.md 
@@ -68,6 +68,7 @@ For full list of changes please check ArtifactHub [changelog]. | providerRBAC.providers.awsAppMesh | bool | `true` | Adds RBAC rules for the AWS App Mesh provider | | providerRBAC.providers.awsLoadBalancerController | bool | `true` | Adds RBAC rules for the AWS Load Balancer Controller provider | | providerRBAC.providers.contour | bool | `true` | Adds RBAC rules for the Contour provider, see `https://github.com/argoproj-labs/rollouts-plugin-trafficrouter-contour/blob/main/README.md` | +| providerRBAC.providers.gatewayAPI | bool | `true` | Adds RBAC rules for the Gateway API provider | | providerRBAC.providers.glooPlatform | bool | `true` | Adds RBAC rules for the Gloo Platform provider, see `https://github.com/argoproj-labs/rollouts-plugin-trafficrouter-glooplatform/blob/main/README.md` | | providerRBAC.providers.istio | bool | `true` | Adds RBAC rules for the Istio provider | | providerRBAC.providers.smi | bool | `true` | Adds RBAC rules for the SMI provider | diff --git a/charts/argo-rollouts/templates/controller/clusterrole.yaml b/charts/argo-rollouts/templates/controller/clusterrole.yaml index a60070b3..a80708b6 100644 --- a/charts/argo-rollouts/templates/controller/clusterrole.yaml +++ b/charts/argo-rollouts/templates/controller/clusterrole.yaml @@ -94,11 +94,22 @@ rules: - "" resources: - secrets + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: - configmaps verbs: - get - list - watch +{{- if .Values.providerRBAC.providers.gatewayAPI }} + - create + - update +{{- end }} # pod list/update needed for updating ephemeral data - apiGroups: - "" 
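Review bot: The `create` and `update` verbs added under the new `configmaps` rule in clusterrole.yaml apply to every ConfigMap the ClusterRole covers, not only the one the Gateway API plugin presumably writes to. The same block is repeated in the first role.yaml hunk, where it is namespace-scoped. Splitting `secrets` into its own read-only rule keeps the write verbs off Secrets, which is the right shape. If the plugin writes to a single, known ConfigMap, `update` could move to a separate rule limited with `resourceNames` (`create` cannot be restricted that way). A comment above the conditional such as `# configmap create/update needed by the Gateway API provider` would also record why the verbs are there; note that the rule's opening `- apiGroups:` line lies above the hunk.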
@@ -276,6 +287,22 @@ rules: verbs: - '*' {{- end }} +{{- if .Values.providerRBAC.providers.gatewayAPI }} + # Access needed when using the Gateway API provider +- apiGroups: + - gateway.networking.k8s.io + resources: + - httproutes + - tcproutes + - tlsroutes + - udproutes + - grpcroutes + verbs: + - get + - list + - watch + - update +{{- end }} {{- with .Values.providerRBAC.additionalRules }} {{ toYaml . }} {{- end }} diff --git a/charts/argo-rollouts/templates/controller/role.yaml b/charts/argo-rollouts/templates/controller/role.yaml index dc656cde..584587b9 100644 --- a/charts/argo-rollouts/templates/controller/role.yaml +++ b/charts/argo-rollouts/templates/controller/role.yaml @@ -95,11 +95,22 @@ rules: - "" resources: - secrets + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: - configmaps verbs: - get - list - watch +{{- if .Values.providerRBAC.providers.gatewayAPI }} + - create + - update +{{- end }} # pod list/update needed for updating ephemeral data - apiGroups: - "" @@ -259,11 +270,27 @@ rules: {{- if .Values.providerRBAC.providers.glooPlatform }} # Access needed when using the Gloo Platform provider - apiGroups: - - networking.gloo.solo.io + - networking.gloo.solo.io resources: - - routetables + - routetables verbs: - - '*' + - '*' +{{- end }} +{{- if .Values.providerRBAC.providers.gatewayAPI }} + # Access needed when using the Gateway API provider +- apiGroups: + - gateway.networking.k8s.io + resources: + - httproutes + - tcproutes + - tlsroutes + - udproutes + - grpcroutes + verbs: + - get + - list + - watch + - update {{- end }} {{- end }} {{- end }} diff --git a/charts/argo-rollouts/values.yaml b/charts/argo-rollouts/values.yaml index 9cc4042d..8f3f10b4 100644 --- a/charts/argo-rollouts/values.yaml +++ b/charts/argo-rollouts/values.yaml 
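Review bot: In the second role.yaml hunk the Gloo Platform rule (`- networking.gloo.solo.io`, `- routetables`, `- '*'`) is removed and re-added with identical text, which looks like an indentation-only change mixed into a permissions commit. In an RBAC template that noise makes it harder to confirm that no grant changed. It would be cleaner to leave those three items at their original indentation here, or re-indent role.yaml and clusterrole.yaml together in a separate commit. The new Gateway API rule lists explicit verbs, while the Gloo block next to it still grants `'*'` on `routetables`; narrowing that in a follow-up would fit the commit's stated aim of minimum RBAC.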
@@ -277,6 +277,8 @@ providerRBAC: contour: true # -- Adds RBAC rules for the Gloo Platform provider, see `https://github.com/argoproj-labs/rollouts-plugin-trafficrouter-glooplatform/blob/main/README.md` glooPlatform: true + # -- Adds RBAC rules for the Gateway API provider + gatewayAPI: true # -- Additional RBAC rules for others providers additionalRules: []
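Review bot: With `gatewayAPI: true` as the default, every install that upgrades to this chart version gains `create`/`update` on ConfigMaps and `update` on the Gateway API route kinds, whether or not the Gateway API plugin is in use. The values comment and the README row only say "Adds RBAC rules for the Gateway API provider", so the ConfigMap write access is not visible to someone reading values.yaml. I would spell it out, e.g. `# -- Adds RBAC rules for the Gateway API provider (route get/list/watch/update, plus create/update on configmaps)`. It is also worth weighing whether this provider should default to `false`, even though the other providers default to `true`.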