feat(argo-rollouts): add minimum RBAC for Gateway API (#2599)

charts/argo-rollouts/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 appVersion: v1.6.6
 description: A Helm chart for Argo Rollouts
 name: argo-rollouts
-version: 2.35.0
+version: 2.35.1
 home: https://github.com/argoproj/argo-helm
 icon: https://argoproj.github.io/argo-rollouts/assets/logo.png
 keywords:
@@ -19,4 +19,4 @@ annotations:
     url: https://argoproj.github.io/argo-helm/pgp_keys.asc
   artifacthub.io/changes: |
     - kind: added
-      description: Added Deployment labels
+      description: Allow minimum set of RBAC rules for Gateway API resources

charts/argo-rollouts/README.md

@@ -68,6 +68,7 @@ For full list of changes please check ArtifactHub [changelog].
 | providerRBAC.providers.awsAppMesh | bool | `true` | Adds RBAC rules for the AWS App Mesh provider |
 | providerRBAC.providers.awsLoadBalancerController | bool | `true` | Adds RBAC rules for the AWS Load Balancer Controller provider |
 | providerRBAC.providers.contour | bool | `true` | Adds RBAC rules for the Contour provider, see `https://github.com/argoproj-labs/rollouts-plugin-trafficrouter-contour/blob/main/README.md` |
+| providerRBAC.providers.gatewayAPI | bool | `true` | Adds RBAC rules for the Gateway API provider |
 | providerRBAC.providers.glooPlatform | bool | `true` | Adds RBAC rules for the Gloo Platform provider, see `https://github.com/argoproj-labs/rollouts-plugin-trafficrouter-glooplatform/blob/main/README.md` |
 | providerRBAC.providers.istio | bool | `true` | Adds RBAC rules for the Istio provider |
 | providerRBAC.providers.smi | bool | `true` | Adds RBAC rules for the SMI provider |

charts/argo-rollouts/templates/controller/clusterrole.yaml

@@ -94,11 +94,22 @@ rules:
   - ""
   resources:
   - secrets
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
   - configmaps
   verbs:
   - get
   - list
   - watch
+{{- if .Values.providerRBAC.providers.gatewayAPI }}
+  - create
+  - update
+{{- end }}  
 # pod list/update needed for updating ephemeral data
 - apiGroups:
   - ""
@@ -276,6 +287,22 @@ rules:
   verbs:
   - '*'
 {{- end }}
+{{- if .Values.providerRBAC.providers.gatewayAPI }}
+  # Access needed when using the Gateway API provider
+- apiGroups:
+  - gateway.networking.k8s.io
+  resources:
+  - httproutes
+  - tcproutes
+  - tlsroutes
+  - udproutes
+  - grpcroutes
+  verbs:
+  - get
+  - list
+  - watch
+  - update
+{{- end }}
 {{- with .Values.providerRBAC.additionalRules }}
 {{ toYaml .  }}
 {{- end }}

charts/argo-rollouts/templates/controller/role.yaml

@@ -95,11 +95,22 @@ rules:
   - ""
   resources:
   - secrets
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
   - configmaps
   verbs:
   - get
   - list
   - watch
+{{- if .Values.providerRBAC.providers.gatewayAPI }}
+  - create
+  - update
+{{- end }}  
 # pod list/update needed for updating ephemeral data
 - apiGroups:
   - ""
@@ -259,11 +270,27 @@ rules:
 {{- if .Values.providerRBAC.providers.glooPlatform }}
   # Access needed when using the Gloo Platform provider
 - apiGroups:
-    - networking.gloo.solo.io
+  - networking.gloo.solo.io
   resources:
-    - routetables
+  - routetables
   verbs:
-    - '*'
+  - '*'
+{{- end }}
+{{- if .Values.providerRBAC.providers.gatewayAPI }}
+  # Access needed when using the Gateway API provider
+- apiGroups:
+  - gateway.networking.k8s.io
+  resources:
+  - httproutes
+  - tcproutes
+  - tlsroutes
+  - udproutes
+  - grpcroutes
+  verbs:
+  - get
+  - list
+  - watch
+  - update
 {{- end }}
 {{- end }}
 {{- end }}

charts/argo-rollouts/values.yaml

@@ -277,6 +277,8 @@ providerRBAC:
     contour: true
     # -- Adds RBAC rules for the Gloo Platform provider, see `https://github.com/argoproj-labs/rollouts-plugin-trafficrouter-glooplatform/blob/main/README.md`
     glooPlatform: true
+    # -- Adds RBAC rules for the Gateway API provider
+    gatewayAPI: true
   # -- Additional RBAC rules for others providers
   additionalRules: []