From 4dd31571b3ce2d90bd3598ca020e70cd887c6d23 Mon Sep 17 00:00:00 2001 From: Richard Johansson Date: Fri, 20 Jan 2023 17:41:52 +0100 Subject: [PATCH] feat(argo-rollouts): Added flags to toggle provider-specific RBAC (#1777) * Toggle for provider-specific RBAC + Added missing RBAC rules Signed-off-by: Richard Johansson * Updated docs with new Helm values Signed-off-by: Richard Johansson * Added a general flag providerRBAC.enabled to toggle all of the providers Signed-off-by: Richard Johansson * Aligned with main Signed-off-by: Richard Johansson * Corrected inline comments Signed-off-by: Richard Johansson * Fixed incorrect inline comments Signed-off-by: Richard Johansson Signed-off-by: Richard Johansson --- charts/argo-rollouts/Chart.yaml | 4 ++-- charts/argo-rollouts/README.md | 8 ++++++++ .../templates/controller/clusterrole.yaml | 20 ++++++++++++++++++- .../templates/controller/role.yaml | 20 ++++++++++++++++++- charts/argo-rollouts/values.yaml | 20 +++++++++++++++++++ 5 files changed, 68 insertions(+), 4 deletions(-) diff --git a/charts/argo-rollouts/Chart.yaml b/charts/argo-rollouts/Chart.yaml index 89ff80ef..a9968a4f 100644 --- a/charts/argo-rollouts/Chart.yaml +++ b/charts/argo-rollouts/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 appVersion: v1.4.0 description: A Helm chart for Argo Rollouts name: argo-rollouts -version: 2.22.0 +version: 2.22.1 home: https://github.com/argoproj/argo-helm icon: https://argoproj.github.io/argo-rollouts/assets/logo.png keywords: @@ -15,4 +15,4 @@ maintainers: url: https://argoproj.github.io/ annotations: artifacthub.io/changes: | - - "[Changed]: Upgrade ArgoRollouts to v1.4.0" + - "[Added]: Flags to toggle provider-specific RBAC rules in Role and ClusterRole" diff --git a/charts/argo-rollouts/README.md b/charts/argo-rollouts/README.md index 43f68a05..73581f4e 100644 --- a/charts/argo-rollouts/README.md +++ b/charts/argo-rollouts/README.md @@ -55,6 +55,14 @@ If dashboard is installed by `--set dashboard.enabled=true`, checkout the argo-r | notifications.secret.items | object | `{}` | Generic key:value pairs to be inserted into the notifications secret | | notifications.templates | object | `{}` | Notification templates | | notifications.triggers | object | `{}` | The trigger defines the condition when the notification should be sent | +| providerRBAC.enabled | bool | `true` | Toggles addition of provider-specific RBAC rules to the controller Role and ClusterRole | +| providerRBAC.providers.ambassador | bool | `true` | Adds RBAC rules for the Ambassador provider | +| providerRBAC.providers.apisix | bool | `true` | Adds RBAC rules for the Apisix provider | +| providerRBAC.providers.awsAppMesh | bool | `true` | Adds RBAC rules for the AWS App Mesh provider | +| providerRBAC.providers.awsLoadBalancerController | bool | `true` | Adds RBAC rules for the AWS Load Balancer Controller provider | +| providerRBAC.providers.istio | bool | `true` | Adds RBAC rules for the Istio provider | +| providerRBAC.providers.smi | bool | `true` | Adds RBAC rules for the SMI provider | +| providerRBAC.providers.traefik | bool | `true` | Adds RBAC rules for the Traefik provider | ### Controller diff --git a/charts/argo-rollouts/templates/controller/clusterrole.yaml b/charts/argo-rollouts/templates/controller/clusterrole.yaml index eaaadd24..964daed3 100644 --- a/charts/argo-rollouts/templates/controller/clusterrole.yaml +++ b/charts/argo-rollouts/templates/controller/clusterrole.yaml @@ -149,6 +149,8 @@ rules: - update - patch - delete +{{- if .Values.providerRBAC.enabled }} +{{- if .Values.providerRBAC.providers.istio }} # virtualservice/destinationrule access needed for using the Istio provider - apiGroups: - networking.istio.io @@ -161,6 +163,8 @@ rules: - update - patch - list +{{- end }} +{{- if .Values.providerRBAC.providers.smi }} # trafficsplit access needed for using the SMI provider - apiGroups: - split.smi-spec.io @@ -172,6 +176,8 @@ rules: - get - update - patch +{{- end }} +{{- if .Values.providerRBAC.providers.ambassador }} # ambassador access needed for Ambassador provider - apiGroups: - getambassador.io @@ -186,7 +192,9 @@ rules: - update - list - delete -# Endpoints and TargetGroupBindings needed for ALB target group verification +{{- end }} +{{- if .Values.providerRBAC.providers.awsLoadBalancerController }} +# Endpoints and TargetGroupBindings needed for ALB target group verification when using AWS Load Balancer Controller - apiGroups: - "" resources: @@ -200,6 +208,8 @@ rules: verbs: - list - get +{{- end }} +{{- if .Values.providerRBAC.providers.awsAppMesh }} # AppMesh virtualservices/virtualrouter CRD read-only access needed for using the App Mesh provider - apiGroups: - appmesh.k8s.aws @@ -221,6 +231,9 @@ rules: - list - update - patch +{{- end }} +{{- if .Values.providerRBAC.providers.traefik }} +# Traefik access needed when using the Traefik provider - apiGroups: - traefik.containo.us resources: @@ -229,6 +242,9 @@ rules: - watch - get - update +{{- end }} +{{- if .Values.providerRBAC.providers.apisix }} +# Access needed when using the Apisix provider - apiGroups: - apisix.apache.org resources: @@ -238,3 +254,5 @@ rules: - get - update {{- end }} +{{- end }} +{{- end }} diff --git a/charts/argo-rollouts/templates/controller/role.yaml b/charts/argo-rollouts/templates/controller/role.yaml index 8c7aa9d4..72ebdbc9 100644 --- a/charts/argo-rollouts/templates/controller/role.yaml +++ b/charts/argo-rollouts/templates/controller/role.yaml @@ -149,6 +149,8 @@ rules: - update - patch - delete +{{- if .Values.providerRBAC.enabled }} +{{- if .Values.providerRBAC.providers.istio }} # virtualservice/destinationrule access needed for using the Istio provider - apiGroups: - networking.istio.io @@ -161,6 +163,8 @@ rules: - update - patch - list +{{- end }} +{{- if .Values.providerRBAC.providers.smi }} # trafficsplit access needed for using the SMI provider - apiGroups: - split.smi-spec.io @@ -172,6 +176,8 @@ rules: - get - update - patch +{{- end }} +{{- if .Values.providerRBAC.providers.ambassador }} # ambassador access needed for Ambassador provider - apiGroups: - getambassador.io @@ -186,7 +192,9 @@ rules: - update - list - delete -# Endpoints and TargetGroupBindings needed for ALB target group verification +{{- end }} +{{- if .Values.providerRBAC.providers.awsLoadBalancerController }} +# Endpoints and TargetGroupBindings needed for ALB target group verification when using AWS Load Balancer Controller - apiGroups: - "" resources: @@ -200,6 +208,8 @@ rules: verbs: - list - get +{{- end }} +{{- if .Values.providerRBAC.providers.awsAppMesh }} # AppMesh virtualservices/virtualrouter CRD read-only access needed for using the App Mesh provider - apiGroups: - appmesh.k8s.aws @@ -221,6 +231,9 @@ rules: - list - update - patch +{{- end }} +{{- if .Values.providerRBAC.providers.traefik }} +# Traefik access needed when using the Traefik provider - apiGroups: - traefik.containo.us resources: @@ -229,6 +242,9 @@ rules: - watch - get - update +{{- end }} +{{- if .Values.providerRBAC.providers.apisix }} +# Access needed when using the Apisix provider - apiGroups: - apisix.apache.org resources: @@ -238,3 +254,5 @@ rules: - get - update {{- end }} +{{- end }} +{{- end }} diff --git a/charts/argo-rollouts/values.yaml b/charts/argo-rollouts/values.yaml index 43d322c2..eb077221 100644 --- a/charts/argo-rollouts/values.yaml +++ b/charts/argo-rollouts/values.yaml @@ -190,6 +190,26 @@ podLabels: {} imagePullSecrets: [] # - name: argo-pull-secret +providerRBAC: + # -- Toggles addition of provider-specific RBAC rules to the controller Role and ClusterRole + enabled: true + # providerRBAC.enabled must be true in order to toggle the individual providers + providers: + # -- Adds RBAC rules for the Istio provider + istio: true + # -- Adds RBAC rules for the SMI provider + smi: true + # -- Adds RBAC rules for the Ambassador provider + ambassador: true + # -- Adds RBAC rules for the AWS Load Balancer Controller provider + awsLoadBalancerController: true + # -- Adds RBAC rules for the AWS App Mesh provider + awsAppMesh: true + # -- Adds RBAC rules for the Traefik provider + traefik: true + # -- Adds RBAC rules for the Apisix provider + apisix: true + dashboard: # -- Deploy dashboard server enabled: false