feat(argo-rollouts): Added flags to toggle provider-specific RBAC (#1777)

* Toggle for provider-specific RBAC + Added missing RBAC rules

Signed-off-by: Richard Johansson <richard.jimmy.johansson@gmail.com>

* Updated docs with new Helm values

Signed-off-by: Richard Johansson <richard.jimmy.johansson@gmail.com>

* Added a general flag providerRBAC.enabled to toggle all of the providers

Signed-off-by: Richard Johansson <richard.jimmy.johansson@gmail.com>

* Aligned with main

Signed-off-by: Richard Johansson <richard.jimmy.johansson@gmail.com>

* Corrected inline comments

Signed-off-by: Richard Johansson <richard.jimmy.johansson@gmail.com>

* Fixed incorrect inline comments

Signed-off-by: Richard Johansson <richard.jimmy.johansson@gmail.com>

Signed-off-by: Richard Johansson <richard.jimmy.johansson@gmail.com>
This commit is contained in:
Richard Johansson 2023-01-20 17:41:52 +01:00 committed by GitHub
parent 9905dcca8e
commit 4dd31571b3
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 68 additions and 4 deletions


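--- a/PATH_NOT_SHOWN_ON_PAGE_1
+++ b/PATH_NOT_SHOWN_ON_PAGE_1
@@ -2,7 +2,7 @@ apiVersion: v2
 appVersion: v1.4.0
 description: A Helm chart for Argo Rollouts
 name: argo-rollouts
-version: 2.22.0
+version: 2.22.1
 home: https://github.com/argoproj/argo-helm
 icon: https://argoproj.github.io/argo-rollouts/assets/logo.png
 keywords:
@@ -15,4 +15,4 @@ maintainers:
 url: https://argoproj.github.io/
 annotations:
 artifacthub.io/changes: |
-- "[Changed]: Upgrade ArgoRollouts to v1.4.0"
+- "[Added]: Flags to toggle provider-specific RBAC rules in Role and ClusterRole"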


@ -55,6 +55,14 @@ If dashboard is installed by `--set dashboard.enabled=true`, checkout the argo-r
| notifications.secret.items | object | `{}` | Generic key:value pairs to be inserted into the notifications secret | | notifications.secret.items | object | `{}` | Generic key:value pairs to be inserted into the notifications secret |
| notifications.templates | object | `{}` | Notification templates | | notifications.templates | object | `{}` | Notification templates |
| notifications.triggers | object | `{}` | The trigger defines the condition when the notification should be sent | | notifications.triggers | object | `{}` | The trigger defines the condition when the notification should be sent |
| providerRBAC.enabled | bool | `true` | Toggles addition of provider-specific RBAC rules to the controller Role and ClusterRole |
| providerRBAC.providers.ambassador | bool | `true` | Adds RBAC rules for the Ambassador provider |
| providerRBAC.providers.apisix | bool | `true` | Adds RBAC rules for the Apisix provider |
| providerRBAC.providers.awsAppMesh | bool | `true` | Adds RBAC rules for the AWS App Mesh provider |
| providerRBAC.providers.awsLoadBalancerController | bool | `true` | Adds RBAC rules for the AWS Load Balancer Controller provider |
| providerRBAC.providers.istio | bool | `true` | Adds RBAC rules for the Istio provider |
| providerRBAC.providers.smi | bool | `true` | Adds RBAC rules for the SMI provider |
| providerRBAC.providers.traefik | bool | `true` | Adds RBAC rules for the Traefik provider |
### Controller ### Controller


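--- a/PATH_NOT_SHOWN_ON_PAGE_2
+++ b/PATH_NOT_SHOWN_ON_PAGE_2
@@ -149,6 +149,8 @@ rules:
 - update
 - patch
 - delete
+{{- if .Values.providerRBAC.enabled }}
+{{- if .Values.providerRBAC.providers.istio }}
 # virtualservice/destinationrule access needed for using the Istio provider
 - apiGroups:
 - networking.istio.io
@@ -161,6 +163,8 @@ rules:
 - update
 - patch
 - list
+{{- end }}
+{{- if .Values.providerRBAC.providers.smi }}
 # trafficsplit access needed for using the SMI provider
 - apiGroups:
 - split.smi-spec.io
@@ -172,6 +176,8 @@ rules:
 - get
 - update
 - patch
+{{- end }}
+{{- if .Values.providerRBAC.providers.ambassador }}
 # ambassador access needed for Ambassador provider
 - apiGroups:
 - getambassador.io
@@ -186,7 +192,9 @@ rules:
 - update
 - list
 - delete
-# Endpoints and TargetGroupBindings needed for ALB target group verification
+{{- end }}
+{{- if .Values.providerRBAC.providers.awsLoadBalancerController }}
+# Endpoints and TargetGroupBindings needed for ALB target group verification when using AWS Load Balancer Controller
 - apiGroups:
 - ""
 resources:
@@ -200,6 +208,8 @@ rules:
 verbs:
 - list
 - get
+{{- end }}
+{{- if .Values.providerRBAC.providers.awsAppMesh }}
 # AppMesh virtualservices/virtualrouter CRD read-only access needed for using the App Mesh provider
 - apiGroups:
 - appmesh.k8s.aws
@@ -221,6 +231,9 @@ rules:
 - list
 - update
 - patch
+{{- end }}
+{{- if .Values.providerRBAC.providers.traefik }}
+# Traefik access needed when using the Traefik provider
 - apiGroups:
 - traefik.containo.us
 resources:
@@ -229,6 +242,9 @@ rules:
 - watch
 - get
 - update
+{{- end }}
+{{- if .Values.providerRBAC.providers.apisix }}
+# Access needed when using the Apisix provider
 - apiGroups:
 - apisix.apache.org
 resources:
@@ -238,3 +254,5 @@ rules:
 - get
 - update
 {{- end }}
+{{- end }}
+{{- end }}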
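Review bot: The outer `{{- if .Values.providerRBAC.enabled }}` wrapper combined with a separate `{{- if .Values.providerRBAC.providers.<name> }}` per provider leaves three consecutive `{{- end }}` in the last hunk, where the pre-existing `{{- end }}` now textually sits under the apisix block while the two added ones close `enabled` and the opener that precedes the first hunk; Go templates match `end` positionally so this renders correctly, but a reader cannot tell which `end` belongs to which `if` without counting. Folding the master flag into each provider condition, e.g. `{{- if and .Values.providerRBAC.enabled .Values.providerRBAC.providers.istio }}` with a matching single `{{- end }}`, makes every block self-contained and removes the outer pair entirely. The identical file section that follows has the same structure and would take the same change. Each condition also dereferences `.Values.providerRBAC.providers` directly; if I recall Helm's value coalescing correctly, an override that sets that map to null makes the render fail with a nil-pointer error instead of falling back to the chart defaults, so a guarded lookup such as `(.Values.providerRBAC.providers | default dict).istio` is more forgiving. The `rules:` list and the opener closed by the pre-existing `{{- end }}` both start before the first hunk.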


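--- a/PATH_NOT_SHOWN_ON_PAGE_3
+++ b/PATH_NOT_SHOWN_ON_PAGE_3
@@ -149,6 +149,8 @@ rules:
 - update
 - patch
 - delete
+{{- if .Values.providerRBAC.enabled }}
+{{- if .Values.providerRBAC.providers.istio }}
 # virtualservice/destinationrule access needed for using the Istio provider
 - apiGroups:
 - networking.istio.io
@@ -161,6 +163,8 @@ rules:
 - update
 - patch
 - list
+{{- end }}
+{{- if .Values.providerRBAC.providers.smi }}
 # trafficsplit access needed for using the SMI provider
 - apiGroups:
 - split.smi-spec.io
@@ -172,6 +176,8 @@ rules:
 - get
 - update
 - patch
+{{- end }}
+{{- if .Values.providerRBAC.providers.ambassador }}
 # ambassador access needed for Ambassador provider
 - apiGroups:
 - getambassador.io
@@ -186,7 +192,9 @@ rules:
 - update
 - list
 - delete
-# Endpoints and TargetGroupBindings needed for ALB target group verification
+{{- end }}
+{{- if .Values.providerRBAC.providers.awsLoadBalancerController }}
+# Endpoints and TargetGroupBindings needed for ALB target group verification when using AWS Load Balancer Controller
 - apiGroups:
 - ""
 resources:
@@ -200,6 +208,8 @@ rules:
 verbs:
 - list
 - get
+{{- end }}
+{{- if .Values.providerRBAC.providers.awsAppMesh }}
 # AppMesh virtualservices/virtualrouter CRD read-only access needed for using the App Mesh provider
 - apiGroups:
 - appmesh.k8s.aws
@@ -221,6 +231,9 @@ rules:
 - list
 - update
 - patch
+{{- end }}
+{{- if .Values.providerRBAC.providers.traefik }}
+# Traefik access needed when using the Traefik provider
 - apiGroups:
 - traefik.containo.us
 resources:
@@ -229,6 +242,9 @@ rules:
 - watch
 - get
 - update
+{{- end }}
+{{- if .Values.providerRBAC.providers.apisix }}
+# Access needed when using the Apisix provider
 - apiGroups:
 - apisix.apache.org
 resources:
@@ -238,3 +254,5 @@ rules:
 - get
 - update
 {{- end }}
+{{- end }}
+{{- end }}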


@ -190,6 +190,26 @@ podLabels: {}
imagePullSecrets: [] imagePullSecrets: []
# - name: argo-pull-secret # - name: argo-pull-secret
providerRBAC:
# -- Toggles addition of provider-specific RBAC rules to the controller Role and ClusterRole
enabled: true
# providerRBAC.enabled must be true in order to toggle the individual providers
providers:
# -- Adds RBAC rules for the Istio provider
istio: true
# -- Adds RBAC rules for the SMI provider
smi: true
# -- Adds RBAC rules for the Ambassador provider
ambassador: true
# -- Adds RBAC rules for the AWS Load Balancer Controller provider
awsLoadBalancerController: true
# -- Adds RBAC rules for the AWS App Mesh provider
awsAppMesh: true
# -- Adds RBAC rules for the Traefik provider
traefik: true
# -- Adds RBAC rules for the Apisix provider
apisix: true
dashboard: dashboard:
# -- Deploy dashboard server # -- Deploy dashboard server
enabled: false enabled: false
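Review bot: The comment above the `providers` map, `# providerRBAC.enabled must be true in order to toggle the individual providers`, reads as though `enabled` has to be true before the flags may be changed, whereas the templates simply skip every provider block when it is false; `# The flags below only take effect while providerRBAC.enabled is true` states that directly. Because every flag defaults to `true`, a default install still grants the controller the full set of provider permissions, so the `# --` doc on `enabled` is the natural place to point operators at the least-privilege option: `# -- Toggles addition of provider-specific RBAC rules to the controller Role and ClusterRole. Disable the providers you do not use to keep the controller's permissions minimal`. Those `# --` comments appear to be what the README table in the section above is generated from, so the wording would surface there as well. The per-provider docs say only "Adds RBAC rules for the X provider"; naming the API group each one grants (e.g. `networking.istio.io` for Istio, as the template hunks show) would let a reviewer check a rendered Role against the flags without opening the template.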