DevFW-CICD/argocd-helm
14
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fix(argo-rollouts): Align permissions for controller's ClusterRole / Role (#2830)

Browse source 
* fix(argo-rollouts): Align permissions for controller's ClusterRole / Role

Signed-off-by: yu-croco <yu.croco@gmail.com>

* fix(argo-rollouts): correct typo

Signed-off-by: yu-croco <yu.croco@gmail.com>

---------

Signed-off-by: yu-croco <yu.croco@gmail.com>
This commit is contained in:
Aikawa 2024-08-12 17:58:01 +09:00 committed by GitHub
parent a7e5915b21
commit 4f4fb956d3
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
4 changed files with 312 additions and 590 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
charts/argo-rollouts/Chart.yaml
View file

@ -2,7 +2,7 @@ apiVersion: v2
appVersion: v1.7.1 appVersion: v1.7.1
description: A Helm chart for Argo Rollouts description: A Helm chart for Argo Rollouts
name: argo-rollouts name: argo-rollouts
version: 2.37.3 version: 2.37.4
home: https://github.com/argoproj/argo-helm home: https://github.com/argoproj/argo-helm
icon: https://argoproj.github.io/argo-rollouts/assets/logo.png icon: https://argoproj.github.io/argo-rollouts/assets/logo.png
keywords: keywords:
@ -18,5 +18,5 @@ annotations:
fingerprint: 2B8F22F57260EFA67BE1C5824B11F800CD9D2252 fingerprint: 2B8F22F57260EFA67BE1C5824B11F800CD9D2252
url: https://argoproj.github.io/argo-helm/pgp_keys.asc url: https://argoproj.github.io/argo-helm/pgp_keys.asc
artifacthub.io/changes: | artifacthub.io/changes: |
- kind: added - kind: fixed
description: Added setting to disable creation of the notifications ConfigMap description: Align permissions for controller's ClusterRole and Role

307
charts/argo-rollouts/templates/_helpers.tpl
View file

@ -109,3 +109,310 @@ Return the appropriate apiVersion for pod disruption budget
{{- print "policy/v1" -}} {{- print "policy/v1" -}}
{{- end -}} {{- end -}}
{{- end -}} {{- end -}}
{{/*
Return the rules for controller's Role and ClusterRole
*/}}
{{- define "argo-rollouts.controller.roleRules" -}}
- apiGroups:
- argoproj.io
resources:
- rollouts
- rollouts/status
- rollouts/finalizers
verbs:
- get
- list
- watch
- update
- patch
- apiGroups:
- argoproj.io
resources:
- analysisruns
- analysisruns/finalizers
- experiments
- experiments/finalizers
verbs:
- create
- get
- list
- watch
- update
- patch
- delete
- apiGroups:
- argoproj.io
resources:
- analysistemplates
- clusteranalysistemplates
verbs:
- get
- list
- watch
# replicaset access needed for managing ReplicaSets
- apiGroups:
- apps
resources:
- replicasets
verbs:
- create
- get
- list
- watch
- update
- patch
- delete
# deployments and podtemplates read access needed for workload reference support
- apiGroups:
- ""
- apps
resources:
- deployments
- podtemplates
verbs:
- get
- list
- watch
# services patch needed to update selector of canary/stable/active/preview services
# services create needed to create and delete services for experiments
- apiGroups:
- ""
resources:
- services
verbs:
- get
- list
- watch
- patch
- create
- delete
# leases create/get/update needed for leader election
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- create
- get
- update
# secret read access to run analysis templates which reference secrets
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- configmaps
verbs:
- get
- list
- watch
{{- if .Values.providerRBAC.providers.gatewayAPI }}
- create
- update
{{- end }}
# pod list/update needed for updating ephemeral data
- apiGroups:
- ""
resources:
- pods
verbs:
- list
- update
- watch
# pods eviction needed for restart
- apiGroups:
- ""
resources:
- pods/eviction
verbs:
- create
# event write needed for emitting events
- apiGroups:
- ""
resources:
- events
verbs:
- create
- update
- patch
# ingress patch needed for managing ingress annotations, create needed for nginx canary
- apiGroups:
- networking.k8s.io
- extensions
resources:
- ingresses
verbs:
- create
- get
- list
- watch
- update
- patch
# job access needed for analysis template job metrics
- apiGroups:
- batch
resources:
- jobs
verbs:
- create
- get
- list
- watch
- update
- patch
- delete
{{- if .Values.providerRBAC.enabled }}
{{- if .Values.providerRBAC.providers.istio }}
# virtualservice/destinationrule access needed for using the Istio provider
- apiGroups:
- networking.istio.io
resources:
- virtualservices
- destinationrules
verbs:
- watch
- get
- update
- patch
- list
{{- end }}
{{- if .Values.providerRBAC.providers.smi }}
# trafficsplit access needed for using the SMI provider
- apiGroups:
- split.smi-spec.io
resources:
- trafficsplits
verbs:
- create
- watch
- get
- update
- patch
{{- end }}
{{- if .Values.providerRBAC.providers.ambassador }}
# ambassador access needed for Ambassador provider
- apiGroups:
- getambassador.io
- x.getambassador.io
resources:
- mappings
- ambassadormappings
verbs:
- create
- watch
- get
- update
- list
- delete
{{- end }}
{{- if .Values.providerRBAC.providers.awsLoadBalancerController }}
# Endpoints and TargetGroupBindings needed for ALB target group verification when using AWS Load Balancer Controller
- apiGroups:
- ""
resources:
- endpoints
verbs:
- get
- apiGroups:
- elbv2.k8s.aws
resources:
- targetgroupbindings
verbs:
- list
- get
{{- end }}
{{- if .Values.providerRBAC.providers.awsAppMesh }}
# AppMesh virtualservices/virtualrouter CRD read-only access needed for using the App Mesh provider
- apiGroups:
- appmesh.k8s.aws
resources:
- virtualservices
verbs:
- watch
- get
- list
# AppMesh virtualnode CRD r/w access needed for using the App Mesh provider
- apiGroups:
- appmesh.k8s.aws
resources:
- virtualnodes
- virtualrouters
verbs:
- watch
- get
- list
- update
- patch
{{- end }}
{{- if .Values.providerRBAC.providers.traefik }}
# Traefik access needed when using the Traefik provider
- apiGroups:
- traefik.containo.us
- traefik.io
resources:
- traefikservices
verbs:
- watch
- get
- update
{{- end }}
{{- if .Values.providerRBAC.providers.apisix }}
# Access needed when using the Apisix provider
- apiGroups:
- apisix.apache.org
resources:
- apisixroutes
verbs:
- watch
- get
- update
{{- end }}
{{- if .Values.providerRBAC.providers.contour }}
# Access needed when using the Contour provider
- apiGroups:
- projectcontour.io
resources:
- httpproxies
verbs:
- get
- list
- watch
- update
{{- end }}
{{- if .Values.providerRBAC.providers.glooPlatform }}
# Access needed when using the Gloo Platform provider
- apiGroups:
- networking.gloo.solo.io
resources:
- routetables
verbs:
- '*'
{{- end }}
{{- if .Values.providerRBAC.providers.gatewayAPI }}
# Access needed when using the Gateway API provider
- apiGroups:
- gateway.networking.k8s.io
resources:
- httproutes
- tcproutes
- tlsroutes
- udproutes
- grpcroutes
verbs:
- get
- list
- watch
- update
{{- end }}
{{- with .Values.providerRBAC.additionalRules }}
{{ toYaml . }}
{{- end }}
{{- end }}
{{- end -}}

302
charts/argo-rollouts/templates/controller/clusterrole.yaml
View file

@ -7,305 +7,5 @@ metadata:
app.kubernetes.io/component: {{ .Values.controller.component }} app.kubernetes.io/component: {{ .Values.controller.component }}
{{- include "argo-rollouts.labels" . | nindent 4 }} {{- include "argo-rollouts.labels" . | nindent 4 }}
rules: rules:
- apiGroups: {{- include "argo-rollouts.controller.roleRules" . | nindent 2 }}
- argoproj.io
resources:
- rollouts
- rollouts/status
- rollouts/finalizers
verbs:
- get
- list
- watch
- update
- patch
- apiGroups:
- argoproj.io
resources:
- analysisruns
- analysisruns/finalizers
- experiments
- experiments/finalizers
verbs:
- create
- get
- list
- watch
- update
- patch
- delete
- apiGroups:
- argoproj.io
resources:
- analysistemplates
- clusteranalysistemplates
verbs:
- get
- list
- watch
# replicaset access needed for managing ReplicaSets
- apiGroups:
- apps
resources:
- replicasets
verbs:
- create
- get
- list
- watch
- update
- patch
- delete
# deployments and podtemplates read access needed for workload reference support
- apiGroups:
- ""
- apps
resources:
- deployments
- podtemplates
verbs:
- get
- list
- watch
# services patch needed to update selector of canary/stable/active/preview services
# services create needed to create and delete services for experiments
- apiGroups:
- ""
resources:
- services
verbs:
- get
- list
- watch
- patch
- create
- delete
# leases create/get/update needed for leader election
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- create
- get
- update
# secret read access to run analysis templates which reference secrets
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- configmaps
verbs:
- get
- list
- watch
{{- if .Values.providerRBAC.providers.gatewayAPI }}
- create
- update
{{- end }}
# pod list/update needed for updating ephemeral data
- apiGroups:
- ""
resources:
- pods
verbs:
- list
- update
- watch
# pods eviction needed for restart
- apiGroups:
- ""
resources:
- pods/eviction
verbs:
- create
# event write needed for emitting events
- apiGroups:
- ""
resources:
- events
verbs:
- create
- update
- patch
# ingress patch needed for managing ingress annotations, create needed for nginx canary
- apiGroups:
- networking.k8s.io
- extensions
resources:
- ingresses
verbs:
- create
- get
- list
- watch
- update
- patch
# job access needed for analysis template job metrics
- apiGroups:
- batch
resources:
- jobs
verbs:
- create
- get
- list
- watch
- update
- patch
- delete
{{- if .Values.providerRBAC.enabled }}
{{- if .Values.providerRBAC.providers.istio }}
# virtualservice/destinationrule access needed for using the Istio provider
- apiGroups:
- networking.istio.io
resources:
- virtualservices
- destinationrules
verbs:
- watch
- get
- update
- patch
- list
{{- end }}
{{- if .Values.providerRBAC.providers.smi }}
# trafficsplit access needed for using the SMI provider
- apiGroups:
- split.smi-spec.io
resources:
- trafficsplits
verbs:
- create
- watch
- get
- update
- patch
{{- end }}
{{- if .Values.providerRBAC.providers.ambassador }}
# ambassador access needed for Ambassador provider
- apiGroups:
- getambassador.io
- x.getambassador.io
resources:
- mappings
- ambassadormappings
verbs:
- create
- watch
- get
- update
- list
- delete
{{- end }}
{{- if .Values.providerRBAC.providers.awsLoadBalancerController }}
# Endpoints and TargetGroupBindings needed for ALB target group verification when using AWS Load Balancer Controller
- apiGroups:
- ""
resources:
- endpoints
verbs:
- get
- apiGroups:
- elbv2.k8s.aws
resources:
- targetgroupbindings
verbs:
- list
- get
{{- end }}
{{- if .Values.providerRBAC.providers.awsAppMesh }}
# AppMesh virtualservices/virtualrouter CRD read-only access needed for using the App Mesh provider
- apiGroups:
- appmesh.k8s.aws
resources:
- virtualservices
verbs:
- watch
- get
- list
# AppMesh virtualnode CRD r/w access needed for using the App Mesh provider
- apiGroups:
- appmesh.k8s.aws
resources:
- virtualnodes
- virtualrouters
verbs:
- watch
- get
- list
- update
- patch
{{- end }}
{{- if .Values.providerRBAC.providers.traefik }}
# Traefik access needed when using the Traefik provider
- apiGroups:
- traefik.containo.us
- traefik.io
resources:
- traefikservices
verbs:
- watch
- get
- update
{{- end }}
{{- if .Values.providerRBAC.providers.apisix }}
# Access needed when using the Apisix provider
- apiGroups:
- apisix.apache.org
resources:
- apisixroutes
verbs:
- watch
- get
- update
{{- end }}
{{- if .Values.providerRBAC.providers.contour }}
# Access needed when using the Contour provider
- apiGroups:
- projectcontour.io
resources:
- httpproxies
verbs:
- get
- list
- watch
- update
{{- end }}
{{- if .Values.providerRBAC.providers.glooPlatform }}
# Access needed when using the Gloo Platform provider
- apiGroups:
- networking.gloo.solo.io
resources:
- routetables
verbs:
- '*'
{{- end }}
{{- if .Values.providerRBAC.providers.gatewayAPI }}
# Access needed when using the Gateway API provider
- apiGroups:
- gateway.networking.k8s.io
resources:
- httproutes
- tcproutes
- tlsroutes
- udproutes
- grpcroutes
verbs:
- get
- list
- watch
- update
{{- end }}
{{- with .Values.providerRBAC.additionalRules }}
{{ toYaml . }}
{{- end }}
{{- end }}
{{- end }} {{- end }}

287
charts/argo-rollouts/templates/controller/role.yaml
View file

@ -8,290 +8,5 @@ metadata:
app.kubernetes.io/component: {{ .Values.controller.component }} app.kubernetes.io/component: {{ .Values.controller.component }}
{{- include "argo-rollouts.labels" . | nindent 4 }} {{- include "argo-rollouts.labels" . | nindent 4 }}
rules: rules:
- apiGroups: {{- include "argo-rollouts.controller.roleRules" . | nindent 2 }}
- argoproj.io
resources:
- rollouts
- rollouts/status
- rollouts/finalizers
verbs:
- get
- list
- watch
- update
- patch
- apiGroups:
- argoproj.io
resources:
- analysisruns
- analysisruns/finalizers
- experiments
- experiments/finalizers
verbs:
- create
- get
- list
- watch
- update
- patch
- delete
- apiGroups:
- argoproj.io
resources:
- analysistemplates
- clusteranalysistemplates
verbs:
- get
- list
- watch
# replicaset access needed for managing ReplicaSets
- apiGroups:
- apps
resources:
- replicasets
verbs:
- create
- get
- list
- watch
- update
- patch
- delete
# deployments and podtemplates read access needed for workload reference support
- apiGroups:
- ""
- apps
resources:
- deployments
- podtemplates
verbs:
- get
- list
- watch
# services patch needed to update selector of canary/stable/active/preview services
# services create needed to create and delete services for experiments
- apiGroups:
- ""
resources:
- services
verbs:
- get
- list
- watch
- patch
- create
- delete
# leases create/get/update needed for leader election
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- create
- get
- update
# secret read access to run analysis templates which reference secrets
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- configmaps
verbs:
- get
- list
- watch
{{- if .Values.providerRBAC.providers.gatewayAPI }}
- create
- update
{{- end }}
# pod list/update needed for updating ephemeral data
- apiGroups:
- ""
resources:
- pods
verbs:
- list
- update
- watch
# pods eviction needed for restart
- apiGroups:
- ""
resources:
- pods/eviction
verbs:
- create
# event write needed for emitting events
- apiGroups:
- ""
resources:
- events
verbs:
- create
- update
- patch
# ingress patch needed for managing ingress annotations, create needed for nginx canary
- apiGroups:
- networking.k8s.io
- extensions
resources:
- ingresses
verbs:
- create
- get
- list
- watch
- update
- patch
# job access needed for analysis template job metrics
- apiGroups:
- batch
resources:
- jobs
verbs:
- create
- get
- list
- watch
- update
- patch
- delete
{{- if .Values.providerRBAC.enabled }}
{{- if .Values.providerRBAC.providers.istio }}
# virtualservice/destinationrule access needed for using the Istio provider
- apiGroups:
- networking.istio.io
resources:
- virtualservices
- destinationrules
verbs:
- watch
- get
- update
- patch
- list
{{- end }}
{{- if .Values.providerRBAC.providers.smi }}
# trafficsplit access needed for using the SMI provider
- apiGroups:
- split.smi-spec.io
resources:
- trafficsplits
verbs:
- create
- watch
- get
- update
- patch
{{- end }}
{{- if .Values.providerRBAC.providers.ambassador }}
# ambassador access needed for Ambassador provider
- apiGroups:
- getambassador.io
- x.getambassador.io
resources:
- mappings
- ambassadormappings
verbs:
- create
- watch
- get
- update
- list
- delete
{{- end }}
{{- if .Values.providerRBAC.providers.awsLoadBalancerController }}
# Endpoints and TargetGroupBindings needed for ALB target group verification when using AWS Load Balancer Controller
- apiGroups:
- ""
resources:
- endpoints
verbs:
- get
- apiGroups:
- elbv2.k8s.aws
resources:
- targetgroupbindings
verbs:
- list
- get
{{- end }}
{{- if .Values.providerRBAC.providers.awsAppMesh }}
# AppMesh virtualservices/virtualrouter CRD read-only access needed for using the App Mesh provider
- apiGroups:
- appmesh.k8s.aws
resources:
- virtualservices
verbs:
- watch
- get
- list
# AppMesh virtualnode CRD r/w access needed for using the App Mesh provider
- apiGroups:
- appmesh.k8s.aws
resources:
- virtualnodes
- virtualrouters
verbs:
- watch
- get
- list
- update
- patch
{{- end }}
{{- if .Values.providerRBAC.providers.traefik }}
# Traefik access needed when using the Traefik provider
- apiGroups:
- traefik.containo.us
- traefik.io
resources:
- traefikservices
verbs:
- watch
- get
- update
{{- end }}
{{- if .Values.providerRBAC.providers.apisix }}
# Access needed when using the Apisix provider
- apiGroups:
- apisix.apache.org
resources:
- apisixroutes
verbs:
- watch
- get
- update
{{- end }}
{{- if .Values.providerRBAC.providers.glooPlatform }}
# Access needed when using the Gloo Platform provider
- apiGroups:
- networking.gloo.solo.io
resources:
- routetables
verbs:
- '*'
{{- end }}
{{- if .Values.providerRBAC.providers.gatewayAPI }}
# Access needed when using the Gateway API provider
- apiGroups:
- gateway.networking.k8s.io
resources:
- httproutes
- tcproutes
- tlsroutes
- udproutes
- grpcroutes
verbs:
- get
- list
- watch
- update
{{- end }}
{{- end }}
{{- end }} {{- end }}