From 66f90b168aa42ed7b1e560f41757b11d69fc9f44 Mon Sep 17 00:00:00 2001 From: congiv Date: Sat, 23 Mar 2024 10:50:37 -0400 Subject: [PATCH] feat(argo-rollouts): add minimum RBAC for Gateway API Signed-off-by: congiv --- charts/argo-rollouts/Chart.yaml | 4 +-- .../templates/controller/clusterrole.yaml | 27 +++++++++++++++ .../templates/controller/role.yaml | 33 +++++++++++++++++-- charts/argo-rollouts/values.yaml | 2 ++ 4 files changed, 61 insertions(+), 5 deletions(-) diff --git a/charts/argo-rollouts/Chart.yaml b/charts/argo-rollouts/Chart.yaml index 740aba28..307965b9 100644 --- a/charts/argo-rollouts/Chart.yaml +++ b/charts/argo-rollouts/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 appVersion: v1.6.6 description: A Helm chart for Argo Rollouts name: argo-rollouts -version: 2.35.0 +version: 2.35.1 home: https://github.com/argoproj/argo-helm icon: https://argoproj.github.io/argo-rollouts/assets/logo.png keywords: @@ -19,4 +19,4 @@ annotations: url: https://argoproj.github.io/argo-helm/pgp_keys.asc artifacthub.io/changes: | - kind: added - description: Added Deployment labels + description: Allow minimum set of RBAC rules for Gateway API resources diff --git a/charts/argo-rollouts/templates/controller/clusterrole.yaml b/charts/argo-rollouts/templates/controller/clusterrole.yaml index a60070b3..a80708b6 100644 --- a/charts/argo-rollouts/templates/controller/clusterrole.yaml +++ b/charts/argo-rollouts/templates/controller/clusterrole.yaml @@ -94,11 +94,22 @@ rules: - "" resources: - secrets + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: - configmaps verbs: - get - list - watch +{{- if .Values.providerRBAC.providers.gatewayAPI }} + - create + - update +{{- end }} # pod list/update needed for updating ephemeral data - apiGroups: - "" @@ -276,6 +287,22 @@ rules: verbs: - '*' {{- end }} +{{- if .Values.providerRBAC.providers.gatewayAPI }} + # Access needed when using the Gateway API provider +- apiGroups: + - gateway.networking.k8s.io + resources: + - httproutes + - tcproutes + - tlsroutes + - udproutes + - grpcroutes + verbs: + - get + - list + - watch + - update +{{- end }} {{- with .Values.providerRBAC.additionalRules }} {{ toYaml . }} {{- end }} diff --git a/charts/argo-rollouts/templates/controller/role.yaml b/charts/argo-rollouts/templates/controller/role.yaml index dc656cde..584587b9 100644 --- a/charts/argo-rollouts/templates/controller/role.yaml +++ b/charts/argo-rollouts/templates/controller/role.yaml @@ -95,11 +95,22 @@ rules: - "" resources: - secrets + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: - configmaps verbs: - get - list - watch +{{- if .Values.providerRBAC.providers.gatewayAPI }} + - create + - update +{{- end }} # pod list/update needed for updating ephemeral data - apiGroups: - "" @@ -259,11 +270,27 @@ rules: {{- if .Values.providerRBAC.providers.glooPlatform }} # Access needed when using the Gloo Platform provider - apiGroups: - - networking.gloo.solo.io + - networking.gloo.solo.io resources: - - routetables + - routetables verbs: - - '*' + - '*' +{{- end }} +{{- if .Values.providerRBAC.providers.gatewayAPI }} + # Access needed when using the Gateway API provider +- apiGroups: + - gateway.networking.k8s.io + resources: + - httproutes + - tcproutes + - tlsroutes + - udproutes + - grpcroutes + verbs: + - get + - list + - watch + - update {{- end }} {{- end }} {{- end }} diff --git a/charts/argo-rollouts/values.yaml b/charts/argo-rollouts/values.yaml index 9cc4042d..8f3f10b4 100644 --- a/charts/argo-rollouts/values.yaml +++ b/charts/argo-rollouts/values.yaml @@ -277,6 +277,8 @@ providerRBAC: contour: true # -- Adds RBAC rules for the Gloo Platform provider, see `https://github.com/argoproj-labs/rollouts-plugin-trafficrouter-glooplatform/blob/main/README.md` glooPlatform: true + # -- Adds RBAC rules for the Gateway API provider + gatewayAPI: true # -- Additional RBAC rules for others providers additionalRules: []