From ebf9fe6eef112579b66c436af97fa08be9bef811 Mon Sep 17 00:00:00 2001
From: Richard Johansson
Date: Thu, 19 Jan 2023 11:48:24 +0100
Subject: [PATCH] Toggle for provider-specific RBAC + Added missing RBAC rules
Signed-off-by: Richard Johansson
---
 charts/argo-rollouts/Chart.yaml | 6 +-
 .../templates/controller/clusterrole.yaml | 28 ++++-
 .../templates/controller/role.yaml | 101 +++++++++++++++++-
 charts/argo-rollouts/values.yaml | 15 +++
 4 files changed, 144 insertions(+), 6 deletions(-)
diff --git a/charts/argo-rollouts/Chart.yaml b/charts/argo-rollouts/Chart.yaml
index 913a190a..7b1330ee 100644
--- a/charts/argo-rollouts/Chart.yaml
+++ b/charts/argo-rollouts/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 appVersion: v1.3.1
 description: A Helm chart for Argo Rollouts
 name: argo-rollouts
-version: 2.21.2
+version: 2.21.3
 home: https://github.com/argoproj/argo-helm
 icon: https://argoproj.github.io/argo-rollouts/assets/logo.png
 keywords:
@@ -15,4 +15,6 @@ maintainers:
 url: https://argoproj.github.io/
 annotations:
 artifacthub.io/changes: |
- - "[Added]: Add support for topologySpreadConstraints"
+ - "[Added]: Flag to toggle provider specific RBAC rules in Role and ClusterRole"
+ - "[Fixed]: Added missing RBAC rules in Role so that it aligns with ClusterRole"
+ - "[Fixed]: Added missing RBAC rules for Traefik provider"
diff --git a/charts/argo-rollouts/templates/controller/clusterrole.yaml b/charts/argo-rollouts/templates/controller/clusterrole.yaml
index b8fdf475..453f0dab 100644
--- a/charts/argo-rollouts/templates/controller/clusterrole.yaml
+++ b/charts/argo-rollouts/templates/controller/clusterrole.yaml
@@ -89,7 +89,9 @@ rules:
 - create
 - get
 - update
-# secret access to run analysis templates which reference secrets, allow init containers to manipulate secrets
+# secret read access to run analysis templates which reference secrets
+# secret write access to allow init containers to manipulate secrets
+# configmap access to read notification-engine configuration
 - apiGroups:
 - ""
 resources:
@@ -110,6 +112,7 @@ rules:
 verbs:
 - list
 - update
+ - watch
 # pods eviction needed for restart
 - apiGroups:
 - ""
@@ -151,6 +154,7 @@ rules:
 - update
 - patch
 - delete
+{{- if .Values.enabledProviders.istio }}
 # virtualservice/destinationrule access needed for using the Istio provider
 - apiGroups:
 - networking.istio.io
@@ -163,6 +167,8 @@ rules:
 - update
 - patch
 - list
+{{- end }}
+{{- if .Values.enabledProviders.smi }}
 # trafficsplit access needed for using the SMI provider
 - apiGroups:
 - split.smi-spec.io
@@ -174,6 +180,8 @@ rules:
 - get
 - update
 - patch
+{{- end }}
+{{- if .Values.enabledProviders.ambassador }}
 # ambassador access needed for Ambassador provider
 - apiGroups:
 - getambassador.io
@@ -188,7 +196,9 @@ rules:
 - update
 - list
 - delete
-# Endpoints and TargetGroupBindings needed for ALB target group verification
+{{- end }}
+{{- if .Values.enabledProviders.awsLoadBalancerController }}
+# Endpoints and TargetGroupBindings needed for ALB target group verification when using AWS Load Balancer Controller
 - apiGroups:
 - ""
 resources:
@@ -202,6 +212,8 @@ rules:
 verbs:
 - list
 - get
+{{- end }}
+{{- if .Values.enabledProviders.awsAppMesh }}
 # AppMesh virtualservices/virtualrouter CRD read-only access needed for using the App Mesh provider
 - apiGroups:
 - appmesh.k8s.aws
@@ -224,3 +236,15 @@ rules:
 - update
 - patch
 {{- end }}
+{{- if .Values.enabledProviders.traefik }}
+# Traefik access needed when using the Traefik provider
+- apiGroups:
+ - traefik.containo.us
+ resources:
+ - traefikservices
+ verbs:
+ - watch
+ - get
+ - update
+{{- end }}
+{{- end }}
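Review bot: The `watch` verb added in hunk `@@ -110,6 +112,7 @@` widens an existing ClusterRole rule, yet none of the three changelog entries in Chart.yaml covers it, and the rule's `resources:` list and the comment that explains it sit above the hunk, so a reader of the diff cannot tell which resource gains watch or why. The same addition appears in role.yaml at `@@ -88,6 +112,7 @@`. A changelog line such as `- "[Fixed]: Added missing watch verb in Role and ClusterRole"` and an extension of the rule's comment (outside the hunk) naming what the watch is needed for would close that gap.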
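Review bot: In hunk `@@ -224,3 +236,15 @@` the context `{{- end }}` above the new Traefik block previously closed the conditional that opens at the top of the file (outside the hunk) but now closes the `{{- if .Values.enabledProviders.awsAppMesh }}` added in the preceding hunk, while the new trailing `{{- end }}` takes over the file-level close. The counts balance (six `if` and six `end` added to this file), but the nesting can only be verified by counting across hunks. Labelling each close with a template comment, e.g. `{{- end }}{{/* enabledProviders.traefik */}}` and `{{- end }}{{/* file-level conditional */}}`, would make the structure checkable in place. The same repurposing happens in role.yaml at `@@ -151,3 +181,70 @@`, where the old close now ends the SMI block.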
diff --git a/charts/argo-rollouts/templates/controller/role.yaml b/charts/argo-rollouts/templates/controller/role.yaml
index 81ce8542..10092cce 100644
--- a/charts/argo-rollouts/templates/controller/role.yaml
+++ b/charts/argo-rollouts/templates/controller/role.yaml
@@ -56,7 +56,19 @@ rules:
 - update
 - patch
 - delete
+# deployments and podtemplates read access needed for workload reference support
+- apiGroups:
+ - ""
+ - apps
+ resources:
+ - deployments
+ - podtemplates
+ verbs:
+ - get
+ - list
+ - watch
 # services patch needed to update selector of canary/stable/active/preview services
+# services create needed to create and delete services for experiments
 - apiGroups:
 - ""
 resources:
@@ -66,7 +78,19 @@ rules:
 - list
 - watch
 - patch
-# secret access to run analysis templates which reference secrets
+ - create
+ - delete
+# leases create/get/update needed for leader election
+- apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - create
+ - get
+ - update
+# secret read access to run analysis templates which reference secrets
+# secret write access to allow init containers to manipulate secrets
 # configmap access to read notification-engine configuration
 - apiGroups:
 - ""
@@ -88,6 +112,7 @@ rules:
 verbs:
 - list
 - update
+ - watch
 # pods eviction needed for restart
 - apiGroups:
 - ""
@@ -129,16 +154,21 @@ rules:
 - update
 - patch
 - delete
-# virtualservice access needed for using the Istio provider
+{{- if .Values.enabledProviders.istio }}
+# virtualservice/destinationrule access needed for using the Istio provider
 - apiGroups:
 - networking.istio.io
 resources:
 - virtualservices
+ - destinationrules
 verbs:
 - watch
 - get
 - update
+ - patch
 - list
+{{- end }}
+{{- if .Values.enabledProviders.smi }}
 # trafficsplit access needed for using the SMI provider
 - apiGroups:
 - split.smi-spec.io
@@ -151,3 +181,70 @@ rules:
 - update
 - patch
 {{- end }}
+{{- if .Values.enabledProviders.ambassador }}
+# ambassador access needed for Ambassador provider
+- apiGroups:
+ - getambassador.io
+ - x.getambassador.io
+ resources:
+ - mappings
+ - ambassadormappings
+ verbs:
+ - create
+ - watch
+ - get
+ - update
+ - list
+ - delete
+{{- end }}
+{{- if .Values.enabledProviders.awsLoadBalancerController }}
+# Endpoints and TargetGroupBindings needed for ALB target group verification when using AWS Load Balancer Controller
+- apiGroups:
+ - ""
+ resources:
+ - endpoints
+ verbs:
+ - get
+- apiGroups:
+ - elbv2.k8s.aws
+ resources:
+ - targetgroupbindings
+ verbs:
+ - list
+ - get
+{{- end }}
+{{- if .Values.enabledProviders.awsAppMesh }}
+# AppMesh virtualservices/virtualrouter CRD read-only access needed for using the App Mesh provider
+- apiGroups:
+ - appmesh.k8s.aws
+ resources:
+ - virtualservices
+ verbs:
+ - watch
+ - get
+ - list
+# AppMesh virtualnode CRD r/w access needed for using the App Mesh provider
+- apiGroups:
+ - appmesh.k8s.aws
+ resources:
+ - virtualnodes
+ - virtualrouters
+ verbs:
+ - watch
+ - get
+ - list
+ - update
+ - patch
+{{- end }}
+{{- if .Values.enabledProviders.traefik }}
+# Traefik access needed when using the Traefik provider
+- apiGroups:
+ - traefik.containo.us
+ resources:
+ - traefikservices
+ verbs:
+ - watch
+ - get
+ - update
+{{- end }}
+{{- end }}
diff --git a/charts/argo-rollouts/values.yaml b/charts/argo-rollouts/values.yaml
index 43d322c2..ec76486d 100644
--- a/charts/argo-rollouts/values.yaml
+++ b/charts/argo-rollouts/values.yaml
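Review bot: The Ambassador, AWS Load Balancer Controller, App Mesh and Traefik rule blocks added to the Role here are, as far as the hunks show, line-for-line copies of the ClusterRole's blocks, and the commit's own changelog says the Role had already drifted from the ClusterRole once; two hand-maintained copies of privileged rules invite the next drift, in either direction. Consider moving the provider-gated rules into a named template in the chart's helpers file (placeholder name `argo-rollouts.providerRules`) and rendering it from both templates with `{{- include "<helper name>" . }}`, so a rule added or tightened for one scope cannot be forgotten in the other. Until then a comment at the top of this block, e.g. `# Keep in sync with the provider rules in templates/controller/clusterrole.yaml`, would at least flag the coupling to the next editor.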
@@ -190,6 +190,21 @@ podLabels: {}
 imagePullSecrets: []
 # - name: argo-pull-secret
 
+## Adds provider-specific RBAC permissions to the controller role and cluster role
+enabledProviders:
+ # -- Adds RBAC for the Istio provider
+ istio: true
+ # -- Adds RBAC for the SMI provider
+ smi: true
+ # -- Adds RBAC for the Ambassador provider
+ ambassador: true
+ # -- Adds RBAC for the AWS Load Balancer Controller provider
+ awsLoadBalancerController: true
+ # -- Adds RBAC for the AWS App Mesh provider
+ awsAppMesh: true
+ # -- Adds RBAC for the Traefik provider
+ traefik: true
+
 dashboard:
 # -- Deploy dashboard server
 enabled: false
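Review bot: Every provider toggle defaults to `true`, so an upgrade keeps all provider-specific rules in the ClusterRole and, through the Role alignment in this commit, adds them to the Role as well — including the new Traefik rule — on every install, whether or not those CRDs are in use; the flag only narrows the controller's RBAC when an operator opts out. Defaulting to `false` would be the least-privilege choice but would break existing installs that depend on a provider, so at minimum the header should tell operators what to do, e.g. `## Disable the providers you do not use so the controller's Role and ClusterRole carry only the rules it needs`. It is also worth saying that turning a provider off while Rollouts in the cluster still reference its resources will presumably show up as forbidden errors in the controller at runtime rather than at install time. The `##` header also departs from the `# --` comment style the neighbouring keys use.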