Toggle for provider-specific RBAC + Added missing RBAC rules

Signed-off-by: Richard Johansson <richard.jimmy.johansson@gmail.com>

charts/argo-rollouts/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 appVersion: v1.3.1
 description: A Helm chart for Argo Rollouts
 name: argo-rollouts
-version: 2.21.2
+version: 2.21.3
 home: https://github.com/argoproj/argo-helm
 icon: https://argoproj.github.io/argo-rollouts/assets/logo.png
 keywords:
@@ -15,4 +15,6 @@ maintainers:
     url: https://argoproj.github.io/
 annotations:
   artifacthub.io/changes: |
-    - "[Added]: Add support for topologySpreadConstraints"
+    - "[Added]: Flag to toggle provider specific RBAC rules in Role and ClusterRole"
+    - "[Fixed]: Added missing RBAC rules in Role so that it aligns with ClusterRole"
+    - "[Fixed]: Added missing RBAC rules for Traefik provider"

charts/argo-rollouts/templates/controller/clusterrole.yaml

@@ -89,7 +89,9 @@ rules:
   - create
   - get
   - update
-# secret access to run analysis templates which reference secrets, allow init containers to manipulate secrets
+# secret read access to run analysis templates which reference secrets
+# secret write access to allow init containers to manipulate secrets
+# configmap access to read notification-engine configuration
 - apiGroups:
   - ""
   resources:
@@ -110,6 +112,7 @@ rules:
   verbs:
   - list
   - update
+  - watch
 # pods eviction needed for restart
 - apiGroups:
   - ""
@@ -151,6 +154,7 @@ rules:
   - update
   - patch
   - delete
+{{- if .Values.enabledProviders.istio }}
 # virtualservice/destinationrule access needed for using the Istio provider
 - apiGroups:
   - networking.istio.io
@@ -163,6 +167,8 @@ rules:
   - update
   - patch
   - list
+{{- end }}
+{{- if .Values.enabledProviders.smi }}
 # trafficsplit access needed for using the SMI provider
 - apiGroups:
   - split.smi-spec.io
@@ -174,6 +180,8 @@ rules:
   - get
   - update
   - patch
+{{- end }}
+{{- if .Values.enabledProviders.ambassador }}
 # ambassador access needed for Ambassador provider
 - apiGroups:
   - getambassador.io
@@ -188,7 +196,9 @@ rules:
   - update
   - list
   - delete
-# Endpoints and TargetGroupBindings needed for ALB target group verification
+{{- end }}
+{{- if .Values.enabledProviders.awsLoadBalancerController }}
+# Endpoints and TargetGroupBindings needed for ALB target group verification when using AWS Load Balancer Controller
 - apiGroups:
   - ""
   resources:
@@ -202,6 +212,8 @@ rules:
   verbs:
   - list
   - get
+{{- end }}
+{{- if .Values.enabledProviders.awsAppMesh }}
 # AppMesh virtualservices/virtualrouter CRD read-only access needed for using the App Mesh provider
 - apiGroups:
   - appmesh.k8s.aws
@@ -224,3 +236,15 @@ rules:
   - update
   - patch
 {{- end }}
+{{- if .Values.enabledProviders.traefik }}
+# Traefik access needed when using the Traefik provider
+- apiGroups:
+  - traefik.containo.us
+  resources:
+  - traefikservices
+  verbs:
+  - watch
+  - get
+  - update
+{{- end }}
+{{- end }}

charts/argo-rollouts/templates/controller/role.yaml

@@ -56,7 +56,19 @@ rules:
   - update
   - patch
   - delete
+# deployments and podtemplates read access needed for workload reference support
+- apiGroups:
+  - ""
+  - apps
+  resources:
+  - deployments
+  - podtemplates
+  verbs:
+  - get
+  - list
+  - watch
 # services patch needed to update selector of canary/stable/active/preview services
+# services create needed to create and delete services for experiments
 - apiGroups:
   - ""
   resources:
@@ -66,7 +78,19 @@ rules:
   - list
   - watch
   - patch
-# secret access to run analysis templates which reference secrets
+  - create
+  - delete
+# leases create/get/update needed for leader election
+- apiGroups:
+  - coordination.k8s.io
+  resources:
+  - leases
+  verbs:
+  - create
+  - get
+  - update
+# secret read access to run analysis templates which reference secrets
+# secret write access to allow init containers to manipulate secrets
 # configmap access to read notification-engine configuration
 - apiGroups:
   - ""
@@ -88,6 +112,7 @@ rules:
   verbs:
   - list
   - update
+  - watch
 # pods eviction needed for restart
 - apiGroups:
   - ""
@@ -129,16 +154,21 @@ rules:
   - update
   - patch
   - delete
-# virtualservice access needed for using the Istio provider
+{{- if .Values.enabledProviders.istio }}
+# virtualservice/destinationrule access needed for using the Istio provider
 - apiGroups:
   - networking.istio.io
   resources:
   - virtualservices
+  - destinationrules
   verbs:
   - watch
   - get
   - update
+  - patch
   - list
+{{- end }}
+{{- if .Values.enabledProviders.smi }}
 # trafficsplit access needed for using the SMI provider
 - apiGroups:
   - split.smi-spec.io
@@ -151,3 +181,70 @@ rules:
   - update
   - patch
 {{- end }}
+{{- if .Values.enabledProviders.ambassador }}
+# ambassador access needed for Ambassador provider
+- apiGroups:
+  - getambassador.io
+  - x.getambassador.io
+  resources:
+  - mappings
+  - ambassadormappings
+  verbs:
+  - create
+  - watch
+  - get
+  - update
+  - list
+  - delete
+{{- end }}
+{{- if .Values.enabledProviders.awsLoadBalancerController }}
+# Endpoints and TargetGroupBindings needed for ALB target group verification when using AWS Load Balancer Controller
+- apiGroups:
+  - ""
+  resources:
+  - endpoints
+  verbs:
+  - get
+- apiGroups:
+  - elbv2.k8s.aws
+  resources:
+  - targetgroupbindings
+  verbs:
+  - list
+  - get
+{{- end }}
+{{- if .Values.enabledProviders.awsAppMesh }}
+# AppMesh virtualservices/virtualrouter CRD read-only access needed for using the App Mesh provider
+- apiGroups:
+  - appmesh.k8s.aws
+  resources:
+  - virtualservices
+  verbs:
+  - watch
+  - get
+  - list
+# AppMesh virtualnode CRD r/w access needed for using the App Mesh provider
+- apiGroups:
+  - appmesh.k8s.aws
+  resources:
+  - virtualnodes
+  - virtualrouters
+  verbs:
+  - watch
+  - get
+  - list
+  - update
+  - patch
+{{- end }}
+{{- if .Values.enabledProviders.traefik }}
+# Traefik access needed when using the Traefik provider
+- apiGroups:
+  - traefik.containo.us
+  resources:
+  - traefikservices
+  verbs:
+  - watch
+  - get
+  - update
+{{- end }}
+{{- end }}

charts/argo-rollouts/values.yaml

@@ -190,6 +190,21 @@ podLabels: {}
 imagePullSecrets: []
 # - name: argo-pull-secret
 
+## Adds provider-specific RBAC permissions to the controller role and cluster role
+enabledProviders:
+  # -- Adds RBAC for the Istio provider
+  istio: true
+  # -- Adds RBAC for the SMI provider
+  smi: true
+  # -- Adds RBAC for the Ambassador provider
+  ambassador: true
+  # -- Adds RBAC for the AWS Load Balancer Controller provider
+  awsLoadBalancerController: true
+  # -- Adds RBAC for the AWS App Mesh provider
+  awsAppMesh: true
+  # -- Adds RBAC for the Traefik provider
+  traefik: true
+
 dashboard:
   # -- Deploy dashboard server
   enabled: false