Toggle for provider-specific RBAC + Added missing RBAC rules

Signed-off-by: Richard Johansson <richard.jimmy.johansson@gmail.com>
2023-01-19 11:48:24 +01:00 · 2023-01-19 11:48:24 +01:00 · ebf9fe6eef
commit ebf9fe6eef
parent f3888bc996
4 changed files with 144 additions and 6 deletions
--- a/charts/argo-rollouts/Chart.yaml
+++ b/charts/argo-rollouts/Chart.yaml
@ -2,7 +2,7 @@ apiVersion: v2
 appVersion: v1.3.1
 description: A Helm chart for Argo Rollouts
 name: argo-rollouts
-version: 2.21.2
+version: 2.21.3
 home: https://github.com/argoproj/argo-helm
 icon: https://argoproj.github.io/argo-rollouts/assets/logo.png
 keywords:
@ -15,4 +15,6 @@ maintainers:
    url: https://argoproj.github.io/
 annotations:
  artifacthub.io/changes: |
-    - "[Added]: Add support for topologySpreadConstraints"
+    - "[Added]: Flag to toggle provider specific RBAC rules in Role and ClusterRole"
+    - "[Fixed]: Added missing RBAC rules in Role so that it aligns with ClusterRole"
+    - "[Fixed]: Added missing RBAC rules for Traefik provider"
--- a/charts/argo-rollouts/templates/controller/clusterrole.yaml
+++ b/charts/argo-rollouts/templates/controller/clusterrole.yaml
@ -89,7 +89,9 @@ rules:
  - create
  - get
  - update
-# secret access to run analysis templates which reference secrets, allow init containers to manipulate secrets
+# secret read access to run analysis templates which reference secrets
+# secret write access to allow init containers to manipulate secrets
+# configmap access to read notification-engine configuration
 - apiGroups:
  - ""
  resources:
@ -110,6 +112,7 @@ rules:
  verbs:
  - list
  - update
+  - watch
 # pods eviction needed for restart
 - apiGroups:
  - ""
@ -151,6 +154,7 @@ rules:
  - update
  - patch
  - delete
+{{- if .Values.enabledProviders.istio }}
 # virtualservice/destinationrule access needed for using the Istio provider
 - apiGroups:
  - networking.istio.io
@ -163,6 +167,8 @@ rules:
  - update
  - patch
  - list
+{{- end }}
+{{- if .Values.enabledProviders.smi }}
 # trafficsplit access needed for using the SMI provider
 - apiGroups:
  - split.smi-spec.io
@ -174,6 +180,8 @@ rules:
  - get
  - update
  - patch
+{{- end }}
+{{- if .Values.enabledProviders.ambassador }}
 # ambassador access needed for Ambassador provider
 - apiGroups:
  - getambassador.io
@ -188,7 +196,9 @@ rules:
  - update
  - list
  - delete
-# Endpoints and TargetGroupBindings needed for ALB target group verification
+{{- end }}
+{{- if .Values.enabledProviders.awsLoadBalancerController }}
+# Endpoints and TargetGroupBindings needed for ALB target group verification when using AWS Load Balancer Controller
 - apiGroups:
  - ""
  resources:
@ -202,6 +212,8 @@ rules:
  verbs:
  - list
  - get
+{{- end }}
+{{- if .Values.enabledProviders.awsAppMesh }}
 # AppMesh virtualservices/virtualrouter CRD read-only access needed for using the App Mesh provider
 - apiGroups:
  - appmesh.k8s.aws
@ -224,3 +236,15 @@ rules:
  - update
  - patch
 {{- end }}
+{{- if .Values.enabledProviders.traefik }}
+# Traefik access needed when using the Traefik provider
+- apiGroups:
+  - traefik.containo.us
+  resources:
+  - traefikservices
+  verbs:
+  - watch
+  - get
+  - update
+{{- end }}
+{{- end }}
--- a/charts/argo-rollouts/templates/controller/role.yaml
+++ b/charts/argo-rollouts/templates/controller/role.yaml
@ -56,7 +56,19 @@ rules:
  - update
  - patch
  - delete
+# deployments and podtemplates read access needed for workload reference support
+- apiGroups:
+  - ""
+  - apps
+  resources:
+  - deployments
+  - podtemplates
+  verbs:
+  - get
+  - list
+  - watch
 # services patch needed to update selector of canary/stable/active/preview services
+# services create needed to create and delete services for experiments
 - apiGroups:
  - ""
  resources:
@ -66,7 +78,19 @@ rules:
  - list
  - watch
  - patch
-# secret access to run analysis templates which reference secrets
+  - create
+  - delete
+# leases create/get/update needed for leader election
+- apiGroups:
+  - coordination.k8s.io
+  resources:
+  - leases
+  verbs:
+  - create
+  - get
+  - update
+# secret read access to run analysis templates which reference secrets
+# secret write access to allow init containers to manipulate secrets
 # configmap access to read notification-engine configuration
 - apiGroups:
  - ""
@ -88,6 +112,7 @@ rules:
  verbs:
  - list
  - update
+  - watch
 # pods eviction needed for restart
 - apiGroups:
  - ""
@ -129,16 +154,21 @@ rules:
  - update
  - patch
  - delete
-# virtualservice access needed for using the Istio provider
+{{- if .Values.enabledProviders.istio }}
+# virtualservice/destinationrule access needed for using the Istio provider
 - apiGroups:
  - networking.istio.io
  resources:
  - virtualservices
+  - destinationrules
  verbs:
  - watch
  - get
  - update
+  - patch
  - list
+{{- end }}
+{{- if .Values.enabledProviders.smi }}
 # trafficsplit access needed for using the SMI provider
 - apiGroups:
  - split.smi-spec.io
@ -151,3 +181,70 @@ rules:
  - update
  - patch
 {{- end }}
+{{- if .Values.enabledProviders.ambassador }}
+# ambassador access needed for Ambassador provider
+- apiGroups:
+  - getambassador.io
+  - x.getambassador.io
+  resources:
+  - mappings
+  - ambassadormappings
+  verbs:
+  - create
+  - watch
+  - get
+  - update
+  - list
+  - delete
+{{- end }}
+{{- if .Values.enabledProviders.awsLoadBalancerController }}
+# Endpoints and TargetGroupBindings needed for ALB target group verification when using AWS Load Balancer Controller
+- apiGroups:
+  - ""
+  resources:
+  - endpoints
+  verbs:
+  - get
+- apiGroups:
+  - elbv2.k8s.aws
+  resources:
+  - targetgroupbindings
+  verbs:
+  - list
+  - get
+{{- end }}
+{{- if .Values.enabledProviders.awsAppMesh }}
+# AppMesh virtualservices/virtualrouter CRD read-only access needed for using the App Mesh provider
+- apiGroups:
+  - appmesh.k8s.aws
+  resources:
+  - virtualservices
+  verbs:
+  - watch
+  - get
+  - list
+# AppMesh virtualnode CRD r/w access needed for using the App Mesh provider
+- apiGroups:
+  - appmesh.k8s.aws
+  resources:
+  - virtualnodes
+  - virtualrouters
+  verbs:
+  - watch
+  - get
+  - list
+  - update
+  - patch
+{{- end }}
+{{- if .Values.enabledProviders.traefik }}
+# Traefik access needed when using the Traefik provider
+- apiGroups:
+  - traefik.containo.us
+  resources:
+  - traefikservices
+  verbs:
+  - watch
+  - get
+  - update
+{{- end }}
+{{- end }}
--- a/charts/argo-rollouts/values.yaml
+++ b/charts/argo-rollouts/values.yaml
@ -190,6 +190,21 @@ podLabels: {}
 imagePullSecrets: []
 # - name: argo-pull-secret

+## Adds provider-specific RBAC permissions to the controller role and cluster role
+enabledProviders:
+  # -- Adds RBAC for the Istio provider
+  istio: true
+  # -- Adds RBAC for the SMI provider
+  smi: true
+  # -- Adds RBAC for the Ambassador provider
+  ambassador: true
+  # -- Adds RBAC for the AWS Load Balancer Controller provider
+  awsLoadBalancerController: true
+  # -- Adds RBAC for the AWS App Mesh provider
+  awsAppMesh: true
+  # -- Adds RBAC for the Traefik provider
+  traefik: true
+
 dashboard:
  # -- Deploy dashboard server
  enabled: false