feat(argo-rollouts): Added flags to toggle provider-specific RBAC (argoproj#1777)

* Toggle for provider-specific RBAC + Added missing RBAC rules

Signed-off-by: Richard Johansson <[email protected]>

* Updated docs with new Helm values

Signed-off-by: Richard Johansson <[email protected]>

* Added a general flag providerRBAC.enabled to toggle all of the providers

Signed-off-by: Richard Johansson <[email protected]>

* Aligned with main

Signed-off-by: Richard Johansson <[email protected]>

* Corrected inline comments

Signed-off-by: Richard Johansson <[email protected]>

* Fixed incorrect inline comments

Signed-off-by: Richard Johansson <[email protected]>

Signed-off-by: Richard Johansson <[email protected]>

Author: illrill

charts/argo-rollouts/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 appVersion: v1.4.0
 description: A Helm chart for Argo Rollouts
 name: argo-rollouts
-version: 2.22.0
+version: 2.22.1
 home: https://github.com/argoproj/argo-helm
 icon: https://argoproj.github.io/argo-rollouts/assets/logo.png
 keywords:
@@ -15,4 +15,4 @@ maintainers:
     url: https://argoproj.github.io/
 annotations:
   artifacthub.io/changes: |
-    - "[Changed]: Upgrade ArgoRollouts to v1.4.0"
+    - "[Added]: Flags to toggle provider-specific RBAC rules in Role and ClusterRole"

charts/argo-rollouts/README.md

@@ -55,6 +55,14 @@ If dashboard is installed by `--set dashboard.enabled=true`, checkout the argo-r
 | notifications.secret.items | object | `{}` | Generic key:value pairs to be inserted into the notifications secret |
 | notifications.templates | object | `{}` | Notification templates |
 | notifications.triggers | object | `{}` | The trigger defines the condition when the notification should be sent |
+| providerRBAC.enabled | bool | `true` | Toggles addition of provider-specific RBAC rules to the controller Role and ClusterRole |
+| providerRBAC.providers.ambassador | bool | `true` | Adds RBAC rules for the Ambassador provider |
+| providerRBAC.providers.apisix | bool | `true` | Adds RBAC rules for the Apisix provider |
+| providerRBAC.providers.awsAppMesh | bool | `true` | Adds RBAC rules for the AWS App Mesh provider |
+| providerRBAC.providers.awsLoadBalancerController | bool | `true` | Adds RBAC rules for the AWS Load Balancer Controller provider |
+| providerRBAC.providers.istio | bool | `true` | Adds RBAC rules for the Istio provider |
+| providerRBAC.providers.smi | bool | `true` | Adds RBAC rules for the SMI provider |
+| providerRBAC.providers.traefik | bool | `true` | Adds RBAC rules for the Traefik provider |
 
 ### Controller
 

charts/argo-rollouts/templates/controller/clusterrole.yaml

@@ -149,6 +149,8 @@ rules:
   - update
   - patch
   - delete
+{{- if .Values.providerRBAC.enabled }}
+{{- if .Values.providerRBAC.providers.istio }}
 # virtualservice/destinationrule access needed for using the Istio provider
 - apiGroups:
   - networking.istio.io
@@ -161,6 +163,8 @@ rules:
   - update
   - patch
   - list
+{{- end }}
+{{- if .Values.providerRBAC.providers.smi }}
 # trafficsplit access needed for using the SMI provider
 - apiGroups:
   - split.smi-spec.io
@@ -172,6 +176,8 @@ rules:
   - get
   - update
   - patch
+{{- end }}
+{{- if .Values.providerRBAC.providers.ambassador }}
 # ambassador access needed for Ambassador provider
 - apiGroups:
   - getambassador.io
@@ -186,7 +192,9 @@ rules:
   - update
   - list
   - delete
-# Endpoints and TargetGroupBindings needed for ALB target group verification
+{{- end }}
+{{- if .Values.providerRBAC.providers.awsLoadBalancerController }}
+# Endpoints and TargetGroupBindings needed for ALB target group verification when using AWS Load Balancer Controller
 - apiGroups:
   - ""
   resources:
@@ -200,6 +208,8 @@ rules:
   verbs:
   - list
   - get
+{{- end }}
+{{- if .Values.providerRBAC.providers.awsAppMesh }}
 # AppMesh virtualservices/virtualrouter CRD read-only access needed for using the App Mesh provider
 - apiGroups:
   - appmesh.k8s.aws
@@ -221,6 +231,9 @@ rules:
   - list
   - update
   - patch
+{{- end }}
+{{- if .Values.providerRBAC.providers.traefik }}
+# Traefik access needed when using the Traefik provider
 - apiGroups:
   - traefik.containo.us
   resources:
@@ -229,6 +242,9 @@ rules:
   - watch
   - get
   - update
+{{- end }}
+{{- if .Values.providerRBAC.providers.apisix }}
+# Access needed when using the Apisix provider
 - apiGroups:
   - apisix.apache.org
   resources:
@@ -238,3 +254,5 @@ rules:
   - get
   - update
 {{- end }}
+{{- end }}
+{{- end }}

charts/argo-rollouts/templates/controller/role.yaml

@@ -149,6 +149,8 @@ rules:
   - update
   - patch
   - delete
+{{- if .Values.providerRBAC.enabled }}
+{{- if .Values.providerRBAC.providers.istio }}
 # virtualservice/destinationrule access needed for using the Istio provider
 - apiGroups:
   - networking.istio.io
@@ -161,6 +163,8 @@ rules:
   - update
   - patch
   - list
+{{- end }}
+{{- if .Values.providerRBAC.providers.smi }}
 # trafficsplit access needed for using the SMI provider
 - apiGroups:
   - split.smi-spec.io
@@ -172,6 +176,8 @@ rules:
   - get
   - update
   - patch
+{{- end }}
+{{- if .Values.providerRBAC.providers.ambassador }}
 # ambassador access needed for Ambassador provider
 - apiGroups:
   - getambassador.io
@@ -186,7 +192,9 @@ rules:
   - update
   - list
   - delete
-# Endpoints and TargetGroupBindings needed for ALB target group verification
+{{- end }}
+{{- if .Values.providerRBAC.providers.awsLoadBalancerController }}
+# Endpoints and TargetGroupBindings needed for ALB target group verification when using AWS Load Balancer Controller
 - apiGroups:
   - ""
   resources:
@@ -200,6 +208,8 @@ rules:
   verbs:
   - list
   - get
+{{- end }}
+{{- if .Values.providerRBAC.providers.awsAppMesh }}
 # AppMesh virtualservices/virtualrouter CRD read-only access needed for using the App Mesh provider
 - apiGroups:
   - appmesh.k8s.aws
@@ -221,6 +231,9 @@ rules:
   - list
   - update
   - patch
+{{- end }}
+{{- if .Values.providerRBAC.providers.traefik }}
+# Traefik access needed when using the Traefik provider
 - apiGroups:
   - traefik.containo.us
   resources:
@@ -229,6 +242,9 @@ rules:
   - watch
   - get
   - update
+{{- end }}
+{{- if .Values.providerRBAC.providers.apisix }}
+# Access needed when using the Apisix provider
 - apiGroups:
   - apisix.apache.org
   resources:
@@ -238,3 +254,5 @@ rules:
   - get
   - update
 {{- end }}
+{{- end }}
+{{- end }}

charts/argo-rollouts/values.yaml

@@ -190,6 +190,26 @@ podLabels: {}
 imagePullSecrets: []
 # - name: argo-pull-secret
 
+providerRBAC:
+  # -- Toggles addition of provider-specific RBAC rules to the controller Role and ClusterRole
+  enabled: true
+  # providerRBAC.enabled must be true in order to toggle the individual providers
+  providers:
+    # -- Adds RBAC rules for the Istio provider
+    istio: true
+    # -- Adds RBAC rules for the SMI provider
+    smi: true
+    # -- Adds RBAC rules for the Ambassador provider
+    ambassador: true
+    # -- Adds RBAC rules for the AWS Load Balancer Controller provider
+    awsLoadBalancerController: true
+    # -- Adds RBAC rules for the AWS App Mesh provider
+    awsAppMesh: true
+    # -- Adds RBAC rules for the Traefik provider
+    traefik: true
+    # -- Adds RBAC rules for the Apisix provider
+    apisix: true
+
 dashboard:
   # -- Deploy dashboard server
   enabled: false