feat: add harvester/rancher integration rbac chart (#475)

Signed-off-by: Ivan Sim <ivan.sim@suse.com>

Author: ihcsim

charts/harvester-rbac/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

charts/harvester-rbac/Chart.yaml

@@ -0,0 +1,37 @@
+apiVersion: v2
+name: harvester-rbac
+description: A Helm chart for Harvester/Rancher integration RBAC
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.0.1-dev
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: v0.1.0
+
+maintainers:
+  - name: harvester
+
+annotations:
+  catalog.cattle.io/certified: rancher
+  catalog.cattle.io/display-name: Harvester RBAC
+  catalog.cattle.io/kube-version: ">= 1.31.0-0"
+  catalog.cattle.io/rancher-version: ">= 2.13.0-0"
+  catalog.cattle.io/release-name: harvester-rbac
+  catalog.cattle.io/ui-component: harvester-rbac
+
+kubeVersion: ">=1.31.0-0"

charts/harvester-rbac/templates/NOTES.txt

@@ -0,0 +1,10 @@
+The following Harvester/Rancher integration RBAC role template resources have been installed:
+
+* Manage Virtualization Resources (cluster scope)
+* View Virtualization Resources (cluster scope)
+* Manage Virtualization Resources (namespaced scope)
+* View Virtualization Resources (namespaced scope)
+
+They can be found in the "Cluster" and "Project/Namespace" sections of the "Role Template" page.
+
+For more information, see https://docs.harvesterhci.io/latest/rancher/rancher-rbac

charts/harvester-rbac/templates/_helpers.tpl

@@ -0,0 +1,51 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "harvester-rbac.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "harvester-rbac.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "harvester-rbac.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "harvester-rbac.labels" -}}
+helm.sh/chart: {{ include "harvester-rbac.chart" . }}
+{{ include "harvester-rbac.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "harvester-rbac.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "harvester-rbac.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}

charts/harvester-rbac/templates/virt-cluster-manage.yaml

@@ -0,0 +1,61 @@
+apiVersion: management.cattle.io/v3
+builtin: false
+context: cluster
+description: Provides management access to all resources in Harvester
+displayName: Manage Virtualization Resources
+external: false
+hidden: false
+kind: RoleTemplate
+metadata:
+  labels:
+  {{- include "harvester-rbac.labels" . | nindent 4 }}
+  name: virt-cluster-manage
+roleTemplateNames:
+  - monitoring-ui-view
+  - cluster-member
+  - storage-manage
+  - nodes-manage
+  - projects-view
+  - edit
+  - projectroletemplatebindings-manage
+  - project-member
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - namespaces
+    verbs:
+      - "*"
+  - apiGroups:
+      - loadbalancer.harvesterhci.io
+    resources:
+      - "*"
+    verbs:
+      - "*"
+  - apiGroups:
+      - network.harvesterhci.io
+    resources:
+      - "*"
+    verbs:
+      - "*"
+  - apiGroups:
+      - node.harvesterhci.io
+    resources:
+      - "*"
+    verbs:
+      - "*"
+  - apiGroups:
+      - devices.harvesterhci.io
+    resources:
+      - "*"
+    verbs:
+      - "*"
+  - apiGroups:
+      - harvesterhci.io
+    resources:
+      - "*"
+    verbs:
+      - "*"
+  {{- with .Values.clusterRole.virtClusterManage.additionalRules }}
+  {{- toYaml . | nindent 2 }}
+  {{- end }}

charts/harvester-rbac/templates/virt-cluster-view.yaml

@@ -0,0 +1,76 @@
+apiVersion: management.cattle.io/v3
+builtin: false
+context: cluster
+description: Provides view-only access to all resources in Harvester
+displayName: View Virtualization Resources
+external: false
+hidden: false
+kind: RoleTemplate
+metadata:
+  labels:
+  {{- include "harvester-rbac.labels" . | nindent 4 }}
+  name: virt-view-cluster
+roleTemplateNames:
+  - projects-view
+  - monitoring-ui-view
+  - clusterroletemplatebindings-view
+  - nodes-view
+rules:
+  - apiGroups:
+      - harvesterhci.io
+    resources:
+      - supportbundles
+    verbs:
+      - "*"
+  - apiGroups:
+      - network.harvesterhci.io
+    resources:
+      - "*"
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - loadbalancer.harvesterhci.io
+    resources:
+      - "*"
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - devices.harvesterhci.io
+    resources:
+      - "*"
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - node.harvesterhci.io
+    resources:
+      - "*"
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - harvesterhci.io
+    resources:
+      - "*"
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - harvesterhci.io
+    resources:
+      - settings
+    verbs:
+      - get
+      - list
+      - watch
+      - create
+  {{- with .Values.clusterRole.virtClusterView.additionalRules }}
+  {{- toYaml . | nindent 2 }}
+  {{- end }}

charts/harvester-rbac/templates/virt-project-manage.yaml

@@ -0,0 +1,25 @@
+apiVersion: management.cattle.io/v3
+builtin: false
+context: project
+description: Provides management access to projects in Harvester
+displayName: Manage Virtualization Resources
+external: false
+hidden: false
+kind: RoleTemplate
+metadata:
+  labels:
+  {{- include "harvester-rbac.labels" . | nindent 4 }}
+  name: virt-project-manage
+roleTemplateNames:
+  - project-member
+  - monitoring-ui-view
+rules:
+  - apiGroups:
+      - loadbalancer.harvesterhci.io
+    resources:
+      - "*"
+    verbs:
+      - "*"
+  {{- with .Values.projectRole.virtProjectManage.additionalRules }}
+  {{- toYaml . | nindent 2 }}
+  {{- end }}

charts/harvester-rbac/templates/virt-project-view.yaml

@@ -0,0 +1,26 @@
+apiVersion: management.cattle.io/v3
+builtin: false
+context: project
+displayName: View Virtualization Resources
+external: false
+hidden: false
+kind: RoleTemplate
+metadata:
+  labels:
+  {{- include "harvester-rbac.labels" . | nindent 4 }}
+  name: virt-project-view
+roleTemplateNames:
+  - read-only
+  - monitoring-ui-view
+rules:
+  - apiGroups:
+      - loadbalancer.harvesterhci.io
+    resources:
+      - "*"
+    verbs:
+      - get
+      - list
+      - watch
+  {{- with .Values.projectRole.virtProjectView.additionalRules }}
+  {{- toYaml . | nindent 2 }}
+  {{- end }}

charts/harvester-rbac/values.yaml

@@ -0,0 +1,27 @@
+# Default values for harvester-rbac.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+clusterRole:
+  virtClusterManage:
+    additionalRules:
+      # - apiGroups: [""]
+      #   resources: [""]
+      #   verbs: [""]
+  virtClusterView:
+    additionalRules:
+      # - apiGroups: [""]
+      #   resources: [""]
+      #   verbs: [""]
+
+projectRole:
+  virtProjectManage:
+    additionalRules:
+      # - apiGroups: [""]
+      #   resources: [""]
+      #   verbs: [""]
+  virtProjectView:
+    additionalRules:
+      # - apiGroups: [""]
+      #   resources: [""]
+      #   verbs: [""]