feat: add harvester/rancher integration rbac chart

[ihcsim]

This PR introduces the harvester-rbac Helm chart. The chart contains the RoleTemplate RBAC resources described in HEP: Introduce Harvester/Rancher Integration RBAC Roles. These roles are assigned to Rancher users to govern cluster-scoped vs. project-scoped permissions and read-only vs. read-write permissions on Harvester resources.

The chart provides values configuration to allow users to add additional rules to the roles.

Related Issue(s):

harvester/harvester#7909

Test Plan

The test plans to validate the enforcement of the role permissions are laid out in the HEP.

The test steps described in this PR are limited to the correct installation of the chart and its configuration.

To install the chart from local path to Rancher 2.13:

helm upgrade --install harvester-rbac .

To verify that the resources are installed correctly:

$ kubectl get roletemplates -l "app.kubernetes.io/name=harvester-rbac" 

NAME                  AGE
virt-cluster-manage   8s
virt-project-manage   8s
virt-project-view     8s
virt-view-cluster     8s

To add additional rules to the roles, update the additionalRules sections in the values.yaml and then install/upgrade the chart again.

Verify that the additional rules are included in the RoleTemplates resources:

kubectl get roletemplates -l "app.kubernetes.io/name=harvester-rbac" -ojsonpath='{.items[*].rules}' | jq .

[Copilot]

Pull request overview

This PR introduces a new Helm chart harvester-rbac that provides RBAC role templates for Harvester/Rancher integration. The chart creates four RoleTemplate resources that segregate permissions based on scope (cluster vs. project) and access level (view vs. manage). It supports customization through values configuration to allow users to add additional RBAC rules.

Changes:

• Added new Helm chart structure with Chart.yaml, values.yaml, .helmignore, and template files
• Created four RoleTemplate resources: virt-cluster-manage, virt-cluster-view, virt-project-manage, and virt-project-view
• Implemented support for extending roles with additional rules via values configuration

Reviewed changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated 7 comments.

Show a summary per file

File	Description
charts/harvester-rbac/Chart.yaml	Defines chart metadata, version info, and Rancher-specific annotations
charts/harvester-rbac/values.yaml	Provides configuration structure for adding custom RBAC rules to each role
charts/harvester-rbac/.helmignore	Standard Helm ignore patterns for package building
charts/harvester-rbac/templates/_helpers.tpl	Common Helm template helpers for labels and naming
charts/harvester-rbac/templates/NOTES.txt	Post-installation notes for users
charts/harvester-rbac/templates/virt-cluster-manage.yaml	Cluster-scoped management role with full access to Harvester resources
charts/harvester-rbac/templates/virt-cluster-view.yaml	Cluster-scoped view role with read-only access
charts/harvester-rbac/templates/virt-project-manage.yaml	Project-scoped management role for load balancer resources
charts/harvester-rbac/templates/virt-project-view.yaml	Project-scoped view role for load balancer resources

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[ihcsim]

create is needed for UI to load the settings page. Since we have a list of UI items to check, I didn't bother investigating further at this time.

[w13915984028]

Some questions, thanks.

[w13915984028]

LGTM, thanks.

[Vicente-Cheng]

lgtm, thanks!

[ihcsim]

@mergify backport v1.8

[mergify]

backport v1.8

❌ No backport have been created

Details

• Backport to branch v1.8 failed

GitHub error: Branch not found

[ihcsim]

@mergify backport release-v1.8

[mergify]

backport release-v1.8

✅ Backports have been created

Details

• #487 feat: add harvester/rancher integration rbac chart (backport #475) has been created for branch release-v1.8