fix: restore missing RBAC Role, cert-manager, and metrics templates

ian-flores · ian-flores · commit 7ba83bf1ccfa · 2026-02-19T12:39:44.000-08:00
Address review findings from helm/v2-alpha migration:

- Add namespace-scoped Role with all operator permissions to
  manager-role.yaml (was dropped by v2-alpha plugin)
- Fix volumeMounts placement in manager.yaml (was incorrectly
  nested inside securityContext else branch)
- Restore cert-manager Issuer and Certificate templates for
  webhook and metrics TLS
- Restore metrics Service template for Prometheus scraping
- Improve post-generate script robustness for volumeMounts
  insertion
diff --git a/dist/chart/templates/certmanager/certificate.yaml b/dist/chart/templates/certmanager/certificate.yaml
@@ -0,0 +1,68 @@
+{{- if .Values.certManager.enable }}
+# Self-signed Issuer
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  labels:
+    app.kubernetes.io/component: certmanager
+    app.kubernetes.io/created-by: team-operator
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    app.kubernetes.io/part-of: team-operator
+  name: {{ include "team-operator.resourceName" (dict "suffix" "selfsigned-issuer" "context" $) }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  selfSigned: {}
+---
+# Certificate for the webhook
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  annotations:
+    {{- if .Values.crd.keep }}
+    "helm.sh/resource-policy": keep
+    {{- end }}
+  labels:
+    app.kubernetes.io/component: certmanager
+    app.kubernetes.io/created-by: team-operator
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    app.kubernetes.io/part-of: team-operator
+  name: {{ include "team-operator.resourceName" (dict "suffix" "serving-cert" "context" $) }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  dnsNames:
+    - {{ include "team-operator.resourceName" (dict "suffix" "webhook-service" "context" $) }}.{{ .Release.Namespace }}.svc
+    - {{ include "team-operator.resourceName" (dict "suffix" "webhook-service" "context" $) }}.{{ .Release.Namespace }}.svc.cluster.local
+  issuerRef:
+    kind: Issuer
+    name: {{ include "team-operator.resourceName" (dict "suffix" "selfsigned-issuer" "context" $) }}
+  secretName: {{ include "team-operator.resourceName" (dict "suffix" "webhook-server-cert" "context" $) }}
+{{- if .Values.metrics.enable }}
+---
+# Certificate for the metrics
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  annotations:
+    {{- if .Values.crd.keep }}
+    "helm.sh/resource-policy": keep
+    {{- end }}
+  labels:
+    app.kubernetes.io/component: certmanager
+    app.kubernetes.io/created-by: team-operator
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    app.kubernetes.io/part-of: team-operator
+  name: {{ include "team-operator.resourceName" (dict "suffix" "metrics-certs" "context" $) }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  dnsNames:
+    - {{ include "team-operator.resourceName" (dict "suffix" "metrics-service" "context" $) }}.{{ .Release.Namespace }}.svc
+    - {{ include "team-operator.resourceName" (dict "suffix" "metrics-service" "context" $) }}.{{ .Release.Namespace }}.svc.cluster.local
+  issuerRef:
+    kind: Issuer
+    name: {{ include "team-operator.resourceName" (dict "suffix" "selfsigned-issuer" "context" $) }}
+  secretName: {{ include "team-operator.resourceName" (dict "suffix" "metrics-server-cert" "context" $) }}
+{{- end }}
+{{- end }}
diff --git a/dist/chart/templates/manager/manager.yaml b/dist/chart/templates/manager/manager.yaml
@@ -82,13 +82,13 @@ spec:
                     {{- toYaml .Values.manager.securityContext | nindent 20 }}
                     {{- else }}
                     {}
+                    {{- end }}
                   {{- if .Values.certManager.enable }}
                   volumeMounts:
                     - mountPath: /tmp/k8s-webhook-server/serving-certs
                       name: cert
                       readOnly: true
                   {{- end }}
-                    {{- end }}
             securityContext:
               {{- if .Values.manager.podSecurityContext }}
               {{- toYaml .Values.manager.podSecurityContext | nindent 14 }}
diff --git a/dist/chart/templates/metrics/metrics-service.yaml b/dist/chart/templates/metrics/metrics-service.yaml
@@ -0,0 +1,22 @@
+{{- if .Values.metrics.enable }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "team-operator.resourceName" (dict "suffix" "metrics-service" "context" $) }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/component: metrics
+    app.kubernetes.io/created-by: team-operator
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    app.kubernetes.io/part-of: team-operator
+    control-plane: controller-manager
+spec:
+  ports:
+    - port: {{ .Values.metrics.port }}
+      targetPort: {{ .Values.metrics.port }}
+      protocol: TCP
+      name: https
+  selector:
+    control-plane: controller-manager
+{{- end }}
diff --git a/dist/chart/templates/rbac/manager-role.yaml b/dist/chart/templates/rbac/manager-role.yaml
@@ -15,3 +15,203 @@ rules:
         - patch
         - update
         - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+    labels:
+        app.kubernetes.io/component: rbac
+        app.kubernetes.io/created-by: team-operator
+        app.kubernetes.io/instance: manager-role
+        app.kubernetes.io/managed-by: {{ .Release.Service }}
+        app.kubernetes.io/name: role
+        helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+        app.kubernetes.io/part-of: team-operator
+    name: {{ include "team-operator.resourceName" (dict "suffix" "manager-role" "context" $) }}
+    namespace: {{ .Values.watchNamespace }}
+rules:
+    - apiGroups:
+        - ""
+      resources:
+        - configmaps
+        - persistentvolumeclaims
+        - pods
+        - pods/attach
+        - pods/exec
+        - secrets
+        - serviceaccounts
+        - services
+      verbs:
+        - create
+        - delete
+        - get
+        - list
+        - patch
+        - update
+        - watch
+    - apiGroups:
+        - ""
+      resources:
+        - events
+      verbs:
+        - watch
+    - apiGroups:
+        - ""
+      resources:
+        - pods/log
+      verbs:
+        - get
+        - list
+        - watch
+    - apiGroups:
+        - apps
+      resources:
+        - daemonsets
+        - deployments
+        - statefulsets
+      verbs:
+        - create
+        - delete
+        - get
+        - list
+        - patch
+        - update
+        - watch
+    - apiGroups:
+        - batch
+      resources:
+        - jobs
+      verbs:
+        - create
+        - delete
+        - get
+        - list
+        - patch
+        - update
+        - watch
+    - apiGroups:
+        - core.posit.team
+      resources:
+        - chronicles
+        - connects
+        - flightdecks
+        - packagemanagers
+        - postgresdatabases
+        - sites
+        - workbenches
+      verbs:
+        - create
+        - delete
+        - get
+        - list
+        - patch
+        - update
+        - watch
+    - apiGroups:
+        - core.posit.team
+      resources:
+        - chronicles/finalizers
+        - connects/finalizers
+        - flightdecks/finalizers
+        - packagemanagers/finalizers
+        - postgresdatabases/finalizers
+        - sites/finalizers
+        - workbenches/finalizers
+      verbs:
+        - update
+    - apiGroups:
+        - core.posit.team
+      resources:
+        - chronicles/status
+        - connects/status
+        - flightdecks/status
+        - packagemanagers/status
+        - postgresdatabases/status
+        - sites/status
+        - workbenches/status
+      verbs:
+        - get
+        - patch
+        - update
+    - apiGroups:
+        - k8s.keycloak.org
+      resources:
+        - keycloakrealmimports
+        - keycloaks
+      verbs:
+        - create
+        - delete
+        - get
+        - list
+        - patch
+        - update
+        - watch
+    - apiGroups:
+        - metrics.k8s.io
+      resources:
+        - pods
+      verbs:
+        - get
+    - apiGroups:
+        - networking.k8s.io
+      resources:
+        - ingresses
+        - networkpolicies
+      verbs:
+        - create
+        - delete
+        - get
+        - list
+        - patch
+        - update
+        - watch
+    - apiGroups:
+        - policy
+      resources:
+        - poddisruptionbudgets
+      verbs:
+        - create
+        - delete
+        - get
+        - list
+        - patch
+        - update
+        - watch
+    - apiGroups:
+        - rbac.authorization.k8s.io
+      resources:
+        - rolebindings
+        - roles
+      verbs:
+        - create
+        - delete
+        - get
+        - list
+        - patch
+        - update
+        - watch
+    - apiGroups:
+        - secrets-store.csi.x-k8s.io
+      resources:
+        - secretproviderclasses
+        - secretsproviderclass
+      verbs:
+        - create
+        - delete
+        - get
+        - list
+        - patch
+        - update
+        - watch
+    - apiGroups:
+        - traefik.io
+      resources:
+        - middlewares
+      verbs:
+        - create
+        - delete
+        - get
+        - list
+        - patch
+        - update
+        - watch
diff --git a/hack/helm-post-generate.sh b/hack/helm-post-generate.sh
