Add optional clusterRole and clusterRoleBinding (#71)

jessebot · github-actions[bot] · web-flow · commit c07f0dbaedf0 · 2025-08-16T18:44:54.000+02:00
* add cluster role and cluster role binding for the new configreloader

* add comments about clusterroles

* helm-docs: automated action

---------

Co-authored-by: github-actions[bot] &lt;github-actions[bot]@users.noreply.github.com&gt;
diff --git a/charts/appset-secret-plugin/Chart.yaml b/charts/appset-secret-plugin/Chart.yaml
@@ -6,7 +6,7 @@ description: A Helm chart for adding a K8s Secret Plugin Generator to Argo CD Ap
 # to be deployed.
 type: application
 
-version: 1.0.2
+version: 1.1.0
 
 # renovate: image=jessebot/argocd-appset-secret-plugin
 appVersion: "v0.8.1"
diff --git a/charts/appset-secret-plugin/README.md b/charts/appset-secret-plugin/README.md
@@ -1,6 +1,6 @@
 # appset-secret-plugin
 
-![Version: 1.0.2](https://img.shields.io/badge/Version-1.0.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.8.1](https://img.shields.io/badge/AppVersion-v0.8.1-informational?style=flat-square)
+![Version: 1.1.0](https://img.shields.io/badge/Version-1.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.8.1](https://img.shields.io/badge/AppVersion-v0.8.1-informational?style=flat-square)
 
 A Helm chart for adding a K8s Secret Plugin Generator to Argo CD ApplicationSets
 
@@ -21,7 +21,7 @@ A Helm chart for adding a K8s Secret Plugin Generator to Argo CD ApplicationSets
 | autoscaling.targetCPUUtilizationPercentage | int | `80` |  |
 | configReloader.folder | string | `"/var/run/secret-plugin"` | full path on container to put secret file |
 | configReloader.image.pullPolicy | string | `"IfNotPresent"` | image pullPolicy for the main container |
-| configReloader.image.repository | string | `"quay.io/kiwigrid/k8s-sidecar"` | registry and repo for the configreloader image |
+| configReloader.image.repository | string | `"quay.io/kiwigrid/k8s-sidecar"` | registry and repo for the configreloader image defaults to https://github.com/kiwigrid/k8s-sidecar |
 | configReloader.image.tag | string | `"1.30.9"` | tag to point at for k8s-sidecar |
 | configReloader.interval | int | `10` | interval to wait before retrying a check for changes (in seconds) |
 | configReloader.label | string | `"argocd-appset-secret-plugin"` | the label to check for on the Secret (secretVars.existingSecret) |
@@ -36,6 +36,8 @@ A Helm chart for adding a K8s Secret Plugin Generator to Argo CD ApplicationSets
 | nodeSelector | object | `{}` | deploy chart to a specific k8s node |
 | podAnnotations | object | `{}` | any additional annotations you'd like the pod to have |
 | podSecurityContext | object | `{}` | securityContext for the pod: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ |
+| rbac.create | bool | `true` | create rbac clusterole and clusterolebinding |
+| rbac.useExistingClusterRole | string | `""` | use existing clusterole, but still create clusterrolebinding |
 | replicaCount | int | `1` | number of replica pods to create |
 | resources | object | `{}` |  |
 | secretVars.existingSecret | string | `""` | name of an existing secret to use for the secret keys to provide to applicationSets via the plugin generator |
diff --git a/charts/appset-secret-plugin/templates/clusterrole.yaml b/charts/appset-secret-plugin/templates/clusterrole.yaml
@@ -0,0 +1,16 @@
+{{- if and .Values.rbac.create (not .Values.rbac.useExistingClusterRole) }}
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  labels:
+    {{- include "argocd-appset-secret-plugin.labels" . | nindent 4 }}
+  {{- with .Values.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  name: {{ include "argocd-appset-secret-plugin.fullname" . }}-clusterrole
+rules:
+  - apiGroups: [""] # "" indicates the core API group
+    resources: ["secrets"]
+    verbs: ["get", "watch", "list"]
+{{- end}}
diff --git a/charts/appset-secret-plugin/templates/clusterrolebinding.yaml b/charts/appset-secret-plugin/templates/clusterrolebinding.yaml
@@ -0,0 +1,24 @@
+{{- if .Values.rbac.create }}
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "argocd-appset-secret-plugin.fullname" . }}-clusterrolebinding
+  labels:
+    {{- include "argocd-appset-secret-plugin.labels" . | nindent 4 }}
+  {{- with .Values.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "argocd-appset-secret-plugin.serviceAccountName" . }}
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  {{- if .Values.rbac.useExistingClusterRole }}
+  name: {{ .Values.rbac.useExistingClusterRole }}
+  {{- else }}
+  name: {{ include "argocd-appset-secret-plugin.fullname" . }}-clusterrole
+  {{- end }}
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}
diff --git a/charts/appset-secret-plugin/values.yaml b/charts/appset-secret-plugin/values.yaml
@@ -108,6 +108,13 @@ autoscaling:
   targetCPUUtilizationPercentage: 80
   # targetMemoryUtilizationPercentage: 80
 
+# rbac rules needed to run the above configReloader
+rbac:
+  # -- create rbac clusterole and clusterolebinding
+  create: true
+  # -- use existing clusterole, but still create clusterrolebinding
+  useExistingClusterRole: ""
+
 # -- deploy chart to a specific k8s node
 nodeSelector: {}
 
