Set up controller-gen to generate the RBAC config in the Helm chart

Author: tomasaschan

helm/.helmignore

@@ -21,3 +21,5 @@
 .idea/
 *.tmproj
 .vscode/
+# helper scripts
+helmify.sh

helm/helmify.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+
+# This script is used to tweak manifests generated by controller-gen to make them
+# compatible with the rest of the chart.
+#
+# It is not intended to be run directly, but is invoked when running `go generate ./...`
+
+here=$(realpath "$(dirname "$0")")
+
+# this mv is a hack; it will no longer be necessary once controller-gen supports
+# specifying the filename; see https://github.com/kubernetes-sigs/controller-tools/pull/1169
+mv "$here"/templates/role.yaml "$here"/templates/controller.static.rbac.yaml
+printf "%s\n%s\n%s\n" \
+    '{{- if eq .Values.rbac.mode "aggregation" }}' \
+    "$(sed -E "s/name: kro:(.*)/name: '{{ include \"kro.fullname\" . }}:\1'/" "$here"/templates/controller.static.rbac.yaml)" \
+    '{{- end }}' > temp && mv temp "$here"/templates/controller.static.rbac.yaml

helm/templates/cluster-role.yaml renamed to helm/templates/controller.rbac.yaml

@@ -31,53 +31,4 @@ aggregationRule:
   clusterRoleSelectors:
     - matchLabels:
         'rbac.kro.run/aggregate-to-controller': "true"
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  annotations:
-    kubernetes.io/description: |
-      This ClusterRole grants access for the kro controller to resources it always needs access to.
-  labels:
-    {{- include "kro.labels" . | nindent 4 }}
-    rbac.kro.run/aggregate-to-controller: "true"
-  name: {{ include "kro.fullname" . }}:controller:static
-rules:
-- apiGroups:
-  - kro.run
-  resources:
-  - resourcegraphdefinitions
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
-- apiGroups:
-  - kro.run
-  resources:
-  - resourcegraphdefinitions/finalizers
-  verbs:
-  - update
-- apiGroups:
-  - kro.run
-  resources:
-  - resourcegraphdefinitions/status
-  verbs:
-  - get
-  - patch
-  - update
-- apiGroups:
-  - apiextensions.k8s.io
-  resources:
-  - customresourcedefinitions
-  verbs:
-  - get
-  - list
-  - watch
-  - patch
-  - update
-  - delete
 {{- end }}

helm/templates/controller.static.rbac.yaml

@@ -0,0 +1,34 @@
+{{- if eq .Values.rbac.mode "aggregation" }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: '{{ include "kro.fullname" . }}:controller:static'
+rules:
+- apiGroups:
+  - kro.run
+  resources:
+  - resourcegraphdefinitions
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - kro.run
+  resources:
+  - resourcegraphdefinitions/finalizers
+  verbs:
+  - update
+- apiGroups:
+  - kro.run
+  resources:
+  - resourcegraphdefinitions/status
+  verbs:
+  - get
+  - patch
+  - update
+{{- end }}

pkg/codegen.go

@@ -0,0 +1,4 @@
+package pkg
+
+//go:generate go tool controller-gen rbac:roleName="kro:controller:static" crd paths="../..." output:crd:artifacts:config=../helm/crds output:rbac:artifacts:config=../helm/templates
+//go:generate ../helm/helmify.sh