Switch trigger Helm chart RBAC from cluster to namespace scope and bump version (#2232)

* replace supervisor cluster role with ns-scoped role

* fix cross-ns binding

* bump chart version

Author: nicktrn

hosting/k8s/helm/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: trigger
 description: The official Trigger.dev Helm chart
 type: application
-version: 4.0.0-beta.14
+version: 4.0.0-beta.15
 appVersion: trigger-helm-rc.1
 home: https://trigger.dev
 sources:

hosting/k8s/helm/templates/_helpers.tpl

@@ -278,10 +278,10 @@ Create the name of the supervisor service account to use
 {{- end }}
 
 {{/*
-Create the name of the supervisor cluster role to use
+Create the name of the supervisor role to use
 */}}
-{{- define "trigger-v4.supervisorClusterRoleName" -}}
-{{- default (printf "%s-supervisor-%s" (include "trigger-v4.fullname" .) .Release.Namespace) .Values.supervisor.rbac.clusterRole.name }}
+{{- define "trigger-v4.supervisorRoleName" -}}
+{{- default (printf "%s-supervisor-%s" (include "trigger-v4.fullname" .) .Release.Namespace) .Values.supervisor.rbac.role.name }}
 {{- end }}
 
 {{/*

hosting/k8s/helm/templates/supervisor.yaml

@@ -14,9 +14,10 @@ metadata:
 ---
 {{- if .Values.supervisor.rbac.create }}
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
+kind: Role
 metadata:
-  name: {{ include "trigger-v4.supervisorClusterRoleName" . }}
+  name: {{ include "trigger-v4.supervisorRoleName" . }}
+  namespace: {{ default .Release.Namespace .Values.supervisor.config.kubernetes.namespace }}
   labels:
     {{- $component := "supervisor" }}
     {{- include "trigger-v4.componentLabels" (dict "Chart" .Chart "Release" .Release "Values" .Values "component" $component) | nindent 4 }}
@@ -26,19 +27,20 @@ rules:
     verbs: ["create", "delete", "deletecollection", "get", "list", "watch"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
+kind: RoleBinding
 metadata:
-  name: {{ include "trigger-v4.supervisorClusterRoleName" . }}-binding
+  name: {{ include "trigger-v4.supervisorRoleName" . }}-binding
+  namespace: {{ default .Release.Namespace .Values.supervisor.config.kubernetes.namespace }}
   labels:
     {{- $component := "supervisor" }}
     {{- include "trigger-v4.componentLabels" (dict "Chart" .Chart "Release" .Release "Values" .Values "component" $component) | nindent 4 }}
 subjects:
   - kind: ServiceAccount
     name: {{ include "trigger-v4.supervisorServiceAccountName" . }}
-    namespace: {{ .Release.Namespace }}
+    namespace: {{ default .Release.Namespace }}
 roleRef:
-  kind: ClusterRole
-  name: {{ include "trigger-v4.supervisorClusterRoleName" . }}
+  kind: Role
+  name: {{ include "trigger-v4.supervisorRoleName" . }}
   apiGroup: rbac.authorization.k8s.io
 {{- end }}
 ---

hosting/k8s/helm/values.yaml

@@ -281,9 +281,8 @@ supervisor:
     annotations: {}
   rbac:
     create: true
-    # Cluster-level permissions for pod management
-    clusterRole:
-      create: true
+    # Namespace-scoped permissions for pod management
+    role:
       name: ""
   # Extra environment variables for Supervisor
   extraEnvVars: