Update charts with latest changes

circleci-wiz · circleci-wiz · commit 18d88dbb805f · 2026-02-24T08:34:07.000Z
diff --git a/wiz-outpost-common/templates/_controlplane-tls.tpl b/wiz-outpost-common/templates/_controlplane-tls.tpl
@@ -6,14 +6,16 @@ Parameters (passed as a dict):
   - cn: common name for the certificate
   - dnsBase: base DNS name for SAN entries (may differ from cn)
   - labelTemplate: name of the chart's labels template to include
+  - secretName: (optional) name of the Secret to create; defaults to controlPlaneTLS.serverSecretName
 */}}
 {{- define "wiz.controlplane-server-cert" -}}
 {{- if .root.Values.controlPlaneTLS.enabled }}
+{{- $secretName := .secretName | default .root.Values.controlPlaneTLS.serverSecretName }}
 {{- $caSecret := lookup "v1" "Secret" .root.Release.Namespace .root.Values.controlPlaneTLS.caSecretName }}
 {{- if $caSecret }}
 {{- $ca := buildCustomCert (index $caSecret.data "ca.crt") (index $caSecret.data "ca.key") }}
 {{- $caHash := index $caSecret.data "ca.crt" | b64dec | sha256sum }}
-{{- $existingCert := lookup "v1" "Secret" .root.Release.Namespace .root.Values.controlPlaneTLS.serverSecretName }}
+{{- $existingCert := lookup "v1" "Secret" .root.Release.Namespace $secretName }}
 {{- $regenerate := true }}
 {{- $cert := dict }}
 
@@ -35,7 +37,7 @@ Parameters (passed as a dict):
 apiVersion: v1
 kind: Secret
 metadata:
-  name: {{ .root.Values.controlPlaneTLS.serverSecretName }}
+  name: {{ $secretName }}
   labels:
     {{- include .labelTemplate .root | nindent 4 }}
   annotations:
diff --git a/wiz-outpost-configuration/Chart.yaml b/wiz-outpost-configuration/Chart.yaml
@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 2026.02.18
+version: 2026.02.22
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
diff --git a/wiz-outpost-configuration/templates/outpostController.clusterRole.yaml b/wiz-outpost-configuration/templates/outpostController.clusterRole.yaml
@@ -11,11 +11,4 @@ rules:
   - apiGroups: [""]
     resources: ["nodes"]
     verbs: ["get", "list", "watch"]
-  # Flux CRs - for crsOnly mode (GitRepository, Kustomization in flux-system namespace)
-  - apiGroups: ["source.toolkit.fluxcd.io"]
-    resources: ["gitrepositories"]
-    verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
-  - apiGroups: ["kustomize.toolkit.fluxcd.io"]
-    resources: ["kustomizations"]
-    verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
 {{- end }}
diff --git a/wiz-outpost-configuration/templates/outpostController.fluxNamespace.rbac.yaml b/wiz-outpost-configuration/templates/outpostController.fluxNamespace.rbac.yaml
@@ -0,0 +1,41 @@
+{{- if and .Values.outpostController.enabled .Values.outpostController.reducedPermissions }}
+{{- $nsPrefix := (index (splitList "-" .Release.Namespace) 0) }}
+{{- $autoFluxNamespace := ternary "flux-system" (printf "%s-flux-system" $nsPrefix) (eq .Release.Namespace "default") }}
+{{- $fluxNamespace := default $autoFluxNamespace .Values.outpostController.wizFluxNamespace }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "wiz-outpost-configuration.fullname" . }}-outpost-controller-flux
+  namespace: {{ $fluxNamespace }}
+  labels:
+    {{- include "wiz-outpost-configuration.labels" . | nindent 4 }}
+    app.kubernetes.io/component: outpost-controller
+rules:
+  - apiGroups: [""]
+    resources: ["secrets", "configmaps"]
+    verbs: ["get", "list", "watch", "create", "update", "delete"]
+  - apiGroups: ["source.toolkit.fluxcd.io"]
+    resources: ["gitrepositories"]
+    verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
+  - apiGroups: ["kustomize.toolkit.fluxcd.io"]
+    resources: ["kustomizations"]
+    verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "wiz-outpost-configuration.fullname" . }}-outpost-controller-flux
+  namespace: {{ $fluxNamespace }}
+  labels:
+    {{- include "wiz-outpost-configuration.labels" . | nindent 4 }}
+    app.kubernetes.io/component: outpost-controller
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "wiz-outpost-configuration.fullname" . }}-outpost-controller-flux
+subjects:
+- kind: ServiceAccount
+  name: {{ .Values.outpostController.serviceAccountName }}
+  namespace: {{ .Release.Namespace }}
+{{- end }}
+
diff --git a/wiz-outpost-configuration/values.yaml b/wiz-outpost-configuration/values.yaml
@@ -102,6 +102,10 @@ outpostController:
   # Only use this when the outpost-controller will only install git-proxy (FluxCRsOnly mode).
   # Requires the namespace to be pre-created.
   reducedPermissions: false
+  # Flux namespace for RBAC (secrets, configmaps, gitrepositories, kustomizations).
+  # When set, creates Role and RoleBinding in this namespace.
+  # If empty, auto-derives from release namespace prefix (e.g., wiz-default -> wiz-flux-system).
+  wizFluxNamespace: wiz-flux-system
   image:
     repository: public-registry.wiz.io
     name: wiz-outpost-controller
