From b029a6dde311e88624de2247d39f7872f29807a1 Mon Sep 17 00:00:00 2001
From: jphelton <jdoghelton@gmail.com>
Date: Mon, 22 Aug 2022 22:43:13 -0400
Subject: [PATCH] feat(argo-rollouts): flag to disable
 clusterrole/clusterrolebinding creation (#1388)

* feat(argo-rollouts): Add flag to optionally disable the creation of cluster roles (even when running in cluster mode)

Signed-off-by: Joshua Helton <jdoghelton@gmail.com>

* fix README.md with helm-docs.sh

Signed-off-by: Joshua Helton <jdoghelton@gmail.com>

Signed-off-by: Joshua Helton <jdoghelton@gmail.com>
Co-authored-by: JM <jmeridth@gmail.com>
---
 charts/argo-rollouts/Chart.yaml                        |  4 ++--
 charts/argo-rollouts/README.md                         |  5 ++++-
 charts/argo-rollouts/templates/aggregate-roles.yaml    |  2 +-
 .../templates/controller/clusterrole.yaml              |  2 +-
 .../templates/controller/clusterrolebinding.yaml       |  2 +-
 .../argo-rollouts/templates/dashboard/clusterrole.yaml |  2 +-
 .../templates/dashboard/clusterrolebinding.yaml        |  2 +-
 charts/argo-rollouts/values.yaml                       | 10 ++++++++++
 8 files changed, 21 insertions(+), 8 deletions(-)

diff --git a/charts/argo-rollouts/Chart.yaml b/charts/argo-rollouts/Chart.yaml
index cd411e66..94fc2692 100644
--- a/charts/argo-rollouts/Chart.yaml
+++ b/charts/argo-rollouts/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 appVersion: "v1.2.0"
 description: A Helm chart for Argo Rollouts
 name: argo-rollouts
-version: 2.18.0
+version: 2.19.0
 icon: https://argoproj.github.io/argo-rollouts/assets/logo.png
 home: https://github.com/argoproj/argo-helm
 maintainers:
@@ -11,4 +11,4 @@ maintainers:
   - name: jessesuen
 annotations:
   artifacthub.io/changes: |
-    - "[Added]: Additional manifests to deploy within the chart"
+    - "[Added]: flags to disable the creation of ClusterRoles/ClusterRoleBindings when run in cluster mode "
diff --git a/charts/argo-rollouts/README.md b/charts/argo-rollouts/README.md
index 89e982fe..5aecd11b 100644
--- a/charts/argo-rollouts/README.md
+++ b/charts/argo-rollouts/README.md
@@ -42,6 +42,7 @@ If dashboard is installed by `--set dashboard.enabled=true`, checkout the argo-r
 | apiVersionOverrides.ingress | string | `""` | String to override apiVersion of ingresses rendered by this helm chart |
 | clusterInstall | bool | `true` | `false` runs controller in namespaced mode (does not require cluster RBAC) |
 | crdAnnotations | object | `{}` | Annotations to be added to all CRDs |
+| createClusterAggregateRoles | bool | `true` | flag to enable creation of cluster aggregate roles (requires cluster RBAC) |
 | extraObjects | list | `[]` | Additional manifests to deploy within the chart. A list of objects. |
 | fullnameOverride | string | `nil` | String to fully override "argo-rollouts.fullname" template |
 | imagePullSecrets | list | `[]` | Secrets with credentials to pull images from a private registry. Registry secret names as an array. |
@@ -62,6 +63,7 @@ If dashboard is installed by `--set dashboard.enabled=true`, checkout the argo-r
 | containerSecurityContext | object | `{}` | Security Context to set on container level |
 | controller.affinity | object | `{}` | Assign custom [affinity] rules to the deployment |
 | controller.component | string | `"rollouts-controller"` | Value of label `app.kubernetes.io/component` |
+| controller.createClusterRole | bool | `true` | flag to enable creation of cluster controller role (requires cluster RBAC) |
 | controller.extraArgs | list | `[]` | Additional command line arguments to pass to rollouts-controller.  A list of flags. |
 | controller.extraContainers | list | `[]` | Literal yaml for extra containers to be added to controller deployment. |
 | controller.extraEnv | list | `[]` | Additional environment variables for rollouts-controller. A list of name/value maps. |
@@ -100,6 +102,7 @@ If dashboard is installed by `--set dashboard.enabled=true`, checkout the argo-r
 | dashboard.affinity | object | `{}` | Assign custom [affinity] rules to the deployment |
 | dashboard.component | string | `"rollouts-dashboard"` | Value of label `app.kubernetes.io/component` |
 | dashboard.containerSecurityContext | object | `{}` | Security Context to set on container level |
+| dashboard.createClusterRole | bool | `true` | flag to enable creation of dashbord cluster role (requires cluster RBAC) |
 | dashboard.enabled | bool | `false` | Deploy dashboard server |
 | dashboard.extraArgs | list | `[]` | Additional command line arguments to pass to rollouts-dashboard. A list of flags. |
 | dashboard.extraEnv | list | `[]` | Additional environment variables for rollouts-dashboard. A list of name/value maps. |
@@ -172,4 +175,4 @@ Autogenerated from chart metadata using [helm-docs](https://github.com/norwoodj/
 [Tolerations]: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
 [priorityClassName]: https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/
 [Pod Disruption Budget]: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/#pod-disruption-budgets
-[values.yaml]: https://github.com/argoproj/argo-helm/blob/argo-rollouts-2.18.0/charts/argo-rollouts/values.yaml
+[values.yaml]: https://github.com/argoproj/argo-helm/blob/argo-rollouts-2.19.0/charts/argo-rollouts/values.yaml
diff --git a/charts/argo-rollouts/templates/aggregate-roles.yaml b/charts/argo-rollouts/templates/aggregate-roles.yaml
index ab3ac6dd..86823903 100644
--- a/charts/argo-rollouts/templates/aggregate-roles.yaml
+++ b/charts/argo-rollouts/templates/aggregate-roles.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.clusterInstall }}
+{{- if and .Values.clusterInstall .Values.createClusterAggregateRoles }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
diff --git a/charts/argo-rollouts/templates/controller/clusterrole.yaml b/charts/argo-rollouts/templates/controller/clusterrole.yaml
index 9581ef96..4db2e81d 100644
--- a/charts/argo-rollouts/templates/controller/clusterrole.yaml
+++ b/charts/argo-rollouts/templates/controller/clusterrole.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.clusterInstall }}
+{{- if and .Values.clusterInstall .Values.controller.createClusterRole }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
diff --git a/charts/argo-rollouts/templates/controller/clusterrolebinding.yaml b/charts/argo-rollouts/templates/controller/clusterrolebinding.yaml
index b48ce5b5..cbdb0e23 100644
--- a/charts/argo-rollouts/templates/controller/clusterrolebinding.yaml
+++ b/charts/argo-rollouts/templates/controller/clusterrolebinding.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.clusterInstall }}
+{{- if and .Values.clusterInstall .Values.controller.createClusterRole }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
diff --git a/charts/argo-rollouts/templates/dashboard/clusterrole.yaml b/charts/argo-rollouts/templates/dashboard/clusterrole.yaml
index 8dd1ac6b..6a84102d 100644
--- a/charts/argo-rollouts/templates/dashboard/clusterrole.yaml
+++ b/charts/argo-rollouts/templates/dashboard/clusterrole.yaml
@@ -1,4 +1,4 @@
-{{- if and .Values.dashboard.enabled .Values.clusterInstall }}
+{{- if and .Values.dashboard.enabled .Values.clusterInstall .Values.dashboard.createClusterRole }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
diff --git a/charts/argo-rollouts/templates/dashboard/clusterrolebinding.yaml b/charts/argo-rollouts/templates/dashboard/clusterrolebinding.yaml
index 331fbe4e..3296060c 100644
--- a/charts/argo-rollouts/templates/dashboard/clusterrolebinding.yaml
+++ b/charts/argo-rollouts/templates/dashboard/clusterrolebinding.yaml
@@ -1,4 +1,4 @@
-{{- if and .Values.dashboard.enabled .Values.clusterInstall }}
+{{- if and .Values.dashboard.enabled .Values.clusterInstall .Values.dashboard.createClusterRole }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
diff --git a/charts/argo-rollouts/values.yaml b/charts/argo-rollouts/values.yaml
index b8ebfc49..ae24b660 100644
--- a/charts/argo-rollouts/values.yaml
+++ b/charts/argo-rollouts/values.yaml
@@ -6,6 +6,9 @@ keepCRDs: true
 # -- `false` runs controller in namespaced mode (does not require cluster RBAC)
 clusterInstall: true
 
+# -- flag to enable creation of cluster aggregate roles (requires cluster RBAC)
+createClusterAggregateRoles: true
+
 # -- String to partially override "argo-rollouts.fullname" template
 nameOverride:
 
@@ -80,6 +83,9 @@ controller:
   #    cpu: 50m
   #    memory: 64Mi
 
+  # -- flag to enable creation of cluster controller role (requires cluster RBAC)
+  createClusterRole: true
+
   metrics:
     # -- Deploy metrics service
     enabled: false
@@ -181,6 +187,10 @@ dashboard:
   affinity: {}
   # -- [priorityClassName] for the dashboard server
   priorityClassName: ""
+
+  # -- flag to enable creation of dashbord cluster role (requires cluster RBAC)
+  createClusterRole: true
+
   # -- The number of dashboard pods to run
   replicas: 1
   image: