Merge pull request #203 from odise/crd-rbac-annotations

Adding CRD and RBAC annotation option
fluxcd-community · Nov 9, 2023 · 9d38c29 · 9d38c29
2 parents 5fea58a + da7a1c5
commit 9d38c29
Show file tree

Hide file tree

Showing 26 changed files with 109 additions and 14 deletions.
diff --git a/charts/flux2/Chart.yaml b/charts/flux2/Chart.yaml
@@ -1,11 +1,11 @@
 annotations:
   artifacthub.io/changes: |
-    - "feat: add ingress resource for notificationController's receiver webhook service"
+    - "feat: adding CRD and RBAC annotation option"
 apiVersion: v2
 appVersion: 2.1.2
 description: A Helm chart for flux2
 name: flux2
 sources:
 - https://github.com/fluxcd-community/helm-charts
 type: application
-version: 2.11.0
+version: 2.11.1
diff --git a/charts/flux2/README.md b/charts/flux2/README.md
@@ -22,6 +22,7 @@ This helm chart is maintained and released by the fluxcd-community on a best eff
 | cli.tag | string | `"v2.1.2"` |  |
 | cli.tolerations | list | `[]` |  |
 | clusterDomain | string | `"cluster.local"` |  |
+| crds.annotations | object | `{}` | Add annotations to all CRD resources, e.g. "helm.sh/resource-policy": keep |
 | extraObjects | list | `[]` | Array of extra K8s manifests to deploy |
 | helmController.affinity | object | `{}` |  |
 | helmController.annotations."prometheus.io/port" | string | `"8080"` |  |
@@ -146,6 +147,7 @@ This helm chart is maintained and released by the fluxcd-community on a best eff
 | prometheus.podMonitor.podMetricsEndpoints[0].relabelings[0].action | string | `"keep"` |  |
 | prometheus.podMonitor.podMetricsEndpoints[0].relabelings[0].regex | string | `"Running"` |  |
 | prometheus.podMonitor.podMetricsEndpoints[0].relabelings[0].sourceLabels[0] | string | `"__meta_kubernetes_pod_phase"` |  |
+| rbac.annotations | object | `{}` | Add annotations to all RBAC resources, e.g. "helm.sh/resource-policy": keep |
 | rbac.create | bool | `true` |  |
 | rbac.createAggregation | bool | `true` | Grant the Kubernetes view, edit and admin roles access to Flux custom resources |
 | sourceController.affinity | object | `{}` |  |

diff --git a/charts/flux2/templates/aggregate-clusterroles.yaml b/charts/flux2/templates/aggregate-clusterroles.yaml
@@ -2,6 +2,9 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
+  {{- with .Values.rbac.annotations }}
+  annotations: {{ toYaml . | nindent 4 }}
+  {{- end }}
   name: flux-edit
   labels:
     rbac.authorization.k8s.io/aggregate-to-edit: "true"

diff --git a/charts/flux2/templates/cluster-reconciler-clusterrolebinding.yaml b/charts/flux2/templates/cluster-reconciler-clusterrolebinding.yaml
@@ -2,6 +2,9 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
+  {{- with .Values.rbac.annotations }}
+  annotations: {{ toYaml . | nindent 4 }}
+  {{- end }}
   labels:
     app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
     app.kubernetes.io/managed-by: {{ .Release.Service | quote }}

diff --git a/charts/flux2/templates/cluster-reconciler-impersonator-clusterrole.yaml b/charts/flux2/templates/cluster-reconciler-impersonator-clusterrole.yaml
@@ -2,6 +2,9 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
+  {{- with .Values.rbac.annotations }}
+  annotations: {{ toYaml . | nindent 4 }}
+  {{- end }}
   name: cluster-reconciler-impersonator
   labels:
     app.kubernetes.io/instance: {{ .Release.Namespace | quote }}

diff --git a/charts/flux2/templates/cluster-reconciler-impersonator-clusterrolebinding.yaml b/charts/flux2/templates/cluster-reconciler-impersonator-clusterrolebinding.yaml
@@ -2,6 +2,9 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
+  {{- with .Values.rbac.annotations }}
+  annotations: {{ toYaml . | nindent 4 }}
+  {{- end }}
   labels:
     app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
     app.kubernetes.io/managed-by: {{ .Release.Service | quote }}

diff --git a/charts/flux2/templates/crd-controller-clusterrole.yaml b/charts/flux2/templates/crd-controller-clusterrole.yaml
@@ -2,6 +2,9 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
+  {{- with .Values.rbac.annotations }}
+  annotations: {{ toYaml . | nindent 4 }}
+  {{- end }}
   name: crd-controller
   labels:
     app.kubernetes.io/instance: {{ .Release.Namespace | quote }}

diff --git a/charts/flux2/templates/crd-controller-clusterrolebinding.yaml b/charts/flux2/templates/crd-controller-clusterrolebinding.yaml
@@ -2,6 +2,9 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
+  {{- with .Values.rbac.annotations }}
+  annotations: {{ toYaml . | nindent 4 }}
+  {{- end }}
   name: crd-controller
   labels:
     app.kubernetes.io/instance: {{ .Release.Namespace | quote }}

diff --git a/charts/flux2/templates/helm-controller.crds.yaml b/charts/flux2/templates/helm-controller.crds.yaml
@@ -4,6 +4,9 @@ kind: CustomResourceDefinition
 metadata:
   annotations:
     controller-gen.kubebuilder.io/version: v0.12.0
+    {{- with .Values.crds.annotations }}
+    {{- . | toYaml | nindent 4 }}
+    {{- end }}
   labels:
     app.kubernetes.io/component: helm-controller
     app.kubernetes.io/instance: '{{ .Release.Namespace }}'

diff --git a/charts/flux2/templates/image-automation-controller.crds.yaml b/charts/flux2/templates/image-automation-controller.crds.yaml
@@ -4,6 +4,9 @@ kind: CustomResourceDefinition
 metadata:
   annotations:
     controller-gen.kubebuilder.io/version: v0.12.0
+    {{- with .Values.crds.annotations }}
+    {{- . | toYaml | nindent 4 }}
+    {{- end }}
   labels:
     app.kubernetes.io/component: image-automation-controller
     app.kubernetes.io/instance: '{{ .Release.Namespace }}'

diff --git a/charts/flux2/templates/image-reflector-controller.crds.yaml b/charts/flux2/templates/image-reflector-controller.crds.yaml
@@ -4,6 +4,9 @@ kind: CustomResourceDefinition
 metadata:
   annotations:
     controller-gen.kubebuilder.io/version: v0.12.0
+    {{- with .Values.crds.annotations }}
+    {{- . | toYaml | nindent 4 }}
+    {{- end }}
   labels:
     app.kubernetes.io/component: image-reflector-controller
     app.kubernetes.io/instance: '{{ .Release.Namespace }}'
@@ -413,6 +416,9 @@ kind: CustomResourceDefinition
 metadata:
   annotations:
     controller-gen.kubebuilder.io/version: v0.12.0
+    {{- with .Values.crds.annotations }}
+    {{- . | toYaml | nindent 4 }}
+    {{- end }}
   labels:
     app.kubernetes.io/component: image-reflector-controller
     app.kubernetes.io/instance: '{{ .Release.Namespace }}'

diff --git a/charts/flux2/templates/kustomize-controller.crds.yaml b/charts/flux2/templates/kustomize-controller.crds.yaml
@@ -4,6 +4,9 @@ kind: CustomResourceDefinition
 metadata:
   annotations:
     controller-gen.kubebuilder.io/version: v0.12.0
+    {{- with .Values.crds.annotations }}
+    {{- . | toYaml | nindent 4 }}
+    {{- end }}
   labels:
     app.kubernetes.io/component: kustomize-controller
     app.kubernetes.io/instance: '{{ .Release.Namespace }}'

diff --git a/charts/flux2/templates/notification-controller.crds.yaml b/charts/flux2/templates/notification-controller.crds.yaml
@@ -4,6 +4,9 @@ kind: CustomResourceDefinition
 metadata:
   annotations:
     controller-gen.kubebuilder.io/version: v0.12.0
+    {{- with .Values.crds.annotations }}
+    {{- . | toYaml | nindent 4 }}
+    {{- end }}
   labels:
     app.kubernetes.io/instance: '{{ .Release.Namespace }}'
     app.kubernetes.io/managed-by: '{{ .Release.Service }}'
@@ -442,6 +445,9 @@ kind: CustomResourceDefinition
 metadata:
   annotations:
     controller-gen.kubebuilder.io/version: v0.12.0
+    {{- with .Values.crds.annotations }}
+    {{- . | toYaml | nindent 4 }}
+    {{- end }}
   labels:
     app.kubernetes.io/instance: '{{ .Release.Namespace }}'
     app.kubernetes.io/managed-by: '{{ .Release.Service }}'
@@ -854,6 +860,9 @@ kind: CustomResourceDefinition
 metadata:
   annotations:
     controller-gen.kubebuilder.io/version: v0.12.0
+    {{- with .Values.crds.annotations }}
+    {{- . | toYaml | nindent 4 }}
+    {{- end }}
   labels:
     app.kubernetes.io/instance: '{{ .Release.Namespace }}'
     app.kubernetes.io/managed-by: '{{ .Release.Service }}'

diff --git a/charts/flux2/templates/source-controller.crds.yaml b/charts/flux2/templates/source-controller.crds.yaml
@@ -4,6 +4,9 @@ kind: CustomResourceDefinition
 metadata:
   annotations:
     controller-gen.kubebuilder.io/version: v0.12.0
+    {{- with .Values.crds.annotations }}
+    {{- . | toYaml | nindent 4 }}
+    {{- end }}
   labels:
     app.kubernetes.io/component: source-controller
     app.kubernetes.io/instance: '{{ .Release.Namespace }}'
@@ -524,6 +527,9 @@ kind: CustomResourceDefinition
 metadata:
   annotations:
     controller-gen.kubebuilder.io/version: v0.12.0
+    {{- with .Values.crds.annotations }}
+    {{- . | toYaml | nindent 4 }}
+    {{- end }}
   labels:
     app.kubernetes.io/component: source-controller
     app.kubernetes.io/instance: '{{ .Release.Namespace }}'
@@ -1727,6 +1733,9 @@ kind: CustomResourceDefinition
 metadata:
   annotations:
     controller-gen.kubebuilder.io/version: v0.12.0
+    {{- with .Values.crds.annotations }}
+    {{- . | toYaml | nindent 4 }}
+    {{- end }}
   labels:
     app.kubernetes.io/component: source-controller
     app.kubernetes.io/instance: '{{ .Release.Namespace }}'
@@ -2325,6 +2334,9 @@ kind: CustomResourceDefinition
 metadata:
   annotations:
     controller-gen.kubebuilder.io/version: v0.12.0
+    {{- with .Values.crds.annotations }}
+    {{- . | toYaml | nindent 4 }}
+    {{- end }}
   labels:
     app.kubernetes.io/component: source-controller
     app.kubernetes.io/instance: '{{ .Release.Namespace }}'
@@ -2851,6 +2863,9 @@ kind: CustomResourceDefinition
 metadata:
   annotations:
     controller-gen.kubebuilder.io/version: v0.12.0
+    {{- with .Values.crds.annotations }}
+    {{- . | toYaml | nindent 4 }}
+    {{- end }}
   labels:
     app.kubernetes.io/component: source-controller
     app.kubernetes.io/instance: '{{ .Release.Namespace }}'

diff --git a/charts/flux2/tests/__snapshot__/helm-controller_test.yaml.snap b/charts/flux2/tests/__snapshot__/helm-controller_test.yaml.snap
@@ -10,7 +10,7 @@ should match snapshot of default values:
         app.kubernetes.io/part-of: flux
         app.kubernetes.io/version: 2.1.2
         control-plane: controller
-        helm.sh/chart: flux2-2.11.0
+        helm.sh/chart: flux2-2.11.1
         labeltestkey: labeltestvalue
         labeltestkey2: labeltestvalue2
       name: helm-controller

diff --git a/charts/flux2/tests/__snapshot__/image-automation-controller_test.yaml.snap b/charts/flux2/tests/__snapshot__/image-automation-controller_test.yaml.snap
@@ -10,7 +10,7 @@ should match snapshot of default values:
         app.kubernetes.io/part-of: flux
         app.kubernetes.io/version: 2.1.2
         control-plane: controller
-        helm.sh/chart: flux2-2.11.0
+        helm.sh/chart: flux2-2.11.1
       name: image-automation-controller
     spec:
       replicas: 1

diff --git a/charts/flux2/tests/__snapshot__/image-reflector-controller_test.yaml.snap b/charts/flux2/tests/__snapshot__/image-reflector-controller_test.yaml.snap
@@ -10,7 +10,7 @@ should match snapshot of default values:
         app.kubernetes.io/part-of: flux
         app.kubernetes.io/version: 2.1.2
         control-plane: controller
-        helm.sh/chart: flux2-2.11.0
+        helm.sh/chart: flux2-2.11.1
       name: image-reflector-controller
     spec:
       replicas: 1

diff --git a/charts/flux2/tests/__snapshot__/kustomize-controller-secret_test.yaml.snap b/charts/flux2/tests/__snapshot__/kustomize-controller-secret_test.yaml.snap
@@ -10,7 +10,7 @@ should match snapshot of default values:
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/part-of: flux
         app.kubernetes.io/version: 2.1.2
-        helm.sh/chart: flux2-2.11.0
+        helm.sh/chart: flux2-2.11.1
       name: test1
       namespace: NAMESPACE
     type: Opaque
diff --git a/charts/flux2/tests/__snapshot__/kustomize-controller_test.yaml.snap b/charts/flux2/tests/__snapshot__/kustomize-controller_test.yaml.snap
@@ -10,7 +10,7 @@ should match snapshot of default values:
         app.kubernetes.io/part-of: flux
         app.kubernetes.io/version: 2.1.2
         control-plane: controller
-        helm.sh/chart: flux2-2.11.0
+        helm.sh/chart: flux2-2.11.1
       name: kustomize-controller
     spec:
       replicas: 1

diff --git a/charts/flux2/tests/__snapshot__/notification-controller_test.yaml.snap b/charts/flux2/tests/__snapshot__/notification-controller_test.yaml.snap
@@ -10,7 +10,7 @@ should match snapshot of default values:
         app.kubernetes.io/part-of: flux
         app.kubernetes.io/version: 2.1.2
         control-plane: controller
-        helm.sh/chart: flux2-2.11.0
+        helm.sh/chart: flux2-2.11.1
       name: notification-controller
     spec:
       replicas: 1

diff --git a/charts/flux2/tests/__snapshot__/pre-install-job_test.yaml.snap b/charts/flux2/tests/__snapshot__/pre-install-job_test.yaml.snap
@@ -12,7 +12,7 @@ should match snapshot of default values:
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/part-of: flux
         app.kubernetes.io/version: 2.1.2
-        helm.sh/chart: flux2-2.11.0
+        helm.sh/chart: flux2-2.11.1
       name: RELEASE-NAME-flux-check
     spec:
       backoffLimit: 1
@@ -23,7 +23,7 @@ should match snapshot of default values:
             app.kubernetes.io/managed-by: Helm
             app.kubernetes.io/part-of: flux
             app.kubernetes.io/version: 2.1.2
-            helm.sh/chart: flux2-2.11.0
+            helm.sh/chart: flux2-2.11.1
           name: RELEASE-NAME
         spec:
           automountServiceAccountToken: true

diff --git a/charts/flux2/tests/__snapshot__/source-controller_test.yaml.snap b/charts/flux2/tests/__snapshot__/source-controller_test.yaml.snap
@@ -10,7 +10,7 @@ should match snapshot of default values:
         app.kubernetes.io/part-of: flux
         app.kubernetes.io/version: 2.1.2
         control-plane: controller
-        helm.sh/chart: flux2-2.11.0
+        helm.sh/chart: flux2-2.11.1
       name: source-controller
     spec:
       replicas: 1

diff --git a/charts/flux2/tests/cluster-reconciler-clusterrolebinding_test.yaml b/charts/flux2/tests/cluster-reconciler-clusterrolebinding_test.yaml
@@ -28,4 +28,13 @@ tests:
       multitenancy.privileged: false
     asserts:
       - hasDocuments:
-          count: 1
+          count: 1
+  - it: should add annotations to the resource
+    set:
+      rbac.annotations:
+        "helm.sh/resource-policy": keep
+    asserts:
+      - equal:
+          path: metadata.annotations
+          value:
+            helm.sh/resource-policy: keep
diff --git a/charts/flux2/tests/cluster-reconciler-impersonator-clusterrole_test.yaml b/charts/flux2/tests/cluster-reconciler-impersonator-clusterrole_test.yaml
@@ -28,4 +28,15 @@ tests:
       multitenancy.privileged: false
     asserts:
       - hasDocuments:
-          count: 1
+          count: 1
+  - it: should add annotations to the resource
+    set:
+      multitenancy.enabled: true
+      multitenancy.privileged: false
+      rbac.annotations:
+        "helm.sh/resource-policy": keep
+    asserts:
+      - equal:
+          path: metadata.annotations
+          value:
+            helm.sh/resource-policy: keep
diff --git a/charts/flux2/tests/cluster-reconciler-impersonator-clusterrolebinding.yaml b/charts/flux2/tests/cluster-reconciler-impersonator-clusterrolebinding.yaml
@@ -28,4 +28,15 @@ tests:
       multitenancy.privileged: false
     asserts:
       - hasDocuments:
-          count: 1
+          count: 1
+  - it: should add annotations to the resource
+    set:
+      multitenancy.enabled: true
+      multitenancy.privileged: false
+      rbac.annotations:
+        "helm.sh/resource-policy": keep
+    asserts:
+      - equal:
+          path: metadata.annotations
+          value:
+            helm.sh/resource-policy: keep
diff --git a/charts/flux2/values.yaml b/charts/flux2/values.yaml
@@ -1,6 +1,9 @@
 # global
 
 installCRDs: true
+crds:
+  # -- Add annotations to all CRD resources, e.g. "helm.sh/resource-policy": keep
+  annotations: {}
 
 multitenancy:
   # -- Implement the patches for Multi-tenancy lockdown.
@@ -273,6 +276,8 @@ rbac:
   create: true
   # -- Grant the Kubernetes view, edit and admin roles access to Flux custom resources
   createAggregation: true
+  # -- Add annotations to all RBAC resources, e.g. "helm.sh/resource-policy": keep
+  annotations: {}
 
 logLevel: info
 watchAllNamespaces: true