From 3f33a4d435938fb48004e79671dba469906cbfcb Mon Sep 17 00:00:00 2001
From: Henry Zeng
Date: Mon, 2 Mar 2026 16:08:14 -0800
Subject: [PATCH 1/5] feat: add fine-grained aggregatable ClusterRoles
This commit implements support for Kubernetes ClusterRole aggregation to enable more flexible RBAC configurations. The monolithic ClusterRole has been refactored into 9 fine-grained roles that can be selectively aggregated to standard K8s roles (view, edit, admin). Key features: - Separate ClusterRoles for read vs write permissions - Isolated secrets access (not aggregated to view role by default) - Configurable aggregation via values.yaml - 100% backward compatible (aggregation disabled by default) This enables use cases such as: - Grant read-only access to OCM/Flux CRDs without exposing secrets - Compose custom permission sets for different user personas - Follow Kubernetes RBAC best practices The 9 ClusterRoles created in aggregation mode: 1. ocm-controller-core-reader - Read configmaps & serviceaccounts 2. ocm-controller-secrets-reader - Read secrets (isolated) 3. ocm-controller-core-writer - Manage pods, services, deployments 4. ocm-controller-ocm-reader - Read OCM CRDs 5. ocm-controller-ocm-writer - Manage OCM CRDs 6. ocm-controller-flux-reader - Read Flux source CRDs 7. ocm-controller-flux-writer-source - Manage Flux source repos 8. ocm-controller-flux-writer-deploy - Manage Flux deployments 9. ocm-controller-manager-role - Main aggregating role Configuration example: ```yaml manager: clusterRole: aggregation: enabled: true standardRoles: view: enabled: true ``` Fixes https://github.com/open-component-model/ocm/issues/1848
Signed-off-by: Henry Zeng
---
 deploy/templates/role.yaml | 306 ++++++++++++++++++++++++++++++++++++-
 deploy/values.yaml | 61 ++++++++
 2 files changed, 363 insertions(+), 4 deletions(-)
diff --git a/deploy/templates/role.yaml b/deploy/templates/role.yaml
index 77979095..40d482a3 100644
--- a/deploy/templates/role.yaml
+++ b/deploy/templates/role.yaml 
@@ -1,14 +1,311 @@ -{{/* - 2025-06-10 : - Switched from generating this with controller-gen to maintaining it by hand. +{{/* + 2025-06-10 : + Switched from generating this with controller-gen to maintaining it by hand. See https://github.com/open-component-model/ocm-project/issues/518 + + 2026-03-02 : + Added support for fine-grained aggregatable ClusterRoles. + When manager.clusterRole.aggregation.enabled is true, this template generates + 9 separate ClusterRoles that can be aggregated to standard K8s roles. + When false (default), generates the original monolithic ClusterRole for + backward compatibility. */ -}} + +{{- /* Helper function to build aggregation labels */ -}} +{{- define "ocm-controller.aggregationLabels" -}} +{{- $config := .config -}} +ocm.software/aggregate-to-controller: "true" +{{- if and (hasKey $config "aggregateToView") $config.aggregateToView }} +{{- if $.Values.manager.clusterRole.aggregation.standardRoles.view.enabled }} +rbac.authorization.k8s.io/aggregate-to-view: "true" +{{- end }} +{{- end }} +{{- if and (hasKey $config "aggregateToEdit") $config.aggregateToEdit }} +{{- if $.Values.manager.clusterRole.aggregation.standardRoles.edit.enabled }} +rbac.authorization.k8s.io/aggregate-to-edit: "true" +{{- end }} +{{- end }} +{{- end -}} + +{{- if .Values.manager.clusterRole.aggregation.enabled }} +{{- /* AGGREGATION MODE: Create fine-grained ClusterRoles */ -}} + +--- +# 1. Core Reader - Read-only access to configmaps and serviceaccounts (NO secrets) +{{- if .Values.manager.clusterRole.aggregation.roles.coreReader.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: ocm-controller-core-reader + labels: + {{- include "ocm-controller.aggregationLabels" (dict "config" .Values.manager.clusterRole.aggregation.roles.coreReader "Values" .Values) | nindent 4 }} +rules: +- apiGroups: + - "" + resources: + - configmaps + - serviceaccounts + verbs: + - get + - list + - watch +{{- end }} + +--- +# 2. 
Secrets Reader - Read-only access to secrets (separate for security) +{{- if .Values.manager.clusterRole.aggregation.roles.secretsReader.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: ocm-controller-secrets-reader + labels: + {{- include "ocm-controller.aggregationLabels" (dict "config" .Values.manager.clusterRole.aggregation.roles.secretsReader "Values" .Values) | nindent 4 }} +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +{{- end }} + +--- +# 3. Core Writer - Write access to core resources +{{- if .Values.manager.clusterRole.aggregation.roles.coreWriter.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: ocm-controller-core-writer + labels: + {{- include "ocm-controller.aggregationLabels" (dict "config" .Values.manager.clusterRole.aggregation.roles.coreWriter "Values" .Values) | nindent 4 }} +rules: +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +- apiGroups: + - "" + resources: + - pods + - services + verbs: + - create + - delete + - get + - patch + - update +- apiGroups: + - "" + resources: + - serviceaccounts/token + verbs: + - create +- apiGroups: + - apps + resources: + - deployments + verbs: + - create + - delete + - get + - patch + - update +{{- end }} + +--- +# 4. OCM Reader - Read-only access to OCM CRDs +{{- if .Values.manager.clusterRole.aggregation.roles.ocmReader.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: ocm-controller-ocm-reader + labels: + {{- include "ocm-controller.aggregationLabels" (dict "config" .Values.manager.clusterRole.aggregation.roles.ocmReader "Values" .Values) | nindent 4 }} +rules: +- apiGroups: + - delivery.ocm.software + resources: + - componentdescriptors + - componentversions + - configurations + - fluxdeployers + - localizations + - resources + - snapshots + verbs: + - get + - list + - watch +{{- end }} + +--- +# 5. 
OCM Writer - Full management of OCM CRDs +{{- if .Values.manager.clusterRole.aggregation.roles.ocmWriter.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: ocm-controller-ocm-writer + labels: + {{- include "ocm-controller.aggregationLabels" (dict "config" .Values.manager.clusterRole.aggregation.roles.ocmWriter "Values" .Values) | nindent 4 }} +rules: +- apiGroups: + - delivery.ocm.software + resources: + - componentdescriptors + - componentversions + - configurations + - fluxdeployers + - localizations + - resources + - snapshots + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - delivery.ocm.software + resources: + - componentversions/finalizers + - configurations/finalizers + - fluxdeployers/finalizers + - localizations/finalizers + - resources/finalizers + - snapshots/finalizers + verbs: + - update +- apiGroups: + - delivery.ocm.software + resources: + - componentversions/status + - configurations/status + - fluxdeployers/status + - localizations/status + - resources/status + - snapshots/status + verbs: + - get + - patch + - update +{{- end }} + +--- +# 6. Flux Reader - Read-only access to Flux source CRDs +{{- if .Values.manager.clusterRole.aggregation.roles.fluxReader.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: ocm-controller-flux-reader + labels: + {{- include "ocm-controller.aggregationLabels" (dict "config" .Values.manager.clusterRole.aggregation.roles.fluxReader "Values" .Values) | nindent 4 }} +rules: +- apiGroups: + - source.toolkit.fluxcd.io + resources: + - buckets + - gitrepositories + verbs: + - get + - list + - watch +{{- end }} + +--- +# 7. 
Flux Source Writer - Full management of Flux source repositories +{{- if .Values.manager.clusterRole.aggregation.roles.fluxWriterSource.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: ocm-controller-flux-writer-source + labels: + {{- include "ocm-controller.aggregationLabels" (dict "config" .Values.manager.clusterRole.aggregation.roles.fluxWriterSource "Values" .Values) | nindent 4 }} +rules: +- apiGroups: + - source.toolkit.fluxcd.io + resources: + - helmrepositories + - ocirepositories + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +{{- end }} + +--- +# 8. Flux Deploy Writer - Full management of Flux deployment resources +{{- if .Values.manager.clusterRole.aggregation.roles.fluxWriterDeploy.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: ocm-controller-flux-writer-deploy + labels: + {{- include "ocm-controller.aggregationLabels" (dict "config" .Values.manager.clusterRole.aggregation.roles.fluxWriterDeploy "Values" .Values) | nindent 4 }} +rules: +- apiGroups: + - helm.toolkit.fluxcd.io + resources: + - helmreleases + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - kustomize.toolkit.fluxcd.io + resources: + - kustomizations + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +{{- end }} + +--- +# 9. 
Main Controller Role - Aggregates all sub-roles +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: ocm-controller-manager-role + labels: + {{- if .Values.manager.clusterRole.labels }} + {{- toYaml .Values.manager.clusterRole.labels | nindent 4 }} + {{- end }} +aggregationRule: + clusterRoleSelectors: + - matchLabels: + ocm.software/aggregate-to-controller: "true" +rules: [] # Automatically filled by aggregation + +{{- else }} +{{- /* LEGACY MODE: Create monolithic ClusterRole (backward compatible) */ -}} --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: ocm-controller-manager-role - labels: {{ $.Values.manager.clusterRole.labels | toJson }} + labels: + {{- if .Values.manager.clusterRole.labels }} + {{- toYaml .Values.manager.clusterRole.labels | nindent 4 }} + {{- end }} rules: - apiGroups: - "" @@ -142,3 +439,4 @@ rules: - patch - update - watch +{{- end }} diff --git a/deploy/values.yaml b/deploy/values.yaml index a31d9592..ccc0f93e 100644 --- a/deploy/values.yaml +++ b/deploy/values.yaml 
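Review bot: The secrets-reader block asks the helper for `aggregateToView` exactly like every other role, so the only thing keeping a cluster-wide secrets read role out of the built-in view role (and out of edit and admin, which inherit view) is the `false` default in values.yaml; the template itself offers no guarantee. Handing the helper a config that cannot carry the flag keeps that promise in the chart rather than in a comment, e.g. `{{- include "ocm-controller.aggregationLabels" (dict "config" (omit .Values.manager.clusterRole.aggregation.roles.secretsReader "aggregateToView") "Values" .Values) | nindent 4 }}`. The core-writer deserves a similar look: its `serviceaccounts/token` rule with `create` lets any holder of the role mint a token for any ServiceAccount the binding covers, which is a very different capability from creating pods and services, and the header `# 3. Core Writer - Write access to core resources` does not hint at it; a separate role, or at least a comment naming that rule as the sensitive one, would help whoever later sets `aggregateToEdit` on it.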
@@ -89,6 +89,67 @@ manager:
 affinity: {}
 clusterRole:
 labels:
+ # Users can add custom labels here
+ # These labels are applied to the main ocm-controller-manager-role
+
+ # Fine-grained role aggregation configuration
+ aggregation:
+ # Enable fine-grained aggregatable roles
+ # When false (default), uses the existing monolithic ClusterRole
+ # When true, creates 9 separate ClusterRoles with aggregation labels
+ enabled: false # DEFAULT: false for backward compatibility
+
+ # Control which fine-grained roles aggregate to standard K8s roles
+ standardRoles:
+ view:
+ # Aggregate read-only roles (core-reader, ocm-reader, flux-reader) to 'view'
+ # This allows users with 'view' role to see OCM/Flux CRDs
+ # Secrets are NOT included (handled by separate secrets-reader role)
+ enabled: true
+ edit:
+ # Aggregate write roles to 'edit'
+ # Disabled by default for security - users should explicitly opt-in
+ enabled: false
+ admin:
+ # Admin inherits from edit automatically in K8s
+ # This setting has no effect (included for documentation)
+ enabled: false
+
+ # Advanced: Individual role control (optional)
+ # Most users won't need to modify these
+ roles:
+ coreReader:
+ enabled: true
+ aggregateToView: true
+ aggregateToController: true
+ secretsReader:
+ enabled: true
+ aggregateToView: false # Never aggregate secrets to view
+ aggregateToController: true
+ coreWriter:
+ enabled: true
+ aggregateToEdit: false
+ aggregateToController: true
+ ocmReader:
+ enabled: true
+ aggregateToView: true
+ aggregateToController: true
+ ocmWriter:
+ enabled: true
+ aggregateToEdit: false
+ aggregateToController: true
+ fluxReader:
+ enabled: true
+ aggregateToView: true
+ aggregateToController: true
+ fluxWriterSource:
+ enabled: true
+ aggregateToEdit: false
+ aggregateToController: true
+ fluxWriterDeploy:
+ enabled: true
+ aggregateToEdit: false
+ aggregateToController: true
 monitoring:
 enabled: false
From def7ff27cdd9669f7d4b6fb192c70573fa2c22e3 Mon Sep 17 00:00:00 2001
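Review bot: `standardRoles.view.enabled` defaults to `true` while `coreReader`, `ocmReader` and `fluxReader` default to `aggregateToView: true`, so the moment an operator flips `aggregation.enabled` the chart also widens the cluster's built-in view role to OCM and Flux CRDs, which is a broader opt-in than the comment describes; `edit` is off by default, and mirroring that for `view` (`enabled: false`) would make the two consistent. The `roles.*.enabled` flags sit under `# Advanced: Individual role control (optional)`, but each one also removes that role's rules from the aggregating manager role, so `secretsReader.enabled: false` leaves the controller with no secrets read permission at all in aggregation mode and nothing warns at render time. The comment should say so, e.g. `# Disabling a role also removes its permissions from ocm-controller-manager-role`; a `fail` in the template when a reader role is disabled would be the stronger guard.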
From: Henry Zeng
Date: Tue, 3 Mar 2026 11:00:12 -0800
Subject: [PATCH 2/5] fix: address PR review feedback for aggregatable ClusterRoles
This commit addresses all feedback from PR #852 review: 1. Fix YAML separator placement - Move separators inside conditional blocks to prevent orphaned `---` - Separators now only appear when roles are actually rendered 2. Remove duplicate read permissions from write roles - Removed get/list/watch verbs from all writer roles - Writers now only contain write verbs (create, delete, patch, update) - Enables proper aggregation: reader + writer = full access - Affected roles: core-writer, ocm-writer, flux-writer-source, flux-writer-deploy 3. Maintain consistent label formatting - Reverted to original `toJson` format instead of `toYaml` - Prevents triggering GitOps reconciliation on label changes - Maintains backward compatibility 4. Remove non-functional admin.enabled field - Kubernetes admin role inherits from edit automatically - Configuration field had no effect and caused confusion 5. Make aggregateToController flag functional - Added conditional check in helper template - Label now respects user configuration instead of being hardcoded - Users can disable controller aggregation per role if needed Testing: - Legacy mode renders correctly (backward compatible) - Aggregation mode renders 9 ClusterRoles properly - No orphaned YAML separators - Write roles contain only write verbs - aggregateToController flag works as expected Related: https://github.com/open-component-model/ocm-controller/pull/852
Signed-off-by: Henry Zeng
---
 deploy/templates/role.yaml | 42 +++++++++++---------------------------
 deploy/values.yaml | 4 ----
 2 files changed, 12 insertions(+), 34 deletions(-)
diff --git a/deploy/templates/role.yaml b/deploy/templates/role.yaml
index 40d482a3..1c4a1b25 100644
--- a/deploy/templates/role.yaml
+++ b/deploy/templates/role.yaml
@@ -14,7 +14,9 @@
 {{- /* Helper function to build aggregation labels */ -}}
 {{- define "ocm-controller.aggregationLabels" -}}
 {{- $config := .config -}}
+{{- if and (hasKey $config "aggregateToController") $config.aggregateToController }}
 ocm.software/aggregate-to-controller: "true"
+{{- end }}
 {{- if and (hasKey $config "aggregateToView") $config.aggregateToView }}
 {{- if $.Values.manager.clusterRole.aggregation.standardRoles.view.enabled }}
 rbac.authorization.k8s.io/aggregate-to-view: "true"
@@ -30,9 +32,9 @@ rbac.authorization.k8s.io/aggregate-to-edit: "true"
 {{- if .Values.manager.clusterRole.aggregation.enabled }}
 {{- /* AGGREGATION MODE: Create fine-grained ClusterRoles */ -}}
+{{- if .Values.manager.clusterRole.aggregation.roles.coreReader.enabled }}
 ---
 # 1. Core Reader - Read-only access to configmaps and serviceaccounts (NO secrets)
-{{- if .Values.manager.clusterRole.aggregation.roles.coreReader.enabled }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -51,9 +53,9 @@ rules:
 - watch
 {{- end }}
+{{- if .Values.manager.clusterRole.aggregation.roles.secretsReader.enabled }}
 ---
 # 2. Secrets Reader - Read-only access to secrets (separate for security)
-{{- if .Values.manager.clusterRole.aggregation.roles.secretsReader.enabled }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -71,9 +73,9 @@ rules:
 - watch
 {{- end }}
+{{- if .Values.manager.clusterRole.aggregation.roles.coreWriter.enabled }}
 ---
 # 3. Core Writer - Write access to core resources
-{{- if .Values.manager.clusterRole.aggregation.roles.coreWriter.enabled }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -96,7 +98,6 @@ rules:
 verbs:
 - create
 - delete
- - get
 - patch
 - update
 - apiGroups:
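Review bot: Dropping `get` from the core-writer's pods/services rule in the `@@ -96,7 +98,6 @@` hunk (and from its deployments rule in the `@@ -112,14 +113,13 @@` hunk on the next line) leaves no role at all that grants get, list or watch on pods, services or deployments: the core-reader lists only configmaps and serviceaccounts, so in aggregation mode the controller keeps create/delete/patch/update on those workloads but loses every read verb on them, and the commit message's "reader + writer = full access" does not hold for the core group. The same pattern strips read verbs from flux-writer-source (`@@ -236,16 +233,13 @@`) and flux-writer-deploy (`@@ -260,11 +254,8 @@`, `@@ -272,11 +263,8 @@`) while flux-reader at this point lists only buckets and gitrepositories; patch 5 later widens flux-reader, but nothing in the series restores the core resources. Either add pods, services and deployments with `get`, `list`, `watch` to the core-reader, or keep `get` in the writer with a comment explaining why. The ocm-writer removal is fine because ocm-reader already lists the same resources.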
@@ -112,14 +113,13 @@ rules:
 verbs:
 - create
 - delete
- - get
 - patch
 - update
 {{- end }}
+{{- if .Values.manager.clusterRole.aggregation.roles.ocmReader.enabled }}
 ---
 # 4. OCM Reader - Read-only access to OCM CRDs
-{{- if .Values.manager.clusterRole.aggregation.roles.ocmReader.enabled }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -143,9 +143,9 @@ rules:
 - watch
 {{- end }}
+{{- if .Values.manager.clusterRole.aggregation.roles.ocmWriter.enabled }}
 ---
 # 5. OCM Writer - Full management of OCM CRDs
-{{- if .Values.manager.clusterRole.aggregation.roles.ocmWriter.enabled }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -166,11 +166,8 @@ rules:
 verbs:
 - create
 - delete
- - get
- - list
 - patch
 - update
- - watch
 - apiGroups:
 - delivery.ocm.software
 resources:
@@ -197,9 +194,9 @@ rules:
 - update
 {{- end }}
+{{- if .Values.manager.clusterRole.aggregation.roles.fluxReader.enabled }}
 ---
 # 6. Flux Reader - Read-only access to Flux source CRDs
-{{- if .Values.manager.clusterRole.aggregation.roles.fluxReader.enabled }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -218,9 +215,9 @@ rules:
 - watch
 {{- end }}
+{{- if .Values.manager.clusterRole.aggregation.roles.fluxWriterSource.enabled }}
 ---
 # 7. Flux Source Writer - Full management of Flux source repositories
-{{- if .Values.manager.clusterRole.aggregation.roles.fluxWriterSource.enabled }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -236,16 +233,13 @@ rules:
 verbs:
 - create
 - delete
- - get
- - list
 - patch
 - update
- - watch
 {{- end }}
+{{- if .Values.manager.clusterRole.aggregation.roles.fluxWriterDeploy.enabled }}
 ---
 # 8. Flux Deploy Writer - Full management of Flux deployment resources
-{{- if .Values.manager.clusterRole.aggregation.roles.fluxWriterDeploy.enabled }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -260,11 +254,8 @@ rules:
 verbs:
 - create
 - delete
- - get
- - list
 - patch
 - update
- - watch
 - apiGroups:
 - kustomize.toolkit.fluxcd.io
 resources:
@@ -272,11 +263,8 @@ rules:
 verbs:
 - create
 - delete
- - get
- - list
 - patch
 - update
- - watch
 {{- end }}
 ---
@@ -285,10 +273,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
 name: ocm-controller-manager-role
- labels:
- {{- if .Values.manager.clusterRole.labels }}
- {{- toYaml .Values.manager.clusterRole.labels | nindent 4 }}
- {{- end }}
+ labels: {{ $.Values.manager.clusterRole.labels | toJson }}
 aggregationRule:
 clusterRoleSelectors:
 - matchLabels:
@@ -302,10 +287,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
 name: ocm-controller-manager-role
- labels:
- {{- if .Values.manager.clusterRole.labels }}
- {{- toYaml .Values.manager.clusterRole.labels | nindent 4 }}
- {{- end }}
+ labels: {{ $.Values.manager.clusterRole.labels | toJson }}
 rules:
 - apiGroups:
 - ""
diff --git a/deploy/values.yaml b/deploy/values.yaml
index ccc0f93e..ae987ad2 100644
--- a/deploy/values.yaml
+++ b/deploy/values.yaml
@@ -110,10 +110,6 @@ manager:
 # Aggregate write roles to 'edit'
 # Disabled by default for security - users should explicitly opt-in
 enabled: false
- admin:
- # Admin inherits from edit automatically in K8s
- # This setting has no effect (included for documentation)
- enabled: false
 # Advanced: Individual role control (optional)
 # Most users won't need to modify these
From 934c3b6ec4f2959f4352d31a0829316bbb825b65 Mon Sep 17 00:00:00 2001
From: Henry Zeng
Date: Tue, 3 Mar 2026 11:10:25 -0800
Subject: [PATCH 3/5] refactor: use dig function for safer key access in helper template
Replace 'and (hasKey ...)' pattern with idiomatic 'dig' function for checking aggregation flags. This is the Helm best practice for safely accessing potentially missing keys. Benefits: - Cleaner, more readable syntax - Single function call instead of nested conditions - Safer with explicit default values - More idiomatic Helm template code All three aggregation flags now use consistent pattern: - aggregateToController: dig "aggregateToController" false $config - aggregateToView: dig "aggregateToView" false $config - aggregateToEdit: dig "aggregateToEdit" false $config
Signed-off-by: Henry Zeng
---
 deploy/templates/role.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/deploy/templates/role.yaml b/deploy/templates/role.yaml
index 1c4a1b25..f5f49741 100644
--- a/deploy/templates/role.yaml
+++ b/deploy/templates/role.yaml
@@ -14,15 +14,15 @@
 {{- /* Helper function to build aggregation labels */ -}}
 {{- define "ocm-controller.aggregationLabels" -}}
 {{- $config := .config -}}
-{{- if and (hasKey $config "aggregateToController") $config.aggregateToController }}
+{{- if dig "aggregateToController" false $config }}
 ocm.software/aggregate-to-controller: "true"
 {{- end }}
-{{- if and (hasKey $config "aggregateToView") $config.aggregateToView }}
+{{- if dig "aggregateToView" false $config }}
 {{- if $.Values.manager.clusterRole.aggregation.standardRoles.view.enabled }}
 rbac.authorization.k8s.io/aggregate-to-view: "true"
 {{- end }}
 {{- end }}
-{{- if and (hasKey $config "aggregateToEdit") $config.aggregateToEdit }}
+{{- if dig "aggregateToEdit" false $config }}
 {{- if $.Values.manager.clusterRole.aggregation.standardRoles.edit.enabled }}
 rbac.authorization.k8s.io/aggregate-to-edit: "true"
 {{- end }}
From 5da7d683cbdf86f745bfebeb61ff488104b7ebbf Mon Sep 17 00:00:00 2001
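Review bot: The helper is still documented only as `Helper function to build aggregation labels`, and now that `dig` decides every label the contract belongs in that comment: the caller passes a dict with `config` (one `roles.*` entry) and `Values`, a missing `aggregateToView`/`aggregateToEdit` key counts as false, and each standard-role label is additionally gated by the matching `standardRoles.<role>.enabled` value. Note also that `dig` expects its last argument to be a map, so a values override that sets a role to `null` (`coreReader:` with no body) is likely to fail rendering at this line rather than fall through to the default; if that is intended, the comment should say so. The define's closing `{{- end -}}` lies outside this hunk.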
From: Henry Zeng
Date: Tue, 3 Mar 2026 11:22:48 -0800
Subject: [PATCH 4/5] fix: always aggregate fine-grained roles to controller
Remove aggregateToController configuration flag and always apply the controller aggregation label to all fine-grained roles. Rationale: - The controller ALWAYS needs all permissions from fine-grained roles - Making this configurable adds unnecessary complexity - Users should not be able to disable controller permissions - Simplifies configuration by removing 8 redundant flags Changes: - Removed conditional check for aggregateToController in helper template - Label 'ocm.software/aggregate-to-controller: true' is now always added - Removed aggregateToController field from all 8 roles in values.yaml - Controller will always receive full aggregated permissions This ensures the controller functions correctly regardless of user configuration while still allowing users to control view/edit aggregation.
Signed-off-by: Henry Zeng
---
 deploy/templates/role.yaml | 2 --
 deploy/values.yaml | 8 --------
 2 files changed, 10 deletions(-)
diff --git a/deploy/templates/role.yaml b/deploy/templates/role.yaml
index f5f49741..b40fca36 100644
--- a/deploy/templates/role.yaml
+++ b/deploy/templates/role.yaml
@@ -14,9 +14,7 @@
 {{- /* Helper function to build aggregation labels */ -}}
 {{- define "ocm-controller.aggregationLabels" -}}
 {{- $config := .config -}}
-{{- if dig "aggregateToController" false $config }}
 ocm.software/aggregate-to-controller: "true"
-{{- end }}
 {{- if dig "aggregateToView" false $config }}
 {{- if $.Values.manager.clusterRole.aggregation.standardRoles.view.enabled }}
 rbac.authorization.k8s.io/aggregate-to-view: "true"
diff --git a/deploy/values.yaml b/deploy/values.yaml
index ae987ad2..71da8400 100644
--- a/deploy/values.yaml
+++ b/deploy/values.yaml
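Review bot: With the conditional gone, `ocm.software/aggregate-to-controller: "true"` is emitted unconditionally, and that label is the sole selector in ocm-controller-manager-role's `aggregationRule`, so any ClusterRole in the cluster that carries it is folded into the controller's permissions, not only the ones this chart renders. That is how aggregation works, and RBAC's escalation check bounds what the author of such a ClusterRole can add, but none of it is visible from the helper; a comment above the line such as `{{- /* Selector label for ocm-controller-manager-role's aggregationRule: every ClusterRole carrying it is merged into the controller's permissions */ -}}` would tell an operator auditing the controller's effective rights what to look for. The define's closing `{{- end -}}` lies outside this hunk.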
@@ -117,35 +117,27 @@ manager:
 coreReader:
 enabled: true
 aggregateToView: true
- aggregateToController: true
 secretsReader:
 enabled: true
 aggregateToView: false # Never aggregate secrets to view
- aggregateToController: true
 coreWriter:
 enabled: true
 aggregateToEdit: false
- aggregateToController: true
 ocmReader:
 enabled: true
 aggregateToView: true
- aggregateToController: true
 ocmWriter:
 enabled: true
 aggregateToEdit: false
- aggregateToController: true
 fluxReader:
 enabled: true
 aggregateToView: true
- aggregateToController: true
 fluxWriterSource:
 enabled: true
 aggregateToEdit: false
- aggregateToController: true
 fluxWriterDeploy:
 enabled: true
 aggregateToEdit: false
- aggregateToController: true
 monitoring:
 enabled: false
From 3f79f9f30171e94637be96841393b7ef3864f858 Mon Sep 17 00:00:00 2001
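Review bot: The commit's rationale is that users should not be able to disable controller permissions, yet every role in this hunk keeps an `enabled` flag that does exactly that: with `coreReader.enabled: false` the aggregated manager role simply has no configmaps/serviceaccounts read rule, and nothing warns at render time. If the rationale stands, the `enabled` flags should go the same way as `aggregateToController`, or the template should `fail` when a role is disabled while `aggregation.enabled` is true, or at minimum the `# Advanced: Individual role control (optional)` comment above this hunk should state that disabling a role also strips its rules from ocm-controller-manager-role.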
From: Henry Zeng
Date: Tue, 3 Mar 2026 11:42:47 -0800
Subject: [PATCH 5/5] refactor: consolidate Flux roles and expand reader permissions
Merge the two Flux writer roles (flux-writer-source and flux-writer-deploy) into a single flux-writer role for simplicity and consistency. Expand flux-reader to include read access to all Flux resources: - helmrepositories and ocirepositories (previously write-only) - helmreleases and kustomizations (previously write-only) This provides a cleaner separation: - flux-reader: read access to ALL Flux CRDs - flux-writer: write access to ALL Flux CRDs Changes: - Merged ocm-controller-flux-writer-source and ocm-controller-flux-writer-deploy into single ocm-controller-flux-writer role - Added helmrepositories, ocirepositories, helmreleases, and kustomizations to flux-reader with get/list/watch permissions - Updated role count from 9 to 8 (7 fine-grained + 1 main) - Simplified values.yaml configuration (removed fluxWriterSource and fluxWriterDeploy, added single fluxWriter) Benefits: - Simpler configuration with fewer roles to manage - Consistent pattern: one reader + one writer per functional area - Users can grant read-only Flux access without complexity - Easier to understand and maintain
Signed-off-by: Henry Zeng
---
 deploy/templates/role.yaml | 44 ++++++++++++++++++++++----------------
 deploy/values.yaml | 5 +----
 2 files changed, 26 insertions(+), 23 deletions(-)
diff --git a/deploy/templates/role.yaml b/deploy/templates/role.yaml
index b40fca36..4408e146 100644
--- a/deploy/templates/role.yaml
+++ b/deploy/templates/role.yaml
@@ -6,7 +6,7 @@
 2026-03-02 :
 Added support for fine-grained aggregatable ClusterRoles.
 When manager.clusterRole.aggregation.enabled is true, this template generates
- 9 separate ClusterRoles that can be aggregated to standard K8s roles.
+ 8 separate ClusterRoles that can be aggregated to standard K8s roles.
 When false (default), generates the original monolithic ClusterRole for
 backward compatibility.
 */ -}}
@@ -194,7 +194,7 @@ rules:
 {{- if .Values.manager.clusterRole.aggregation.roles.fluxReader.enabled }}
 ---
-# 6. Flux Reader - Read-only access to Flux source CRDs
+# 6. Flux Reader - Read-only access to all Flux CRDs
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -207,21 +207,39 @@ rules:
 resources:
 - buckets
 - gitrepositories
+ - helmrepositories
+ - ocirepositories
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - helm.toolkit.fluxcd.io
+ resources:
+ - helmreleases
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - kustomize.toolkit.fluxcd.io
+ resources:
+ - kustomizations
 verbs:
 - get
 - list
 - watch
 {{- end }}
-{{- if .Values.manager.clusterRole.aggregation.roles.fluxWriterSource.enabled }}
+{{- if .Values.manager.clusterRole.aggregation.roles.fluxWriter.enabled }}
 ---
-# 7. Flux Source Writer - Full management of Flux source repositories
+# 7. Flux Writer - Full management of all Flux CRDs
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
- name: ocm-controller-flux-writer-source
+ name: ocm-controller-flux-writer
 labels:
- {{- include "ocm-controller.aggregationLabels" (dict "config" .Values.manager.clusterRole.aggregation.roles.fluxWriterSource "Values" .Values) | nindent 4 }}
+ {{- include "ocm-controller.aggregationLabels" (dict "config" .Values.manager.clusterRole.aggregation.roles.fluxWriter "Values" .Values) | nindent 4 }}
 rules:
 - apiGroups:
 - source.toolkit.fluxcd.io
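Review bot: The new header `# 7. Flux Writer - Full management of all Flux CRDs` overstates the rule set: the writer's source.toolkit.fluxcd.io rule (its resource list continues outside the hunk; patch 1 introduced it with helmrepositories and ocirepositories only) does not cover buckets or gitrepositories, which only the reader lists, so `# 7. Flux Writer - Write access to Flux HelmRepositories, OCIRepositories, HelmReleases and Kustomizations` would describe it accurately. A comment near the flux-reader is also warranted: because `fluxReader.aggregateToView` defaults to true, this hunk means enabling aggregation now exposes HelmRelease and Kustomization objects, including any inline `spec.values`, to every holder of the built-in view role, a broader disclosure than the GitRepository/Bucket read it extends. If Flux is installed with its own aggregated view/edit ClusterRoles this may also duplicate them; a line in the values comment would help operators judge either way.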
@@ -233,18 +251,6 @@ rules:
 - delete
 - patch
 - update
-{{- end }}
-
-{{- if .Values.manager.clusterRole.aggregation.roles.fluxWriterDeploy.enabled }}
----
-# 8. Flux Deploy Writer - Full management of Flux deployment resources
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: ocm-controller-flux-writer-deploy
- labels:
- {{- include "ocm-controller.aggregationLabels" (dict "config" .Values.manager.clusterRole.aggregation.roles.fluxWriterDeploy "Values" .Values) | nindent 4 }}
-rules:
 - apiGroups:
 - helm.toolkit.fluxcd.io
 resources:
@@ -266,7 +272,7 @@ rules:
 {{- end }}
 ---
-# 9. Main Controller Role - Aggregates all sub-roles
+# 8. Main Controller Role - Aggregates all sub-roles
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
diff --git a/deploy/values.yaml b/deploy/values.yaml
index 71da8400..f23fd569 100644
--- a/deploy/values.yaml
+++ b/deploy/values.yaml
@@ -132,10 +132,7 @@ manager:
 fluxReader:
 enabled: true
 aggregateToView: true
- fluxWriterSource:
- enabled: true
- aggregateToEdit: false
- fluxWriterDeploy:
+ fluxWriter:
 enabled: true
 aggregateToEdit: false
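Review bot: The values.yaml hunk renames the role keys but leaves the description above it (outside this hunk, added in patch 1) reading `# When true, creates 9 separate ClusterRoles with aggregation labels`, while the template header in this same commit was changed to 8; update it to `# When true, creates 8 separate ClusterRoles with aggregation labels` so the two files agree. `fluxWriterSource` and `fluxWriterDeploy` also disappear without a migration note: a user override that still sets `fluxWriterSource.enabled: false` is silently ignored because the template now reads only `fluxWriter`, so a short comment on the renamed key, or a `fail` when either old key is present, would prevent a quiet change in which roles get rendered.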