19b1c138e1
* Add initContainers to controller pod, allow secrets to be manipulated Signed-off-by: lukepatrick <lukephilips@gmail.com> * bump Signed-off-by: lukepatrick <lukephilips@gmail.com> * linting Signed-off-by: lukepatrick <lukephilips@gmail.com> * Update charts/argo-rollouts/templates/controller/deployment.yaml Co-authored-by: Marco Kilchhofer <mkilchhofer@users.noreply.github.com> Signed-off-by: lukepatrick <lukephilips@gmail.com> Signed-off-by: lukepatrick <lukephilips@gmail.com> Co-authored-by: Marco Kilchhofer <mkilchhofer@users.noreply.github.com>
153 lines
2.5 KiB
YAML
153 lines
2.5 KiB
YAML
{{- if not .Values.clusterInstall }}
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: Role
|
|
metadata:
|
|
name: {{ include "argo-rollouts.fullname" . }}
|
|
labels:
|
|
app.kubernetes.io/component: {{ .Values.controller.component }}
|
|
{{- include "argo-rollouts.labels" . | nindent 4 }}
|
|
rules:
|
|
- apiGroups:
|
|
- argoproj.io
|
|
resources:
|
|
- rollouts
|
|
- rollouts/status
|
|
- rollouts/finalizers
|
|
verbs:
|
|
- get
|
|
- list
|
|
- watch
|
|
- update
|
|
- patch
|
|
- apiGroups:
|
|
- argoproj.io
|
|
resources:
|
|
- analysisruns
|
|
- analysisruns/finalizers
|
|
- experiments
|
|
- experiments/finalizers
|
|
verbs:
|
|
- create
|
|
- get
|
|
- list
|
|
- watch
|
|
- update
|
|
- patch
|
|
- delete
|
|
- apiGroups:
|
|
- argoproj.io
|
|
resources:
|
|
- analysistemplates
|
|
- clusteranalysistemplates
|
|
verbs:
|
|
- get
|
|
- list
|
|
- watch
|
|
# replicaset access needed for managing ReplicaSets
|
|
- apiGroups:
|
|
- apps
|
|
resources:
|
|
- replicasets
|
|
verbs:
|
|
- create
|
|
- get
|
|
- list
|
|
- watch
|
|
- update
|
|
- patch
|
|
- delete
|
|
# services patch needed to update selector of canary/stable/active/preview services
|
|
- apiGroups:
|
|
- ""
|
|
resources:
|
|
- services
|
|
verbs:
|
|
- get
|
|
- list
|
|
- watch
|
|
- patch
|
|
# secret access to run analysis templates which reference secrets
|
|
# configmap access to read notification-engine configuration
|
|
- apiGroups:
|
|
- ""
|
|
resources:
|
|
- secrets
|
|
- configmaps
|
|
verbs:
|
|
- get
|
|
- list
|
|
- watch
|
|
- create
|
|
- patch
|
|
- update
|
|
# pod list/update needed for updating ephemeral data
|
|
- apiGroups:
|
|
- ""
|
|
resources:
|
|
- pods
|
|
verbs:
|
|
- list
|
|
- update
|
|
# pods eviction needed for restart
|
|
- apiGroups:
|
|
- ""
|
|
resources:
|
|
- pods/eviction
|
|
verbs:
|
|
- create
|
|
# event write needed for emitting events
|
|
- apiGroups:
|
|
- ""
|
|
resources:
|
|
- events
|
|
verbs:
|
|
- create
|
|
- update
|
|
- patch
|
|
# ingress patch needed for managing ingress annotations, create needed for nginx canary
|
|
- apiGroups:
|
|
- networking.k8s.io
|
|
- extensions
|
|
resources:
|
|
- ingresses
|
|
verbs:
|
|
- create
|
|
- get
|
|
- list
|
|
- watch
|
|
- patch
|
|
# job access needed for analysis template job metrics
|
|
- apiGroups:
|
|
- batch
|
|
resources:
|
|
- jobs
|
|
verbs:
|
|
- create
|
|
- get
|
|
- list
|
|
- watch
|
|
- update
|
|
- patch
|
|
- delete
|
|
# virtualservice access needed for using the Istio provider
|
|
- apiGroups:
|
|
- networking.istio.io
|
|
resources:
|
|
- virtualservices
|
|
verbs:
|
|
- watch
|
|
- get
|
|
- update
|
|
- list
|
|
# trafficsplit access needed for using the SMI provider
|
|
- apiGroups:
|
|
- split.smi-spec.io
|
|
resources:
|
|
- trafficsplits
|
|
verbs:
|
|
- create
|
|
- watch
|
|
- get
|
|
- update
|
|
- patch
|
|
{{- end }}
|