feat: add cluster role and fluxcd crd rules to role

deploy/helm/pulumi-operator/Chart.yaml

@@ -5,12 +5,12 @@ home: https://pulumi.com
 sources:
   - https://github.com/pulumi/pulumi-kubernetes-operator
 
-icon: https://www.pulumi.com/logos/brand/twitter-card.png
+icon: https://www.pulumi.com/logos/brand/avatar-on-white.svg
 
 type: application
 
-version: 0.1.0
-appVersion: "1.10.1"
+version: 0.2.0
+appVersion: "1.13.0"
 
 keywords:
   - pulumi
@@ -25,7 +25,7 @@ maintainers:
 annotations:
   artifacthub.io/containsSecurityUpdates: "false"
   artifacthub.io/changes: |
-    - initial release
+    - add cluster role and fluxcd crd rules to role
   artifacthub.io/images: |
     - name: pulumi-kubernetes-operator
       image: docker.io/pulumi-kubernetes-operator:v1.10.1

deploy/helm/pulumi-operator/README.md

@@ -1,6 +1,6 @@
 # node-red ⚙
 
-![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=for-the-badge) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=for-the-badge) ![AppVersion: 1.10.1](https://img.shields.io/badge/AppVersion-1.10.1-informational?style=for-the-badge)
+![Version: 0.2.0](https://img.shields.io/badge/Version-0.2.0-informational?style=for-the-badge) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=for-the-badge) ![AppVersion: 1.13.0](https://img.shields.io/badge/AppVersion-1.13.0-informational?style=for-the-badge)
 
 ## Description 📜
 
@@ -11,7 +11,7 @@ A Helm chart for the Pulumi Kubernetes Operator
 To install the chart using the OCI artifact, run:
 
 ```bash
-helm install pulumi-kubernetes-operator oci://ghcr.io/pulumi/helm-charts/pulumi-kubernetes-operator --version 0.1.0
+helm install pulumi-kubernetes-operator oci://ghcr.io/pulumi/helm-charts/pulumi-kubernetes-operator --version 0.2.0
 ```
 
 ## Usage
@@ -27,7 +27,7 @@ helm repo update
 To install the chart with the release name `pulumi-kubernetes-operator` run:
 
 ```bash
-helm install pulumi-kubernetes-operator pulumi-kubernetes-operator/pulumi-kubernetes-operator --version 0.1.0
+helm install pulumi-kubernetes-operator pulumi-kubernetes-operator/pulumi-kubernetes-operator --version 0.2.0
 ```
 
 After a few seconds, the `pulumi-kubernetes-operator` should be running.
@@ -56,11 +56,14 @@ The command removes all the Kubernetes components associated with the chart and
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | affinity | object | `{}` | The affinity constraint |
+| clusterRoleRules.enabled | bool | `false` | Enable custom rules for the application controller's ClusterRole resource default: false |
+| clusterRoleRules.rules | list | `[]` | List of custom rules for the application controller's ClusterRole resource default: [] |
 | controller.args | list | `["--zap-level=error","--zap-time-encoding=iso8601"]` | List of arguments to pass to the operator |
 | controller.gracefulShutdownTimeoutDuration | string | `"5m"` | Graceful shutdown timeout duration, default: `5m` |
 | controller.kubernetesClusterDomain | string | `"cluster.local"` | Kubernetes Cluster Domain, default: `cluster.local` |
 | controller.maxConcurrentReconciles | string | `"10"` | Max concurrent reconciles, default: `10` |
 | controller.pulumiInferNamespace | string | `"1"` | Pulumi infer namespace, default: `1` |
+| createClusterRole | bool | `true` | Create a ClusterRole resource for the node-red pod. default: false |
 | deploymentAnnotations | object | `{}` | Deployment annotations |
 | deploymentStrategy | string | `""` | Specifies the strategy used to replace old Pods by new ones, default: `RollingUpdate` |
 | extraEnv | list | `[]` | Extra Environments to be passed to the operator |

deploy/helm/pulumi-operator/templates/clusterrole.yaml

@@ -0,0 +1,19 @@
+{{- if .Values.createClusterRole }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "pulumi-kubernetes-operator.fullname" . }}
+  labels:
+  {{- include "pulumi-kubernetes-operator.labels" . | nindent 4 }}
+rules:
+  {{- if .Values.clusterRoleRules.enabled }}
+    {{- toYaml .Values.clusterRoleRules.rules | nindent 2 }}
+  {{- else }}
+  - apiGroups:
+      - '*'
+    resources:
+      - '*'
+    verbs:
+      - '*'
+  {{- end }}
+{{- end }}

deploy/helm/pulumi-operator/templates/clusterrolebinding.yaml

@@ -0,0 +1,17 @@
+{{- if .Values.createClusterRole }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "pulumi-kubernetes-operator.fullname" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    {{- include "pulumi-kubernetes-operator.labels" . | nindent 4 }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "pulumi-kubernetes-operator.serviceAccountName" . }}
+    namespace: {{ .Release.Namespace | quote }}
+roleRef:
+  kind: ClusterRole
+  name: {{ include "pulumi-kubernetes-operator.fullname" . }}
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}

deploy/helm/pulumi-operator/templates/role.yaml

@@ -88,3 +88,33 @@ rules:
   - get
   - list
   - update
+- apiGroups:
+  - source.toolkit.fluxcd.io'
+  resources:
+  - '*'
+  verbs:
+  - '*'
+- apiGroups:
+  - kustomize.toolkit.fluxcd.io
+  resources:
+  - '*'
+  verbs:
+  - '*'
+- apiGroups:
+  - helm.toolkit.fluxcd.io
+  resources:
+  - '*'
+  verbs:
+  - '*'
+- apiGroups:
+  - notification.toolkit.fluxcd.io
+  resources:
+  - '*'
+  verbs:
+  - '*'
+- apiGroups:
+  - image.toolkit.fluxcd.io
+  resources:
+  - '*'
+  verbs:
+  - '*'

deploy/helm/pulumi-operator/values.yaml

@@ -32,6 +32,16 @@ controller:
 # -- Extra Environments to be passed to the operator
 extraEnv: []
 
+# -- Create a ClusterRole resource for the node-red pod. default: false
+createClusterRole: true
+
+## -- Enable this and set the rules: to whatever custom rules you want for the Cluster Role resource.
+clusterRoleRules:
+  # -- Enable custom rules for the application controller's ClusterRole resource default: false
+  enabled: false
+  # -- List of custom rules for the application controller's ClusterRole resource default: []
+  rules: []
+
 # -- The image pull secrets
 imagePullSecrets: ""