Allow for toggling aggregate-to-view and aggregate-to-edit (#4733)

Signed-off-by: Lino Layani <layanilino@gmail.com>
Co-authored-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>

deploy/charts/external-secrets/README.md

@@ -141,6 +141,8 @@ The command removes all the Kubernetes components associated with the chart and
 | processClusterPushSecret | bool | `true` | if true, the operator will process cluster push secret. Else, it will ignore them. |
 | processClusterStore | bool | `true` | if true, the operator will process cluster store. Else, it will ignore them. |
 | processPushSecret | bool | `true` | if true, the operator will process push secret. Else, it will ignore them. |
+| rbac.aggregateToEdit | bool | `true` | Specifies whether permissions are aggregated to the edit ClusterRole |
+| rbac.aggregateToView | bool | `true` | Specifies whether permissions are aggregated to the view ClusterRole |
 | rbac.create | bool | `true` | Specifies whether role and rolebinding resources should be created. |
 | rbac.servicebindings.create | bool | `true` | Specifies whether a clusterrole to give servicebindings read access should be created. |
 | replicaCount | int | `1` |  |

deploy/charts/external-secrets/templates/rbac.yaml

@@ -186,8 +186,12 @@ metadata:
   {{- end }}
   labels:
     {{- include "external-secrets.labels" . | nindent 4 }}
+    {{- if .Values.rbac.aggregateToView }}
     rbac.authorization.k8s.io/aggregate-to-view: "true"
+    {{- end }}
+    {{- if .Values.rbac.aggregateToEdit }}
     rbac.authorization.k8s.io/aggregate-to-edit: "true"
+    {{- end }}
     rbac.authorization.k8s.io/aggregate-to-admin: "true"
 rules:
   - apiGroups:
@@ -241,7 +245,9 @@ metadata:
   {{- end }}
   labels:
     {{- include "external-secrets.labels" . | nindent 4 }}
+    {{- if .Values.rbac.aggregateToEdit }}
     rbac.authorization.k8s.io/aggregate-to-edit: "true"
+    {{- end }}
     rbac.authorization.k8s.io/aggregate-to-admin: "true"
 rules:
   - apiGroups:

deploy/charts/external-secrets/tests/rbac_test.yaml

@@ -0,0 +1,32 @@
+suite: test rbac
+templates:
+  - rbac.yaml
+tests:
+  - it: should remove the labels aggregate-to-view to the view ClusterRole
+    set:
+      rbac:
+        aggregateToView: false
+    asserts:
+      - notExists:
+          path: metadata.labels["rbac.authorization.k8s.io/aggregate-to-view"]
+        documentSelector:
+          kind: ClusterRole
+          path: metadata.name
+          value: RELEASE-NAME-external-secrets-view
+  - it: should remove the labels aggregate-to-edit to the view and edit ClusterRoles
+    set:
+      rbac:
+        aggregateToEdit: false
+    asserts:
+      - notExists:
+          path: metadata.labels["rbac.authorization.k8s.io/aggregate-to-edit"]
+        documentSelector:
+          kind: ClusterRole
+          path: metadata.name
+          value: RELEASE-NAME-external-secrets-view
+      - notExists:
+          path: metadata.labels["rbac.authorization.k8s.io/aggregate-to-edit"]
+        documentSelector:
+          kind: ClusterRole
+          path: metadata.name
+          value: RELEASE-NAME-external-secrets-edit

deploy/charts/external-secrets/values.schema.json

@@ -503,6 +503,12 @@
         },
         "rbac": {
             "properties": {
+                "aggregateToEdit": {
+                    "type": "boolean"
+                },
+                "aggregateToView": {
+                    "type": "boolean"
+                },
                 "create": {
                     "type": "boolean"
                 },

deploy/charts/external-secrets/values.yaml

@@ -130,6 +130,12 @@ rbac:
     # -- Specifies whether a clusterrole to give servicebindings read access should be created.
     create: true
 
+  # -- Specifies whether permissions are aggregated to the view ClusterRole
+  aggregateToView: true
+
+  # -- Specifies whether permissions are aggregated to the edit ClusterRole
+  aggregateToEdit: true
+
 ## -- Extra environment variables to add to container.
 extraEnv: []