Generate RBAC role directly into Chart template, adapt hardcoded path.

notandy · notandy · commit 4357756c5bb6 · 2026-05-05T08:54:23.000-04:00
helmify before did convert the controller-gen generated rbac role to
helm, but now we can just use it directly in the charts. Seperated out
the rbac role.
Should work as before.
diff --git a/Makefile b/Makefile
@@ -113,7 +113,7 @@ check: FORCE static-check build/cover.html build-all
 
 generate: install-controller-gen
 	@printf "\e[1;36m>> controller-gen\e[0m\n"
-	@controller-gen crd:allowDangerousTypes=true rbac:roleName=manager-role webhook paths="./..." output:crd:artifacts:config=charts/openstack-hypervisor-operator/crds output:rbac:artifacts:config=config/rbac
+	@controller-gen crd:allowDangerousTypes=true rbac:roleName=hypervisor-operator-manager-role webhook paths="./..." output:crd:artifacts:config=charts/openstack-hypervisor-operator/crds output:rbac:artifacts:config=charts/openstack-hypervisor-operator/templates
 	@controller-gen object:headerFile="hack/boilerplate.go.txt" paths="./..."
 	@controller-gen applyconfiguration paths="./..."
 
diff --git a/Makefile.maker.yaml b/Makefile.maker.yaml
@@ -9,7 +9,8 @@ controllerGen:
   enabled: true
   crdOutputPath: charts/openstack-hypervisor-operator/crds
   objectHeaderFile: hack/boilerplate.go.txt
-  rbacRoleName: manager-role
+  rbacRoleName: hypervisor-operator-manager-role
+  rbacOutputPath: charts/openstack-hypervisor-operator/templates
   allowDangerousTypes: true
 
 coverageTest:
diff --git a/charts/openstack-hypervisor-operator/templates/manager-clusterrolebinding.yaml b/charts/openstack-hypervisor-operator/templates/manager-clusterrolebinding.yaml
@@ -0,0 +1,14 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "openstack-hypervisor-operator.fullname" . }}-manager-rolebinding
+  labels:
+  {{- include "openstack-hypervisor-operator.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: hypervisor-operator-manager-role
+subjects:
+- kind: ServiceAccount
+  name: '{{ include "openstack-hypervisor-operator.serviceAccountName" . }}'
+  namespace: '{{ .Release.Namespace }}'
diff --git a/charts/openstack-hypervisor-operator/templates/manager-rbac.yaml b/charts/openstack-hypervisor-operator/templates/manager-rbac.yaml
diff --git a/charts/openstack-hypervisor-operator/templates/role.yaml b/charts/openstack-hypervisor-operator/templates/role.yaml
@@ -2,7 +2,7 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: manager-role
+  name: hypervisor-operator-manager-role
 rules:
 - apiGroups:
   - ""
