automate Helm chart RBAC sync from generated ClusterRoles

Signed-off-by: kahirokunn <okinakahiro@gmail.com>

Author: kahirokunn

config/charts/knative-operator/templates/operator.yaml

@@ -0,0 +1,267 @@
+# Code generated by hack/sync-helm-rbac.sh; DO NOT EDIT.
+# Copyright 2025 The Knative Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: knative-serving-operator
+  labels:
+    app.kubernetes.io/version: '{{ .Chart.Version }}'
+    app.kubernetes.io/name: knative-operator
+rules:
+  - apiGroups:
+      - operator.knative.dev
+    resources:
+      - '*'
+    verbs:
+      - '*'
+  # Bootstrapping permissions.
+  # Roles that are explicitly bound buch which are specified by this Operator
+  # MUST be specified here with 'get' and 'bind'.
+  - apiGroups:
+      - rbac.authorization.k8s.io
+    resources:
+      - clusterroles
+    resourceNames:
+      - system:auth-delegator
+    verbs:
+      - bind
+      - get
+  - apiGroups:
+      - rbac.authorization.k8s.io
+    resources:
+      - roles
+    resourceNames:
+      - extension-apiserver-authentication-reader
+    verbs:
+      - bind
+      - get
+  - apiGroups:
+      - rbac.authorization.k8s.io
+    resources:
+      - clusterroles
+      - roles
+    verbs:
+      - create
+      - delete
+      # Escalate is necessary in order to create a role using cluster role aggregation,
+      # and to allow the Operator to bootstrap itself into the necessary set of
+      # permissions, even as those continue to evolve upstream.
+      - escalate
+      - get
+      - list
+      - update
+  - apiGroups:
+      - rbac.authorization.k8s.io
+    resources:
+      - clusterrolebindings
+      - rolebindings
+    verbs:
+      - create
+      - delete
+      - list
+      - get
+      - update
+  # Permissions required for Knative controller
+  # infra.
+  - apiGroups:
+      - apiregistration.k8s.io
+    resources:
+      - apiservices
+    verbs:
+      - update
+  - apiGroups:
+      - ""
+    resources:
+      - services
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - caching.internal.knative.dev
+    resources:
+      - images
+    verbs:
+      - '*'
+  - apiGroups:
+      - ""
+    resources:
+      - namespaces
+    verbs:
+      - get
+      - update
+      - watch
+  - apiGroups:
+      - ''
+    resources:
+      - events
+    verbs:
+      - create
+      - update
+      - patch
+  - apiGroups:
+      - ''
+    resources:
+      - configmaps
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - security.istio.io
+      - apps
+      - policy
+    resources:
+      - poddisruptionbudgets
+      - peerauthentications
+      - deployments
+      - daemonsets
+      - replicasets
+      - statefulsets
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - watch
+      - update
+  - apiGroups:
+      - apiregistration.k8s.io
+    resources:
+      - apiservices
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+  - apiGroups:
+      - autoscaling
+    resources:
+      - horizontalpodautoscalers
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+  - apiGroups:
+      - coordination.k8s.io
+    resources:
+      - leases
+    verbs:
+      - '*'
+  - apiGroups:
+      - apiextensions.k8s.io
+    resources:
+      - customresourcedefinitions
+    verbs:
+      - '*'
+  # Old resources that need cleaning up that are not in the knative-serving
+  # namespace.
+  - apiGroups:
+      - ""
+    resources:
+      - services
+      - deployments
+      - horizontalpodautoscalers
+    resourceNames:
+      - knative-ingressgateway
+    verbs:
+      - delete
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+    resourceNames:
+      - config-controller
+    verbs:
+      - delete
+  - apiGroups:
+      - ""
+    resources:
+      - serviceaccounts
+    resourceNames:
+      - knative-serving-operator
+    verbs:
+      - delete
+  # for contour TLS
+  - apiGroups:
+      - projectcontour.io
+    resources:
+      - httpproxies
+      - tlscertificatedelegations
+    verbs:
+      - get
+      - list
+      - watch
+      - update
+      - create
+      - delete
+      - deletecollection
+      - patch
+  # for security-guard
+  - apiGroups:
+      - guard.security.knative.dev
+    resources:
+      - guardians
+    verbs:
+      - get
+      - list
+      - watch
+      - create
+      - update
+      - patch
+      - delete
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+    verbs:
+      - get
+      - list
+      - watch
+      - create
+      - update
+      - patch
+      - delete
+  - apiGroups:
+      - authentication.k8s.io
+    resources:
+      - tokenreviews
+    verbs:
+      - create
+  - apiGroups:
+      - ""
+    resources:
+      - pods
+    verbs:
+      - get
+# Copyright 2020 The Knative Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.

config/charts/knative-operator/templates/rbac/eventing-operator-role.yaml

@@ -254,6 +254,20 @@ rules:
   verbs:
   - get
 ---
+# Copyright 2020 The Knative Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:

config/charts/knative-operator/templates/rbac/serving-operator-role.yaml

@@ -0,0 +1,75 @@
+#!/usr/bin/env bash
+
+# Copyright 2025 The Knative Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Syncs ClusterRole definitions from config/rbac/role.yaml to the Helm chart.
+# Replaces app.kubernetes.io/version: devel with "{{ .Chart.Version }}" for Helm.
+#
+# Usage: hack/sync-helm-rbac.sh
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+REPO_ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+
+ROLE_SRC="${REPO_ROOT_DIR}/config/rbac/role.yaml"
+HELM_RBAC_DIR="${REPO_ROOT_DIR}/config/charts/knative-operator/templates/rbac"
+BOILERPLATE_YAML="${REPO_ROOT_DIR}/hack/boilerplate/boilerplate.yaml.txt"
+
+mkdir -p "${HELM_RBAC_DIR}"
+
+# Ensure a recent mikefarah/yq.
+GOFLAGS=-mod=mod go install github.com/mikefarah/yq/v4@v4.52.5
+YQ_BIN_DIR="$(go env GOBIN)"
+YQ_BIN_DIR="${YQ_BIN_DIR:-$(go env GOPATH)/bin}"
+export PATH="${YQ_BIN_DIR}:$PATH"
+
+echo "Syncing ClusterRoles from ${ROLE_SRC} to ${HELM_RBAC_DIR}"
+
+write_clusterrole() {
+  local name="$1"
+  local target="$2"
+
+  echo "  Processing ClusterRole ${name} -> rbac/$(basename "${target}")"
+
+  local tmp
+  tmp="$(mktemp)"
+  if ! yq eval "(select(.metadata.name == \"${name}\")) | .metadata.labels.\"app.kubernetes.io/version\" = \"{{ .Chart.Version }}\"" "${ROLE_SRC}" > "${tmp}"; then
+    echo "ERROR: yq failed to extract ClusterRole ${name}"
+    rm -f "${tmp}"
+    exit 1
+  fi
+
+  if ! grep -qE '^kind:[[:space:]]+ClusterRole' "${tmp}"; then
+    echo "ERROR: no ClusterRole document found for ${name} in ${ROLE_SRC}"
+    rm -f "${tmp}"
+    exit 1
+  fi
+
+  # Drop any leading comments from yq output so every chart template gets the same
+  # Apache-2.0 header (eventing's ClusterRole in role.yaml may not preserve comments).
+  {
+    echo "# Code generated by hack/sync-helm-rbac.sh; DO NOT EDIT."
+    cat "${BOILERPLATE_YAML}"
+    awk '/^kind:/{p=1} p' "${tmp}"
+  } > "${target}"
+  rm -f "${tmp}"
+}
+
+write_clusterrole "knative-serving-operator" "${HELM_RBAC_DIR}/serving-operator-role.yaml"
+write_clusterrole "knative-eventing-operator" "${HELM_RBAC_DIR}/eventing-operator-role.yaml"
+
+echo "Done. RBAC synced to ${HELM_RBAC_DIR}"

config/rbac/role.yaml

@@ -70,6 +70,10 @@ group "Sync CRDs to Helm chart"
 
 "${REPO_ROOT_DIR}/hack/sync-helm-crds.sh"
 
+group "Sync RBAC to Helm chart"
+
+"${REPO_ROOT_DIR}/hack/sync-helm-rbac.sh"
+
 group "Update deps post-codegen"
 
 # Make sure our dependencies are up-to-date