break(helm/v2-plugin): enhance RBAC support with namespace-scoped deployments, multi-namespace configuration, and dynamic Role/ClusterRole rendering

Generated-by: Claude

Author: camilamacedo86

docs/book/src/cronjob-tutorial/testdata/project/dist/chart/templates/manager/manager.yaml

@@ -53,6 +53,9 @@ spec:
       - args:
         {{- if .Values.metrics.enable }}
         - --metrics-bind-address=:{{ .Values.metrics.port }}
+        {{- if not .Values.metrics.secure }}
+        - --metrics-secure=false
+        {{- end }}
         {{- else }}
         # Bind to :0 to disable the controller-runtime managed metrics server
         - --metrics-bind-address=0

docs/book/src/cronjob-tutorial/testdata/project/dist/chart/templates/rbac/cronjob-admin-role.yaml

@@ -1,7 +1,14 @@
-{{- if .Values.rbacHelpers.enable }}
+{{- if .Values.rbac.helpers.enable }}
 apiVersion: rbac.authorization.k8s.io/v1
+{{- if .Values.rbac.namespaced }}
+kind: Role
+{{- else }}
 kind: ClusterRole
+{{- end }}
 metadata:
+{{- if .Values.rbac.namespaced }}
+  namespace: {{ .Release.Namespace }}
+{{- end }}
   labels:
     app.kubernetes.io/managed-by: {{ .Release.Service }}
     app.kubernetes.io/name: {{ include "project.name" . }}

docs/book/src/cronjob-tutorial/testdata/project/dist/chart/templates/rbac/cronjob-editor-role.yaml

@@ -1,7 +1,14 @@
-{{- if .Values.rbacHelpers.enable }}
+{{- if .Values.rbac.helpers.enable }}
 apiVersion: rbac.authorization.k8s.io/v1
+{{- if .Values.rbac.namespaced }}
+kind: Role
+{{- else }}
 kind: ClusterRole
+{{- end }}
 metadata:
+{{- if .Values.rbac.namespaced }}
+  namespace: {{ .Release.Namespace }}
+{{- end }}
   labels:
     app.kubernetes.io/managed-by: {{ .Release.Service }}
     app.kubernetes.io/name: {{ include "project.name" . }}

docs/book/src/cronjob-tutorial/testdata/project/dist/chart/templates/rbac/cronjob-viewer-role.yaml

@@ -1,7 +1,14 @@
-{{- if .Values.rbacHelpers.enable }}
+{{- if .Values.rbac.helpers.enable }}
 apiVersion: rbac.authorization.k8s.io/v1
+{{- if .Values.rbac.namespaced }}
+kind: Role
+{{- else }}
 kind: ClusterRole
+{{- end }}
 metadata:
+{{- if .Values.rbac.namespaced }}
+  namespace: {{ .Release.Namespace }}
+{{- end }}
   labels:
     app.kubernetes.io/managed-by: {{ .Release.Service }}
     app.kubernetes.io/name: {{ include "project.name" . }}

docs/book/src/cronjob-tutorial/testdata/project/dist/chart/templates/rbac/manager-role.yaml

@@ -1,6 +1,13 @@
 apiVersion: rbac.authorization.k8s.io/v1
+{{- if .Values.rbac.namespaced }}
+kind: Role
+{{- else }}
 kind: ClusterRole
+{{- end }}
 metadata:
+{{- if .Values.rbac.namespaced }}
+  namespace: {{ .Release.Namespace }}
+{{- end }}
   name: {{ include "project.resourceName" (dict "suffix" "manager-role" "context" $) }}
 rules:
 - apiGroups:

docs/book/src/cronjob-tutorial/testdata/project/dist/chart/templates/rbac/manager-rolebinding.yaml

@@ -1,6 +1,13 @@
 apiVersion: rbac.authorization.k8s.io/v1
+{{- if .Values.rbac.namespaced }}
+kind: RoleBinding
+{{- else }}
 kind: ClusterRoleBinding
+{{- end }}
 metadata:
+{{- if .Values.rbac.namespaced }}
+  namespace: {{ .Release.Namespace }}
+{{- end }}
   labels:
     app.kubernetes.io/managed-by: {{ .Release.Service }}
     app.kubernetes.io/name: {{ include "project.name" . }}
@@ -9,7 +16,11 @@ metadata:
   name: {{ include "project.resourceName" (dict "suffix" "manager-rolebinding" "context" $) }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
+  {{- if .Values.rbac.namespaced }}
+  kind: Role
+  {{- else }}
   kind: ClusterRole
+  {{- end }}
   name: {{ include "project.resourceName" (dict "suffix" "manager-role" "context" $) }}
 subjects:
 - kind: ServiceAccount

docs/book/src/cronjob-tutorial/testdata/project/dist/chart/templates/rbac/metrics-auth-role.yaml

@@ -1,4 +1,7 @@
-{{- if .Values.metrics.enable }}
+{{- if and .Values.metrics.enable .Values.metrics.secure }}
+{{- if .Values.rbac.namespaced }}
+{{- fail "Cannot enable secure metrics (metrics.secure=true) with namespace-scoped RBAC (rbac.namespaced=true). Metrics authentication requires cluster-scoped TokenReview/SubjectAccessReview permissions. Either set metrics.secure=false or rbac.namespaced=false." }}
+{{- end }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:

docs/book/src/cronjob-tutorial/testdata/project/dist/chart/templates/rbac/metrics-auth-rolebinding.yaml

@@ -1,4 +1,7 @@
-{{- if .Values.metrics.enable }}
+{{- if and .Values.metrics.enable .Values.metrics.secure }}
+{{- if .Values.rbac.namespaced }}
+{{- fail "Cannot enable secure metrics (metrics.secure=true) with namespace-scoped RBAC (rbac.namespaced=true). Metrics authentication requires cluster-scoped TokenReview/SubjectAccessReview permissions. Either set metrics.secure=false or rbac.namespaced=false." }}
+{{- end }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:

docs/book/src/cronjob-tutorial/testdata/project/dist/chart/templates/rbac/metrics-reader.yaml

@@ -1,4 +1,7 @@
-{{- if .Values.metrics.enable }}
+{{- if and .Values.metrics.enable .Values.metrics.secure }}
+{{- if .Values.rbac.namespaced }}
+{{- fail "Cannot enable secure metrics (metrics.secure=true) with namespace-scoped RBAC (rbac.namespaced=true). Metrics reader role requires nonResourceURLs which are only valid in ClusterRoles. Either set metrics.secure=false or rbac.namespaced=false." }}
+{{- end }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:

docs/book/src/cronjob-tutorial/testdata/project/dist/chart/values.yaml

@@ -87,11 +87,18 @@ manager:
   ##
   terminationGracePeriodSeconds: 10
 
-## Helper RBAC roles for managing custom resources
+## RBAC configuration
 ##
-rbacHelpers:
-  # Install convenience admin/editor/viewer roles for CRDs
-  enable: false
+rbac:
+  # RBAC resource scope
+  # - false (default): ClusterRole/ClusterRoleBinding (all namespaces)
+  # - true: Role/RoleBinding (release namespace only)
+  namespaced: false
+
+  # Helper roles for CRD management (admin/editor/viewer)
+  helpers:
+    # Install convenience admin/editor/viewer roles for CRDs
+    enable: false
 
 ## Custom Resource Definitions
 ##
@@ -108,6 +115,9 @@ metrics:
   enable: true
   # Metrics server port
   port: 8443
+  # Secure metrics protection
+  # Requires RBAC cluster scoped permissions
+  secure: true
 
 ## Cert-manager integration for TLS certificates.
 ## Required for webhook certificates and metrics endpoint certificates.