⚠️ (helm/v2-plugin): enhance RBAC support with namespace-scoped deployments, multi-namespace configuration, and dynamic Role/ClusterRole rendering (rename rbacHelpers to rbac.helpers)

[camilamacedo86]

This PR introduces two new RBAC configuration options to the Helm v2-alpha plugin.

1. rbac.namespaced — Namespace-scoped operator deployments

Allows switching between cluster-wide and namespace-scoped RBAC.

Example values:

rbac:
  namespaced: true  # Uses Role/RoleBinding instead of ClusterRole/ClusterRoleBinding

Example install:
helm install my-operator ./dist/chart --set rbac.namespaced=true

2. rbac.roleNamespaces — Multi-namespace RBAC

Enables deploying Roles and RoleBindings into specific namespaces using kubebuilder annotations.

Example annotations:

// +kubebuilder:rbac:groups=apps,namespace=infrastructure,resources=deployments,verbs=get;list;watch
// +kubebuilder:rbac:groups="",namespace=users,resources=secrets,verbs=get;list;watch

Generated values:

rbac:
  roleNamespaces:
    manager-role-infrastructure: infrastructure
    manager-role-users: users

Override at install:

helm install my-operator ./dist/chart \
  --set 'rbac.roleNamespaces[manager-role-infrastructure]=prod-infra'

Breaking Change

RBAC values structure has changed:

Before:

rbacHelpers:
  enable: false

After:

rbac:
  helpers:
    enable: false

Closes:

• (helm/v2-alpha): disable cluster wide rbac resource creation #5505
• helm/v2-alpha: disable cluster wide rbac resource creation #5504

Partially: #5517

[camilamacedo86]

@Allex1 could you please give a hand on this one?
WDYT?

[camilamacedo86]

Hi @sam-mcbr could you please help us to validate this one.

[sam-mcbr]

Hi @camilamacedo86! I think this PR looks good. I tested with our deployment and I do see when I remove cluster-scoped RBAC scaffolding it generates a correct ClusterRole/Role (and associated binding) with a Values.yaml that would allow making sure they are rendered as Roles.

I do see this doesn't solve the issue I opened (#5546) where we need both cluster-scoped RBAC and namespace-scoped RBAC (but that seems intended since you didn't mark it as fixed in the description. I only mention this because when both kinds of scaffolds are included, the manager-role.yaml file in the chart only includes the cluster-scoped RBAC and the namespace-scoped RBAC is ignored. I'm assuming this is intentional since this PR doesn't say it addresses the issue I opened 😄

Thanks for the fast improvements to the chart generation!

[camilamacedo86]

Hi @sam-mcbr

Thank you a lot for the fast review and for raise this one 🎉
The whole magic is here:

{{- if .Values.rbac.namespaced }}
kind: Role
{{- else }}
kind: ClusterRole
{{- end }}
metadata:
{{- if .Values.rbac.namespaced }}
  namespace: {{ .Release.Namespace }}
{{- end }}

So, we do not need to duplicate the roles. We do that conditionally.
Why that?

• Simplification / avoid the duplication
• Also, because we have the option to create a true namespace solution, see; https://book.kubebuilder.io/migration/namespace-scoped.html so that keep more generic.

WDYT? Does not this solve the scenario?

[sam-mcbr]

@camilamacedo86 maybe I'm missing something about the changes. To clarify, our use-case is:

We have an operator that monitors CustomResources across a cluster, and then uses those to create/reconcile a single ConfigMap in a single namespace. In the spirit of least-privilege, I was thinking ideally we could have the chart:

• Deploy a ClusterRole (and binding) for permissions to read, update status, etc. of our CustomResource type and
• Deploy a Role (and binding) for permissions to read, write, update, etc. ConfigMaps in a single namespace.

Please correct me if I'm misunderstanding the changes in your PR, but to me it looks like the chart only supports either a ClusterRole and binding or a Role and binding. Again, definitely let me know if I'm misunderstanding something!

[camilamacedo86]

That is true. So, now I understand better your case. Let me think more about
/hold

[camilamacedo86]

Hi @sam-mcbr

Your issue scenario has no relation with this PR.
We need a new release of controller-tools to address that.
See; #5546 (comment) I provided all info there.

Then that would either work with this one, because the goal here is allow the cluster-admin/consumer of the chart install only using namespaced scoped instead of cluster scoped options.

But I am changing this PR to either cover this specific scenario.
It is a great input. Thank you so much 🎉

[Copilot]

Pull request overview

Copilot reviewed 9 out of 53 changed files in this pull request and generated 2 comments.

[Copilot]

Pull request overview

Copilot reviewed 9 out of 53 changed files in this pull request and generated 3 comments.

[Copilot]

Pull request overview

Copilot reviewed 9 out of 53 changed files in this pull request and generated 3 comments.

[Copilot]

Pull request overview

Copilot reviewed 10 out of 65 changed files in this pull request and generated 2 comments.

[Copilot]

Pull request overview

Copilot reviewed 10 out of 65 changed files in this pull request and generated 1 comment.

[Copilot]

Pull request overview

Copilot reviewed 10 out of 65 changed files in this pull request and generated no new comments.

[Copilot]

Pull request overview

Copilot reviewed 10 out of 65 changed files in this pull request and generated 1 comment.

[camilamacedo86]

Hi @sam-mcbr and @Allex1

Now, it seems good to get merged.
Could you please give a look?

If yes, could you please LGTM this one?
@porridge , if you be able to help with this one would be great either.

[Allex1]

/lgtm

thanks for this

[k8s-ci-robot]

@Allex1: changing LGTM is restricted to collaborators

Details

In response to this:

/lgtm

thanks for this

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Allex1, camilamacedo86

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [camilamacedo86]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[porridge]

Wouldn't a nil map work too?

[camilamacedo86]

Yes, done

[porridge]

The comment does not seem to match the code.

[camilamacedo86]

Fixed

[porridge]

WDYM by "specific"?

[camilamacedo86]

Improved

[porridge]

Ah, not manager ns. Perhaps move this definition up?

[camilamacedo86]

Improved

[Copilot]

Pull request overview

Copilot reviewed 10 out of 65 changed files in this pull request and generated 3 comments.

[Copilot]

handleRBACConditionalWrappers classifies RBAC resources as “metrics-related” via strings.Contains(name, "metrics"). Because RBAC resource names include the project prefix, a project whose name/prefix contains metrics (e.g. metrics-operator-manager-role) will be misclassified and wrapped by the metrics conditionals, potentially preventing essential RBAC from being rendered when metrics is disabled. Prefer matching specific known metrics RBAC resource suffixes (e.g., -metrics-auth-role, -metrics-reader, -metrics-auth-rolebinding) or otherwise using a delimiter/suffix-based match rather than a broad substring check.

[Copilot]

handleCertificateConditionalWrappers / handleServiceConditionalWrappers use broad substring checks like strings.Contains(name, "metrics") (and "webhook") to decide conditional wrappers. Since resource names are typically prefixed with the project name, this can misclassify unrelated resources when the project prefix contains those substrings (e.g., metrics-operator-webhook-service would be treated as a metrics Service). Consider switching to suffix- or pattern-based matching for the well-known resource names you intend to target (metrics service, metrics certs, webhook service, etc.).

[Copilot]

hasClusterScopedRBAC detection excludes any ClusterRole whose name contains "metrics". Because ClusterRole names include the project prefix, projects with metrics in their name/prefix will incorrectly be treated as having no cluster-scoped RBAC, which can suppress emitting the rbac.namespaced value/docs. Consider excluding only the specific metrics ClusterRoles (e.g., metrics-auth-role/metrics-reader) using suffix/pattern matches rather than a generic substring.