Automate helm ClusterRole RBAC sync from kubebuilder

Author: shraddhabang

Makefile

@@ -81,6 +81,7 @@ deploy: manifests
 manifests: controller-gen kustomize
 	$(CONTROLLER_GEN) $(CRD_OPTIONS) rbac:roleName=controller-role webhook paths="./..." output:crd:artifacts:config=config/crd/bases
 	yq eval '.metadata.name = "webhook"' -i config/webhook/manifests.yaml
+	hack/sync-rbac-to-helm.sh
 
 crds: manifests
 	$(MOVE_GATEWAY_CRDS)
@@ -204,7 +205,7 @@ lint:
 	echo "TODO"
 
 .PHONY: quick-ci
-quick-ci: verify-versions verify-generate verify-crds
+quick-ci: verify-versions verify-generate verify-crds verify-rbac-sync
 	echo "Done!"
 
 .PHONY: verify-generate
@@ -215,6 +216,10 @@ verify-generate:
 verify-crds:
 	hack/verify-crds.sh
 
+.PHONY: verify-rbac-sync
+verify-rbac-sync:
+	hack/verify-rbac-sync.sh
+
 .PHONY: verify-versions
 verify-versions:
 	hack/verify-versions.sh

hack/sync-rbac-to-helm.sh

@@ -0,0 +1,174 @@
+#!/usr/bin/env bash
+
+# Copyright 2025 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# This script syncs RBAC rules from the kubebuilder-generated role.yaml
+# into the helm chart's rbac.yaml template, keeping helm-specific sections
+# (leader election, bindings, conditionals) intact.
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+ROOT_DIR="$(cd "${SCRIPT_DIR}/.." && pwd)"
+
+KUBEBUILDER_ROLE="${ROOT_DIR}/config/rbac/role.yaml"
+HELM_RBAC="${ROOT_DIR}/helm/aws-load-balancer-controller/templates/rbac.yaml"
+
+if [ ! -f "${KUBEBUILDER_ROLE}" ]; then
+    echo "Error: kubebuilder role not found at ${KUBEBUILDER_ROLE}"
+    echo "Run 'make manifests' first."
+    exit 1
+fi
+
+if [ ! -f "${HELM_RBAC}" ]; then
+    echo "Error: helm rbac template not found at ${HELM_RBAC}"
+    exit 1
+fi
+
+# Extract rules from kubebuilder role.yaml and convert to helm flow style
+# We use yq to read the rules and output them in the compact format used by the helm chart
+generate_helm_clusterrole_rules() {
+    # Read rules from kubebuilder role.yaml using yq
+    # Convert each rule to the flow-style format used in the helm chart
+    yq eval -o=json '.rules' "${KUBEBUILDER_ROLE}" | python3 -c '
+import json
+import sys
+
+rules = json.load(sys.stdin)
+
+def format_list(items):
+    """Format a list as YAML flow sequence: [item1, item2]"""
+    return "[" + ", ".join(str(i) for i in items) + "]"
+
+for rule in rules:
+    api_groups = rule.get("apiGroups", [])
+    resources = rule.get("resources", [])
+    verbs = rule.get("verbs", [])
+    resource_names = rule.get("resourceNames", None)
+
+    # Quote empty string api group
+    formatted_groups = []
+    for g in api_groups:
+        if g == "":
+            formatted_groups.append("\"\"")
+        else:
+            formatted_groups.append("\"" + g + "\"")
+
+    print("- apiGroups: [{}]".format(", ".join(formatted_groups)))
+    print("  resources: {}".format(format_list(resources)))
+    if resource_names:
+        print("  resourceNames: {}".format(format_list(resource_names)))
+    print("  verbs: {}".format(format_list(verbs)))
+'
+}
+
+# Build the new helm rbac.yaml
+# We preserve the leader election Role, RoleBinding, and ClusterRoleBinding
+# from the existing template, and only replace the ClusterRole rules.
+
+GENERATED_RULES=$(generate_helm_clusterrole_rules)
+
+cat > "${HELM_RBAC}" << 'HELM_HEADER'
+{{- if .Values.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ template "aws-load-balancer-controller.fullname" . }}-leader-election-role
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "aws-load-balancer-controller.labels" . | nindent 4 }}
+rules:
+- apiGroups: [""]
+  resources: [configmaps]
+  verbs: [create]
+- apiGroups: [""]
+  resources: [configmaps]
+  resourceNames: [aws-load-balancer-controller-leader]
+  verbs: [get, patch, update]
+- apiGroups:
+  - "coordination.k8s.io"
+  resources:
+  - leases
+  verbs:
+  - create
+- apiGroups:
+  - "coordination.k8s.io"
+  resources:
+  - leases
+  resourceNames:
+  - aws-load-balancer-controller-leader
+  verbs:
+  - get
+  - update
+  - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ template "aws-load-balancer-controller.fullname" . }}-leader-election-rolebinding
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "aws-load-balancer-controller.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ template "aws-load-balancer-controller.fullname" . }}-leader-election-role
+subjects:
+- kind: ServiceAccount
+  name: {{ template "aws-load-balancer-controller.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ template "aws-load-balancer-controller.fullname" . }}-role
+  labels:
+    {{- include "aws-load-balancer-controller.labels" . | nindent 4 }}
+rules:
+HELM_HEADER
+
+# Append the generated rules (from kubebuilder source of truth)
+echo "# AUTO-GENERATED from config/rbac/role.yaml by hack/sync-rbac-to-helm.sh" >> "${HELM_RBAC}"
+echo "# Do not edit these rules manually. Run 'make manifests' to update." >> "${HELM_RBAC}"
+echo "${GENERATED_RULES}" >> "${HELM_RBAC}"
+
+# Append helm-specific conditional rules and the ClusterRoleBinding
+cat >> "${HELM_RBAC}" << 'HELM_FOOTER'
+{{- if .Values.clusterSecretsPermissions.allowAllSecrets }}
+- apiGroups: [""]
+  resources: [secrets]
+  verbs: [get, list, watch]
+{{- end }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ template "aws-load-balancer-controller.fullname" . }}-rolebinding
+  labels:
+    {{- include "aws-load-balancer-controller.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ template "aws-load-balancer-controller.fullname" . }}-role
+subjects:
+- kind: ServiceAccount
+  name: {{ template "aws-load-balancer-controller.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+{{- end }}
+HELM_FOOTER
+
+echo "Synced RBAC rules from ${KUBEBUILDER_ROLE} to ${HELM_RBAC}"

hack/verify-rbac-sync.sh

@@ -0,0 +1,37 @@
+#!/usr/bin/env bash
+
+# Copyright 2025 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Verifies that the helm chart RBAC rules are in sync with the
+# kubebuilder-generated role.yaml. Fails if they have drifted.
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+
+"${SCRIPT_DIR}/sync-rbac-to-helm.sh"
+
+changed_files=$(git status --porcelain --untracked-files=no -- helm/aws-load-balancer-controller/templates/rbac.yaml || true)
+if [ -n "${changed_files}" ]; then
+   echo "Detected that helm RBAC is out of sync with kubebuilder RBAC; run 'make sync-rbac'"
+   echo "changed files:"
+   printf "%s\n" "${changed_files}"
+   echo "git diff:"
+   git --no-pager diff -- helm/aws-load-balancer-controller/templates/rbac.yaml
+   echo "To fix: run 'make sync-rbac'"
+   exit 1
+fi

helm/aws-load-balancer-controller/templates/rbac.yaml

@@ -54,83 +54,82 @@ metadata:
   labels:
     {{- include "aws-load-balancer-controller.labels" . | nindent 4 }}
 rules:
-- apiGroups: ["elbv2.k8s.aws"]
-  resources: [targetgroupbindings]
-  verbs: [create, delete, get, list, patch, update, watch]
-- apiGroups: ["elbv2.k8s.aws"]
-  resources: [ingressclassparams]
-  verbs: [get, list, watch]
-- apiGroups: ["elbv2.k8s.aws"]
-  resources: [albtargetcontrolconfigs]
-  verbs: [get]
+# AUTO-GENERATED from config/rbac/role.yaml by hack/sync-rbac-to-helm.sh
+# Do not edit these rules manually. Run 'make manifests' to update.
 - apiGroups: [""]
-  resources: [events]
-  verbs: [create, patch]
+  resources: [configmaps]
+  verbs: [create, delete, get, update]
 - apiGroups: [""]
-  resources: [pods]
-  verbs: [get, list, watch]
-- apiGroups: ["networking.k8s.io"]
-  resources: [ingressclasses]
+  resources: [endpoints, namespaces, nodes, pods]
   verbs: [get, list, watch]
-- apiGroups: ["", "extensions", "networking.k8s.io"]
-  resources: [services, ingresses]
-  verbs: [get, list, patch, update, watch]
 - apiGroups: [""]
-  resources: [nodes, namespaces, endpoints]
-  verbs: [get, list, watch]
+  resources: [events]
+  verbs: [create, patch]
 - apiGroups: [""]
-  resources: [configmaps]
-  verbs: [get, delete, create, update]
-{{- if .Values.clusterSecretsPermissions.allowAllSecrets }}
+  resources: [pods/status, services/status]
+  verbs: [patch, update]
 - apiGroups: [""]
-  resources: [secrets]
-  verbs: [get, list, watch]
-{{- end }}
-- apiGroups: ["elbv2.k8s.aws", "", "extensions", "networking.k8s.io"]
-  resources: [targetgroupbindings/status, pods/status, services/status, ingresses/status]
-  verbs: [update, patch]
+  resources: [services]
+  verbs: [get, list, patch, update, watch]
+- apiGroups: ["aga.k8s.aws"]
+  resources: [globalaccelerators]
+  verbs: [get, list, patch, watch]
+- apiGroups: ["aga.k8s.aws"]
+  resources: [globalaccelerators/finalizers, globalaccelerators/status]
+  verbs: [patch, update]
 - apiGroups: ["discovery.k8s.io"]
   resources: [endpointslices]
   verbs: [get, list, watch]
+- apiGroups: ["elbv2.k8s.aws"]
+  resources: [albtargetcontrolconfigs]
+  verbs: [get]
+- apiGroups: ["elbv2.k8s.aws"]
+  resources: [ingressclassparams]
+  verbs: [get, list, watch]
+- apiGroups: ["elbv2.k8s.aws"]
+  resources: [targetgroupbindings]
+  verbs: [create, delete, get, list, patch, update, watch]
+- apiGroups: ["elbv2.k8s.aws"]
+  resources: [targetgroupbindings/status]
+  verbs: [patch, update]
+- apiGroups: ["extensions", "networking.k8s.io"]
+  resources: [ingresses]
+  verbs: [get, list, patch, update, watch]
+- apiGroups: ["extensions", "networking.k8s.io"]
+  resources: [ingresses/status]
+  verbs: [patch, update]
 - apiGroups: ["gateway.k8s.aws"]
-  resources: [loadbalancerconfigurations, targetgroupconfigurations, listenerruleconfigurations]
-  verbs: [get, list, watch, patch]
+  resources: [listenerruleconfigurations, loadbalancerconfigurations, targetgroupconfigurations]
+  verbs: [get, list, patch, watch]
 - apiGroups: ["gateway.k8s.aws"]
-  resources: [loadbalancerconfigurations/finalizers, targetgroupconfigurations/finalizers, listenerruleconfigurations/finalizers]
-  verbs: [update, patch]
+  resources: [listenerruleconfigurations/finalizers, loadbalancerconfigurations/finalizers, targetgroupconfigurations/finalizers]
+  verbs: [patch, update]
 - apiGroups: ["gateway.k8s.aws"]
-  resources: [loadbalancerconfigurations/status, targetgroupconfigurations/status, listenerruleconfigurations/status]
-  verbs: [get, patch, watch]
-- apiGroups: ["gateway.networking.k8s.io"]
-  resources: [gatewayclasses, gateways]
-  verbs: [get, list, watch, patch]
+  resources: [listenerruleconfigurations/status, loadbalancerconfigurations/status, targetgroupconfigurations/status]
+  verbs: [get, patch, update]
 - apiGroups: ["gateway.networking.k8s.io"]
-  resources: [referencegrants]
-  verbs: [get, list, watch]
+  resources: [gatewayclasses, gateways, referencegrants]
+  verbs: [get, list, patch, watch]
 - apiGroups: ["gateway.networking.k8s.io"]
   resources: [gatewayclasses/finalizers, gateways/finalizers]
-  verbs: [update, patch]
+  verbs: [patch, update]
 - apiGroups: ["gateway.networking.k8s.io"]
-  resources: [gatewayclasses/status, gateways/status]
+  resources: [gatewayclasses/status, gateways/status, grpcroutes/status, httproutes/status, listenersets/status, tcproutes/status, tlsroutes/status, udproutes/status]
   verbs: [get, patch, update]
 - apiGroups: ["gateway.networking.k8s.io"]
-  resources: [grpcroutes, httproutes, tcproutes, tlsroutes, udproutes, listenersets]
+  resources: [grpcroutes, httproutes, listenersets, tcproutes, tlsroutes, udproutes]
   verbs: [get, list, watch]
 - apiGroups: ["gateway.networking.k8s.io"]
-  resources: [grpcroutes/finalizers, httproutes/finalizers, tcproutes/finalizers, tlsroutes/finalizers, udproutes/finalizers, listenersets/finalizers]
+  resources: [grpcroutes/finalizers, httproutes/finalizers, listenersets/finalizers, tcproutes/finalizers, tlsroutes/finalizers, udproutes/finalizers]
   verbs: [update]
-- apiGroups: ["gateway.networking.k8s.io"]
-  resources: [grpcroutes/status, httproutes/status, tcproutes/status, tlsroutes/status, udproutes/status, listenersets/status]
-  verbs: [get, patch, update]
-- apiGroups: ["aga.k8s.aws"]
-  resources: [globalaccelerators]
-  verbs: [get, list, patch, watch]
-- apiGroups: ["aga.k8s.aws"]
-  resources: [globalaccelerators/finalizers]
-  verbs: [patch, update]
-- apiGroups: ["aga.k8s.aws"]
-  resources: [globalaccelerators/status]
-  verbs: [patch, update]
+- apiGroups: ["networking.k8s.io"]
+  resources: [ingressclasses]
+  verbs: [get, list, watch]
+{{- if .Values.clusterSecretsPermissions.allowAllSecrets }}
+- apiGroups: [""]
+  resources: [secrets]
+  verbs: [get, list, watch]
+{{- end }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding