feat(helm): support namespaced RBAC for MCP controller (#127)

Sibling of kagent-dev/tools#53 and
kagent-dev/kagent#1549

Fixes a CI issue. Also separates out the build step in CI before running
E2E tests.

---------

Signed-off-by: Jet Chiang <pokyuen.jetchiang-ext@solo.io>

Author: supreme-gg-gg

.github/workflows/test-e2e.yml

@@ -21,8 +21,15 @@ jobs:
 
       - name: Create k8s Kind Cluster
         uses: helm/kind-action@v1
-      - name: Running Test e2e
+        with:
+          cluster_name: kind
+
+      - name: Build controller image
+        run: make docker-build CONTROLLER_IMG=ghcr.io/kagent-dev/kmcp/controller:e2e-test
+        timeout-minutes: 15
+
+      - name: Run e2e tests
         run: |
-          kind create cluster
           go mod tidy
           make test-e2e
+        timeout-minutes: 20

Makefile

@@ -7,7 +7,7 @@ HELM_REPO ?= oci://ghcr.io/kagent-dev
 
 BUILD_DATE := $(shell date -u '+%Y-%m-%d')
 GIT_COMMIT := $(shell git rev-parse --short HEAD || echo "unknown")
-VERSION ?= $(shell git describe --tags --always --dirty 2>/dev/null | sed 's/-dirty//' | grep v || echo "v0.0.1+$(GIT_COMMIT)")
+VERSION ?= $(shell git describe --tags --always --dirty 2>/dev/null | sed 's/-dirty//' | grep v || echo "v0.0.1-$(GIT_COMMIT)")
 
 
 # Version information for the build
@@ -166,7 +166,7 @@ test-e2e: manifests generate fmt vet ## Run the e2e tests. Expected an isolated
 		echo "No Kind cluster is running. Please start a Kind cluster before running the e2e tests."; \
 		exit 1; \
 	}
-	go test ./test/e2e/ -v
+	go test ./test/e2e/ -v -timeout 30m
 
 .PHONY: lint
 lint: golangci-lint ## Run golangci-lint linter

api/v1alpha1/zz_generated.deepcopy.go

@@ -8,6 +8,7 @@ rules:
   - ""
   resources:
   - configmaps
+  - serviceaccounts
   - services
   verbs:
   - create

config/rbac/role.yaml

@@ -83,5 +83,9 @@ Create controller manager container args
 {{- if .Values.controller.metrics.enabled }}
 {{- $args = append $args (printf "--metrics-bind-address=%s" .Values.controller.metrics.bindAddress) }}
 {{- end }}
+{{- if not .Values.rbac.clusterScoped }}
+{{- $namespaces := .Values.rbac.namespaces | default (list (include "kmcp.namespace" .)) }}
+{{- $args = append $args (printf "--watch-namespaces=%s" (join "," $namespaces)) }}
+{{- end }}
 {{- toYaml $args }}
 {{- end }} 

helm/kmcp-crds/templates/mcpserver-crd.yaml

@@ -1,11 +1,4 @@
-{{- if .Values.rbac.create }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: {{ include "kmcp.fullname" . }}-manager-role
-  labels:
-    {{- include "kmcp.labels" . | nindent 4 }}
-rules:
+{{- define "kmcp.manager.rules" -}}
 - apiGroups:
   - ""
   resources:
@@ -58,4 +51,32 @@ rules:
   - get
   - patch
   - update
+{{- end -}}
+
+{{- if .Values.rbac.create }}
+
+{{- if .Values.rbac.clusterScoped }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "kmcp.fullname" . }}-manager-role
+  labels:
+    {{- include "kmcp.labels" . | nindent 4 }}
+rules:
+  {{- include "kmcp.manager.rules" . | nindent 2 }}
+{{- else }}
+{{- $namespaces := .Values.rbac.namespaces | default (list (include "kmcp.namespace" .)) }}
+{{- range $namespace := $namespaces }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "kmcp.fullname" $ }}-manager-role
+  namespace: {{ $namespace }}
+  labels:
+    {{- include "kmcp.labels" $ | nindent 4 }}
+rules:
+  {{- include "kmcp.manager.rules" $ | nindent 2 }}
+{{- end }}
+{{- end }}
 {{- end }} 

helm/kmcp/templates/_helpers.tpl

@@ -1,4 +1,5 @@
 {{- if .Values.rbac.create }}
+{{- if .Values.rbac.clusterScoped }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
@@ -13,4 +14,25 @@ subjects:
 - kind: ServiceAccount
   name: {{ include "kmcp.serviceAccountName" . }}
   namespace: {{ include "kmcp.namespace" . }}
+{{- else }}
+{{- $namespaces := .Values.rbac.namespaces | default (list (include "kmcp.namespace" .)) }}
+{{- range $namespace := $namespaces }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "kmcp.fullname" $ }}-manager-rolebinding
+  namespace: {{ $namespace }}
+  labels:
+    {{- include "kmcp.labels" $ | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "kmcp.fullname" $ }}-manager-role
+subjects:
+- kind: ServiceAccount
+  name: {{ include "kmcp.serviceAccountName" $ }}
+  namespace: {{ include "kmcp.namespace" $ }}
+{{- end }}
+{{- end }}
 {{- end }} 

helm/kmcp/templates/rbac/clusterrole.yaml

@@ -8,7 +8,7 @@ should create deployment with default values:
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: kmcp
         control-plane: controller-manager
-        helm.sh/chart: kmcp-0.1.0
+        helm.sh/chart: kmcp-1.0.0
       name: RELEASE-NAME-controller-manager
       namespace: NAMESPACE
     spec:
@@ -73,7 +73,7 @@ should create deployment with default values:
             runAsNonRoot: true
             seccompProfile:
               type: RuntimeDefault
-          serviceAccountName: RELEASE-NAME-kmcp-controller-manager
+          serviceAccountName: RELEASE-NAME-controller-manager
           terminationGracePeriodSeconds: 10
           volumes: []
 should include health probe ports when health probe enabled:
@@ -86,7 +86,7 @@ should include health probe ports when health probe enabled:
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: kmcp
         control-plane: controller-manager
-        helm.sh/chart: kmcp-0.1.0
+        helm.sh/chart: kmcp-1.0.0
       name: RELEASE-NAME-controller-manager
       namespace: NAMESPACE
     spec:
@@ -151,7 +151,7 @@ should include health probe ports when health probe enabled:
             runAsNonRoot: true
             seccompProfile:
               type: RuntimeDefault
-          serviceAccountName: RELEASE-NAME-kmcp-controller-manager
+          serviceAccountName: RELEASE-NAME-controller-manager
           terminationGracePeriodSeconds: 10
           volumes: []
 should include image pull secrets when specified:
@@ -164,7 +164,7 @@ should include image pull secrets when specified:
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: kmcp
         control-plane: controller-manager
-        helm.sh/chart: kmcp-0.1.0
+        helm.sh/chart: kmcp-1.0.0
       name: RELEASE-NAME-controller-manager
       namespace: NAMESPACE
     spec:
@@ -231,7 +231,7 @@ should include image pull secrets when specified:
             runAsNonRoot: true
             seccompProfile:
               type: RuntimeDefault
-          serviceAccountName: RELEASE-NAME-kmcp-controller-manager
+          serviceAccountName: RELEASE-NAME-controller-manager
           terminationGracePeriodSeconds: 10
           volumes: []
 should include metrics port when metrics enabled:
@@ -244,7 +244,7 @@ should include metrics port when metrics enabled:
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: kmcp
         control-plane: controller-manager
-        helm.sh/chart: kmcp-0.1.0
+        helm.sh/chart: kmcp-1.0.0
       name: RELEASE-NAME-controller-manager
       namespace: NAMESPACE
     spec:
@@ -309,7 +309,7 @@ should include metrics port when metrics enabled:
             runAsNonRoot: true
             seccompProfile:
               type: RuntimeDefault
-          serviceAccountName: RELEASE-NAME-kmcp-controller-manager
+          serviceAccountName: RELEASE-NAME-controller-manager
           terminationGracePeriodSeconds: 10
           volumes: []
 should include node selector when specified:
@@ -322,7 +322,7 @@ should include node selector when specified:
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: kmcp
         control-plane: controller-manager
-        helm.sh/chart: kmcp-0.1.0
+        helm.sh/chart: kmcp-1.0.0
       name: RELEASE-NAME-controller-manager
       namespace: NAMESPACE
     spec:
@@ -389,7 +389,7 @@ should include node selector when specified:
             runAsNonRoot: true
             seccompProfile:
               type: RuntimeDefault
-          serviceAccountName: RELEASE-NAME-kmcp-controller-manager
+          serviceAccountName: RELEASE-NAME-controller-manager
           terminationGracePeriodSeconds: 10
           volumes: []
 should include pod annotations when specified:
@@ -402,7 +402,7 @@ should include pod annotations when specified:
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: kmcp
         control-plane: controller-manager
-        helm.sh/chart: kmcp-0.1.0
+        helm.sh/chart: kmcp-1.0.0
       name: RELEASE-NAME-controller-manager
       namespace: NAMESPACE
     spec:
@@ -469,7 +469,7 @@ should include pod annotations when specified:
             runAsNonRoot: true
             seccompProfile:
               type: RuntimeDefault
-          serviceAccountName: RELEASE-NAME-kmcp-controller-manager
+          serviceAccountName: RELEASE-NAME-controller-manager
           terminationGracePeriodSeconds: 10
           volumes: []
 should include tolerations when specified:
@@ -482,7 +482,7 @@ should include tolerations when specified:
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: kmcp
         control-plane: controller-manager
-        helm.sh/chart: kmcp-0.1.0
+        helm.sh/chart: kmcp-1.0.0
       name: RELEASE-NAME-controller-manager
       namespace: NAMESPACE
     spec:
@@ -547,7 +547,7 @@ should include tolerations when specified:
             runAsNonRoot: true
             seccompProfile:
               type: RuntimeDefault
-          serviceAccountName: RELEASE-NAME-kmcp-controller-manager
+          serviceAccountName: RELEASE-NAME-controller-manager
           terminationGracePeriodSeconds: 10
           tolerations:
             - effect: NoSchedule
@@ -565,7 +565,7 @@ should set custom replica count:
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: kmcp
         control-plane: controller-manager
-        helm.sh/chart: kmcp-0.1.0
+        helm.sh/chart: kmcp-1.0.0
       name: RELEASE-NAME-controller-manager
       namespace: NAMESPACE
     spec:
@@ -630,7 +630,7 @@ should set custom replica count:
             runAsNonRoot: true
             seccompProfile:
               type: RuntimeDefault
-          serviceAccountName: RELEASE-NAME-kmcp-controller-manager
+          serviceAccountName: RELEASE-NAME-controller-manager
           terminationGracePeriodSeconds: 10
           volumes: []
 should set custom resources:
@@ -643,7 +643,7 @@ should set custom resources:
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: kmcp
         control-plane: controller-manager
-        helm.sh/chart: kmcp-0.1.0
+        helm.sh/chart: kmcp-1.0.0
       name: RELEASE-NAME-controller-manager
       namespace: NAMESPACE
     spec:
@@ -708,7 +708,7 @@ should set custom resources:
             runAsNonRoot: true
             seccompProfile:
               type: RuntimeDefault
-          serviceAccountName: RELEASE-NAME-kmcp-controller-manager
+          serviceAccountName: RELEASE-NAME-controller-manager
           terminationGracePeriodSeconds: 10
           volumes: []
 should set pod security context:
@@ -721,7 +721,7 @@ should set pod security context:
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: kmcp
         control-plane: controller-manager
-        helm.sh/chart: kmcp-0.1.0
+        helm.sh/chart: kmcp-1.0.0
       name: RELEASE-NAME-controller-manager
       namespace: NAMESPACE
     spec:
@@ -786,7 +786,7 @@ should set pod security context:
             runAsNonRoot: true
             seccompProfile:
               type: RuntimeDefault
-          serviceAccountName: RELEASE-NAME-kmcp-controller-manager
+          serviceAccountName: RELEASE-NAME-controller-manager
           terminationGracePeriodSeconds: 10
           volumes: []
 should set security context:
@@ -799,7 +799,7 @@ should set security context:
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: kmcp
         control-plane: controller-manager
-        helm.sh/chart: kmcp-0.1.0
+        helm.sh/chart: kmcp-1.0.0
       name: RELEASE-NAME-controller-manager
       namespace: NAMESPACE
     spec:
@@ -864,7 +864,7 @@ should set security context:
             runAsNonRoot: true
             seccompProfile:
               type: RuntimeDefault
-          serviceAccountName: RELEASE-NAME-kmcp-controller-manager
+          serviceAccountName: RELEASE-NAME-controller-manager
           terminationGracePeriodSeconds: 10
           volumes: []
 should set termination grace period:
@@ -877,7 +877,7 @@ should set termination grace period:
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: kmcp
         control-plane: controller-manager
-        helm.sh/chart: kmcp-0.1.0
+        helm.sh/chart: kmcp-1.0.0
       name: RELEASE-NAME-controller-manager
       namespace: NAMESPACE
     spec:
@@ -942,6 +942,6 @@ should set termination grace period:
             runAsNonRoot: true
             seccompProfile:
               type: RuntimeDefault
-          serviceAccountName: RELEASE-NAME-kmcp-controller-manager
+          serviceAccountName: RELEASE-NAME-controller-manager
           terminationGracePeriodSeconds: 10
           volumes: []