From 3d7ea1948e064ec5ab006511f97e7ccf45acbd6e Mon Sep 17 00:00:00 2001 From: Thomas Vitale Date: Sat, 1 Apr 2023 17:38:58 +0200 Subject: [PATCH] Add roles for supply chains --- package/config/kapp-config.yaml | 26 ++++++++++++++++++++++++++ package/config/roles/deliverable.yml | 10 ++++++++++ package/config/roles/workload.yml | 10 ++++++++++ 3 files changed, 46 insertions(+) create mode 100644 package/config/roles/deliverable.yml create mode 100644 package/config/roles/workload.yml diff --git a/package/config/kapp-config.yaml b/package/config/kapp-config.yaml index ba16ece..3081592 100644 --- a/package/config/kapp-config.yaml +++ b/package/config/kapp-config.yaml @@ -1,12 +1,38 @@ +--- apiVersion: kapp.k14s.io/v1alpha1 kind: Config minimumRequiredVersion: 0.50.0 +#! Rebase rules explicitly define how kapp should merge resources during an update. +#! See more about the resource merge method: https://carvel.dev/kapp/docs/latest/merge-method. rebaseRules: + +#! Kubernetes automatically fills in the rules of aggregated ClusterRoles. +#! We want to keep that configuration between upgrades. +- path: [rules] + type: copy + sources: [existing] + resourceMatchers: + - apiVersionKindMatcher: + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + +#! If the synchronization of a PackageInstall or App resource has been manually paused. - path: [spec, paused] type: copy sources: [new, existing] resourceMatchers: - apiVersionKindMatcher: {apiVersion: packaging.carvel.dev/v1alpha1, kind: PackageInstall} - apiVersionKindMatcher: {apiVersion: kappctrl.k14s.io/v1alpha1, kind: App} + +#! These rules define which fields should be removed before kapp performs a diff against the last applied resource. +diffAgainstLastAppliedFieldExclusionRules: + +- path: [metadata, annotations] + type: copy + sources: [existing] + resourceMatchers: + - apiVersionKindMatcher: + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole 
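Review bot: The new `path: [rules]` rebase rule matches every `rbac.authorization.k8s.io/v1` ClusterRole, not only aggregated ones, so with `sources: [existing]` any plain ClusterRole this package ships would keep its on-cluster rules across upgrades. A later version could then not tighten or remove its permissions, and out-of-band edits would survive. Whether the package ships other ClusterRoles is not visible in this patch, but narrowing the matcher to resources that set `aggregationRule` removes the risk either way, as sketched below. The matcher names are taken from the kapp Config documentation and should be confirmed against the kapp version pinned here. Separately, the entry under `diffAgainstLastAppliedFieldExclusionRules` carries `type: copy` and `sources: [existing]`, which look copied from the rebase rule and probably have no meaning there, and excluding all of `metadata.annotations` hides annotation drift on every ClusterRole.

```yaml
#! … unchanged: the two comment lines above the rule …
- path: [rules]
  type: copy
  sources: [existing]
  resourceMatchers:
  - andMatcher:
      matchers:
      - apiVersionKindMatcher:
          apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
      #! Skip ClusterRoles without an aggregationRule so their rules still follow the package.
      - notMatcher:
          matcher:
            emptyFieldMatcher:
              path: [aggregationRule]
```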
diff --git a/package/config/roles/deliverable.yml b/package/config/roles/deliverable.yml
new file mode 100644
index 0000000..d3d06f1
--- /dev/null
+++ b/package/config/roles/deliverable.yml
@@ -0,0 +1,10 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: deliverable
+aggregationRule:
+ clusterRoleSelectors:
+ - matchLabels:
+ apps.kadras.io/aggregate-to-deliverable: "true"
+rules: []
diff --git a/package/config/roles/workload.yml b/package/config/roles/workload.yml
new file mode 100644
index 0000000..83d0156
--- /dev/null
+++ b/package/config/roles/workload.yml
@@ -0,0 +1,10 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: workload
+aggregationRule:
+ clusterRoleSelectors:
+ - matchLabels:
+ apps.kadras.io/aggregate-to-workload: "true"
+rules: []
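Review bot: The `deliverable` ClusterRole, and `workload` in the next hunk, ship with `rules: []` and take their permissions from any ClusterRole carrying the matching `aggregate-to-*` label, but neither file documents that contract. A reader cannot tell which subjects are expected to bind to these roles or which packages are expected to contribute rules. Since anything labelled this way silently widens what bound subjects can do, a header comment in each file would make the trust boundary reviewable, for example `#! Aggregated role: rules come from ClusterRoles labelled apps.kadras.io/aggregate-to-deliverable: "true"; review contributing roles before binding subjects to it.` The `#!` style is assumed from kapp-config.yaml and should be plain `#` if these files are not processed by ytt. The new files also use the `.yml` extension while the existing config file in the same directory uses `.yaml`.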