corresponding chart changes

Signed-off-by: Kent Rancourt <kent.rancourt@gmail.com>

charts/kargo/templates/api/cluster-role.yaml

@@ -76,4 +76,12 @@ rules:
     verbs:
       - patch
       - update
+{{- if .Values.api.rollouts.integrationEnabled }}
+  - apiGroups:
+      - argoproj.io
+    resources:
+      - analysistemplates
+    verbs:
+      - "*"
+{{- end }}
 {{- end }}

charts/kargo/templates/api/configmap.yaml

@@ -55,4 +55,5 @@ data:
   ARGOCD_NAMESPACE: {{ .Values.controller.argocd.namespace }}
   ARGOCD_URLS: {{ range $key, $val := .Values.api.argocd.urls }}{{ $key }}={{ $val }},{{- end }}
   {{- end }}
+  ROLLOUTS_INTEGRATION_ENABLED: {{ quote .Values.api.rollouts.integrationEnabled }}
 {{- end }}

charts/kargo/templates/argocd/role-binding.yaml

@@ -1,4 +1,4 @@
-{{- if or .Values.controller.argocd.watchArgocdNamespaceOnly .Values.controller.argocd.enableCredentialBorrowing }}
+{{- if and .Values.controller.argocd.integrationEnabled (or .Values.controller.argocd.watchArgocdNamespaceOnly .Values.controller.argocd.enableCredentialBorrowing) }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:

charts/kargo/templates/argocd/role.yaml

@@ -1,4 +1,4 @@
-{{- if or .Values.controller.argocd.watchArgocdNamespaceOnly .Values.controller.argocd.enableCredentialBorrowing }}
+{{- if and .Values.controller.argocd.integrationEnabled (or .Values.controller.argocd.watchArgocdNamespaceOnly .Values.controller.argocd.enableCredentialBorrowing) }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:

charts/kargo/templates/controller/cluster-role-bindings.yaml

@@ -14,8 +14,8 @@ subjects:
 - kind: ServiceAccount
   namespace: {{ .Release.Namespace }}
   name: kargo-controller
+{{- if and .Values.controller.argocd.integrationEnabled (not .Values.controller.argocd.watchArgocdNamespaceOnly) }}
 ---
-{{- if not .Values.controller.argocd.watchArgocdNamespaceOnly }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
@@ -32,4 +32,22 @@ subjects:
   namespace: {{ .Release.Namespace }}
   name: kargo-controller
 {{- end }}
+{{- if .Values.controller.rollouts.integrationEnabled }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: kargo-controller-rollouts
+  labels:
+    {{- include "kargo.labels" . | nindent 4 }}
+    {{- include "kargo.controller.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: kargo-controller-rollouts
+subjects:
+- kind: ServiceAccount
+  namespace: {{ .Release.Namespace }}
+  name: kargo-controller
+{{- end }}
 {{- end }}

charts/kargo/templates/controller/cluster-roles.yaml

@@ -72,8 +72,8 @@ rules:
   - get
   - list
   - watch
+{{- if and .Values.controller.argocd.integrationEnabled (not .Values.controller.argocd.watchArgocdNamespaceOnly) }}
 ---
-{{- if not .Values.controller.argocd.watchArgocdNamespaceOnly }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -91,6 +91,17 @@ rules:
   - list
   - patch
   - watch
+{{- end }}
+{{- if .Values.controller.rollouts.integrationEnabled }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: kargo-controller-rollouts
+  labels:
+    {{- include "kargo.labels" . | nindent 4 }}
+    {{- include "kargo.controller.labels" . | nindent 4 }}
+rules:
 - apiGroups:
   - argoproj.io
   resources:
@@ -100,5 +111,5 @@ rules:
   - get
   - list
   - watch
-{{- end }}  
+{{- end }}
 {{- end }}

charts/kargo/templates/controller/configmap.yaml

@@ -16,13 +16,17 @@ data:
   KUBECONFIG: /etc/kargo/kubeconfigs/kubeconfig.yaml
   {{- end }}
   GLOBAL_CREDENTIALS_NAMESPACES: {{ join "," .Values.controller.globalCredentials.namespaces }}
+  ARGOCD_INTEGRATION_ENABLED: {{ quote .Values.controller.argocd.integrationEnabled }}
+  {{- if .Values.controller.argocd.integrationEnabled }}
   {{- if .Values.kubeconfigSecrets.argocd }}
   ARGOCD_KUBECONFIG: /etc/kargo/kubeconfigs/argocd-kubeconfig.yaml
   {{- end }}
-  {{- if .Values.kubeconfigSecrets.rollouts }}
-  ROLLOUTS_KUBECONFIG: /etc/kargo/kubeconfigs/rollouts-kubeconfig.yaml
-  {{- end }}
   ARGOCD_NAMESPACE: {{ .Values.controller.argocd.namespace }}
   ARGOCD_ENABLE_CREDENTIAL_BORROWING: {{ quote .Values.controller.argocd.enableCredentialBorrowing }}
   ARGOCD_WATCH_ARGOCD_NAMESPACE_ONLY: {{ quote .Values.controller.argocd.watchArgocdNamespaceOnly }}
+  {{- end }}
+  ROLLOUTS_INTEGRATION_ENABLED: {{ quote .Values.controller.rollouts.integrationEnabled }}
+  {{- if and .Values.controller.rollouts.integrationEnabled .Values.kubeconfigSecrets.rollouts }}
+  ROLLOUTS_KUBECONFIG: /etc/kargo/kubeconfigs/rollouts-kubeconfig.yaml
+  {{- end }}
 {{- end }}

charts/kargo/values.yaml

@@ -199,6 +199,11 @@ api:
       # "": https://argocd.example.com
       # "shard2": https://argocd2.example.com
 
+  ## All settings relating to the use of Argo Rollouts by the API Server.
+  rollouts:
+    ## @param api.rollouts.integrationEnabled Specifies whether Argo Rollouts integration is enabled. When not enabled, the API server will not be capable of creating/updating/applying AnalysesTemplate resources in the Kargo control plane.
+    integrationEnabled: true
+
 ## @section Controller
 ## All settings for the controller component
 controller:
@@ -213,16 +218,24 @@ controller:
   ## @param controller.shardName [nullable] Set a shard name only if you are running multiple controllers backed by a single underlying control plane. Setting a shard name will cause this controller to operate **only** on resources with a matching shard name. Leaving the shard name undefined will designate this controller as the default controller that is responsible exclusively for resources that are **not** assigned to a specific shard. Leaving this undefined is the correct choice when you are not using sharding at all. It is also the correct setting if you are using sharding and want to designate a controller as the default for handling resources not assigned to a specific shard. In most cases, this setting should simply be left alone.
   # shardName:
 
-  ## All settings relating to the Argo CD control plane this controller will
+  ## All settings relating to the Argo CD control plane this controller might
   ## integrate with.
   argocd:
+    ## @param controller.argocd.integrationEnabled Specifies whether Argo CD integration is enabled. When not enabled, the controller will not watch Argo CD Application resources or factor Application health and sync state into determinations of Stage health. Argo CD-based promotion mechanisms will also fail.
+    integrationEnabled: true
     ## @param controller.argocd.namespace The namespace into which Argo CD is installed.
     namespace: argocd
     ## @param controller.argocd.watchArgocdNamespaceOnly Specifies whether the reconciler that watches Argo CD Applications for the sake of forcing related Stages to reconcile should only watch Argo CD Application resources residing in Argo CD's own namespace. Note: Older versions of Argo CD only supported Argo CD Application resources in Argo CD's own namespace, but newer versions support Argo CD Application resources in any namespace. This should usually be left as `false`.
     watchArgocdNamespaceOnly: false
     ## @param controller.argocd.enableCredentialBorrowing Specifies whether Kargo may borrow repository credentials (specially formatted and specially annotated Secrets) from Argo CD.
     enableCredentialBorrowing: true
 
+  ## All settings relating to the use of Argo Rollouts AnalysisTemplates and
+  ## AnalysisRuns as a means of verifying Stages after a Promotion.
+  rollouts:
+    ## @param controller.rollouts.integrationEnabled Specifies whether Argo Rollouts integration is enabled. When not enabled, the controller will not reconcile Argo Rollouts AnalysisRun resources and attempts to verify Stages via Analysis will fail.
+    integrationEnabled: true
+
   ## @param controller.logLevel The log level for the controller.
   logLevel: INFO