Description
Describe the bug
A recent code-generator change moved RBAC permissions for the controller into _helpers.tpl with a static constant Helm named template controller-role-rules - aws-controllers-k8s/code-generator#495.
When deploying multiple controllers as Helm subcharts, the controller-role-rules named templates conflict and only the last one loaded will be used. This results in all but one of the controllers having the wrong RBAC permissions and failing.
Per the Helm chart template guide:
An important detail to keep in mind when naming templates: template names are global. If you declare two templates with the same name, whichever one is loaded last will be the one used. Because templates in subcharts are compiled together with top-level templates, you should be careful to name your templates with chart-specific names.
A better approach would be to include the controller name in the _helpers.tpl, for example iam.controller-role-rules for the IAM controller.
Steps to reproduce
Deploy two or more recent Helm charts as subcharts in a single Helm release:
Chart.yaml:
    apiVersion: v2
    name: k8s-ack-controllers
    description: Controllers for creating AWS resources in Kubernetes
    version: 1.0.0
    dependencies:
      - name: dynamodb-chart
        version: "1.2.7"
        repository: oci://public.ecr.aws/aws-controllers-k8s
      - name: ec2-chart
        version: "1.2.2"
        repository: oci://public.ecr.aws/aws-controllers-k8s
Check the permissions on the controller ClusterRoles.
Expected outcome
ClusterRoles and other resources to not conflict when deploying more than one controller as subcharts.
Environment
- Kubernetes version: 1.27
- Using EKS (yes/no), if so version? Yes, 1.27
- AWS service targeted (S3, RDS, etc.): Multiple, observed with DynamoDB, EC2, EventBridge, IAM, KMS, S3, SNS, SQS
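
A check for the collision described in this report, added here as an example (it is not part of the original issue or of the ACK code-generator): it lists every Helm named template that is defined more than once across a parent chart and its subcharts. It assumes the subcharts are unpacked under charts/; the sample helper files, their bodies and the chart-prefixed names in them are constructed.

```python
import re
import sys
from collections import defaultdict
from pathlib import Path

# Matches {{ define "name" }} and the trimming form {{- define "name" -}}.
DEFINE_RE = re.compile(r'\{\{-?\s*define\s+"([^"]+)"\s*-?\}\}')


def find_duplicate_defines(sources):
    """sources: {file label: template text}. Returns {template name: [labels]}
    for every name that is defined more than once."""
    seen = defaultdict(list)
    for label, text in sources.items():
        for name in DEFINE_RE.findall(text):
            seen[name].append(label)
    return {n: sorted(v) for n, v in seen.items() if len(v) > 1}


def load_chart_templates(root):
    """Read every file under a templates/ directory below root, which covers
    the parent chart and any unpacked subcharts in charts/."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): p.read_text(errors="replace")
            for p in root.rglob("*")
            if p.is_file() and "templates" in p.relative_to(root).parts}


# Constructed sample: two subchart helper files sharing one static name.
# Template bodies and the chart-prefixed names are placeholders.
SAMPLE = {
    "charts/dynamodb-chart/templates/_helpers.tpl":
        '{{- define "dynamodb.app-name" -}}dynamodb{{- end -}}\n'
        '{{- define "controller-role-rules" }}\nrules: []\n{{- end }}\n',
    "charts/ec2-chart/templates/_helpers.tpl":
        '{{- define "ec2.app-name" -}}ec2{{- end -}}\n'
        '{{ define "controller-role-rules" }}\nrules: []\n{{ end }}\n',
}

if __name__ == "__main__":
    sources = load_chart_templates(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    dupes = find_duplicate_defines(sources)
    for name, files in dupes.items():
        print(f"{name!r} defined in: {', '.join(files)}")
    sys.exit(1 if dupes else 0)
```

The script exits nonzero when any name collides, so it can gate a CI step before a multi-controller release is installed.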