additionalRulesForClusterRole seem to be broken in templates/clusterrole.yaml template #100

Closed
mkaspar opened this issue Jul 2, 2024 · 1 comment · Fixed by #101

mkaspar commented Jul 2, 2024

Describe the bug
I tried to add additional zabbix role rules via rbac.additionalRulesForClusterRole but it failed with an error:
Error: YAML parse error on zabbix/templates/clusterrole.yaml: error converting YAML to JSON: yaml: line 53: did not find expected key

Version of Helm and Kubernetes:
Helm: version.BuildInfo{Version:"v3.12.0", GitCommit:"c9f554d75773799f72ceef38c51210f1842a1dea", GitTreeState:"clean", GoVersion:"go1.20.3"}

Kubernetes:
Client Version: 4.13.0-0.okd-2023-06-24-145750
Kustomize Version: v4.5.7
Server Version: 4.15.0-0.okd-2024-03-10-010116
Kubernetes Version: v1.28.2-3598+6e2789bbd58938-dirty

What happened:
The helm install (or template) ends with an error: Error: YAML parse error on zabbix/templates/clusterrole.yaml: error converting YAML to JSON: yaml: line 53: did not find expected key
Running with debug flag renders the template with the error which reveals the source of the error:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: zabbix
  labels:
    app.kubernetes.io/name: zabbix
    helm.sh/chart: zabbix-4.4.1
    app.kubernetes.io/instance: zabbix
    app.kubernetes.io/version: "6.0.30"
    app.kubernetes.io/managed-by: Helm
rules:
  - nonResourceURLs:
      - "/metrics"
      - "/metrics/cadvisor"
      - "/version"
      - "/healthz"
      - "/readyz"
    verbs: ["get"]
  - apiGroups: [""]
    resources:
      - nodes/metrics
      - nodes/spec
      - nodes/proxy
      - nodes/stats
    verbs: ["get"]
  - apiGroups: [""]
    resources:
      - namespaces
      - pods
      - services
      - componentstatuses
      - nodes
      - endpoints
      - events
    verbs: ["get", "list"]
  - apiGroups: ["batch"]
    resources:
      - jobs
      - cronjobs
    verbs: ["get", "list"]
  - apiGroups: ["extensions"]
    resources:
      - deployments
      - daemonsets
    verbs: ["get", "list"]
  - apiGroups: ["apps"]
    resources:
      - statefulsets
      - deployments
      - daemonsets
    verbs: ["get", "list"]
- apiGroups:
  - security.openshift.io
  resourceNames:
  - zabbix
  resources:
  - securitycontextconstraints
  verbs:
  - use

The template code to render the additional rules looks like:

{{- if .Values.rbac.additionalRulesForClusterRole }}
{{ toYaml .Values.rbac.additionalRulesForClusterRole | indent 0 }}
{{- end }}
{{- end }}

It looks like there is an incorrect indent value. It should be 4 instead of 0. We use chart version 4.4.1, but 5.0.0 behaves the same and I see the same code in the master branch.

What you expected to happen:
Template should be rendered, the release installed.

How to reproduce it (as minimally and precisely as possible):

  1. Add this to the values.overrides.yaml:
rbac:
  # -- Specifies whether the RBAC resources should be created
  create: true
  additionalRulesForClusterRole:
  #  - apiGroups: [ "" ]
  #    resources:
  #      - nodes/proxy
  #    verbs: [ "get", "list", "watch" ]
  # SCC. Unfortunately there is a bug in Zabbix Helm chart preventing setting additional rules.
  # https://docs.openshift.com/container-platform/4.15/authentication/managing-security-context-constraints.html#role-based-access-to-ssc_configuring-internal-oauth
    - apiGroups:
        - security.openshift.io
      resourceNames:
        - zabbix
      resources:
        - securitycontextconstraints 
      verbs: 
        - use
  2. Try to generate template: helm template zabbix zabbix-community/zabbix --version 5.0.0 -f values.overrides.yaml

Anything else we need to know:

aeciopires added a commit that referenced this issue Jul 3, 2024
aeciopires mentioned this issue Jul 3, 2024
@aeciopires
Member

Hello @mkaspar!

Thanks for reporting this bug in great detail. I resolved the issue and will make a new release.
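
Added example, not part of the issue thread or the chart's code: a stand-alone Go reproduction of the misindentation reported above, using text/template with a re-implemented `indent` helper and a check that flags list items rendered left of the first `rules:` entry. The cut-down template, the names `render` and `misplaced`, and the indent value 2 (the column of the existing `rules:` items in the rendered output quoted in the report) are assumptions for illustration.

```go
package main

import (
	"bytes"
	"fmt"
	"strings"
	"text/template"
)

// Constructed sample: the YAML text of the extra rule, as it appears in the rendered output.
const extraRule = "- apiGroups:\n  - security.openshift.io\n  resourceNames:\n  - zabbix\n  resources:\n  - securitycontextconstraints\n  verbs:\n  - use"

// Cut-down stand-in for templates/clusterrole.yaml (assumption, not the chart's file).
const src = "rules:\n  - apiGroups: [\"\"]\n    resources:\n      - nodes\n    verbs: [\"get\"]\n{{ .Extra | indent .N }}\n"

// indent prefixes every line of s with n spaces, like the template function of that name.
func indent(n int, s string) string {
	pad := strings.Repeat(" ", n)
	return pad + strings.ReplaceAll(s, "\n", "\n"+pad)
}

// render executes the stand-in template with the extra rule indented by n spaces.
func render(n int) (string, error) {
	t := template.Must(template.New("clusterrole").Funcs(template.FuncMap{"indent": indent}).Parse(src))
	var b bytes.Buffer
	err := t.Execute(&b, map[string]any{"Extra": extraRule, "N": n})
	return b.String(), err
}

// misplaced returns 1-based lines of list items starting left of the first list item (first rules: entry).
func misplaced(manifest string) (bad []int) {
	col := -1
	for i, line := range strings.Split(manifest, "\n") {
		if t := strings.TrimLeft(line, " "); strings.HasPrefix(t, "- ") {
			if c := len(line) - len(t); col < 0 {
				col = c // column of the first entry under rules:
			} else if c < col {
				bad = append(bad, i+1) // item fell out of the rules: sequence
			}
		}
	}
	return bad
}

func main() {
	for _, n := range []int{0, 2} {
		out, err := render(n)
		fmt.Printf("indent %d: misplaced list items at lines %v (err=%v)\n", n, misplaced(out), err)
	}
}
```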
