From 01fb902c10745a50ef53e47c58d054eb99e9d11a Mon Sep 17 00:00:00 2001
From: wanglijie6 <wanglijie6@xiaomi.com>
Date: Mon, 2 Dec 2024 19:59:32 +0800
Subject: [PATCH] feat: add aggregated label to cluster role

fix #48

see https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles
see https://kubernetes.io/docs/reference/access-authn-authz/rbac/#default-roles-and-role-bindings

Signed-off-by: wanglijie6 <wanglijie6@xiaomi.com>
---
 .../kuberay-operator/templates/ray_rayjob_editor_role.yaml     | 3 ++-
 .../kuberay-operator/templates/ray_rayjob_viewer_role.yaml     | 3 ++-
 .../kuberay-operator/templates/ray_rayservice_editor_role.yaml | 2 ++
 .../kuberay-operator/templates/ray_rayservice_viewer_role.yaml | 2 ++
 4 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/helm-chart/kuberay-operator/templates/ray_rayjob_editor_role.yaml b/helm-chart/kuberay-operator/templates/ray_rayjob_editor_role.yaml
index 0de7282..09e2b51 100644
--- a/helm-chart/kuberay-operator/templates/ray_rayjob_editor_role.yaml
+++ b/helm-chart/kuberay-operator/templates/ray_rayjob_editor_role.yaml
@@ -4,8 +4,9 @@
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  labels: {{ include "kuberay-operator.labels" . | nindent 4 }}
   name: rayjob-editor-role
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-edit: "true"
 rules:
 - apiGroups:
   - ray.io
diff --git a/helm-chart/kuberay-operator/templates/ray_rayjob_viewer_role.yaml b/helm-chart/kuberay-operator/templates/ray_rayjob_viewer_role.yaml
index 26906b0..bf0378e 100644
--- a/helm-chart/kuberay-operator/templates/ray_rayjob_viewer_role.yaml
+++ b/helm-chart/kuberay-operator/templates/ray_rayjob_viewer_role.yaml
@@ -4,8 +4,9 @@
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  labels: {{ include "kuberay-operator.labels" . | nindent 4 }}
   name: rayjob-viewer-role
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-view: "true"
 rules:
 - apiGroups:
   - ray.io
diff --git a/helm-chart/kuberay-operator/templates/ray_rayservice_editor_role.yaml b/helm-chart/kuberay-operator/templates/ray_rayservice_editor_role.yaml
index 1c0a695..60be960 100644
--- a/helm-chart/kuberay-operator/templates/ray_rayservice_editor_role.yaml
+++ b/helm-chart/kuberay-operator/templates/ray_rayservice_editor_role.yaml
@@ -4,6 +4,8 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: rayservice-editor-role
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-edit: "true"
 rules:
 - apiGroups:
   - ray.io
diff --git a/helm-chart/kuberay-operator/templates/ray_rayservice_viewer_role.yaml b/helm-chart/kuberay-operator/templates/ray_rayservice_viewer_role.yaml
index 59e878f..4a29370 100644
--- a/helm-chart/kuberay-operator/templates/ray_rayservice_viewer_role.yaml
+++ b/helm-chart/kuberay-operator/templates/ray_rayservice_viewer_role.yaml
@@ -4,6 +4,8 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: rayservice-viewer-role
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-view: "true"
 rules:
 - apiGroups:
   - ray.io