From 7fab2dfbb58967fa4c1ddfb64dc1e033e0a4c530 Mon Sep 17 00:00:00 2001 From: Alexis Gauthiez Date: Fri, 16 Apr 2021 12:28:54 +0200 Subject: [PATCH] Suggest an alternative gradual migration technique Signed-off-by: Alexis Gauthiez --- docs/guides/helm-operator-migration.md | 37 ++++++++++++++++++++++++++ 1 file changed, 37 insertions(+) diff --git a/docs/guides/helm-operator-migration.md b/docs/guides/helm-operator-migration.md index 4c9d6250..b62eabc6 100644 --- a/docs/guides/helm-operator-migration.md +++ b/docs/guides/helm-operator-migration.md 
@@ -742,6 +742,43 @@ Gradually migrating to the Helm Controller is possible by scaling down the Helm While doing this, make sure that once you scale up the Helm Operator again, there are no old and new `HelmRelease` resources pointing towards the same release, as they will fight over the release. +Alternatively, you can gradually migrate per namespace without ever needing to shut the Helm Operator down, enabling no continuous delivery interruption on most namespaces. To do so, customize the Helm Operator roles associated to its `ServiceAccount`. By default, [the Helm Operator `ServiceAccount` is bound to a `ClusterRole` that allows it to watch `HelmRelases` in all namespaces](https://github.com/fluxcd/helm-operator/blob/1baacd6dee865b57da80e0e767286ed68d578246/deploy/rbac.yaml#L9-L36). By removing the `helm-operator` `ClusterRoleBinding` and replacing it by `RoleBindings` for each namespace, but the one you are currently migrating, the Helm Operator will be unable to watch and process HelmReleases in the namespace under maintenance: + +```yaml +# Create a `RoleBinding` for each namespace the Helm Operator is allowed to process `HelmReleases` in +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: helm-operator + namespace: helm-operator-watched-namespace +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: helm-operator +subjects: + - name: helm-operator + namespace: flux + kind: ServiceAccount +# Do not create the following to prevent the Helm Operator from watching `HelmReleases` in `helm-controller-watched-namespace` +# --- +# apiVersion: rbac.authorization.k8s.io/v1 +# kind: RoleBinding +# metadata: +# name: helm-operator +# namespace: helm-controller-watched-namespace +# roleRef: +# apiGroup: rbac.authorization.k8s.io +# kind: ClusterRole +# name: helm-operator +# subjects: +# - name: helm-operator +# namespace: flux +# kind: ServiceAccount +``` + +If you are using [the Helm Operator 
chart](https://github.com/fluxcd/helm-operator/tree/master/chart/helm-operator), make sure to set `rbac.create` to `false` in order to take over `RoleBindings` as you wish. + ### Deleting old resources Once you have migrated all your `HelmRelease` resources to the Helm Controller. You can remove all of the old resources by removing the old Custom Resource Definition.
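Review bot: In the added paragraph before the YAML block, the instruction to remove the `helm-operator` `ClusterRoleBinding` and replace it with per-namespace `RoleBindings` gives no order of operations. If the binding is deleted first, the Helm Operator loses access in every namespace until the `RoleBindings` exist. Say explicitly to create the `RoleBindings` first and delete the `ClusterRoleBinding` last. The closing note on `rbac.create: false` has a related gap: each `RoleBinding` still points at `roleRef.name: helm-operator`, so if that setting also stops the chart from creating the `ClusterRole`, readers have to supply it themselves, and the guide should mention that. A `RoleBinding` to a `ClusterRole` grants that role's namespaced rules inside the bound namespace only, which is a tighter grant than the cluster-wide binding and worth stating as a benefit of this approach. Wording: "`HelmRelases`" in the link text should be "`HelmReleases`", "for each namespace, but the one you are currently migrating" reads more clearly as "for each namespace except the one you are currently migrating", and "enabling no continuous delivery interruption on most namespaces" could be "so continuous delivery is not interrupted in the other namespaces". The bare `HelmReleases` at the end of that paragraph is missing the backticks used elsewhere.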