helm: add bool to control cluster level rbac rendering

Closes #5228

charts/nginx-ingress/README.md

@@ -473,6 +473,8 @@ The following tables lists the configurable parameters of the NGINX Ingress Cont
 |`controller.telemetryReporting.enable` | Enable telemetry reporting. | true |
 |`controller.enableWeightChangesDynamicReload` | Enable weight changes without reloading the NGINX configuration. May require increasing `map_hash_bucket_size`, `map_hash_max_size`, `variable_hash_bucket_size`, and `variable_hash_max_size` in the [ConfigMap](https://docs.nginx.com/nginx-ingress-controller/configuration/global-configuration/configmap-resource/) if there are many two-way splits. Requires `controller.nginxplus` | false |
 |`rbac.create` | Configures RBAC. | true |
+|`rbac.clusterrole.create` | Configures creation of ClusterRole. Creation can be disabled when more fine-grained control over RBAC is required. For example when controller.watchNamespace is used. | true |
+|`rbac.clusterrolebinding.create` | Configures creation of ClusterRoleBinding. Creation can be disabled when more fine-grained control over RBAC is required. For example when controller.watchNamespace is used. | true |
 |`prometheus.create` | Expose NGINX or NGINX Plus metrics in the Prometheus format. | true |
 |`prometheus.port` | Configures the port to scrape the metrics. | 9113 |
 |`prometheus.scheme` | Configures the HTTP scheme to use for connections to the Prometheus endpoint. | http |

charts/nginx-ingress/templates/clusterrole.yaml

@@ -1,4 +1,4 @@
-{{- if .Values.rbac.create }}
+{{- if and .Values.rbac.create .Values.rbac.clusterrole.create }}
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:

charts/nginx-ingress/templates/clusterrolebiding.yaml

@@ -1,4 +1,4 @@
-{{- if .Values.rbac.create }}
+{{- if and .Values.rbac.create .Values.rbac.clusterrolebinding.create }}
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:

charts/nginx-ingress/values.yaml

@@ -501,6 +501,14 @@ rbac:
  ## Configures RBAC.
  create: true
 
+ clusterrole:
+ ## Create ClusterRole
+ create: true
+
+ clusterrolebinding:
+ ## Create ClusterRoleBinding
+ create: true
+
 prometheus:
  ## Expose NGINX or NGINX Plus metrics in the Prometheus format.
  create: true

docs/content/installation/installing-nic/installation-with-helm.md

@@ -430,6 +430,8 @@ The following tables lists the configurable parameters of the NGINX Ingress Cont
 | **controller.telemetryReporting.enable** | Enable telemetry reporting. | true |
 | **controller.enableWeightChangesDynamicReload** | Enable weight changes without reloading the NGINX configuration. May require increasing `map_hash_bucket_size`, `map_hash_max_size`, `variable_hash_bucket_size`, and `variable_hash_max_size` in the [ConfigMap](https://docs.nginx.com/nginx-ingress-controller/configuration/global-configuration/configmap-resource/) if there are many two-way splits. Requires `controller.nginxplus` | false |
 | **rbac.create** | Configures RBAC. | true |
+| **rbac.clusterrole.create** | Configures creation of ClusterRole. Creation can be disabled when more fine-grained control over RBAC is required. For example when controller.watchNamespace is used. | true |
+| **rbac.clusterrolebinding.create** | Configures creation of ClusterRoleBinding. Creation can be disabled when more fine-grained control over RBAC is required. For example when controller.watchNamespace is used. | true |
 | **prometheus.create** | Expose NGINX or NGINX Plus metrics in the Prometheus format. | true |
 | **prometheus.port** | Configures the port to scrape the metrics. | 9113 |
 | **prometheus.scheme** | Configures the HTTP scheme to use for connections to the Prometheus endpoint. | http |