Add missing cluster rolebinding for applicationset in case multiple namespaces are used.

Signed-off-by: Boris Smidt <boris.smidt@restore.eu>
2023-08-17 17:38:32 +02:00 · 2023-08-17 17:38:32 +02:00 · 05234984e3
commit 05234984e3
parent dc56fa63f3
3 changed files with 44 additions and 2 deletions
--- a/charts/argo-cd/Chart.yaml
+++ b/charts/argo-cd/Chart.yaml
@ -3,7 +3,7 @@ appVersion: v2.8.0
 kubeVersion: ">=1.23.0-0"
 description: A Helm chart for Argo CD, a declarative, GitOps continuous delivery tool for Kubernetes.
 name: argo-cd
-version: 5.43.4
+version: 5.43.5
 home: https://github.com/argoproj/argo-helm
 icon: https://argo-cd.readthedocs.io/en/stable/assets/logo.png
 sources:
@ -27,4 +27,4 @@ annotations:
    url: https://argoproj.github.io/argo-helm/pgp_keys.asc
  artifacthub.io/changes: |
    - kind: fixed
-      description: Rename comment of repositoryCredentials to credentialTemplates
+      description: Add a cluster role to make namespaced application set controller work.  
--- a/charts/argo-cd/templates/argocd-applicationset/clusterrole.yaml
+++ b/charts/argo-cd/templates/argocd-applicationset/clusterrole.yaml
@ -0,0 +1,25 @@
+{{- $config := .Values.controller.clusterAdminAccess | default dict -}}
+{{- if hasKey $config "enabled" | ternary $config.enabled .Values.createClusterRoles }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "argo-cd.applicationSet.fullname" . }}
+  labels:
+    {{- include "argo-cd.labels" (dict "context" . "component" .Values.applicationSet.name "name" .Values.applicationSet.name) | nindent 4 }}
+rules:
+  - apiGroups:
+    - argoproj.io
+    resources:
+    - applications
+    - applicationsets
+    verbs:
+    - '*'
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - get
+      - list
+      - watch
+{{- end }}
--- a/charts/argo-cd/templates/argocd-applicationset/clusterrolebinding.yaml
+++ b/charts/argo-cd/templates/argocd-applicationset/clusterrolebinding.yaml
@ -0,0 +1,17 @@
+{{- $config := .Values.controller.clusterAdminAccess | default dict -}}
+{{- if hasKey $config "enabled" | ternary $config.enabled .Values.createClusterRoles }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "argo-cd.applicationSet.fullname" . }}
+  labels:
+    {{- include "argo-cd.labels" (dict "context" . "component" .Values.applicationSet.name "name" .Values.applicationSet.name) | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "argo-cd.applicationSet.fullname" . }}
+subjects:
+- kind: ServiceAccount
+  name: {{ template "argo-cd.applicationSetServiceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+{{- end }}