feat(argo-cd): Ability to provide cluster role to repo-server (#919)

* feat(argo-cd): Ability to provide cluster role to repo-server

Signed-off-by: Roman Rudenko <3kmnazapad@gmail.com>

* custom clusterRoleRules

Signed-off-by: Roman Rudenko <3kmnazapad@gmail.com>

* chore: beautify indentation

Signed-off-by: Marco Kilchhofer <mkilchhofer@users.noreply.github.com>

* fix: noeol in clusterrolebinding.yaml

Signed-off-by: Marco Kilchhofer <mkilchhofer@users.noreply.github.com>

Co-authored-by: Roman Rudenko <roman.rudenko@telekom.com>
Co-authored-by: Marco Kilchhofer <mkilchhofer@users.noreply.github.com>

charts/argo-cd/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 appVersion: 2.1.2
 description: A Helm chart for ArgoCD, a declarative, GitOps continuous delivery tool for Kubernetes.
 name: argo-cd
-version: 3.20.0
+version: 3.21.0
 home: https://github.com/argoproj/argo-helm
 icon: https://argoproj.github.io/argo-cd/assets/logo.png
 keywords:
@@ -21,4 +21,4 @@ dependencies:
     condition: redis-ha.enabled
 annotations:
   artifacthub.io/changes: |
-    - "[Added]: Ability to scrape redis metrics"
+    - "[Added]: Ability to provide cluster role to repo-server"

charts/argo-cd/README.md

@@ -187,6 +187,8 @@ NAME: my-release
 | controller.args.selfHealTimeout | define the controller `--self-heal-timeout-seconds` | `"5"` |
 | controller.args.statusProcessors | define the controller `--status-processors` | `"20"` |
 | controller.clusterAdminAccess.enabled | Enable RBAC for local cluster deployments. | `true` |
+| controller.clusterRoleRules.enabled | Enable custom rules for the Application Controller's Cluster Role resource. | `false` |
+| controller.clusterRoleRules.rules | List of custom rules for the Application Controller's Cluster Role resource. | `[]` |
 | controller.containerPort | Controller listening port. | `8082` |
 | controller.extraArgs | Additional arguments for the controller. A list of flags | `[]` |
 | controller.extraContainers | Additional containers for the controller. A list of containers. | `[]` |
@@ -244,6 +246,9 @@ NAME: my-release
 | repoServer.autoscaling.maxReplicas | Maximum number of replicas for the repo server [HPA](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) | `5` |
 | repoServer.autoscaling.targetCPUUtilizationPercentage | Average CPU utilization percentage for the repo server [HPA](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) | `50` |
 | repoServer.autoscaling.targetMemoryUtilizationPercentage | Average memory utilization percentage for the repo server [HPA](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) | `50` |
+| repoServer.clusterAdminAccess.enabled | Enable RBAC for local cluster deployments. | `false` |
+| repoServer.clusterRoleRules.enabled | Enable custom rules for the Repo server's Cluster Role resource. | `false` |
+| repoServer.clusterRoleRules.rules | List of custom rules for the Repo server's Cluster Role resource. | `[]` |
 | repoServer.containerPort | Repo server port | `8081` |
 | repoServer.extraArgs | Additional arguments for the repo server. A  list of flags. | `[]` |
 | repoServer.extraContainers | Additional containers for the repo server. A list of containers. | `[]` |

charts/argo-cd/templates/argocd-application-controller/clusterrole.yaml

@@ -6,9 +6,9 @@ metadata:
   labels:
     {{- include "argo-cd.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }}
 rules:
-{{- if .Values.controller.clusterRoleRules.enabled }}
-{{- toYaml .Values.controller.clusterRoleRules.rules | nindent 2 }}
-{{ else }}
+  {{- if .Values.controller.clusterRoleRules.enabled }}
+  {{- toYaml .Values.controller.clusterRoleRules.rules | nindent 0 }}
+  {{- else }}
 - apiGroups:
   - '*'
   resources:
@@ -19,5 +19,5 @@ rules:
   - '*'
   verbs:
   - '*'
-{{- end }}
+  {{- end }}
 {{- end }}

charts/argo-cd/templates/argocd-repo-server/clusterrole.yaml

@@ -0,0 +1,23 @@
+{{- if and .Values.repoServer.serviceAccount.create .Values.repoServer.clusterAdminAccess.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ template "argo-cd.repoServer.fullname" . }}
+  labels:
+    {{- include "argo-cd.labels" (dict "context" . "component" .Values.repoServer.name "name" .Values.repoServer.name) | nindent 4 }}
+rules:
+  {{- if .Values.repoServer.clusterRoleRules.enabled }}
+  {{- toYaml .Values.repoServer.clusterRoleRules.rules | nindent 0 }}
+  {{- else }}
+- apiGroups:
+  - '*'
+  resources:
+  - '*'
+  verbs:
+  - '*'
+- nonResourceURLs:
+  - '*'
+  verbs:
+  - '*'
+  {{- end }}
+{{- end }}

charts/argo-cd/templates/argocd-repo-server/clusterrolebinding.yaml

@@ -0,0 +1,16 @@
+{{- if and .Values.repoServer.serviceAccount.create .Values.repoServer.clusterAdminAccess.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ template "argo-cd.repoServer.fullname" . }}
+  labels:
+    {{- include "argo-cd.labels" (dict "context" . "component" .Values.repoServer.name "name" .Values.repoServer.name) | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ template "argo-cd.repoServer.fullname" . }}
+subjects:
+- kind: ServiceAccount
+  name: {{ template "argo-cd.repoServerServiceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+{{- end }}

charts/argo-cd/values.yaml

@@ -1061,6 +1061,17 @@ repoServer:
     #   namespace: monitoring
     #   additionalLabels: {}
 
+  ## Enable Admin ClusterRole resources.
+  ## Enable if you would like to grant cluster rights to ArgoCD repo-server.
+  clusterAdminAccess:
+    enabled: false
+  ## Enable Custom Rules for the Repo server's Cluster Role resource
+  ## Enable this and set the rules: to whatever custom rules you want for the Cluster Role resource.
+  ## Defaults to off
+  clusterRoleRules:
+    enabled: false
+    rules: []
+
   ## Repo server service account
   ## If create is set to true, make sure to uncomment the name and update the rbac section below
   serviceAccount: