fix(argo-cd): Extend K8s RBAC when using UI exec feature (#1326)

Signed-off-by: Marco Kilchhofer <mkilchhofer@users.noreply.github.com>

charts/argo-cd/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 appVersion: v2.4.0
 description: A Helm chart for Argo CD, a declarative, GitOps continuous delivery tool for Kubernetes.
 name: argo-cd
-version: 4.9.0
+version: 4.9.1
 home: https://github.com/argoproj/argo-helm
 icon: https://argo-cd.readthedocs.io/en/stable/assets/logo.png
 keywords:
@@ -21,8 +21,4 @@ dependencies:
     condition: redis-ha.enabled
 annotations:
   artifacthub.io/changes: |
-    - "[Changed]: Update Argo CD to v2.4.0"
-    - "[Added]: Specify logs RBAC enforcement config in server"
-    - "[Changed]: Remove ksonnet and helm 2 support from Application and applicationSet CRDs"
-    - "[Changed]: Use applicationset binary on the upstream image"
-    - "[Changed]: Upgrade redis to 7.0.0"
+    - "[Fixed]: Extend K8s RBAC when using UI exec feature"

charts/argo-cd/templates/argocd-server/clusterrole.yaml

@@ -27,4 +27,12 @@ rules:
       - pods/log
     verbs:
       - get
+  {{- if eq (index .Values.server.config "exec.enabled") "true" }}
+  - apiGroups:
+    - ""
+    resources:
+    - pods/exec
+    verbs:
+    - create
+  {{- end }}
 {{- end }}

charts/argo-cd/values.yaml

@@ -1231,6 +1231,10 @@ server:
     # Ref: https://argo-cd.readthedocs.io/en/latest/operator-manual/upgrading/2.3-2.4/#enable-logs-rbac-enforcement
     server.rbac.log.enforce.enable: "false"
 
+    # exec.enabled indicates whether the UI exec feature is enabled. It is disabled by default.
+    # Ref: https://argo-cd.readthedocs.io/en/latest/operator-manual/rbac/#exec-resource
+    exec.enabled: "false"
+
     # DEPRECATED: Please instead use configs.credentialTemplates and configs.repositories
     # repositories: |
     #   - url: git@github.com:group/repo.git