feat(argo-cd): Add support for aggregation clusterroles (#865)

* feat(argo-cd): Add support for aggregation clusterroles * feat: Add support for aggregation clusterroles Signed-off-by: Christian Strack <github@abyth.de> * fix(argo-cd): Remove redundant whitespace from README.md Signed-off-by: Christian Strack <github@abyth.de> Co-authored-by: Marko Bevc <marko.bevc@gmail.com> * fix(argo-cd): Remove component labels from aggregation roles Signed-off-by: Christian Strack <github@abyth.de> Co-authored-by: Marco Kilchhofer <mkilchhofer@users.noreply.github.com> * fix(argo-cd): Use value `createAggregateRoles` to control role creation * fix: Use value `createAggregateRoles` to control role creation * bump version to 3.12.0 * update chart README.md accordingly Signed-off-by: Christian Strack <github@abyth.de> Co-authored-by: Marko Bevc <marko.bevc@gmail.com> Co-authored-by: Marco Kilchhofer <mkilchhofer@users.noreply.github.com>
2021-08-13 22:15:02 +02:00 · 2021-08-13 22:15:02 +02:00 · a795074dd1
commit a795074dd1
parent 1dad68d4f4
4 changed files with 74 additions and 2 deletions
--- a/charts/argo-cd/Chart.yaml
+++ b/charts/argo-cd/Chart.yaml
@ -2,7 +2,7 @@ apiVersion: v2
 appVersion: 2.0.5
 description: A Helm chart for ArgoCD, a declarative, GitOps continuous delivery tool for Kubernetes.
 name: argo-cd
-version: 3.11.5
+version: 3.12.0
 home: https://github.com/argoproj/argo-helm
 icon: https://argoproj.github.io/argo-cd/assets/logo.png
 keywords:
@ -21,4 +21,4 @@ dependencies:
    condition: redis-ha.enabled
 annotations:
  artifacthub.io/changes: |
-    - "[Fixed]: Can't login when using configs.secret.argocdServerAdminPassword"
+    - "[Added]: Support for aggregation clusterroles"
--- a/charts/argo-cd/README.md
+++ b/charts/argo-cd/README.md
@ -148,6 +148,7 @@ NAME: my-release
 | fullnameOverride | String to fully override `"argo-cd.fullname"` | `""` |
 | apiVersionOverrides.certmanager | String to override apiVersion of certmanager resources rendered by this helm chart | `""` |
 | apiVersionOverrides.ingress | String to override apiVersion of ingresses rendered by this helm chart | `""` |
+| createAggregateRoles | Create clusterroles that extend aggregated roles to use argo-cd crds | `false` |
 | configs.clusterCredentials | Provide one or multiple [external cluster credentials](https://argoproj.github.io/argo-cd/operator-manual/declarative-setup/#clusters) | `[]` (See [values.yaml](values.yaml)) |
 | configs.gpgKeysAnnotations | GnuPG key ring annotations | `{}` |
 | configs.gpgKeys | [GnuPG](https://argoproj.github.io/argo-cd/user-guide/gpg-verification/) keys to add to the key ring | `{}` (See [values.yaml](values.yaml)) |
--- a/charts/argo-cd/templates/argocd-aggregate-roles.yaml
+++ b/charts/argo-cd/templates/argocd-aggregate-roles.yaml
@ -0,0 +1,67 @@
+{{- if .Values.createAggregateRoles }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "argo-cd.fullname" . }}-aggregate-to-view
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-view: "true"
+    {{- include "argo-cd.labels" (dict "context" .) | nindent 4 }}
+rules:
+- apiGroups:
+  - argoproj.io
+  resources:
+  - applications
+  - appprojects
+  verbs:
+  - get
+  - list
+  - watch
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "argo-cd.fullname" . }}-aggregate-to-edit
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-edit: "true"
+    {{- include "argo-cd.labels" (dict "context" .) | nindent 4 }}
+rules:
+- apiGroups:
+  - argoproj.io
+  resources:
+  - applications
+  - appprojects
+  verbs:
+  - create
+  - delete
+  - deletecollection
+  - get
+  - list
+  - patch
+  - update
+  - watch
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "argo-cd.fullname" . }}-aggregate-to-admin
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+    {{- include "argo-cd.labels" (dict "context" .) | nindent 4 }}
+rules:
+- apiGroups:
+  - argoproj.io
+  resources:
+  - applications
+  - appprojects
+  verbs:
+  - create
+  - delete
+  - deletecollection
+  - get
+  - list
+  - patch
+  - update
+  - watch
+{{- end }}
--- a/charts/argo-cd/values.yaml
+++ b/charts/argo-cd/values.yaml
@ -31,6 +31,10 @@ apiVersionOverrides:
  certmanager: "" # cert-manager.io/v1
  ingress: "" # networking.k8s.io/v1beta1

+## Create clusterroles that extend existing clusterroles to interact with argo-cd crds
+## Ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles
+createAggregateRoles: false
+
 ## Controller
 controller:
  name: application-controller