DevFW-CICD/argocd-helm
12
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

chore(argo-cd): Consolidate cluster-wide RBAC (#1597)

Browse source 
Signed-off-by: Petr Drastil <petr.drastil@gmail.com>
This commit is contained in:
Petr Drastil 2023-01-10 09:58:45 +01:00 committed by GitHub
parent 7992b5d04b
commit c5648d5c9f
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
10 changed files with 70 additions and 66 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

9
charts/argo-cd/Chart.yaml
View file

@ -3,7 +3,7 @@ appVersion: v2.5.5
kubeVersion: ">=1.22.0-0" kubeVersion: ">=1.22.0-0"
description: A Helm chart for Argo CD, a declarative, GitOps continuous delivery tool for Kubernetes. description: A Helm chart for Argo CD, a declarative, GitOps continuous delivery tool for Kubernetes.
name: argo-cd name: argo-cd
version: 5.16.14 version: 5.16.15
home: https://github.com/argoproj/argo-helm home: https://github.com/argoproj/argo-helm
icon: https://argo-cd.readthedocs.io/en/stable/assets/logo.png icon: https://argo-cd.readthedocs.io/en/stable/assets/logo.png
sources: sources:
@ -23,6 +23,7 @@ dependencies:
condition: redis-ha.enabled condition: redis-ha.enabled
annotations: annotations:
artifacthub.io/changes: | artifacthub.io/changes: |
- "[Docs]: Added sample how to provide K8s credentials plugin" - "[Added]: Option createClusterRoles to enable cluster roles from one place"
- "[Docs]: Added sample how to provide Argo config management plugin" - "[Deprecated]: Option controller.clusterAdminAccess.enabled"
- "[Docs]: Removed samples that injects tools into incorrect controllers" - "[Deprecated]: Option server.clusterAdminAccess.enabled"
- "[Deprecated]: Option repoServer.clusterAdminAccess.enabled"

6
charts/argo-cd/README.md
View file

@ -362,7 +362,8 @@ NAME: my-release
| crds.annotations | object | `{}` | Annotations to be added to all CRDs | | crds.annotations | object | `{}` | Annotations to be added to all CRDs |
| crds.install | bool | `true` | Install and upgrade CRDs | | crds.install | bool | `true` | Install and upgrade CRDs |
| crds.keep | bool | `true` | Keep CRDs on chart uninstall | | crds.keep | bool | `true` | Keep CRDs on chart uninstall |
| createAggregateRoles | bool | `false` | Create clusterroles that extend existing clusterroles to interact with argo-cd crds | | createAggregateRoles | bool | `false` | Create aggregated roles that extend existing cluster roles to interact with argo-cd resources |
| createClusterRoles | bool | `true` | Create cluster roles for cluster-wide installation. |
| extraObjects | list | `[]` | Array of extra K8s manifests to deploy | | extraObjects | list | `[]` | Array of extra K8s manifests to deploy |
| fullnameOverride | string | `""` | String to fully override `"argo-cd.fullname"` | | fullnameOverride | string | `""` | String to fully override `"argo-cd.fullname"` |
| kubeVersionOverride | string | `""` | Override the Kubernetes version, which is used to evaluate certain manifests | | kubeVersionOverride | string | `""` | Override the Kubernetes version, which is used to evaluate certain manifests |
@ -451,7 +452,6 @@ NAME: my-release
|-----|------|---------|-------------| |-----|------|---------|-------------|
| controller.affinity | object | `{}` | Assign custom [affinity] rules to the deployment | | controller.affinity | object | `{}` | Assign custom [affinity] rules to the deployment |
| controller.args | object | `{}` | DEPRECATED - Application controller commandline flags | | controller.args | object | `{}` | DEPRECATED - Application controller commandline flags |
| controller.clusterAdminAccess.enabled | bool | `true` | Enable RBAC for local cluster deployments |
| controller.clusterRoleRules.enabled | bool | `false` | Enable custom rules for the application controller's ClusterRole resource | | controller.clusterRoleRules.enabled | bool | `false` | Enable custom rules for the application controller's ClusterRole resource |
| controller.clusterRoleRules.rules | list | `[]` | List of custom rules for the application controller's ClusterRole resource | | controller.clusterRoleRules.rules | list | `[]` | List of custom rules for the application controller's ClusterRole resource |
| controller.containerPort | int | `8082` | Application controller listening port | | controller.containerPort | int | `8082` | Application controller listening port |
@ -529,7 +529,6 @@ NAME: my-release
| repoServer.certificateSecret.enabled | bool | `false` | Create argocd-repo-server-tls secret | | repoServer.certificateSecret.enabled | bool | `false` | Create argocd-repo-server-tls secret |
| repoServer.certificateSecret.key | string | `""` | Certificate private key | | repoServer.certificateSecret.key | string | `""` | Certificate private key |
| repoServer.certificateSecret.labels | object | `{}` | Labels to be added to argocd-repo-server-tls secret | | repoServer.certificateSecret.labels | object | `{}` | Labels to be added to argocd-repo-server-tls secret |
| repoServer.clusterAdminAccess.enabled | bool | `false` | Enable RBAC for local cluster deployments |
| repoServer.clusterRoleRules.enabled | bool | `false` | Enable custom rules for the Repo server's Cluster Role resource | | repoServer.clusterRoleRules.enabled | bool | `false` | Enable custom rules for the Repo server's Cluster Role resource |
| repoServer.clusterRoleRules.rules | list | `[]` | List of custom rules for the Repo server's Cluster Role resource | | repoServer.clusterRoleRules.rules | list | `[]` | List of custom rules for the Repo server's Cluster Role resource |
| repoServer.containerPort | int | `8081` | Configures the repo server port | | repoServer.containerPort | int | `8081` | Configures the repo server port |
@ -631,7 +630,6 @@ NAME: my-release
| server.certificateSecret.enabled | bool | `false` | Create argocd-server-tls secret | | server.certificateSecret.enabled | bool | `false` | Create argocd-server-tls secret |
| server.certificateSecret.key | string | `""` | Private Key of the certificate | | server.certificateSecret.key | string | `""` | Private Key of the certificate |
| server.certificateSecret.labels | object | `{}` | Labels to be added to argocd-server-tls secret | | server.certificateSecret.labels | object | `{}` | Labels to be added to argocd-server-tls secret |
| server.clusterAdminAccess.enabled | bool | `true` | Enable RBAC for local cluster deployments |
| server.containerPort | int | `8080` | Configures the server port | | server.containerPort | int | `8080` | Configures the server port |
| server.containerSecurityContext | object | See [values.yaml] | Server container-level security context | | server.containerSecurityContext | object | See [values.yaml] | Server container-level security context |
| server.deploymentAnnotations | object | `{}` | Annotations to be added to server Deployment | | server.deploymentAnnotations | object | `{}` | Annotations to be added to server Deployment |

12
charts/argo-cd/templates/NOTES.txt
View file

@ -52,6 +52,18 @@ DEPRECATED option configs.gpgKeys - Use config.gpg.keys
{{- if .Values.configs.gpgKeysAnnotations }} {{- if .Values.configs.gpgKeysAnnotations }}
DEPRECATED option configs.gpgKeysAnnotations - Use config.gpg.annotations DEPRECATED option configs.gpgKeysAnnotations - Use config.gpg.annotations
{{- end }} {{- end }}
{{- if hasKey .Values "createAggregateRoles" }}
DEPRECATED option createAggregateRoles - Use global.rbac.aggregatedRoles
{{- end }}
{{- if hasKey (.Values.controller.clusterAdminAccess | default dict) "enabled" }}
DEPRECATED option .controller.clusterAdminAccess.enabled - Use createClusterRoles
{{- end }}
{{- if hasKey (.Values.server.clusterAdminAccess | default dict) "enabled" }}
DEPRECATED option .server.clusterAdminAccess.enabled - Use createClusterRoles
{{- end }}
{{- if hasKey (.Values.repoServer.clusterAdminAccess | default dict) "enabled" }}
DEPRECATED option .server.clusterAdminAccess.enabled - Use createClusterRoles
{{- end }}
{{- if .Values.controller.service }} {{- if .Values.controller.service }}
REMOVED option controller.service - Use controller.metrics REMOVED option controller.service - Use controller.metrics
{{- end }} {{- end }}

11
charts/argo-cd/templates/argocd-application-controller/clusterrole.yaml
View file

@ -1,21 +1,22 @@
{{- if .Values.controller.clusterAdminAccess.enabled }} {{- $config := .Values.controller.clusterAdminAccess | default dict -}}
{{- if hasKey $config "enabled" | ternary $config.enabled .Values.createClusterRoles }}
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole kind: ClusterRole
metadata: metadata:
name: {{ template "argo-cd.controller.fullname" . }} name: {{ include "argo-cd.controller.fullname" . }}
labels: labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }} {{- include "argo-cd.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }}
rules: rules:
{{- if .Values.controller.clusterRoleRules.enabled }} {{- if .Values.controller.clusterRoleRules.enabled }}
{{- toYaml .Values.controller.clusterRoleRules.rules | nindent 0 }} {{- toYaml .Values.controller.clusterRoleRules.rules | nindent 2 }}
{{- else }} {{- else }}
- apiGroups: - apiGroups:
- '*' - '*'
resources: resources:
- '*' - '*'
verbs: verbs:
- '*' - '*'
- nonResourceURLs: - nonResourceURLs:
- '*' - '*'
verbs: verbs:
- '*' - '*'

9
charts/argo-cd/templates/argocd-application-controller/clusterrolebinding.yaml
View file

@ -1,16 +1,17 @@
{{- if .Values.controller.clusterAdminAccess.enabled }} {{- $config := .Values.controller.clusterAdminAccess | default dict -}}
{{- if hasKey $config "enabled" | ternary $config.enabled .Values.createClusterRoles }}
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding kind: ClusterRoleBinding
metadata: metadata:
name: {{ template "argo-cd.controller.fullname" . }} name: {{ include "argo-cd.controller.fullname" . }}
labels: labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }} {{- include "argo-cd.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }}
roleRef: roleRef:
apiGroup: rbac.authorization.k8s.io apiGroup: rbac.authorization.k8s.io
kind: ClusterRole kind: ClusterRole
name: {{ template "argo-cd.controller.fullname" . }} name: {{ include "argo-cd.controller.fullname" . }}
subjects: subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: {{ template "argo-cd.controllerServiceAccountName" . }} name: {{ include "argo-cd.controllerServiceAccountName" . }}
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
{{- end }} {{- end }}

11
charts/argo-cd/templates/argocd-repo-server/clusterrole.yaml
View file

@ -1,21 +1,22 @@
{{- if and .Values.repoServer.serviceAccount.create .Values.repoServer.clusterAdminAccess.enabled }} {{- $config := .Values.repoServer.clusterAdminAccess | default dict -}}
{{- if hasKey $config "enabled" | ternary $config.enabled .Values.createClusterRoles }}
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole kind: ClusterRole
metadata: metadata:
name: {{ template "argo-cd.repoServer.fullname" . }} name: {{ include "argo-cd.repoServer.fullname" . }}
labels: labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.repoServer.name "name" .Values.repoServer.name) | nindent 4 }} {{- include "argo-cd.labels" (dict "context" . "component" .Values.repoServer.name "name" .Values.repoServer.name) | nindent 4 }}
rules: rules:
{{- if .Values.repoServer.clusterRoleRules.enabled }} {{- if .Values.repoServer.clusterRoleRules.enabled }}
{{- toYaml .Values.repoServer.clusterRoleRules.rules | nindent 0 }} {{- toYaml .Values.repoServer.clusterRoleRules.rules | nindent 2 }}
{{- else }} {{- else }}
- apiGroups: - apiGroups:
- '*' - '*'
resources: resources:
- '*' - '*'
verbs: verbs:
- '*' - '*'
- nonResourceURLs: - nonResourceURLs:
- '*' - '*'
verbs: verbs:
- '*' - '*'

9
charts/argo-cd/templates/argocd-repo-server/clusterrolebinding.yaml
View file

@ -1,16 +1,17 @@
{{- if and .Values.repoServer.serviceAccount.create .Values.repoServer.clusterAdminAccess.enabled }} {{- $config := .Values.repoServer.clusterAdminAccess | default dict -}}
{{- if hasKey $config "enabled" | ternary $config.enabled .Values.createClusterRoles }}
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding kind: ClusterRoleBinding
metadata: metadata:
name: {{ template "argo-cd.repoServer.fullname" . }} name: {{ include "argo-cd.repoServer.fullname" . }}
labels: labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.repoServer.name "name" .Values.repoServer.name) | nindent 4 }} {{- include "argo-cd.labels" (dict "context" . "component" .Values.repoServer.name "name" .Values.repoServer.name) | nindent 4 }}
roleRef: roleRef:
apiGroup: rbac.authorization.k8s.io apiGroup: rbac.authorization.k8s.io
kind: ClusterRole kind: ClusterRole
name: {{ template "argo-cd.repoServer.fullname" . }} name: {{ include "argo-cd.repoServer.fullname" . }}
subjects: subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: {{ template "argo-cd.repoServerServiceAccountName" . }} name: {{ include "argo-cd.repoServerServiceAccountName" . }}
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
{{- end }} {{- end }}

3
charts/argo-cd/templates/argocd-server/clusterrole.yaml
View file

@ -1,4 +1,5 @@
{{- if .Values.server.clusterAdminAccess.enabled }} {{- $config := .Values.server.clusterAdminAccess | default dict -}}
{{- if hasKey $config "enabled" | ternary $config.enabled .Values.createClusterRoles }}
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole kind: ClusterRole
metadata: metadata:

9
charts/argo-cd/templates/argocd-server/clusterrolebinding.yaml
View file

@ -1,16 +1,17 @@
{{- if .Values.server.clusterAdminAccess.enabled }} {{- $config := .Values.server.clusterAdminAccess | default dict -}}
{{- if hasKey $config "enabled" | ternary $config.enabled .Values.createClusterRoles }}
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding kind: ClusterRoleBinding
metadata: metadata:
name: {{ template "argo-cd.server.fullname" . }} name: {{ include "argo-cd.server.fullname" . }}
labels: labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }} {{- include "argo-cd.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }}
roleRef: roleRef:
apiGroup: rbac.authorization.k8s.io apiGroup: rbac.authorization.k8s.io
kind: ClusterRole kind: ClusterRole
name: {{ template "argo-cd.server.fullname" . }} name: {{ include "argo-cd.server.fullname" . }}
subjects: subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: {{ template "argo-cd.serverServiceAccountName" . }} name: {{ include "argo-cd.serverServiceAccountName" . }}
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
{{- end }} {{- end }}

21
charts/argo-cd/values.yaml
View file

@ -19,9 +19,12 @@ apiVersionOverrides:
# -- String to override apiVersion of autoscaling rendered by this helm chart # -- String to override apiVersion of autoscaling rendered by this helm chart
autoscaling: "" # autoscaling/v2 autoscaling: "" # autoscaling/v2
# -- Create clusterroles that extend existing clusterroles to interact with argo-cd crds # -- Create aggregated roles that extend existing cluster roles to interact with argo-cd resources
## Ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles ## Ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles
createAggregateRoles: false createAggregateRoles: false
# -- Create cluster roles for cluster-wide installation.
## Used when you manage applications in the same cluster where Argo CD runs
createClusterRoles: true
openshift: openshift:
# -- enables using arbitrary uid for argo repo server # -- enables using arbitrary uid for argo repo server
@ -718,11 +721,6 @@ controller:
# additionalLabels: {} # additionalLabels: {}
# annotations: {} # annotations: {}
## Enable if you would like to grant rights to Argo CD to deploy to the local Kubernetes cluster.
clusterAdminAccess:
# -- Enable RBAC for local cluster deployments
enabled: true
## Enable this and set the rules: to whatever custom rules you want for the Cluster Role resource. ## Enable this and set the rules: to whatever custom rules you want for the Cluster Role resource.
## Defaults to off ## Defaults to off
clusterRoleRules: clusterRoleRules:
@ -1732,12 +1730,6 @@ server:
# -- Termination policy of Openshift Route # -- Termination policy of Openshift Route
termination_policy: None termination_policy: None
## Enable Admin ClusterRole resources.
## Enable if you would like to grant rights to Argo CD to deploy to the local Kubernetes cluster.
clusterAdminAccess:
# -- Enable RBAC for local cluster deployments
enabled: true
GKEbackendConfig: GKEbackendConfig:
# -- Enable BackendConfig custom resource for Google Kubernetes Engine # -- Enable BackendConfig custom resource for Google Kubernetes Engine
enabled: false enabled: false
@ -2031,11 +2023,6 @@ repoServer:
# -- Prometheus ServiceMonitor annotations # -- Prometheus ServiceMonitor annotations
annotations: {} annotations: {}
## Enable Admin ClusterRole resources.
## Enable if you would like to grant cluster rights to Argo CD repo server.
clusterAdminAccess:
# -- Enable RBAC for local cluster deployments
enabled: false
## Enable Custom Rules for the Repo server's Cluster Role resource ## Enable Custom Rules for the Repo server's Cluster Role resource
## Enable this and set the rules: to whatever custom rules you want for the Cluster Role resource. ## Enable this and set the rules: to whatever custom rules you want for the Cluster Role resource.
## Defaults to off ## Defaults to off