custom clusterRoleRules

Signed-off-by: Roman Rudenko <3kmnazapad@gmail.com>

charts/argo-cd/README.md

@@ -186,6 +186,8 @@ NAME: my-release
 | controller.args.selfHealTimeout | define the controller `--self-heal-timeout-seconds` | `"5"` |
 | controller.args.statusProcessors | define the controller `--status-processors` | `"20"` |
 | controller.clusterAdminAccess.enabled | Enable RBAC for local cluster deployments. | `true` |
+| controller.clusterRoleRules.enabled | Enable custom rules for the Application Controller's Cluster Role resource. | `false` |
+| controller.clusterRoleRules.rules | List of custom rules for the Application Controller's Cluster Role resource. | `[]` |
 | controller.containerPort | Controller listening port. | `8082` |
 | controller.extraArgs | Additional arguments for the controller. A list of flags | `[]` |
 | controller.enableStatefulSet | Enable deploying the controller as a StatefulSet instead of a Deployment. Used for HA installations. | `false` |
@@ -242,6 +244,8 @@ NAME: my-release
 | repoServer.autoscaling.targetCPUUtilizationPercentage | Average CPU utilization percentage for the repo server [HPA](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) | `50` |
 | repoServer.autoscaling.targetMemoryUtilizationPercentage | Average memory utilization percentage for the repo server [HPA](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) | `50` |
 | repoServer.clusterAdminAccess.enabled | Enable RBAC for local cluster deployments. | `false` |
+| repoServer.clusterRoleRules.enabled | Enable custom rules for the Repo server's Cluster Role resource. | `false` |
+| repoServer.clusterRoleRules.rules | List of custom rules for the Repo server's Cluster Role resource. | `[]` |
 | repoServer.containerPort | Repo server port | `8081` |
 | repoServer.extraArgs | Additional arguments for the repo server. A  list of flags. | `[]` |
 | repoServer.env | Environment variables for the repo server. | `[]` |

charts/argo-cd/templates/argocd-repo-server/clusterrole.yaml

@@ -1,5 +1,4 @@
-{{- if .Values.repoServer.serviceAccount.create }}
-{{- if .Values.repoServer.clusterAdminAccess.enabled }}
+{{- if and .Values.repoServer.serviceAccount.create .Values.repoServer.clusterAdminAccess.enabled }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -7,8 +6,18 @@ metadata:
   labels:
     {{- include "argo-cd.labels" (dict "context" . "component" .Values.repoServer.name "name" .Values.repoServer.name) | nindent 4 }}
 rules:
-{{- if .Values.repoServer.rbac }}
-{{toYaml .Values.repoServer.rbac }}
-{{- end }}
+{{- if .Values.repoServer.clusterRoleRules.enabled }}
+{{- toYaml .Values.repoServer.clusterRoleRules.rules | nindent 2 }}
+{{ else }}
+- apiGroups:
+  - '*'
+  resources:
+  - '*'
+  verbs:
+  - '*'
+- nonResourceURLs:
+  - '*'
+  verbs:
+  - '*'
 {{- end }}
 {{- end }}

charts/argo-cd/templates/argocd-repo-server/clusterrolebinding.yaml

@@ -1,5 +1,4 @@
-{{- if .Values.repoServer.serviceAccount.create }}
-{{- if .Values.repoServer.clusterAdminAccess.enabled }}
+{{- if and .Values.repoServer.serviceAccount.create .Values.repoServer.clusterAdminAccess.enabled }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
@@ -14,5 +13,4 @@ subjects:
 - kind: ServiceAccount
   name: {{ template "argo-cd.repoServerServiceAccountName" . }}
   namespace: {{ .Release.Namespace }}
-{{- end }}
 {{- end }}

charts/argo-cd/values.yaml

@@ -986,6 +986,12 @@ repoServer:
   ## Enable if you would like to grant cluster rights to ArgoCD repo-server.
   clusterAdminAccess:
     enabled: false
+  ## Enable Custom Rules for the Repo server's Cluster Role resource
+  ## Enable this and set the rules: to whatever custom rules you want for the Cluster Role resource.
+  ## Defaults to off
+  clusterRoleRules:
+    enabled: false
+    rules: []
 
   ## Repo server service account
   ## If create is set to true, make sure to uncomment the name and update the rbac section below