From cf5036d8eaef78dd21a32ff54c08490df2f715ca Mon Sep 17 00:00:00 2001
From: Roman Rudenko <3kmnazapad@gmail.com>
Date: Fri, 17 Sep 2021 17:44:57 +0300
Subject: [PATCH] custom clusterRoleRules

Signed-off-by: Roman Rudenko <3kmnazapad@gmail.com>
---
 charts/argo-cd/README.md | 4 ++++
 .../argocd-repo-server/clusterrole.yaml | 19 ++++++++++++++-----
 .../clusterrolebinding.yaml | 4 +---
 charts/argo-cd/values.yaml | 6 ++++++
 4 files changed, 25 insertions(+), 8 deletions(-)

diff --git a/charts/argo-cd/README.md b/charts/argo-cd/README.md
index 3c384de2..58af0daa 100644
--- a/charts/argo-cd/README.md
+++ b/charts/argo-cd/README.md
@@ -186,6 +186,8 @@ NAME: my-release
 | controller.args.selfHealTimeout | define the controller `--self-heal-timeout-seconds` | `"5"` |
 | controller.args.statusProcessors | define the controller `--status-processors` | `"20"` |
 | controller.clusterAdminAccess.enabled | Enable RBAC for local cluster deployments. | `true` |
+| controller.clusterRoleRules.enabled | Enable custom rules for the Application Controller's Cluster Role resource. | `false` |
+| controller.clusterRoleRules.rules | List of custom rules for the Application Controller's Cluster Role resource. | `[]` |
 | controller.containerPort | Controller listening port. | `8082` |
 | controller.extraArgs | Additional arguments for the controller. A list of flags | `[]` |
 | controller.enableStatefulSet | Enable deploying the controller as a StatefulSet instead of a Deployment. Used for HA installations. | `false` |
@@ -242,6 +244,8 @@ NAME: my-release
 | repoServer.autoscaling.targetCPUUtilizationPercentage | Average CPU utilization percentage for the repo server [HPA](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) | `50` |
 | repoServer.autoscaling.targetMemoryUtilizationPercentage | Average memory utilization percentage for the repo server [HPA](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) | `50` |
 | repoServer.clusterAdminAccess.enabled | Enable RBAC for local cluster deployments. | `false` |
+| repoServer.clusterRoleRules.enabled | Enable custom rules for the Repo server's Cluster Role resource. | `false` |
+| repoServer.clusterRoleRules.rules | List of custom rules for the Repo server's Cluster Role resource. | `[]` |
 | repoServer.containerPort | Repo server port | `8081` |
 | repoServer.extraArgs | Additional arguments for the repo server. A list of flags. | `[]` |
 | repoServer.env | Environment variables for the repo server. | `[]` |
diff --git a/charts/argo-cd/templates/argocd-repo-server/clusterrole.yaml b/charts/argo-cd/templates/argocd-repo-server/clusterrole.yaml
index 950986de..d316b4da 100644
--- a/charts/argo-cd/templates/argocd-repo-server/clusterrole.yaml
+++ b/charts/argo-cd/templates/argocd-repo-server/clusterrole.yaml
@@ -1,5 +1,4 @@
-{{- if .Values.repoServer.serviceAccount.create }}
-{{- if .Values.repoServer.clusterAdminAccess.enabled }}
+{{- if and .Values.repoServer.serviceAccount.create .Values.repoServer.clusterAdminAccess.enabled }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -7,8 +6,18 @@ metadata: labels: {{- include "argo-cd.labels" (dict "context" . "component" .Values.repoServer.name "name" .Values.repoServer.name) | nindent 4 }} rules: -{{- if .Values.repoServer.rbac }} -{{toYaml .Values.repoServer.rbac }} -{{- end }} +{{- if .Values.repoServer.clusterRoleRules.enabled }} +{{- toYaml .Values.repoServer.clusterRoleRules.rules | nindent 2 }} +{{ else }} +- apiGroups: + - '*' + resources: + - '*' + verbs: + - '*' +- nonResourceURLs: + - '*' + verbs: + - '*' {{- end }} {{- end }} diff --git a/charts/argo-cd/templates/argocd-repo-server/clusterrolebinding.yaml b/charts/argo-cd/templates/argocd-repo-server/clusterrolebinding.yaml index 1146b7fc..fb461069 100644 --- a/charts/argo-cd/templates/argocd-repo-server/clusterrolebinding.yaml +++ b/charts/argo-cd/templates/argocd-repo-server/clusterrolebinding.yaml @@ -1,5 +1,4 @@ -{{- if .Values.repoServer.serviceAccount.create }} -{{- if .Values.repoServer.clusterAdminAccess.enabled }} +{{- if and .Values.repoServer.serviceAccount.create .Values.repoServer.clusterAdminAccess.enabled }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -14,5 +13,4 @@ subjects: - kind: ServiceAccount name: {{ template "argo-cd.repoServerServiceAccountName" . }} namespace: {{ .Release.Namespace }} -{{- end }} {{- end }} \ No newline at end of file diff --git a/charts/argo-cd/values.yaml b/charts/argo-cd/values.yaml index 38547934..0ceb554c 100755 --- a/charts/argo-cd/values.yaml +++ b/charts/argo-cd/values.yaml 
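Review bot: The `{{ else }}` branch of this hunk hard-codes a wildcard grant (`apiGroups`, `resources` and `verbs` all `'*'`, plus `nonResourceURLs: '*'`), so every release with `repoServer.clusterAdminAccess.enabled: true` and `clusterRoleRules.enabled` left at its `false` default now receives an unrestricted ClusterRole. The removed lines sourced the rules from `.Values.repoServer.rbac`, which this template no longer reads, so an existing `repoServer.rbac` list is silently ignored and replaced by the wildcard rules. If that is not intended, an intermediate branch keeps old values honoured — `{{- else if .Values.repoServer.rbac }}` / `{{- toYaml .Values.repoServer.rbac | nindent 2 }}` inserted before the existing `{{ else }}` — and either way the `rbac` entries in values.yaml/README (not visible in this patch, if they still exist) need a note saying custom rules moved to `clusterRoleRules.rules` and that the default widened. This `if` is nested inside the `{{- if and .Values.repoServer.serviceAccount.create .Values.repoServer.clusterAdminAccess.enabled }}` opened in the previous hunk, so a scoped-down `clusterRoleRules.rules` list still requires switching on `clusterAdminAccess.enabled`; a comment above `clusterRoleRules:` in values.yaml stating that dependency (`## Only rendered when clusterAdminAccess.enabled is true`) would stop users assuming the custom rules replace the gate.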
@@ -986,6 +986,12 @@ repoServer: ## Enable if you would like to grant cluster rights to ArgoCD repo-server. clusterAdminAccess: enabled: false + ## Enable Custom Rules for the Repo server's Cluster Role resource + ## Enable this and set the rules: to whatever custom rules you want for the Cluster Role resource. + ## Defaults to off + clusterRoleRules: + enabled: false + rules: [] ## Repo server service account ## If create is set to true, make sure to uncomment the name and update the rbac section below