From d67acde1bd0d85daad1429c664dbac654e80d6af Mon Sep 17 00:00:00 2001
From: Christian Strack
Date: Thu, 12 Aug 2021 21:15:25 +0200
Subject: [PATCH] feat(argo-cd): Add support for aggregation clusterroles
* feat: Add support for aggregation clusterroles
Signed-off-by: Christian Strack
---
 charts/argo-cd/Chart.yaml | 4 +-
 charts/argo-cd/README.md | 3 +-
 .../templates/argocd-aggregate-roles.yaml | 67 +++++++++++++++++++
 charts/argo-cd/values.yaml | 5 ++
 4 files changed, 76 insertions(+), 3 deletions(-)
 create mode 100644 charts/argo-cd/templates/argocd-aggregate-roles.yaml
diff --git a/charts/argo-cd/Chart.yaml b/charts/argo-cd/Chart.yaml
index 90cde221..3cbfae9d 100644
--- a/charts/argo-cd/Chart.yaml
+++ b/charts/argo-cd/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 appVersion: 2.0.5
 description: A Helm chart for ArgoCD, a declarative, GitOps continuous delivery tool for Kubernetes.
 name: argo-cd
-version: 3.11.5
+version: 3.11.6
 home: https://github.com/argoproj/argo-helm
 icon: https://argoproj.github.io/argo-cd/assets/logo.png
 keywords:
@@ -21,4 +21,4 @@ dependencies:
 condition: redis-ha.enabled
 annotations:
 artifacthub.io/changes: |
- - "[Fixed]: Can't login when using configs.secret.argocdServerAdminPassword"
+ - "[Added]: Support for aggregation clusterroles"
diff --git a/charts/argo-cd/README.md b/charts/argo-cd/README.md
index 5672d677..1928b8f6 100644
--- a/charts/argo-cd/README.md
+++ b/charts/argo-cd/README.md
@@ -147,7 +147,7 @@ NAME: my-release
 | nameOverride | Provide a name in place of `argocd` | `"argocd"` |
 | fullnameOverride | String to fully override `"argo-cd.fullname"` | `""` |
 | apiVersionOverrides.certmanager | String to override apiVersion of certmanager resources rendered by this helm chart | `""` |
-| apiVersionOverrides.ingress | String to override apiVersion of ingresses rendered by this helm chart | `""` |
+| apiVersionOverrides.ingress | String to override apiVersion of ingresses rendered by this helm chart | `""` |
 | configs.clusterCredentials | Provide one or multiple [external cluster credentials](https://argoproj.github.io/argo-cd/operator-manual/declarative-setup/#clusters) | `[]` (See [values.yaml](values.yaml)) |
 | configs.gpgKeysAnnotations | GnuPG key ring annotations | `{}` |
 | configs.gpgKeys | [GnuPG](https://argoproj.github.io/argo-cd/user-guide/gpg-verification/) keys to add to the key ring | `{}` (See [values.yaml](values.yaml)) |
@@ -165,6 +165,7 @@ NAME: my-release
 | configs.secret.extra | add additional secrets to be added to argocd-secret | `{}` |
 | configs.styles | Define custom CSS styles for your argo instance ([Read More](https://argo-cd.readthedocs.io/en/stable/operator-manual/custom-styles/)). This Settings will automatically mount the provided css and reference it in the argo configuration. | `""` (See [values.yaml](values.yaml)) |
 | openshift.enabled | enables using arbitrary uid for argo repo server | `false` |
+| rbac.create | Create clusterroles that extend aggregated roles to use argo-cd crds | `false` |
 ## ArgoCD Controller
diff --git a/charts/argo-cd/templates/argocd-aggregate-roles.yaml b/charts/argo-cd/templates/argocd-aggregate-roles.yaml
new file mode 100644
index 00000000..894b8355
--- /dev/null
+++ b/charts/argo-cd/templates/argocd-aggregate-roles.yaml
@@ -0,0 +1,67 @@
+{{- if .Values.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "argo-cd.fullname" . }}-aggregate-to-view
+ labels:
+ rbac.authorization.k8s.io/aggregate-to-view: "true"
+ {{- include "argo-cd.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }}
+rules:
+- apiGroups:
+ - argoproj.io
+ resources:
+ - applications
+ - appprojects
+ verbs:
+ - get
+ - list
+ - watch
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "argo-cd.fullname" . }}-aggregate-to-edit
+ labels:
+ rbac.authorization.k8s.io/aggregate-to-edit: "true"
+ {{- include "argo-cd.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }}
+rules:
+- apiGroups:
+ - argoproj.io
+ resources:
+ - applications
+ - appprojects
+ verbs:
+ - create
+ - delete
+ - deletecollection
+ - get
+ - list
+ - patch
+ - update
+ - watch
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "argo-cd.fullname" . }}-aggregate-to-admin
+ labels:
+ rbac.authorization.k8s.io/aggregate-to-admin: "true"
+ {{- include "argo-cd.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }}
+rules:
+- apiGroups:
+ - argoproj.io
+ resources:
+ - applications
+ - appprojects
+ verbs:
+ - create
+ - delete
+ - deletecollection
+ - get
+ - list
+ - patch
+ - update
+ - watch
+{{- end }}
diff --git a/charts/argo-cd/values.yaml b/charts/argo-cd/values.yaml
index 6edc9201..3316d37a 100755
--- a/charts/argo-cd/values.yaml
+++ b/charts/argo-cd/values.yaml
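Review bot: The `aggregate-to-edit` role grants create/update/patch/delete on `appprojects` as well as `applications`, so any subject bound to the built-in `edit` role in the namespace where Argo CD reads its objects can rewrite the AppProject that is meant to constrain its own Applications. Writes made through the Kubernetes API are not evaluated against Argo CD's own RBAC policy, and the application controller then reconciles them with its service account's permissions, which are typically much broader than `edit`. I would remove `- appprojects` from the resources list of the `aggregate-to-edit` rule and leave project writes to `aggregate-to-admin`; editors should still get read access through the `aggregate-to-view` role, assuming the cluster keeps the default aggregation of `view` into `edit`. Separately, `aggregate-to-view` exposes full Application specs, which can carry inline Helm parameters, to every holder of `view`, and that deserves a sentence in the chart documentation.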
@@ -31,6 +31,11 @@ apiVersionOverrides:
 certmanager: "" # cert-manager.io/v1
 ingress: "" # networking.k8s.io/v1beta1
+## Create clusterroles that extend existing clusterroles to interact with argo-cd crds
+## Ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles
+rbac:
+ create: false
+
 ## Controller
 controller:
 name: application-controller
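Review bot: The comment above `rbac.create` does not say who gains access when the flag is turned on, and the key name reads like the usual Helm switch for all of a chart's RBAC objects although the template added in this patch only gates the three aggregate ClusterRoles. I would state the effect in the comment, e.g. `## When true, every subject bound to the built-in view/edit/admin ClusterRoles gains the matching access to Application and AppProject objects`, and consider a more specific key such as `createAggregateRoles`. Keeping the default at `false` is the right choice for an opt-in permission grant.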