DevFW-CICD/argocd-helm
16
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(argo-cd): Add support for aggregation clusterroles

Browse source 
* feat: Add support for aggregation clusterroles

Signed-off-by: Christian Strack <github@abyth.de>
This commit is contained in:
Christian Strack 2021-08-12 21:15:25 +02:00
parent 607caac246
commit d67acde1bd
4 changed files with 76 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
charts/argo-cd/Chart.yaml
View file

@ -2,7 +2,7 @@ apiVersion: v2
appVersion: 2.0.5 appVersion: 2.0.5
description: A Helm chart for ArgoCD, a declarative, GitOps continuous delivery tool for Kubernetes. description: A Helm chart for ArgoCD, a declarative, GitOps continuous delivery tool for Kubernetes.
name: argo-cd name: argo-cd
version: 3.11.5 version: 3.11.6
home: https://github.com/argoproj/argo-helm home: https://github.com/argoproj/argo-helm
icon: https://argoproj.github.io/argo-cd/assets/logo.png icon: https://argoproj.github.io/argo-cd/assets/logo.png
keywords: keywords:
@ -21,4 +21,4 @@ dependencies:
condition: redis-ha.enabled condition: redis-ha.enabled
annotations: annotations:
artifacthub.io/changes: | artifacthub.io/changes: |
- "[Fixed]: Can't login when using configs.secret.argocdServerAdminPassword" - "[Added]: Support for aggregation clusterroles"

3
charts/argo-cd/README.md
View file

@ -147,7 +147,7 @@ NAME: my-release
| nameOverride | Provide a name in place of `argocd` | `"argocd"` | | nameOverride | Provide a name in place of `argocd` | `"argocd"` |
| fullnameOverride | String to fully override `"argo-cd.fullname"` | `""` | | fullnameOverride | String to fully override `"argo-cd.fullname"` | `""` |
| apiVersionOverrides.certmanager | String to override apiVersion of certmanager resources rendered by this helm chart | `""` | | apiVersionOverrides.certmanager | String to override apiVersion of certmanager resources rendered by this helm chart | `""` |
| apiVersionOverrides.ingress | String to override apiVersion of ingresses rendered by this helm chart | `""` | | apiVersionOverrides.ingress | String to override apiVersion of ingresses rendered by this helm chart | `""` |
| configs.clusterCredentials | Provide one or multiple [external cluster credentials](https://argoproj.github.io/argo-cd/operator-manual/declarative-setup/#clusters) | `[]` (See [values.yaml](values.yaml)) | | configs.clusterCredentials | Provide one or multiple [external cluster credentials](https://argoproj.github.io/argo-cd/operator-manual/declarative-setup/#clusters) | `[]` (See [values.yaml](values.yaml)) |
| configs.gpgKeysAnnotations | GnuPG key ring annotations | `{}` | | configs.gpgKeysAnnotations | GnuPG key ring annotations | `{}` |
| configs.gpgKeys | [GnuPG](https://argoproj.github.io/argo-cd/user-guide/gpg-verification/) keys to add to the key ring | `{}` (See [values.yaml](values.yaml)) | | configs.gpgKeys | [GnuPG](https://argoproj.github.io/argo-cd/user-guide/gpg-verification/) keys to add to the key ring | `{}` (See [values.yaml](values.yaml)) |
@ -165,6 +165,7 @@ NAME: my-release
| configs.secret.extra | add additional secrets to be added to argocd-secret | `{}` | | configs.secret.extra | add additional secrets to be added to argocd-secret | `{}` |
| configs.styles | Define custom CSS styles for your argo instance ([Read More](https://argo-cd.readthedocs.io/en/stable/operator-manual/custom-styles/)). This Settings will automatically mount the provided css and reference it in the argo configuration. | `""` (See [values.yaml](values.yaml)) | | configs.styles | Define custom CSS styles for your argo instance ([Read More](https://argo-cd.readthedocs.io/en/stable/operator-manual/custom-styles/)). This Settings will automatically mount the provided css and reference it in the argo configuration. | `""` (See [values.yaml](values.yaml)) |
| openshift.enabled | enables using arbitrary uid for argo repo server | `false` | | openshift.enabled | enables using arbitrary uid for argo repo server | `false` |
| rbac.create | Create clusterroles that extend aggregated roles to use argo-cd crds | `false` |
## ArgoCD Controller ## ArgoCD Controller

67
charts/argo-cd/templates/argocd-aggregate-roles.yaml Normal file
View file

@ -0,0 +1,67 @@
{{- if .Values.rbac.create }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "argo-cd.fullname" . }}-aggregate-to-view
labels:
rbac.authorization.k8s.io/aggregate-to-view: "true"
{{- include "argo-cd.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }}
rules:
- apiGroups:
- argoproj.io
resources:
- applications
- appprojects
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "argo-cd.fullname" . }}-aggregate-to-edit
labels:
rbac.authorization.k8s.io/aggregate-to-edit: "true"
{{- include "argo-cd.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }}
rules:
- apiGroups:
- argoproj.io
resources:
- applications
- appprojects
verbs:
- create
- delete
- deletecollection
- get
- list
- patch
- update
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "argo-cd.fullname" . }}-aggregate-to-admin
labels:
rbac.authorization.k8s.io/aggregate-to-admin: "true"
{{- include "argo-cd.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }}
rules:
- apiGroups:
- argoproj.io
resources:
- applications
- appprojects
verbs:
- create
- delete
- deletecollection
- get
- list
- patch
- update
- watch
{{- end }}

5
charts/argo-cd/values.yaml
View file

@ -31,6 +31,11 @@ apiVersionOverrides:
certmanager: "" # cert-manager.io/v1 certmanager: "" # cert-manager.io/v1
ingress: "" # networking.k8s.io/v1beta1 ingress: "" # networking.k8s.io/v1beta1
## Create clusterroles that extend existing clusterroles to interact with argo-cd crds
## Ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles
rbac:
create: false
## Controller ## Controller
controller: controller:
name: application-controller name: application-controller