feat(argo-cd): Add support for aggregation clusterroles

* feat: Add support for aggregation clusterroles Signed-off-by: Christian Strack <github@abyth.de>
2021-08-12 21:15:25 +02:00 · 2021-08-12 21:15:25 +02:00 · d67acde1bd
commit d67acde1bd
parent 607caac246
4 changed files with 76 additions and 3 deletions
--- a/charts/argo-cd/Chart.yaml
+++ b/charts/argo-cd/Chart.yaml
@ -2,7 +2,7 @@ apiVersion: v2
 appVersion: 2.0.5
 description: A Helm chart for ArgoCD, a declarative, GitOps continuous delivery tool for Kubernetes.
 name: argo-cd
-version: 3.11.5
+version: 3.11.6
 home: https://github.com/argoproj/argo-helm
 icon: https://argoproj.github.io/argo-cd/assets/logo.png
 keywords:
@ -21,4 +21,4 @@ dependencies:
    condition: redis-ha.enabled
 annotations:
  artifacthub.io/changes: |
-    - "[Fixed]: Can't login when using configs.secret.argocdServerAdminPassword"
+    - "[Added]: Support for aggregation clusterroles"
--- a/charts/argo-cd/README.md
+++ b/charts/argo-cd/README.md
@ -165,6 +165,7 @@ NAME: my-release
 | configs.secret.extra | add additional secrets to be added to argocd-secret | `{}` |
 | configs.styles | Define custom CSS styles for your argo instance ([Read More](https://argo-cd.readthedocs.io/en/stable/operator-manual/custom-styles/)). This Settings will automatically mount the provided css and reference it in the argo configuration. | `""` (See [values.yaml](values.yaml)) |
 | openshift.enabled | enables using arbitrary uid for argo repo server | `false` |
+| rbac.create | Create clusterroles that extend aggregated roles to use argo-cd crds | `false` |

 ## ArgoCD Controller

--- a/charts/argo-cd/templates/argocd-aggregate-roles.yaml
+++ b/charts/argo-cd/templates/argocd-aggregate-roles.yaml
@ -0,0 +1,67 @@
+{{- if .Values.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "argo-cd.fullname" . }}-aggregate-to-view
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-view: "true"
+    {{- include "argo-cd.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }}
+rules:
+- apiGroups:
+  - argoproj.io
+  resources:
+  - applications
+  - appprojects
+  verbs:
+  - get
+  - list
+  - watch
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "argo-cd.fullname" . }}-aggregate-to-edit
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-edit: "true"
+    {{- include "argo-cd.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }}
+rules:
+- apiGroups:
+  - argoproj.io
+  resources:
+  - applications
+  - appprojects
+  verbs:
+  - create
+  - delete
+  - deletecollection
+  - get
+  - list
+  - patch
+  - update
+  - watch
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "argo-cd.fullname" . }}-aggregate-to-admin
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+    {{- include "argo-cd.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }}
+rules:
+- apiGroups:
+  - argoproj.io
+  resources:
+  - applications
+  - appprojects
+  verbs:
+  - create
+  - delete
+  - deletecollection
+  - get
+  - list
+  - patch
+  - update
+  - watch
+{{- end }}
--- a/charts/argo-cd/values.yaml
+++ b/charts/argo-cd/values.yaml
@ -31,6 +31,11 @@ apiVersionOverrides:
  certmanager: "" # cert-manager.io/v1
  ingress: "" # networking.k8s.io/v1beta1

+## Create clusterroles that extend existing clusterroles to interact with argo-cd crds
+## Ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles
+rbac:
+  create: false
+
 ## Controller
 controller:
  name: application-controller