From fd38ac25b7aba4fa5ef1f5d7fdd1c9e19cbce7f4 Mon Sep 17 00:00:00 2001
From: Roman Rudenko
Date: Thu, 2 Sep 2021 17:18:20 +0300
Subject: [PATCH] feat(argo-cd): Ability to provide cluster role to repo-server
Signed-off-by: Roman Rudenko <3kmnazapad@gmail.com>
---
 charts/argo-cd/Chart.yaml | 4 ++--
 charts/argo-cd/README.md | 1 +
 .../argocd-repo-server/clusterrole.yaml | 14 ++++++++++++++
 .../argocd-repo-server/clusterrolebinding.yaml | 18 ++++++++++++++++++
 charts/argo-cd/values.yaml | 5 +++++
 5 files changed, 40 insertions(+), 2 deletions(-)
 create mode 100644 charts/argo-cd/templates/argocd-repo-server/clusterrole.yaml
 create mode 100644 charts/argo-cd/templates/argocd-repo-server/clusterrolebinding.yaml
diff --git a/charts/argo-cd/Chart.yaml b/charts/argo-cd/Chart.yaml
index 4efb92dd..73b695f2 100644
--- a/charts/argo-cd/Chart.yaml
+++ b/charts/argo-cd/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 appVersion: 2.1.1
 description: A Helm chart for ArgoCD, a declarative, GitOps continuous delivery tool for Kubernetes.
 name: argo-cd
-version: 3.17.5
+version: 3.17.6
 home: https://github.com/argoproj/argo-helm
 icon: https://argoproj.github.io/argo-cd/assets/logo.png
 keywords:
@@ -21,4 +21,4 @@ dependencies:
 condition: redis-ha.enabled
 annotations:
 artifacthub.io/changes: |
- - "[Changed]: Make AWS ALB GRPC backend protocol version configurable"
+ - "[Added]: Ability to provide cluster role to repo-server"
diff --git a/charts/argo-cd/README.md b/charts/argo-cd/README.md
index 8679a009..6500afc2 100644
--- a/charts/argo-cd/README.md
+++ b/charts/argo-cd/README.md
@@ -241,6 +241,7 @@ NAME: my-release
 | repoServer.autoscaling.maxReplicas | Maximum number of replicas for the repo server [HPA](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) | `5` |
 | repoServer.autoscaling.targetCPUUtilizationPercentage | Average CPU utilization percentage for the repo server [HPA](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) | `50` |
 | repoServer.autoscaling.targetMemoryUtilizationPercentage | Average memory utilization percentage for the repo server [HPA](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) | `50` |
+| repoServer.clusterAdminAccess.enabled | Enable RBAC for local cluster deployments. | `false` |
 | repoServer.containerPort | Repo server port | `8081` |
 | repoServer.extraArgs | Additional arguments for the repo server. A list of flags. | `[]` |
 | repoServer.env | Environment variables for the repo server. | `[]` |
diff --git a/charts/argo-cd/templates/argocd-repo-server/clusterrole.yaml b/charts/argo-cd/templates/argocd-repo-server/clusterrole.yaml
new file mode 100644
index 00000000..950986de
--- /dev/null
+++ b/charts/argo-cd/templates/argocd-repo-server/clusterrole.yaml
@@ -0,0 +1,14 @@
+{{- if .Values.repoServer.serviceAccount.create }}
+{{- if .Values.repoServer.clusterAdminAccess.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ template "argo-cd.repoServer.fullname" . }}
+ labels:
+ {{- include "argo-cd.labels" (dict "context" . "component" .Values.repoServer.name "name" .Values.repoServer.name) | nindent 4 }}
+rules:
+{{- if .Values.repoServer.rbac }}
+{{toYaml .Values.repoServer.rbac }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/argo-cd/templates/argocd-repo-server/clusterrolebinding.yaml b/charts/argo-cd/templates/argocd-repo-server/clusterrolebinding.yaml
new file mode 100644
index 00000000..1146b7fc
--- /dev/null
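Review bot: In clusterrole.yaml the `rules:` list is filled only from `.Values.repoServer.rbac`, and the inner `if` leaves `rules:` empty when that value is unset, so `clusterAdminAccess.enabled: true` on its own renders a ClusterRole that grants nothing while still creating cluster-scoped RBAC objects. When `repoServer.rbac` is set, every rule in it takes effect in all namespaces; if the same value also feeds a namespaced Role elsewhere in the chart (not visible in this patch), switching the flag on widens those rules to cluster scope without any change to the rule list. I would fold the check into the outer guard, `{{- if and .Values.repoServer.clusterAdminAccess.enabled .Values.repoServer.rbac }}`, and add a template comment such as `{{- /* rules come from repoServer.rbac and apply cluster-wide */ -}}` above `rules:`. Because the repo-server renders manifests from Git content, the rule list bound to its service account should stay as narrow as the deployment needs.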
+++ b/charts/argo-cd/templates/argocd-repo-server/clusterrolebinding.yaml
@@ -0,0 +1,18 @@
+{{- if .Values.repoServer.serviceAccount.create }}
+{{- if .Values.repoServer.clusterAdminAccess.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ template "argo-cd.repoServer.fullname" . }}
+ labels:
+ {{- include "argo-cd.labels" (dict "context" . "component" .Values.repoServer.name "name" .Values.repoServer.name) | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ template "argo-cd.repoServer.fullname" . }}
+subjects:
+- kind: ServiceAccount
+ name: {{ template "argo-cd.repoServerServiceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/argo-cd/values.yaml b/charts/argo-cd/values.yaml
index 8bf991c6..bf834966 100755
--- a/charts/argo-cd/values.yaml
+++ b/charts/argo-cd/values.yaml
@@ -982,6 +982,11 @@ repoServer: # namespace: monitoring # additionalLabels: {} + ## Enable Admin ClusterRole resources. + ## Enable if you would like to grant cluster rights to ArgoCD repo-server. + clusterAdminAccess: + enabled: false + ## Repo server service account ## If create is set to true, make sure to uncomment the name and update the rbac section below serviceAccount:
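Review bot: In clusterrolebinding.yaml the ClusterRoleBinding, like the ClusterRole it references in clusterrole.yaml, is named with `argo-cd.repoServer.fullname` alone, yet cluster-scoped objects share a single name space across the whole cluster. Unless that helper already embeds the release namespace, which the patch does not show, two releases with the same name in different namespaces would contend for the same ClusterRole and binding. Consider making the name namespace-unique, for example `name: {{ .Release.Namespace }}-{{ template "argo-cd.repoServer.fullname" . }}`, applied to both `metadata.name` fields and to `roleRef.name`. The new file also ends without a trailing newline (`\ No newline at end of file`).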
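Review bot: The comment added above `clusterAdminAccess` in values.yaml reads as if the flag grants an admin role, but the new templates take their rules from `repoServer.rbac` and render only when `serviceAccount.create` is true, and neither dependency is stated. I would reword it along the lines of `## Create a ClusterRole and ClusterRoleBinding for the repo-server service account.` followed by `## Rules are taken from repoServer.rbac and apply cluster-wide; requires serviceAccount.create: true.` The README row "Enable RBAC for local cluster deployments." has the same gap. The `repoServer:` mapping begins before and continues after this hunk.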