feat: Add support for respectRBAC configuration. (#1612)
* feat: Add support for respectRBAC configuration.

Signed-off-by: Jayendra Parsai <[email protected]>

* docs: add Respect RBAC page to TOC

Signed-off-by: Jonathan West <[email protected]>

---------

Signed-off-by: Jayendra Parsai <[email protected]>
Signed-off-by: Jonathan West <[email protected]>
Co-authored-by: Jayendra Parsai <[email protected]>
Co-authored-by: Jonathan West <[email protected]>
3 people authored Dec 4, 2024
1 parent 0ca1920 commit 28659bf
Showing 19 changed files with 177 additions and 4 deletions.
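--- a/api/v1beta1/argocd_types.go
+++ b/api/v1beta1/argocd_types.go
@@ -134,6 +134,9 @@ type ArgoCDApplicationControllerSpec struct {
 
 // Custom labels to pods deployed by the operator
 Labels map[string]string `json:"labels,omitempty"`
+
+// RespectRBAC restricts controller from discovering/syncing specific resources, Defaults is empty if not configured. Valid options are strict and normal.
+RespectRBAC string `json:"respectRBAC,omitempty"`
 }
 
 func (a *ArgoCDApplicationControllerSpec) IsEnabled() bool {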
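Review bot: RespectRBAC is declared as a free-form `string` with no validation marker, so the API server will accept any value and the generated CRD only records `type: string`. Because this setting restricts which resources the application controller discovers and syncs, a misspelt value is better rejected at admission than stored; a marker such as `// +kubebuilder:validation:Enum=strict;normal` above the field would do that, after confirming whether an explicit empty string must remain valid. The comment would also read more clearly as `Default is empty if not configured.` The struct begins outside this hunk.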
Expand Up @@ -247,7 +247,7 @@ metadata:
capabilities: Deep Insights
categories: Integration & Delivery
certified: "false"
createdAt: "2024-11-21T12:06:55Z"
createdAt: "2024-11-29T09:50:31Z"
description: Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes.
operators.operatorframework.io/builder: operator-sdk-v1.35.0
operators.operatorframework.io/project_layout: go.kubebuilder.io/v4
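--- a/bundle/manifests/argoproj.io_argocds.yaml
+++ b/bundle/manifests/argoproj.io_argocds.yaml
@@ -10897,6 +10897,11 @@ spec:
 More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
 type: object
 type: object
+respectRBAC:
+description: RespectRBAC restricts controller from discovering/syncing
+specific resources, Defaults is empty if not configured. Valid
+options are strict and normal.
+type: string
 sharding:
 description: Sharding contains the options for the Application
 Controller sharding configuration.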
12 changes: 11 additions & 1 deletion common/keys.go
Expand Up @@ -19,7 +19,17 @@ import (
)

const (
// ArgoCDKeyAdminEnabled is the configuration key for the admin enabled setting..

// ArgoCDKeyRespectRBAC is the configuration key for the respectRBAC setting.
ArgoCDKeyRespectRBAC = "resource.respectRBAC"

// ArgoCDValueRespectRBACStrict is the configuration value for the respectRBAC setting.
ArgoCDValueRespectRBACStrict = "strict"

// ArgoCDValueRespectRBACStrict is the configuration value for the respectRBAC setting.
ArgoCDValueRespectRBACNormal = "normal"

// ArgoCDKeyAdminEnabled is the configuration key for the admin enabled setting.
ArgoCDKeyAdminEnabled = "admin.enabled"

// ArgoCDKeyApplicationInstanceLabelKey is the configuration key for the application instance label.
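Review bot: The doc comment above `ArgoCDValueRespectRBACNormal` names the wrong constant: it repeats `ArgoCDValueRespectRBACStrict`, and both value comments describe their constant in identical words. Suggested wording: `// ArgoCDValueRespectRBACStrict is the "strict" value of the respectRBAC setting.` and `// ArgoCDValueRespectRBACNormal is the "normal" value of the respectRBAC setting.` The blank line added directly after `const (` can be dropped as well. The const block continues past the end of the hunk.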
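--- a/config/crd/bases/argoproj.io_argocds.yaml
+++ b/config/crd/bases/argoproj.io_argocds.yaml
@@ -10886,6 +10886,11 @@ spec:
 More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
 type: object
 type: object
+respectRBAC:
+description: RespectRBAC restricts controller from discovering/syncing
+specific resources, Defaults is empty if not configured. Valid
+options are strict and normal.
+type: string
 sharding:
 description: Sharding contains the options for the Application
 Controller sharding configuration.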
11 changes: 10 additions & 1 deletion controllers/argocd/configmap.go
Expand Up @@ -54,6 +54,15 @@ func getApplicationInstanceLabelKey(cr *argoproj.ArgoCD) string {
return key
}

// setRespectRBAC configures RespectRBAC key and value for ConfigMap.
func setRespectRBAC(cr *argoproj.ArgoCD, data map[string]string) map[string]string {
if cr.Spec.Controller.RespectRBAC != "" &&
(cr.Spec.Controller.RespectRBAC == common.ArgoCDValueRespectRBACStrict || cr.Spec.Controller.RespectRBAC == common.ArgoCDValueRespectRBACNormal) {
data[common.ArgoCDKeyRespectRBAC] = cr.Spec.Controller.RespectRBAC
}
return data
}

// getCAConfigMapName will return the CA ConfigMap name for the given ArgoCD.
func getCAConfigMapName(cr *argoproj.ArgoCD) string {
if len(cr.Spec.TLS.CA.ConfigMapName) > 0 {
Expand Down Expand Up @@ -370,7 +379,7 @@ func (r *ReconcileArgoCD) reconcileArgoConfigMap(cr *argoproj.ArgoCD) error {
cm := newConfigMapWithName(common.ArgoCDConfigMapName, cr)

cm.Data = make(map[string]string)

cm.Data = setRespectRBAC(cr, cm.Data)
cm.Data[common.ArgoCDKeyApplicationInstanceLabelKey] = getApplicationInstanceLabelKey(cr)
cm.Data[common.ArgoCDKeyConfigManagementPlugins] = getConfigManagementPlugins(cr)
cm.Data[common.ArgoCDKeyAdminEnabled] = fmt.Sprintf("%t", !cr.Spec.DisableAdmin)
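Review bot: In `setRespectRBAC`, a value other than `strict` or `normal` is dropped with no log line or status, so a typo in the CR leaves `resource.respectRBAC` unset while the CR still appears to request a restriction; the controller then presumably runs with its unrestricted default. Logging a warning through whatever logger this package already uses, when the value is non-empty and unrecognised, would make that visible to the operator. The `!= ""` test is redundant, because the empty string already fails both equality checks; `switch v := cr.Spec.Controller.RespectRBAC; v { case common.ArgoCDValueRespectRBACStrict, common.ArgoCDValueRespectRBACNormal: data[common.ArgoCDKeyRespectRBAC] = v }` expresses the same rule. `reconcileArgoConfigMap` in the second hunk starts and ends outside the visible lines.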
47 changes: 47 additions & 0 deletions controllers/argocd/configmap_test.go
Expand Up @@ -1012,6 +1012,53 @@ func TestReconcileArgoCD_reconcileArgoConfigMap_withExtraConfig(t *testing.T) {

}

func TestReconcileArgoCD_reconcileArgoConfigMap_withRespectRBAC(t *testing.T) {
logf.SetLogger(ZapLogger(true))
a := makeTestArgoCD(func(a *argoproj.ArgoCD) {
a.Spec.Controller.RespectRBAC = "normal"
})

resObjs := []client.Object{a}
subresObjs := []client.Object{a}
runtimeObjs := []runtime.Object{}
sch := makeTestReconcilerScheme(argoproj.AddToScheme)
cl := makeTestReconcilerClient(sch, resObjs, subresObjs, runtimeObjs)
r := makeTestReconciler(cl, sch)

err := r.reconcileArgoConfigMap(a)
assert.NoError(t, err)

cm := &corev1.ConfigMap{}

assert.NoError(t, r.Client.Get(context.TODO(), types.NamespacedName{Name: common.ArgoCDConfigMapName, Namespace: testNamespace}, cm))

if c := cm.Data["resource.respectRBAC"]; c != "normal" {
t.Fatalf("reconcileArgoConfigMap failed got %q, want %q", c, "false")
}

// update config
a.Spec.Controller.RespectRBAC = "strict"

err = r.reconcileArgoConfigMap(a)
assert.NoError(t, err)

assert.NoError(t, r.Client.Get(context.TODO(), types.NamespacedName{Name: common.ArgoCDConfigMapName, Namespace: testNamespace}, cm))
if c := cm.Data["resource.respectRBAC"]; c != "strict" {
t.Fatalf("reconcileArgoConfigMap failed got %q, want %q", c, "false")
}

// update config
a.Spec.Controller.RespectRBAC = ""

err = r.reconcileArgoConfigMap(a)
assert.NoError(t, err)

assert.NoError(t, r.Client.Get(context.TODO(), types.NamespacedName{Name: common.ArgoCDConfigMapName, Namespace: testNamespace}, cm))
if c := cm.Data["resource.respectRBAC"]; c != "" {
t.Fatalf("reconcileArgoConfigMap failed got %q, want %q", c, "false")
}
}

func Test_reconcileRBAC(t *testing.T) {
a := makeTestArgoCD()

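Review bot: All three `t.Fatalf` calls in `TestReconcileArgoCD_reconcileArgoConfigMap_withRespectRBAC` print `want "false"`, which is never the value being compared, so a failure would report a misleading expectation. Each message should name its own expected value, e.g. `t.Fatalf("reconcileArgoConfigMap failed got %q, want %q", c, "normal")`, and likewise `"strict"` and `""`. The lookups could use `common.ArgoCDKeyRespectRBAC` instead of the literal key. A further case with an unrecognised value would pin the ignore-invalid branch of `setRespectRBAC` at unit level too.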
Expand Up @@ -247,7 +247,7 @@ metadata:
capabilities: Deep Insights
categories: Integration & Delivery
certified: "false"
createdAt: "2024-11-21T12:06:55Z"
createdAt: "2024-11-29T09:50:31Z"
description: Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes.
operators.operatorframework.io/builder: operator-sdk-v1.35.0
operators.operatorframework.io/project_layout: go.kubebuilder.io/v4
Expand Up @@ -10897,6 +10897,11 @@ spec:
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
type: object
type: object
respectRBAC:
description: RespectRBAC restricts controller from discovering/syncing
specific resources, Defaults is empty if not configured. Valid
options are strict and normal.
type: string
sharding:
description: Sharding contains the options for the Application
Controller sharding configuration.
18 changes: 18 additions & 0 deletions docs/usage/respect_rbac.md
@@ -0,0 +1,18 @@
# Respect RBAC for controller

See the [upstream documentation](https://argo-cd.readthedocs.io/en/stable/operator-manual/declarative-setup/#auto-respect-rbac-for-controller) for more information.

This feature can be enabled by setting `respectRBAC` field in ArgoCD resource. To configure value in `argocd-cm` ConfigMap via ArgoCD resource, users need to configure `argocd.spec.controller.respectRBAC` field. Possible values for this field are `strict`, `normal` or empty (default).


```yaml
apiVersion: argoproj.io/v1beta1
kind: ArgoCD
metadata:
name: example-argocd
spec:
controller:
respectRBAC: strict
```
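--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -56,6 +56,7 @@ nav:
 - Notifications: usage/notifications.md
 - Resource Management: usage/resource_management.md
 - Routes: usage/routes.md
+- Respect RBAC: usage/respect_rbac.md
 - Custom Roles: usage/custom_roles.md
 - Apps in Any Namespace: usage/apps-in-any-namespace.md
 - Appsets in Any Namespace: usage/appsets-in-any-namespace.md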
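--- a/tests/k8s/1-045_validate_controller_respect_rbac/01-assert.yaml
+++ b/tests/k8s/1-045_validate_controller_respect_rbac/01-assert.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: argoproj.io/v1beta1
+kind: ArgoCD
+metadata:
+name: example-argocd
+status:
+phase: Available
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+name: argocd-cm
+data:
+resource.respectRBAC: normal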
@@ -0,0 +1,7 @@
apiVersion: argoproj.io/v1beta1
kind: ArgoCD
metadata:
name: example-argocd
spec:
controller:
respectRBAC: normal
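--- a/tests/k8s/1-045_validate_controller_respect_rbac/02-assert.yaml
+++ b/tests/k8s/1-045_validate_controller_respect_rbac/02-assert.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: argoproj.io/v1beta1
+kind: ArgoCD
+metadata:
+name: example-argocd
+status:
+phase: Available
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+name: argocd-cm
+data:
+resource.respectRBAC: strict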
@@ -0,0 +1,7 @@
apiVersion: argoproj.io/v1beta1
kind: ArgoCD
metadata:
name: example-argocd
spec:
controller:
respectRBAC: strict
@@ -0,0 +1,7 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
name: argocd-cm
data:
resource.respectRBAC: strict
@@ -0,0 +1,7 @@
apiVersion: argoproj.io/v1beta1
kind: ArgoCD
metadata:
name: example-argocd
spec:
controller:
respectRBAC: somethibg
@@ -0,0 +1,7 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
name: argocd-cm
data:
resource.respectRBAC: ""
@@ -0,0 +1,7 @@
apiVersion: argoproj.io/v1beta1
kind: ArgoCD
metadata:
name: example-argocd
spec:
controller:
respectRBAC: ""
