From 28659bf8b6cc0fab1f717d2b7f3a320abb219e7a Mon Sep 17 00:00:00 2001 From: Jayendra Parsai Date: Wed, 4 Dec 2024 13:09:21 +0530 Subject: [PATCH] feat: Add support for respectRBAC configuration. (#1612) * feat: Add support for respectRBAC configuration. Signed-off-by: Jayendra Parsai * docs: add Respect RBAC page to TOC Signed-off-by: Jonathan West --------- Signed-off-by: Jayendra Parsai Signed-off-by: Jonathan West Co-authored-by: Jayendra Parsai Co-authored-by: Jonathan West --- api/v1beta1/argocd_types.go | 3 ++ ...argocd-operator.clusterserviceversion.yaml | 2 +- bundle/manifests/argoproj.io_argocds.yaml | 5 ++ common/keys.go | 12 ++++- config/crd/bases/argoproj.io_argocds.yaml | 5 ++ controllers/argocd/configmap.go | 11 ++++- controllers/argocd/configmap_test.go | 47 +++++++++++++++++++ ...perator.v0.13.0.clusterserviceversion.yaml | 2 +- .../0.13.0/argoproj.io_argocds.yaml | 5 ++ docs/usage/respect_rbac.md | 18 +++++++ mkdocs.yml | 1 + .../01-assert.yaml | 14 ++++++ .../01-install.yaml | 7 +++ .../02-assert.yaml | 14 ++++++ .../02-install.yaml | 7 +++ .../03-errors.yaml | 7 +++ .../03-install.yaml | 7 +++ .../04-errors.yaml | 7 +++ .../04-install.yaml | 7 +++ 19 files changed, 177 insertions(+), 4 deletions(-) create mode 100644 docs/usage/respect_rbac.md create mode 100644 tests/k8s/1-045_validate_controller_respect_rbac/01-assert.yaml create mode 100644 tests/k8s/1-045_validate_controller_respect_rbac/01-install.yaml create mode 100644 tests/k8s/1-045_validate_controller_respect_rbac/02-assert.yaml create mode 100644 tests/k8s/1-045_validate_controller_respect_rbac/02-install.yaml create mode 100644 tests/k8s/1-045_validate_controller_respect_rbac/03-errors.yaml create mode 100644 tests/k8s/1-045_validate_controller_respect_rbac/03-install.yaml create mode 100644 tests/k8s/1-045_validate_controller_respect_rbac/04-errors.yaml create mode 100644 tests/k8s/1-045_validate_controller_respect_rbac/04-install.yaml 
diff --git a/api/v1beta1/argocd_types.go b/api/v1beta1/argocd_types.go index 28419448c..d169da14d 100644 --- a/api/v1beta1/argocd_types.go +++ b/api/v1beta1/argocd_types.go @@ -134,6 +134,9 @@ type ArgoCDApplicationControllerSpec struct { // Custom labels to pods deployed by the operator Labels map[string]string `json:"labels,omitempty"` + + // RespectRBAC restricts controller from discovering/syncing specific resources, Defaults is empty if not configured. Valid options are strict and normal. + RespectRBAC string `json:"respectRBAC,omitempty"` } func (a *ArgoCDApplicationControllerSpec) IsEnabled() bool { diff --git a/bundle/manifests/argocd-operator.clusterserviceversion.yaml b/bundle/manifests/argocd-operator.clusterserviceversion.yaml index abdedb50e..7a78fb81a 100644 --- a/bundle/manifests/argocd-operator.clusterserviceversion.yaml +++ b/bundle/manifests/argocd-operator.clusterserviceversion.yaml @@ -247,7 +247,7 @@ metadata: capabilities: Deep Insights categories: Integration & Delivery certified: "false" - createdAt: "2024-11-21T12:06:55Z" + createdAt: "2024-11-29T09:50:31Z" description: Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. operators.operatorframework.io/builder: operator-sdk-v1.35.0 operators.operatorframework.io/project_layout: go.kubebuilder.io/v4 diff --git a/bundle/manifests/argoproj.io_argocds.yaml b/bundle/manifests/argoproj.io_argocds.yaml index dc91c40e2..a5a714563 100644 --- a/bundle/manifests/argoproj.io_argocds.yaml +++ b/bundle/manifests/argoproj.io_argocds.yaml @@ -10897,6 +10897,11 @@ spec: More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object type: object + respectRBAC: + description: RespectRBAC restricts controller from discovering/syncing + specific resources, Defaults is empty if not configured. Valid + options are strict and normal. + type: string sharding: description: Sharding contains the options for the Application Controller sharding configuration. 
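Review bot: The new `RespectRBAC` field in ArgoCDApplicationControllerSpec is an unconstrained string with no validation marker, so a mistyped value (`Strict`, `strict ` with a trailing space) is admitted by the API server and then silently dropped by the controller, leaving the Argo CD controller unrestricted while the spec suggests otherwise. A marker such as `// +kubebuilder:validation:Pattern=^(strict|normal)?$` above the field (an Enum works too, as long as it admits the empty string, since the kuttl step 04 applies `respectRBAC: ""` explicitly) makes the generated CRD in config/crd, bundle and olm-catalog reject anything but the documented values at admission. The doc comment also reads oddly; suggested wording: `// RespectRBAC restricts the controller from discovering/syncing specific resources. Empty (the default) leaves Argo CD's behavior unchanged; valid values are "strict" and "normal".`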
diff --git a/common/keys.go b/common/keys.go index b6f02a744..76aed700c 100644 --- a/common/keys.go +++ b/common/keys.go @@ -19,7 +19,17 @@ import ( ) const ( - // ArgoCDKeyAdminEnabled is the configuration key for the admin enabled setting.. + + // ArgoCDKeyRespectRBAC is the configuration key for the respectRBAC setting. + ArgoCDKeyRespectRBAC = "resource.respectRBAC" + + // ArgoCDValueRespectRBACStrict is the configuration value for the respectRBAC setting. + ArgoCDValueRespectRBACStrict = "strict" + + // ArgoCDValueRespectRBACStrict is the configuration value for the respectRBAC setting. + ArgoCDValueRespectRBACNormal = "normal" + + // ArgoCDKeyAdminEnabled is the configuration key for the admin enabled setting. ArgoCDKeyAdminEnabled = "admin.enabled" // ArgoCDKeyApplicationInstanceLabelKey is the configuration key for the application instance label. diff --git a/config/crd/bases/argoproj.io_argocds.yaml b/config/crd/bases/argoproj.io_argocds.yaml index 1feb92b47..949842077 100644 --- a/config/crd/bases/argoproj.io_argocds.yaml +++ b/config/crd/bases/argoproj.io_argocds.yaml @@ -10886,6 +10886,11 @@ spec: More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object type: object + respectRBAC: + description: RespectRBAC restricts controller from discovering/syncing + specific resources, Defaults is empty if not configured. Valid + options are strict and normal. + type: string sharding: description: Sharding contains the options for the Application Controller sharding configuration. diff --git a/controllers/argocd/configmap.go b/controllers/argocd/configmap.go index e68bf2a2f..19640c2e6 100644 --- a/controllers/argocd/configmap.go +++ b/controllers/argocd/configmap.go 
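Review bot: The doc comment on `ArgoCDValueRespectRBACNormal` was copied from the constant above and still names `ArgoCDValueRespectRBACStrict`, and both comments say the same thing; suggested replacements: `// ArgoCDValueRespectRBACStrict is the "strict" value for the respectRBAC setting.` and `// ArgoCDValueRespectRBACNormal is the "normal" value for the respectRBAC setting.`. The three constants are also inserted ahead of `ArgoCDKeyAdminEnabled` with a leading blank line inside the `const (` block; the surrounding entries appear to be kept in alphabetical order, so placing the new ones at their sorted position would keep the block navigable.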
@@ -54,6 +54,15 @@ func getApplicationInstanceLabelKey(cr *argoproj.ArgoCD) string { return key } +// setRespectRBAC configures RespectRBAC key and value for ConfigMap. +func setRespectRBAC(cr *argoproj.ArgoCD, data map[string]string) map[string]string { + if cr.Spec.Controller.RespectRBAC != "" && + (cr.Spec.Controller.RespectRBAC == common.ArgoCDValueRespectRBACStrict || cr.Spec.Controller.RespectRBAC == common.ArgoCDValueRespectRBACNormal) { + data[common.ArgoCDKeyRespectRBAC] = cr.Spec.Controller.RespectRBAC + } + return data +} + // getCAConfigMapName will return the CA ConfigMap name for the given ArgoCD. func getCAConfigMapName(cr *argoproj.ArgoCD) string { if len(cr.Spec.TLS.CA.ConfigMapName) > 0 { @@ -370,7 +379,7 @@ func (r *ReconcileArgoCD) reconcileArgoConfigMap(cr *argoproj.ArgoCD) error { cm := newConfigMapWithName(common.ArgoCDConfigMapName, cr) cm.Data = make(map[string]string) - + cm.Data = setRespectRBAC(cr, cm.Data) cm.Data[common.ArgoCDKeyApplicationInstanceLabelKey] = getApplicationInstanceLabelKey(cr) cm.Data[common.ArgoCDKeyConfigManagementPlugins] = getConfigManagementPlugins(cr) cm.Data[common.ArgoCDKeyAdminEnabled] = fmt.Sprintf("%t", !cr.Spec.DisableAdmin) diff --git a/controllers/argocd/configmap_test.go b/controllers/argocd/configmap_test.go index 43e212006..64fb94c3c 100644 --- a/controllers/argocd/configmap_test.go +++ b/controllers/argocd/configmap_test.go 
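Review bot: `setRespectRBAC` silently discards any non-empty value other than `strict`/`normal`, so a misconfigured spec leaves the controller without the intended restriction and nothing in the operator log says why; a `default` branch that logs the rejected value gives an operator something to find. The `!= ""` test is redundant because the two equality checks that follow already exclude the empty string, and since `data` is mutated in place the returned map is the one passed in, which the doc comment should say. A `switch` expresses the three cases directly; `log` below stands for whatever package-level logger configmap.go already uses, confirm the name. The caller in `reconcileArgoConfigMap` (second hunk) continues outside the hunk and needs no change.
```go
// setRespectRBAC writes spec.controller.respectRBAC into data (the argocd-cm
// contents) when it is one of the supported values. An empty value leaves the
// key unset; an unsupported value is logged and ignored. data is mutated in
// place and returned for convenience.
func setRespectRBAC(cr *argoproj.ArgoCD, data map[string]string) map[string]string {
	switch v := cr.Spec.Controller.RespectRBAC; v {
	case "":
		// not configured: leave the key out so Argo CD applies its default
	case common.ArgoCDValueRespectRBACStrict, common.ArgoCDValueRespectRBACNormal:
		data[common.ArgoCDKeyRespectRBAC] = v
	default:
		// log: package logger placeholder, use the one this file already declares
		log.Info("ignoring unsupported spec.controller.respectRBAC value", "value", v, "namespace", cr.Namespace, "name", cr.Name)
	}
	return data
}
```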
@@ -1012,6 +1012,53 @@ func TestReconcileArgoCD_reconcileArgoConfigMap_withExtraConfig(t *testing.T) { } +func TestReconcileArgoCD_reconcileArgoConfigMap_withRespectRBAC(t *testing.T) { + logf.SetLogger(ZapLogger(true)) + a := makeTestArgoCD(func(a *argoproj.ArgoCD) { + a.Spec.Controller.RespectRBAC = "normal" + }) + + resObjs := []client.Object{a} + subresObjs := []client.Object{a} + runtimeObjs := []runtime.Object{} + sch := makeTestReconcilerScheme(argoproj.AddToScheme) + cl := makeTestReconcilerClient(sch, resObjs, subresObjs, runtimeObjs) + r := makeTestReconciler(cl, sch) + + err := r.reconcileArgoConfigMap(a) + assert.NoError(t, err) + + cm := &corev1.ConfigMap{} + + assert.NoError(t, r.Client.Get(context.TODO(), types.NamespacedName{Name: common.ArgoCDConfigMapName, Namespace: testNamespace}, cm)) + + if c := cm.Data["resource.respectRBAC"]; c != "normal" { + t.Fatalf("reconcileArgoConfigMap failed got %q, want %q", c, "false") + } + + // update config + a.Spec.Controller.RespectRBAC = "strict" + + err = r.reconcileArgoConfigMap(a) + assert.NoError(t, err) + + assert.NoError(t, r.Client.Get(context.TODO(), types.NamespacedName{Name: common.ArgoCDConfigMapName, Namespace: testNamespace}, cm)) + if c := cm.Data["resource.respectRBAC"]; c != "strict" { + t.Fatalf("reconcileArgoConfigMap failed got %q, want %q", c, "false") + } + + // update config + a.Spec.Controller.RespectRBAC = "" + + err = r.reconcileArgoConfigMap(a) + assert.NoError(t, err) + + assert.NoError(t, r.Client.Get(context.TODO(), types.NamespacedName{Name: common.ArgoCDConfigMapName, Namespace: testNamespace}, cm)) + if c := cm.Data["resource.respectRBAC"]; c != "" { + t.Fatalf("reconcileArgoConfigMap failed got %q, want %q", c, "false") + } +} + func Test_reconcileRBAC(t *testing.T) { a := makeTestArgoCD() 
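Review bot: All three `t.Fatalf` calls in `TestReconcileArgoCD_reconcileArgoConfigMap_withRespectRBAC` print `want %q` with the literal `"false"`, so a failure would report `want "false"` for a key whose expected values are `normal`, `strict` and empty; pass the expected value instead, e.g. `t.Fatalf("reconcileArgoConfigMap failed got %q, want %q", c, "normal")` in the first check and the matching value in the other two. The test also spells the key as the literal `"resource.respectRBAC"` while the code under test writes `common.ArgoCDKeyRespectRBAC`, so a drift in the constant would not be caught here. A fourth step that sets an unsupported value (as kuttl step 03 does) and asserts the key is absent from `cm.Data` would cover the branch that drops invalid input at unit-test level too.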
diff --git a/deploy/olm-catalog/argocd-operator/0.13.0/argocd-operator.v0.13.0.clusterserviceversion.yaml b/deploy/olm-catalog/argocd-operator/0.13.0/argocd-operator.v0.13.0.clusterserviceversion.yaml index abdedb50e..7a78fb81a 100644 --- a/deploy/olm-catalog/argocd-operator/0.13.0/argocd-operator.v0.13.0.clusterserviceversion.yaml +++ b/deploy/olm-catalog/argocd-operator/0.13.0/argocd-operator.v0.13.0.clusterserviceversion.yaml @@ -247,7 +247,7 @@ metadata: capabilities: Deep Insights categories: Integration & Delivery certified: "false" - createdAt: "2024-11-21T12:06:55Z" + createdAt: "2024-11-29T09:50:31Z" description: Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. operators.operatorframework.io/builder: operator-sdk-v1.35.0 operators.operatorframework.io/project_layout: go.kubebuilder.io/v4 diff --git a/deploy/olm-catalog/argocd-operator/0.13.0/argoproj.io_argocds.yaml b/deploy/olm-catalog/argocd-operator/0.13.0/argoproj.io_argocds.yaml index dc91c40e2..a5a714563 100644 --- a/deploy/olm-catalog/argocd-operator/0.13.0/argoproj.io_argocds.yaml +++ b/deploy/olm-catalog/argocd-operator/0.13.0/argoproj.io_argocds.yaml @@ -10897,6 +10897,11 @@ spec: More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object type: object + respectRBAC: + description: RespectRBAC restricts controller from discovering/syncing + specific resources, Defaults is empty if not configured. Valid + options are strict and normal. + type: string sharding: description: Sharding contains the options for the Application Controller sharding configuration. diff --git a/docs/usage/respect_rbac.md b/docs/usage/respect_rbac.md new file mode 100644 index 000000000..4dce09ebb --- /dev/null +++ b/docs/usage/respect_rbac.md 
@@ -0,0 +1,18 @@ +# Respect RBAC for controller + +See the [upstream documentation](https://argo-cd.readthedocs.io/en/stable/operator-manual/declarative-setup/#auto-respect-rbac-for-controller) for more information. + +This feature can be enabled by setting `respectRBAC` field in ArgoCD resource. To configure value in `argocd-cm` ConfigMap via ArgoCD resource, users need to configure `argocd.spec.controller.respectRBAC` field. Possible values for this field are `strict`, `normal` or empty (default). + + +```yaml +apiVersion: argoproj.io/v1beta1 +kind: ArgoCD +metadata: + name: example-argocd +spec: + controller: + respectRBAC: strict +``` + + diff --git a/mkdocs.yml b/mkdocs.yml index 8bff350ee..a55e45a37 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -56,6 +56,7 @@ nav: - Notifications: usage/notifications.md - Resource Management: usage/resource_management.md - Routes: usage/routes.md + - Respect RBAC: usage/respect_rbac.md - Custom Roles: usage/custom_roles.md - Apps in Any Namespace: usage/apps-in-any-namespace.md - Appsets in Any Namespace: usage/appsets-in-any-namespace.md diff --git a/tests/k8s/1-045_validate_controller_respect_rbac/01-assert.yaml b/tests/k8s/1-045_validate_controller_respect_rbac/01-assert.yaml new file mode 100644 index 000000000..d2406a750 --- /dev/null +++ b/tests/k8s/1-045_validate_controller_respect_rbac/01-assert.yaml @@ -0,0 +1,14 @@ +--- +apiVersion: argoproj.io/v1beta1 +kind: ArgoCD +metadata: + name: example-argocd +status: + phase: Available +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: argocd-cm +data: + resource.respectRBAC: normal \ No newline at end of file diff --git a/tests/k8s/1-045_validate_controller_respect_rbac/01-install.yaml b/tests/k8s/1-045_validate_controller_respect_rbac/01-install.yaml new file mode 100644 index 000000000..51075cdca --- /dev/null +++ b/tests/k8s/1-045_validate_controller_respect_rbac/01-install.yaml 
@@ -0,0 +1,7 @@ +apiVersion: argoproj.io/v1beta1 +kind: ArgoCD +metadata: + name: example-argocd +spec: + controller: + respectRBAC: normal diff --git a/tests/k8s/1-045_validate_controller_respect_rbac/02-assert.yaml b/tests/k8s/1-045_validate_controller_respect_rbac/02-assert.yaml new file mode 100644 index 000000000..1d8523472 --- /dev/null +++ b/tests/k8s/1-045_validate_controller_respect_rbac/02-assert.yaml @@ -0,0 +1,14 @@ +--- +apiVersion: argoproj.io/v1beta1 +kind: ArgoCD +metadata: + name: example-argocd +status: + phase: Available +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: argocd-cm +data: + resource.respectRBAC: strict \ No newline at end of file diff --git a/tests/k8s/1-045_validate_controller_respect_rbac/02-install.yaml b/tests/k8s/1-045_validate_controller_respect_rbac/02-install.yaml new file mode 100644 index 000000000..d4dd22c44 --- /dev/null +++ b/tests/k8s/1-045_validate_controller_respect_rbac/02-install.yaml @@ -0,0 +1,7 @@ +apiVersion: argoproj.io/v1beta1 +kind: ArgoCD +metadata: + name: example-argocd +spec: + controller: + respectRBAC: strict diff --git a/tests/k8s/1-045_validate_controller_respect_rbac/03-errors.yaml b/tests/k8s/1-045_validate_controller_respect_rbac/03-errors.yaml new file mode 100644 index 000000000..02e77132f --- /dev/null +++ b/tests/k8s/1-045_validate_controller_respect_rbac/03-errors.yaml @@ -0,0 +1,7 @@ +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: argocd-cm +data: + resource.respectRBAC: strict \ No newline at end of file diff --git a/tests/k8s/1-045_validate_controller_respect_rbac/03-install.yaml b/tests/k8s/1-045_validate_controller_respect_rbac/03-install.yaml new file mode 100644 index 000000000..1d9a6a4e1 --- /dev/null +++ b/tests/k8s/1-045_validate_controller_respect_rbac/03-install.yaml @@ -0,0 +1,7 @@ +apiVersion: argoproj.io/v1beta1 +kind: ArgoCD +metadata: + name: example-argocd +spec: + controller: + respectRBAC: somethibg 
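Review bot: 03-errors.yaml only asserts that `argocd-cm` no longer carries `resource.respectRBAC: strict` after the invalid value is applied, which would still pass if the controller had copied the invalid value through; add a second ConfigMap document to the errors file with `resource.respectRBAC: somethibg` so the step checks what it is about (an unsupported value is not written), while keeping the existing document that proves the earlier `strict` value from step 02 is cleared. The value `somethibg` in 03-install.yaml looks like a typo for `something`; it still works as an unsupported value, so a comment such as `# intentionally unsupported: must not be propagated to argocd-cm` would make the intent clear to the next reader.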
diff --git a/tests/k8s/1-045_validate_controller_respect_rbac/04-errors.yaml b/tests/k8s/1-045_validate_controller_respect_rbac/04-errors.yaml new file mode 100644 index 000000000..bac291b95 --- /dev/null +++ b/tests/k8s/1-045_validate_controller_respect_rbac/04-errors.yaml @@ -0,0 +1,7 @@ +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: argocd-cm +data: + resource.respectRBAC: "" \ No newline at end of file diff --git a/tests/k8s/1-045_validate_controller_respect_rbac/04-install.yaml b/tests/k8s/1-045_validate_controller_respect_rbac/04-install.yaml new file mode 100644 index 000000000..dfb82b50b --- /dev/null +++ b/tests/k8s/1-045_validate_controller_respect_rbac/04-install.yaml @@ -0,0 +1,7 @@ +apiVersion: argoproj.io/v1beta1 +kind: ArgoCD +metadata: + name: example-argocd +spec: + controller: + respectRBAC: ""