feat(argo-cd): Ability to provide cluster role to repo-server (#919)

* feat(argo-cd): Ability to provide cluster role to repo-server Signed-off-by: Roman Rudenko <3kmnazapad@gmail.com> * custom clusterRoleRules Signed-off-by: Roman Rudenko <3kmnazapad@gmail.com> * chore: beautify indentation Signed-off-by: Marco Kilchhofer <mkilchhofer@users.noreply.github.com> * fix: noeol in clusterrolebinding.yaml Signed-off-by: Marco Kilchhofer <mkilchhofer@users.noreply.github.com> Co-authored-by: Roman Rudenko <roman.rudenko@telekom.com> Co-authored-by: Marco Kilchhofer <mkilchhofer@users.noreply.github.com>
2021-09-17 23:14:31 +03:00 · 2021-09-17 23:14:31 +03:00 · 6452b6a2e9
commit 6452b6a2e9
parent c7584ab51d
6 changed files with 61 additions and 6 deletions
--- a/charts/argo-cd/templates/argocd-application-controller/clusterrole.yaml
+++ b/charts/argo-cd/templates/argocd-application-controller/clusterrole.yaml
@ -6,9 +6,9 @@ metadata:
  labels:
    {{- include "argo-cd.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }}
 rules:
-{{- if .Values.controller.clusterRoleRules.enabled }}
-{{- toYaml .Values.controller.clusterRoleRules.rules | nindent 2 }}
-{{ else }}
+  {{- if .Values.controller.clusterRoleRules.enabled }}
+  {{- toYaml .Values.controller.clusterRoleRules.rules | nindent 0 }}
+  {{- else }}
 - apiGroups:
  - '*'
  resources:
@ -19,5 +19,5 @@ rules:
  - '*'
  verbs:
  - '*'
-{{- end }}
+  {{- end }}
 {{- end }}
--- a/charts/argo-cd/templates/argocd-repo-server/clusterrole.yaml
+++ b/charts/argo-cd/templates/argocd-repo-server/clusterrole.yaml
@ -0,0 +1,23 @@
+{{- if and .Values.repoServer.serviceAccount.create .Values.repoServer.clusterAdminAccess.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ template "argo-cd.repoServer.fullname" . }}
+  labels:
+    {{- include "argo-cd.labels" (dict "context" . "component" .Values.repoServer.name "name" .Values.repoServer.name) | nindent 4 }}
+rules:
+  {{- if .Values.repoServer.clusterRoleRules.enabled }}
+  {{- toYaml .Values.repoServer.clusterRoleRules.rules | nindent 0 }}
+  {{- else }}
+- apiGroups:
+  - '*'
+  resources:
+  - '*'
+  verbs:
+  - '*'
+- nonResourceURLs:
+  - '*'
+  verbs:
+  - '*'
+  {{- end }}
+{{- end }}
--- a/charts/argo-cd/templates/argocd-repo-server/clusterrolebinding.yaml
+++ b/charts/argo-cd/templates/argocd-repo-server/clusterrolebinding.yaml
@ -0,0 +1,16 @@
+{{- if and .Values.repoServer.serviceAccount.create .Values.repoServer.clusterAdminAccess.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ template "argo-cd.repoServer.fullname" . }}
+  labels:
+    {{- include "argo-cd.labels" (dict "context" . "component" .Values.repoServer.name "name" .Values.repoServer.name) | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ template "argo-cd.repoServer.fullname" . }}
+subjects:
+- kind: ServiceAccount
+  name: {{ template "argo-cd.repoServerServiceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+{{- end }}