diff --git a/helm/argocd-rbac-operator/.helmignore b/helm/argocd-rbac-operator/.helmignore index 0e8a0eb..678911e 100644 --- a/helm/argocd-rbac-operator/.helmignore +++ b/helm/argocd-rbac-operator/.helmignore @@ -21,3 +21,7 @@ .idea/ *.tmproj .vscode/ + +/*.tgz +output +*.gotmpl diff --git a/helm/argocd-rbac-operator/Chart.yaml b/helm/argocd-rbac-operator/Chart.yaml index e4e6826..2f7a4f6 100644 --- a/helm/argocd-rbac-operator/Chart.yaml +++ b/helm/argocd-rbac-operator/Chart.yaml @@ -3,7 +3,7 @@ appVersion: v0.1.6 name: argocd-rbac-operator description: A Helm chart for Argo CD RBAC Operator, a Kubernetes Operator for Argo CD RBAC Management. type: application -version: 0.1.0 +version: 0.2.0 keywords: - argocd - operator diff --git a/helm/argocd-rbac-operator/README.md b/helm/argocd-rbac-operator/README.md new file mode 100644 index 0000000..568c44e --- /dev/null +++ b/helm/argocd-rbac-operator/README.md 
@@ -0,0 +1,165 @@ +# Argo CD RBAC Operator + +[![Go Report Card](https://goreportcard.com/badge/github.com/argoproj-labs/argocd-rbac-operator)](https://goreportcard.com/report/github.com/argoproj-labs/argocd-rbac-operator) +[![go.mod Go version](https://img.shields.io/github/go-mod/go-version/argoproj-labs/argocd-rbac-operator)](https://github.com/argoproj-labs/argocd-rbac-operator) +[![GitHub Release](https://img.shields.io/github/v/release/argoproj-labs/argocd-rbac-operator)](https://github.com/argoproj-labs/argocd-rbac-operator/releases/tag/v0.1.6) +[![Artifact Hub](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/argocd-rbac-operator)](https://artifacthub.io/packages/search?repo=argocd-rbac-operator) + +Kubernetes Operator for Argo CD RBAC Management. + +## Introduction + +The Argo CD RBAC Operator provides a CRD based API for the RBAC management of Argo CD. It provides a structured and easy to use way to define RBAC policies. The Operator uses the CRs as a single source of truth for RBAC management and converts them into a policy string that is patched into the Argo CD RBAC ConfigMap. 
+ +## Installation + +First you have to add the repo: + +```bash +helm repo add argocd-rbac-operator https://argoproj-labs.github.io/argocd-rbac-operator/ +``` + +After the repo has been added, you can install the Helm chart of the operator: + +```bash +helm install argocd-rbac-operator argocd-rbac-operator/argocd-rbac-operator +``` + +If you want to change the namespace of the Argo CD instance, image version, or other values, you have to define a values.yaml file and run following command: + +```bash +helm install argocd-rbac-operator argocd-rbac-operator/argocd-rbac-operator -f values.yaml +``` + +## Usage + +The following example shows a manifest to create a new ArgoCDRole `test-role`: + +```yaml +apiVersion: rbac-operator.argoproj-labs.io/v1alpha1 +kind: ArgoCDRole +metadata: + labels: + app.kubernetes.io/name: argocd-rbac-operator + app.kubernetes.io/managed-by: kustomize + name: test-role + namespace: test-ns +spec: + rules: + - resource: "applications" + verbs: ["get", "create", "update", "delete"] + objects: ["*/*"] +``` + +And a ArgoCDRoleBinding `test-role-binding` to bind the specified users and a role to the new ArgoCDRole: + +```yaml +apiVersion: rbac-operator.argoproj-labs.io/v1alpha1 +kind: ArgoCDRoleBinding +metadata: + labels: + app.kubernetes.io/name: argocd-rbac-operator + app.kubernetes.io/managed-by: kustomize + name: test-role-binding + namespace: test-ns +spec: + subjects: + - kind: "sso" + name: "gosha" + - kind: "local" + name: "localUser" + - kind: "role" + name: "orgadmin" + argocdRoleRef: + name: "test-role" +``` + +### Create + +Make sure that the `argocd` Namespace exists, so that the ConfigMap can be created properly. + +Create a new ArgoCDRole and ArgoCDRoleBinding using the provided example. 
(Make sure that both CRs are created in the same Namespace) + +```bash +kubectl create -f test-role.yaml +kubectl create -f test-role-binding.yaml +``` + +The following ConfigMap will be created after the ArgoCDRole and ArgoCDRoleBinding has been reconciled. + +```yaml +apiVersion: v1 +data: + policy.csv: "" + policy.default: role:readonly + policy.test-ns.test-role.csv: | + p, role:test-role, applications, get, */*, allow + p, role:test-role, applications, create, */*, allow + p, role:test-role, applications, update, */*, allow + p, role:test-role, applications, delete, */*, allow + g, gosha, role:test-role + p, localUser, applications, get, */*, allow + p, localUser, applications, create, */*, allow + p, localUser, applications, update, */*, allow + p, localUser, applications, delete, */*, allow + g, role:orgadmin, role:test-role + scopes: '[groups]' +kind: ConfigMap +metadata: + name: argocd-rbac-cm + namespace: argocd +``` + +### Delete + +To delete a Role you can use `kubectl` +``` +kubectl delete argocdrole.rbac-operator.argoproj-labs.io/test-role +kubectl delete argocdrolebinding.rbac-operator.argoproj-labs.io/test-role-binding +``` +After the Resource is deleted, the policy string will be also deleted from the RBAC-CM. + +### Change the Policy.CSV + +To change the policy.csv you have to make changes in the `internal/controller/common/defaults.go` file. + +### Deployment types + +As for now only single Argo CD deployment type is supported. The default Argo CD namespace is defined as `argocd`, to change that you have to make a change in `internal/controller/common/values.go`. 
+ +## General parameters + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalLabels | object | `{}` | | +| argocd.cmName | string | `"argocd-rbac-cm"` | | +| argocd.namespace | string | `"argocd"` | | +| containerSecurityContext.allowPrivilegeEscalation | bool | `false` | | +| containerSecurityContext.capabilities.drop[0] | string | `"ALL"` | | +| containerSecurityContext.readOnlyRootFilesystem | bool | `true` | | +| containerSecurityContext.runAsNonRoot | bool | `true` | | +| containerSecurityContext.seccompProfile.type | string | `"RuntimeDefault"` | | +| image.pullPolicy | string | `"IfNotPresent"` | | +| image.repository | string | `"quay.io/argoprojlabs/argocd-rbac-operator"` | | +| image.tag | string | `"v0.1.6"` | | +| imagePullSecrets | list | `[]` | | +| livenessProbe.httpGet.path | string | `"/healthz"` | | +| livenessProbe.httpGet.port | int | `8081` | | +| livenessProbe.initialDelaySeconds | int | `15` | | +| livenessProbe.periodSeconds | int | `20` | | +| nodeSelector | object | `{}` | | +| readinessProbe.httpGet.path | string | `"/readyz"` | | +| readinessProbe.httpGet.port | int | `8081` | | +| readinessProbe.initialDelaySeconds | int | `5` | | +| readinessProbe.periodSeconds | int | `10` | | +| replicaCount | int | `1` | | +| resources.limits.cpu | string | `"500m"` | | +| resources.limits.memory | string | `"128Mi"` | | +| resources.requests.cpu | string | `"10m"` | | +| resources.requests.memory | string | `"64Mi"` | | +| securityContext.runAsNonRoot | bool | `true` | | +| securityContext.seccompProfile.type | string | `"RuntimeDefault"` | | +| serviceAccountAnnotations | list | `[]` | | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs](https://github.com/norwoodj/helm-docs) \ No newline at end of file diff --git a/helm/argocd-rbac-operator/README.md.gotmpl b/helm/argocd-rbac-operator/README.md.gotmpl new file mode 100644 index 0000000..37822bc 
--- /dev/null +++ b/helm/argocd-rbac-operator/README.md.gotmpl 
@@ -0,0 +1,141 @@ +# Argo CD RBAC Operator + +[![Go Report Card](https://goreportcard.com/badge/github.com/argoproj-labs/argocd-rbac-operator)](https://goreportcard.com/report/github.com/argoproj-labs/argocd-rbac-operator) +[![go.mod Go version](https://img.shields.io/github/go-mod/go-version/argoproj-labs/argocd-rbac-operator)](https://github.com/argoproj-labs/argocd-rbac-operator) +[![GitHub Release](https://img.shields.io/github/v/release/argoproj-labs/argocd-rbac-operator)](https://github.com/argoproj-labs/argocd-rbac-operator/releases/tag/v0.1.6) +[![Artifact Hub](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/argocd-rbac-operator)](https://artifacthub.io/packages/search?repo=argocd-rbac-operator) + +Kubernetes Operator for Argo CD RBAC Management. + +## Introduction + +The Argo CD RBAC Operator provides a CRD based API for the RBAC management of Argo CD. It provides a structured and easy to use way to define RBAC policies. The Operator uses the CRs as a single source of truth for RBAC management and converts them into a policy string that is patched into the Argo CD RBAC ConfigMap. 
+ +## Installation + +First you have to add the repo: + +```bash +helm repo add argocd-rbac-operator https://argoproj-labs.github.io/argocd-rbac-operator/ +``` + +After the repo has been added, you can install the Helm chart of the operator: + +```bash +helm install argocd-rbac-operator argocd-rbac-operator/argocd-rbac-operator +``` + +If you want to change the namespace of the Argo CD instance, image version, or other values, you have to define a values.yaml file and run following command: + +```bash +helm install argocd-rbac-operator argocd-rbac-operator/argocd-rbac-operator -f values.yaml +``` + +## Usage + +The following example shows a manifest to create a new ArgoCDRole `test-role`: + +```yaml +apiVersion: rbac-operator.argoproj-labs.io/v1alpha1 +kind: ArgoCDRole +metadata: + labels: + app.kubernetes.io/name: argocd-rbac-operator + app.kubernetes.io/managed-by: kustomize + name: test-role + namespace: test-ns +spec: + rules: + - resource: "applications" + verbs: ["get", "create", "update", "delete"] + objects: ["*/*"] +``` + +And a ArgoCDRoleBinding `test-role-binding` to bind the specified users and a role to the new ArgoCDRole: + +```yaml +apiVersion: rbac-operator.argoproj-labs.io/v1alpha1 +kind: ArgoCDRoleBinding +metadata: + labels: + app.kubernetes.io/name: argocd-rbac-operator + app.kubernetes.io/managed-by: kustomize + name: test-role-binding + namespace: test-ns +spec: + subjects: + - kind: "sso" + name: "gosha" + - kind: "local" + name: "localUser" + - kind: "role" + name: "orgadmin" + argocdRoleRef: + name: "test-role" +``` + +### Create + +Make sure that the `argocd` Namespace exists, so that the ConfigMap can be created properly. + +Create a new ArgoCDRole and ArgoCDRoleBinding using the provided example. 
(Make sure that both CRs are created in the same Namespace) + +```bash +kubectl create -f test-role.yaml +kubectl create -f test-role-binding.yaml +``` + +The following ConfigMap will be created after the ArgoCDRole and ArgoCDRoleBinding has been reconciled. + +```yaml +apiVersion: v1 +data: + policy.csv: "" + policy.default: role:readonly + policy.test-ns.test-role.csv: | + p, role:test-role, applications, get, */*, allow + p, role:test-role, applications, create, */*, allow + p, role:test-role, applications, update, */*, allow + p, role:test-role, applications, delete, */*, allow + g, gosha, role:test-role + p, localUser, applications, get, */*, allow + p, localUser, applications, create, */*, allow + p, localUser, applications, update, */*, allow + p, localUser, applications, delete, */*, allow + g, role:orgadmin, role:test-role + scopes: '[groups]' +kind: ConfigMap +metadata: + name: argocd-rbac-cm + namespace: argocd +``` + +### Delete + +To delete a Role you can use `kubectl` +``` +kubectl delete argocdrole.rbac-operator.argoproj-labs.io/test-role +kubectl delete argocdrolebinding.rbac-operator.argoproj-labs.io/test-role-binding +``` +After the Resource is deleted, the policy string will be also deleted from the RBAC-CM. + +### Change the Policy.CSV + +To change the policy.csv you have to make changes in the `internal/controller/common/defaults.go` file. + +### Deployment types + +As for now only single Argo CD deployment type is supported. The default Argo CD namespace is defined as `argocd`, to change that you have to make a change in `internal/controller/common/values.go`. 
+ +## General parameters + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +{{- range .Values }} + {{- if not (or (hasPrefix "global" .Key) (hasPrefix "configs" .Key) (hasPrefix "controller" .Key) (hasPrefix "repoServer" .Key) (hasPrefix "server" .Key) (hasPrefix "applicationSet" .Key) (hasPrefix "notifications" .Key) (hasPrefix "dex" .Key) (hasPrefix "redis" .Key) (hasPrefix "externalRedis" .Key) ) }} +| {{ .Key }} | {{ .Type }} | {{ if .Default }}{{ .Default }}{{ else }}{{ .AutoDefault }}{{ end }} | {{ if .Description }}{{ .Description }}{{ else }}{{ .AutoDescription }}{{ end }} | + {{- end }} +{{- end }} + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs](https://github.com/norwoodj/helm-docs) \ No newline at end of file diff --git a/helm/scripts/helm-docs.sh b/helm/scripts/helm-docs.sh new file mode 100644 index 0000000..e24772b --- /dev/null +++ b/helm/scripts/helm-docs.sh @@ -0,0 +1,11 @@ +#!/bin/bash +## Reference: https://github.com/norwoodj/helm-docs +set -eux +REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)" +echo "$REPO_ROOT" + +echo "Running Helm-Docs" +docker run \ + -v "$REPO_ROOT:/helm-docs" \ + -u $(id -u) \ + jnorwood/helm-docs:v1.9.1 \ No newline at end of file
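Review bot: In the `.helmignore` hunk the bare `output` pattern matches any file or directory named `output` at any depth, not just a packaging output directory at the chart root; if it is meant for `helm package` output, anchor it as `/output/` and add a short comment, as `/*.tgz` already is anchored. The `*.gotmpl` entry is correct and keeps `README.md.gotmpl` out of the packaged chart.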
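Review bot: The `Chart.yaml` hunk bumps `version` from 0.1.0 to 0.2.0 while `appVersion` stays at v0.1.6 and the only other changes are a README, `.helmignore` entries and a docs script; under SemVer a documentation-only change would normally be a patch bump (0.1.1), so either downgrade the bump or note in the release notes why the minor version moved.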
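Review bot: The new `README.md` tells chart users to edit operator source files (`internal/controller/common/defaults.go` under "Change the Policy.CSV" and `internal/controller/common/values.go` under "Deployment types" to change the default namespace), yet the same file's parameter table exposes `argocd.namespace` and `argocd.cmName` as chart values; the chart README should point at those values (and at `-f values.yaml`, already shown under Installation) rather than at source edits a chart consumer cannot make. Two smaller points: the `Description` column is empty for every key, so the `values.yaml` comments that helm-docs reads (`# --` style) should be added, at least for the security-relevant `containerSecurityContext.*` and `securityContext.*` keys and for `argocd.namespace`; and the Delete section's fence has no language tag while every other shell fence uses ```` ```bash ````. Wording nits to fix in the template rather than here, since this file is generated: "And a ArgoCDRoleBinding" (an), "run following command" (run the following command), "has been reconciled" (have been).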
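Review bot: In `README.md.gotmpl` the `{{- if not (or (hasPrefix "global" .Key) ... (hasPrefix "externalRedis" .Key)) }}` filter lists prefixes (`configs`, `controller`, `repoServer`, `server`, `applicationSet`, `notifications`, `dex`, `redis`, `externalRedis`) that belong to the upstream argo-cd chart, not to this operator's `values.yaml`, as the generated table shows none of them; the filter is dead code today and would silently drop any future key that happens to start with one of those strings, so remove it or reduce it to the keys this chart actually wants hidden. Since `README.md` is generated from this template, the content fixes raised for the README belong here.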
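Review bot: In `helm/scripts/helm-docs.sh` the image reference `jnorwood/helm-docs:v1.9.1` is pinned only by mutable tag; for a script that rewrites a file committed to the repo, pin by digest (`jnorwood/helm-docs:v1.9.1@sha256:<digest>`) so the generated README cannot change because the tag was retagged. Also quote the substitution, `-u "$(id -u)"`, to satisfy shellcheck SC2046, drop the `echo "$REPO_ROOT"` line that `set -x` already makes redundant, and add the missing trailing newline.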