fix: [CDS-88838]: Fix Cluster Roles for Argo CD (#16)

harness · Jan 19, 2024 · b5a194e · b5a194e
1 parent 11c82d9
commit b5a194e
Show file tree

Hide file tree

Showing 7 changed files with 82 additions and 5 deletions.
diff --git a/templates/argocd-application-controller/clusterrole.yaml b/templates/argocd-application-controller/clusterrole.yaml
@@ -0,0 +1,19 @@
+{{- if .Values.harness.createClusterRoles }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "argo-cd.controller.fullname" . }}-{{ .Release.Namespace }}
+  labels:
+    {{- include "harness.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }}
+rules:
+  - apiGroups:
+    - '*'
+    resources:
+    - '*'
+    verbs:
+    - '*'
+  - nonResourceURLs:
+    - '*'
+    verbs:
+    - '*'
+{{- end }}
diff --git a/templates/argocd-application-controller/clusterrolebinding.yaml b/templates/argocd-application-controller/clusterrolebinding.yaml
@@ -0,0 +1,16 @@
+{{- if .Values.harness.createClusterRoles }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "argo-cd.controller.fullname" . }}-{{ .Release.Namespace }}
+  labels:
+    {{- include "harness.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "argo-cd.controller.fullname" . }}-{{ .Release.Namespace }}
+subjects:
+- kind: ServiceAccount
+  name: {{ include "argo-cd.controllerServiceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+{{- end }}
diff --git a/templates/argocd-repo-server/clusterrole.yaml b/templates/argocd-repo-server/clusterrole.yaml
@@ -0,0 +1,19 @@
+{{- if .Values.harness.createClusterRoles }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "argo-cd.repoServer.fullname" . }}-{{ .Release.Namespace }}
+  labels:
+    {{- include "harness.labels" (dict "context" . "component" .Values.repoServer.name "name" .Values.repoServer.name) | nindent 4 }}
+rules:
+  - apiGroups:
+    - '*'
+    resources:
+    - '*'
+    verbs:
+    - '*'
+  - nonResourceURLs:
+    - '*'
+    verbs:
+    - '*'
+{{- end }}
diff --git a/templates/argocd-repo-server/clusterrolebinding.yaml b/templates/argocd-repo-server/clusterrolebinding.yaml
@@ -0,0 +1,16 @@
+{{- if .Values.harness.createClusterRoles }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "argo-cd.repoServer.fullname" . }}-{{ .Release.Namespace }}
+  labels:
+    {{- include "harness.labels" (dict "context" . "component" .Values.repoServer.name "name" .Values.repoServer.name) | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "argo-cd.repoServer.fullname" . }}-{{ .Release.Namespace }}
+subjects:
+- kind: ServiceAccount
+  name: {{ include "argo-cd.repoServerServiceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+{{- end }}
diff --git a/templates/gitops-agent/clusterrole.yaml b/templates/gitops-agent/clusterrole.yaml
@@ -1,5 +1,5 @@
 {{- $argo := (index .Values "argo-cd") -}}
-{{- if .Values.agent.createClusterRole }}
+{{- if .Values.harness.createClusterRoles }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:

diff --git a/templates/gitops-agent/clusterrolebinding.yaml b/templates/gitops-agent/clusterrolebinding.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.agent.createClusterRole }}
+{{- if .Values.harness.createClusterRoles }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:

diff --git a/values.yaml b/values.yaml
@@ -12,6 +12,9 @@ argo-cd:
   # -- String to fully override `"argo-cd.fullname"`
   fullnameOverride: argocd
 
+  # -- These are added as custom templates in each component
+  createClusterRoles: false
+
   ## Argo Configs
   configs:
     # General Argo CD configuration
@@ -188,6 +191,9 @@ harness:
       enabled: false
       secret: ""
 
+  # -- Create cluster role for Argo CD and GitOps agent, required for in-cluster
+  createClusterRoles: true
+
   # Default Harness network policy rules used by all components
   networkPolicy:
     # -- Create NetworkPolicy objects for all components
@@ -212,9 +218,6 @@ agent:
   # -- GitOps Agent identifier name
   harnessName: gitops-agent
 
-  # -- Create cluster role for the agent, required for in-cluster
-  createClusterRole: true
-
   # -- The number of agent pods to run
   replicas: 1
 
@@ -496,12 +499,16 @@ global:
 
 repoServer:
   name: repo-server
+  serviceAccount:
+    create: true
 
 applicationSet:
   name: applicationset-controller
 
 controller:
   name: application-controller
+  serviceAccount:
+    create: true
 
 redis:
   name: redis