feat(argo-cd): add notification cluster role (#2315)

* Add notification cluster role

Signed-off-by: drfaust92 <ilia.lazebnik@gmail.com>

* Add notification cluster role

Signed-off-by: drfaust92 <ilia.lazebnik@gmail.com>

* Add notification cluster role

Signed-off-by: drfaust92 <ilia.lazebnik@gmail.com>

* Add notification cluster role

Signed-off-by: drfaust92 <ilia.lazebnik@gmail.com>

---------

Signed-off-by: drfaust92 <ilia.lazebnik@gmail.com>

charts/argo-cd/Chart.yaml

@@ -3,7 +3,7 @@ appVersion: v2.8.5
 kubeVersion: ">=1.23.0-0"
 description: A Helm chart for Argo CD, a declarative, GitOps continuous delivery tool for Kubernetes.
 name: argo-cd
-version: 5.48.1
+version: 5.49.0
 home: https://github.com/argoproj/argo-helm
 icon: https://argo-cd.readthedocs.io/en/stable/assets/logo.png
 sources:
@@ -26,5 +26,5 @@ annotations:
     fingerprint: 2B8F22F57260EFA67BE1C5824B11F800CD9D2252
     url: https://argoproj.github.io/argo-helm/pgp_keys.asc
   artifacthub.io/changes: |
-    - kind: changed
-      description: Update Bitbucket.org SSH key
+    - kind: added
+      description: Add notification cluster role support

charts/argo-cd/README.md

@@ -1160,6 +1160,7 @@ If you want to use an existing Redis (eg. a managed service from a cloud provide
 |-----|------|---------|-------------|
 | notifications.affinity | object | `{}` (defaults to global.affinity preset) | Assign custom [affinity] rules |
 | notifications.argocdUrl | string | `nil` | Argo CD dashboard url; used in place of {{.context.argocdUrl}} in templates |
+| notifications.clusterRoleRules.rules | list | `[]` | List of custom rules for the notifications controller's ClusterRole resource |
 | notifications.cm.create | bool | `true` | Whether helm chart creates notifications controller config map |
 | notifications.containerPorts.metrics | int | `9001` | Metrics container port |
 | notifications.containerSecurityContext | object | See [values.yaml] | Notification controller container-level security Context |

charts/argo-cd/templates/argocd-notifications/clusterrole.yaml

@@ -0,0 +1,22 @@
+{{- if .Values.createClusterRoles }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "argo-cd.notifications.fullname" . }}
+  labels:
+    {{- include "argo-cd.labels" (dict "context" . "component" .Values.notifications.name "name" .Values.notifications.name) | nindent 4 }}
+rules:
+  {{- with .Values.notifications.clusterRoleRules.rules }}
+    {{- toYaml . | nindent 2 }}
+  {{- end }}
+  - apiGroups:
+    - "argoproj.io"
+    resources:
+    - "applications"
+    verbs:
+    - get
+    - list
+    - watch
+    - update
+    - patch
+{{- end }}

charts/argo-cd/templates/argocd-notifications/clusterrolebinding.yaml

@@ -0,0 +1,16 @@
+{{- if .Values.createClusterRoles }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "argo-cd.notifications.fullname" . }}
+  labels:
+    {{- include "argo-cd.labels" (dict "context" . "component" .Values.notifications.name "name" .Values.notifications.name) | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "argo-cd.notifications.fullname" . }}
+subjects:
+- kind: ServiceAccount
+  name: {{ include "argo-cd.notificationsServiceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+{{- end }}

charts/argo-cd/values.yaml

@@ -2997,6 +2997,12 @@ notifications:
     # -- Whether helm chart creates notifications controller config map
     create: true
 
+  ## Enable this and set the rules: to whatever custom rules you want for the Cluster Role resource.
+  ## Defaults to off
+  clusterRoleRules:
+    # -- List of custom rules for the notifications controller's ClusterRole resource
+    rules: []
+
   # -- Contains centrally managed global application subscriptions
   ## For more information: https://argocd-notifications.readthedocs.io/en/stable/subscriptions/
   subscriptions: []