Repo server rbac (#160)

* Added Role and service account to repo-server * Fixed comment in repo-server SA name helper * Bumped chart version * Added repoServer service account annotations
2019-11-20 00:27:12 +01:00 · 2019-11-20 00:27:12 +01:00 · 8c3430b89e
parent 9b3d5d35a7
commit 8c3430b89e
7 changed files with 89 additions and 1 deletions
--- a/charts/argo-cd/Chart.yaml
+++ b/charts/argo-cd/Chart.yaml
@ -2,7 +2,7 @@ apiVersion: v1
 appVersion: "1.2.4"
 description: A Helm chart for ArgoCD, a declarative, GitOps continuous delivery tool for Kubernetes.
 name: argo-cd
-version: 1.0.8
+version: 1.0.9
 home: https://github.com/argoproj/argo-helm
 icon: https://raw.githubusercontent.com/argoproj/argo/master/argo.png
 keywords:
--- a/charts/argo-cd/templates/_helpers.tpl
+++ b/charts/argo-cd/templates/_helpers.tpl
@ -92,6 +92,17 @@ Create the name of the ArgoCD server service account to use
 {{- end -}}
 {{- end -}}

+{{/*
+Create the name of the repo-server service account to use
+*/}}
+{{- define "argo-cd.repoServerServiceAccountName" -}}
+{{- if .Values.repoServer.serviceAccount.create -}}
+    {{ default (include "argo-cd.fullname" .) .Values.repoServer.serviceAccount.name }}
+{{- else -}}
+    {{ default "default" .Values.repoServer.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
+
 {{/*
 Create chart name and version as used by the chart label.
 */}}
--- a/charts/argo-cd/templates/argocd-repo-server/deployment.yaml
+++ b/charts/argo-cd/templates/argocd-repo-server/deployment.yaml
@ -105,6 +105,7 @@ spec:
      affinity:
 {{- toYaml .Values.repoServer.affinity | nindent 8 }}
    {{- end }}
+      serviceAccountName: {{ template "argo-cd.repoServerServiceAccountName" . }}
      volumes:
      {{- if .Values.repoServer.volumes }}
 {{- toYaml .Values.repoServer.volumes | nindent 8}}
--- a/charts/argo-cd/templates/argocd-repo-server/role.yaml
+++ b/charts/argo-cd/templates/argocd-repo-server/role.yaml
@ -0,0 +1,17 @@
+{{- if .Values.repoServer.serviceAccount.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ template "argo-cd.repoServer.fullname" . }}
+  labels:
+    app.kubernetes.io/name: {{ include "argo-cd.name" . }}-{{ .Values.repoServer.name }}
+    helm.sh/chart: {{ include "argo-cd.chart" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    app.kubernetes.io/part-of: argocd
+    app.kubernetes.io/component: {{ .Values.repoServer.name }}
+rules:
+{{- if .Values.repoServer.rbac }}
+{{toYaml .Values.repoServer.rbac }}
+{{- end }}
+{{- end }}
--- a/charts/argo-cd/templates/argocd-repo-server/rolebinding.yaml
+++ b/charts/argo-cd/templates/argocd-repo-server/rolebinding.yaml
@ -0,0 +1,21 @@
+{{- if .Values.repoServer.serviceAccount.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ template "argo-cd.repoServer.fullname" . }}
+  labels:
+    app.kubernetes.io/name: {{ include "argo-cd.name" . }}-{{ .Values.repoServer.name }}
+    helm.sh/chart: {{ include "argo-cd.chart" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    app.kubernetes.io/part-of: argocd
+    app.kubernetes.io/component: {{ .Values.repoServer.name }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ template "argo-cd.repoServer.fullname" . }}
+subjects:
+- kind: ServiceAccount
+  name: {{ template "argo-cd.repoServerServiceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+{{- end }}
--- a/charts/argo-cd/templates/argocd-repo-server/serviceaccount.yaml
+++ b/charts/argo-cd/templates/argocd-repo-server/serviceaccount.yaml
@ -0,0 +1,19 @@
+{{- if .Values.repoServer.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ template "argo-cd.repoServerServiceAccountName" . }}
+{{- if .Values.repoServer.serviceAccount.annotations }}
+  annotations:
+  {{- range $key, $value := .Values.repoServer.serviceAccount.annotations }}
+    {{ $key }}: {{ $value | quote }}
+  {{- end }}
+{{- end }}
+  labels:
+    app.kubernetes.io/name: {{ include "argo-cd.name" . }}-{{ .Values.repoServer.name }}
+    helm.sh/chart: {{ include "argo-cd.chart" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    app.kubernetes.io/part-of: argocd
+    app.kubernetes.io/component: {{ .Values.repoServer.name }}
+{{- end }}
--- a/charts/argo-cd/values.yaml
+++ b/charts/argo-cd/values.yaml
@ -480,6 +480,25 @@ repoServer:
    #   namespace: monitoring
    #   additionalLabels: {}

+  ## Repo server service account
+  ## If create is set to true, make sure to uncomment the name and update the rbac section below
+  serviceAccount:
+    create: false
+  #  name: argocd-repo-server
+    ## Annotations applied to created service account
+    annotations: {}
+
+  ## Repo server rbac rules
+ # rbac:
+ #   - apiGroups:
+ #     - argoproj.io
+ #     resources:
+ #     - applications
+ #     verbs:
+ #     - get
+ #     - list
+ #     - watch
+
 ## Argo Configs
 configs:
  knownHosts: