Add custom ArgoCD rbac

README.md

@@ -8,6 +8,7 @@ This chart is used to set up the basic building blocks in [Validated Patterns](h
 
 ### Notable changes
 
+* v0.9.50: Add support to custom `rbac` in `ArgoDC.spec`
 * v0.9.49: Boolean Templates in override values now also render correctly
 * v0.9.48: Templates in override values now render
 * v0.9.45: Default value of `resourceTrackingMethod` is now `annotation`
@@ -68,6 +69,7 @@ clusterGroup:
 | clusterGroup.argoCD.configManagementPlugins | list | `[]` |  |
 | clusterGroup.argoCD.env | list | `[]` |  |
 | clusterGroup.argoCD.initContainers | list | `[]` |  |
+| clusterGroup.argoCD.rbac | object | `{}` |  |
 | clusterGroup.argoCD.resourceActions | list | `[]` |  |
 | clusterGroup.argoCD.resourceExclusions | string | `"- apiGroups:\n  - tekton.dev\n  kinds:\n  - TaskRun\n  - PipelineRun\n"` |  |
 | clusterGroup.argoCD.resourceHealthChecks[0].check | string | `"hs = {}\nif obj.status ~= nil then\n  if obj.status.phase ~= nil then\n    if obj.status.phase == \"Pending\" then\n      hs.status = \"Healthy\"\n      hs.message = obj.status.phase\n      return hs\n    elseif obj.status.phase == \"Bound\" then\n      hs.status = \"Healthy\"\n      hs.message = obj.status.phase\n      return hs\n    end\n  end\nend\nhs.status = \"Progressing\"\nhs.message = \"Waiting for PVC\"\nreturn hs\n"` |  |

README.md.gotmpl

@@ -9,6 +9,7 @@ This chart is used to set up the basic building blocks in [Validated Patterns](h
 
 ### Notable changes
 
+* v0.9.50: Add support to custom `rbac` in `ArgoDC.spec`
 * v0.9.49: Boolean Templates in override values now also render correctly
 * v0.9.48: Templates in override values now render
 * v0.9.45: Default value of `resourceTrackingMethod` is now `annotation`

templates/plumbing/argocd.yaml

@@ -53,12 +53,16 @@ spec:
           memory: 128Mi
   initialSSHKnownHosts: {}
   rbac:
+  {{- if $.Values.clusterGroup.argoCD.rbac }}
+    {{- toYaml $.Values.clusterGroup.argoCD.rbac | nindent 4 }}
+  {{- else }}
     defaultPolicy: role:readonly
     policy: |-
       g, system:cluster-admins, role:admin
       g, cluster-admins, role:admin
       g, admin, role:admin
     scopes: '[groups, email]'
+  {{- end }}
   repo:
     env: {{ $.Values.clusterGroup.argoCD.env | toPrettyJson }}
     initContainers:

tests/argocd_rbac_test.yaml

@@ -0,0 +1,37 @@
+suite: Test argocd with rbac
+templates:
+  - templates/plumbing/argocd.yaml
+release:
+  name: release-test
+tests:
+  - it: should render default rbac
+    documentIndex: 0
+    asserts:
+      - isSubset:
+          path: spec.rbac
+          content:
+            defaultPolicy: role:readonly
+            policy: |-
+              g, system:cluster-admins, role:admin
+              g, cluster-admins, role:admin
+              g, admin, role:admin
+            scopes: '[groups, email]'
+
+  - it: should render custom rbac correctly
+    set:
+      clusterGroup:
+        argoCD:
+          rbac:
+            defaultPolicy: default
+            policy: |-
+              g, test-group, role:admin
+            scopes: '[one, two]'
+    documentIndex: 0
+    asserts:
+      - isSubset:
+          path: spec.rbac
+          content:
+            defaultPolicy: default
+            policy: |-
+              g, test-group, role:admin
+            scopes: '[one, two]'

values.schema.json

@@ -719,6 +719,11 @@
             "$ref": "#/definitions/ArgoCDResourceActions"
           },
           "description": "ResourceActions customizes resource action behavior."
+        },
+        "rbac": {
+          "type": "object",
+          "description": "Rbac customizes ArgoCD RBAC policies.",
+          "additionalProperties": true
         }
       }
     },

values.yaml

@@ -33,6 +33,7 @@ clusterGroup:
   argoCD:
     initContainers: []
     env: []
+    rbac: {}
     volumes: []
     volumeMounts: []
     configManagementPlugins: []