diff --git a/.github/configs/cr.yaml b/.github/configs/cr.yaml
new file mode 100644
index 0000000..b313f36
--- /dev/null
+++ b/.github/configs/cr.yaml
@@ -0,0 +1,6 @@
+## Reference: https://github.com/helm/chart-releaser
+index-path: "./index.yaml"
+
+# Enable automatic generation of release notes using GitHubs release notes generator.
+# see: https://docs.github.com/en/repositories/releasing-projects-on-github/automatically-generated-release-notes
+generate-release-notes: true
\ No newline at end of file
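Review bot: The chart is packaged without a provenance signature, since cr.yaml sets only `index-path` and `generate-release-notes`; chart-releaser's `sign` / `key` / `keyring` / `passphrase-file` options are what produce the `.prov` file that `helm verify` checks. If the action forwards this config to `cr package` (not visible here), adding `sign: true` with a key reference and a passphrase file supplied from a secret would make the GitHub-release charts verifiable; otherwise signing needs its own packaging step. The file also lacks a trailing newline.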
diff --git a/.github/workflows/publish-chart.yaml b/.github/workflows/publish-chart.yaml
new file mode 100644
index 0000000..f1631e4
--- /dev/null
+++ b/.github/workflows/publish-chart.yaml
@@ -0,0 +1,65 @@
+# Reference: https://github.com/helm/chart-releaser-action
+name: Chart Publish
+on:
+ push:
+ branches:
+ - main
+ paths:
+ - "helm/**"
+
+permissions:
+ contents: read
+
+jobs:
+ publish:
+ if: github.repository == 'argoproj-labs/argocd-rbac-operator'
+ permissions:
+ contents: write
+ packages: write
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ with:
+ fetch-depth: 0
+
+ - name: Install Helm
+ uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
+ with:
+ version: v3.10.1 # Also update in lint-and-test.yaml
+
+ - name: Configure Git
+ run: |
+ git config user.name "$GITHUB_ACTOR"
+ git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
+
+ ## This is required to consider the old Circle-CI Index and to stay compatible with all the old releases.
+ - name: Fetch current Chart Index
+ run: |
+ git checkout origin/gh-pages index.yaml
+
+ - name: Run chart-releaser
+ uses: helm/chart-releaser-action@a917fd15b20e8b64b94d9158ad54cd6345335584 # v1.6.0
+ with:
+ config: "./.github/configs/cr.yaml"
+ charts_dir: "./helm"
+ skip_existing: true
+ env:
+ CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+
+ - name: Login to GHCR
+ uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Push chart to GHCR
+ run: |
+ shopt -s nullglob
+ for pkg in .cr-release-packages/*.tgz; do
+ if [ -z "${pkg:-}" ]; then
+ break
+ fi
+ helm push "${pkg}" oci://ghcr.io/${{ github.repository }}
+ done
\ No newline at end of file
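Review bot: The `helm push` line in "Push chart to GHCR" interpolates `${{ github.repository }}` directly into the shell script; `github.repository` is not attacker-controlled, but the hardening convention for `run:` blocks is to pass contexts through `env:` and read them as shell variables so the script body holds no template expansions, e.g. `env: REPO: ${{ github.repository }}` on the step and `helm push "${pkg}" "oci://ghcr.io/${REPO}"`. The `if [ -z "${pkg:-}" ]` guard inside the loop is dead: with `nullglob` set, an empty match means the body never runs, so `${pkg}` is never empty. Separately, nothing signs the pushed OCI artifact or the release assets, so consumers of either channel cannot verify origin; cosign keyless signing of the pushed digest in this job (it already has `packages: write` and could add `id-token: write`) would close that gap. The file also lacks a trailing newline.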
diff --git a/.gitignore b/.gitignore
index a60119c..15785ae 100644
--- a/.gitignore
+++ b/.gitignore
@@ -26,4 +26,5 @@ go.work
*.swo
*~
-.donotcommit/
\ No newline at end of file
+.donotcommit/
+dist/
\ No newline at end of file
diff --git a/LICENSE b/LICENSE
index 261eeb9..2e54e9c 100644
--- a/LICENSE
+++ b/LICENSE
@@ -186,7 +186,7 @@
same "printed page" as the copyright notice for easier
identification within third-party archives.
- Copyright [yyyy] [name of copyright owner]
+ Copyright 2024-2025 Georgy Khromov
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
diff --git a/README.md b/README.md
index 0f120ca..0f2f57e 100644
--- a/README.md
+++ b/README.md
@@ -127,9 +127,9 @@ kubectl delete argocdrolebinding.rbac-operator.argoproj-labs.io/test-role-bindin
```
After the Resource is deleted, the policy string will be also deleted from the RBAC-CM.
-### Change the Scope, Default Role or Policy.CSV
+### Change the Policy.CSV
-To change the scope, default role or policy.csv you have to make changes in the `internal/controller/common/defaults.go` file.
+To change the policy.csv you have to make changes in the `internal/controller/common/defaults.go` file.
### Deployment types
diff --git a/config/cm-role/role.yaml b/config/cm-role/role.yaml
index c062db0..8bffa0e 100644
--- a/config/cm-role/role.yaml
+++ b/config/cm-role/role.yaml
@@ -1,6 +1,9 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
+ labels:
+ app.kubernetes.io/name: argocd-rbac-operator
+ app.kubernetes.io/managed-by: kustomize
name: manager-role
namespace: argocd
rules:
diff --git a/helm/argocd-rbac-operator/.helmignore b/helm/argocd-rbac-operator/.helmignore
new file mode 100644
index 0000000..0e8a0eb
--- /dev/null
+++ b/helm/argocd-rbac-operator/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/helm/argocd-rbac-operator/Chart.yaml b/helm/argocd-rbac-operator/Chart.yaml
new file mode 100644
index 0000000..e4e6826
--- /dev/null
+++ b/helm/argocd-rbac-operator/Chart.yaml
@@ -0,0 +1,19 @@
+apiVersion: v2
+appVersion: v0.1.6
+name: argocd-rbac-operator
+description: A Helm chart for Argo CD RBAC Operator, a Kubernetes Operator for Argo CD RBAC Management.
+type: application
+version: 0.1.0
+keywords:
+ - argocd
+ - operator
+ - rbac
+ - argoproj-labs
+home: https://github.com/argoproj-labs/argocd-rbac-operator
+sources:
+ - https://github.com/argoproj-labs/argocd-rbac-operator
+icon: https://argo-cd.readthedocs.io/en/stable/assets/logo.png
+maintainers:
+ - name: Gosha Khromov
+ email: gg.khrmv@gmail.com
+ url: https://github.com/ggkhrmv
diff --git a/helm/argocd-rbac-operator/LICENSE b/helm/argocd-rbac-operator/LICENSE
new file mode 100644
index 0000000..0213ffb
--- /dev/null
+++ b/helm/argocd-rbac-operator/LICENSE
@@ -0,0 +1,201 @@
+ Apache License
+ Version 2.0, January 2004
+ http://www.apache.org/licenses/
+
+ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+ 1. Definitions.
+
+ "License" shall mean the terms and conditions for use, reproduction,
+ and distribution as defined by Sections 1 through 9 of this document.
+
+ "Licensor" shall mean the copyright owner or entity authorized by
+ the copyright owner that is granting the License.
+
+ "Legal Entity" shall mean the union of the acting entity and all
+ other entities that control, are controlled by, or are under common
+ control with that entity. For the purposes of this definition,
+ "control" means (i) the power, direct or indirect, to cause the
+ direction or management of such entity, whether by contract or
+ otherwise, or (ii) ownership of fifty percent (50%) or more of the
+ outstanding shares, or (iii) beneficial ownership of such entity.
+
+ "You" (or "Your") shall mean an individual or Legal Entity
+ exercising permissions granted by this License.
+
+ "Source" form shall mean the preferred form for making modifications,
+ including but not limited to software source code, documentation
+ source, and configuration files.
+
+ "Object" form shall mean any form resulting from mechanical
+ transformation or translation of a Source form, including but
+ not limited to compiled object code, generated documentation,
+ and conversions to other media types.
+
+ "Work" shall mean the work of authorship, whether in Source or
+ Object form, made available under the License, as indicated by a
+ copyright notice that is included in or attached to the work
+ (an example is provided in the Appendix below).
+
+ "Derivative Works" shall mean any work, whether in Source or Object
+ form, that is based on (or derived from) the Work and for which the
+ editorial revisions, annotations, elaborations, or other modifications
+ represent, as a whole, an original work of authorship. For the purposes
+ of this License, Derivative Works shall not include works that remain
+ separable from, or merely link (or bind by name) to the interfaces of,
+ the Work and Derivative Works thereof.
+
+ "Contribution" shall mean any work of authorship, including
+ the original version of the Work and any modifications or additions
+ to that Work or Derivative Works thereof, that is intentionally
+ submitted to Licensor for inclusion in the Work by the copyright owner
+ or by an individual or Legal Entity authorized to submit on behalf of
+ the copyright owner. For the purposes of this definition, "submitted"
+ means any form of electronic, verbal, or written communication sent
+ to the Licensor or its representatives, including but not limited to
+ communication on electronic mailing lists, source code control systems,
+ and issue tracking systems that are managed by, or on behalf of, the
+ Licensor for the purpose of discussing and improving the Work, but
+ excluding communication that is conspicuously marked or otherwise
+ designated in writing by the copyright owner as "Not a Contribution."
+
+ "Contributor" shall mean Licensor and any individual or Legal Entity
+ on behalf of whom a Contribution has been received by Licensor and
+ subsequently incorporated within the Work.
+
+ 2. Grant of Copyright License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ copyright license to reproduce, prepare Derivative Works of,
+ publicly display, publicly perform, sublicense, and distribute the
+ Work and such Derivative Works in Source or Object form.
+
+ 3. Grant of Patent License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ (except as stated in this section) patent license to make, have made,
+ use, offer to sell, sell, import, and otherwise transfer the Work,
+ where such license applies only to those patent claims licensable
+ by such Contributor that are necessarily infringed by their
+ Contribution(s) alone or by combination of their Contribution(s)
+ with the Work to which such Contribution(s) was submitted. If You
+ institute patent litigation against any entity (including a
+ cross-claim or counterclaim in a lawsuit) alleging that the Work
+ or a Contribution incorporated within the Work constitutes direct
+ or contributory patent infringement, then any patent licenses
+ granted to You under this License for that Work shall terminate
+ as of the date such litigation is filed.
+
+ 4. Redistribution. You may reproduce and distribute copies of the
+ Work or Derivative Works thereof in any medium, with or without
+ modifications, and in Source or Object form, provided that You
+ meet the following conditions:
+
+ (a) You must give any other recipients of the Work or
+ Derivative Works a copy of this License; and
+
+ (b) You must cause any modified files to carry prominent notices
+ stating that You changed the files; and
+
+ (c) You must retain, in the Source form of any Derivative Works
+ that You distribute, all copyright, patent, trademark, and
+ attribution notices from the Source form of the Work,
+ excluding those notices that do not pertain to any part of
+ the Derivative Works; and
+
+ (d) If the Work includes a "NOTICE" text file as part of its
+ distribution, then any Derivative Works that You distribute must
+ include a readable copy of the attribution notices contained
+ within such NOTICE file, excluding those notices that do not
+ pertain to any part of the Derivative Works, in at least one
+ of the following places: within a NOTICE text file distributed
+ as part of the Derivative Works; within the Source form or
+ documentation, if provided along with the Derivative Works; or,
+ within a display generated by the Derivative Works, if and
+ wherever such third-party notices normally appear. The contents
+ of the NOTICE file are for informational purposes only and
+ do not modify the License. You may add Your own attribution
+ notices within Derivative Works that You distribute, alongside
+ or as an addendum to the NOTICE text from the Work, provided
+ that such additional attribution notices cannot be construed
+ as modifying the License.
+
+ You may add Your own copyright statement to Your modifications and
+ may provide additional or different license terms and conditions
+ for use, reproduction, or distribution of Your modifications, or
+ for any such Derivative Works as a whole, provided Your use,
+ reproduction, and distribution of the Work otherwise complies with
+ the conditions stated in this License.
+
+ 5. Submission of Contributions. Unless You explicitly state otherwise,
+ any Contribution intentionally submitted for inclusion in the Work
+ by You to the Licensor shall be under the terms and conditions of
+ this License, without any additional terms or conditions.
+ Notwithstanding the above, nothing herein shall supersede or modify
+ the terms of any separate license agreement you may have executed
+ with Licensor regarding such Contributions.
+
+ 6. Trademarks. This License does not grant permission to use the trade
+ names, trademarks, service marks, or product names of the Licensor,
+ except as required for reasonable and customary use in describing the
+ origin of the Work and reproducing the content of the NOTICE file.
+
+ 7. Disclaimer of Warranty. Unless required by applicable law or
+ agreed to in writing, Licensor provides the Work (and each
+ Contributor provides its Contributions) on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ implied, including, without limitation, any warranties or conditions
+ of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+ PARTICULAR PURPOSE. You are solely responsible for determining the
+ appropriateness of using or redistributing the Work and assume any
+ risks associated with Your exercise of permissions under this License.
+
+ 8. Limitation of Liability. In no event and under no legal theory,
+ whether in tort (including negligence), contract, or otherwise,
+ unless required by applicable law (such as deliberate and grossly
+ negligent acts) or agreed to in writing, shall any Contributor be
+ liable to You for damages, including any direct, indirect, special,
+ incidental, or consequential damages of any character arising as a
+ result of this License or out of the use or inability to use the
+ Work (including but not limited to damages for loss of goodwill,
+ work stoppage, computer failure or malfunction, or any and all
+ other commercial damages or losses), even if such Contributor
+ has been advised of the possibility of such damages.
+
+ 9. Accepting Warranty or Additional Liability. While redistributing
+ the Work or Derivative Works thereof, You may choose to offer,
+ and charge a fee for, acceptance of support, warranty, indemnity,
+ or other liability obligations and/or rights consistent with this
+ License. However, in accepting such obligations, You may act only
+ on Your own behalf and on Your sole responsibility, not on behalf
+ of any other Contributor, and only if You agree to indemnify,
+ defend, and hold each Contributor harmless for any liability
+ incurred by, or claims asserted against, such Contributor by reason
+ of your accepting any such warranty or additional liability.
+
+ END OF TERMS AND CONDITIONS
+
+ APPENDIX: How to apply the Apache License to your work.
+
+ To apply the Apache License to your work, attach the following
+ boilerplate notice, with the fields enclosed by brackets "[]"
+ replaced with your own identifying information. (Don't include
+ the brackets!) The text should be enclosed in the appropriate
+ comment syntax for the file format. We also recommend that a
+ file or class name and description of purpose be included on the
+ same "printed page" as the copyright notice for easier
+ identification within third-party archives.
+
+ Copyright 2025 Georgy Khromov
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
diff --git a/helm/argocd-rbac-operator/templates/_helpers.tpl b/helm/argocd-rbac-operator/templates/_helpers.tpl
new file mode 100644
index 0000000..76e3ec9
--- /dev/null
+++ b/helm/argocd-rbac-operator/templates/_helpers.tpl
@@ -0,0 +1,51 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "argocd-rbac-operator.name" -}}
+{{- default .Chart.Name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "argocd-rbac-operator.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "argocd-rbac-operator.labels" -}}
+helm.sh/chart: {{ include "argocd-rbac-operator.chart" . }}
+{{ include "argocd-rbac-operator.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- range $key, $val := .Values.additionalLabels }}
+{{ $key }}: {{ $val | quote }}
+{{- end }}
+{{- end -}}
+
+{{/*
+Selector labels
+*/}}
+{{- define "argocd-rbac-operator.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "argocd-rbac-operator.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the namespace
+*/}}
+{{- define "argocd-rbac-operator.namespace" -}}
+{{- printf "%s-system" .Chart.Name | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create the name of the service account
+*/}}
+{{- define "argocd-rbac-operator.serviceAccountName" -}}
+{{- printf "%s-controller-manager" .Chart.Name | trimSuffix "-" }}
+{{- end }}
+
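Review bot: In `argocd-rbac-operator.name` the call `default .Chart.Name` has no value operand, so `default` is a no-op and the helper always returns `.Chart.Name`; the conventional form is `default .Chart.Name .Values.nameOverride` (with a matching `nameOverride: ""` in values.yaml, which is not in this diff), otherwise drop `default` and write `{{- .Chart.Name | trunc 63 | trimSuffix "-" }}` so the intent is clear. `argocd-rbac-operator.namespace` hard-codes `<chart>-system` and ignores `.Release.Namespace`, so `helm install -n foo` still renders resources into `argocd-rbac-operator-system`; a comment on that helper stating that the install namespace is deliberately fixed would save the next reader from assuming `-n` is honoured.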
diff --git a/helm/argocd-rbac-operator/templates/cm_role.yaml b/helm/argocd-rbac-operator/templates/cm_role.yaml
new file mode 100644
index 0000000..98db50f
--- /dev/null
+++ b/helm/argocd-rbac-operator/templates/cm_role.yaml
@@ -0,0 +1,19 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: manager-role
+ labels: {{- include "argocd-rbac-operator.labels" . | nindent 4 }}
+ namespace: {{ .Values.argocd.namespace }}
+rules:
+- apiGroups:
+ - ""
+ resourceNames:
+ - {{ .Values.argocd.cmName }}
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - list
+ - patch
+ - update
+ - watch
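Review bot: The Role is named plain `manager-role` in the `{{ .Values.argocd.namespace }}` namespace, which is the kubebuilder scaffold default and will collide with any other scaffolded operator installed into the same namespace; the other RBAC objects in this chart use the `argocd-rbac-operator-` prefix, so `name: argocd-rbac-operator-cm-role` (with the matching `roleRef.name` in cm_role_binding.yaml) would be consistent and collision-free. Note also that `resourceNames` only constrains `list` and `watch` when the request carries a `metadata.name` field selector, so a plain list of configmaps in this namespace is denied by this Role; if the controller's cache does not use such a selector, that is presumably why the ClusterRole in manager_role.yaml grants `list` cluster-wide. Quoting the templated scalar, `- {{ .Values.argocd.cmName | quote }}`, also guards against an empty value rendering as null.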
diff --git a/helm/argocd-rbac-operator/templates/cm_role_binding.yaml b/helm/argocd-rbac-operator/templates/cm_role_binding.yaml
new file mode 100644
index 0000000..2d03262
--- /dev/null
+++ b/helm/argocd-rbac-operator/templates/cm_role_binding.yaml
@@ -0,0 +1,14 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ labels: {{- include "argocd-rbac-operator.labels" . | nindent 4 }}
+ name: manager-rolebinding
+ namespace: {{ .Values.argocd.namespace }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: manager-role
+subjects:
+- kind: ServiceAccount
+ name: {{ include "argocd-rbac-operator.serviceAccountName" . }}
+ namespace: {{ include "argocd-rbac-operator.namespace" . }}
\ No newline at end of file
diff --git a/helm/argocd-rbac-operator/templates/deployment.yaml b/helm/argocd-rbac-operator/templates/deployment.yaml
new file mode 100644
index 0000000..7728b52
--- /dev/null
+++ b/helm/argocd-rbac-operator/templates/deployment.yaml
@@ -0,0 +1,66 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ {{- include "argocd-rbac-operator.labels" . | nindent 4 }}
+ {{- include "argocd-rbac-operator.selectorLabels" . | nindent 4 }}
+ name: {{ include "argocd-rbac-operator.name" . }}
+ namespace: {{ include "argocd-rbac-operator.namespace" . }}
+spec:
+ replicas: {{ .Values.replicaCount }}
+ selector:
+ matchLabels: {{- include "argocd-rbac-operator.selectorLabels" . | nindent 6 }}
+ template:
+ metadata:
+ annotations:
+ kubectl.kubernetes.io/default-container: rbac-operator
+ labels:
+ {{- include "argocd-rbac-operator.labels" . | nindent 8 }}
+ {{- include "argocd-rbac-operator.selectorLabels" . | nindent 8 }}
+ spec:
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: kubernetes.io/arch
+ operator: In
+ values:
+ - amd64
+ - arm64
+ - ppc64le
+ - s390x
+ - key: kubernetes.io/os
+ operator: In
+ values:
+ - linux
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets: {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.securityContext }}
+ securityContext: {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ terminationGracePeriodSeconds: 10
+ serviceAccountName: {{ include "argocd-rbac-operator.serviceAccountName" . }}
+ containers:
+ - args:
+ - --leader-elect
+ - --health-probe-bind-address=:8081
+ command:
+ - /rbac-operator
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ livenessProbe:
+ {{- toYaml .Values.livenessProbe | nindent 12 }}
+ readinessProbe:
+ {{- toYaml .Values.readinessProbe | nindent 12 }}
+ name: {{ .Chart.Name }}
+ resources:
+ {{- toYaml .Values.resources | nindent 12 }}
+ {{- with .Values.containerSecurityContext }}
+ securityContext: {{- toYaml . | nindent 12 }}
+ {{- end }}
diff --git a/helm/argocd-rbac-operator/templates/editor_roles.yaml b/helm/argocd-rbac-operator/templates/editor_roles.yaml
new file mode 100644
index 0000000..dd3b732
--- /dev/null
+++ b/helm/argocd-rbac-operator/templates/editor_roles.yaml
@@ -0,0 +1,51 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels: {{- include "argocd-rbac-operator.labels" . | nindent 4 }}
+ name: argocd-rbac-operator-argocdrolebinding-editor-role
+rules:
+- apiGroups:
+ - rbac-operator.argoproj-labs.io
+ resources:
+ - argocdrolebindings
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - rbac-operator.argoproj-labs.io
+ resources:
+ - argocdrolebindings/status
+ verbs:
+ - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels: {{- include "argocd-rbac-operator.labels" . | nindent 4 }}
+ name: argocd-rbac-operator-role-editor-role
+rules:
+- apiGroups:
+ - rbac-operator.argoproj-labs.io
+ resources:
+ - argocdroles
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - rbac-operator.argoproj-labs.io
+ resources:
+ - argocdroles/status
+ verbs:
+ - get
+---
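Review bot: Nothing in the hunk records that these two editor ClusterRoles are effectively Argo CD admin grants: anyone who can create an ArgoCDRoleBinding can bind any subject, including themselves, to any ArgoCDRole, and the operator writes the result into Argo CD's RBAC ConfigMap. The CRDs are namespaced while these roles are cluster-scoped, so a subject bound via ClusterRoleBinding can do this from any namespace the operator reconciles (which namespaces those are is not visible in this diff). A header comment such as `# Binding either editor role is equivalent to granting Argo CD RBAC administration; bind with a namespaced RoleBinding and only to trusted subjects.` would make that explicit, and gating the two objects behind a value (they are unbound and unused by the operator itself) would let installers opt out. The trailing `---` after the second document is harmless but unnecessary.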
diff --git a/helm/argocd-rbac-operator/templates/leader_election_role.yaml b/helm/argocd-rbac-operator/templates/leader_election_role.yaml
new file mode 100644
index 0000000..899672d
--- /dev/null
+++ b/helm/argocd-rbac-operator/templates/leader_election_role.yaml
@@ -0,0 +1,38 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ labels: {{- include "argocd-rbac-operator.labels" . | nindent 4 }}
+ name: argocd-rbac-operator-leader-election-role
+ namespace: {{ include "argocd-rbac-operator.namespace" . }}
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
\ No newline at end of file
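Review bot: The first rule grants full CRUD on every ConfigMap in the operator namespace, which is only needed by the legacy ConfigMap-based leader-election lock; controller-runtime defaults to the `leases` resource lock, so if the manager's leader-election setup (not in this diff) uses the default, the `configmaps` rule can be deleted and the Role reduced to `leases` plus `events`. The operator's namespace is dedicated, so the exposure is small, but unused write permissions on ConfigMaps are exactly what a least-privilege review should trim. A comment above the rule, `# only required for the ConfigMap/ConfigMapsLeases resource lock; drop when using Leases`, would record the condition for removal. The file lacks a trailing newline.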
diff --git a/helm/argocd-rbac-operator/templates/leader_election_role_binding.yaml b/helm/argocd-rbac-operator/templates/leader_election_role_binding.yaml
new file mode 100644
index 0000000..8ba3649
--- /dev/null
+++ b/helm/argocd-rbac-operator/templates/leader_election_role_binding.yaml
@@ -0,0 +1,14 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ labels: {{- include "argocd-rbac-operator.labels" . | nindent 4 }}
+ name: argocd-rbac-operator-leader-election-rolebinding
+ namespace: {{ include "argocd-rbac-operator.namespace" . }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: argocd-rbac-operator-leader-election-role
+subjects:
+- kind: ServiceAccount
+ name: {{ include "argocd-rbac-operator.serviceAccountName" . }}
+ namespace: {{ include "argocd-rbac-operator.namespace" . }}
\ No newline at end of file
diff --git a/helm/argocd-rbac-operator/templates/manager_role.yaml b/helm/argocd-rbac-operator/templates/manager_role.yaml
new file mode 100644
index 0000000..ddcad38
--- /dev/null
+++ b/helm/argocd-rbac-operator/templates/manager_role.yaml
@@ -0,0 +1,55 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels: {{- include "argocd-rbac-operator.labels" . | nindent 4 }}
+ name: argocd-rbac-operator-manager-role
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - list
+- apiGroups:
+ - rbac-operator.argoproj-labs.io
+ resources:
+ - argocdrolebindings
+ verbs:
+ - '*'
+ - get
+ - list
+- apiGroups:
+ - rbac-operator.argoproj-labs.io
+ resources:
+ - argocdrolebindings/finalizers
+ verbs:
+ - '*'
+- apiGroups:
+ - rbac-operator.argoproj-labs.io
+ resources:
+ - argocdrolebindings/status
+ verbs:
+ - '*'
+- apiGroups:
+ - rbac-operator.argoproj-labs.io
+ resources:
+ - argocdroles
+ verbs:
+ - '*'
+ - get
+ - list
+- apiGroups:
+ - rbac-operator.argoproj-labs.io
+ resources:
+ - argocdroles/finalizers
+ verbs:
+ - '*'
+- apiGroups:
+ - rbac-operator.argoproj-labs.io
+ resources:
+ - argocdroles/status
+ verbs:
+ - '*'
+ - get
+ - patch
+ - update
\ No newline at end of file
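Review bot: Every rule for the `rbac-operator.argoproj-labs.io` resources uses the wildcard verb `'*'`, and several list `get`/`list`/`patch`/`update` next to it, which the wildcard already covers; enumerate the verbs the controller actually uses (the scaffold-generated `create, delete, get, list, patch, update, watch` for the CRs, `update` for finalizers, `get, patch, update` for status) and drop `'*'` so a future verb is not granted implicitly. The first rule grants `list` on ConfigMaps across the whole cluster, which lets the operator enumerate configuration data in every namespace, while the Role in cm_role.yaml already scopes access to the single Argo CD ConfigMap; if the controller's cache can be restricted to the Argo CD namespace for ConfigMaps, this cluster-wide rule can go. Whether the cache is configured that way is not visible here, so a `# TODO: confirm whether the cluster-wide configmaps list is required by the manager cache` note on the rule is the minimum. The file lacks a trailing newline.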
diff --git a/helm/argocd-rbac-operator/templates/manager_role_binding.yaml b/helm/argocd-rbac-operator/templates/manager_role_binding.yaml
new file mode 100644
index 0000000..cb0cf15
--- /dev/null
+++ b/helm/argocd-rbac-operator/templates/manager_role_binding.yaml
@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ labels: {{- include "argocd-rbac-operator.labels" . | nindent 4 }}
+ name: argocd-rbac-operator-manager-rolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: argocd-rbac-operator-manager-role
+subjects:
+- kind: ServiceAccount
+ name: {{ include "argocd-rbac-operator.serviceAccountName" . }}
+ namespace: {{ include "argocd-rbac-operator.namespace" . }}
\ No newline at end of file
diff --git a/helm/argocd-rbac-operator/templates/namespace.yaml b/helm/argocd-rbac-operator/templates/namespace.yaml
new file mode 100644
index 0000000..0fdf443
--- /dev/null
+++ b/helm/argocd-rbac-operator/templates/namespace.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ labels:
+ {{- include "argocd-rbac-operator.labels" . | nindent 4 }}
+ {{- include "argocd-rbac-operator.selectorLabels" . | nindent 4 }}
+ name: {{ include "argocd-rbac-operator.namespace" . }}
\ No newline at end of file
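Review bot: The chart creates the Namespace it deploys into, which means `helm uninstall` deletes the namespace and everything else anyone placed in it, and because `argocd-rbac-operator.namespace` is fixed to `<chart>-system`, `helm install -n other` still creates and populates `argocd-rbac-operator-system` rather than the release namespace. Common practice is to deploy into `.Release.Namespace` (letting `--create-namespace` handle creation) or at least gate this template behind a value such as `createNamespace`. The labels block also includes `argocd-rbac-operator.selectorLabels` after `argocd-rbac-operator.labels`, but the latter already contains the selector labels, so the rendered object has duplicate `app.kubernetes.io/name` and `app.kubernetes.io/instance` keys; remove the second include. The file lacks a trailing newline.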
diff --git a/helm/argocd-rbac-operator/templates/rbac-operator.argoproj-labs.io_argocdrolebindings.yaml b/helm/argocd-rbac-operator/templates/rbac-operator.argoproj-labs.io_argocdrolebindings.yaml
new file mode 100644
index 0000000..215d396
--- /dev/null
+++ b/helm/argocd-rbac-operator/templates/rbac-operator.argoproj-labs.io_argocdrolebindings.yaml
@@ -0,0 +1,131 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.15.0
+ name: argocdrolebindings.rbac-operator.argoproj-labs.io
+spec:
+ group: rbac-operator.argoproj-labs.io
+ names:
+ kind: ArgoCDRoleBinding
+ listKind: ArgoCDRoleBindingList
+ plural: argocdrolebindings
+ singular: argocdrolebinding
+ scope: Namespaced
+ versions:
+ - name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: ArgoCDRoleBinding is the Schema for the argocdrolebindings API
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: ArgoCDRoleBindingSpec defines the desired state of ArgoCDRoleBinding
+ properties:
+ argocdRoleRef:
+ description: ArgocdRoleRef defines the reference to the role being
+ granted.
+ properties:
+ name:
+ description: Name of the ArgoCDRole. Should not start with "role:"
+ type: string
+ required:
+ - name
+ type: object
+ subjects:
+ description: List of subjects being bound to ArgoCDRole (argocdRoleRef).
+ items:
+ description: Subject defines the subject being bound to ArgoCDRole.
+ properties:
+ kind:
+ description: Kind of the subject (sso, local or role).
+ enum:
+ - sso
+ - local
+ - role
+ type: string
+ name:
+ description: Name of the subject. If Kind is "role", it shouldn't
+ start with "role:"
+ type: string
+ required:
+ - kind
+ - name
+ type: object
+ type: array
+ required:
+ - argocdRoleRef
+ - subjects
+ type: object
+ status:
+ description: ArgoCDRoleBindingStatus defines the observed state of ArgoCDRoleBinding
+ properties:
+ conditions:
+ description: Conditions defines the list of conditions.
+ items:
+ description: A Condition that may apply to a resource.
+ properties:
+ lastTransitionTime:
+ description: |-
+ LastTransitionTime is the last time this condition transitioned from one
+ status to another.
+ format: date-time
+ type: string
+ message:
+ description: |-
+ A Message containing details about this condition's last transition from
+ one status to another, if any.
+ type: string
+ observedGeneration:
+ description: |-
+ ObservedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
+ format: int64
+ type: integer
+ reason:
+ description: A Reason for this condition's last transition from
+ one status to another.
+ type: string
+ status:
+ description: Status of this condition; is it currently True,
+ False, or Unknown?
+ type: string
+ type:
+ description: |-
+ Type of this condition. At most one of each condition type may apply to
+ a resource at any point in time.
+ type: string
+ required:
+ - lastTransitionTime
+ - reason
+ - status
+ - type
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - type
+ x-kubernetes-list-type: map
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
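Review bot: This CRD lives under `templates/` without a `helm.sh/resource-policy: keep` annotation, so `helm uninstall` removes the CRD and with it every ArgoCDRoleBinding in the cluster; add `helm.sh/resource-policy: keep` under `metadata.annotations` (or move the CRDs to `crds/`, accepting that Helm then never upgrades them). The schema documents that `argocdRoleRef.name` and role-kind subject names "should not start with role:" but does not enforce it, leaving that to the controller; a CEL rule on those string fields, `x-kubernetes-validations: [{rule: "!self.startsWith('role:')", message: "must not start with role:"}]`, would reject such input at admission on clusters where CRD validation rules are available. `subjects.items.name` also has no `minLength`, so an empty subject name is schema-valid; whether the controller rejects it is not visible here.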
diff --git a/helm/argocd-rbac-operator/templates/rbac-operator.argoproj-labs.io_argocdroles.yaml b/helm/argocd-rbac-operator/templates/rbac-operator.argoproj-labs.io_argocdroles.yaml
new file mode 100644
index 0000000..31c7f25
--- /dev/null
+++ b/helm/argocd-rbac-operator/templates/rbac-operator.argoproj-labs.io_argocdroles.yaml
@@ -0,0 +1,140 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.15.0
+ name: argocdroles.rbac-operator.argoproj-labs.io
+spec:
+ group: rbac-operator.argoproj-labs.io
+ names:
+ kind: ArgoCDRole
+ listKind: ArgoCDRoleList
+ plural: argocdroles
+ singular: argocdrole
+ scope: Namespaced
+ versions:
+ - name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: ArgoCDRole is the Schema for the roles API
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: ArgoCDRoleSpec defines the desired state of Role
+ properties:
+ rules:
+ items:
+ description: Rules define the desired set of permissions.
+ properties:
+ objects:
+ description: List of resource's objects the permissions are
+ granted for.
+ items:
+ type: string
+ type: array
+ resource:
+ description: Target resource type.
+ enum:
+ - clusters
+ - projects
+ - applications
+ - applicationsets
+ - repositories
+ - certificates
+ - accounts
+ - gpgkeys
+ - logs
+ - exec
+ - extensions
+ type: string
+ verbs:
+ description: Verbs define the operations that are being performed
+ on the resource.
+ items:
+ type: string
+ type: array
+ required:
+ - objects
+ - resource
+ - verbs
+ type: object
+ type: array
+ required:
+ - rules
+ type: object
+ status:
+ description: ArgoCDRoleStatus defines the observed state of Role
+ properties:
+ argocdRoleBindingRef:
+ description: argocdRoleBindingRef defines the reference to the ArgoCDRoleBinding
+ Resource.
+ type: string
+ conditions:
+ description: Conditions defines the list of conditions.
+ items:
+ description: A Condition that may apply to a resource.
+ properties:
+ lastTransitionTime:
+ description: |-
+ LastTransitionTime is the last time this condition transitioned from one
+ status to another.
+ format: date-time
+ type: string
+ message:
+ description: |-
+ A Message containing details about this condition's last transition from
+ one status to another, if any.
+ type: string
+ observedGeneration:
+ description: |-
+ ObservedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
+ format: int64
+ type: integer
+ reason:
+ description: A Reason for this condition's last transition from
+ one status to another.
+ type: string
+ status:
+ description: Status of this condition; is it currently True,
+ False, or Unknown?
+ type: string
+ type:
+ description: |-
+ Type of this condition. At most one of each condition type may apply to
+ a resource at any point in time.
+ type: string
+ required:
+ - lastTransitionTime
+ - reason
+ - status
+ - type
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - type
+ x-kubernetes-list-type: map
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
diff --git a/helm/argocd-rbac-operator/templates/serviceaccount.yaml b/helm/argocd-rbac-operator/templates/serviceaccount.yaml
new file mode 100644
index 0000000..24cff3a
--- /dev/null
+++ b/helm/argocd-rbac-operator/templates/serviceaccount.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels: {{- include "argocd-rbac-operator.labels" . | nindent 4 }}
+ name: {{ include "argocd-rbac-operator.serviceAccountName" . }}
+ namespace: {{ include "argocd-rbac-operator.namespace" . }}
+ {{- with .Values.serviceAccountAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
\ No newline at end of file
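Review bot: The `annotations:` block fed by `{{- toYaml . | nindent 4 }}` must render a string map, but the chart's default in values.yaml is `serviceAccountAnnotations: []` and its comment calls it "An array of additional annotations"; a user who follows that documented shape and supplies a list gets a manifest whose `metadata.annotations` is a sequence, which the API server rejects, and the empty-list default only survives because `with` skips it. The default and comment should be `serviceAccountAnnotations: {}` with the comment reading `# A map of additional annotations to be applied to the operator service account`; the same applies to the values.yaml hunk below. The file also ends without a trailing newline.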
diff --git a/helm/argocd-rbac-operator/templates/viewer_roles.yaml b/helm/argocd-rbac-operator/templates/viewer_roles.yaml
new file mode 100644
index 0000000..cbe7fe1
--- /dev/null
+++ b/helm/argocd-rbac-operator/templates/viewer_roles.yaml
@@ -0,0 +1,43 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels: {{- include "argocd-rbac-operator.labels" . | nindent 4 }}
+ name: argocd-rbac-operator-argocdrolebinding-viewer-role
+rules:
+- apiGroups:
+ - rbac-operator.argoproj-labs.io
+ resources:
+ - argocdrolebindings
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - rbac-operator.argoproj-labs.io
+ resources:
+ - argocdrolebindings/status
+ verbs:
+ - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels: {{- include "argocd-rbac-operator.labels" . | nindent 4 }}
+ name: argocd-rbac-operator-role-viewer-role
+rules:
+- apiGroups:
+ - rbac-operator.argoproj-labs.io
+ resources:
+ - argocdroles
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - rbac-operator.argoproj-labs.io
+ resources:
+ - argocdroles/status
+ verbs:
+ - get
+---
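Review bot: Both ClusterRole names are fixed literals (`argocd-rbac-operator-argocdrolebinding-viewer-role`, `argocd-rbac-operator-role-viewer-role`) while the serviceaccount template derives its name through the chart's `include` helpers; because ClusterRoles are cluster-scoped, a second release of this chart in the same cluster fails on ownership of these two objects. Nothing in this hunk binds either role or aggregates it, so as written they grant nothing until a user creates a binding; if the intent is the kubebuilder-style viewer role, a `rbac.authorization.k8s.io/aggregate-to-view: "true"` label under `metadata.labels` would fold them into the built-in `view` role — confirm the intent before adding it. The trailing `---` at the end of the file yields an empty document, which Helm tolerates but is noise.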
diff --git a/helm/argocd-rbac-operator/values.yaml b/helm/argocd-rbac-operator/values.yaml
new file mode 100644
index 0000000..a9c0788
--- /dev/null
+++ b/helm/argocd-rbac-operator/values.yaml
@@ -0,0 +1,73 @@
+# Default values for argocd-rbac-operator.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+# This will set the replicaset count more information can be found here: https://kubernetes.io/docs/concepts/workloads/controllers/replicaset/
+replicaCount: 1
+
+argocd:
+ # The namespace where the ArgoCD instance is running
+ namespace: argocd
+ # The name of the ArgoCD RBAC ConfigMap
+ cmName: argocd-rbac-cm
+
+# Specify the Operator container image to use for the deployment.
+# For example, the following sets the image to the ``quay.io/argoprojlabs/argocd-rbac-operator`` repo and the v0.1.6 tag.
+# The container pulls the image if not already present
+image:
+ repository: quay.io/argoprojlabs/argocd-rbac-operator
+ tag: v0.1.6
+ pullPolicy: IfNotPresent
+
+# An array of additional annotations to be applied to the operator service account
+serviceAccountAnnotations: []
+# additional labels to be applied to operator resources
+additionalLabels: {}
+
+# An array of Kubernetes secrets to use for pulling images from a private ``image.repository``.
+# Only one array element is supported at this time.
+imagePullSecrets: []
+
+# The Kubernetes `SecurityContext `__ to use for deploying Operator resources.
+#
+# You may need to modify these values to meet your cluster's security and access settings.
+securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+
+# The Kubernetes `SecurityContext `__ to use for deploying Operator containers.
+# You may need to modify these values to meet your cluster's security and access settings.
+containerSecurityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+
+resources:
+ limits:
+ cpu: 500m
+ memory: 128Mi
+ requests:
+ cpu: 10m
+ memory: 64Mi
+
+# This is to setup the liveness and readiness probes more information can be found here: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/
+livenessProbe:
+ httpGet:
+ path: /healthz
+ port: 8081
+ initialDelaySeconds: 15
+ periodSeconds: 20
+readinessProbe:
+ httpGet:
+ path: /readyz
+ port: 8081
+ initialDelaySeconds: 5
+ periodSeconds: 10
+
+nodeSelector: {}
\ No newline at end of file
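Review bot: `securityContext.runAsNonRoot: true` is set without a numeric `runAsUser`, so the kubelet's non-root check depends on the image's `USER` directive being a numeric UID; if the `quay.io/argoprojlabs/argocd-rbac-operator` image sets `USER` by name, the container is refused at creation time (CreateContainerConfigError) rather than failing visibly at install. Adding an explicit UID under the pod-level stanza, e.g. `runAsUser: 65532` (constructed example — match the image's actual user), makes the check independent of image metadata. Separately, the `SecurityContext `__` text in the two securityContext comments is a broken reST link with no target; either drop the link syntax or point it at the Kubernetes security-context documentation.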