feat: added docs

Signed-off-by: Soumya Ghosh Dastidar <[email protected]>

docs/operator-manual/argocd-cm.yaml

@@ -231,6 +231,10 @@ data:
  # 'none' - disabled
  ignoreResourceStatusField: crd
 
+ # configuration to instruct controller to only watch for resources that it has permissions to list
+ # can be either empty, "normal" or "strict". By default, it is empty i.e. disabled.
+ resource.respectRBAC: "normal"
+
  # Configuration to add a config management plugin.
  configManagementPlugins: |
  - name: kasane

docs/operator-manual/declarative-setup.md

@@ -857,6 +857,30 @@ Notes:
 * Invalid globs result in the whole rule being ignored.
 * If you add a rule that matches existing resources, these will appear in the interface as `OutOfSync`.
 
+## Auto respect RBAC for controller
+
+Argocd controller can be restricted from discovering/syncing specific resources using just controller rbac, without having to manually configure resource exclusions.
+This feature can be enabled by setting `resource.respectRBAC` key in argocd cm, once it is set the controller will automatically stop watching for resources 
+that it does not have the permission to list/access. Possible values for `resource.respectRBAC` are:
+ - `strict` : This setting checks whether the list call made by controller is forbidden/unauthorized and if it is, it will cross-check the permission by making a `SelfSubjectAccessReview` call for the resource.
+ - `normal` : This will only check whether the list call response is forbidden/unauthorized and skip `SelfSubjectAccessReview` call, to minimize any extra api-server calls.
+ - unset/empty (default) : This will disable the feature and controller will continue to monitor all resources.
+
+Users who are comfortable with an increase in kube api-server calls can opt for `strict` option while users who are concerned with higher api calls and are willing to compromise on the accuracy can opt for the `normal` option.
+
+NOTE: when set to use `strict` mode controller must have rbac permission to `create` a `SelfSubjectAccessReview` resource.
+
+Example argocd cm with `resource.respectRBAC` set to `strict`:
+
+```yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: argocd-cm
+data:
+ resource.respectRBAC: "strict"
+```
+
 ## Resource Custom Labels
 
 Custom Labels configured with `resource.customLabels` (comma separated string) will be displayed in the UI (for any resource that defines them).

go.mod

@@ -296,4 +296,4 @@ replace (
  k8s.io/sample-apiserver => k8s.io/sample-apiserver v0.24.2
 )
 
-replace github.com/argoproj/gitops-engine => github.com/gdsoumya/gitops-engine v0.0.0-20230706134546-8f9051a1fe77
+replace github.com/argoproj/gitops-engine => github.com/gdsoumya/gitops-engine v0.0.0-20230706170353-56c89ca1b7cd

go.sum

@@ -340,8 +340,8 @@ github.com/fsnotify/fsnotify v1.6.0 h1:n+5WquG0fcWoWp6xPWfHdbskMCQaFnG6PfBrh1Ky4
 github.com/fsnotify/fsnotify v1.6.0/go.mod h1:sl3t1tCWJFWoRz9R8WJCbQihKKwmorjAbSClcnxKAGw=
 github.com/fvbommel/sortorder v1.0.1 h1:dSnXLt4mJYH25uDDGa3biZNQsozaUWDSWeKJ0qqFfzE=
 github.com/fvbommel/sortorder v1.0.1/go.mod h1:uk88iVf1ovNn1iLfgUVU2F9o5eO30ui720w+kxuqRs0=
-github.com/gdsoumya/gitops-engine v0.0.0-20230706134546-8f9051a1fe77 h1:Y48vXnEnzCpd4W0lAfemCWPui/N6dsJ+bWbH5Ns7/1o=
-github.com/gdsoumya/gitops-engine v0.0.0-20230706134546-8f9051a1fe77/go.mod h1:/GMN0JuoJUUpnKlNLp2Wn/mfK8sglFsdPn+eoxSddmg=
+github.com/gdsoumya/gitops-engine v0.0.0-20230706170353-56c89ca1b7cd h1:xWLRADoMSfMvIpJtwQspOK2u5KhoZFhIgqBtHNeb4yE=
+github.com/gdsoumya/gitops-engine v0.0.0-20230706170353-56c89ca1b7cd/go.mod h1:/GMN0JuoJUUpnKlNLp2Wn/mfK8sglFsdPn+eoxSddmg=
 github.com/getkin/kin-openapi v0.76.0/go.mod h1:660oXbgy5JFMKreazJaQTw7o+X00qeSyhcnluiMv+Xg=
 github.com/getsentry/raven-go v0.2.0/go.mod h1:KungGk8q33+aIAZUIVWZDr2OfAEBsO49PX4NzFV5kcQ=
 github.com/gfleury/go-bitbucket-v1 v0.0.0-20220301131131-8e7ed04b843e h1:C3DkNr9pxqXqCrmRHO7s3XgZS3zpi9GEA01GuWZODfo=

util/settings/settings.go

@@ -17,16 +17,6 @@ import (
  "sync"
  "time"
 
- "github.com/argoproj/argo-cd/v2/common"
- "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
- "github.com/argoproj/argo-cd/v2/server/settings/oidc"
- "github.com/argoproj/argo-cd/v2/util"
- "github.com/argoproj/argo-cd/v2/util/crypto"
- "github.com/argoproj/argo-cd/v2/util/kube"
- "github.com/argoproj/argo-cd/v2/util/password"
- tlsutil "github.com/argoproj/argo-cd/v2/util/tls"
- enginecache "github.com/argoproj/gitops-engine/pkg/cache"
- timeutil "github.com/argoproj/pkg/time"
  log "github.com/sirupsen/logrus"
  apiv1 "k8s.io/api/core/v1"
  apierr "k8s.io/apimachinery/pkg/api/errors"
@@ -39,6 +29,17 @@ import (
  v1listers "k8s.io/client-go/listers/core/v1"
  "k8s.io/client-go/tools/cache"
  "sigs.k8s.io/yaml"
+
+ "github.com/argoproj/argo-cd/v2/common"
+ "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
+ "github.com/argoproj/argo-cd/v2/server/settings/oidc"
+ "github.com/argoproj/argo-cd/v2/util"
+ "github.com/argoproj/argo-cd/v2/util/crypto"
+ "github.com/argoproj/argo-cd/v2/util/kube"
+ "github.com/argoproj/argo-cd/v2/util/password"
+ tlsutil "github.com/argoproj/argo-cd/v2/util/tls"
+ enginecache "github.com/argoproj/gitops-engine/pkg/cache"
+ timeutil "github.com/argoproj/pkg/time"
 )
 
 // ArgoCDSettings holds in-memory runtime configuration options.
@@ -559,7 +560,7 @@ func (mgr *SettingsManager) RespectRBAC() (int, error) {
  case RespectRBACValueNormal:
  return enginecache.RespectRbacNormal, nil
  case RespectRBACValueStrict:
- return enginecache.RespectRbacNormal, nil
+ return enginecache.RespectRbacStrict, nil
  default:
  return enginecache.RespectRbacDisabled, fmt.Errorf("invalid value for %s: %s", RespectRBAC, cm.Data[RespectRBAC])
  }