From ec44133bf4366cb0c1aa70c8bb7fe0fb0e143471 Mon Sep 17 00:00:00 2001
From: Soumya Ghosh Dastidar
Date: Thu, 6 Jul 2023 23:07:13 +0530
Subject: [PATCH] feat: added docs

Signed-off-by: Soumya Ghosh Dastidar
---
 docs/operator-manual/argocd-cm.yaml | 4 ++++
 docs/operator-manual/declarative-setup.md | 24 +++++++++++++++++++++++
 go.mod | 2 +-
 go.sum | 4 ++--
 util/settings/settings.go | 23 +++++++++++-----------
 5 files changed, 43 insertions(+), 14 deletions(-)

diff --git a/docs/operator-manual/argocd-cm.yaml b/docs/operator-manual/argocd-cm.yaml
index 748471498798a..5e4ed095be56d 100644
--- a/docs/operator-manual/argocd-cm.yaml
+++ b/docs/operator-manual/argocd-cm.yaml
@@ -231,6 +231,10 @@ data:
 # 'none' - disabled
 ignoreResourceStatusField: crd
 
+ # configuration to instruct controller to only watch for resources that it has permissions to list
+ # can be either empty, "normal" or "strict". By default, it is empty i.e. disabled.
+ resource.respectRBAC: "normal"
+
 # Configuration to add a config management plugin.
 configManagementPlugins: |
 - name: kasane
diff --git a/docs/operator-manual/declarative-setup.md b/docs/operator-manual/declarative-setup.md
index c5762f4ab9791..c63a0d0db1e9a 100644
--- a/docs/operator-manual/declarative-setup.md
+++ b/docs/operator-manual/declarative-setup.md
@@ -857,6 +857,30 @@ Notes:
 * Invalid globs result in the whole rule being ignored.
 * If you add a rule that matches existing resources, these will appear in the interface as `OutOfSync`.
 
+## Auto respect RBAC for controller
+
+Argocd controller can be restricted from discovering/syncing specific resources using just controller rbac, without having to manually configure resource exclusions.
+This feature can be enabled by setting `resource.respectRBAC` key in argocd cm, once it is set the controller will automatically stop watching for resources
+that it does not have the permission to list/access. Possible values for `resource.respectRBAC` are:
+ - `strict` : This setting checks whether the list call made by controller is forbidden/unauthorized and if it is, it will cross-check the permission by making a `SelfSubjectAccessReview` call for the resource.
+ - `normal` : This will only check whether the list call response is forbidden/unauthorized and skip `SelfSubjectAccessReview` call, to minimize any extra api-server calls.
+ - unset/empty (default) : This will disable the feature and controller will continue to monitor all resources.
+
+Users who are comfortable with an increase in kube api-server calls can opt for `strict` option while users who are concerned with higher api calls and are willing to compromise on the accuracy can opt for the `normal` option.
+
+NOTE: when set to use `strict` mode controller must have rbac permission to `create` a `SelfSubjectAccessReview` resource.
+
+Example argocd cm with `resource.respectRBAC` set to `strict`:
+
+```yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: argocd-cm
+data:
+ resource.respectRBAC: "strict"
+```
+
 ## Resource Custom Labels
 
 Custom Labels configured with `resource.customLabels` (comma separated string) will be displayed in the UI (for any resource that defines them).
diff --git a/go.mod b/go.mod
index 67831cb218706..691e97e61b007 100644
--- a/go.mod
+++ b/go.mod
@@ -296,4 +296,4 @@ replace (
 k8s.io/sample-apiserver => k8s.io/sample-apiserver v0.24.2
 )
 
-replace github.com/argoproj/gitops-engine => github.com/gdsoumya/gitops-engine v0.0.0-20230706134546-8f9051a1fe77
+replace github.com/argoproj/gitops-engine => github.com/gdsoumya/gitops-engine v0.0.0-20230706170353-56c89ca1b7cd
diff --git a/go.sum b/go.sum
index 95e81b60e2186..bee2020ac6aac 100644
--- a/go.sum
+++ b/go.sum
@@ -340,8 +340,8 @@ github.com/fsnotify/fsnotify v1.6.0 h1:n+5WquG0fcWoWp6xPWfHdbskMCQaFnG6PfBrh1Ky4
 github.com/fsnotify/fsnotify v1.6.0/go.mod h1:sl3t1tCWJFWoRz9R8WJCbQihKKwmorjAbSClcnxKAGw=
 github.com/fvbommel/sortorder v1.0.1 h1:dSnXLt4mJYH25uDDGa3biZNQsozaUWDSWeKJ0qqFfzE=
 github.com/fvbommel/sortorder v1.0.1/go.mod h1:uk88iVf1ovNn1iLfgUVU2F9o5eO30ui720w+kxuqRs0=
-github.com/gdsoumya/gitops-engine v0.0.0-20230706134546-8f9051a1fe77 h1:Y48vXnEnzCpd4W0lAfemCWPui/N6dsJ+bWbH5Ns7/1o=
-github.com/gdsoumya/gitops-engine v0.0.0-20230706134546-8f9051a1fe77/go.mod h1:/GMN0JuoJUUpnKlNLp2Wn/mfK8sglFsdPn+eoxSddmg=
+github.com/gdsoumya/gitops-engine v0.0.0-20230706170353-56c89ca1b7cd h1:xWLRADoMSfMvIpJtwQspOK2u5KhoZFhIgqBtHNeb4yE=
+github.com/gdsoumya/gitops-engine v0.0.0-20230706170353-56c89ca1b7cd/go.mod h1:/GMN0JuoJUUpnKlNLp2Wn/mfK8sglFsdPn+eoxSddmg=
 github.com/getkin/kin-openapi v0.76.0/go.mod h1:660oXbgy5JFMKreazJaQTw7o+X00qeSyhcnluiMv+Xg=
 github.com/getsentry/raven-go v0.2.0/go.mod h1:KungGk8q33+aIAZUIVWZDr2OfAEBsO49PX4NzFV5kcQ=
 github.com/gfleury/go-bitbucket-v1 v0.0.0-20220301131131-8e7ed04b843e h1:C3DkNr9pxqXqCrmRHO7s3XgZS3zpi9GEA01GuWZODfo=
diff --git a/util/settings/settings.go b/util/settings/settings.go
index 1316719edf832..2ecac0eb602f3 100644
--- a/util/settings/settings.go
+++ b/util/settings/settings.go
@@ -17,16 +17,6 @@ import (
 "sync"
 "time"
 
- "github.com/argoproj/argo-cd/v2/common"
- "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
- "github.com/argoproj/argo-cd/v2/server/settings/oidc"
- "github.com/argoproj/argo-cd/v2/util"
- "github.com/argoproj/argo-cd/v2/util/crypto"
- "github.com/argoproj/argo-cd/v2/util/kube"
- "github.com/argoproj/argo-cd/v2/util/password"
- tlsutil "github.com/argoproj/argo-cd/v2/util/tls"
- enginecache "github.com/argoproj/gitops-engine/pkg/cache"
- timeutil "github.com/argoproj/pkg/time"
 log "github.com/sirupsen/logrus"
 apiv1 "k8s.io/api/core/v1"
 apierr "k8s.io/apimachinery/pkg/api/errors"
@@ -39,6 +29,17 @@ import (
 v1listers "k8s.io/client-go/listers/core/v1"
 "k8s.io/client-go/tools/cache"
 "sigs.k8s.io/yaml"
+
+ "github.com/argoproj/argo-cd/v2/common"
+ "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
+ "github.com/argoproj/argo-cd/v2/server/settings/oidc"
+ "github.com/argoproj/argo-cd/v2/util"
+ "github.com/argoproj/argo-cd/v2/util/crypto"
+ "github.com/argoproj/argo-cd/v2/util/kube"
+ "github.com/argoproj/argo-cd/v2/util/password"
+ tlsutil "github.com/argoproj/argo-cd/v2/util/tls"
+ enginecache "github.com/argoproj/gitops-engine/pkg/cache"
+ timeutil "github.com/argoproj/pkg/time"
 )
 
 // ArgoCDSettings holds in-memory runtime configuration options.
@@ -559,7 +560,7 @@ func (mgr *SettingsManager) RespectRBAC() (int, error) {
 case RespectRBACValueNormal:
 return enginecache.RespectRbacNormal, nil
 case RespectRBACValueStrict:
- return enginecache.RespectRbacNormal, nil
+ return enginecache.RespectRbacStrict, nil
 default:
 return enginecache.RespectRbacDisabled, fmt.Errorf("invalid value for %s: %s", RespectRBAC, cm.Data[RespectRBAC])
 }
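Review bot: The `case RespectRBACValueStrict` branch in the last hunk now returns `enginecache.RespectRbacStrict`, correcting a fail-open mapping in which a `strict` setting silently behaved as `normal` and the `SelfSubjectAccessReview` cross-check described in the accompanying docs never ran, yet the commit adds no test to keep the two constants from being swapped again; a table test over RespectRBAC() for `normal`, `strict` and an invalid value would pin it. The commit subject `feat: added docs` does not mention this behavioural fix, so anyone auditing strict-mode guarantees from the log would miss it; naming it in the title or description would help. In the `default:` branch the operator-supplied value is formatted with `%s`; `%q` would make an empty or whitespace-padded value visible in the log, `fmt.Errorf("invalid value for %s: %q", RespectRBAC, cm.Data[RespectRBAC])`. RespectRBAC's signature and the `switch` opener lie above the hunk, and since a misconfigured value yields `RespectRbacDisabled` together with the error, the caller (not visible here) must not drop that error or a typo silently disables the feature.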