fix(rbac)[ISSUE-17]: fix rbac for argocd-rbac-cm (#20)

* fix(rbac)[ISSUE-17]: fix rbac for argocd-rbac-cm Signed-off-by: Georgy Khromov <[email protected]> * bump image version Signed-off-by: Georgy Khromov <[email protected]> --------- Signed-off-by: Georgy Khromov <[email protected]>
argoproj-labs · Dec 30, 2024 · fcd54b3 · fcd54b3
1 parent 00fcbc1
commit fcd54b3
Show file tree

Hide file tree

Showing 11 changed files with 71 additions and 57 deletions.
diff --git a/Makefile b/Makefile
@@ -1,6 +1,6 @@
 # VERSION defines the project version for the bundle.
 # Update this value when you upgrade the version of your project.
-VERSION ?= 0.1.5
+VERSION ?= 0.1.6
 
 # Try to detect Docker or Podman
 CONTAINER_TOOL := $(shell command -v docker 2> /dev/null)
@@ -148,11 +148,13 @@ uninstall: manifests kustomize ## Uninstall CRDs from the K8s cluster specified
 .PHONY: deploy
 deploy: manifests kustomize ## Deploy controller to the K8s cluster specified in ~/.kube/config.
 	cd config/manager && $(KUSTOMIZE) edit set image controller=${IMG}
-	$(KUSTOMIZE) build config/default | $(KUBECTL) apply -f -
+	$(KUSTOMIZE) build config/default | $(KUBECTL) apply --server-side=true -f -
+	$(KUSTOMIZE) build config/cm-role | $(KUBECTL) apply --server-side=true -f -
 
 .PHONY: undeploy
 undeploy: kustomize ## Undeploy controller from the K8s cluster specified in ~/.kube/config. Call with ignore-not-found=true to ignore resource not found errors during deletion.
 	$(KUSTOMIZE) build config/default | $(KUBECTL) delete --ignore-not-found=$(ignore-not-found) -f -
+	$(KUSTOMIZE) build config/cm-role | $(KUBECTL) delete --ignore-not-found=$(ignore-not-found) -f -
 
 ##@ Dependencies
 

diff --git a/README.md b/README.md
@@ -2,7 +2,7 @@
 
 [![Go Report Card](https://goreportcard.com/badge/github.com/argoproj-labs/argocd-rbac-operator)](https://goreportcard.com/report/github.com/argoproj-labs/argocd-rbac-operator)
 [![go.mod Go version](https://img.shields.io/github/go-mod/go-version/argoproj-labs/argocd-rbac-operator)](https://github.com/argoproj-labs/argocd-rbac-operator)
-[![GitHub Release](https://img.shields.io/github/v/release/argoproj-labs/argocd-rbac-operator)](https://github.com/argoproj-labs/argocd-rbac-operator/releases/tag/v0.1.5)
+[![GitHub Release](https://img.shields.io/github/v/release/argoproj-labs/argocd-rbac-operator)](https://github.com/argoproj-labs/argocd-rbac-operator/releases/tag/v0.1.6)
 
 Kubernetes Operator for Argo CD RBAC Management.
 

diff --git a/config/cm-role/kustomization.yaml b/config/cm-role/kustomization.yaml
@@ -0,0 +1,10 @@
+# Value of this field is prepended to the
+# names of all resources, e.g. a deployment named
+# "wordpress" becomes "alices-wordpress".
+# Note that it should also match with the prefix (text before '-') of the namespace
+# field above.
+namePrefix: argocd-rbac-operator-
+
+resources:
+- role.yaml
+- role_binding.yaml
diff --git a/config/cm-role/role.yaml b/config/cm-role/role.yaml
@@ -0,0 +1,18 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: manager-role
+  namespace: argocd
+rules:
+- apiGroups:
+  - ""
+  resourceNames:
+  - argocd-rbac-cm
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - list
+  - patch
+  - update
+  - watch
diff --git a/config/cm-role/role_binding.yaml b/config/cm-role/role_binding.yaml
@@ -0,0 +1,16 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/name: argocd-rbac-operator
+    app.kubernetes.io/managed-by: kustomize
+  name: manager-rolebinding
+  namespace: argocd
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: manager-role
+subjects:
+- kind: ServiceAccount
+  name: argocd-rbac-operator-controller-manager
+  namespace: argocd-rbac-operator-system
diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml
@@ -144,4 +144,4 @@ resources:
 #        options:
 #          delimiter: '.'
 #          index: 1
-#          create: true
+#          create: true
diff --git a/config/manager/kustomization.yaml b/config/manager/kustomization.yaml
@@ -5,4 +5,4 @@ kind: Kustomization
 images:
 - name: controller
   newName: quay.io/argoprojlabs/argocd-rbac-operator
-  newTag: v0.1.5
+  newTag: v0.1.6
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -4,68 +4,52 @@ kind: ClusterRole
 metadata:
   name: manager-role
 rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - list
 - apiGroups:
   - rbac-operator.argoproj-labs.io
   resources:
   - argocdrolebindings
   verbs:
+  - '*'
   - get
   - list
-  - update
-  - watch
 - apiGroups:
   - rbac-operator.argoproj-labs.io
   resources:
   - argocdrolebindings/finalizers
   verbs:
-  - update
+  - '*'
 - apiGroups:
   - rbac-operator.argoproj-labs.io
   resources:
   - argocdrolebindings/status
   verbs:
-  - get
-  - patch
-  - update
+  - '*'
 - apiGroups:
   - rbac-operator.argoproj-labs.io
   resources:
   - argocdroles
   verbs:
+  - '*'
   - get
   - list
-  - update
-  - watch
 - apiGroups:
   - rbac-operator.argoproj-labs.io
   resources:
   - argocdroles/finalizers
   verbs:
-  - update
+  - '*'
 - apiGroups:
   - rbac-operator.argoproj-labs.io
   resources:
   - argocdroles/status
   verbs:
+  - '*'
   - get
   - patch
   - update
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: manager-role
-  namespace: argocd
-rules:
-- apiGroups:
-  - ""
-  resourceNames:
-  - argocd-rbac-cm
-  resources:
-  - configmaps
-  verbs:
-  - get
-  - list
-  - patch
-  - update
-  - watch
diff --git a/config/rbac/role_binding.yaml b/config/rbac/role_binding.yaml
@@ -10,22 +10,6 @@ roleRef:
   kind: ClusterRole
   name: manager-role
 subjects:
-- kind: ServiceAccount
-  name: controller-manager
-  namespace: system
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  labels:
-    app.kubernetes.io/name: argocd-rbac-operator
-    app.kubernetes.io/managed-by: kustomize
-  name: manager-rolebinding
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: manager-role
-subjects:
 - kind: ServiceAccount
   name: controller-manager
   namespace: system
diff --git a/internal/controller/argocdrole_controller.go b/internal/controller/argocdrole_controller.go
@@ -42,11 +42,11 @@ type ArgoCDRoleReconciler struct {
 	Scheme *runtime.Scheme
 }
 
-// +kubebuilder:rbac:groups=rbac-operator.argoproj-labs.io,resources=argocdroles,verbs=get;list;watch;update
-// +kubebuilder:rbac:groups=rbac-operator.argoproj-labs.io,resources=argocdroles/status,verbs=get;update;patch
-// +kubebuilder:rbac:groups=rbac-operator.argoproj-labs.io,resources=argocdroles/finalizers,verbs=update
+// +kubebuilder:rbac:groups=rbac-operator.argoproj-labs.io,resources=argocdroles,verbs=*
+// +kubebuilder:rbac:groups=rbac-operator.argoproj-labs.io,resources=argocdroles/status,verbs=*
+// +kubebuilder:rbac:groups=rbac-operator.argoproj-labs.io,resources=argocdroles/finalizers,verbs=*
 // +kubebuilder:rbac:groups=rbac-operator.argoproj-labs.io,resources=argocdrolebindings,verbs=get;list
-// +kubebuilder:rbac:groups=core,resources=configmaps,resourceNames=argocd-rbac-cm,namespace=argocd,verbs=get;list;watch;update;patch
+// +kubebuilder:rbac:groups="",resources=configmaps,verbs=list
 
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.

diff --git a/internal/controller/argocdrolebinding_controller.go b/internal/controller/argocdrolebinding_controller.go
@@ -39,12 +39,12 @@ type ArgoCDRoleBindingReconciler struct {
 	Scheme *runtime.Scheme
 }
 
-// +kubebuilder:rbac:groups=rbac-operator.argoproj-labs.io,resources=argocdrolebindings,verbs=get;list;watch;update
-// +kubebuilder:rbac:groups=rbac-operator.argoproj-labs.io,resources=argocdrolebindings/status,verbs=get;update;patch
-// +kubebuilder:rbac:groups=rbac-operator.argoproj-labs.io,resources=argocdrolebindings/finalizers,verbs=update
+// +kubebuilder:rbac:groups=rbac-operator.argoproj-labs.io,resources=argocdrolebindings,verbs=*
+// +kubebuilder:rbac:groups=rbac-operator.argoproj-labs.io,resources=argocdrolebindings/status,verbs=*
+// +kubebuilder:rbac:groups=rbac-operator.argoproj-labs.io,resources=argocdrolebindings/finalizers,verbs=*
 // +kubebuilder:rbac:groups=rbac-operator.argoproj-labs.io,resources=argocdroles,verbs=get;list
 // +kubebuilder:rbac:groups=rbac-operator.argoproj-labs.io,resources=argocdroles/status,verbs=get;update;patch
-// +kubebuilder:rbac:groups=core,resources=configmaps,resourceNames=argocd-rbac-cm,namespace=argocd,verbs=get;list;watch;update;patch
+// +kubebuilder:rbac:groups="",resources=configmaps,verbs=list
 
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.