Story
Resolution: Done
Story (Required)
See parent epic for details.
Background
respectRBAC is an Argo CD configuration option that controls how Argo CD watches resources on a cluster.
By default, Argo CD attempts to watch all Kubernetes resource types on a cluster (including CRDs), at cluster scope.
This behaviour is configurable:
- Resource inclusion/exclusion can be used to control what resources Argo CD attempts to watch (see https://argo-cd.readthedocs.io/en/stable/operator-manual/declarative-setup/#resource-exclusioninclusion).
- Argo CD can be instructed to only watch a particular namespace, via the namespaces field of the cluster secret (see https://argo-cd.readthedocs.io/en/stable/operator-manual/declarative-setup/#clusters).
But in general, Argo CD assumes that it has permission to watch ALL resources on a cluster, and will complain if there exists a resource it cannot watch. For example, if the Argo CD cluster role prevented Argo CD from watching OpenShift Routes, Argo CD would return an error on syncing to the cluster ('unable to watch Route').
The respectRBAC setting (https://argo-cd.readthedocs.io/en/stable/operator-manual/declarative-setup/#auto-respect-rbac-for-controller) attempts to improve that: when enabled, Argo CD will attempt to watch ONLY the resources it is allowed to.
That is, in the Route example above, if the Argo CD ClusterRole did not allow Argo CD to watch Routes, Argo CD would detect that and skip watching Routes. When the setting is enabled, Argo CD figures out which resources it can and cannot watch, and only watches those that it can.
There are a couple of ways that respectRBAC determines what Argo CD can watch: normal and strict.
respectRBAC was added to Argo CD in September 2023 (https://github.com/argoproj/argo-cd/pull/14381), and thus should be available on modern OpenShift GitOps versions.
Approach
At present, respectRBAC can only be enabled by modifying the argocd-cm ConfigMap (but this ConfigMap is owned by the Argo CD operator, so users cannot add the setting themselves).
As part of this story/epic, we should add a new configuration option to ArgoCD CR, which enables this feature in OpenShift GitOps.
It should be possible to select either respectRBAC mode (normal or strict) via the ArgoCD CR.
Acceptance Criteria (Mandatory)
- New field in ArgoCD CR to support enabling both modes of respectRBAC
- Should the field live under .spec or under .spec.controller? '.spec.controller' seems right, since I believe this functionality is only used by the application controller component of Argo CD.
- It couldn't hurt to propose the new field name/structure in #gitops-dev before implementing it.
- When the field is set, the corresponding resource.respectRBAC key in the 'argocd-cm' ConfigMap is set to the same value.
- Unit tests
- E2E tests (kuttl)
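As an added illustration of the mapping described in the Background and in the acceptance criteria (this is example code, not the argocd-operator's own implementation), the function below takes a hypothetical .spec.controller.respectRBAC value and reconciles it into the argocd-cm data: it writes resource.respectRBAC for the two modes Argo CD accepts, removes a stale key when the CR field is cleared, and rejects any other value rather than writing it to the ConfigMap. The type and function names (ArgoCDControllerSpec, ReconcileRespectRBAC) and the sample ConfigMap data are assumptions made for this sketch.

```go
package main

import "fmt"

// respectRBACKey is the argocd-cm key Argo CD reads for this feature.
const respectRBACKey = "resource.respectRBAC"

// ValidRespectRBACModes lists the values Argo CD accepts for that key.
var ValidRespectRBACModes = map[string]bool{"normal": true, "strict": true}

// ArgoCDControllerSpec stands in for .spec.controller of the ArgoCD CR
// (hypothetical shape for this example). RespectRBAC is the proposed field;
// an empty value means "leave the feature disabled".
type ArgoCDControllerSpec struct {
	RespectRBAC string
}

// ReconcileRespectRBAC returns the desired argocd-cm data given the current
// data and the CR field, plus whether the key actually changed. It never
// mutates the input map: the caller can diff and update the ConfigMap.
//   - valid mode  -> key is set to that mode
//   - empty field -> key is removed, so clearing the CR really disables it
//   - other value -> error; an unknown value is not written to the ConfigMap
func ReconcileRespectRBAC(current map[string]string, spec ArgoCDControllerSpec) (map[string]string, bool, error) {
	desired := make(map[string]string, len(current)+1)
	for k, v := range current {
		desired[k] = v
	}
	switch {
	case spec.RespectRBAC == "":
		delete(desired, respectRBACKey)
	case ValidRespectRBACModes[spec.RespectRBAC]:
		desired[respectRBACKey] = spec.RespectRBAC
	default:
		return nil, false, fmt.Errorf("spec.controller.respectRBAC: unsupported value %q (want normal or strict)", spec.RespectRBAC)
	}
	// Missing keys read as "" on both sides, so this also covers add/remove.
	changed := current[respectRBACKey] != desired[respectRBACKey]
	return desired, changed, nil
}

func main() {
	// Constructed sample argocd-cm data with an unrelated key already present.
	cm := map[string]string{"application.instanceLabelKey": "argocd.argoproj.io/instance"}
	for _, mode := range []string{"strict", "normal", "", "bogus"} {
		out, changed, err := ReconcileRespectRBAC(cm, ArgoCDControllerSpec{RespectRBAC: mode})
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Printf("mode=%q changed=%v data=%v\n", mode, changed, out)
	}
}
```

The "changed" flag is what an operator reconcile loop would use to decide whether an Update of the ConfigMap is needed; validating the value before writing keeps a typo in the CR from silently leaving the controller in an unintended watch mode.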