From a93854fa65cb86da6d7172e30a3e811e1438f9c7 Mon Sep 17 00:00:00 2001
From: puretension
Date: Fri, 19 Sep 2025 22:42:10 +0900
Subject: [PATCH 1/4] feat(argo-cd): add custom roleRules support for application-controller
Add possibility to customize Role rules for application-controller when running in namespace-scoped environments with security constraints.
This follows the same pattern as the existing clusterRoleRules feature:
- controller.roleRules.enabled: Enable custom rules (default: false)
- controller.roleRules.rules: List of custom RBAC rules
Fixes #3414
Signed-off-by: puretension
---
 charts/argo-cd/Chart.yaml | 6 +++---
 charts/argo-cd/README.md | 2 ++
 .../templates/argocd-application-controller/role.yaml | 4 ++++
 charts/argo-cd/values.yaml | 8 ++++++++
 4 files changed, 17 insertions(+), 3 deletions(-)
diff --git a/charts/argo-cd/Chart.yaml b/charts/argo-cd/Chart.yaml
index 3e54278fc..dd43d0b1c 100644
--- a/charts/argo-cd/Chart.yaml
+++ b/charts/argo-cd/Chart.yaml
@@ -3,7 +3,7 @@ appVersion: v3.1.6
 kubeVersion: ">=1.25.0-0"
 description: A Helm chart for Argo CD, a declarative, GitOps continuous delivery tool for Kubernetes.
 name: argo-cd
-version: 8.5.2
+version: 8.5.3
 home: https://github.com/argoproj/argo-helm
 icon: https://argo-cd.readthedocs.io/en/stable/assets/logo.png
 sources:
@@ -26,5 +26,5 @@ annotations:
 fingerprint: 2B8F22F57260EFA67BE1C5824B11F800CD9D2252
 url: https://argoproj.github.io/argo-helm/pgp_keys.asc
 artifacthub.io/changes: |
- - kind: changed
- description: Bump argo-cd to v3.1.6
+ - kind: added
+ description: Add custom roleRules support for application-controller Role resource
diff --git a/charts/argo-cd/README.md b/charts/argo-cd/README.md
index fa15bd337..ed5fb1920 100644
--- a/charts/argo-cd/README.md
+++ b/charts/argo-cd/README.md
@@ -941,6 +941,8 @@ NAME: my-release
 | controller.replicas | int | `1` | The number of application controller pods to run. Additional replicas will cause sharding of managed clusters across number of replicas. |
 | controller.resources | object | `{}` | Resource limits and requests for the application controller pods |
 | controller.revisionHistoryLimit | int | `5` | Maximum number of controller revisions that will be maintained in StatefulSet history |
+| controller.roleRules.enabled | bool | `false` | Enable custom rules for the application controller's Role resource |
+| controller.roleRules.rules | list | `[]` | List of custom rules for the application controller's Role resource |
 | controller.runtimeClassName | string | `""` (defaults to global.runtimeClassName) | Runtime class name for the application controller |
 | controller.serviceAccount.annotations | object | `{}` | Annotations applied to created service account |
 | controller.serviceAccount.automountServiceAccountToken | bool | `true` | Automount API credentials for the Service Account |
diff --git a/charts/argo-cd/templates/argocd-application-controller/role.yaml b/charts/argo-cd/templates/argocd-application-controller/role.yaml
index fa3a791b2..0bdc1216d 100644
--- a/charts/argo-cd/templates/argocd-application-controller/role.yaml
+++ b/charts/argo-cd/templates/argocd-application-controller/role.yaml
@@ -6,6 +6,9 @@ metadata:
 labels:
 {{- include "argo-cd.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }}
 rules:
+{{- if .Values.controller.roleRules.enabled }}
+ {{- toYaml .Values.controller.roleRules.rules | nindent 2 }}
+{{- else }}
 - apiGroups:
 - ""
 resources:
@@ -58,3 +61,4 @@ rules:
 - create
 - update
 {{- end }}
+{{- end }}
diff --git a/charts/argo-cd/values.yaml b/charts/argo-cd/values.yaml
index 62ce4011f..59487f1ba 100644
--- a/charts/argo-cd/values.yaml
+++ b/charts/argo-cd/values.yaml
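Review bot: The custom list rendered by `{{- toYaml .Values.controller.roleRules.rules | nindent 2 }}` replaces the controller's built-in namespace rules wholesale rather than extending them, and neither the template nor the `# --` helm-docs text says so; an operator who supplies a narrow custom list silently drops whatever the default branch grants, and the controller then loses those namespace permissions without any install-time error. Because the default branch is the controller's least-privilege baseline, the contract belongs in the template, e.g. a comment right after `rules:` reading `{{- /* Custom rules REPLACE the default rules below; carry forward every permission the controller needs. */}}`, with the same sentence in the values comment so it lands in README. The `- apiGroups:` default list that this `else` branch guards continues beyond the hunk, and the closing `{{- end }}` is in the second hunk of this file.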
@@ -1140,6 +1140,14 @@ controller:
 # -- List of custom rules for the application controller's ClusterRole resource
 rules: []
+ ## Enable this and set the rules: to whatever custom rules you want for the Role resource.
+ ## Defaults to off
+ roleRules:
+ # -- Enable custom rules for the application controller's Role resource
+ enabled: false
+ # -- List of custom rules for the application controller's Role resource
+ rules: []
+
 # Default application controller's network policy
 networkPolicy:
 # -- Default network policy rules used by application controller
From fd6f3370b11c777fb6f08e02b70afbf7d0dbb737 Mon Sep 17 00:00:00 2001
From: puretension
Date: Sat, 20 Sep 2025 01:07:14 +0900
Subject: [PATCH 2/4] fix: remove enabled flag and use with pattern for roleRules
Signed-off-by: puretension
---
 .../templates/argocd-application-controller/role.yaml | 4 ++--
 charts/argo-cd/values.yaml | 7 ++-----
 2 files changed, 4 insertions(+), 7 deletions(-)
diff --git a/charts/argo-cd/templates/argocd-application-controller/role.yaml b/charts/argo-cd/templates/argocd-application-controller/role.yaml
index 0bdc1216d..a801aba0d 100644
--- a/charts/argo-cd/templates/argocd-application-controller/role.yaml
+++ b/charts/argo-cd/templates/argocd-application-controller/role.yaml
@@ -6,8 +6,8 @@ metadata:
 labels:
 {{- include "argo-cd.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }}
 rules:
-{{- if .Values.controller.roleRules.enabled }}
- {{- toYaml .Values.controller.roleRules.rules | nindent 2 }}
+{{- with .Values.controller.roleRules }}
+{{- toYaml . | nindent 0 }}
 {{- else }}
 - apiGroups:
 - ""
diff --git a/charts/argo-cd/values.yaml b/charts/argo-cd/values.yaml
index 59487f1ba..c2a49a4f8 100644
--- a/charts/argo-cd/values.yaml
+++ b/charts/argo-cd/values.yaml
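Review bot: `{{- with .Values.controller.roleRules }}` passes any truthy value through, so a mistyped scalar or map under `roleRules` (for instance `roleRules: true`, or a leftover `enabled:`/`rules:` map from the earlier layout) is rendered verbatim by `toYaml .` under `rules:` and produces a Role the API server rejects at apply time instead of a clear render-time error. Since this value decides the controller's entire namespace permission set, I'd fail fast inside the `with` block with `{{- if not (kindIs "slice" .) }}{{ fail "controller.roleRules must be a list of RBAC rules" }}{{- end }}` before the `toYaml` line. The `with`/`else` switch also means a non-empty list replaces, not extends, the default rules; worth a one-line template comment here, `{{- /* A non-empty roleRules list replaces the default rules below */}}`. The default-rules `else` branch and its closing `{{- end }}` continue outside the hunk.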
@@ -1142,11 +1142,8 @@ controller:
 ## Enable this and set the rules: to whatever custom rules you want for the Role resource.
 ## Defaults to off
- roleRules:
- # -- Enable custom rules for the application controller's Role resource
- enabled: false
- # -- List of custom rules for the application controller's Role resource
- rules: []
+ # -- List of custom rules for the application controller's Role resource
+ roleRules: []
 # Default application controller's network policy
 networkPolicy:
From d56d91f9c60c844b54692f26fa1bd376b837bcee Mon Sep 17 00:00:00 2001
From: puretension
Date: Sat, 20 Sep 2025 01:08:50 +0900
Subject: [PATCH 3/4] docs: update roleRules documentation structure
Signed-off-by: puretension
---
 charts/argo-cd/README.md | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/charts/argo-cd/README.md b/charts/argo-cd/README.md
index ed5fb1920..0fab16bed 100644
--- a/charts/argo-cd/README.md
+++ b/charts/argo-cd/README.md
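Review bot: The two `##` comment lines kept as context above the new `roleRules: []` now describe a shape that no longer exists: there is no `enabled` flag to "Enable", no nested `rules:` key to set, and the default is an empty list rather than "off", so a reader following the comment will write the wrong structure. I'd replace them with `## Non-empty list of RBAC rules that REPLACES the default rules of the application controller's Role.` and `## Leave empty to keep the chart's built-in rules.`, and carry the replace-not-extend wording into the `# --` line so helm-docs surfaces it in README. The replacement semantics come from the `with`/`else` switch in role.yaml, which is not visible in this hunk.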
@@ -941,8 +941,7 @@ NAME: my-release
 | controller.replicas | int | `1` | The number of application controller pods to run. Additional replicas will cause sharding of managed clusters across number of replicas. |
 | controller.resources | object | `{}` | Resource limits and requests for the application controller pods |
 | controller.revisionHistoryLimit | int | `5` | Maximum number of controller revisions that will be maintained in StatefulSet history |
-| controller.roleRules.enabled | bool | `false` | Enable custom rules for the application controller's Role resource |
-| controller.roleRules.rules | list | `[]` | List of custom rules for the application controller's Role resource |
+| controller.roleRules | list | `[]` | List of custom rules for the application controller's Role resource |
 | controller.runtimeClassName | string | `""` (defaults to global.runtimeClassName) | Runtime class name for the application controller |
 | controller.serviceAccount.annotations | object | `{}` | Annotations applied to created service account |
 | controller.serviceAccount.automountServiceAccountToken | bool | `true` | Automount API credentials for the Service Account |
From 455e240799221ca3d93f4d0e10525e8a9b85f9b6 Mon Sep 17 00:00:00 2001
From: DOHYEONG LEE
Date: Sat, 20 Sep 2025 12:41:49 +0900
Subject: [PATCH 4/4] Update charts/argo-cd/templates/argocd-application-controller/role.yaml
Co-authored-by: Aikawa
Signed-off-by: DOHYEONG LEE
---
 .../argo-cd/templates/argocd-application-controller/role.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/argo-cd/templates/argocd-application-controller/role.yaml b/charts/argo-cd/templates/argocd-application-controller/role.yaml
index a801aba0d..9165e96c3 100644
--- a/charts/argo-cd/templates/argocd-application-controller/role.yaml
+++ b/charts/argo-cd/templates/argocd-application-controller/role.yaml
@@ -7,7 +7,7 @@ metadata:
 {{- include "argo-cd.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }}
 rules:
 {{- with .Values.controller.roleRules }}
-{{- toYaml . | nindent 0 }}
+{{- toYaml . | nindent 2 }}
 {{- else }}
 - apiGroups:
 - ""