feat[#2]: allow configuration of ArgoCD RBAC configmap and namespace (#38)

* Allow configuration of ArgoCD RBAC configmap and namespace

Signed-off-by: Jonasz Łasut-Balcerzak <jonasz.lasut@gmail.com>

* add readme about namespace flag

Signed-off-by: Jonasz Łasut-Balcerzak <jonasz.lasut@gmail.com>

* remove interface

Signed-off-by: Jonasz Łasut-Balcerzak <jonasz.lasut@gmail.com>

* fix linter

Signed-off-by: Jonasz Łasut-Balcerzak <jonasz.lasut@gmail.com>

---------

Signed-off-by: Jonasz Łasut-Balcerzak <jonasz.lasut@gmail.com>

Author: jonasz-lasut

README.md

@@ -156,7 +156,7 @@ To change the policy.csv you have to make changes in the `internal/controller/co
 
 ### Deployment types
 
-As for now only single Argo CD deployment type is supported. The default Argo CD namespace is defined as `argocd`, to change that you have to make a change in `internal/controller/common/values.go`.
+As for now only single Argo CD deployment type is supported. The default Argo CD namespace is defined as `argocd`, to change that you have to provide a flag --argocd-rbac-cm-namespace="your-argocd-namespace".
 
 ## Roadmap
 

cmd/main.go

@@ -57,9 +57,14 @@ func main() {
 	var probeAddr string
 	var secureMetrics bool
 	var enableHTTP2 bool
+	var argoCDRBACConfigMapName string
+	var argoCDRBACConfigMapNamespace string
 	flag.StringVar(&metricsAddr, "metrics-bind-address", "0", "The address the metric endpoint binds to. "+
 		"Use the port :8080. If not set, it will be 0 in order to disable the metrics server")
 	flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.")
+	flag.StringVar(&argoCDRBACConfigMapName, "argocd-rbac-cm-name", "argocd-rbac-cm", "The name of ArgoCD RBAC configmap.")
+	flag.StringVar(&argoCDRBACConfigMapNamespace, "argocd-rbac-cm-namespace", "argocd",
+		"The namespace of ArgoCD RBAC configmap.")
 	flag.BoolVar(&enableLeaderElection, "leader-elect", false,
 		"Enable leader election for controller manager. "+
 			"Enabling this will ensure there is only one active controller manager.")
@@ -124,15 +129,19 @@ func main() {
 	}
 
 	if err = (&controller.ArgoCDRoleReconciler{
-		Client: mgr.GetClient(),
-		Scheme: mgr.GetScheme(),
+		Client:                       mgr.GetClient(),
+		Scheme:                       mgr.GetScheme(),
+		ArgoCDRBACConfigMapName:      argoCDRBACConfigMapName,
+		ArgoCDRBACConfigMapNamespace: argoCDRBACConfigMapNamespace,
 	}).SetupWithManager(mgr); err != nil {
 		setupLog.Error(err, "unable to create controller", "controller", "Role")
 		os.Exit(1)
 	}
 	if err = (&controller.ArgoCDRoleBindingReconciler{
-		Client: mgr.GetClient(),
-		Scheme: mgr.GetScheme(),
+		Client:                       mgr.GetClient(),
+		Scheme:                       mgr.GetScheme(),
+		ArgoCDRBACConfigMapName:      argoCDRBACConfigMapName,
+		ArgoCDRBACConfigMapNamespace: argoCDRBACConfigMapNamespace,
 	}).SetupWithManager(mgr); err != nil {
 		setupLog.Error(err, "unable to create controller", "controller", "ArgoCDRoleBinding")
 		os.Exit(1)

config/manager/manager.yaml

@@ -59,6 +59,8 @@ spec:
         args:
           - --leader-elect
           - --health-probe-bind-address=:8081
+          - --argocd-rbac-cm-name=argocd-rbac-cm
+          - --argocd-rbac-cm-namespace=argocd
         image: controller:latest
         name: rbac-operator
         securityContext:

helm/argocd-rbac-operator/README.md

@@ -147,6 +147,8 @@ As for now only single Argo CD deployment type is supported. The default Argo CD
 | livenessProbe.httpGet.port | int | `8081` |  |
 | livenessProbe.initialDelaySeconds | int | `15` |  |
 | livenessProbe.periodSeconds | int | `20` |  |
+| namespace.create | bool | `true` |  |
+| namespace.nameOverride | string | `""` |  |
 | nodeSelector | object | `{}` |  |
 | readinessProbe.httpGet.path | string | `"/readyz"` |  |
 | readinessProbe.httpGet.port | int | `8081` |  |

helm/argocd-rbac-operator/templates/deployment.yaml

@@ -48,6 +48,8 @@ spec:
         - args:
           - --leader-elect
           - --health-probe-bind-address=:8081
+          - --argocd-rbac-cm-name={{ .Values.argocd.cmName }}
+          - --argocd-rbac-cm-namespace={{ .Values.argocd.namespace }}
           command:
           - /rbac-operator
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"

internal/controller/argocdrbac_operator_finalizer.go

@@ -45,7 +45,7 @@ func (r *ArgoCDRoleReconciler) handleFinalizer(ctx context.Context, role *rbacop
 }
 
 func (r *ArgoCDRoleReconciler) delete(role *rbacoperatorv1alpha1.ArgoCDRole) error {
-	cm := newConfigMap()
+	cm := newConfigMap(r.ArgoCDRBACConfigMapName, r.ArgoCDRBACConfigMapNamespace)
 	overlayKey := fmt.Sprintf("policy.%s.%s.csv", role.Namespace, role.ObjectMeta.Name)
 	if IsObjectFound(r.Client, cm.Namespace, cm.Name, cm) {
 		delete(cm.Data, overlayKey)
@@ -78,7 +78,7 @@ func (r *ArgoCDRoleBindingReconciler) handleFinalizer(ctx context.Context, rb *r
 func (r *ArgoCDRoleBindingReconciler) delete(rb *rbacoperatorv1alpha1.ArgoCDRoleBinding) error {
 	roleRefName := rb.Spec.ArgoCDRoleRef.Name
 	if roleRefName == common.ArgoCDRoleAdmin || roleRefName == common.ArgoCDRoleReadOnly {
-		cm := newConfigMap()
+		cm := newConfigMap(r.ArgoCDRBACConfigMapName, r.ArgoCDRBACConfigMapNamespace)
 		overlayKey := fmt.Sprintf("policy.%s.%s.csv", rb.Namespace, roleRefName)
 		if IsObjectFound(r.Client, cm.Namespace, cm.Name, cm) {
 			delete(cm.Data, overlayKey)

internal/controller/argocdrole_controller.go

@@ -38,8 +38,10 @@ var _ reconcile.Reconciler = &ArgoCDRoleReconciler{}
 // ArgoCDRoleReconciler reconciles a Role object
 type ArgoCDRoleReconciler struct {
 	client.Client
-	Log    logr.Logger
-	Scheme *runtime.Scheme
+	Log                          logr.Logger
+	Scheme                       *runtime.Scheme
+	ArgoCDRBACConfigMapName      string
+	ArgoCDRBACConfigMapNamespace string
 }
 
 // +kubebuilder:rbac:groups=rbac-operator.argoproj-labs.io,resources=argocdroles,verbs=*
@@ -97,7 +99,7 @@ func (r *ArgoCDRoleReconciler) Reconcile(ctx context.Context, req ctrl.Request)
 		return ctrl.Result{}, nil
 	}
 
-	cm := newConfigMap()
+	cm := newConfigMap(r.ArgoCDRBACConfigMapName, r.ArgoCDRBACConfigMapNamespace)
 
 	r.Log.Info("Checking if ConfigMap exists")
 	if !IsObjectFound(r.Client, cm.Namespace, cm.Name, cm) {

internal/controller/argocdrole_controller_test.go

@@ -22,7 +22,6 @@ import (
 	"time"
 
 	rbacoperatorv1alpha1 "github.com/argoproj-labs/argocd-rbac-operator/api/v1alpha1"
-	"github.com/argoproj-labs/argocd-rbac-operator/internal/controller/common"
 	"github.com/stretchr/testify/assert"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/types"
@@ -61,7 +60,7 @@ func TestArgoCDRoleReconciler_Reconcile(t *testing.T) {
 	}
 
 	cm := &corev1.ConfigMap{}
-	err = reconciler.Client.Get(context.TODO(), types.NamespacedName{Name: common.ArgoCDRBACConfigMapName, Namespace: testRBACCMNamespace}, cm)
+	err = reconciler.Client.Get(context.TODO(), types.NamespacedName{Name: testRBACCMName, Namespace: testRBACCMNamespace}, cm)
 	assert.NoError(t, err)
 	resCM := makeTestCMArgoCDRoleExpected()
 	assert.Equal(t, resCM.Data, cm.Data)
@@ -181,7 +180,7 @@ func TestArgoCDRoleReconciler_HandleFinalizer(t *testing.T) {
 	}
 
 	cm := &corev1.ConfigMap{}
-	err = reconciler.Client.Get(context.TODO(), types.NamespacedName{Name: common.ArgoCDRBACConfigMapName, Namespace: testRBACCMNamespace}, cm)
+	err = reconciler.Client.Get(context.TODO(), types.NamespacedName{Name: testRBACCMName, Namespace: testRBACCMNamespace}, cm)
 	assert.NoError(t, err)
 	wantCM := makeTestRBACConfigMap()
 	assert.Equal(t, wantCM.Data, cm.Data)
@@ -217,7 +216,7 @@ func TestArgoCDRoleReconciler_RoleHasRoleBinding(t *testing.T) {
 	}
 
 	cm := &corev1.ConfigMap{}
-	err = reconciler.Client.Get(context.TODO(), types.NamespacedName{Name: common.ArgoCDRBACConfigMapName, Namespace: testRBACCMNamespace}, cm)
+	err = reconciler.Client.Get(context.TODO(), types.NamespacedName{Name: testRBACCMName, Namespace: testRBACCMNamespace}, cm)
 	assert.NoError(t, err)
 	resCM := makeTestCM_ArgoCDRole_WithRoleBindingRoleSubject_Expected()
 	assert.Equal(t, resCM.Data, cm.Data)

internal/controller/argocdrolebinding_controller.go

@@ -35,8 +35,10 @@ import (
 // ArgoCDRoleBindingReconciler reconciles a ArgoCDRoleBinding object
 type ArgoCDRoleBindingReconciler struct {
 	client.Client
-	Log    logr.Logger
-	Scheme *runtime.Scheme
+	Log                          logr.Logger
+	Scheme                       *runtime.Scheme
+	ArgoCDRBACConfigMapName      string
+	ArgoCDRBACConfigMapNamespace string
 }
 
 // +kubebuilder:rbac:groups=rbac-operator.argoproj-labs.io,resources=argocdrolebindings,verbs=*
@@ -95,7 +97,7 @@ func (r *ArgoCDRoleBindingReconciler) Reconcile(ctx context.Context, req ctrl.Re
 		return ctrl.Result{}, nil
 	}
 
-	cm := newConfigMap()
+	cm := newConfigMap(r.ArgoCDRBACConfigMapName, r.ArgoCDRBACConfigMapNamespace)
 
 	r.Log.Info("Checking if ConfigMap exists")
 	if !IsObjectFound(r.Client, cm.Namespace, cm.Name, cm) {
@@ -155,9 +157,9 @@ func (r *ArgoCDRoleBindingReconciler) Reconcile(ctx context.Context, req ctrl.Re
 
 	switch roleName {
 	case "admin":
-		role = createBuiltInAdminRole()
+		role = r.createBuiltInAdminRole()
 	case "readonly":
-		role = createBuiltInReadOnlyRole()
+		role = r.createBuiltInReadOnlyRole()
 	}
 
 	r.Log.Info("Reconciling RBAC ConfigMap")

internal/controller/argocdrolebinding_controller_test.go

@@ -22,7 +22,6 @@ import (
 	"time"
 
 	rbacoperatorv1alpha1 "github.com/argoproj-labs/argocd-rbac-operator/api/v1alpha1"
-	"github.com/argoproj-labs/argocd-rbac-operator/internal/controller/common"
 	"github.com/stretchr/testify/assert"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/types"
@@ -63,7 +62,7 @@ func TestArgoCDRoleBindingReconciler_ReconcileRoleSubject(t *testing.T) {
 	}
 
 	cm := &corev1.ConfigMap{}
-	err = reconciler.Client.Get(context.TODO(), types.NamespacedName{Name: common.ArgoCDRBACConfigMapName, Namespace: testRBACCMNamespace}, cm)
+	err = reconciler.Client.Get(context.TODO(), types.NamespacedName{Name: testRBACCMName, Namespace: testRBACCMNamespace}, cm)
 	assert.NoError(t, err)
 	resCM := makeTestCM_ArgoCDRole_WithRoleBindingRoleSubject_Expected()
 	assert.Equal(t, resCM.Data, cm.Data)
@@ -198,7 +197,7 @@ func TestArgoCDRoleBindingReconciler_HandleFinalizer(t *testing.T) {
 	}
 
 	cm := &corev1.ConfigMap{}
-	err = reconciler.Client.Get(context.TODO(), types.NamespacedName{Name: common.ArgoCDRBACConfigMapName, Namespace: testRBACCMNamespace}, cm)
+	err = reconciler.Client.Get(context.TODO(), types.NamespacedName{Name: testRBACCMName, Namespace: testRBACCMNamespace}, cm)
 	assert.NoError(t, err)
 	wantCM := makeTestCMArgoCDRoleExpected()
 	assert.Equal(t, wantCM.Data, cm.Data)
@@ -262,7 +261,7 @@ func TestArgoCDRoleBindingReconciler_ReconcileSSOSubject(t *testing.T) {
 	}
 
 	cm := &corev1.ConfigMap{}
-	err = reconciler.Client.Get(context.TODO(), types.NamespacedName{Name: common.ArgoCDRBACConfigMapName, Namespace: testRBACCMNamespace}, cm)
+	err = reconciler.Client.Get(context.TODO(), types.NamespacedName{Name: testRBACCMName, Namespace: testRBACCMNamespace}, cm)
 	assert.NoError(t, err)
 	resCM := makeTestCM_ArgoCDRole_WithRoleBindingSSOSubject_Expected()
 	assert.Equal(t, resCM.Data, cm.Data)
@@ -297,7 +296,7 @@ func TestArgoCDRoleBindingReconciler_ReconcileLocalSubject(t *testing.T) {
 	}
 
 	cm := &corev1.ConfigMap{}
-	err = reconciler.Client.Get(context.TODO(), types.NamespacedName{Name: common.ArgoCDRBACConfigMapName, Namespace: testRBACCMNamespace}, cm)
+	err = reconciler.Client.Get(context.TODO(), types.NamespacedName{Name: testRBACCMName, Namespace: testRBACCMNamespace}, cm)
 	assert.NoError(t, err)
 	resCM := makeTestCM_ArgoCDRole_WithRoleBindingLocalSubject_Expected()
 	assert.Equal(t, resCM.Data, cm.Data)
@@ -331,7 +330,7 @@ func TestArgoCDRoleBindingReconciler_ReconcileBuiltInAdmin(t *testing.T) {
 	}
 
 	cm := &corev1.ConfigMap{}
-	err = reconciler.Client.Get(context.TODO(), types.NamespacedName{Name: common.ArgoCDRBACConfigMapName, Namespace: testRBACCMNamespace}, cm)
+	err = reconciler.Client.Get(context.TODO(), types.NamespacedName{Name: testRBACCMName, Namespace: testRBACCMNamespace}, cm)
 	assert.NoError(t, err)
 	resCM := makeTestCM_BuiltInAdmin_WithRoleBinding_Expected()
 	assert.Equal(t, resCM.Data, cm.Data)
@@ -365,7 +364,7 @@ func TestArgoCDRoleBindingReconciler_ReconcileBuiltInReadOnly(t *testing.T) {
 	}
 
 	cm := &corev1.ConfigMap{}
-	err = reconciler.Client.Get(context.TODO(), types.NamespacedName{Name: common.ArgoCDRBACConfigMapName, Namespace: testRBACCMNamespace}, cm)
+	err = reconciler.Client.Get(context.TODO(), types.NamespacedName{Name: testRBACCMName, Namespace: testRBACCMNamespace}, cm)
 	assert.NoError(t, err)
 	resCM := makeTestCM_BuiltInReadOnly_WithRoleBinding_Expected()
 	assert.Equal(t, resCM.Data, cm.Data)
@@ -399,7 +398,7 @@ func TestArgoCDRoleBindingReconciler_HandleFinalizerBuiltInRole(t *testing.T) {
 	}
 
 	cm := &corev1.ConfigMap{}
-	err = reconciler.Client.Get(context.TODO(), types.NamespacedName{Name: common.ArgoCDRBACConfigMapName, Namespace: testRBACCMNamespace}, cm)
+	err = reconciler.Client.Get(context.TODO(), types.NamespacedName{Name: testRBACCMName, Namespace: testRBACCMNamespace}, cm)
 	assert.NoError(t, err)
 	resCM := makeTestRBACConfigMap()
 	assert.Equal(t, resCM.Data, cm.Data)