diff --git a/charts/gitops-runtime/templates/_components/cap-app-proxy/_all_resources.yaml b/charts/gitops-runtime/templates/_components/cap-app-proxy/_all_resources.yaml index 479914c4..ff455cf5 100644 --- a/charts/gitops-runtime/templates/_components/cap-app-proxy/_all_resources.yaml +++ b/charts/gitops-runtime/templates/_components/cap-app-proxy/_all_resources.yaml @@ -10,4 +10,6 @@ {{ include "cap-app-proxy.resources.service" . }} --- {{ include "cap-app-proxy.resources.sa" .}} +--- + {{ include "argo-cd.namespaced-rbac.all" . }} {{- end }} \ No newline at end of file diff --git a/charts/gitops-runtime/templates/_components/cap-app-proxy/_config.yaml b/charts/gitops-runtime/templates/_components/cap-app-proxy/_config.yaml index 7751eb84..e615c50d 100644 --- a/charts/gitops-runtime/templates/_components/cap-app-proxy/_config.yaml +++ b/charts/gitops-runtime/templates/_components/cap-app-proxy/_config.yaml @@ -11,6 +11,7 @@ env: {{ .Values.config.env | quote}} isConfigurationRuntime: {{ .Values.global.runtime.isConfigurationRuntime | quote }} isExternalArgoCD: {{ .Values.global.runtime.isExternalArgoCD | quote }} runtimeName: {{ required "global.runtime.name is required" .Values.global.runtime.name | quote}} +runtimeSingleNamespace: {{ .Values.singleNamespace | quote }} skipGitPermissionValidation: {{ .Values.config.skipGitPermissionValidation | quote }} logLevel: {{ .Values.config.logLevel | quote }} {{- $enrichmentValues := get .Values "image-enrichment" }} diff --git a/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_all.yaml b/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_all.yaml new file mode 100644 index 00000000..d731eade --- /dev/null +++ b/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_all.yaml @@ -0,0 +1,7 @@ +{{- if (get .Values "app-proxy").singleNamespace }} +{{- include "argo-cd.namespaced-rbac.serviceaccount" . }} +--- +{{- include "argo-cd.namespaced-rbac.role" . }} +--- +{{- include "argo-cd.namespaced-rbac.rolebinding" . }} +{{- end }} \ No newline at end of file diff --git a/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_role.yaml b/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_role.yaml new file mode 100644 index 00000000..9d138964 --- /dev/null +++ b/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_role.yaml @@ -0,0 +1,26 @@ +{{- define "argo-cd.namespaced-rbac.role" }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: argocd-namespaced-role + namespace: {{ .Release.Namespace }} + labels: + {{- include "codefresh-gitops-runtime.labels" . | nindent 4 }} + codefresh.io/component: argocd-namespaced-rbac +rules: +- apiGroups: [""] + resources: ["pods", "services", "endpoints", "persistentvolumeclaims", "events", "configmaps", "secrets", "serviceaccounts"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] +- apiGroups: ["apps"] + resources: ["deployments", "replicasets", "statefulsets", "daemonsets"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] +- apiGroups: ["batch"] + resources: ["jobs", "cronjobs"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] +- apiGroups: ["networking.k8s.io"] + resources: ["ingresses", "networkpolicies"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] +- apiGroups: ["rbac.authorization.k8s.io"] + resources: ["roles", "rolebindings"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] +{{- end }} \ No newline at end of file diff --git a/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_rolebinding.yaml b/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_rolebinding.yaml new file mode 100644 index 00000000..28c52949 --- /dev/null +++ b/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_rolebinding.yaml @@ -0,0 +1,18 @@ +{{- define "argo-cd.namespaced-rbac.rolebinding" }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: argocd-namespaced-rolebinding + namespace: {{ .Release.Namespace }} + labels: + {{- include "codefresh-gitops-runtime.labels" . | nindent 4 }} + codefresh.io/component: argocd-namespaced-rbac +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: argocd-namespaced-role +subjects: +- kind: ServiceAccount + name: argocd-manager + namespace: {{ .Release.Namespace }} +{{- end }} \ No newline at end of file diff --git a/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_serviceaccount.yaml b/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_serviceaccount.yaml new file mode 100644 index 00000000..1f94e491 --- /dev/null +++ b/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_serviceaccount.yaml @@ -0,0 +1,10 @@ +{{- define "argo-cd.namespaced-rbac.serviceaccount" }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: argocd-manager + namespace: {{ .Release.Namespace }} + labels: + {{- include "codefresh-gitops-runtime.labels" . | nindent 4 }} + codefresh.io/component: argocd-namespaced-rbac +{{- end }} diff --git a/charts/gitops-runtime/templates/_components/cap-app-proxy/environment-variables/_main-container.yaml b/charts/gitops-runtime/templates/_components/cap-app-proxy/environment-variables/_main-container.yaml index f59f769e..b00b6afb 100644 --- a/charts/gitops-runtime/templates/_components/cap-app-proxy/environment-variables/_main-container.yaml +++ b/charts/gitops-runtime/templates/_components/cap-app-proxy/environment-variables/_main-container.yaml @@ -109,6 +109,12 @@ RUNTIME_NAME: configMapKeyRef: name: cap-app-proxy-cm key: runtimeName +RUNTIME_SINGLE_NAMESPACE: + valueFrom: + configMapKeyRef: + name: cap-app-proxy-cm + key: runtimeSingleNamespace + optional: true RUNTIME_TOKEN: valueFrom: secretKeyRef: @@ -210,6 +216,7 @@ IRW_JIRA_ENRICHMENT_TASK_IMAGE: name: cap-app-proxy-cm key: enrichmentJiraEnrichmentImage optional: true + NODE_EXTRA_CA_CERTS: /app/config/all/all.cer {{- if gt (int .Values.replicaCount) 1 }} LEADER_ID: diff --git a/charts/gitops-runtime/templates/_components/gitops-operator/_env.yaml b/charts/gitops-runtime/templates/_components/gitops-operator/_env.yaml index f2e10f74..1321e06c 100644 --- a/charts/gitops-runtime/templates/_components/gitops-operator/_env.yaml +++ b/charts/gitops-runtime/templates/_components/gitops-operator/_env.yaml @@ -15,6 +15,7 @@ COMMIT_STATUS_POLLING_INTERVAL: {{ .Values.config.commitStatusPollingInterval }} WORKFLOW_MONITOR_POLLING_INTERVAL: {{ .Values.config.workflowMonitorPollingInterval }} MAX_CONCURRENT_RELEASES: {{ .Values.config.maxConcurrentReleases }} PROMOTION_WRAPPER_TEMPLATE: {{ .Values.config.promotionWrapperTemplate | quote }} +RUNTIME_SINGLE_NAMESPACE: {{ (get .Values "app-proxy").singleNamespace }} {{- end }} {{- define "gitops-operator.resources.environment-variables.defaults" -}} diff --git a/charts/gitops-runtime/templates/_components/gitops-operator/crds/_all.yaml b/charts/gitops-runtime/templates/_components/gitops-operator/crds/_all.yaml index 956c1b6f..d7d598f9 100644 --- a/charts/gitops-runtime/templates/_components/gitops-operator/crds/_all.yaml +++ b/charts/gitops-runtime/templates/_components/gitops-operator/crds/_all.yaml @@ -14,7 +14,9 @@ --- {{- include "gitops-operator.crds.product" $context }} --- + {{- if not (get .Values "app-proxy").singleNamespace }} {{- include "gitops-operator.crds.restricted-gitsource" $context }} + {{- end }} --- {{- include "gitops-operator.crds.promotion-policy" $context }} {{- end }} diff --git a/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_all.yaml b/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_all.yaml index 8760f422..db0a7c7a 100644 --- a/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_all.yaml +++ b/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_all.yaml @@ -13,7 +13,9 @@ --- {{- include "gitops-operator.resources.leader-election-rbac" $context }} --- + {{- if not (get .Values "app-proxy").singleNamespace }} {{- include "gitops-operator.resources.restricted-git-source-rbac" $context }} + {{- end }} --- {{- include "gitops-operator.resources.rbac-operator" $context }} {{- end }} diff --git a/charts/gitops-runtime/templates/codefresh-cm.yaml b/charts/gitops-runtime/templates/codefresh-cm.yaml index d070c4d6..3fba68b9 100644 --- a/charts/gitops-runtime/templates/codefresh-cm.yaml +++ b/charts/gitops-runtime/templates/codefresh-cm.yaml @@ -15,4 +15,5 @@ data: ingressController: {{ .Values.global.runtime.ingress.className | default "" | quote }} ingressHost: {{ include "codefresh-gitops-runtime.ingress-url" . }} isConfigurationRuntime: {{ .Values.global.runtime.isConfigurationRuntime | quote }} + singleNamespace: {{ (get .Values "app-proxy").singleNamespace | quote }} version: {{ .Chart.AppVersion }} \ No newline at end of file diff --git a/charts/gitops-runtime/templates/gitops-operator/deployment.yaml b/charts/gitops-runtime/templates/gitops-operator/deployment.yaml index 81b56609..6038cbbc 100644 --- a/charts/gitops-runtime/templates/gitops-operator/deployment.yaml +++ b/charts/gitops-runtime/templates/gitops-operator/deployment.yaml @@ -5,6 +5,7 @@ {{- $_ := set $context "Values" $vals }} {{- $_ := set $context.Values "global" (deepCopy (get .Values "global")) }} +{{- $_ := set $context.Values "app-proxy" (deepCopy (get .Values "app-proxy")) }} {{- if and (not (index .Values "argo-cd" "enabled")) }} {{- if and (eq (index .Values "global" "external-argo-cd" "auth" "type") "token") }} diff --git a/charts/gitops-runtime/values.yaml b/charts/gitops-runtime/values.yaml index 9035df0a..8acfd399 100644 --- a/charts/gitops-runtime/values.yaml +++ b/charts/gitops-runtime/values.yaml @@ -519,6 +519,8 @@ tunnel-client: #----------------------------------------------------------------------------------------------------------------------- app-proxy: replicaCount: 1 + # -- Runtime single namespace mode. When true, runtime operates in single namespace scope. + singleNamespace: false # -- Image enrichment process configuration image-enrichment: # -- Enable or disable enrichment process. Please note that for enrichemnt, argo-workflows has to be enabled as well.