From b66b7fa13dce9fa8852371ddb9c565ac5b036c12 Mon Sep 17 00:00:00 2001 From: Mikhail Klimko Date: Fri, 25 Jul 2025 11:04:57 +0300 Subject: [PATCH 1/6] feat: multi runtime install From 03343f5f7a2939a20dae67e3a50daebd599d54ac Mon Sep 17 00:00:00 2001 From: Mikhail Klimko Date: Fri, 25 Jul 2025 17:26:20 +0300 Subject: [PATCH 2/6] feat: multi runtime install --- charts/gitops-runtime/Chart.yaml | 1 + .../cf-argocd-extras/event-reporter/_rbac.yaml | 12 ++++++++++++ .../_components/gitops-operator/_default_values.tpl | 3 +++ .../gitops-operator/promotion-template/_rbac.yaml | 6 +++--- .../gitops-operator/rbac/_auth_proxy_rbac.yaml | 6 +++--- .../gitops-operator/rbac/_rbac_operator.yaml | 12 +++++++----- .../rbac/_restricted_git_source.rbac.yaml | 2 ++ charts/gitops-runtime/templates/_helpers.tpl | 7 +++++-- .../templates/app-proxy/workflows-crb.yaml | 4 ++-- charts/gitops-runtime/values.yaml | 7 ++++++- 10 files changed, 44 insertions(+), 16 deletions(-) diff --git a/charts/gitops-runtime/Chart.yaml b/charts/gitops-runtime/Chart.yaml index e750650a..0528c04e 100644 --- a/charts/gitops-runtime/Chart.yaml +++ b/charts/gitops-runtime/Chart.yaml @@ -32,6 +32,7 @@ dependencies: - name: sealed-secrets repository: https://bitnami-labs.github.io/sealed-secrets/ version: 2.17.2 + condition: sealed-secrets.enabled - name: codefresh-tunnel-client repository: oci://quay.io/codefresh/charts version: 0.1.21 diff --git a/charts/gitops-runtime/templates/_components/cf-argocd-extras/event-reporter/_rbac.yaml b/charts/gitops-runtime/templates/_components/cf-argocd-extras/event-reporter/_rbac.yaml index 64cd6d27..6049e633 100644 --- a/charts/gitops-runtime/templates/_components/cf-argocd-extras/event-reporter/_rbac.yaml +++ b/charts/gitops-runtime/templates/_components/cf-argocd-extras/event-reporter/_rbac.yaml @@ -11,6 +11,18 @@ {{/* Workaround to NOT change label selectors from previous runtime release when event-reporter was part of cf-argocd-extras Subchart */}} {{- $_ := set $context.Values "nameOverride" "cf-argocd-extras" }} +{{/* Remove nonResourceURLs when RBAC is namespaced */}} +{{- $rules := $context.Values.rbac.rules }} +{{- if $context.Values.rbac.namespaced }} + {{- $rules = list }} + {{- range $context.Values.rbac.rules }} + {{- if not .nonResourceURLs }} + {{- $rules = append $rules . }} + {{- end }} + {{- end }} +{{- end }} +{{- $_ := set $context.Values.rbac "rules" $rules }} + {{- $templateName := printf "cf-common-%s.rbac" (index .Subcharts "cf-common").Chart.Version }} {{- include $templateName $context }} diff --git a/charts/gitops-runtime/templates/_components/gitops-operator/_default_values.tpl b/charts/gitops-runtime/templates/_components/gitops-operator/_default_values.tpl index dd552eb8..58ece965 100644 --- a/charts/gitops-runtime/templates/_components/gitops-operator/_default_values.tpl +++ b/charts/gitops-runtime/templates/_components/gitops-operator/_default_values.tpl @@ -14,6 +14,9 @@ global: replicaCount: 1 +# -- Restrict the gitops operator to a single namespace (by the namespace of Helm release) +singleNamespace: false + # -- Codefresh gitops operator crds crds: # -- Whether or not to install CRDs diff --git a/charts/gitops-runtime/templates/_components/gitops-operator/promotion-template/_rbac.yaml b/charts/gitops-runtime/templates/_components/gitops-operator/promotion-template/_rbac.yaml index 0f2d1f3e..812ae1dd 100644 --- a/charts/gitops-runtime/templates/_components/gitops-operator/promotion-template/_rbac.yaml +++ b/charts/gitops-runtime/templates/_components/gitops-operator/promotion-template/_rbac.yaml @@ -1,7 +1,7 @@ {{- define "gitops-operator.resources.promotion-template-rbac" }} apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole +kind: {{ .Values.singleNamespace | ternary "Role" "ClusterRole" }} metadata: labels: {{- include "gitops-operator.selectorLabels" . | nindent 4 }} @@ -45,14 +45,14 @@ rules: --- apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding +kind: {{ .Values.singleNamespace | ternary "RoleBinding" "ClusterRoleBinding" }} metadata: labels: {{- include "gitops-operator.selectorLabels" . | nindent 4 }} name: promotion-template roleRef: apiGroup: rbac.authorization.k8s.io - kind: ClusterRole + kind: {{ .Values.singleNamespace | ternary "Role" "ClusterRole" }} name: promotion-template subjects: - kind: ServiceAccount diff --git a/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_auth_proxy_rbac.yaml b/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_auth_proxy_rbac.yaml index 4ec54d31..96f47030 100644 --- a/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_auth_proxy_rbac.yaml +++ b/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_auth_proxy_rbac.yaml @@ -1,7 +1,7 @@ {{- define "gitops-operator.resources.auth-proxy-rbac" }} apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole +kind: {{ .Values.singleNamespace | ternary "Role" "ClusterRole" }} metadata: labels: {{- include "gitops-operator.selectorLabels" . | nindent 4 }} @@ -22,14 +22,14 @@ rules: --- apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding +kind: {{ .Values.singleNamespace | ternary "RoleBinding" "ClusterRoleBinding" }} metadata: labels: {{- include "gitops-operator.selectorLabels" . | nindent 4 }} name: codefresh-gitops-operator-proxy roleRef: apiGroup: rbac.authorization.k8s.io - kind: ClusterRole + kind: {{ .Values.singleNamespace | ternary "Role" "ClusterRole" }} name: codefresh-gitops-operator-proxy subjects: - kind: ServiceAccount diff --git a/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_rbac_operator.yaml b/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_rbac_operator.yaml index 38df174b..26832600 100644 --- a/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_rbac_operator.yaml +++ b/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_rbac_operator.yaml @@ -1,7 +1,7 @@ {{- define "gitops-operator.resources.rbac-operator" }} apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole +kind: {{ .Values.singleNamespace | ternary "Role" "ClusterRole" }} metadata: labels: {{- include "gitops-operator.selectorLabels" . | nindent 4 }} @@ -26,6 +26,7 @@ rules: - patch - update - watch +{{- if not .Values.singleNamespace }} - apiGroups: - codefresh.io resources: @@ -52,6 +53,7 @@ rules: - get - patch - update +{{- end }} - apiGroups: - "" resources: @@ -72,14 +74,14 @@ rules: --- apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding +kind: {{ .Values.singleNamespace | ternary "RoleBinding" "ClusterRoleBinding" }} metadata: labels: {{- include "gitops-operator.selectorLabels" . | nindent 4 }} name: codefresh-gitops-operator roleRef: apiGroup: rbac.authorization.k8s.io - kind: ClusterRole + kind: {{ .Values.singleNamespace | ternary "Role" "ClusterRole" }} name: codefresh-gitops-operator subjects: - kind: ServiceAccount @@ -87,14 +89,14 @@ subjects: namespace: {{ .Release.Namespace }} --- apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding +kind: {{ .Values.singleNamespace | ternary "RoleBinding" "ClusterRoleBinding" }} metadata: labels: {{- include "gitops-operator.selectorLabels" . | nindent 4 }} name: codefresh-gitops-operator-workflows roleRef: apiGroup: rbac.authorization.k8s.io - kind: ClusterRole + kind: {{ .Values.singleNamespace | ternary "Role" "ClusterRole" }} name: argo-edit subjects: - kind: ServiceAccount diff --git a/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_restricted_git_source.rbac.yaml b/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_restricted_git_source.rbac.yaml index be27879c..913d131d 100644 --- a/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_restricted_git_source.rbac.yaml +++ b/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_restricted_git_source.rbac.yaml @@ -1,5 +1,6 @@ {{- define "gitops-operator.resources.restricted-git-source-rbac" }} + {{- if not .Values.singleNamespace }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -80,4 +81,5 @@ subjects: - kind: ServiceAccount name: {{ include "gitops-operator.serviceAccountName" . }} namespace: {{ .Release.Namespace }} + {{- end }} {{- end }} diff --git a/charts/gitops-runtime/templates/_helpers.tpl b/charts/gitops-runtime/templates/_helpers.tpl index 130a9f73..59454268 100644 --- a/charts/gitops-runtime/templates/_helpers.tpl +++ b/charts/gitops-runtime/templates/_helpers.tpl @@ -431,11 +431,14 @@ Output comma separated list of installed runtime components */}} {{- define "codefresh-gitops-runtime.component-list"}} {{- $argoEvents := dict "name" "argo-events" "version" (get .Subcharts "argo-events").Chart.AppVersion }} - {{- $sealedSecrets := dict "name" "sealed-secrets" "version" (get .Subcharts "sealed-secrets").Chart.AppVersion }} {{- $internalRouter := dict "name" "internal-router" "version" .Chart.AppVersion }} {{- $appProxy := dict "name" "app-proxy" "version" (index (get .Values "app-proxy") "image" "tag") }} {{- $sourcesServer := dict "name" "sources-server" "version" (get .Values "cf-argocd-extras").sourcesServer.container.image.tag }} - {{- $comptList := list $argoEvents $appProxy $sealedSecrets $internalRouter $sourcesServer }} + {{- $comptList := list $argoEvents $appProxy $internalRouter $sourcesServer }} +{{- if and (index .Values "sealed-secrets" "enabled") }} + {{- $sealedSecrets := dict "name" "sealed-secrets" "version" (get .Subcharts "sealed-secrets").Chart.AppVersion }} + {{- $comptList = append $comptList $sealedSecrets }} +{{- end }} {{- if and (index .Values "argo-cd" "enabled") }} {{- $argoCD := dict "name" "argocd" "version" (get .Subcharts "argo-cd").Chart.AppVersion }} {{- $comptList = append $comptList $argoCD }} diff --git a/charts/gitops-runtime/templates/app-proxy/workflows-crb.yaml b/charts/gitops-runtime/templates/app-proxy/workflows-crb.yaml index d3a0b4e2..35010bf0 100644 --- a/charts/gitops-runtime/templates/app-proxy/workflows-crb.yaml +++ b/charts/gitops-runtime/templates/app-proxy/workflows-crb.yaml @@ -4,12 +4,12 @@ {{- $_ := set $appProxyContext "Values" (deepCopy (get .Values "app-proxy")) }} {{- $_ := set $appProxyContext.Values "global" (deepCopy (get .Values "global")) }} apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding +kind: {{ $appProxyContext.Values.singleNamespace | ternary "RoleBinding" "ClusterRoleBinding" }} metadata: name: cap-app-proxy-argo-workflows roleRef: apiGroup: rbac.authorization.k8s.io - kind: ClusterRole + kind: {{ $appProxyContext.Values.singleNamespace | ternary "Role" "ClusterRole" }} name: {{ include "codefresh-gitops-runtime.argo-workflows.server.name" . }} subjects: - kind: ServiceAccount diff --git a/charts/gitops-runtime/values.yaml b/charts/gitops-runtime/values.yaml index 756874ad..7a01562c 100644 --- a/charts/gitops-runtime/values.yaml +++ b/charts/gitops-runtime/values.yaml @@ -519,6 +519,8 @@ tunnel-client: #----------------------------------------------------------------------------------------------------------------------- app-proxy: replicaCount: 1 + # -- Restrict the app-proxy to a single namespace (by the namespace of Helm release) + singleNamespace: false # -- Image enrichment process configuration image-enrichment: # -- Enable or disable enrichment process. Please note that for enrichemnt, argo-workflows has to be enabled as well. @@ -685,6 +687,9 @@ gitops-operator: annotations: {} # -- Additional labels for gitops operator CRDs additionalLabels: {} + # -- Restrict the gitops operator to a single namespace (by the namespace of Helm release) + singleNamespace: false + # -- GitOps operator configuration config: # -- Task polling interval taskPollingInterval: 10s @@ -696,8 +701,8 @@ gitops-operator: maxConcurrentReleases: 100 # -- An optional template for the promotion wrapper (empty default will use the embedded one) promotionWrapperTemplate: '' + # -- GitOps operator image image: - # -- defaults registry: quay.io repository: codefresh/codefresh-gitops-operator tag: v0.8.7 From e3715f22a4ebf5c248efaeb77614ce7769780396 Mon Sep 17 00:00:00 2001 From: Mikhail Klimko Date: Fri, 25 Jul 2025 17:47:53 +0300 Subject: [PATCH 3/6] feat: multi runtime install --- charts/gitops-runtime/templates/gitops-operator/crds.yaml | 4 +++- .../gitops-runtime/templates/gitops-operator/deployment.yaml | 2 ++ .../templates/gitops-operator/promotion-operator.yaml | 4 +++- charts/gitops-runtime/templates/gitops-operator/rbac.yaml | 4 +++- .../templates/gitops-operator/serviceaccount.yaml | 4 ++++ 5 files changed, 15 insertions(+), 3 deletions(-) diff --git a/charts/gitops-runtime/templates/gitops-operator/crds.yaml b/charts/gitops-runtime/templates/gitops-operator/crds.yaml index e78bb700..171bf6f0 100644 --- a/charts/gitops-runtime/templates/gitops-operator/crds.yaml +++ b/charts/gitops-runtime/templates/gitops-operator/crds.yaml @@ -1 +1,3 @@ -{{- include "gitops-operator.crds" . }} +{{- if and (index .Values "gitops-operator" "enabled") }} + {{- include "gitops-operator.crds" . }} +{{- end }} diff --git a/charts/gitops-runtime/templates/gitops-operator/deployment.yaml b/charts/gitops-runtime/templates/gitops-operator/deployment.yaml index 81b56609..9f4c03f3 100644 --- a/charts/gitops-runtime/templates/gitops-operator/deployment.yaml +++ b/charts/gitops-runtime/templates/gitops-operator/deployment.yaml @@ -1,3 +1,4 @@ +{{- if and (index .Values "gitops-operator" "enabled") }} {{- $context := deepCopy . }} {{- $defaultVals := include "gitops-operator.default-values" . | fromYaml }} @@ -44,3 +45,4 @@ {{- end }} {{- include "gitops-operator.resources.deployment" $context }} +{{- end }} diff --git a/charts/gitops-runtime/templates/gitops-operator/promotion-operator.yaml b/charts/gitops-runtime/templates/gitops-operator/promotion-operator.yaml index 5eb7884c..78956245 100644 --- a/charts/gitops-runtime/templates/gitops-operator/promotion-operator.yaml +++ b/charts/gitops-runtime/templates/gitops-operator/promotion-operator.yaml @@ -1 +1,3 @@ -{{- include "gitops-operator.resources.promotion-template" . }} +{{- if and (index .Values "gitops-operator" "enabled") }} + {{- include "gitops-operator.resources.promotion-template" . }} +{{- end }} diff --git a/charts/gitops-runtime/templates/gitops-operator/rbac.yaml b/charts/gitops-runtime/templates/gitops-operator/rbac.yaml index 41df10f0..96489708 100644 --- a/charts/gitops-runtime/templates/gitops-operator/rbac.yaml +++ b/charts/gitops-runtime/templates/gitops-operator/rbac.yaml @@ -1 +1,3 @@ -{{- include "gitops-operator.resources.rbac" . }} +{{- if and (index .Values "gitops-operator" "enabled") }} + {{- include "gitops-operator.resources.rbac" . }} +{{- end }} diff --git a/charts/gitops-runtime/templates/gitops-operator/serviceaccount.yaml b/charts/gitops-runtime/templates/gitops-operator/serviceaccount.yaml index 022cf431..87517d1d 100644 --- a/charts/gitops-runtime/templates/gitops-operator/serviceaccount.yaml +++ b/charts/gitops-runtime/templates/gitops-operator/serviceaccount.yaml @@ -1,3 +1,5 @@ +{{- if and (index .Values "gitops-operator" "enabled") }} + {{- $context := deepCopy . }} {{- $defaultVals := include "gitops-operator.default-values" . | fromYaml }} @@ -7,3 +9,5 @@ {{- $_ := set $context.Values "global" (deepCopy (get .Values "global")) }} {{- include "gitops-operator.resources.sa" $context }} + +{{- end }} From 8a0b0d4a037f5d14cd53e6099f353adc6da98d34 Mon Sep 17 00:00:00 2001 From: Mikhail Klimko Date: Wed, 30 Jul 2025 11:10:27 +0300 Subject: [PATCH 4/6] feat: multi runtime install --- .../promotion-template/_rbac.yaml | 12 ++++++------ .../gitops-operator/rbac/_auth_proxy_rbac.yaml | 12 ++++++------ .../gitops-operator/rbac/_rbac_operator.yaml | 18 +++++++++--------- 3 files changed, 21 insertions(+), 21 deletions(-) diff --git a/charts/gitops-runtime/templates/_components/gitops-operator/promotion-template/_rbac.yaml b/charts/gitops-runtime/templates/_components/gitops-operator/promotion-template/_rbac.yaml index 812ae1dd..92d712d3 100644 --- a/charts/gitops-runtime/templates/_components/gitops-operator/promotion-template/_rbac.yaml +++ b/charts/gitops-runtime/templates/_components/gitops-operator/promotion-template/_rbac.yaml @@ -1,11 +1,11 @@ {{- define "gitops-operator.resources.promotion-template-rbac" }} apiVersion: rbac.authorization.k8s.io/v1 -kind: {{ .Values.singleNamespace | ternary "Role" "ClusterRole" }} +kind: ClusterRole metadata: labels: {{- include "gitops-operator.selectorLabels" . | nindent 4 }} - name: promotion-template + name: {{ .Values.singleNamespace | ternary (printf "promotion-template-%s" .Release.Namespace) "promotion-template" }} rules: - apiGroups: - "" @@ -45,15 +45,15 @@ rules: --- apiVersion: rbac.authorization.k8s.io/v1 -kind: {{ .Values.singleNamespace | ternary "RoleBinding" "ClusterRoleBinding" }} +kind: ClusterRoleBinding metadata: labels: {{- include "gitops-operator.selectorLabels" . | nindent 4 }} - name: promotion-template + name: {{ .Values.singleNamespace | ternary (printf "promotion-template-%s" .Release.Namespace) "promotion-template" }} roleRef: apiGroup: rbac.authorization.k8s.io - kind: {{ .Values.singleNamespace | ternary "Role" "ClusterRole" }} - name: promotion-template + kind: ClusterRole + name: {{ .Values.singleNamespace | ternary (printf "promotion-template-%s" .Release.Namespace) "promotion-template" }} subjects: - kind: ServiceAccount name: {{ include "gitops-operator.promotionTemplate.serviceAccountName" . }} diff --git a/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_auth_proxy_rbac.yaml b/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_auth_proxy_rbac.yaml index 96f47030..9338fbde 100644 --- a/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_auth_proxy_rbac.yaml +++ b/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_auth_proxy_rbac.yaml @@ -1,11 +1,11 @@ {{- define "gitops-operator.resources.auth-proxy-rbac" }} apiVersion: rbac.authorization.k8s.io/v1 -kind: {{ .Values.singleNamespace | ternary "Role" "ClusterRole" }} +kind: ClusterRole metadata: labels: {{- include "gitops-operator.selectorLabels" . | nindent 4 }} - name: codefresh-gitops-operator-proxy + name: {{ .Values.singleNamespace | ternary (printf "codefresh-gitops-operator-proxy-%s" .Release.Namespace) "codefresh-gitops-operator-proxy" }} rules: - apiGroups: - authentication.k8s.io @@ -22,15 +22,15 @@ rules: --- apiVersion: rbac.authorization.k8s.io/v1 -kind: {{ .Values.singleNamespace | ternary "RoleBinding" "ClusterRoleBinding" }} +kind: ClusterRoleBinding metadata: labels: {{- include "gitops-operator.selectorLabels" . | nindent 4 }} - name: codefresh-gitops-operator-proxy + name: {{ .Values.singleNamespace | ternary (printf "codefresh-gitops-operator-proxy-%s" .Release.Namespace) "codefresh-gitops-operator-proxy" }} roleRef: apiGroup: rbac.authorization.k8s.io - kind: {{ .Values.singleNamespace | ternary "Role" "ClusterRole" }} - name: codefresh-gitops-operator-proxy + kind: ClusterRole + name: {{ .Values.singleNamespace | ternary (printf "codefresh-gitops-operator-proxy-%s" .Release.Namespace) "codefresh-gitops-operator-proxy" }} subjects: - kind: ServiceAccount name: {{ include "gitops-operator.serviceAccountName" . }} diff --git a/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_rbac_operator.yaml b/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_rbac_operator.yaml index 26832600..aee5c759 100644 --- a/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_rbac_operator.yaml +++ b/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_rbac_operator.yaml @@ -1,11 +1,11 @@ {{- define "gitops-operator.resources.rbac-operator" }} apiVersion: rbac.authorization.k8s.io/v1 -kind: {{ .Values.singleNamespace | ternary "Role" "ClusterRole" }} +kind: ClusterRole metadata: labels: {{- include "gitops-operator.selectorLabels" . | nindent 4 }} - name: codefresh-gitops-operator + name: {{ .Values.singleNamespace | ternary (printf "codefresh-gitops-operator-%s" .Release.Namespace) "codefresh-gitops-operator" }} rules: - apiGroups: - "" @@ -74,29 +74,29 @@ rules: --- apiVersion: rbac.authorization.k8s.io/v1 -kind: {{ .Values.singleNamespace | ternary "RoleBinding" "ClusterRoleBinding" }} +kind: ClusterRoleBinding metadata: labels: {{- include "gitops-operator.selectorLabels" . | nindent 4 }} - name: codefresh-gitops-operator + name: {{ .Values.singleNamespace | ternary (printf "codefresh-gitops-operator-%s" .Release.Namespace) "codefresh-gitops-operator" }} roleRef: apiGroup: rbac.authorization.k8s.io - kind: {{ .Values.singleNamespace | ternary "Role" "ClusterRole" }} - name: codefresh-gitops-operator + kind: ClusterRole + name: {{ .Values.singleNamespace | ternary (printf "codefresh-gitops-operator-%s" .Release.Namespace) "codefresh-gitops-operator" }} subjects: - kind: ServiceAccount name: {{ include "gitops-operator.serviceAccountName" . }} namespace: {{ .Release.Namespace }} --- apiVersion: rbac.authorization.k8s.io/v1 -kind: {{ .Values.singleNamespace | ternary "RoleBinding" "ClusterRoleBinding" }} +kind: ClusterRoleBinding metadata: labels: {{- include "gitops-operator.selectorLabels" . | nindent 4 }} - name: codefresh-gitops-operator-workflows + name: {{ .Values.singleNamespace | ternary (printf "codefresh-gitops-operator-workflows-%s" .Release.Namespace) "codefresh-gitops-operator-workflows" }} roleRef: apiGroup: rbac.authorization.k8s.io - kind: {{ .Values.singleNamespace | ternary "Role" "ClusterRole" }} + kind: ClusterRole name: argo-edit subjects: - kind: ServiceAccount From 0a33b9e728fce8e803d3f850c1325e13637e5c0e Mon Sep 17 00:00:00 2001 From: Mikhail Klimko Date: Wed, 30 Jul 2025 11:40:41 +0300 Subject: [PATCH 5/6] wip: Wed Jul 30 11:40:41 +03 2025 --- .../_components/gitops-operator/rbac/_rbac_operator.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_rbac_operator.yaml b/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_rbac_operator.yaml index aee5c759..ffefcf58 100644 --- a/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_rbac_operator.yaml +++ b/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_rbac_operator.yaml @@ -89,15 +89,15 @@ subjects: namespace: {{ .Release.Namespace }} --- apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding +kind: {{ .Values.singleNamespace | ternary "RoleBinding" "ClusterRoleBinding" }} metadata: labels: {{- include "gitops-operator.selectorLabels" . | nindent 4 }} name: {{ .Values.singleNamespace | ternary (printf "codefresh-gitops-operator-workflows-%s" .Release.Namespace) "codefresh-gitops-operator-workflows" }} roleRef: apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: argo-edit + kind: {{ .Values.singleNamespace | ternary "Role" "ClusterRole" }} + name: {{ .Values.singleNamespace | ternary "argo-workflow-controller" "argo-edit" }} subjects: - kind: ServiceAccount name: {{ include "gitops-operator.serviceAccountName" . }} From 26379cba97ec5a0d73aea00b1144694df4f597d7 Mon Sep 17 00:00:00 2001 From: Mikhail Klimko Date: Wed, 30 Jul 2025 12:19:46 +0300 Subject: [PATCH 6/6] wip: Wed Jul 30 12:19:46 +03 2025 --- .../gitops-operator/rbac/_rbac_operator.yaml | 122 +++++++++++++++++- 1 file changed, 121 insertions(+), 1 deletion(-) diff --git a/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_rbac_operator.yaml b/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_rbac_operator.yaml index ffefcf58..75310814 100644 --- a/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_rbac_operator.yaml +++ b/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_rbac_operator.yaml @@ -71,6 +71,126 @@ rules: - get - list - watch +--- +{{- if .Values.singleNamespace }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: argo-role +rules: +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - get + - update +- apiGroups: + - "" + resources: + - pods + - pods/exec + verbs: + - create + - get + - list + - watch + - update + - patch + - delete +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - watch + - list +- apiGroups: + - "" + resources: + - persistentvolumeclaims + - persistentvolumeclaims/finalizers + verbs: + - create + - update + - delete + - get +- apiGroups: + - argoproj.io + resources: + - workflows + - workflows/finalizers + - workflowtasksets + - workflowtasksets/finalizers + - workflowartifactgctasks + verbs: + - get + - list + - watch + - update + - patch + - delete + - create +- apiGroups: + - argoproj.io + resources: + - workflowtemplates + - workflowtemplates/finalizers + verbs: + - get + - list + - watch +- apiGroups: + - argoproj.io + resources: + - workflowtaskresults + verbs: + - list + - watch + - deletecollection +- apiGroups: + - "" + resources: + - serviceaccounts + verbs: + - get + - list +- apiGroups: + - "" + resources: + - secrets + verbs: + - get +- apiGroups: + - argoproj.io + resources: + - cronworkflows + - cronworkflows/finalizers + verbs: + - get + - list + - watch + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +- apiGroups: + - policy + resources: + - poddisruptionbudgets + verbs: + - create + - get + - delete +{{- end }} --- apiVersion: rbac.authorization.k8s.io/v1 @@ -97,7 +217,7 @@ metadata: roleRef: apiGroup: rbac.authorization.k8s.io kind: {{ .Values.singleNamespace | ternary "Role" "ClusterRole" }} - name: {{ .Values.singleNamespace | ternary "argo-workflow-controller" "argo-edit" }} + name: {{ .Values.singleNamespace | ternary "argo-role" "argo-edit" }} subjects: - kind: ServiceAccount name: {{ include "gitops-operator.serviceAccountName" . }}