argocd-operator-extension

command module

v1.2.1 Latest Latest Go to latest Published: Jun 18, 2021 License: Apache-2.0 Imports: 15 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/snorwin/argocd-operator-extension

Links

Open Source Insights

README ¶

argocd-operator-extension

The argocd-operator-extension is an operator extension for the Argo CD Operator in order to automate the handling of the Kubernetes RBAC (i.e. service accounts, roles, role bindings) for multiple Argo CD instances in a shared cluster.

Use case

By default, Argo CD requires cluster-wide read privileges. However, this approach is not recommended at all and it does not follow the least privilege principle. The service accounts of Argo CD should not have more capabilities as the user using it in order to prevent bypassing the Kubernetes RBAC and other security measures protected by Kubernetes RBAC using Argo CD. For the same reason it is also not recommended that multiple teams with different Kubernetes RBAC policies share the same Argo CD instances, because the Kubernetes RBAC needs to somehow be converted to the Argo CD RBAC which can lead to mistakes and the integrity of each team's application cannot be guaranteed. The ArgoCD service account, and not Argo CD RBAC, defines the baseline of capabilities that must not exceed the capabilities granted to the user by the Kubernetes RBAC.

The argocd-operator-extension solves all the issue described in the previous section by facilitating that an Argo CD instance is used only for a defined subset of the namespaces without using cluster role bindings. The view and edit roles are only granted to the individual Argo CD service accounts for dedicated namespaces.

How it works

The argocd-operator-extension reconciles the ArgoCD customer resource of the Argo CD Operator and installs a Helm chart which contains the internal service accounts and role bindings as well as the role bindings to the argocd-edit and argocd-view cluster role for all the namespaces with the label argocd.snorwin.io/name and argocd.snorwin.io/namespace set to the namespaced name of the reconciled object. The ArgoCD RBAC blueprint is defined as a Helm chart and mounted to the extension using a config map which allows you to use this operator with your existing roles and adapt it that it fits your requirements without re-building the image of the extension.

Upgrading many Argo CD instances in a cluster by hand is inefficient, therefore the extension is able to manage the images and versions of Argo CD, Dex and Redis automatically in the ArgoCD customer resource based on the update policy (None, Always or IfNotPresent) annotated to the resource itself. The images and versions can be set using environment variables.

Getting Started

Installation

There are two ways how the argocd-operator-extension can be installed:

Helm

Clone this repository and if required adapt the Argo CD RBAC blueprint helm chart.
Install the Helm chart in order to install the bundle of the Argo CD Operator including the extension.

Docker

Prerequisite: Argo CD Operator is already installed

Clone this repository and if required adapt the Argo CD RBAC blueprint helm chart.

Create a Dockerfile:

FROM ghcr.io/snorwin/argocd-operator-extension:latest

ENV HELM_DIRECTORY=/data/helm

ADD ./helm/charts/argocd-operator-extension/resources /data/helm/

Deploy the image.

Deploy the first ArgoCD instance

Create an ArgoCD instance See the ArgoCD Reference.

apiVersion: argoproj.io/v1alpha1
kind: ArgoCD
metadata:
    name: example-argocd
    namespace: example
    annotations:
        argocd.snorwin.io/image-update-policy: Always
spec: {}

Add labels to the application's target namespace:

kubectl label namespace <app namespace> argocd.snorwin.io/name=example-argocd argocd.snorwin.io/namespace=example

Configuration

Environment Variables

HELM_DIRECTORY - directory of the Helm chart in the container
HELM_DRIVER - helm storage driver. It can be set to one of the values: configmap, secret, memory (default value: secret)
HELM_MAX_HISTORY - limit the maximum number of revisions saved per helm release (default: 10). Use 0 for no limit.
CLUSTER_ARGOCD_NAMESPACEDNAMES - comma separated list of NamespacedNames (namespace/name) of Argo CD instances which run in cluster mode
ARGOCD_IMAGE - ArgoCD image and version [<image>][:<version>] used for automated version updates
DEX_IMAGE - Dex image and version [<image>][:<version>] used for automated version updates
REDIS_IMAGE - Redis image and version [<image>][:<version>] used for automated version updates

Compatibility

The argocd-operator-extension is compatible with the version v0.0.14 of the Argo CD Operator.

Documentation ¶

There is no documentation for this package.

Source Files ¶

View all Source files

main.go

Directories ¶

Path	Synopsis
controllers
argocd
pkg
constants
helm
mapper
mocks/helm Package mock_helm is a generated GoMock package.	Package mock_helm is a generated GoMock package.
utils

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL