Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add ability to skip cluster RBAC setup in CLI #3183

Closed
alexandrfox opened this issue Mar 3, 2020 · 1 comment
Closed

Add ability to skip cluster RBAC setup in CLI #3183

alexandrfox opened this issue Mar 3, 2020 · 1 comment
Labels
enhancement New feature or request

Comments

@alexandrfox
Copy link
Contributor

Summary

It would be useful to be able to skip setting up cluster manager RBAC for ArgoCD SA when performing argocd cluster add in environments where predefined roles described by ArgoCDManagerNamespacePolicyRules and
ArgoCDManagerClusterPolicyRules do not comply with specific access and/or legal/policy requirements.

Motivation

InstallClusterManagerRBAC method of the clusterauth package is somewhat opinionated about rolebindings and role definitions for "argocd-manager" SA (read: those definitions are hardcoded). It is called whenever users tries to add a new cluster via argocd cluster add command.

Sometimes it is desirable however to manually pre-configure such bindings and/or modify them in order to comply with existing infrastructure requirements. For example, user might choose to create customized definitions for argocd-manager-role-binding and argocd-manager-role before adding a cluster or its namespace into ArgoCD.

Proposal

A simple CLI flag --skip-rbac-setup for argocd cluster add command should suffice for most use-cases. If flag is present command should skip setting up pre-defined RBAC entities and only get SA token to be passed to the server.
@alexandrfox alexandrfox added the enhancement New feature or request label Mar 3, 2020
@alexandrfox alexandrfox mentioned this issue Mar 3, 2020
Merged
5 tasks
jannfis pushed a commit that referenced this issue Mar 4, 2020
@alexandrfox
feat: add "service-account" flag to "cluster add" command (#3183) (#3184
4d23fe8 
)

* Add "skip-rbac-setup" flag to "cluster add" command

"InstallClusterManagerRBAC" method of the clusterauth package
is somewhat opinionated about rolebindings and role definitions
for "argocd-manager" SA. Sometimes it is desirable however to manually
pre-configure such bindings and/or modify them in order to comply
with existing infrastructure requirements.

This commit introduces a new option "--skip-rbac-setup" which allows operator
to skip the aforementioned "InstallClusterManagerRBAC" method call.

* Modified --skip-rbac-setup into --service-account flag

* use reference instead of hardoded SA name
@alexandrfox
Copy link
Contributor Author

Implemented via #3184

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@alexandrfox