Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fixed the default ArgoCD role for default instance openshift-gitops #586

Merged
merged 4 commits into from
Sep 5, 2023
Merged

Fixed the default ArgoCD role for default instance openshift-gitops #586

merged 4 commits into from
Sep 5, 2023

Conversation

anandf
Copy link
Member

@anandf anandf commented Aug 17, 2023
edited

What type of PR is this?

Uncomment only one /kind line, and delete the rest.
For example, > /kind bug would simply become: /kind bug
/kind enhancement
/kind bug
/kind cleanup
/kind failing-test
/kind enhancement
/kind documentation
/kind code-refactoring

What does this PR do / why we need it:
This PR is to make the default ArgoCD instance with name openshift-gitops in namespace openshift-gitops to have restricted default permissions. With default readonly permission, any non-admin user will be able to view the Application and other manifest resource managed by ArgoCD which can contain sensitive information. By setting the default permission to '' this read only access can be avoided.

Have you updated the necessary documentation?

  • Documentation update is required by this PR.
  • Documentation has been updated.

Which issue(s) this PR fixes:

Fixes #?

Test acceptance criteria:

  • Unit Test
  • E2E Test

How to test changes / Special notes to the reviewer:

@anandf
Copy link
Member Author

anandf commented Aug 17, 2023

/test v4.14-kuttl-sequential-periodic

@anandf
Copy link
Member Author

anandf commented Aug 17, 2023

/test v4.13-e2e

@anandf
Copy link
Member Author

anandf commented Aug 17, 2023

/test v4.14-kuttl-parallel

@jaideepr97
Copy link
Collaborator

@anandf could this be a breaking change for users that haven't specifically defined their argocd rbac because the default policy was already letting them do what they needed ? Not that that is a reason not to make this change

@anandf
Copy link
Member Author

anandf commented Aug 23, 2023

@anandf could this be a breaking change for users that haven't specifically defined their argocd rbac because the default policy was already letting them do what they needed ? Not that that is a reason not to make this change

I agree that this change can cause surprise in behaviour especially if customers were leveraging this default read only role. Would it be sufficient to mention this change in behaviour in the release notes ? Please not that this change being applicable only for the default gitops instance and other customer managed ArgoCD instances will continue working as before.

@anandf
Copy link
Member Author

anandf commented Aug 25, 2023

/retest-required

jaideepr97
jaideepr97 previously approved these changes Aug 30, 2023
View reviewed changes
Copy link
Collaborator

@jaideepr97 jaideepr97 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks @anandf

@anandf
Fixed the default ArgoCD role for default instance openshift-gitops
0782d02 
Signed-off-by: Anand Francis Joseph <anjoseph@redhat.com>
@anandf
Added E2E tests to validate the default argocd policy for different s…
fb19f53 
…cenarios

Signed-off-by: Anand Francis Joseph <anjoseph@redhat.com>
@anandf
Documented the behaviour of default argocd role from v1.10 onwards
01aa0a4 
Signed-off-by: Anand Francis Joseph <anjoseph@redhat.com>
@anandf
Changed the custom namespace used for the test argocd instance creation
f1c616d 
Signed-off-by: Anand Francis Joseph <anjoseph@redhat.com>
@anandf
Copy link
Member Author

anandf commented Sep 2, 2023

/test v4.13-kuttl-parallel

1 similar comment
@anandf
Copy link
Member Author

anandf commented Sep 3, 2023

/test v4.13-kuttl-parallel

@iam-veeramalla
Copy link
Collaborator

/lgtm
/approve

@openshift-ci openshift-ci bot added the lgtm label Sep 5, 2023
@openshift-ci
Copy link

openshift-ci bot commented Sep 5, 2023

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: iam-veeramalla

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved label Sep 5, 2023
@openshift-merge-robot openshift-merge-robot merged commit 1d728ef into redhat-developer:master Sep 5, 2023
18 checks passed
@anandf anandf deleted the fix_default_argocd_role branch September 25, 2023 09:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jaideepr97 jaideepr97 jaideepr97 left review comments

@svghadi svghadi Awaiting requested review from svghadi

Assignees

@iam-veeramalla iam-veeramalla

Labels
approved lgtm
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@anandf @jaideepr97 @iam-veeramalla @openshift-merge-robot