Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(rbac): fine-grained update/delete for application resources #18124

Merged
merged 16 commits into from
May 13, 2024
Merged

feat(rbac): fine-grained update/delete for application resources #18124

merged 16 commits into from
May 13, 2024

Conversation

agaudreault
Copy link
Member

@agaudreault agaudreault commented May 8, 2024
edited
Loading

Closes #17991
Closes #12777
Closes #3593
Closes #14379

Task to do

  • Rewrite RBAC docs
  • Update validation
Screen.Recording.2024-05-08.at.3.50.15.PM.mov

Checklist:

  • Either (a) I've created an enhancement proposal and discussed it with the community, (b) this is a bug fix, or (c) this does not need to be in the release notes.
  • The title of the PR states what changed and the related issues number (used for the release note).
  • The title of the PR conforms to the Toolchain Guide
  • I've included "Closes [ISSUE #]" or "Fixes [ISSUE #]" in the description to automatically close the associated issue.
  • I've updated both the CLI and UI to expose my feature, or I plan to submit a second PR with them.
  • Does this PR require documentation updates?
  • I've updated documentation as required by this PR.
  • I have signed off all my commits as required by DCO
  • I have written unit and/or e2e tests for my change. PRs without these are unlikely to be merged.
  • My build is green (troubleshooting builds).
  • My new feature complies with the feature status guidelines.
  • I have added a brief description of why this PR is necessary and/or what this PR solves.
  • Optional. My organization is added to USERS.md.
  • Optional. For bug fixes, I've indicated what older releases this fix should be cherry-picked into (this may or may not happen depending on risk/complexity).

agaudreault added 8 commits May 7, 2024 18:32
@agaudreault
feat(rbac): fine-grained update/delete for application resources
d8df94b 
Signed-off-by: Alexandre Gaudreault <alexandre_gaudreault@intuit.com>
@agaudreault
Merge remote-tracking branch 'upstream/master' into rbac-granular-delete
cefa74d
@agaudreault
rewrite rbac (draft)
eabd4e8 
Signed-off-by: Alexandre Gaudreault <alexandre_gaudreault@intuit.com>
@agaudreault
add other stuff
1c69892 
Signed-off-by: Alexandre Gaudreault <alexandre_gaudreault@intuit.com>
@agaudreault
spellcheck
dd2b11b 
Signed-off-by: Alexandre Gaudreault <alexandre_gaudreault@intuit.com>
@agaudreault
update map
4f6ea93 
Signed-off-by: Alexandre Gaudreault <alexandre_gaudreault@intuit.com>
@agaudreault
spell check
4f9c426 
Signed-off-by: Alexandre Gaudreault <alexandre_gaudreault@intuit.com>
@agaudreault
Merge branch 'master' into rbac-granular-delete
209a7e5
@agaudreault agaudreault marked this pull request as ready for review May 10, 2024 14:54
@agaudreault agaudreault requested review from a team as code owners May 10, 2024 14:54
@agaudreault
linter not happy about deprecated claims
a87890d 
Signed-off-by: Alexandre Gaudreault <alexandre_gaudreault@intuit.com>
@agaudreault
not happy about claims at all
607dfe6 
Signed-off-by: Alexandre Gaudreault <alexandre_gaudreault@intuit.com>
@agaudreault
Merge branch 'rbac-granular-delete' of github.com:agaudreault-jive/ar…
4dde680 
…go-cd into rbac-granular-delete
@agaudreault
generated
9194aae 
Signed-off-by: Alexandre Gaudreault <alexandre_gaudreault@intuit.com>
@agaudreault
fix list syntax
ba09a92 
Signed-off-by: Alexandre Gaudreault <alexandre_gaudreault@intuit.com>
@agaudreault
use same link pattern
74f9a49 
Signed-off-by: Alexandre Gaudreault <alexandre_gaudreault@intuit.com>
leoluz
leoluz requested changes May 10, 2024
View reviewed changes
Copy link
Collaborator

@leoluz leoluz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please check my comments

cmd/argocd/commands/admin/settings_rbac.go Show resolved Hide resolved
docs/operator-manual/rbac.md Outdated Show resolved Hide resolved
docs/operator-manual/rbac.md Show resolved Hide resolved
docs/operator-manual/rbac.md Outdated Show resolved Hide resolved
docs/operator-manual/rbac.md Show resolved Hide resolved
docs/operator-manual/rbac.md Show resolved Hide resolved
leoluz
leoluz requested changes May 10, 2024
View reviewed changes
docs/operator-manual/rbac.md Show resolved Hide resolved
docs/operator-manual/rbac.md Show resolved Hide resolved
@agaudreault
rewrite permissions to policy when it applies
391b8c8 
Signed-off-by: Alexandre Gaudreault <alexandre_gaudreault@intuit.com>
@agaudreault agaudreault requested a review from leoluz May 13, 2024 14:17
@agaudreault
Update docs/operator-manual/rbac.md
1f34454 
Signed-off-by: Alexandre Gaudreault <alexandre_gaudreault@intuit.com>
@davidfalconego
Copy link

¿Is this feature available in argocd 2.9.16?

@BenCoughlan15
Copy link

hey, when will this be available?

@agaudreault
Copy link
Member Author

@davidfalconego @BenCoughlan15
This will be available in 2.12

@agaudreault agaudreault deleted the rbac-granular-delete branch June 10, 2024 12:48
mkieweg pushed a commit to mkieweg/argo-cd that referenced this pull request Jun 11, 2024
@agaudreault @mkieweg
feat(rbac): fine-grained update/delete for application resources (arg…
573b5e6 
…oproj#18124)

* feat(rbac): fine-grained update/delete for application resources

Signed-off-by: Alexandre Gaudreault <alexandre_gaudreault@intuit.com>

* rewrite rbac (draft)

Signed-off-by: Alexandre Gaudreault <alexandre_gaudreault@intuit.com>

* add other stuff

Signed-off-by: Alexandre Gaudreault <alexandre_gaudreault@intuit.com>

* spellcheck

Signed-off-by: Alexandre Gaudreault <alexandre_gaudreault@intuit.com>

* update map

Signed-off-by: Alexandre Gaudreault <alexandre_gaudreault@intuit.com>

* spell check

Signed-off-by: Alexandre Gaudreault <alexandre_gaudreault@intuit.com>

* linter not happy about deprecated claims

Signed-off-by: Alexandre Gaudreault <alexandre_gaudreault@intuit.com>

* not happy about claims at all

Signed-off-by: Alexandre Gaudreault <alexandre_gaudreault@intuit.com>

* generated

Signed-off-by: Alexandre Gaudreault <alexandre_gaudreault@intuit.com>

* fix list syntax

Signed-off-by: Alexandre Gaudreault <alexandre_gaudreault@intuit.com>

* use same link pattern

Signed-off-by: Alexandre Gaudreault <alexandre_gaudreault@intuit.com>

* rewrite permissions to policy when it applies

Signed-off-by: Alexandre Gaudreault <alexandre_gaudreault@intuit.com>

* Update docs/operator-manual/rbac.md

Signed-off-by: Alexandre Gaudreault <alexandre_gaudreault@intuit.com>

---------

Signed-off-by: Alexandre Gaudreault <alexandre_gaudreault@intuit.com>
Hariharasuthan99 pushed a commit to AmadeusITGroup/argo-cd that referenced this pull request Jun 16, 2024
@agaudreault @Hariharasuthan99
feat(rbac): fine-grained update/delete for application resources (arg…
c55f8cd 
…oproj#18124)

* feat(rbac): fine-grained update/delete for application resources

Signed-off-by: Alexandre Gaudreault <alexandre_gaudreault@intuit.com>

* rewrite rbac (draft)

Signed-off-by: Alexandre Gaudreault <alexandre_gaudreault@intuit.com>

* add other stuff

Signed-off-by: Alexandre Gaudreault <alexandre_gaudreault@intuit.com>

* spellcheck

Signed-off-by: Alexandre Gaudreault <alexandre_gaudreault@intuit.com>

* update map

Signed-off-by: Alexandre Gaudreault <alexandre_gaudreault@intuit.com>

* spell check

Signed-off-by: Alexandre Gaudreault <alexandre_gaudreault@intuit.com>

* linter not happy about deprecated claims

Signed-off-by: Alexandre Gaudreault <alexandre_gaudreault@intuit.com>

* not happy about claims at all

Signed-off-by: Alexandre Gaudreault <alexandre_gaudreault@intuit.com>

* generated

Signed-off-by: Alexandre Gaudreault <alexandre_gaudreault@intuit.com>

* fix list syntax

Signed-off-by: Alexandre Gaudreault <alexandre_gaudreault@intuit.com>

* use same link pattern

Signed-off-by: Alexandre Gaudreault <alexandre_gaudreault@intuit.com>

* rewrite permissions to policy when it applies

Signed-off-by: Alexandre Gaudreault <alexandre_gaudreault@intuit.com>

* Update docs/operator-manual/rbac.md

Signed-off-by: Alexandre Gaudreault <alexandre_gaudreault@intuit.com>

---------

Signed-off-by: Alexandre Gaudreault <alexandre_gaudreault@intuit.com>
@nbarrientos nbarrientos mentioned this pull request Jun 18, 2024
Closed
@kishoregv
Copy link

Looks like the milestone is not updated https://github.com/argoproj/argo-cd/milestone/34

Can you please help to update the milestone?

jsolana pushed a commit to jsolana/argo-cd that referenced this pull request Jul 24, 2024
@agaudreault
feat(rbac): fine-grained update/delete for application resources (arg…
fa9a53f 
…oproj#18124)

* feat(rbac): fine-grained update/delete for application resources

Signed-off-by: Alexandre Gaudreault <alexandre_gaudreault@intuit.com>

* rewrite rbac (draft)

Signed-off-by: Alexandre Gaudreault <alexandre_gaudreault@intuit.com>

* add other stuff

Signed-off-by: Alexandre Gaudreault <alexandre_gaudreault@intuit.com>

* spellcheck

Signed-off-by: Alexandre Gaudreault <alexandre_gaudreault@intuit.com>

* update map

Signed-off-by: Alexandre Gaudreault <alexandre_gaudreault@intuit.com>

* spell check

Signed-off-by: Alexandre Gaudreault <alexandre_gaudreault@intuit.com>

* linter not happy about deprecated claims

Signed-off-by: Alexandre Gaudreault <alexandre_gaudreault@intuit.com>

* not happy about claims at all

Signed-off-by: Alexandre Gaudreault <alexandre_gaudreault@intuit.com>

* generated

Signed-off-by: Alexandre Gaudreault <alexandre_gaudreault@intuit.com>

* fix list syntax

Signed-off-by: Alexandre Gaudreault <alexandre_gaudreault@intuit.com>

* use same link pattern

Signed-off-by: Alexandre Gaudreault <alexandre_gaudreault@intuit.com>

* rewrite permissions to policy when it applies

Signed-off-by: Alexandre Gaudreault <alexandre_gaudreault@intuit.com>

* Update docs/operator-manual/rbac.md

Signed-off-by: Alexandre Gaudreault <alexandre_gaudreault@intuit.com>

---------

Signed-off-by: Alexandre Gaudreault <alexandre_gaudreault@intuit.com>
Signed-off-by: Javier Solana <javier.solana@cabify.com>
Signed-off-by: Javier Solana <javier.solana@cabify.com>
@agaudreault agaudreault mentioned this pull request Aug 1, 2024
Merged
@agaudreault agaudreault mentioned this pull request Sep 18, 2024
Closed
@fffinkel fffinkel mentioned this pull request Oct 30, 2024
Open
fffinkel added a commit to fffinkel/argo-cd that referenced this pull request Nov 4, 2024
@fffinkel
Enable fine-grained update/delete RBAC enforcement by default
3f368f9 
Change applications resource RBAC to use fine-grained update/delete
enforcement by default. This allows us to enforce RBAC on the
application itself, separately from the sub-resources related to it.

See also GitHub argoproj#18124, argoproj#20600
fffinkel added a commit to fffinkel/argo-cd that referenced this pull request Nov 5, 2024
@fffinkel
Enable fine-grained update/delete RBAC enforcement by default
a931647 
Change applications resource RBAC to use fine-grained update/delete
enforcement by default. This allows us to enforce RBAC on the
application itself, separately from the sub-resources related to it.

See also GitHub argoproj#18124, argoproj#20600
fffinkel added a commit to fffinkel/argo-cd that referenced this pull request Nov 5, 2024
@fffinkel
Enable fine-grained update/delete RBAC enforcement by default (argopr…
fd8ae22 
…oj#19988)

Change applications resource RBAC to use fine-grained update/delete
enforcement by default. This allows us to enforce RBAC on the
application itself, separately from the sub-resources related to it.

(see also argoproj#18124, argoproj#20600)
fffinkel added a commit to fffinkel/argo-cd that referenced this pull request Nov 5, 2024
@fffinkel
Add config setting to preserve V2 update/delete RBAC (argoproj#19988)
59b597b 
A breaking change was introduced in a previous commit that is planned to
be a part of the next major version of Argo CD (v3) where it's okay to
introduce breaking changes. We want this feature before we hit v3, so
we add a config setting that allows us to explicitly turn this new v3
behavior on in v2. The current v2 behavior is the default, so this
change will not affect folks who do not explicitly opt in.

This commit to add the gating code is added separately so it will be
easy to either cherry pick that pervious commit or revert this one.

(see also argoproj#18124, argoproj#20600)
fffinkel added a commit to fffinkel/argo-cd that referenced this pull request Nov 5, 2024
@fffinkel
Enable fine-grained update/delete RBAC enforcement by default (argopr…
f1f2b9e 
…oj#19988)

Change applications resource RBAC to use fine-grained update/delete
enforcement by default. This allows us to enforce RBAC on the
application itself, separately from the sub-resources related to it.

(see also argoproj#18124, argoproj#20600)

Signed-off-by: Matt Finkel <finkel.matt@gmail.com>
fffinkel added a commit to fffinkel/argo-cd that referenced this pull request Nov 5, 2024
@fffinkel
Add config setting to preserve V2 update/delete RBAC (argoproj#19988)
b80c8b3 
A breaking change was introduced in a previous commit that is planned to
be a part of the next major version of Argo CD (v3) where it's okay to
introduce breaking changes. We want this feature before we hit v3, so
we add a config setting that allows us to explicitly turn this new v3
behavior on in v2. The current v2 behavior is the default, so this
change will not affect folks who do not explicitly opt in.

This commit to add the gating code is added separately so it will be
easy to either cherry pick that pervious commit or revert this one.

(see also argoproj#18124, argoproj#20600)

Signed-off-by: Matt Finkel <finkel.matt@gmail.com>
fffinkel added a commit to fffinkel/argo-cd that referenced this pull request Nov 5, 2024
@fffinkel
Enable fine-grained update/delete RBAC enforcement by default (argopr…
6ab13bd 
…oj#19988)

Change applications resource RBAC to use fine-grained update/delete
enforcement by default. This allows us to enforce RBAC on the
application itself, separately from the sub-resources related to it.

(see also argoproj#18124, argoproj#20600)

Signed-off-by: Matt Finkel <finkel.matt@gmail.com>
fffinkel added a commit to fffinkel/argo-cd that referenced this pull request Nov 5, 2024
@fffinkel
Add config setting to preserve V2 update/delete RBAC (argoproj#20600)
62574fa 
A breaking change was introduced in a previous commit that is planned to
be a part of the next major version of Argo CD (v3) where it's okay to
introduce breaking changes. We want this feature before we hit v3, so
we add a config setting that allows us to explicitly turn this new v3
behavior on in v2. The current v2 behavior is the default, so this
change will not affect folks who do not explicitly opt in.

This commit to add the gating code is added separately so it will be
easy to either cherry pick that pervious commit or revert this one.

(see also argoproj#18124, argoproj#19988)

Signed-off-by: Matt Finkel <finkel.matt@gmail.com>
fffinkel added a commit to fffinkel/argo-cd that referenced this pull request Nov 5, 2024
@fffinkel
Add config setting to preserve V2 update/delete RBAC (argoproj#20600)
63aefe4 
A breaking change was introduced in a previous commit that is planned to
be a part of the next major version of Argo CD (v3) where it's okay to
introduce breaking changes. We want this feature before we hit v3, so
we add a config setting that allows us to explicitly turn this new v3
behavior on in v2. The current v2 behavior is the default, so this
change will not affect folks who do not explicitly opt in.

This commit to add the gating code is added separately so it will be
easy to either cherry pick that pervious commit or revert this one.

(see also argoproj#18124, argoproj#19988)

Signed-off-by: Matt Finkel <finkel.matt@gmail.com>
fffinkel added a commit to fffinkel/argo-cd that referenced this pull request Nov 5, 2024
@fffinkel
Enable fine-grained update/delete RBAC enforcement by default (argopr…
a5f8e15 
…oj#19988)

Change applications resource RBAC to use fine-grained update/delete
enforcement by default. This allows us to enforce RBAC on the
application itself, separately from the sub-resources related to it.

(see also argoproj#18124, argoproj#20600)

Signed-off-by: Matt Finkel <finkel.matt@gmail.com>
fffinkel added a commit to fffinkel/argo-cd that referenced this pull request Nov 5, 2024
@fffinkel
Add config setting to preserve V2 update/delete RBAC (argoproj#20600)
bfb52e4 
A breaking change was introduced in a previous commit that is planned to
be a part of the next major version of Argo CD (v3) where it's okay to
introduce breaking changes. We want this feature before we hit v3, so
we add a config setting that allows us to explicitly turn this new v3
behavior on in v2. The current v2 behavior is the default, so this
change will not affect folks who do not explicitly opt in.

This commit to add the gating code is added separately so it will be
easy to either cherry pick that pervious commit or revert this one.

(see also argoproj#18124, argoproj#19988)

Signed-off-by: Matt Finkel <finkel.matt@gmail.com>
fffinkel added a commit to fffinkel/argo-cd that referenced this pull request Jan 7, 2025
@fffinkel
Rename config setting used to preserve V2 update/delete RBAC (argopro…
0c34972 
…j#20600)

We don't know if this will go out with v3, and furthermore, the name is
not very descriptive.

(see also argoproj#18124, argoproj#19988)

Signed-off-by: Matt Finkel <finkel.matt@gmail.com>
fffinkel added a commit to fffinkel/argo-cd that referenced this pull request Jan 8, 2025
@fffinkel
Enable fine-grained update/delete RBAC enforcement by default (argopr…
5309048 
…oj#19988)

Change applications resource RBAC to use fine-grained update/delete
enforcement by default. This allows us to enforce RBAC on the
application itself, separately from the sub-resources related to it.

(see also argoproj#18124, argoproj#20600)

Signed-off-by: Matt Finkel <finkel.matt@gmail.com>
fffinkel added a commit to fffinkel/argo-cd that referenced this pull request Jan 8, 2025
@fffinkel
Add config setting to preserve V2 update/delete RBAC (argoproj#20600)
c3931f1 
A breaking change was introduced in a previous commit that is planned to
be a part of the next major version of Argo CD (v3) where it's okay to
introduce breaking changes. We want this feature before we hit v3, so
we add a config setting that allows us to explicitly turn this new v3
behavior on in v2. The current v2 behavior is the default, so this
change will not affect folks who do not explicitly opt in.

This commit to add the gating code is added separately so it will be
easy to either cherry pick that pervious commit or revert this one.

(see also argoproj#18124, argoproj#19988)

Signed-off-by: Matt Finkel <finkel.matt@gmail.com>
fffinkel added a commit to fffinkel/argo-cd that referenced this pull request Jan 8, 2025
@fffinkel
Rename config setting used to preserve V2 update/delete RBAC (argopro…
9d6f8a7 
…j#20600)

We don't know if this will go out with v3, and furthermore, the name is
not very descriptive.

(see also argoproj#18124, argoproj#19988)

Signed-off-by: Matt Finkel <finkel.matt@gmail.com>
fffinkel added a commit to fffinkel/argo-cd that referenced this pull request Jan 8, 2025
@fffinkel
Add config setting to preserve V2 update/delete RBAC (argoproj#20600)
c44747f 
A breaking change was introduced in a previous commit that is planned to
be a part of the next major version of Argo CD (v3) where it's okay to
introduce breaking changes. We want this feature before we hit v3, so we
add a config setting that allows us to explicitly turn this new v3
behavior on in v2. The current v2 behavior is the default, so this
change will not affect folks who do not explicitly opt in.

This commit to add the gating code is added separately so it will be
easy to either cherry pick that pervious commit or revert this one.

(see also argoproj#18124, argoproj#19988)

Signed-off-by: Matt Finkel <finkel.matt@gmail.com>
fffinkel added a commit to fffinkel/argo-cd that referenced this pull request Jan 8, 2025
@fffinkel
Enable fine-grained update/delete RBAC enforcement by default (argopr…
2edd102 
…oj#19988)

Change applications resource RBAC to use fine-grained update/delete
enforcement by default. This allows us to enforce RBAC on the
application itself, separately from the sub-resources related to it.

(see also argoproj#18124, argoproj#20600)

Signed-off-by: Matt Finkel <finkel.matt@gmail.com>
fffinkel added a commit to fffinkel/argo-cd that referenced this pull request Jan 8, 2025
@fffinkel
Add config setting to preserve V2 update/delete RBAC (argoproj#20600)
78d89af 
A breaking change was introduced in a previous commit that is planned to
be a part of the next major version of Argo CD (v3) where it's okay to
introduce breaking changes. We want this feature before we hit v3, so we
add a config setting that allows us to explicitly turn this new v3
behavior on in v2. The current v2 behavior is the default, so this
change will not affect folks who do not explicitly opt in.

This commit to add the gating code is added separately so it will be
easy to either cherry pick that pervious commit or revert this one.

(see also argoproj#18124, argoproj#19988)

Signed-off-by: Matt Finkel <finkel.matt@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@leoluz leoluz leoluz approved these changes

@crenshaw-dev crenshaw-dev Awaiting requested review from crenshaw-dev

@alexmt alexmt Awaiting requested review from alexmt

@jannfis jannfis Awaiting requested review from jannfis

@csantanapr csantanapr Awaiting requested review from csantanapr

@todaywasawesome todaywasawesome Awaiting requested review from todaywasawesome

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
5 participants
@agaudreault @davidfalconego @BenCoughlan15 @kishoregv @leoluz