
Commit 78b8375

authored
Merge pull request #18 from rh-mobb/foster/acm-stuff
added acm spoke hub clusters
2 parents eb9852a + bc4a453 commit 78b8375

2 files changed

Lines changed: 44 additions & 1 deletion


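--- a/charts/acm-operator/Chart.yaml
+++ b/charts/acm-operator/Chart.yaml
@@ -9,6 +9,6 @@ dependencies:
 version: 1.1.0
 repository: https://rh-mobb.github.io/validated-pattern-helm-charts/
 name: acm-operator
-version: 0.5.19
+version: 0.5.20
 apiVersion: v2
 description: Chart to deploy Red Hat Advanced Cluster Management (RHACM) with ArgoCD ApplicationSets for spoke cluster management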

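--- a/charts/acm-operator/templates/applicationset-controller-rbac.yaml
+++ b/charts/acm-operator/templates/applicationset-controller-rbac.yaml
@@ -1,3 +1,6 @@
+# The clusterDecisionResource generator in ApplicationSets requires the
+# ApplicationSet controller to read ACM PlacementDecisions. The GitOps
+# operator does not grant this by default.
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -15,6 +18,7 @@ rules:
 - list
 - watch
 ---
+# Bind to openshift-gitops ApplicationSet controller
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
@@ -30,6 +34,8 @@ subjects:
 name: cluster-gitops-applicationset-controller
 namespace: openshift-gitops
 ---
+# Bind to application-gitops ApplicationSet controller so team
+# ApplicationSets in *-team namespaces can use clusterDecisionResource
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
@@ -44,3 +50,40 @@ subjects:
 - kind: ServiceAccount
 name: application-gitops-applicationset-controller
 namespace: application-gitops
+---
+# When applicationSet.sourceNamespaces is set on the ArgoCD CR, the
+# ApplicationSet controller needs cluster-scoped read access to AppProjects
+# to validate project membership across namespaces. The OpenShift GitOps
+# operator does not add this to the controller's ClusterRole automatically.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+name: applicationset-appproject-reader
+annotations:
+argocd.argoproj.io/sync-wave: "10"
+rules:
+- apiGroups:
+- argoproj.io
+resources:
+- appprojects
+verbs:
+- get
+- list
+- watch
+---
+# Bind to application-gitops ApplicationSet controller which has
+# applicationSet.sourceNamespaces: ["*-team", "application-gitops"]
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+name: application-gitops-applicationset-appproject-reader
+annotations:
+argocd.argoproj.io/sync-wave: "10"
+roleRef:
+apiGroup: rbac.authorization.k8s.io
+kind: ClusterRole
+name: applicationset-appproject-reader
+subjects:
+- kind: ServiceAccount
+name: application-gitops-applicationset-controller
+namespace: application-gitops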
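Review bot: The header comment on the new `application-gitops-applicationset-appproject-reader` ClusterRoleBinding hard-codes a value that this chart does not own — `applicationSet.sourceNamespaces: ["*-team", "application-gitops"]` is set on the ArgoCD CR elsewhere, so the comment goes stale silently if that list changes. The justification for cluster scope is also only stated by the ClusterRole comment above it; since the grant is read-only (`get`/`list`/`watch` on `appprojects`) in every namespace, including the openshift-gitops instance's, it is worth recording that the scope is deliberate and what it exposes. Suggest replacing the two comment lines with `# Bind to the application-gitops ApplicationSet controller. Cluster scope is intentional: RBAC cannot express the "*-team" namespace glob configured in applicationSet.sourceNamespaces on the ArgoCD CR (see that CR for the authoritative list); this is read-only and also exposes AppProjects of other Argo CD instances.` and keeping the ClusterRole's explanation as the single place the requirement is described. The first ClusterRole in this file, whose name and PlacementDecision rules the hunks at lines 1 and 15 only partly show, starts outside the hunk, so its comparison with the new role was not reviewed.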
