ROB-1026: improve argocd (#1774)

nherment · web-flow · commit 3e4ddaa20aee · 2025-04-03T10:57:00.000+03:00
diff --git a/docs/configuration/holmesgpt/toolsets/argocd.rst b/docs/configuration/holmesgpt/toolsets/argocd.rst
@@ -12,7 +12,35 @@ This toolset requires an ``ARGOCD_AUTH_TOKEN`` environment variable. Generate su
 You can consult the `available environment variables <https://argo-cd.readthedocs.io/en/latest/user-guide/environment-variables/>`_
 on argocd's official documentation for the CLI.
 
-In addition to the auth token, you will need to tell argocd how to connect to the server. This can be done two ways:
+The permissions required are below (``kubectl edit configmap argocd-rbac-cm -n argocd``). You can consult
+ArgoCD's documentation on `user creation <https://argo-cd.readthedocs.io/en/stable/operator-manual/user-management/>`_
+and `permissions <https://argo-cd.readthedocs.io/en/stable/operator-manual/rbac/>`_.
+
+.. code-block:: yaml
+
+  # Ensure this data block is present in your argocd-rbac-cm configmap.
+  # It enables the permissions for holmes to fetch the data it needs to
+  # investifate argocd issues.
+  # -
+  # These permissions depend on a new user `holmesgpt` being created,
+  # for example using the `argocd-cm` configmap
+  data:
+    policy.default: role:readonly
+    policy.csv: |
+      p, role:admin, *, *, *, allow
+      p, role:admin, accounts, apiKey, *, allow
+      p, holmesgpt, accounts, apiKey, holmesgpt, allow
+      p, holmesgpt, projects, get, *, allow
+      p, holmesgpt, applications, get, *, allow
+      p, holmesgpt, repositories, get, *, allow
+      p, holmesgpt, clusters, get, *, allow
+      p, holmesgpt, applications, manifests, */*, allow
+      p, holmesgpt, applications, resources, */*, allow
+      g, admin, role:admin
+
+
+In addition to setting permissiong and generating an auth token, you will need to tell argocd how to connect to the server.
+This can be done two ways:
 
 1. **Using port forwarding**. This is the recommended approach if your argocd is inside your Kubernetes cluster.
 2. **Setting the env var** ``SERVER_URL``. This is the recommended approach if your argocd is reachable through a public DNS
@@ -39,7 +67,7 @@ HolmesGPT needs permission to establish a port-forward to ArgoCD. The configurat
         toolsets:
             argocd/core:
                 enabled: true
-                
+
 .. note::
 
     Change the namespace ``--port-forward-namespace <your_argocd_namespace>`` to the namespace in which your argocd service
@@ -92,10 +120,10 @@ This is the recommended approach if your argocd is reachable through a public DN
               argocd/core:
                   enabled: true
 
-    To test, run: 
+    To test, run:
 
     .. code-block:: yaml
-      
+
         holmes ask "Which argocd applications are failing and why?"
 
 Capabilities
@@ -109,12 +137,16 @@ Capabilities
 
    * - Tool Name
      - Description
+   * - argocd_app_list
+     - List the applications in Argocd
    * - argocd_app_get
      - Retrieve information about an existing application, such as its status and configuration
+   * - argocd_app_manifests
+     - Retrieve manifests for an application
+   * - argocd_app_resources
+     - List resources of an application
    * - argocd_app_diff
      - Display the differences between the current state of an application and the desired state specified in its Git repository
-   * - argocd_app_list
-     - List the applications in Argocd
    * - argocd_app_history
      - List the deployment history of an application in ArgoCD
    * - argocd_repo_list
