From bbd715be14841b1d3a2e32f99c763f2330cf8d6e Mon Sep 17 00:00:00 2001
From: Stephan Feurer
Date: Thu, 7 Nov 2024 13:08:24 +0100
Subject: [PATCH] Support RBAC and SSO configuration for syn-argocd

---
 class/defaults.yml | 7 ++++++
 component/argocd.jsonnet | 4 ++-
 .../ROOT/pages/references/parameters.adoc | 6 +++++
 .../argocd/argocd/30_argocd/10_argocd.yaml | 23 ++++++++++++++++-
 tests/openshift.yml | 25 +++++++++++++++++++
 5 files changed, 63 insertions(+), 2 deletions(-)

diff --git a/class/defaults.yml b/class/defaults.yml
index 1f661f5f..aa1f19e1 100644
--- a/class/defaults.yml
+++ b/class/defaults.yml
@@ -2,10 +2,13 @@ parameters:
 argocd:
 namespace: syn
+ distribution: ${facts:distribution}
+
 network_policies:
 enabled: true
 allow_from_namespaces: []
+
 monitoring:
 enabled: true
 dashboards: false
@@ -13,12 +16,16 @@ parameters:
 prometheus: platform
 cluster_id: ${cluster:name}
 tenant_id: ${cluster:tenant}
+ resync_time: 3m0s
+
 log_format:
 default: text
 log_level:
 default: info
+ override: {}
+
 images:
 kubectl:
 registry: docker.io
diff --git a/component/argocd.jsonnet b/component/argocd.jsonnet
index 1a569abb..b902381a 100644
--- a/component/argocd.jsonnet
+++ b/component/argocd.jsonnet
@@ -213,6 +213,8 @@ local repoServer = {
 ],
 };
+local argocdOverride = com.makeMergeable({ spec: params.override });
+
 local argocd(name) =
 kube._Object('argoproj.io/v1beta1', 'ArgoCD', name) {
 metadata+: {
@@ -368,7 +370,7 @@ local argocd(name) =
 repo: repoServer,
 server: server,
 },
- };
+ } + if std.length(params.override) > 0 then argocdOverride else {};
 local ssh_secret = kube._Object('v1', 'Secret', 'argo-ssh-key') {
 type: 'Opaque',
diff --git a/docs/modules/ROOT/pages/references/parameters.adoc b/docs/modules/ROOT/pages/references/parameters.adoc
index a7779d02..29d5615d 100644
--- a/docs/modules/ROOT/pages/references/parameters.adoc
+++ b/docs/modules/ROOT/pages/references/parameters.adoc
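Review bot: `distribution` in the first class/defaults.yml hunk (and `resync_time` in the second) are introduced as new parameters, but the parameters.adoc hunk documents only `override`, and no jsonnet hunk in this patch reads either of them. If they are consumed elsewhere in the component, the reference page needs matching `== `distribution`` and `== `resync_time`` sections with type, default and purpose; if nothing reads them, they are dead configuration and should be dropped rather than shipped with an undocumented default.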
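Review bot: The guard `if std.length(params.override) > 0` on the rewritten line of the second component/argocd.jsonnet hunk is redundant and not null-safe: merging `com.makeMergeable({ spec: {} })` is a no-op, so the conditional buys nothing for the empty default, while a hierarchy layer that sets `override: ~` makes `std.length(null)` fail at render time. `} + (if params.override != null then argocdOverride else {});` covers both cases. Because the override is added last and deep-merged into `.spec`, it can silently replace any generated field, including `rbac` and `server.insecure`; a comment on `argocdOverride` in the first hunk should state that: `// Deep-merged into .spec after all generated fields, so hierarchy values here win over the component's defaults (including rbac and server.insecure).` The body of `argocd(name)` spans both hunks and mostly lies outside them.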
@@ -91,6 +91,12 @@ default:: []
 Additional namespaces which should be able to access ArgoCD.
+== `override`
+[horizontal]
+type:: dictionary
+default:: {}
+
+Override specs of the ProjectSyn ArgoCD instance.
 == `images`
diff --git a/tests/golden/openshift/argocd/argocd/30_argocd/10_argocd.yaml b/tests/golden/openshift/argocd/argocd/30_argocd/10_argocd.yaml
index 8dfc762b..10527fca 100644
--- a/tests/golden/openshift/argocd/argocd/30_argocd/10_argocd.yaml
+++ b/tests/golden/openshift/argocd/argocd/30_argocd/10_argocd.yaml
@@ -42,6 +42,12 @@ spec:
 gitlab-dev.syn.tools ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDybOH3scUSfAJFkskpVn1VcL1mPNSiV05asrCCjDTzSJOeJuCE99KkHf7eTA29as9NaqtMtJcCxhptLfNaRzUR3zf29eUuPhkh2B5PUaqLpsbm6330QxvWsZNJyI8Cf7i78O3qe4dv7p2Fe78ayLKX/q3dRj0PZnl7kMj7YpCfY7VCndqoIKEOlIEqNjzAFhHLgHEMJ8f8cM5s4qorgc3TdCqORGVs5vqkeNm977yz2hMxB7iEET4O2jfBUHzzZ68T5h5AtrL5YVBMP0xTgaLskk7/QnoEsfKAgTXo/AaUuXbzM6N0nIjH00Ll0s6P2fWyRVXz05eauZZhBS85GQTD
 gitlab-dev.syn.tools ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCz/gtGxqX+WS6E9/NLYTkRLkM7r7JHU5N7vz2kJjRbjhR91JvP7NaHtuN5aPm5Wv9rtPKSackQ9B78VCkr6GLw=
 gitlab-dev.syn.tools ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKtv4stHQjApa7wkgvgo4dB52qLzI/zN2Us+89cQXXm0
+ rbac:
+ defaultPolicy: role:readonly
+ policy: |-
+ g, openshiftroot, role:admin
+ g, openshiftrootswissonly, role:admin
+ scopes: '[groups]'
 redis:
 image: docker.io/library/redis
 resources:
@@ -238,11 +244,26 @@ spec:
 group: apiextensions.k8s.io
 kind: CustomResourceDefinition
 server:
- insecure: true
+ host: syn-argocd.example.com
+ ingress:
+ enabled: false
+ insecure: false
 logFormat: text
 logLevel: info
 resources:
 requests:
 cpu: 10m
 memory: 32Mi
+ route:
+ enabled: true
+ tls:
+ insecureEdgeTerminationPolicy: Redirect
+ termination: reencrypt
+ sso:
+ dex:
+ groups:
+ - openshiftroot
+ - openshiftrootswissonly
+ openShiftOAuth: true
+ provider: dex
 version: v2.11.12
diff --git a/tests/openshift.yml b/tests/openshift.yml
index d3f1a3ee..f873c696 100644
--- a/tests/openshift.yml
+++ b/tests/openshift.yml
@@ -28,3 +28,28 @@ parameters:
 argocd:
 network_policies:
 enabled: true
+
+ override:
+ rbac:
+ defaultPolicy: 'role:readonly'
+ policy: |-
+ g, openshiftroot, role:admin
+ g, openshiftrootswissonly, role:admin
+ scopes: '[groups]'
+ sso:
+ provider: dex
+ dex:
+ openShiftOAuth: true
+ groups:
+ - openshiftroot
+ - openshiftrootswissonly
+ server:
+ host: syn-argocd.example.com
+ insecure: false
+ ingress:
+ enabled: false
+ route:
+ enabled: true
+ tls:
+ insecureEdgeTerminationPolicy: Redirect
+ termination: reencrypt
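Review bot: The new `override:` block in tests/openshift.yml carries no comment saying what it exercises, and its values read like a recommended baseline although they are test data: `defaultPolicy: 'role:readonly'` gives every user who completes the OpenShift OAuth login read access to all Applications, and the two named groups are mapped to `role:admin`. A comment above `override:` such as `# Exercises the override merge path: RBAC group-to-role mapping, Dex SSO via OpenShift OAuth, and a reencrypt Route with server.insecure disabled; values are illustrative, not a hardened baseline.` would keep the intent clear for whoever copies it. Since this block is the only worked example of `override` in the patch, the parameters.adoc section could point readers to it.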