Labels: enhancement (New feature or request)
Description
As of now we can only manage the global RBAC with this Operator. We should extend the functionality to allow users to manage AppProject's RBAC.
We could use the ArgoCDRoles, bind them to groups and patch them into the AppProject. This could be done with existing ArgoCDRoleBindings (e.g. labelSelector). By adopting this pattern we could reuse the same ArgoCDRoles and "bind" them to multiple AppProjects. Changes to an ArgoCDRole's permissions would result in an update of the referenced AppProject.
There are some things to be considered:
- It is very important that policy roles follow the pattern `proj:<project-name>:<role-name>` or they won't be effective during the Argo CD authorization process.
- Each project role policy rule must be scoped to that project only.
Example AppProject manifest:
```yaml
apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
  name: sample-test-project
spec:
  ...
  roles:
    - name: custom-project-role
      description: The "custom-project-role" will be applied to the `some-user` group.
      groups:
        - some-user
      policies:
        - p, proj:sample-test-project:custom-project-role, applications, *, *, allow
  ...
```

References:
jeanmorais
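
An added sketch, not part of the issue and not the operator's code, of how one shared role could be rendered into per-project policy lines and checked against the `proj:<project-name>:<role-name>` pattern before an AppProject is patched. The `Rule` type, the function names and the `another-project` name are hypothetical; "scoped to that project" is read here as the subject naming the project that holds the role, and Argo CD's own validation is not reproduced.

```go
package main

import (
	"fmt"
	"strings"
)

// Rule is a hypothetical, project-agnostic permission from a shared ArgoCDRole.
type Rule struct{ Resource, Action, Object string }

// Subject builds the subject form the issue requires for a project role.
func Subject(project, role string) string { return "proj:" + project + ":" + role }

// RenderPolicies expands shared rules into policy lines for one AppProject.
func RenderPolicies(project, role string, rules []Rule) []string {
	out := make([]string, 0, len(rules))
	for _, r := range rules {
		out = append(out, fmt.Sprintf("p, %s, %s, %s, %s, allow",
			Subject(project, role), r.Resource, r.Action, r.Object))
	}
	return out
}

// CheckPolicy rejects a line that is malformed or names another project or role.
func CheckPolicy(project, role, policy string) error {
	f := strings.Split(policy, ",")
	for i := range f {
		f[i] = strings.TrimSpace(f[i])
	}
	if len(f) != 6 || f[0] != "p" {
		return fmt.Errorf("policy %q: want 'p, subject, resource, action, object, effect'", policy)
	}
	if f[1] != Subject(project, role) {
		return fmt.Errorf("policy %q: subject %q must be %q", policy, f[1], Subject(project, role))
	}
	return nil
}

func main() {
	// Constructed input: one shared role bound to two AppProjects.
	rules := []Rule{{"applications", "*", "*"}}
	for _, project := range []string{"sample-test-project", "another-project"} {
		for _, p := range RenderPolicies(project, "custom-project-role", rules) {
			fmt.Println(project, "->", p, "| check:", CheckPolicy(project, "custom-project-role", p))
		}
	}
	// A line copied unchanged from one project into another is caught.
	stale := RenderPolicies("sample-test-project", "custom-project-role", rules)[0]
	fmt.Println(CheckPolicy("another-project", "custom-project-role", stale))
}
```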