feat: Support for multiple rbac ConfigMaps (Alpha) #17828
Checklist:
Fixes #8324
This work is based on these abandoned PRs:
In large multi-tenant instances, the size of the policy.csv may exceed the limit for a single Kubernetes resource.
This patch adds the label argocd.argoproj.io/cm-type=policy-csv, which, when placed on a configmap in the same namespace, causes it to be included in the casbin policy according to the same rules as the existing argocd-cm-rbac configmap, with outputs sorted alphabetically by configmap name before concatenation to ensure predictable outputs.
The admin CLI has been updated to also check for these additional configmaps and generate the final policy accordingly.
E2E tests have been added to ensure that these extra configmaps' policies are included when created, as well as correctly removed when they are changed or updated.
NOTE: I could have sworn I made this PR as a draft a few days ago, but it was gone when I went to update it. Please excuse me if I've accidentally made a duplicate.
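The merge described in the PR text above, sketched as an added Go example; it is not code from the pull request. The `ConfigMap` struct, the `MergePolicies` function, reading the `policy.csv` key from each extra ConfigMap, and placing the base policy first are assumptions; the sample data is constructed.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Label key and value as given in the PR description.
const (
	policyLabelKey   = "argocd.argoproj.io/cm-type"
	policyLabelValue = "policy-csv"
)

// ConfigMap is a minimal stand-in for a Kubernetes ConfigMap (hypothetical type).
type ConfigMap struct {
	Name, Namespace string
	Labels, Data    map[string]string
}

// MergePolicies appends policy.csv from every labelled ConfigMap in namespace ns
// to the base policy, ordered by ConfigMap name so the result is deterministic.
// ConfigMaps in other namespaces or without the label are ignored.
func MergePolicies(base, ns string, cms []ConfigMap) string {
	var extra []ConfigMap
	for _, cm := range cms {
		if cm.Namespace == ns && cm.Labels[policyLabelKey] == policyLabelValue {
			extra = append(extra, cm)
		}
	}
	sort.Slice(extra, func(i, j int) bool { return extra[i].Name < extra[j].Name })

	var parts []string
	if b := strings.TrimSpace(base); b != "" {
		parts = append(parts, b)
	}
	for _, cm := range extra {
		if p := strings.TrimSpace(cm.Data["policy.csv"]); p != "" {
			parts = append(parts, p)
		}
	}
	return strings.Join(parts, "\n")
}

func main() {
	lbl := map[string]string{policyLabelKey: policyLabelValue}
	cms := []ConfigMap{ // constructed sample input
		{Name: "team-b", Namespace: "argocd", Labels: lbl, Data: map[string]string{"policy.csv": "g, bob, role:team-b"}},
		{Name: "team-a", Namespace: "argocd", Labels: lbl, Data: map[string]string{"policy.csv": "g, alice, role:team-a"}},
	}
	fmt.Println(MergePolicies("g, admin, role:admin", "argocd", cms))
}
```

Because the label alone opts a ConfigMap into the effective policy, Kubernetes RBAC on creating and labelling ConfigMaps in that namespace decides who can extend it.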