Merge branch 'master' into add-plugin-tar-inclusion

Signed-off-by: Clément Legrand <[email protected]>

applicationset/controllers/applicationset_controller_test.go

@@ -220,7 +220,7 @@ func TestExtractApplications(t *testing.T) {
 				Cache:         &fakeCache{},
 			}
 
-			got, reason, err := r.generateApplications(v1alpha1.ApplicationSet{
+			got, reason, err := r.generateApplications(log.NewEntry(log.StandardLogger()), v1alpha1.ApplicationSet{
 				ObjectMeta: metav1.ObjectMeta{
 					Name:      "name",
 					Namespace: "namespace",
@@ -333,7 +333,7 @@ func TestMergeTemplateApplications(t *testing.T) {
 				KubeClientset: kubefake.NewSimpleClientset(),
 			}
 
-			got, _, _ := r.generateApplications(v1alpha1.ApplicationSet{
+			got, _, _ := r.generateApplications(log.NewEntry(log.StandardLogger()), v1alpha1.ApplicationSet{
 				ObjectMeta: metav1.ObjectMeta{
 					Name:      "name",
 					Namespace: "namespace",
@@ -1003,7 +1003,7 @@ func TestCreateOrUpdateInCluster(t *testing.T) {
 				Cache:    &fakeCache{},
 			}
 
-			err = r.createOrUpdateInCluster(context.TODO(), c.appSet, c.desiredApps)
+			err = r.createOrUpdateInCluster(context.TODO(), log.NewEntry(log.StandardLogger()), c.appSet, c.desiredApps)
 			assert.Nil(t, err)
 
 			for _, obj := range c.expected {
@@ -1491,7 +1491,7 @@ func TestCreateApplications(t *testing.T) {
 				Cache:    &fakeCache{},
 			}
 
-			err = r.createInCluster(context.TODO(), c.appSet, c.apps)
+			err = r.createInCluster(context.TODO(), log.NewEntry(log.StandardLogger()), c.appSet, c.apps)
 			assert.Nil(t, err)
 
 			for _, obj := range c.expected {
@@ -1635,7 +1635,7 @@ func TestDeleteInCluster(t *testing.T) {
 			KubeClientset: kubefake.NewSimpleClientset(),
 		}
 
-		err = r.deleteInCluster(context.TODO(), c.appSet, c.desiredApps)
+		err = r.deleteInCluster(context.TODO(), log.NewEntry(log.StandardLogger()), c.appSet, c.desiredApps)
 		assert.Nil(t, err)
 
 		// For each of the expected objects, verify they exist on the cluster
@@ -2525,7 +2525,7 @@ func TestGenerateAppsUsingPullRequestGenerator(t *testing.T) {
 				KubeClientset: kubefake.NewSimpleClientset(),
 			}
 
-			gotApp, _, _ := appSetReconciler.generateApplications(v1alpha1.ApplicationSet{
+			gotApp, _, _ := appSetReconciler.generateApplications(log.NewEntry(log.StandardLogger()), v1alpha1.ApplicationSet{
 				Spec: v1alpha1.ApplicationSetSpec{
 					GoTemplate: true,
 					Generators: []v1alpha1.ApplicationSetGenerator{{
@@ -2814,7 +2814,7 @@ func TestSetApplicationSetApplicationStatus(t *testing.T) {
 				KubeClientset:    kubeclientset,
 			}
 
-			err = r.setAppSetApplicationStatus(context.TODO(), &cc.appSet, cc.appStatuses)
+			err = r.setAppSetApplicationStatus(context.TODO(), log.NewEntry(log.StandardLogger()), &cc.appSet, cc.appStatuses)
 			assert.Nil(t, err)
 
 			assert.Equal(t, cc.expectedAppStatuses, cc.appSet.Status.ApplicationStatus)
@@ -3577,7 +3577,7 @@ func TestBuildAppDependencyList(t *testing.T) {
 				KubeClientset:    kubeclientset,
 			}
 
-			appDependencyList, appStepMap, err := r.buildAppDependencyList(context.TODO(), cc.appSet, cc.apps)
+			appDependencyList, appStepMap, err := r.buildAppDependencyList(log.NewEntry(log.StandardLogger()), cc.appSet, cc.apps)
 			assert.Equal(t, err, nil, "expected no errors, but errors occured")
 			assert.Equal(t, cc.expectedList, appDependencyList, "expected appDependencyList did not match actual")
 			assert.Equal(t, cc.expectedStepMap, appStepMap, "expected appStepMap did not match actual")
@@ -4831,7 +4831,7 @@ func TestUpdateApplicationSetApplicationStatus(t *testing.T) {
 				KubeClientset:    kubeclientset,
 			}
 
-			appStatuses, err := r.updateApplicationSetApplicationStatus(context.TODO(), &cc.appSet, cc.apps, cc.appStepMap)
+			appStatuses, err := r.updateApplicationSetApplicationStatus(context.TODO(), log.NewEntry(log.StandardLogger()), &cc.appSet, cc.apps, cc.appStepMap)
 
 			// opt out of testing the LastTransitionTime is accurate
 			for i := range appStatuses {
@@ -5585,7 +5585,7 @@ func TestUpdateApplicationSetApplicationStatusProgress(t *testing.T) {
 				KubeClientset:    kubeclientset,
 			}
 
-			appStatuses, err := r.updateApplicationSetApplicationStatusProgress(context.TODO(), &cc.appSet, cc.appSyncMap, cc.appStepMap, cc.appMap)
+			appStatuses, err := r.updateApplicationSetApplicationStatusProgress(context.TODO(), log.NewEntry(log.StandardLogger()), &cc.appSet, cc.appSyncMap, cc.appStepMap, cc.appMap)
 
 			// opt out of testing the LastTransitionTime is accurate
 			for i := range appStatuses {

cmd/argocd/commands/admin/settings_rbac.go

@@ -189,7 +189,6 @@ argocd admin settings rbac can someuser create application 'default/app' --defau
 			}
 		},
 	}
-
 	clientConfig = cli.AddKubectlFlagsToCmd(command)
 	command.Flags().StringVar(&policyFile, "policy-file", "", "path to the policy file to use")
 	command.Flags().StringVar(&defaultRole, "default-role", "", "name of the default role to use")
@@ -202,24 +201,55 @@ argocd admin settings rbac can someuser create application 'default/app' --defau
 // NewRBACValidateCommand returns a new rbac validate command
 func NewRBACValidateCommand() *cobra.Command {
 	var (
-		policyFile string
+		policyFile   string
+		namespace    string
+		clientConfig clientcmd.ClientConfig
 	)
 
 	var command = &cobra.Command{
-		Use:   "validate --policy-file=POLICYFILE",
+		Use:   "validate [--policy-file POLICYFILE] [--namespace NAMESPACE]",
 		Short: "Validate RBAC policy",
 		Long: `
 Validates an RBAC policy for being syntactically correct. The policy must be
-a local file, and in either CSV or K8s ConfigMap format.
+a local file or a K8s ConfigMap in the provided namespace, and in either CSV or K8s ConfigMap format.
+`,
+		Example: `
+# Check whether a given policy file is valid using a local policy.csv file.
+argocd admin settings rbac validate --policy-file policy.csv
+
+# Policy file can also be K8s config map with data keys like argocd-rbac-cm,
+# i.e. 'policy.csv' and (optionally) 'policy.default'
+argocd admin settings rbac validate --policy-file argocd-rbac-cm.yaml
+
+# If --policy-file is not given, and instead --namespace is giventhe ConfigMap 'argocd-rbac-cm' 
+# from K8s is used. 
+argocd admin settings rbac validate --namespace argocd
+
+# Either --policy-file or --namespace must be given.
 `,
 		Run: func(c *cobra.Command, args []string) {
 			ctx := c.Context()
 
-			if policyFile == "" {
+			if len(args) > 0 {
 				c.HelpFunc()(c, args)
-				log.Fatalf("Please specify policy to validate using --policy-file")
+				log.Fatalf("too many arguments")
+			}
+
+			if (namespace == "" && policyFile == "") || (namespace != "" && policyFile != "") {
+				c.HelpFunc()(c, args)
+				log.Fatalf("please provide exactly one of --policy-file or --namespace")
 			}
-			userPolicy, _, _ := getPolicy(ctx, policyFile, nil, "")
+
+			restConfig, err := clientConfig.ClientConfig()
+			if err != nil {
+				log.Fatalf("could not get config to create k8s client: %v", err)
+			}
+			realClientset, err := kubernetes.NewForConfig(restConfig)
+			if err != nil {
+				log.Fatalf("could not create k8s client: %v", err)
+			}
+
+			userPolicy, _, _ := getPolicy(ctx, policyFile, realClientset, namespace)
 			if userPolicy != "" {
 				if err := rbac.ValidatePolicy(userPolicy); err == nil {
 					fmt.Printf("Policy is valid.\n")
@@ -228,11 +258,15 @@ a local file, and in either CSV or K8s ConfigMap format.
 					fmt.Printf("Policy is invalid: %v\n", err)
 					os.Exit(1)
 				}
+			} else {
+				log.Fatalf("Policy is empty or could not be loaded.")
 			}
 		},
 	}
-
+	clientConfig = cli.AddKubectlFlagsToCmd(command)
 	command.Flags().StringVar(&policyFile, "policy-file", "", "path to the policy file to use")
+	command.Flags().StringVar(&namespace, "namespace", "", "namespace to get argo rbac configmap from")
+
 	return command
 }
 

cmd/argocd/commands/admin/settings_rbac_test.go

@@ -5,15 +5,42 @@ import (
 	"os"
 	"testing"
 
+	"github.com/argoproj/argo-cd/v2/util/assets"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/kubernetes/fake"
-
-	"github.com/argoproj/argo-cd/v2/util/assets"
+	restclient "k8s.io/client-go/rest"
+	"k8s.io/client-go/tools/clientcmd"
+	clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
 )
 
+type FakeClientConfig struct {
+	clientConfig clientcmd.ClientConfig
+}
+
+func NewFakeClientConfig(clientConfig clientcmd.ClientConfig) *FakeClientConfig {
+	return &FakeClientConfig{clientConfig: clientConfig}
+}
+
+func (f *FakeClientConfig) RawConfig() (clientcmdapi.Config, error) {
+	config, err := f.clientConfig.RawConfig()
+	return config, err
+}
+
+func (f *FakeClientConfig) ClientConfig() (*restclient.Config, error) {
+	return f.clientConfig.ClientConfig()
+}
+
+func (f *FakeClientConfig) Namespace() (string, bool, error) {
+	return f.clientConfig.Namespace()
+}
+
+func (f *FakeClientConfig) ConfigAccess() clientcmd.ConfigAccess {
+	return nil
+}
+
 func Test_isValidRBACAction(t *testing.T) {
 	for k := range validRBACActions {
 		t.Run(k, func(t *testing.T) {
@@ -200,3 +227,19 @@ p, role:, certificates, get, .*, allow`
 		require.True(t, ok)
 	})
 }
+
+func TestNewRBACCanCommand(t *testing.T) {
+	command := NewRBACCanCommand()
+
+	require.NotNil(t, command)
+	assert.Equal(t, "can", command.Name())
+	assert.Equal(t, "Check RBAC permissions for a role or subject", command.Short)
+}
+
+func TestNewRBACValidateCommand(t *testing.T) {
+	command := NewRBACValidateCommand()
+
+	require.NotNil(t, command)
+	assert.Equal(t, "validate", command.Name())
+	assert.Equal(t, "Validate RBAC policy", command.Short)
+}

docs/snyk/index.md

@@ -15,49 +15,49 @@ recent minor releases.
 |---:|:--------:|:----:|:------:|:---:|
 | [go.mod](master/argocd-test.html) | 0 | 0 | 6 | 0 |
 | [ui/yarn.lock](master/argocd-test.html) | 0 | 0 | 0 | 0 |
-| [dex:v2.37.0](master/ghcr.io_dexidp_dex_v2.37.0.html) | 1 | 0 | 3 | 0 |
-| [haproxy:2.6.14-alpine](master/haproxy_2.6.14-alpine.html) | 0 | 0 | 0 | 0 |
-| [argocd:latest](master/quay.io_argoproj_argocd_latest.html) | 0 | 0 | 4 | 19 |
-| [redis:7.0.11-alpine](master/redis_7.0.11-alpine.html) | 1 | 0 | 3 | 0 |
+| [dex:v2.37.0](master/ghcr.io_dexidp_dex_v2.37.0.html) | 1 | 0 | 3 | 1 |
+| [haproxy:2.6.14-alpine](master/haproxy_2.6.14-alpine.html) | 0 | 0 | 0 | 1 |
+| [argocd:latest](master/quay.io_argoproj_argocd_latest.html) | 0 | 0 | 4 | 16 |
+| [redis:7.0.11-alpine](master/redis_7.0.11-alpine.html) | 1 | 0 | 3 | 1 |
 | [install.yaml](master/argocd-iac-install.html) | - | - | - | - |
 | [namespace-install.yaml](master/argocd-iac-namespace-install.html) | - | - | - | - |
 
-### v2.9.0-rc2
+### v2.9.0-rc3
 
 |    | Critical | High | Medium | Low |
 |---:|:--------:|:----:|:------:|:---:|
-| [go.mod](v2.9.0-rc2/argocd-test.html) | 0 | 2 | 6 | 0 |
-| [ui/yarn.lock](v2.9.0-rc2/argocd-test.html) | 0 | 0 | 0 | 0 |
-| [dex:v2.37.0](v2.9.0-rc2/ghcr.io_dexidp_dex_v2.37.0.html) | 1 | 0 | 3 | 0 |
-| [haproxy:2.6.14-alpine](v2.9.0-rc2/haproxy_2.6.14-alpine.html) | 0 | 0 | 0 | 0 |
-| [argocd:v2.9.0-rc2](v2.9.0-rc2/quay.io_argoproj_argocd_v2.9.0-rc2.html) | 0 | 2 | 7 | 20 |
-| [redis:7.0.11-alpine](v2.9.0-rc2/redis_7.0.11-alpine.html) | 1 | 0 | 3 | 0 |
-| [install.yaml](v2.9.0-rc2/argocd-iac-install.html) | - | - | - | - |
-| [namespace-install.yaml](v2.9.0-rc2/argocd-iac-namespace-install.html) | - | - | - | - |
+| [go.mod](v2.9.0-rc3/argocd-test.html) | 0 | 2 | 6 | 0 |
+| [ui/yarn.lock](v2.9.0-rc3/argocd-test.html) | 0 | 0 | 0 | 0 |
+| [dex:v2.37.0](v2.9.0-rc3/ghcr.io_dexidp_dex_v2.37.0.html) | 1 | 0 | 3 | 1 |
+| [haproxy:2.6.14-alpine](v2.9.0-rc3/haproxy_2.6.14-alpine.html) | 0 | 0 | 0 | 1 |
+| [argocd:v2.9.0-rc3](v2.9.0-rc3/quay.io_argoproj_argocd_v2.9.0-rc3.html) | 0 | 0 | 4 | 16 |
+| [redis:7.0.11-alpine](v2.9.0-rc3/redis_7.0.11-alpine.html) | 1 | 0 | 3 | 1 |
+| [install.yaml](v2.9.0-rc3/argocd-iac-install.html) | - | - | - | - |
+| [namespace-install.yaml](v2.9.0-rc3/argocd-iac-namespace-install.html) | - | - | - | - |
 
-### v2.8.4
+### v2.8.5
 
 |    | Critical | High | Medium | Low |
 |---:|:--------:|:----:|:------:|:---:|
-| [go.mod](v2.8.4/argocd-test.html) | 0 | 2 | 6 | 0 |
-| [ui/yarn.lock](v2.8.4/argocd-test.html) | 0 | 0 | 0 | 0 |
-| [dex:v2.37.0](v2.8.4/ghcr.io_dexidp_dex_v2.37.0.html) | 1 | 0 | 3 | 0 |
-| [haproxy:2.6.14-alpine](v2.8.4/haproxy_2.6.14-alpine.html) | 0 | 0 | 0 | 0 |
-| [argocd:v2.8.4](v2.8.4/quay.io_argoproj_argocd_v2.8.4.html) | 0 | 2 | 7 | 20 |
-| [redis:7.0.11-alpine](v2.8.4/redis_7.0.11-alpine.html) | 1 | 0 | 3 | 0 |
-| [install.yaml](v2.8.4/argocd-iac-install.html) | - | - | - | - |
-| [namespace-install.yaml](v2.8.4/argocd-iac-namespace-install.html) | - | - | - | - |
+| [go.mod](v2.8.5/argocd-test.html) | 0 | 0 | 6 | 0 |
+| [ui/yarn.lock](v2.8.5/argocd-test.html) | 0 | 0 | 0 | 0 |
+| [dex:v2.37.0](v2.8.5/ghcr.io_dexidp_dex_v2.37.0.html) | 1 | 0 | 3 | 1 |
+| [haproxy:2.6.14-alpine](v2.8.5/haproxy_2.6.14-alpine.html) | 0 | 0 | 0 | 1 |
+| [argocd:v2.8.5](v2.8.5/quay.io_argoproj_argocd_v2.8.5.html) | 0 | 0 | 4 | 16 |
+| [redis:7.0.11-alpine](v2.8.5/redis_7.0.11-alpine.html) | 1 | 0 | 3 | 1 |
+| [install.yaml](v2.8.5/argocd-iac-install.html) | - | - | - | - |
+| [namespace-install.yaml](v2.8.5/argocd-iac-namespace-install.html) | - | - | - | - |
 
 ### v2.7.14
 
 |    | Critical | High | Medium | Low |
 |---:|:--------:|:----:|:------:|:---:|
 | [go.mod](v2.7.14/argocd-test.html) | 0 | 3 | 5 | 0 |
 | [ui/yarn.lock](v2.7.14/argocd-test.html) | 0 | 1 | 0 | 0 |
-| [dex:v2.37.0](v2.7.14/ghcr.io_dexidp_dex_v2.37.0.html) | 1 | 0 | 3 | 0 |
-| [haproxy:2.6.14-alpine](v2.7.14/haproxy_2.6.14-alpine.html) | 0 | 0 | 0 | 0 |
-| [argocd:v2.7.14](v2.7.14/quay.io_argoproj_argocd_v2.7.14.html) | 0 | 2 | 7 | 20 |
-| [redis:7.0.11-alpine](v2.7.14/redis_7.0.11-alpine.html) | 1 | 0 | 3 | 0 |
+| [dex:v2.37.0](v2.7.14/ghcr.io_dexidp_dex_v2.37.0.html) | 1 | 0 | 3 | 1 |
+| [haproxy:2.6.14-alpine](v2.7.14/haproxy_2.6.14-alpine.html) | 0 | 0 | 0 | 1 |
+| [argocd:v2.7.14](v2.7.14/quay.io_argoproj_argocd_v2.7.14.html) | 0 | 2 | 8 | 20 |
+| [redis:7.0.11-alpine](v2.7.14/redis_7.0.11-alpine.html) | 1 | 0 | 3 | 1 |
 | [install.yaml](v2.7.14/argocd-iac-install.html) | - | - | - | - |
 | [namespace-install.yaml](v2.7.14/argocd-iac-namespace-install.html) | - | - | - | - |
 
@@ -67,9 +67,9 @@ recent minor releases.
 |---:|:--------:|:----:|:------:|:---:|
 | [go.mod](v2.6.15/argocd-test.html) | 0 | 3 | 5 | 0 |
 | [ui/yarn.lock](v2.6.15/argocd-test.html) | 0 | 1 | 0 | 0 |
-| [dex:v2.37.0](v2.6.15/ghcr.io_dexidp_dex_v2.37.0.html) | 1 | 0 | 3 | 0 |
-| [haproxy:2.6.14-alpine](v2.6.15/haproxy_2.6.14-alpine.html) | 0 | 0 | 0 | 0 |
-| [argocd:v2.6.15](v2.6.15/quay.io_argoproj_argocd_v2.6.15.html) | 0 | 2 | 7 | 20 |
-| [redis:7.0.11-alpine](v2.6.15/redis_7.0.11-alpine.html) | 1 | 0 | 3 | 0 |
+| [dex:v2.37.0](v2.6.15/ghcr.io_dexidp_dex_v2.37.0.html) | 1 | 0 | 3 | 1 |
+| [haproxy:2.6.14-alpine](v2.6.15/haproxy_2.6.14-alpine.html) | 0 | 0 | 0 | 1 |
+| [argocd:v2.6.15](v2.6.15/quay.io_argoproj_argocd_v2.6.15.html) | 0 | 2 | 8 | 20 |
+| [redis:7.0.11-alpine](v2.6.15/redis_7.0.11-alpine.html) | 1 | 0 | 3 | 1 |
 | [install.yaml](v2.6.15/argocd-iac-install.html) | - | - | - | - |
 | [namespace-install.yaml](v2.6.15/argocd-iac-namespace-install.html) | - | - | - | - |