diff --git a/config/samples/ephemeral-access_v1alpha1_accessbinding.yaml b/config/samples/ephemeral-access_v1alpha1_accessbinding.yaml
new file mode 100644
index 0000000..b1f27b6
--- /dev/null
+++ b/config/samples/ephemeral-access_v1alpha1_accessbinding.yaml
@@ -0,0 +1,15 @@
+apiVersion: ephemeral-access.argoproj-labs.io/v1alpha1
+kind: AccessBinding
+metadata:
+ labels:
+ app.kubernetes.io/name: argocd-ephemeral-access
+ app.kubernetes.io/managed-by: kustomize
+ name: some-access-binding
+spec:
+ roleTemplateRef:
+ name: devops
+ subjects:
+ - group1
+ if: "true"
+ ordinal: 1
+ friendlyName: "Devops (AB)"
diff --git a/config/samples/ephemeral-access_v1alpha1_roletemplate.yaml b/config/samples/ephemeral-access_v1alpha1_roletemplate.yaml
index b83d08c..ff65261 100644
--- a/config/samples/ephemeral-access_v1alpha1_roletemplate.yaml
+++ b/config/samples/ephemeral-access_v1alpha1_roletemplate.yaml
@@ -4,6 +4,13 @@ metadata:
 labels:
 app.kubernetes.io/name: argocd-ephemeral-access
 app.kubernetes.io/managed-by: kustomize
- name: roletemplate-sample
+ name: devops
 spec:
- # TODO(user): Add fields here
+ description: write permission in application {{.Application}}
+ name: "DevOps (Write)"
+ policies:
+ - p, {{.Role}}, applications, sync, {{.Project}}/{{.Application}}, allow
+ - p, {{.Role}}, applications, get, {{.Project}}/{{.Application}}, deny
+ - p, {{.Role}}, applications, action/*, {{.Project}}/{{.Application}}, allow
+ - p, {{.Role}}, applications, delete/*/Pod/*, {{.Project}}/{{.Application}}, allow
+ - p, {{.Role}}, logs, get, {{.Project}}/{{.Namespace}}/{{.Application}}, allow
diff --git a/internal/backend/service.go b/internal/backend/service.go
index 51c393c..5c75a54 100644
--- a/internal/backend/service.go
+++ b/internal/backend/service.go
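Review bot: The sample binding uses `if: "true"` without saying what the field evaluates, so anyone copying it gets an unconditional grant of the `devops` template to every member of `group1` with no hint of where a real condition belongs. A comment beside it such as `# if: per-request condition; "true" matches unconditionally — use a real expression outside of samples` would make the sample self-describing (the evaluation semantics are not visible in this diff, so word it to match the controller's actual behaviour). `ordinal: 1` likewise deserves a one-line comment on how it orders competing bindings.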
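Review bot: The `policies` list of the `devops` template allows `sync`, `action/*` and `delete/*/Pod/*` on the application yet explicitly denies `get` on the same object (`- p, {{.Role}}, applications, get, {{.Project}}/{{.Application}}, deny`), which reads as a contradiction for a role named "DevOps (Write)"; if the deny is deliberate as a demonstration, a YAML comment above that line saying so would keep readers from copying it into real templates. `action/*` grants every resource action the application exposes, which a sample should call out as a broad grant rather than leave implicit. The `logs` line uses a three-segment object `{{.Project}}/{{.Namespace}}/{{.Application}}` unlike the others; a short comment explaining why logs are scoped with a namespace segment would help (the exact object format is defined by Argo CD RBAC, which this diff does not show).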
@@ -164,6 +164,10 @@ func (s *DefaultService) matchSubject(subjects, groups []string) bool {
 func (s *DefaultService) CreateAccessRequest(ctx context.Context, key *AccessRequestKey, binding *api.AccessBinding) (*api.AccessRequest, error) {
 roleName := binding.Spec.RoleTemplateRef.Name
 ar := &api.AccessRequest{
+ TypeMeta: metav1.TypeMeta{
+ Kind: "AccessRequest",
+ APIVersion: "v1alpha1",
+ },
 ObjectMeta: metav1.ObjectMeta{
 Namespace: key.Namespace,
 GenerateName: getAccessRequestPrefix(key.Username, roleName),
@@ -213,6 +217,7 @@ func getAccessRequestPrefix(username, roleName string) string {
 }
 
 func (s *DefaultService) GetApplication(ctx context.Context, name string, namespace string) (*unstructured.Unstructured, error) {
+ s.logger.Debug(fmt.Sprintf("Getting application %s/%s", namespace, name))
 app, err := s.k8s.GetApplication(ctx, name, namespace)
 if err != nil {
 if apierrors.IsNotFound(err) {
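Review bot: `APIVersion: "v1alpha1"` in the new TypeMeta is only the version half of a Kubernetes apiVersion; the sample manifests in this same change use `ephemeral-access.argoproj-labs.io/v1alpha1`, so anything that reads `ar.TypeMeta` (serialisation, owner references derived from it, tests comparing objects) sees an inconsistent value. Set it from the api package's exported GroupVersion if there is one (kubebuilder-style projects usually expose `api.GroupVersion.String()`), otherwise use the full string `APIVersion: "ephemeral-access.argoproj-labs.io/v1alpha1",`. If the object is created through a controller-runtime client, the scheme fills TypeMeta on create anyway, so dropping the hand-written literal may be the simpler fix. CreateAccessRequest's body continues outside the hunk.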
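Review bot: The new debug line interpolates `namespace` and `name` with `%s` through `fmt.Sprintf`; if those values originate from an API caller, embedded newlines or control characters are written to the log verbatim, which lets one request forge extra log lines. Use `%q` so such input is escaped and empty values are visible, or, if `s.logger` accepts key/value pairs in the `slog` style, log structured fields instead: `s.logger.Debug("getting application", "namespace", namespace, "name", name)`. The logger's API is not visible in this hunk, so pick whichever form it supports. GetApplication's body continues outside the hunk.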