argoproj-labs · DonaldKellett · Apr 17, 2024 · Apr 17, 2024
diff --git a/api/v1beta1/argocd_types.go b/api/v1beta1/argocd_types.go
@@ -850,6 +850,9 @@ type ArgoCDSpec struct {
 	//+operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Version",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:fieldGroup:ArgoCD","urn:alm:descriptor:com.tectonic.ui:text"}
 	Version string `json:"version,omitempty"`
 
+	// WebTerminal defines the web terminal options for ArgoCD.
+	WebTerminal ArgoCDWebTerminalSpec `json:"webTerminal,omitempty"`
+
 	// Banner defines an additional banner to be displayed in Argo CD UI
 	Banner *Banner `json:"banner,omitempty"`
 }
@@ -957,6 +960,12 @@ type ArgoCDTLSSpec struct {
 	InitialCerts map[string]string `json:"initialCerts,omitempty"`
 }
 
+// ArgoCDWebTerminalSpec defines the web terminal options for ArgoCD.
+type ArgoCDWebTerminalSpec struct {
+	// Enabled defines whether the web terminal is enabled
+	Enabled bool `json:"enabled"`
+}
+
 type SSHHostsSpec struct {
 	// ExcludeDefaultHosts describes whether you would like to include the default
 	// list of SSH Known Hosts provided by ArgoCD.

diff --git a/api/v1beta1/zz_generated.deepcopy.go b/api/v1beta1/zz_generated.deepcopy.go
diff --git a/common/defaults.go b/common/defaults.go
@@ -145,6 +145,9 @@ const (
 	// ArgoCDDefaultKustomizeBuildOptions is the default kustomize build options.
 	ArgoCDDefaultKustomizeBuildOptions = ""
 
+	// ArgoCDDefaultWebTerminalEnabled is the default web terminal enabled switch.
+	ArgoCDDefaultWebTerminalEnabled = "false"
+
 	// ArgoCDKeycloakImage is the default Keycloak Image used for the non-openshift platforms when not specified.
 	ArgoCDKeycloakImage = "quay.io/keycloak/keycloak"
 

diff --git a/common/keys.go b/common/keys.go
@@ -168,6 +168,9 @@ const (
 	// ArgoCDKeyUsersAnonymousEnabled is the configuration key for anonymous user access.
 	ArgoCDKeyUsersAnonymousEnabled = "users.anonymous.enabled"
 
+	// ArgoCDKeyWebTerminalEnabled is the configuration key for enabling the web terminal.
+	ArgoCDKeyWebTerminalEnabled = "exec.enabled"
+
 	// ArgoCDDexImageEnvName is the environment variable used to get the image
 	// to used for the Dex container.
 	ArgoCDDexImageEnvName = "ARGOCD_DEX_IMAGE"

diff --git a/config/crd/bases/argoproj.io_argocds.yaml b/config/crd/bases/argoproj.io_argocds.yaml
@@ -13798,6 +13798,15 @@ spec:
                 description: Version is the tag to use with the ArgoCD container image
                   for all ArgoCD components.
                 type: string
+              webTerminal:
+                description: WebTerminal defines the web terminal options for ArgoCD.
+                properties:
+                  enabled:
+                    description: Enabled defines whether the web terminal is enabled
+                    type: boolean
+                required:
+                - enabled
+                type: object
             type: object
           status:
             description: ArgoCDStatus defines the observed state of ArgoCD

diff --git a/controllers/argocd/configmap.go b/controllers/argocd/configmap.go
@@ -113,6 +113,15 @@ func getKustomizeBuildOptions(cr *argoproj.ArgoCD) string {
 	return kbo
 }
 
+// getWebTerminalEnabled will return whether the web terminal is enabled for the given ArgoCD.
+func getWebTerminalEnabled(cr *argoproj.ArgoCD) string {
+	wte := common.ArgoCDDefaultWebTerminalEnabled
+	if cr.Spec.WebTerminal.Enabled {
+		wte = "true"
+	}
+	return wte
+}
+
 // getOIDCConfig will return the OIDC configuration for the given ArgoCD.
 func getOIDCConfig(cr *argoproj.ArgoCD) string {
 	config := common.ArgoCDDefaultOIDCConfig
@@ -377,6 +386,7 @@ func (r *ReconcileArgoCD) reconcileArgoConfigMap(cr *argoproj.ArgoCD) error {
 	cm.Data[common.ArgoCDKeyHelpChatURL] = getHelpChatURL(cr)
 	cm.Data[common.ArgoCDKeyHelpChatText] = getHelpChatText(cr)
 	cm.Data[common.ArgoCDKeyKustomizeBuildOptions] = getKustomizeBuildOptions(cr)
+	cm.Data[common.ArgoCDKeyWebTerminalEnabled] = getWebTerminalEnabled(cr)
 
 	if len(cr.Spec.KustomizeVersions) > 0 {
 		for _, kv := range cr.Spec.KustomizeVersions {

diff --git a/controllers/argocd/configmap_test.go b/controllers/argocd/configmap_test.go
@@ -164,6 +164,7 @@ func TestReconcileArgoCD_reconcileArgoConfigMap(t *testing.T) {
 		"statusbadge.enabled":                "false",
 		"url":                                "https://argocd-server",
 		"users.anonymous.enabled":            "false",
+		"exec.enabled":                       "false",
 	}
 
 	cmdTests := []struct {

diff --git a/controllers/argocd/policyrule.go b/controllers/argocd/policyrule.go
@@ -5,6 +5,7 @@ import (
 
 	"golang.org/x/mod/semver"
 
+	argoproj "github.com/argoproj-labs/argocd-operator/api/v1beta1"
 	"github.com/argoproj-labs/argocd-operator/common"
 
 	v1 "k8s.io/api/rbac/v1"
@@ -81,8 +82,8 @@ func policyRuleForDexServer() []v1.PolicyRule {
 	}
 }
 
-func policyRuleForServer() []v1.PolicyRule {
-	return []v1.PolicyRule{
+func policyRuleForServer(cr *argoproj.ArgoCD) []v1.PolicyRule {
+	rules := []v1.PolicyRule{
 		{
 			APIGroups: []string{
 				"*",
@@ -159,6 +160,22 @@ func policyRuleForServer() []v1.PolicyRule {
 			},
 		},
 	}
+
+	if cr.Spec.WebTerminal.Enabled {
+		rules = append(rules, v1.PolicyRule{
+			APIGroups: []string{
+				"",
+			},
+			Resources: []string{
+				"pods/exec",
+			},
+			Verbs: []string{
+				"create",
+			},
+		})
+	}
+
+	return rules
 }
 
 func policyRuleForNotificationsController() []v1.PolicyRule {
@@ -316,7 +333,7 @@ func policyRuleForServerClusterRole() []v1.PolicyRule {
 	}
 }
 
-func getPolicyRuleList(client client.Client) []struct {
+func getPolicyRuleList(client client.Client, cr *argoproj.ArgoCD) []struct {
 	name       string
 	policyRule []v1.PolicyRule
 } {
@@ -332,7 +349,7 @@ func getPolicyRuleList(client client.Client) []struct {
 			policyRule: policyRuleForDexServer(),
 		}, {
 			name:       common.ArgoCDServerComponent,
-			policyRule: policyRuleForServer(),
+			policyRule: policyRuleForServer(cr),
 		}, {
 			name:       common.ArgoCDRedisHAComponent,
 			policyRule: policyRuleForRedisHa(client),

diff --git a/controllers/argocd/role.go b/controllers/argocd/role.go
@@ -64,7 +64,7 @@ func newClusterRole(name string, rules []v1.PolicyRule, cr *argoproj.ArgoCD) *v1
 
 // reconcileRoles will ensure that all ArgoCD Service Accounts are configured.
 func (r *ReconcileArgoCD) reconcileRoles(cr *argoproj.ArgoCD) error {
-	params := getPolicyRuleList(r.Client)
+	params := getPolicyRuleList(r.Client, cr)
 
 	for _, param := range params {
 		if _, err := r.reconcileRole(param.name, param.policyRule, cr); err != nil {

diff --git a/controllers/argocd/rolebinding.go b/controllers/argocd/rolebinding.go
@@ -84,7 +84,7 @@ func newRoleBindingWithname(name string, cr *argoproj.ArgoCD) *v1.RoleBinding {
 
 // reconcileRoleBindings will ensure that all ArgoCD RoleBindings are configured.
 func (r *ReconcileArgoCD) reconcileRoleBindings(cr *argoproj.ArgoCD) error {
-	params := getPolicyRuleList(r.Client)
+	params := getPolicyRuleList(r.Client, cr)
 
 	for _, param := range params {
 		if err := r.reconcileRoleBinding(param.name, param.policyRule, cr); err != nil {

diff --git a/controllers/argocd/service_account.go b/controllers/argocd/service_account.go
@@ -58,7 +58,7 @@ func getServiceAccountName(crName, name string) string {
 
 // reconcileServiceAccounts will ensure that all ArgoCD Service Accounts are configured.
 func (r *ReconcileArgoCD) reconcileServiceAccounts(cr *argoproj.ArgoCD) error {
-	params := getPolicyRuleList(r.Client)
+	params := getPolicyRuleList(r.Client, cr)
 
 	for _, param := range params {
 		if err := r.reconcileServiceAccountPermissions(param.name, param.policyRule, cr); err != nil {