fix(rbac): ensure Prometheus runs with correct permissions in ArgoCD-managed namespaces (#291)

- Add conditional node access rule for non-OpenShift environments
  - Pass config to Role for templating RBAC based on setup context
  - Replace hardcoded namespace list with config.application.activeNamespaces
  - Move validation logic into Role, RoleBinding, and ServiceAccountRef constructors
  - Update templates and tests to reflect RBAC and config handling changes

  This fixes permission issues that prevented Prometheus from working in a namespace-isolated setup via ArgoCD.

Author: pmarkiewka

.dockerignore

@@ -13,6 +13,7 @@
 !scripts/utils.sh
 !scripts/apply-ng.sh
 !scripts/downloadHelmCharts.sh
+!templates/kubernetes/rbac/
 !.curlrc
 !LICENSE
 

argocd/cluster-resources/misc/namespaces.ftl.yaml

@@ -1,4 +1,4 @@
-<#if config.application.openshift == false>
+<#if !config.application.openshift && !config.application.namespaceIsolation>
 apiVersion: v1
 kind: Namespace
 metadata:

src/main/groovy/com/cloudogu/gitops/features/argocd/ArgoCD.groovy

@@ -326,6 +326,7 @@ class ArgoCD extends Feature {
                             namespace,
                             ["argocd-argocd-server", "argocd-argocd-application-controller", "argocd-applicationset-controller"]
                     )
+                    .withConfig(config)
                     .withRepo(argocdRepoInitializationAction.repo)
                     .withSubfolder(OPERATOR_RBAC_PATH)
                     .generate()

src/main/groovy/com/cloudogu/gitops/kubernetes/rbac/RbacDefinition.groovy

@@ -1,5 +1,6 @@
 package com.cloudogu.gitops.kubernetes.rbac
 
+import com.cloudogu.gitops.config.Config
 import com.cloudogu.gitops.scmm.ScmmRepo
 import com.cloudogu.gitops.utils.TemplatingEngine
 import groovy.util.logging.Slf4j
@@ -15,6 +16,7 @@ class RbacDefinition {
     private List<ServiceAccountRef> serviceAccounts = []
     private String subfolder = "rbac"
     private ScmmRepo repo
+    private Config config
 
     private final TemplatingEngine templater = new TemplatingEngine()
 
@@ -51,17 +53,24 @@ class RbacDefinition {
         return this
     }
 
+    RbacDefinition withConfig(Config config) {
+        this.config = config
+        return this
+    }
+
     void generate() {
-        validateInputs()
+        if (!repo) {
+            throw new IllegalStateException("SCMM repo must be set using withRepo() before calling generate()")
+        }
+
+        def role = new Role(name, namespace, variant, config)
+        def binding = new RoleBinding(name, namespace, name, serviceAccounts)
 
-        log.debug("Generating RBAC for name='${name}', namespace='${namespace}', subfolder='${subfolder}'")
+        log.trace("Generating RBAC for name='${name}', namespace='${namespace}', subfolder='${subfolder}'")
 
         def outputDir = Path.of(repo.absoluteLocalRepoTmpDir, subfolder).toFile()
         outputDir.mkdirs()
 
-        def role = new Role(name, namespace, variant)
-        def binding = new RoleBinding(name, namespace, name, serviceAccounts)
-
         templater.template(
                 role.getTemplateFile(),
                 role.getOutputFile(outputDir),
@@ -75,18 +84,4 @@ class RbacDefinition {
         )
     }
 
-    private void validateInputs() {
-        if (!repo) {
-            throw new IllegalStateException("SCMM repo must be set using withRepo() before calling generate()")
-        }
-        if (!name?.trim()) {
-            throw new IllegalStateException("RBAC definition requires a non-empty name")
-        }
-        if (!namespace?.trim()) {
-            throw new IllegalStateException("RBAC definition requires a non-empty namespace")
-        }
-        if (!serviceAccounts || serviceAccounts.isEmpty()) {
-            throw new IllegalStateException("RBAC definition requires at least one service account")
-        }
-    }
 }

src/main/groovy/com/cloudogu/gitops/kubernetes/rbac/Role.groovy

@@ -1,14 +1,23 @@
 package com.cloudogu.gitops.kubernetes.rbac
 
+import com.cloudogu.gitops.config.Config
+
 class Role {
     String name
     String namespace
     Variant variant
+    Config config
+
+    Role(String name, String namespace, Variant variant, Config config) {
+        if (!name?.trim()) throw new IllegalArgumentException("Role name must not be blank")
+        if (!namespace?.trim()) throw new IllegalArgumentException("Role namespace must not be blank")
+        if (!variant) throw new IllegalArgumentException("Role variant must not be null")
+        if (!config) throw new IllegalArgumentException("Config must not be null")
 
-    Role(String name, String namespace, Variant variant) {
         this.name = name
         this.namespace = namespace
         this.variant = variant
+        this.config = config
     }
 
     enum Variant {
@@ -24,7 +33,8 @@ class Role {
     Map<String, Object> toTemplateParams() {
         return [
                 name     : name,
-                namespace: namespace
+                namespace: namespace,
+                config   : config
         ]
     }
 

src/main/groovy/com/cloudogu/gitops/kubernetes/rbac/RoleBinding.groovy

@@ -7,6 +7,11 @@ class RoleBinding {
     List<ServiceAccountRef> serviceAccounts
 
     RoleBinding(String name, String namespace, String roleName, List<ServiceAccountRef> serviceAccounts) {
+        if (!name?.trim()) throw new IllegalArgumentException("RoleBinding name must not be blank")
+        if (!namespace?.trim()) throw new IllegalArgumentException("RoleBinding namespace must not be blank")
+        if (!roleName?.trim()) throw new IllegalArgumentException("Role name must not be blank")
+        if (!serviceAccounts || serviceAccounts.isEmpty()) throw new IllegalArgumentException("At least one service account is required")
+
         this.name = name
         this.namespace = namespace
         this.roleName = roleName

src/main/groovy/com/cloudogu/gitops/kubernetes/rbac/ServiceAccountRef.groovy

@@ -1,16 +1,29 @@
 package com.cloudogu.gitops.kubernetes.rbac
 
 class ServiceAccountRef {
-    final String name
-    final String namespace
+    String name
+    String namespace
 
     ServiceAccountRef(String name, String namespace) {
+        if (!name?.trim()) {
+            throw new IllegalArgumentException("ServiceAccount name must not be blank")
+        }
+        if (!namespace?.trim()) {
+            throw new IllegalArgumentException("ServiceAccount namespace must not be blank")
+        }
         this.name = name
         this.namespace = namespace
     }
 
     static List<ServiceAccountRef> fromNames(String namespace, List<String> names) {
-        return names.collect { new ServiceAccountRef(it, namespace) }
+        if (!namespace?.trim()) {
+            throw new IllegalArgumentException("Namespace must not be blank for service accounts")
+        }
+
+        return names
+                .findAll { it?.trim() }
+                .unique()
+                .collect { new ServiceAccountRef(it, namespace) }
     }
 
     Map<String, String> toMap() {

src/test/groovy/com/cloudogu/gitops/features/argocd/ArgoCDTest.groovy

@@ -1179,24 +1179,22 @@ class ArgoCDTest {
 
     @Test
     void 'RBACs with operator using RbacDefinition outputs'() {
-        config.application.namePrefix = "testPrefix-"
-        def argoCD = setupOperatorTest(openshift: false)
-
         List<String> expectedNamespaces = [
                 "testPrefix-monitoring",
                 "testPrefix-secrets",
                 "testPrefix-ingress-nginx",
                 "testPrefix-example-apps-staging",
                 "testPrefix-example-apps-production"
         ]
-    // have to prepare activeNamespaces for unit-test, Application.groovy is setting this in integration way
-        config.application.activeNamespaces = expectedNamespaces
+        config.application.namePrefix = "testPrefix-"
+
+        def argoCD = setupOperatorTest(openshift: false)
+
 
         argoCD.install()
 
         File rbacPath = Path.of(argocdRepo.getAbsoluteLocalRepoTmpDir(), ArgoCD.OPERATOR_RBAC_PATH).toFile()
 
-
         expectedNamespaces.each { String ns ->
             File roleFile = new File(rbacPath, "role-argocd-${ns}.yaml")
             File bindingFile = new File(rbacPath, "rolebinding-argocd-${ns}.yaml")
@@ -1478,6 +1476,46 @@ class ArgoCDTest {
                 .doesNotExist()
     }
 
+    @Test
+    void 'Operator RBAC includes node access rules when not on OpenShift'() {
+        config.application.namePrefix = "testprefix-"
+
+        def argoCD = setupOperatorTest(openshift: false)
+        argoCD.install()
+
+        print config.toMap()
+
+        File rbacDir = Path.of(argocdRepo.getAbsoluteLocalRepoTmpDir(), ArgoCD.OPERATOR_RBAC_PATH).toFile()
+        File roleFile = new File(rbacDir, "role-argocd-testprefix-monitoring.yaml")
+
+        Map yaml = new YamlSlurper().parse(roleFile) as Map
+        List<Map<String, Object>> rules = yaml["rules"] as List<Map<String, Object>>
+
+        assertThat(rules).anyMatch { rule ->
+            List<String> resources = rule["resources"] as List<String>
+            resources.contains("nodes") && resources.contains("nodes/metrics")
+        }
+    }
+
+    @Test
+    void 'Operator RBAC does not include node access rules when on OpenShift'() {
+        config.application.namePrefix = "testprefix-"
+
+        def argoCD = setupOperatorTest(openshift: true)
+        argoCD.install()
+
+        File rbacDir = Path.of(argocdRepo.getAbsoluteLocalRepoTmpDir(), ArgoCD.OPERATOR_RBAC_PATH).toFile()
+        File roleFile = new File(rbacDir, "role-argocd-testprefix-monitoring.yaml")
+        println roleFile
+
+        Map yaml = new YamlSlurper().parse(roleFile) as Map
+        List<Map<String, Object>> rules = yaml["rules"] as List<Map<String, Object>>
+
+        assertThat(rules).noneMatch { rule ->
+            List<String> resources = rule["resources"] as List<String>
+            resources.contains("nodes") && resources.contains("nodes/metrics")
+        }
+    }
 
     private ArgoCD setupOperatorTest(Map options = [:]) {
         config.features.argocd.operator = true
@@ -1517,10 +1555,20 @@ class ArgoCDTest {
         )
     }
 
+    private static mockPrefixActiveNamespaces(Config config) {
+        def namespaces = config.application.activeNamespaces
+        def prefix = config.application.namePrefix ?: ""
+
+        config.application.activeNamespaces = namespaces.collect { ns ->
+            "${prefix}${ns}".toString()
+        } as List<String>
+    }
+
     class ArgoCDForTest extends ArgoCD {
         ArgoCDForTest(Config config, CommandExecutorForTest k8sCommands, CommandExecutorForTest helmCommands) {
             super(config, new K8sClientForTest(config, k8sCommands), new HelmClient(helmCommands), new FileSystemUtils(),
                     new TestScmmRepoProvider(config, new FileSystemUtils()))
+            mockPrefixActiveNamespaces(config)
         }
 
         @Override