From 53bab7f85f6b9f9c9c8b3967c208c0452c8dbd7b Mon Sep 17 00:00:00 2001 From: Giulio Cardillo Date: Sat, 18 Apr 2026 22:18:41 +0200 Subject: [PATCH] Add custom ArgoCD rbac --- README.md | 2 ++ README.md.gotmpl | 1 + templates/plumbing/argocd.yaml | 4 ++++ tests/argocd_rbac_test.yaml | 37 ++++++++++++++++++++++++++++++++++ values.schema.json | 5 +++++ values.yaml | 1 + 6 files changed, 50 insertions(+) create mode 100644 tests/argocd_rbac_test.yaml diff --git a/README.md b/README.md index 7a7bca7..ca0ecdf 100644 --- a/README.md +++ b/README.md @@ -8,6 +8,7 @@ This chart is used to set up the basic building blocks in [Validated Patterns](h ### Notable changes +* v0.9.50: Add support to custom `rbac` in `ArgoDC.spec` * v0.9.49: Boolean Templates in override values now also render correctly * v0.9.48: Templates in override values now render * v0.9.45: Default value of `resourceTrackingMethod` is now `annotation` @@ -68,6 +69,7 @@ clusterGroup: | clusterGroup.argoCD.configManagementPlugins | list | `[]` | | | clusterGroup.argoCD.env | list | `[]` | | | clusterGroup.argoCD.initContainers | list | `[]` | | +| clusterGroup.argoCD.rbac | object | `{}` | | | clusterGroup.argoCD.resourceActions | list | `[]` | | | clusterGroup.argoCD.resourceExclusions | string | `"- apiGroups:\n - tekton.dev\n kinds:\n - TaskRun\n - PipelineRun\n"` | | | clusterGroup.argoCD.resourceHealthChecks[0].check | string | `"hs = {}\nif obj.status ~= nil then\n if obj.status.phase ~= nil then\n if obj.status.phase == \"Pending\" then\n hs.status = \"Healthy\"\n hs.message = obj.status.phase\n return hs\n elseif obj.status.phase == \"Bound\" then\n hs.status = \"Healthy\"\n hs.message = obj.status.phase\n return hs\n end\n end\nend\nhs.status = \"Progressing\"\nhs.message = \"Waiting for PVC\"\nreturn hs\n"` | | diff --git a/README.md.gotmpl b/README.md.gotmpl index 4dbf142..2701416 100644 --- a/README.md.gotmpl +++ b/README.md.gotmpl 
@@ -9,6 +9,7 @@ This chart is used to set up the basic building blocks in [Validated Patterns](h ### Notable changes +* v0.9.50: Add support to custom `rbac` in `ArgoDC.spec` * v0.9.49: Boolean Templates in override values now also render correctly * v0.9.48: Templates in override values now render * v0.9.45: Default value of `resourceTrackingMethod` is now `annotation` diff --git a/templates/plumbing/argocd.yaml b/templates/plumbing/argocd.yaml index 8d81b31..97746a3 100644 --- a/templates/plumbing/argocd.yaml +++ b/templates/plumbing/argocd.yaml @@ -53,12 +53,16 @@ spec: memory: 128Mi initialSSHKnownHosts: {} rbac: + {{- if $.Values.clusterGroup.argoCD.rbac }} + {{- toYaml $.Values.clusterGroup.argoCD.rbac | nindent 4 }} + {{- else }} defaultPolicy: role:readonly policy: |- g, system:cluster-admins, role:admin g, cluster-admins, role:admin g, admin, role:admin scopes: '[groups, email]' + {{- end }} repo: env: {{ $.Values.clusterGroup.argoCD.env | toPrettyJson }} initContainers: diff --git a/tests/argocd_rbac_test.yaml b/tests/argocd_rbac_test.yaml new file mode 100644 index 0000000..0b11056 --- /dev/null +++ b/tests/argocd_rbac_test.yaml @@ -0,0 +1,37 @@ +suite: Test argocd with rbac +templates: + - templates/plumbing/argocd.yaml +release: + name: release-test +tests: + - it: should render default rbac + documentIndex: 0 + asserts: + - isSubset: + path: spec.rbac + content: + defaultPolicy: role:readonly + policy: |- + g, system:cluster-admins, role:admin + g, cluster-admins, role:admin + g, admin, role:admin + scopes: '[groups, email]' + + - it: should render custom rbac correctly + set: + clusterGroup: + argoCD: + rbac: + defaultPolicy: default + policy: |- + g, test-group, role:admin + scopes: '[one, two]' + documentIndex: 0 + asserts: + - isSubset: + path: spec.rbac + content: + defaultPolicy: default + policy: |- + g, test-group, role:admin + scopes: '[one, two]' diff --git a/values.schema.json b/values.schema.json index 8c20a22..c17c0d1 100644 
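Review bot: In templates/plumbing/argocd.yaml the new `if` branch replaces the whole `spec.rbac` block, so a values override that sets only one key (say `scopes`) also drops `defaultPolicy: role:readonly` and the three `role:admin` group bindings from the rendered ArgoCD CR. What the operator falls back to when `defaultPolicy` is absent is not visible in this patch, so the effective access after a partial override should be confirmed rather than assumed. If all-or-nothing replacement is intended, say so where users set the value, for example above `rbac: {}` in values.yaml: `# -- Replaces the chart's default spec.rbac entirely; set defaultPolicy, policy and scopes together`. The enclosing `spec:` block starts and ends outside the hunk.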
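Review bot: The custom-rbac case in tests/argocd_rbac_test.yaml overrides all three keys and asserts with `isSubset`, so it would still pass if extra default keys leaked into the output, and it never exercises a partial override. Asserting the whole map with `equal` on `path: spec.rbac` would pin the replace-entirely behaviour. A further case that sets only `policy` would show what happens to `defaultPolicy` in the rendered CR, which is the access-control outcome worth locking down.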
--- a/values.schema.json
+++ b/values.schema.json
@@ -719,6 +719,11 @@
 "$ref": "#/definitions/ArgoCDResourceActions"
 },
 "description": "ResourceActions customizes resource action behavior."
+ },
+ "rbac": {
+ "type": "object",
+ "description": "Rbac customizes ArgoCD RBAC policies.",
+ "additionalProperties": true
 }
 }
 },
diff --git a/values.yaml b/values.yaml
index 569c25c..c62f67e 100644
--- a/values.yaml
+++ b/values.yaml
@@ -33,6 +33,7 @@ clusterGroup:
 argoCD:
 initContainers: []
 env: []
+ rbac: {}
 volumes: []
 volumeMounts: []
 configManagementPlugins: []
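Review bot: The `rbac` entry added to values.schema.json is an open object with no `properties`, so a mistyped key or a wrong type (a list for `policy`, for instance) passes schema validation and reaches the ArgoCD CR unchecked. Declaring the keys that the template's defaults use, while keeping `additionalProperties` open, would catch those early: `"properties": {"defaultPolicy": {"type": "string"}, "policy": {"type": "string"}, "scopes": {"type": "string"}}`. The neighbouring `resourceActions` entry refers to a `#/definitions/...` type, so a named definition for rbac would likely match the file's style, though the rest of the schema is outside the hunk.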