RBAC Support for Actions #2110

Merged
merged 23 commits into from
Oct 4, 2019

Member

@simster7 simster7 commented Aug 6, 2019

See #2002

@codecov

codecov bot commented Aug 6, 2019

Codecov Report

Merging #2110 into master will decrease coverage by 0.27%.
The diff coverage is 16.32%.


@@            Coverage Diff             @@
##           master    #2110      +/-   ##
==========================================
- Coverage   38.53%   38.25%   -0.28%     
==========================================
  Files         103      103              
  Lines       14732    14547     -185     
==========================================
- Hits         5677     5565     -112     
+ Misses       8294     8239      -55     
+ Partials      761      743      -18
Impacted Files                           Coverage Δ
server/rbacpolicy/rbacpolicy.go          79.68% <ø> (ø) ⬆️
pkg/apis/application/v1alpha1/types.go   59.24% <ø> (ø) ⬆️
cmd/argocd/commands/app.go               1.81% <0%> (ø) ⬆️
server/application/application.go        25.19% <0%> (+0.09%) ⬆️
cmd/argocd/commands/app_actions.go       0% <0%> (ø) ⬆️
util/lua/lua.go                          76.75% <72.72%> (-0.31%) ⬇️
util/ksonnet/ksonnet.go                  34.61% <0%> (-8.79%) ⬇️
util/helm/helm.go                        66.07% <0%> (-7.05%) ⬇️
util/kube/ctl.go                         19.9% <0%> (-4.68%) ⬇️
util/kustomize/kustomize.go              71.84% <0%> (-3.84%) ⬇️
... and 1 more

Δ = absolute <relative> (impact), ø = not affected, ? = missing data

@alexec alexec added this to the v1.3 milestone Aug 6, 2019
@alexec
Contributor

alexec commented Aug 7, 2019

CI failure looks unrelated to change. Re-building.

@alexec alexec self-assigned this Aug 7, 2019
@evrardjp
Contributor

evrardjp commented Aug 10, 2019

Not sure which tests are running, but it seems there is an error in build just after a git diff showing a spacing issue

-	ActionAction = "action"
+	ActionAction   = "action"

@simster7
Member Author

Thanks @evrardjp. Seems current failure is due to unrelated tests? @alexec

@alexec
Contributor

alexec commented Aug 12, 2019

The failed test is known flaky.

@simster7
Member Author

Perfect. @jessesuen should be ready to merge

@alexec alexec removed their assignment Aug 14, 2019
Member

@jessesuen jessesuen left a comment

There is a UI change to this which is not captured here.

@@ -1093,7 +1093,8 @@ func (s *Server) RunResourceAction(ctx context.Context, q *application.ResourceA
Version: q.Version,
Group: q.Group,
}
res, config, _, err := s.getAppResource(ctx, rbacpolicy.ActionOverride, resourceRequest)
actionRequest := fmt.Sprintf("%s/%s", rbacpolicy.ActionAction, q.Action)
res, config, _, err := s.getAppResource(ctx, actionRequest, resourceRequest)
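
Review bot: q.Action is formatted straight into the RBAC action string in the added line actionRequest := fmt.Sprintf("%s/%s", rbacpolicy.ActionAction, q.Action), with no check visible in this hunk. The value arrives on the request, so an empty name, or one containing "/" or glob characters, changes the shape of the string that policy patterns are matched against. Suggest rejecting such values before the Sprintf and adding a comment on that line that documents the expected action/... format, so policy authors and callers agree on it.
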
Member

Thinking about this more, action/<actionname> is not specific enough. We may have the same action name "pause", which works for both a Deployment, Rollout, and CronJob object. Granting "pause" privileges to all object types is potentially undesirable. We need a convention for actions which reflect the finer grained rbac. For example:

action/argoproj.io/Rollout/resume

Member Author

Responded in #2181

Member

As I understand, the convention being introduced is action/argoproj.io/Rollout:resume instead of action/argoproj.io/Rollout/resume. I feel the slash is more consistent with all our other RBAC as opposed to the colon.

For example, rbac rules may be:
action/argoproj.io/Rollout/*

Which seems better than:
action/argoproj.io/Rollout:*
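
The slash convention and the wildcard rule from this review thread, as an added Go example that is not part of the PR or of Argo CD's code. `parseAction`, `allowed` and `canRun` are hypothetical names, the policy list is constructed, and `path.Match` stands in for the project's policy matcher (its `*` does not cross `/`).

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// parseAction (hypothetical helper, not Argo CD's code) splits "group/kind/name"
// and returns an error instead of exiting the process on malformed input.
func parseAction(full string) (group, kind, name string, err error) {
	parts := strings.Split(full, "/")
	if len(parts) != 3 {
		return "", "", "", fmt.Errorf("malformed action %q: want group/kind/name", full)
	}
	for _, p := range parts {
		// Assumption: no empty segments or glob metacharacters in a request.
		if p == "" || strings.ContainsAny(p, `*?[\`) {
			return "", "", "", fmt.Errorf("malformed action %q: bad segment %q", full, p)
		}
	}
	return parts[0], parts[1], parts[2], nil
}

// allowed uses path.Match as a stand-in matcher; its "*" does not cross "/".
func allowed(policies []string, request string) bool {
	for _, pattern := range policies {
		if ok, err := path.Match(pattern, request); err == nil && ok {
			return true
		}
	}
	return false
}

// canRun validates the name, builds action/<group>/<kind>/<name>, checks policy.
func canRun(policies []string, full string) (bool, error) {
	group, kind, name, err := parseAction(full)
	if err != nil {
		return false, err
	}
	return allowed(policies, fmt.Sprintf("action/%s/%s/%s", group, kind, name)), nil
}

func main() {
	policies := []string{"action/argoproj.io/Rollout/*"} // constructed sample policy
	fmt.Println(canRun(policies, "argoproj.io/Rollout/resume"))
	fmt.Println(canRun(policies, "apps/Deployment/pause"))
	fmt.Println(canRun(policies, "resume"))
}
```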

@jessesuen
Member

jessesuen commented Aug 21, 2019

For the UI to understand and present the available actions, we need to implement action discovery better, as described in item (1) in #2181

@simster7
Member Author

@jessesuen @alexec Sorry for the crazy delay, but points 1 and 2 from Jesse's issue (#2110) are now done. I intend to open a separate PR for the UI changes. A few points:

  1. The new syntax for actions is group/kind:actionName. Because of this, I have removed the group and kind parameters in argocd app actions run as they are now a part of the action name. Therefore, this is currently a breaking change as the call

     argocd app actions run APPNAME resume --kind Rollout

     is no longer supported and instead must be

     argocd app actions run APPNAME argoproj.io/Rollout:resume

     Not sure how to approach this, should I allow backwards compatibility with resume commands?

  2. argocd app actions list APPNAME now lists all actions across all resources by default and shows if they are available:

     $ argocd app actions list blue-green

     GROUP        KIND     NAME                       ACTION                      AVAILABLE
     argoproj.io  Rollout  blue-green-helm-guestbook  argoproj.io/Rollout:resume  true

  3. Running an action no longer checks if it is available or not.

@alexec alexec requested a review from jessesuen September 20, 2019 22:26
Member

@jessesuen jessesuen left a comment

Very close to what I was looking for. Great job.

pkg/apis/application/v1alpha1/types.go
if len(groupKindSplit) != 2 {
log.Fatal("Action name is malformed")
}
return groupKindSplit[0], groupKindSplit[1], actionName
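
Review bot: log.Fatal("Action name is malformed") in the len(groupKindSplit) != 2 branch exits the whole process on bad input instead of reporting it. The function already returns three values, so add an error as a fourth return and let the caller decide how to surface it. The message should also name the offending value and the expected format so the user can correct the call.
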
Member

It appears we are making breaking changes here by requiring a new convention for running actions. I think it's okay if we start introducing a new convention, but we may need to preserve previous flags for backwards compatibility since many pipelines are depending on this behavior.

Member Author

Introduced backwards compatibility with the following message:

$ argocd app actions run blue-green resume --kind Rollout

Warning: "resume" action has been deprecated. Please run the action as

	argocd app run blue-green argoproj.io/Rollout/resume

@jessesuen
Member

jessesuen commented Sep 21, 2019

My review comments above were made without first reading comment #2110 (comment). But yes, I am glad you recognized the breaking change.

> is no longer supported and instead must be argocd app actions run APPNAME argoproj.io/Rollout:resume

How does this work when a user wants to run it against a specific rollout by name?

@simster7
Member Author

@jessesuen Addressed all of your comments.

> How does this work when a user wants to run it against a specific rollout by name?

There is a --resource-name argument available

@alexec alexec requested a review from jessesuen September 23, 2019 17:57
Member

@jessesuen jessesuen left a comment

Conditional approval: there's one place where we still use the colon, but otherwise this LGTM. Please fix the last statement.

server/application/application.go
@simster7
Member Author

simster7 commented Oct 3, 2019

@alexec @jessesuen This should also be good to go!

@alexec
Contributor

alexec commented Oct 3, 2019

@jessesuen do you want to merge please?

@jessesuen jessesuen merged commit dd21ab9 into argoproj:master Oct 4, 2019
@alexec
Contributor

alexec commented Oct 7, 2019

Yay!
