Multi-tenant git repo management

[wouter2397]

Hello all,

We are using ArgoCD in an enterprise setup within OpenShift.
We configured individual ArgoCD projects to allow users to only sync their workloads to specific namespaces (their own).

We now fase an issue where we ran into the RBAC limitations of ArgoCD.
Each application team uses their own git repo's.
We configured their ArgoCD projects to allow them to use only their own git repo's.

We setup the following RBAC role so users can see the git repo's in the dropdown view of their application:

      p, role:argocduser, repositories, get, *, allow

We expected the dropdown to show only the git repo's they are allowed to use, but in reality they can list all git repo's present in ArgoCD.

We would like to see that ArgoCD restrics the repository URL field dropdown to only the git repo's the user/project is allowed to use.

Please let me know what's your opinion of current ArgoCD setup and my requested setup.

[jannfis]

I actually like the idea of only showing the repositories allowed by the project. But I also guess there's a little more work to the UI required to accomplish that.

IMHO, it all boils down to the UI being a little more user-friendly, in pre-validating data and presenting only allowed choices before data is being submitted to the API for final validation.

At least the following questions need an answer, I think:

1. How should the repositories drop-down behave if there is no project selected?
2. How should the repository field be handled if a different project is selected during app creation dialogue, and the repository already set is not allowed in the new project?
3. How should user feedback be given, in case a non allowed repository is entered in the repository field?

And I also think something similar could be done for the destination cluster.

[wouter2397]

Good to hear that you like the idea and are open for this improvement.

To awnser you questions from our perspective:

1. I think to only way to do pre-validation of the repositories field, the project field is mandatory. I think the best way is to show a message that you need to fill in the project field first. Other option I can think of is to disable the repository field of no project is selected. I would not advice the second option though because from my point of view a user should always be able to manually paste a complete URL into the field without using the drop-down at all.
2. I would continue the normal process and only show a error message when you try to create the the application that you do not have access to use the giving repo.
3. As I sad in question 2, all other errors/validation are done through an error message on creation, so I would use the same setup for this feature.

I hope to help you with gathering all required information to come up with a design on this feature.
If you need anymore information or help please let me know.

[alexmt]

@wouter2397 this is probably duplicate of #3045 . Can you check? Would #3045 solve your use case?

[wouter2397]

@alexmt I'm not really sure. The validation of git repo's is already done through the appproject.spec.sourceRepos.
With the configuration below it's already impossible to create a new application with a git repo that is not specified in the AppProject. So I'm not sure what this webhook will add in functionality...

spec:
  description: Example Project
  # Allow manifests to deploy from any Git repos
  sourceRepos:
  - 'xxxx'

We are looking for an mechanism that prevents git repo's from showing in the dropdown list if the users/appproject has no permission to it as listed in the appproject.spec.sourceRepos.

[jannfis]

@alexmt I think this would be purely an UI change in the "Repository" drop-down