diff --git a/README.md b/README.md index a610daa..11f62a0 100644 --- a/README.md +++ b/README.md @@ -8,7 +8,7 @@ functionality that `sudo` command provides as users can execute actions that require higher permissions. The exact access the user is allowed to be elevated to and for how long the access should be granted are configurable. The elevated access are automatically -managed by creating and updating Argo CD AppProject roles. +managed by creating and updating Argo CD AppProject roles. Note: This project requires that the Argo CD `Applications` are associated with an `AppProjects` different than `default`. @@ -94,7 +94,8 @@ spec: "EPHEMERAL_ACCESS_LABEL_VALUE": "true", "EPHEMERAL_ACCESS_MAIN_BANNER": "All production changes require an associated change request. Click the REQUEST ACCESS button above to automatically create a change request associated with your user", "EPHEMERAL_ACCESS_MAIN_BANNER_ADDITIONAL_INFO_LINK": "https://link-to-some-documentation.com", - "EPHEMERAL_ACCESS_DEFAULT_ROLE": "devops" + "EPHEMERAL_ACCESS_DEFAULT_DISPLAY_ACCESS": "Read", + "EPHEMERAL_ACCESS_DEFAULT_TARGET_ROLE": "devops" } volumeMounts: - name: extensions 
@@ -120,13 +121,14 @@ spec: > table describes the js variables accepted by the EphemeralAccess UI > extension: -| Name | Description | Required | Default | -| --------------------------------------------------- | ------------------------------------------------------------------------------------------------- | -------- | ------- | -| `EPHEMERAL_ACCESS_DEFAULT_ROLE` | Defines the RoleName to be associated with users once the AccessRequest is created | Yes | - | -| `EPHEMERAL_ACCESS_LABEL_KEY` | If provided, it will only enable the UI extension if the Argo CD Application has this label key | No | - | -| `EPHEMERAL_ACCESS_LABEL_VALUE` | If provided, it will only enable the UI extension if the Argo CD Application has this label value | No | - | -| `EPHEMERAL_ACCESS_MAIN_BANNER` | A text with the brief description to instruct users about how the extension works | No | - | -| `EPHEMERAL_ACCESS_MAIN_BANNER_ADDITIONAL_INFO_LINK` | An additional link to provide users with more detailed documentation | No | - | +| Name | Description | Required | Default | +| --------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------ | -------- | ------- | +| `EPHEMERAL_ACCESS_DEFAULT_DISPLAY_ACCESS` | Defines the default name displayed as the current access level in the plugin, this is for display only and does not impact role assignment | No | Read | +| `EPHEMERAL_ACCESS_DEFAULT_TARGET_ROLE` | Defines the RoleName to be associated with users once the AccessRequest is created | Yes | - | +| `EPHEMERAL_ACCESS_LABEL_KEY` | If provided, it will only enable the UI extension if the Argo CD Application has this label key | No | - | +| `EPHEMERAL_ACCESS_LABEL_VALUE` | If provided, it will only enable the UI extension if the Argo CD Application has this label value | No | - | +| `EPHEMERAL_ACCESS_MAIN_BANNER` | A text with the brief description to instruct users 
about how the extension works | No | - | +| `EPHEMERAL_ACCESS_MAIN_BANNER_ADDITIONAL_INFO_LINK` | An additional link to provide users with more detailed documentation | No | - | ### Enabling the EphemeralAccess extension in Argo CD @@ -160,7 +162,7 @@ section in the `argocd-cm`. ``` **Attention**: Make sure to change the `EPHEMERAL_ACCESS_BACKEND_URL` -to the URL where backend service is configured. The backend service +to the URL where backend service is configured. The backend service URL needs to be reacheable by the Argo CD API server. ## How it Works @@ -210,7 +212,7 @@ metadata: spec: ordinal: 1 friendlyName: "Devops (Write)" - subjects: + subjects: - group1 - role-{{.application.metadata.labels.some-label}} if: "application.metadata.labels.some-label != nil" @@ -252,7 +254,7 @@ spec: The `RoleTemplate` defines a templated Argo CD RBAC policies. Once the elevated access is requested and approved, the policies will be rendered and dynamicaly associated with the AppProject related with -the access request. +the access request. The following variable are available to be used in the templated fields (.spec.description and .spec.policies): diff --git a/test/manifests/samples/extension-0-EPHEMERAL_ACCESS_vars.js b/test/manifests/samples/extension-0-EPHEMERAL_ACCESS_vars.js index 78e4f44..2569692 100644 --- a/test/manifests/samples/extension-0-EPHEMERAL_ACCESS_vars.js +++ b/test/manifests/samples/extension-0-EPHEMERAL_ACCESS_vars.js 
@@ -4,7 +4,8 @@
 // "EPHEMERAL_ACCESS_LABEL_VALUE": "some-label-value",
 "EPHEMERAL_ACCESS_MAIN_BANNER": "All production changes require an associated change request. Click the REQUEST ACCESS button above to automatically create a change request associated with your user",
 "EPHEMERAL_ACCESS_MAIN_BANNER_ADDITIONAL_INFO_LINK": "https://additional-info-link.com",
- "EPHEMERAL_ACCESS_DEFAULT_ROLE": "devops"
+ "EPHEMERAL_ACCESS_DEFAULT_DISPLAY_ACCESS": "Read",
+ "EPHEMERAL_ACCESS_DEFAULT_TARGET_ROLE": "devops"
 };
 window.EPHEMERAL_ACCESS_VARS = vars;
 })(window);
diff --git a/ui/src/component/ephemeral-access-details.tsx b/ui/src/component/ephemeral-access-details.tsx
index 0f5b7b9..6d7cb4b 100644
--- a/ui/src/component/ephemeral-access-details.tsx
+++ b/ui/src/component/ephemeral-access-details.tsx
@@ -88,7 +88,7 @@ const EphemeralAccessDetails: React.FC = ({
 try {
 await createAccessrequest(
 {
- roleName: window?.EPHEMERAL_ACCESS_VARS?.EPHEMERAL_ACCESS_DEFAULT_ROLE
+ roleName: window?.EPHEMERAL_ACCESS_VARS?.EPHEMERAL_ACCESS_DEFAULT_TARGET_ROLE
 },
 {
 baseURL: '/extensions/ephemeral/',
diff --git a/ui/src/global.d.ts b/ui/src/global.d.ts
index bc5ea84..d1c2a3c 100644
--- a/ui/src/global.d.ts
+++ b/ui/src/global.d.ts
@@ -5,7 +5,8 @@ interface Window {
 EPHEMERAL_ACCESS_MAIN_BANNER: string;
 EPHEMERAL_ACCESS_MAIN_BANNER_ADDITIONAL_INFO_LINK: string;
 EPHEMERAL_ACCESS_CHANGE_REQUEST_URL: string;
- EPHEMERAL_ACCESS_DEFAULT_ROLE: string;
+ EPHEMERAL_ACCESS_DEFAULT_DISPLAY_ACCESS: string;
+ EPHEMERAL_ACCESS_DEFAULT_TARGET_ROLE: string;
 };
 }
diff --git a/ui/src/utils/utils.tsx b/ui/src/utils/utils.tsx
index 2975938..c04521a 100644
--- a/ui/src/utils/utils.tsx
+++ b/ui/src/utils/utils.tsx
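Review bot: In ui/src/component/ephemeral-access-details.tsx the request body now reads `EPHEMERAL_ACCESS_DEFAULT_TARGET_ROLE` with no fallback or guard, so a deployment that still sets only the old `EPHEMERAL_ACCESS_DEFAULT_ROLE` key would send `roleName: undefined` to the backend. The README marks the variable as required, so reading it into a local first (`const roleName = window.EPHEMERAL_ACCESS_VARS?.EPHEMERAL_ACCESS_DEFAULT_TARGET_ROLE;`) and returning with a visible configuration error when it is empty would make the rename fail loudly instead of silently. The value comes from a browser global that any user can edit, so which role may be requested has to be enforced by the backend; a short comment above the call saying so would help the next reader. The enclosing `try` block starts and ends outside the hunk.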
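Review bot: `EPHEMERAL_ACCESS_DEFAULT_DISPLAY_ACCESS: string;` in ui/src/global.d.ts declares the new key as always present, while the README table lists it as not required and `getDefaultDisplayAccessRole` in ui/src/utils/utils.tsx falls back when it is missing. Declaring it as `EPHEMERAL_ACCESS_DEFAULT_DISPLAY_ACCESS?: string;` would keep the type in line with the runtime behaviour and let the compiler flag unguarded reads. The `Window` interface begins outside the hunk, so whether the other optional keys follow the same convention cannot be seen here.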
@@ -12,8 +12,13 @@ export const Spinner = ({ show, style = {} }: { show: boolean; style?: React.CSS
 ) : null;
 export enum AccessRole {
- DEFAULT_ACCESS = 'Read'
+ DEFAULT_DISPLAY_ACCESS = 'Read'
 }
+
+const getDefaultDisplayAccessRole = (): string => {
+ return window?.EPHEMERAL_ACCESS_VARS?.EPHEMERAL_ACCESS_DEFAULT_DISPLAY_ACCESS || AccessRole.DEFAULT_DISPLAY_ACCESS;
+};
+
 export const AccessPanel = ({ accessRequest }: { accessRequest: AccessRequestResponseBody }) => {
 let color = ACCESS_DEFAULT_COLOR;
 let icon = 'fa-solid fa-lock';
@@ -41,7 +46,7 @@ export const AccessPanel = ({ accessRequest }: { accessRequest: AccessRequestRes
 const getRoleTitle = (accessRequest: AccessRequestResponseBody) => {
 if (accessRequest === null) {
- return AccessRole.DEFAULT_ACCESS;
+ return getDefaultDisplayAccessRole();
 } else {
 return accessRequest.permission;
 }
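Review bot: `getDefaultDisplayAccessRole` in the first hunk has no comment saying that the string it returns is only a label, so a reader of `getRoleTitle` (second hunk) could take it for the permission the user actually holds. I would add above it `/** Label shown as the current access level when no AccessRequest exists. Display only, per the README: it does not affect role assignment and may differ from the permissions actually in effect. */`. Because the vars file is plain JavaScript, the configured value is not guaranteed to be a string despite the declared return type; reading it into a local `v` and returning `typeof v === 'string' && v !== '' ? v : AccessRole.DEFAULT_DISPLAY_ACCESS` would keep a non-string from reaching the render. The rename of the exported member `AccessRole.DEFAULT_ACCESS` may also affect importers that are not visible in this diff.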