Skip to content

gnunn-gitops/gitops-admin-plugin

Repository files navigation

Introduction

This project provides an OpenShift Console plugin to manage OpenShift GitOps (aka Argo CD and Rollouts) as well as External Secrets.

This plugin is not intended as a 1:1 replacement for the Argo CD UI, rather it enables users to accomplish ~70 percent of their tasks in the OpenShift console with ability to easily "punch-out" to the Argo CD UI if more features are required. This plugin follows the OpenShift Console's philosophy in that it interacts with resources via the Kubernetes API, it does not use Argo CD RBAC. Please review the Philosophy section for more details.

Note: This plugin is community supported and is not part of the OpenShift GitOps product nor is it supported by Red Hat. I assume no responsibility for anything that goes wrong so caveat emptor.

Features

Here are some features of the plugin:

Feature Description                                                                                         Screenshots
Dashboard - Inventory
  • Adds Applications and ApplicationSets to Inventory Dashboard
Application
  • Filter on sync and health statuses
  • View synced resources
  • View last synced status
  • Modify sync properties (automated,self-heal, prune)
  • Common actions: Sync, Refresh (Soft and Hard), Terminate
  • Punch out to Argo CD UI for app as well as specific resource
ApplicationSet
  • Filter on status
  • View generators
  • View list of Applications for AppSet
AppProject
  • View list of Applications for project (if in same namespace)
  • View resource allow/deny lists
  • View defined roles
  • View sync windows
Rollouts
  • Filter on status of Rollout
  • Actions: Promote, Full Promote, Retry, Restart, Abort
  • View Revisions
  • View AnalysisRuns
ExternalSecrets
  • Support ExternalSecret Kind
  • Filter on ExternalSecret status
  • Refresh ExternalSecret

Philosophy

As mentioned previously, this plugin is not intended as a general replacement for the Argo CD UI since it operates under a different philosophy. Specifically the OpenShift Console is a Kubernetes resource driven view of the cluster and this plugin adheres to that philosophy.

If the user has Kubernetes RBAC permissions to view Application objects then it will appear in this plugin. If the user has permissions to update and patch the Application objects then they will be able to sync and refresh the application. Argo RBAC is not used at all in the plugin.

As a result this plugin is not particularly suitable for users working with Argo CD in multi-tenant deployments. This is because in a multi-tenant scenario Argo RBAC must be used to enforce separation between tenants and tenants cannot be allowed direct access to the namespace where Argo CD and the Applications are deployed. Otherwise the user will be able to view secrets they should not have access to, potentially modify Application objects to bypass Argo CD RBAC, etc.

This plugin does work well with Applications in Any Namespace which is my preferred way to handle multi-tenancy.

Outside of Applications in Any Namespace, at this time the plugin is best suited for cluster and Argo CD administrators who will typically have elevated permissions.

Limitations

There are some limitations in this current implementation:

  • Limited testing across the wide swath of Argo CD features, for example Helm apps have only been lightly tested.
  • Limited error handling, if something does not work as expected check the browser console logs
  • No general editing capabilities beyond editing the yaml
  • Limited useability testing but suggestions for UI improvements definitely welcome!

Prerequisites

The following prerequisites are required to use this plugin:

  • OpenShift 4.15+
  • OpenShift GitOps 1.8+ or Argo CD 2.6+ (tested with OpenShift GitOps 1.9/Argo CD 2.7)

Versioning

OpenShift 4.15 made many incompatible changes in the plugin API, notably it supports React 5 and Patternfly 5. I have opted to upgrade the plugin to the newer versions and as a result the 4.15 branch and image tag should be used to install the plugin on 4.15. The main branch covers 4.15, the 4.14 version is not recommended as no further work is being for that version.

OpenShift Version Branch Image Tag
4.14 (not supported) 4.14-0.0.21 4.14
4.15 main 4.15, latest
4.16 4.16 4.16

Deployment on cluster

The plugin can be installed from the manifests included in the /manifests folder using kustomize, make sure to use the correct branch for the desired version.

oc apply -k https://github.com/gnunn-gitops/gitops-admin-plugin/manifests/overlays/install

Note the install overlay includes a job with the elevated permissions needed to patch consoles.operator.openshift.io to include this specific plugin. This enables deployment via Argo CD since everything is automated.

After running this command it may take a few minutes for the plugin to appear, check oc get co to see the status of the console operator.

Local development

Option 1:

In one terminal window, run:

  1. yarn install
  2. yarn run start

In another terminal window, run:

  1. oc login
  2. yarn run start-console (requires Docker or podman)

You will then be able to access the console with the plugin at http://localhost:9000 in a browser.

Container image

You can build the plugin as a container image using podman (or docker if you prefer) with the following command:

podman build . -t <your-image-name>

The image used by the manifests is hosted at quay.io/gnunn/gitops-admin-plugin.

Acknowledgements

Thanks to the following individuals:

  • Pavel Kratochvíl whose crontab example provides a great starting point for building plugins needed to support CRDs.
  • Andrew Block for Kyverno policy plugin and getting me over the Typescript/react hump
  • Keith Chong for his work on the Developers perspective GitOps plugin from which I borrowed a few things.
  • Thanks to the OpenShift Virtualization folks, their kubevirt-plugin repository is an invaluable reference.
  • Argo CD UI where I leveraged it for A/B testing plus re-used some of the existing code there instead of re-inventing the wheel. All rights remain with original authors, code I specifically use:
    • code for determining Operation State
    • code for calculating URLs for git repos and paths

Note some ActionDropDown stuff taken from kubevirt console plugin here.

About

Console plugin for OpenShift GitOps

Resources

License

Stars

Watchers

Forks

Packages

No packages published