Merge branch 'master' into feat/retry

Signed-off-by: Pavel <[email protected]>

CODEOWNERS

@@ -2,8 +2,9 @@
 ** @argoproj/argocd-approvers
 
 # Docs
-/docs/**  @argoproj/argocd-approvers @argoproj/argocd-approvers-docs
-/USERS.md @argoproj/argocd-approvers @argoproj/argocd-approvers-docs
+/docs/**    @argoproj/argocd-approvers @argoproj/argocd-approvers-docs
+/USERS.md   @argoproj/argocd-approvers @argoproj/argocd-approvers-docs
+/mkdocs.yml @argoproj/argocd-approvers @argoproj/argocd-approvers-docs
 
 # CI
 /.github/**       @argoproj/argocd-approvers @argoproj/argocd-approvers-ci

cmd/argocd/commands/admin/project_allowlist.go

@@ -41,6 +41,8 @@ func NewProjectAllowListGenCommand() *cobra.Command {
 	var command = &cobra.Command{
 		Use:   "generate-allow-list CLUSTERROLE_PATH PROJ_NAME",
 		Short: "Generates project allow list from the specified clusterRole file",
+		Example: `# Generates project allow list from the specified clusterRole file
+argocd admin proj generate-allow-list /path/to/clusterrole.yaml my-project`,
 		Run: func(c *cobra.Command, args []string) {
 			if len(args) != 2 {
 				c.HelpFunc()(c, args)

cmd/argocd/commands/admin/settings_rbac.go

@@ -189,7 +189,6 @@ argocd admin settings rbac can someuser create application 'default/app' --defau
 			}
 		},
 	}
-
 	clientConfig = cli.AddKubectlFlagsToCmd(command)
 	command.Flags().StringVar(&policyFile, "policy-file", "", "path to the policy file to use")
 	command.Flags().StringVar(&defaultRole, "default-role", "", "name of the default role to use")
@@ -202,24 +201,55 @@ argocd admin settings rbac can someuser create application 'default/app' --defau
 // NewRBACValidateCommand returns a new rbac validate command
 func NewRBACValidateCommand() *cobra.Command {
 	var (
-		policyFile string
+		policyFile   string
+		namespace    string
+		clientConfig clientcmd.ClientConfig
 	)
 
 	var command = &cobra.Command{
-		Use:   "validate --policy-file=POLICYFILE",
+		Use:   "validate [--policy-file POLICYFILE] [--namespace NAMESPACE]",
 		Short: "Validate RBAC policy",
 		Long: `
 Validates an RBAC policy for being syntactically correct. The policy must be
-a local file, and in either CSV or K8s ConfigMap format.
+a local file or a K8s ConfigMap in the provided namespace, and in either CSV or K8s ConfigMap format.
+`,
+		Example: `
+# Check whether a given policy file is valid using a local policy.csv file.
+argocd admin settings rbac validate --policy-file policy.csv
+
+# Policy file can also be K8s config map with data keys like argocd-rbac-cm,
+# i.e. 'policy.csv' and (optionally) 'policy.default'
+argocd admin settings rbac validate --policy-file argocd-rbac-cm.yaml
+
+# If --policy-file is not given, and instead --namespace is giventhe ConfigMap 'argocd-rbac-cm' 
+# from K8s is used. 
+argocd admin settings rbac validate --namespace argocd
+
+# Either --policy-file or --namespace must be given.
 `,
 		Run: func(c *cobra.Command, args []string) {
 			ctx := c.Context()
 
-			if policyFile == "" {
+			if len(args) > 0 {
 				c.HelpFunc()(c, args)
-				log.Fatalf("Please specify policy to validate using --policy-file")
+				log.Fatalf("too many arguments")
+			}
+
+			if (namespace == "" && policyFile == "") || (namespace != "" && policyFile != "") {
+				c.HelpFunc()(c, args)
+				log.Fatalf("please provide exactly one of --policy-file or --namespace")
 			}
-			userPolicy, _, _ := getPolicy(ctx, policyFile, nil, "")
+
+			restConfig, err := clientConfig.ClientConfig()
+			if err != nil {
+				log.Fatalf("could not get config to create k8s client: %v", err)
+			}
+			realClientset, err := kubernetes.NewForConfig(restConfig)
+			if err != nil {
+				log.Fatalf("could not create k8s client: %v", err)
+			}
+
+			userPolicy, _, _ := getPolicy(ctx, policyFile, realClientset, namespace)
 			if userPolicy != "" {
 				if err := rbac.ValidatePolicy(userPolicy); err == nil {
 					fmt.Printf("Policy is valid.\n")
@@ -228,11 +258,15 @@ a local file, and in either CSV or K8s ConfigMap format.
 					fmt.Printf("Policy is invalid: %v\n", err)
 					os.Exit(1)
 				}
+			} else {
+				log.Fatalf("Policy is empty or could not be loaded.")
 			}
 		},
 	}
-
+	clientConfig = cli.AddKubectlFlagsToCmd(command)
 	command.Flags().StringVar(&policyFile, "policy-file", "", "path to the policy file to use")
+	command.Flags().StringVar(&namespace, "namespace", "", "namespace to get argo rbac configmap from")
+
 	return command
 }
 

cmd/argocd/commands/admin/settings_rbac_test.go

@@ -5,15 +5,42 @@ import (
 	"os"
 	"testing"
 
+	"github.com/argoproj/argo-cd/v2/util/assets"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/kubernetes/fake"
-
-	"github.com/argoproj/argo-cd/v2/util/assets"
+	restclient "k8s.io/client-go/rest"
+	"k8s.io/client-go/tools/clientcmd"
+	clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
 )
 
+type FakeClientConfig struct {
+	clientConfig clientcmd.ClientConfig
+}
+
+func NewFakeClientConfig(clientConfig clientcmd.ClientConfig) *FakeClientConfig {
+	return &FakeClientConfig{clientConfig: clientConfig}
+}
+
+func (f *FakeClientConfig) RawConfig() (clientcmdapi.Config, error) {
+	config, err := f.clientConfig.RawConfig()
+	return config, err
+}
+
+func (f *FakeClientConfig) ClientConfig() (*restclient.Config, error) {
+	return f.clientConfig.ClientConfig()
+}
+
+func (f *FakeClientConfig) Namespace() (string, bool, error) {
+	return f.clientConfig.Namespace()
+}
+
+func (f *FakeClientConfig) ConfigAccess() clientcmd.ConfigAccess {
+	return nil
+}
+
 func Test_isValidRBACAction(t *testing.T) {
 	for k := range validRBACActions {
 		t.Run(k, func(t *testing.T) {
@@ -200,3 +227,19 @@ p, role:, certificates, get, .*, allow`
 		require.True(t, ok)
 	})
 }
+
+func TestNewRBACCanCommand(t *testing.T) {
+	command := NewRBACCanCommand()
+
+	require.NotNil(t, command)
+	assert.Equal(t, "can", command.Name())
+	assert.Equal(t, "Check RBAC permissions for a role or subject", command.Short)
+}
+
+func TestNewRBACValidateCommand(t *testing.T) {
+	command := NewRBACValidateCommand()
+
+	require.NotNil(t, command)
+	assert.Equal(t, "validate", command.Name())
+	assert.Equal(t, "Validate RBAC policy", command.Short)
+}

cmd/argocd/commands/gpg.go

@@ -43,6 +43,17 @@ func NewGPGListCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 	var command = &cobra.Command{
 		Use:   "list",
 		Short: "List configured GPG public keys",
+		Example: templates.Examples(`
+  # List all configured GPG public keys in wide format (default).
+  argocd gpg list
+		
+  # List all configured GPG public keys in JSON format.
+  argocd gpg list -o json
+		
+  # List all configured GPG public keys in YAML format.
+  argocd gpg list -o yaml
+  		`),
+
 		Run: func(c *cobra.Command, args []string) {
 			ctx := c.Context()
 
@@ -73,6 +84,17 @@ func NewGPGGetCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 	var command = &cobra.Command{
 		Use:   "get KEYID",
 		Short: "Get the GPG public key with ID <KEYID> from the server",
+		Example: templates.Examples(`  
+  # Get a GPG public key with the specified KEYID in wide format (default).
+  argocd gpg get KEYID
+		
+  # Get a GPG public key with the specified KEYID in JSON format.
+  argocd gpg get KEYID -o json
+		
+  # Get a GPG public key with the specified KEYID in YAML format.
+  argocd gpg get KEYID -o yaml
+  		`),
+
 		Run: func(c *cobra.Command, args []string) {
 			ctx := c.Context()
 

cmd/argocd/commands/project_role.go

@@ -57,6 +57,30 @@ func NewProjectRoleAddPolicyCommand(clientOpts *argocdclient.ClientOptions) *cob
 	var command = &cobra.Command{
 		Use:   "add-policy PROJECT ROLE-NAME",
 		Short: "Add a policy to a project role",
+		Example: `# Before adding new policy
+$ argocd proj role get test-project test-role
+Role Name:     test-role
+Description:
+Policies:
+p, proj:test-project:test-role, projects, get, test-project, allow
+JWT Tokens:
+ID          ISSUED-AT                                EXPIRES-AT
+1696759698  2023-10-08T11:08:18+01:00 (3 hours ago)  <none>
+
+# Add a new policy to allow update to the project
+$ argocd proj role add-policy test-project test-role -a update -p allow -o project
+
+# Policy should be updated
+$  argocd proj role get test-project test-role
+Role Name:     test-role
+Description:
+Policies:
+p, proj:test-project:test-role, projects, get, test-project, allow
+p, proj:test-project:test-role, applications, update, test-project/project, allow
+JWT Tokens:
+ID          ISSUED-AT                                EXPIRES-AT
+1696759698  2023-10-08T11:08:18+01:00 (3 hours ago)  <none>
+`,
 		Run: func(c *cobra.Command, args []string) {
 			ctx := c.Context()
 
@@ -94,6 +118,30 @@ func NewProjectRoleRemovePolicyCommand(clientOpts *argocdclient.ClientOptions) *
 	var command = &cobra.Command{
 		Use:   "remove-policy PROJECT ROLE-NAME",
 		Short: "Remove a policy from a role within a project",
+		Example: `List the policy of the test-role before removing a policy
+$ argocd proj role get test-project test-role
+Role Name:     test-role
+Description:
+Policies:
+p, proj:test-project:test-role, projects, get, test-project, allow
+p, proj:test-project:test-role, applications, update, test-project/project, allow
+JWT Tokens:
+ID          ISSUED-AT                                EXPIRES-AT
+1696759698  2023-10-08T11:08:18+01:00 (3 hours ago)  <none>
+
+# Remove the policy to allow update to objects
+$ argocd proj role remove-policy test-project test-role -a update -p allow -o project
+
+# The role should be removed now.
+$ argocd proj role get test-project test-role
+Role Name:     test-role
+Description:
+Policies:
+p, proj:test-project:test-role, projects, get, test-project, allow
+JWT Tokens:
+ID          ISSUED-AT                                EXPIRES-AT
+1696759698  2023-10-08T11:08:18+01:00 (4 hours ago)  <none>
+`,
 		Run: func(c *cobra.Command, args []string) {
 			ctx := c.Context()
 
@@ -141,6 +189,11 @@ func NewProjectRoleCreateCommand(clientOpts *argocdclient.ClientOptions) *cobra.
 	var command = &cobra.Command{
 		Use:   "create PROJECT ROLE-NAME",
 		Short: "Create a project role",
+		Example: templates.Examples(`  
+  # Create a project role in the "my-project" project with the name "my-role".
+  argocd proj role create my-project my-role --description "My project role description"
+  		`),
+
 		Run: func(c *cobra.Command, args []string) {
 			ctx := c.Context()
 
@@ -175,13 +228,9 @@ func NewProjectRoleCreateCommand(clientOpts *argocdclient.ClientOptions) *cobra.
 // NewProjectRoleDeleteCommand returns a new instance of an `argocd proj role delete` command
 func NewProjectRoleDeleteCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 	var command = &cobra.Command{
-		Use:   "delete PROJECT ROLE-NAME",
-		Short: "Delete a project role",
-		Example: templates.Examples(`  
-  # Delete a project role from the "my-project" project with the name "my-role".
-  argocd proj role delete my-project my-role
-  		`),
-
+		Use:     "delete PROJECT ROLE-NAME",
+		Short:   "Delete a project role",
+		Example: `$ argocd proj role delete test-project test-role`,
 		Run: func(c *cobra.Command, args []string) {
 			ctx := c.Context()
 
@@ -229,8 +278,15 @@ func NewProjectRoleCreateTokenCommand(clientOpts *argocdclient.ClientOptions) *c
 		tokenID         string
 	)
 	var command = &cobra.Command{
-		Use:     "create-token PROJECT ROLE-NAME",
-		Short:   "Create a project token",
+		Use:   "create-token PROJECT ROLE-NAME",
+		Short: "Create a project token",
+		Example: `$ argocd proj role create-token test-project test-role
+Create token succeeded for proj:test-project:test-role.
+  ID: f316c466-40bd-4cfd-8a8c-1392e92255d4
+  Issued At: 2023-10-08T15:21:40+01:00
+  Expires At: Never
+  Token: xxx
+`,
 		Aliases: []string{"token-create"},
 		Run: func(c *cobra.Command, args []string) {
 			ctx := c.Context()
@@ -294,8 +350,13 @@ func NewProjectRoleListTokensCommand(clientOpts *argocdclient.ClientOptions) *co
 		useUnixTime bool
 	)
 	var command = &cobra.Command{
-		Use:     "list-tokens PROJECT ROLE-NAME",
-		Short:   "List tokens for a given role.",
+		Use:   "list-tokens PROJECT ROLE-NAME",
+		Short: "List tokens for a given role.",
+		Example: `$ argocd proj role list-tokens test-project test-role
+ID                                      ISSUED AT                    EXPIRES AT
+f316c466-40bd-4cfd-8a8c-1392e92255d4    2023-10-08T15:21:40+01:00    Never
+fa9d3517-c52d-434c-9bff-215b38508842    2023-10-08T11:08:18+01:00    Never
+`,
 		Aliases: []string{"list-token", "token-list"},
 		Run: func(c *cobra.Command, args []string) {
 			ctx := c.Context()
@@ -345,8 +406,35 @@ func NewProjectRoleListTokensCommand(clientOpts *argocdclient.ClientOptions) *co
 // NewProjectRoleDeleteTokenCommand returns a new instance of an `argocd proj role delete-token` command
 func NewProjectRoleDeleteTokenCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 	var command = &cobra.Command{
-		Use:     "delete-token PROJECT ROLE-NAME ISSUED-AT",
-		Short:   "Delete a project token",
+		Use:   "delete-token PROJECT ROLE-NAME ISSUED-AT",
+		Short: "Delete a project token",
+		Example: `#Create project test-project
+$ argocd proj create test-project
+
+# Create a role associated with test-project
+$ argocd proj role create test-project test-role
+Role 'test-role' created
+
+# Create test-role associated with test-project
+$ argocd proj role create-token test-project test-role
+Create token succeeded for proj:test-project:test-role.
+  ID: c312450e-12e1-4e0d-9f65-fac9cb027b32
+  Issued At: 2023-10-08T13:58:57+01:00
+  Expires At: Never
+  Token: xxx
+
+# Get test-role id to input into the delete-token command below
+$ argocd proj role get test-project test-role
+Role Name:     test-role
+Description:
+Policies:
+p, proj:test-project:test-role, projects, get, test-project, allow
+JWT Tokens:
+ID          ISSUED-AT                                  EXPIRES-AT
+1696769937  2023-10-08T13:58:57+01:00 (6 minutes ago)  <none>
+
+$ argocd proj role delete-token test-project test-role 1696769937
+`,
 		Aliases: []string{"token-delete", "remove-token"},
 		Run: func(c *cobra.Command, args []string) {
 			ctx := c.Context()
@@ -439,6 +527,16 @@ func NewProjectRoleGetCommand(clientOpts *argocdclient.ClientOptions) *cobra.Com
 	var command = &cobra.Command{
 		Use:   "get PROJECT ROLE-NAME",
 		Short: "Get the details of a specific role",
+		Example: `$ argocd proj role get test-project test-role
+Role Name:     test-role
+Description:
+Policies:
+p, proj:test-project:test-role, projects, get, test-project, allow
+JWT Tokens:
+ID          ISSUED-AT                                  EXPIRES-AT
+1696774900  2023-10-08T15:21:40+01:00 (4 minutes ago)  <none>
+1696759698  2023-10-08T11:08:18+01:00 (4 hours ago)    <none>
+`,
 		Run: func(c *cobra.Command, args []string) {
 			ctx := c.Context()