Add namespace scoping to extension backends

.github/workflows/release.yml

@@ -65,7 +65,7 @@ jobs:
           labels: ${{ steps.docker-meta.outputs.labels }}
           cache-from: type=gha,scope=${{ matrix.extension }}
           cache-to: type=gha,mode=max,scope=${{ matrix.extension }}
-          platforms: linux/amd64
+          platforms: linux/amd64,linux/arm64
 
   # --- Build and push UI extensions init container ---
   ui-extensions-image:
@@ -128,7 +128,7 @@ jobs:
           labels: ${{ steps.docker-meta.outputs.labels }}
           cache-from: type=gha,scope=ui-extensions
           cache-to: type=gha,mode=max,scope=ui-extensions
-          platforms: linux/amd64
+          platforms: linux/amd64,linux/arm64
 
   # --- Build and push docs image ---
   docs-image:
@@ -165,7 +165,7 @@ jobs:
           labels: ${{ steps.docker-meta.outputs.labels }}
           cache-from: type=gha,scope=docs
           cache-to: type=gha,mode=max,scope=docs
-          platforms: linux/amd64
+          platforms: linux/amd64,linux/arm64
 
   # --- Package and push Helm chart ---
   helm-chart:

deploy/extensions/backups/deployment.yaml

@@ -24,6 +24,10 @@ rules:
   - apiGroups: ["velero.io"]
     resources: ["schedules"]
     verbs: ["patch"]
+  # Reads ArgoCD Applications to authorize namespace scoping.
+  - apiGroups: ["argoproj.io"]
+    resources: ["applications"]
+    verbs: ["get"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding

deploy/extensions/events/deployment.yaml

@@ -21,6 +21,10 @@ rules:
   - apiGroups: ["events.k8s.io"]
     resources: ["events"]
     verbs: ["list", "watch"]
+  # Reads ArgoCD Applications to authorize namespace scoping.
+  - apiGroups: ["argoproj.io"]
+    resources: ["applications"]
+    verbs: ["get"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding

deploy/extensions/logs/deployment.yaml

@@ -1,3 +1,41 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: argoplane-logs-backend
+  namespace: argocd
+  labels:
+    app.kubernetes.io/name: argoplane-logs-backend
+    app.kubernetes.io/part-of: argoplane
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: argoplane-logs
+  labels:
+    app.kubernetes.io/name: argoplane-logs-backend
+    app.kubernetes.io/part-of: argoplane
+rules:
+  # Reads ArgoCD Applications to authorize namespace scoping.
+  - apiGroups: ["argoproj.io"]
+    resources: ["applications"]
+    verbs: ["get"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: argoplane-logs
+  labels:
+    app.kubernetes.io/name: argoplane-logs-backend
+    app.kubernetes.io/part-of: argoplane
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: argoplane-logs
+subjects:
+  - kind: ServiceAccount
+    name: argoplane-logs-backend
+    namespace: argocd
+---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -17,6 +55,7 @@ spec:
         app.kubernetes.io/name: argoplane-logs-backend
         app.kubernetes.io/part-of: argoplane
     spec:
+      serviceAccountName: argoplane-logs-backend
       containers:
         - name: backend
           image: argoplane-logs-backend:dev

deploy/extensions/metrics/deployment.yaml

@@ -1,3 +1,41 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: argoplane-metrics-backend
+  namespace: argocd
+  labels:
+    app.kubernetes.io/name: argoplane-metrics-backend
+    app.kubernetes.io/part-of: argoplane
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: argoplane-metrics
+  labels:
+    app.kubernetes.io/name: argoplane-metrics-backend
+    app.kubernetes.io/part-of: argoplane
+rules:
+  # Reads ArgoCD Applications to authorize namespace scoping.
+  - apiGroups: ["argoproj.io"]
+    resources: ["applications"]
+    verbs: ["get"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: argoplane-metrics
+  labels:
+    app.kubernetes.io/name: argoplane-metrics-backend
+    app.kubernetes.io/part-of: argoplane
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: argoplane-metrics
+subjects:
+  - kind: ServiceAccount
+    name: argoplane-metrics-backend
+    namespace: argocd
+---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -17,6 +55,7 @@ spec:
         app.kubernetes.io/name: argoplane-metrics-backend
         app.kubernetes.io/part-of: argoplane
     spec:
+      serviceAccountName: argoplane-metrics-backend
       containers:
         - name: backend
           image: argoplane-metrics-backend:dev

deploy/extensions/networking/deployment.yaml

@@ -94,6 +94,10 @@ rules:
       - ciliumendpoints
       - ciliumidentities
     verbs: ["get", "list", "watch"]
+  # Reads ArgoCD Applications to authorize namespace scoping.
+  - apiGroups: ["argoproj.io"]
+    resources: ["applications"]
+    verbs: ["get"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding

deploy/extensions/vulnerabilities/deployment.yaml

@@ -18,6 +18,10 @@ rules:
   - apiGroups: ["aquasecurity.github.io"]
     resources: ["vulnerabilityreports", "configauditreports", "exposedsecretreports", "sbomreports"]
     verbs: ["get", "list", "watch"]
+  # Reads ArgoCD Applications to authorize namespace scoping.
+  - apiGroups: ["argoproj.io"]
+    resources: ["applications"]
+    verbs: ["get"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding

deploy/helm/argoplane/Chart.yaml

@@ -2,8 +2,8 @@ apiVersion: v2
 name: argoplane
 description: A package of ArgoCD UI extensions
 type: application
-version: 0.1.0
-appVersion: "0.1.0"
+version: 1.4.1
+appVersion: "1.4.1"
 home: https://argoplane.io
 annotations:
   artifacthub.io/license: Apache-2.0

deploy/helm/argoplane/values.yaml

@@ -101,12 +101,17 @@ extensions:
     # -- ServiceAccount configuration
     serviceAccount:
       # -- Create a dedicated ServiceAccount
-      create: false
+      create: true
       # -- Annotations for the ServiceAccount
       annotations: {}
     # -- RBAC rules for the extension (creates ClusterRole + ClusterRoleBinding)
     rbac:
-      rules: []
+      # Reads ArgoCD Applications to authorize that a requested namespace is
+      # one the calling application manages (namespace scoping).
+      rules:
+        - apiGroups: ["argoproj.io"]
+          resources: ["applications"]
+          verbs: ["get"]
 
   backups:
     enabled: true
@@ -164,6 +169,9 @@ extensions:
         - apiGroups: ["velero.io"]
           resources: ["schedules"]
           verbs: ["patch"]
+        - apiGroups: ["argoproj.io"]
+          resources: ["applications"]
+          verbs: ["get"]
 
   networking:
     enabled: false
@@ -209,6 +217,9 @@ extensions:
         - apiGroups: ["cilium.io"]
           resources: ["ciliumnetworkpolicies", "ciliumclusterwidenetworkpolicies", "ciliumendpoints", "ciliumidentities"]
           verbs: ["get", "list", "watch"]
+        - apiGroups: ["argoproj.io"]
+          resources: ["applications"]
+          verbs: ["get"]
 
   logs:
     enabled: false
@@ -248,10 +259,14 @@ extensions:
     tolerations: []
     affinity: {}
     serviceAccount:
-      create: false
+      create: true
       annotations: {}
     rbac:
-      rules: []
+      # Reads ArgoCD Applications to authorize namespace scoping.
+      rules:
+        - apiGroups: ["argoproj.io"]
+          resources: ["applications"]
+          verbs: ["get"]
 
   vulnerabilities:
     enabled: false
@@ -296,6 +311,9 @@ extensions:
         - apiGroups: ["aquasecurity.github.io"]
           resources: ["vulnerabilityreports", "configauditreports", "exposedsecretreports", "sbomreports"]
           verbs: ["get", "list", "watch"]
+        - apiGroups: ["argoproj.io"]
+          resources: ["applications"]
+          verbs: ["get"]
 
   events:
     enabled: false
@@ -343,6 +361,9 @@ extensions:
         - apiGroups: ["events.k8s.io"]
           resources: ["events"]
           verbs: ["list", "watch"]
+        - apiGroups: ["argoproj.io"]
+          resources: ["applications"]
+          verbs: ["get"]
 
 # -- Optional ArgoPlane services (docs site)
 services:

extensions/backups/backend/cmd/main.go

@@ -45,17 +45,21 @@ func main() {
 		os.Exit(1)
 	}
 
+	// Authorizer scopes mutations and per-app reads to namespaces the calling
+	// ArgoCD Application manages.
+	auth := handler.NewAuthorizer(dynClient)
+
 	// Create handlers.
 	storageHandler := handler.NewStorageHandler(dynClient, config.VeleroNamespace)
-	schedulesHandler := handler.NewSchedulesHandler(dynClient, config.VeleroNamespace)
-	backupsHandler := handler.NewBackupsHandler(dynClient, config.VeleroNamespace)
-	restoresHandler := handler.NewRestoresHandler(dynClient, config.VeleroNamespace)
-	overviewHandler := handler.NewOverviewHandler(dynClient, config.VeleroNamespace)
-	logsHandler := handler.NewLogsHandler(dynClient, config.VeleroNamespace, &handler.TLSConfig{
+	schedulesHandler := handler.NewSchedulesHandler(dynClient, config.VeleroNamespace, auth)
+	backupsHandler := handler.NewBackupsHandler(dynClient, config.VeleroNamespace, auth)
+	restoresHandler := handler.NewRestoresHandler(dynClient, config.VeleroNamespace, auth)
+	overviewHandler := handler.NewOverviewHandler(dynClient, config.VeleroNamespace, auth)
+	logsHandler := handler.NewLogsHandler(dynClient, config.VeleroNamespace, auth, &handler.TLSConfig{
 		CACertPath:  config.CACertPath,
 		InsecureTLS: config.InsecureTLS,
 	})
-	volumesHandler := handler.NewVolumesHandler(dynClient, config.VeleroNamespace)
+	volumesHandler := handler.NewVolumesHandler(dynClient, config.VeleroNamespace, auth)
 
 	mux := http.NewServeMux()
 	mux.HandleFunc("GET /api/v1/storage-locations", storageHandler.Handle)