argo-cd
Extend the sync api to allow target revision to be limited via RBAC
Summary
Can ArgoCD (via RBAC?) be configured so an argocd app sync can only be issued to a certain target revision for a specific project? Or can a project be set up so only certain users can sync away from a target revision, e.g. master?
Motivation
We want to be able to do this to allow code owners based review process to be put in place so only authorised code is deployable.
We want people to be able to issue a sync, especially via the UI. (It's a nice workflow!) Just not to specify a target revision (that isn't authorised?)
Proposal
Is there a way to add granularity with the permission, i.e. user x can't sync a custom target revision in environment production, but can in development? It seems this is possible with some actions, e.g. action/argoproj.io/Rollout/*; it would be great to do something like sync/targetRevision/master.

I don't think this is possible currently?
Looking at the Patch function in server/application/application.go, would it be possible to add something like this to the Sync function in the same file?
```go
// Require the "update" permission on the application (the same check Patch uses)
// before a sync that overrides the target revision is allowed to proceed.
if err = s.enf.EnforceErr(ctx.Value("claims"), rbacpolicy.ResourceApplications, rbacpolicy.ActionUpdate, appRBACName(*app)); err != nil {
	return nil, err
}
```
(I hope an enhancement is appropriate, as I'm not sure if there is a simple way to do this that I'm missing.)
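As an added illustration (not code from this issue or from Argo CD itself), here is a sketch of the gate the proposal describes: a minimal policy matcher stands in for Argo CD's Casbin-based enforcer, and an authorizeSync function requires "sync" for every sync and additionally "update" whenever the requested revision deviates from the application's tracked targetRevision. All type and function names, and the "project/*" object pattern handling, are assumptions made for this example, not Argo CD's API.

```go
package main

import (
	"fmt"
	"strings"
)

// rule is a constructed stand-in for one Argo CD RBAC policy line:
// subject, action, object (for example "role:dev", "sync", "production/*").
type rule struct{ subject, action, object string }

// match supports an exact value, the wildcard "*" and the trailing "<project>/*" form.
func match(pattern, value string) bool {
	if pattern == "*" {
		return true
	}
	if strings.HasSuffix(pattern, "/*") {
		return strings.HasPrefix(value, strings.TrimSuffix(pattern, "*"))
	}
	return pattern == value
}

// enforcer answers "may subject perform action on object?" with an allow-only rule set.
type enforcer struct{ rules []rule }

func (e enforcer) allowed(subject, action, object string) bool {
	for _, r := range e.rules {
		if match(r.subject, subject) && match(r.action, action) && match(r.object, object) {
			return true
		}
	}
	return false
}

// app carries only what the check needs: the RBAC name (project/name) and the tracked revision.
type app struct{ rbacName, targetRevision string }

// authorizeSync is the proposed gate: every sync needs "sync"; a sync naming a revision
// other than the tracked targetRevision also needs "update" on the same application.
func authorizeSync(e enforcer, subject string, a app, requested string) error {
	if !e.allowed(subject, "sync", a.rbacName) {
		return fmt.Errorf("permission denied: applications, sync, %s", a.rbacName)
	}
	if requested != "" && requested != a.targetRevision && !e.allowed(subject, "update", a.rbacName) {
		return fmt.Errorf("permission denied: syncing %s to %q deviates from tracked %q", a.rbacName, requested, a.targetRevision)
	}
	return nil
}

func main() {
	e := enforcer{rules: []rule{{"role:dev", "sync", "production/*"}, {"role:dev", "*", "development/*"}}}
	fmt.Println(authorizeSync(e, "role:dev", app{"production/web", "master"}, "feature-x"))
}
```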
@jessesuen any chance of some thoughts on this? :)
@jessesuen Bumping this request as this is something that I would like to see. Any chance of getting this on the roadmap?