From 134581bcce35f3b4f138f79812f9b513f3f8717f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dani=C3=ABl=20Groothuis?=
Date: Wed, 5 Nov 2025 20:54:00 +0100
Subject: [PATCH] chore(backstage): Added SA for backstage to ArgoCD
---
 manifests/artemis/argocd/kustomization.yaml | 50 +++++++++++++++++++++
 1 file changed, 50 insertions(+)
diff --git a/manifests/artemis/argocd/kustomization.yaml b/manifests/artemis/argocd/kustomization.yaml
index a82e5e8..29eaaf0 100644
--- a/manifests/artemis/argocd/kustomization.yaml
+++ b/manifests/artemis/argocd/kustomization.yaml
@@ -119,3 +119,53 @@ patches:
 apiGroup: rbac.authorization.k8s.io
 kind: ClusterRole
 name: argocd-server
+
+ # Backstage ServiceAccount
+ - target:
+ kind: ServiceAccount
+ name: backstage-argocd
+ patch: |-
+ apiVersion: v1
+ kind: ServiceAccount
+ metadata:
+ name: backstage-argocd
+ namespace: argocd
+
+ # Map Backstage SA to Argo CD role:admin (full Argo CD permissions)
+ - target:
+ kind: ConfigMap
+ name: argocd-rbac-cm
+ patch: |-
+ apiVersion: v1
+ kind: ConfigMap
+ metadata:
+ name: argocd-rbac-cm
+ namespace: argocd
+ data:
+ policy.csv: |
+ g, argocd_admins, role:admin
+ p, argocd_users, applications, list, *, allow
+ p, argocd_users, applications, sync, *, allow
+ p, argocd_users, applications, refresh, *, allow
+ p, argocd_users, applications, get, *, allow
+ # Backstage SA -> role:admin
+ g, system:serviceaccount:argocd:backstage-argocd, role:admin
+
+ # Optional: bind Backstage SA to argocd-server ClusterRole for Kubernetes-level API verbs Argo CD server uses
+ # If you only need Argo CD RBAC, you can omit this block
+ - target:
+ kind: ClusterRoleBinding
+ name: backstage-argocd-server-access
+ patch: |-
+ apiVersion: rbac.authorization.k8s.io/v1
+ kind: ClusterRoleBinding
+ metadata:
+ name: backstage-argocd-server-access
+ subjects:
+ - kind: ServiceAccount
+ name: backstage-argocd
+ namespace: argocd
+ roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: argocd-server
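Review bot: The policy line `g, system:serviceaccount:argocd:backstage-argocd, role:admin` gives the Backstage integration full Argo CD admin, and the last patch additionally binds the same ServiceAccount to the `argocd-server` ClusterRole, so a leaked Backstage token would carry both Argo CD admin and whatever cluster-level verbs that role holds. If Backstage only needs to read application state, a dedicated role is enough: `p, role:backstage, applications, get, */*, allow` with `g, system:serviceaccount:argocd:backstage-argocd, role:backstage`. The patch's own comment calls the ClusterRoleBinding optional, so I would drop it until a concrete need is shown. Two things to confirm outside this hunk: that Argo CD is actually configured to authenticate a `system:serviceaccount:...` subject (its RBAC subjects are normally local accounts or SSO users and groups), and that the ServiceAccount and ClusterRoleBinding exist under `resources:`, since a Kustomize patch only modifies objects that are already defined.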