chore(backstage): Added SA for backstage to ArgoCD

2025-11-05 20:54:00 +01:00
parent 3f3d99e8d0
commit 134581bcce
1 changed files with 50 additions and 0 deletions
--- a/manifests/artemis/argocd/kustomization.yaml
+++ b/manifests/artemis/argocd/kustomization.yaml
@@ -119,3 +119,53 @@ patches:
        apiGroup: rbac.authorization.k8s.io
        kind: ClusterRole
        name: argocd-server
+
+  # Backstage ServiceAccount
+  - target:
+      kind: ServiceAccount
+      name: backstage-argocd
+    patch: |-
+      apiVersion: v1
+      kind: ServiceAccount
+      metadata:
+        name: backstage-argocd
+        namespace: argocd
+
+  # Map Backstage SA to Argo CD role:admin (full Argo CD permissions)
+  - target:
+      kind: ConfigMap
+      name: argocd-rbac-cm
+    patch: |-
+      apiVersion: v1
+      kind: ConfigMap
+      metadata:
+        name: argocd-rbac-cm
+        namespace: argocd
+      data:
+        policy.csv: |
+          g, argocd_admins, role:admin
+          p, argocd_users, applications, list, *, allow
+          p, argocd_users, applications, sync, *, allow
+          p, argocd_users, applications, refresh, *, allow
+          p, argocd_users, applications, get, *, allow
+          # Backstage SA -> role:admin
+          g, system:serviceaccount:argocd:backstage-argocd, role:admin
+
+  # Optional: bind Backstage SA to argocd-server ClusterRole for Kubernetes-level API verbs Argo CD server uses
+  # If you only need Argo CD RBAC, you can omit this block
+  - target:
+      kind: ClusterRoleBinding
+      name: backstage-argocd-server-access
+    patch: |-
+      apiVersion: rbac.authorization.k8s.io/v1
+      kind: ClusterRoleBinding
+      metadata:
+        name: backstage-argocd-server-access
+      subjects:
+        - kind: ServiceAccount
+          name: backstage-argocd
+          namespace: argocd
+      roleRef:
+        apiGroup: rbac.authorization.k8s.io
+        kind: ClusterRole
+        name: argocd-server