chore(backstage): Added SA for backstage to ArgoCD

2025-11-05 21:00:46 +01:00
parent 134581bcce
commit c4754ea41a
3 changed files with 21 additions and 30 deletions
--- a/manifests/artemis/argocd/backstage-rbac.yaml
+++ b/manifests/artemis/argocd/backstage-rbac.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: backstage-argocd-server-access
+subjects:
+  - kind: ServiceAccount
+    name: backstage-argocd
+    namespace: argocd
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: argocd-server
--- a/manifests/artemis/argocd/backstage-sa.yaml
+++ b/manifests/artemis/argocd/backstage-sa.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: backstage-argocd
+  namespace: argocd
--- a/manifests/artemis/argocd/kustomization.yaml
+++ b/manifests/artemis/argocd/kustomization.yaml
@@ -8,6 +8,8 @@ resources:
  - github.com/argoproj/argo-cd/manifests/cluster-install?ref=v3.2.0
  - ingressRoute.yaml
  - certificate.yaml
+  - backstage-sa.yaml
+  - backstage-rbac.yaml

 patches:
  - target:
@@ -120,17 +122,6 @@ patches:
        kind: ClusterRole
        name: argocd-server

-  # Backstage ServiceAccount
-  - target:
-      kind: ServiceAccount
-      name: backstage-argocd
-    patch: |-
-      apiVersion: v1
-      kind: ServiceAccount
-      metadata:
-        name: backstage-argocd
-        namespace: argocd
-
  # Map Backstage SA to Argo CD role:admin (full Argo CD permissions)
  - target:
      kind: ConfigMap
@@ -150,22 +141,3 @@ patches:
          p, argocd_users, applications, get, *, allow
          # Backstage SA -> role:admin
          g, system:serviceaccount:argocd:backstage-argocd, role:admin
-
-  # Optional: bind Backstage SA to argocd-server ClusterRole for Kubernetes-level API verbs Argo CD server uses
-  # If you only need Argo CD RBAC, you can omit this block
-  - target:
-      kind: ClusterRoleBinding
-      name: backstage-argocd-server-access
-    patch: |-
-      apiVersion: rbac.authorization.k8s.io/v1
-      kind: ClusterRoleBinding
-      metadata:
-        name: backstage-argocd-server-access
-      subjects:
-        - kind: ServiceAccount
-          name: backstage-argocd
-          namespace: argocd
-      roleRef:
-        apiGroup: rbac.authorization.k8s.io
-        kind: ClusterRole
-        name: argocd-server