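---
# Kustomization for the Argo CD control plane: pins the upstream cluster-install
# manifests and layers local patches on top (server flags, OIDC login, Argo CD
# RBAC policy, Kubernetes RBAC for the controller and API server).
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
metadata:
  name: argocd

resources:
  # Pinned upstream release. Bump `ref` deliberately and re-review the patches
  # below, since the ClusterRole patches replace upstream rule lists wholesale.
  - github.com/argoproj/argo-cd/manifests/cluster-install?ref=v3.2.4
  - ingressRoute.yaml
  - certificate.yaml
  - backstage-sa.yaml
  - backstage-rbac.yaml

patches:
  # argocd-server / controller runtime flags.
  - target:
      kind: ConfigMap
      name: argocd-cmd-params-cm
    patch: |-
      apiVersion: v1
      kind: ConfigMap
      metadata:
        name: argocd-cmd-params-cm
      data:
        # Plain HTTP on the API server. Assumes TLS is terminated by the
        # IngressRoute in ingressRoute.yaml -- confirm; otherwise OIDC tokens and
        # API keys cross the cluster network unencrypted.
        server.insecure: "true"
        # Apps-in-any-namespace: Application objects may live in every namespace.
        # Whoever can create Applications in a namespace can drive deployments, so
        # each AppProject must restrict `sourceNamespaces` and destinations explicitly.
        application.namespaces: "*"

  # Main Argo CD settings and OIDC login.
  - target:
      kind: ConfigMap
      name: argocd-cm
    patch: |-
      apiVersion: v1
      kind: ConfigMap
      metadata:
        name: argocd-cm
      data:
        # Built-in admin keeps both UI login and API-key capability.
        accounts.admin: "apiKey, login"
        # NOTE(review): `.enabled` alone does not declare an account's capabilities.
        # If Backstage authenticates with a local-account token, `accounts.backstage: apiKey`
        # is also needed and the RBAC subject would be `backstage` rather than the
        # Kubernetes ServiceAccount -- confirm which auth path Backstage uses
        # (see the argocd-rbac-cm patch below).
        accounts.backstage.enabled: "true"
        admin.enabled: "true"
        kustomize.buildOptions: --enable-helm
        url: https://cd.dgse.cloud
        # clientSecret is resolved from argocd-secret (the `$<key>` form), so no
        # secret material lives in this file. The `groups` scope feeds the group
        # subjects used in policy.csv; allowedAudiences pins accepted tokens to this
        # client ID.
        oidc.config: |
          name: DGSE
          issuer: https://auth.dgse.cloud
          clientID: 7f58ae97-de06-4de2-9be4-3bac6b58e6e7
          clientSecret: $oidc.keycloak.clientSecret
          requestedScopes: ["openid", "profile", "email", "groups"]
          allowedAudiences:
            - "7f58ae97-de06-4de2-9be4-3bac6b58e6e7"

  # Controller permissions: effectively cluster-admin, which the controller needs to
  # apply arbitrary manifests. ClusterRole.rules carries no merge key, so this list
  # replaces the upstream one rather than extending it. Blast radius is bounded only
  # by AppProject destination / resource allow-lists -- keep those tight.
  - target:
      kind: ClusterRole
      name: argocd-application-controller
    patch: |-
      apiVersion: rbac.authorization.k8s.io/v1
      kind: ClusterRole
      metadata:
        name: argocd-application-controller
      rules:
        - apiGroups: ["*"]
          resources: ["*"]
          verbs: ["*"]

  - target:
      kind: ClusterRoleBinding
      name: argocd-application-controller
    patch: |-
      apiVersion: rbac.authorization.k8s.io/v1
      kind: ClusterRoleBinding
      metadata:
        name: argocd-application-controller
      subjects:
        - kind: ServiceAccount
          name: argocd-application-controller
          namespace: argocd
      roleRef:
        apiGroup: rbac.authorization.k8s.io
        kind: ClusterRole
        name: argocd-application-controller

  # API-server permissions, restricted to Application/AppProject access plus
  # read-only namespaces and events. Presumably narrower than upstream -- verify
  # that the UI features in use (e.g. resource deletion, pod logs) do not rely on
  # rules that are dropped here.
  - target:
      kind: ClusterRole
      name: argocd-server
    patch: |-
      apiVersion: rbac.authorization.k8s.io/v1
      kind: ClusterRole
      metadata:
        name: argocd-server
      rules:
        - apiGroups: ["argoproj.io"]
          resources: ["applications", "applications/status", "applications/finalizers"]
          verbs: ["get", "list", "watch", "update", "patch", "delete"]
        - apiGroups: ["argoproj.io"]
          resources: ["appprojects"]
          verbs: ["get", "list", "watch"]
        - apiGroups: ["*"]
          resources: ["namespaces", "events"]
          verbs: ["get", "list", "watch"]

  - target:
      kind: ClusterRoleBinding
      name: argocd-server
    patch: |-
      apiVersion: rbac.authorization.k8s.io/v1
      kind: ClusterRoleBinding
      metadata:
        name: argocd-server
      subjects:
        - kind: ServiceAccount
          name: argocd-server
          namespace: argocd
      roleRef:
        apiGroup: rbac.authorization.k8s.io
        kind: ClusterRole
        name: argocd-server

  # Argo CD RBAC. A single patch owns policy.csv: strategic merge replaces the
  # string value outright, so a second patch for this ConfigMap would silently
  # discard whatever an earlier one set (the previous duplicate was removed for
  # that reason).
  # `argocd_admins` / `argocd_users` are OIDC group subjects (via the `groups`
  # scope above). policy.default is left unset, so users in neither group fall
  # back to Argo CD's no-default behaviour; set it explicitly if a read-only
  # baseline is wanted.
  # Map Backstage SA to Argo CD role:admin (full Argo CD permissions). The explicit
  # `p` line is already subsumed by role:admin; if Backstage only reads application
  # state, drop the `g` line and narrow the `p` line's action to `get`.
  - target:
      kind: ConfigMap
      name: argocd-rbac-cm
    patch: |-
      apiVersion: v1
      kind: ConfigMap
      metadata:
        name: argocd-rbac-cm
        namespace: argocd
      data:
        policy.csv: |
          g, argocd_admins, role:admin
          p, argocd_users, applications, list, *, allow
          p, argocd_users, applications, sync, *, allow
          p, argocd_users, applications, refresh, *, allow
          p, argocd_users, applications, get, *, allow
          g, system:serviceaccount:argocd:backstage-argocd, role:admin
          p, system:serviceaccount:argocd:backstage-argocd, applications, *, */*, allow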