DGSE/kubernetes
1
0
Fork 0
Code Issues 3 Pull Requests 8 Actions Packages Projects Releases Wiki Activity
Files
a64bdf2ed079bfdade8e19fa03b06e9b9e77924f
kubernetes/manifests/artemis/argocd/kustomization.yaml
Daniël Groothuis a64bdf2ed0 chore(backstage): Added SA for backstage to ArgoCD
2025-11-05 21:14:17 +01:00

143 lines
4.0 KiB
YAML
Raw Blame History

---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
metadata:
name: argocd
resources:
- github.com/argoproj/argo-cd/manifests/cluster-install?ref=v3.2.0
- ingressRoute.yaml
- certificate.yaml
- backstage-sa.yaml
- backstage-rbac.yaml
patches:
- target:
kind: ConfigMap
name: argocd-cmd-params-cm
patch: |-
apiVersion: v1
kind: ConfigMap
metadata:
name: argocd-cmd-params-cm
data:
server.insecure: "true"
application.namespaces: "*"
- target:
kind: ConfigMap
name: argocd-rbac-cm
patch: |-
apiVersion: v1
kind: ConfigMap
metadata:
name: argocd-rbac-cm
data:
policy.csv: |
g, argocd_admins, role:admin
p, argocd_users, applications, list, *, allow
p, argocd_users, applications, sync, *, allow
p, argocd_users, applications, refresh, *, allow
p, argocd_users, applications, get, *, allow
- target:
kind: ConfigMap
name: argocd-cm
patch: |-
apiVersion: v1
kind: ConfigMap
metadata:
name: argocd-cm
data:
accounts.admin: "apiKey, login"
admin.enabled: "true"
kustomize.buildOptions: --enable-helm
url: https://cd.dgse.cloud
oidc.config: |
name: DGSE
issuer: https://auth.dgse.cloud
clientID: 7f58ae97-de06-4de2-9be4-3bac6b58e6e7
clientSecret: $oidc.keycloak.clientSecret
requestedScopes: ["openid", "profile", "email", "groups"]
allowedAudiences:
- "7f58ae97-de06-4de2-9be4-3bac6b58e6e7"
- target:
kind: ClusterRole
name: argocd-application-controller
patch: |-
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: argocd-application-controller
rules:
- apiGroups: ["*"]
resources: ["*"]
verbs: ["*"]
- target:
kind: ClusterRoleBinding
name: argocd-application-controller
patch: |-
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: argocd-application-controller
subjects:
- kind: ServiceAccount
name: argocd-application-controller
namespace: argocd
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: argocd-application-controller
- target:
kind: ClusterRole
name: argocd-server
patch: |-
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: argocd-server
rules:
- apiGroups: ["argoproj.io"]
resources: ["applications", "applications/status", "applications/finalizers"]
verbs: ["get", "list", "watch", "update", "patch", "delete"]
- apiGroups: ["argoproj.io"]
resources: ["appprojects"]
verbs: ["get", "list", "watch"]
- apiGroups: ["*"]
resources: ["namespaces", "events"]
verbs: ["get", "list", "watch"]
- target:
kind: ClusterRoleBinding
name: argocd-server
patch: |-
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: argocd-server
subjects:
- kind: ServiceAccount
name: argocd-server
namespace: argocd
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: argocd-server
# Map Backstage SA to Argo CD role:admin (full Argo CD permissions)
- target:
kind: ConfigMap
name: argocd-rbac-cm
patch: |-
apiVersion: v1
kind: ConfigMap
metadata:
name: argocd-rbac-cm
namespace: argocd
data:
policy.csv: |
g, argocd_admins, role:admin
p, argocd_users, applications, list, *, allow
p, argocd_users, applications, sync, *, allow
p, argocd_users, applications, refresh, *, allow
p, argocd_users, applications, get, *, allow
g, system:serviceaccount:argocd:backstage-argocd, role:admin
Reference in New Issue View Git Blame Copy Permalink