145 lines
4.2 KiB
YAML
145 lines
4.2 KiB
YAML
---
|
|
apiVersion: kustomize.config.k8s.io/v1beta1
|
|
kind: Kustomization
|
|
metadata:
|
|
name: argocd
|
|
|
|
resources:
|
|
- github.com/argoproj/argo-cd/manifests/cluster-install?ref=v3.3.0
|
|
- ingressRoute.yaml
|
|
- certificate.yaml
|
|
- backstage-sa.yaml
|
|
- backstage-rbac.yaml
|
|
|
|
patches:
|
|
- target:
|
|
kind: ConfigMap
|
|
name: argocd-cmd-params-cm
|
|
patch: |-
|
|
apiVersion: v1
|
|
kind: ConfigMap
|
|
metadata:
|
|
name: argocd-cmd-params-cm
|
|
data:
|
|
server.insecure: "true"
|
|
application.namespaces: "*"
|
|
- target:
|
|
kind: ConfigMap
|
|
name: argocd-rbac-cm
|
|
patch: |-
|
|
apiVersion: v1
|
|
kind: ConfigMap
|
|
metadata:
|
|
name: argocd-rbac-cm
|
|
data:
|
|
policy.csv: |
|
|
g, argocd_admins, role:admin
|
|
p, argocd_users, applications, list, *, allow
|
|
p, argocd_users, applications, sync, *, allow
|
|
p, argocd_users, applications, refresh, *, allow
|
|
p, argocd_users, applications, get, *, allow
|
|
- target:
|
|
kind: ConfigMap
|
|
name: argocd-cm
|
|
patch: |-
|
|
apiVersion: v1
|
|
kind: ConfigMap
|
|
metadata:
|
|
name: argocd-cm
|
|
data:
|
|
accounts.admin: "apiKey, login"
|
|
accounts.backstage.enabled: "true"
|
|
admin.enabled: "true"
|
|
kustomize.buildOptions: --enable-helm
|
|
url: https://cd.dgse.cloud
|
|
oidc.config: |
|
|
name: DGSE
|
|
issuer: https://auth.dgse.cloud
|
|
clientID: 7f58ae97-de06-4de2-9be4-3bac6b58e6e7
|
|
clientSecret: $oidc.keycloak.clientSecret
|
|
requestedScopes: ["openid", "profile", "email", "groups"]
|
|
allowedAudiences:
|
|
- "7f58ae97-de06-4de2-9be4-3bac6b58e6e7"
|
|
- target:
|
|
kind: ClusterRole
|
|
name: argocd-application-controller
|
|
patch: |-
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRole
|
|
metadata:
|
|
name: argocd-application-controller
|
|
rules:
|
|
- apiGroups: ["*"]
|
|
resources: ["*"]
|
|
verbs: ["*"]
|
|
- target:
|
|
kind: ClusterRoleBinding
|
|
name: argocd-application-controller
|
|
patch: |-
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRoleBinding
|
|
metadata:
|
|
name: argocd-application-controller
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: argocd-application-controller
|
|
namespace: argocd
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
kind: ClusterRole
|
|
name: argocd-application-controller
|
|
- target:
|
|
kind: ClusterRole
|
|
name: argocd-server
|
|
patch: |-
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRole
|
|
metadata:
|
|
name: argocd-server
|
|
rules:
|
|
- apiGroups: ["argoproj.io"]
|
|
resources: ["applications", "applications/status", "applications/finalizers"]
|
|
verbs: ["get", "list", "watch", "update", "patch", "delete"]
|
|
- apiGroups: ["argoproj.io"]
|
|
resources: ["appprojects"]
|
|
verbs: ["get", "list", "watch"]
|
|
- apiGroups: ["*"]
|
|
resources: ["namespaces", "events"]
|
|
verbs: ["get", "list", "watch"]
|
|
- target:
|
|
kind: ClusterRoleBinding
|
|
name: argocd-server
|
|
patch: |-
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRoleBinding
|
|
metadata:
|
|
name: argocd-server
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: argocd-server
|
|
namespace: argocd
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
kind: ClusterRole
|
|
name: argocd-server
|
|
|
|
# Map Backstage SA to Argo CD role:admin (full Argo CD permissions)
|
|
- target:
|
|
kind: ConfigMap
|
|
name: argocd-rbac-cm
|
|
patch: |-
|
|
apiVersion: v1
|
|
kind: ConfigMap
|
|
metadata:
|
|
name: argocd-rbac-cm
|
|
namespace: argocd
|
|
data:
|
|
policy.csv: |
|
|
g, argocd_admins, role:admin
|
|
p, argocd_users, applications, list, *, allow
|
|
p, argocd_users, applications, sync, *, allow
|
|
p, argocd_users, applications, refresh, *, allow
|
|
p, argocd_users, applications, get, *, allow
|
|
g, system:serviceaccount:argocd:backstage-argocd, role:admin
|
|
p, system:serviceaccount:argocd:backstage-argocd, applications, *, */*, allow
|