Forte/launchpad
6
0
Fork 0
Code Issues Pull Requests Actions Packages Wiki Activity

argo access

Browse Source
This commit is contained in:
Danijel Simeunovic
2026-04-25 11:24:44 +02:00
parent a3fd2eb908
commit 0af08ca653
3 changed files with 33 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

37
docs/REFERENCE.md
View File

@@ -654,27 +654,25 @@ retry:
|---------|-------|---------|
| `application.resourceTrackingMethod` | `annotation` | Track resources via annotations |
| `timeout.reconciliation` | `60s` | Reconciliation interval |
| `admin.enabled` | `true` | Enable admin account |
| `admin.enabled` | `false` | Admin login disabled (SSO-only) |
| `url` | `https://argocd.forteapps.net` | External URL for ArgoCD UI |
**Git Submodule Disable**: Set via ConfigMap + `repoServer.envFrom` (NOT `repoServer.env` — that causes strategic merge conflicts with chart's `valueFrom` entries):
**Git Submodule Disable**: Set via `configs.params` (NOT `repoServer.env` — that causes strategic merge conflicts with chart's `valueFrom` entries):
```yaml
# cluster-resources/argocd-repo-server-config.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: argocd-repo-server-config
namespace: argocd
data:
ARGOCD_GIT_MODULES_ENABLED: "false"
# argocd-values.yaml
repoServer:
envFrom:
- configMapRef:
name: argocd-repo-server-config
configs:
params:
"reposerver.enable.git.submodule": "false"
```
The ConfigMap is applied by `bootstrap.sh` before `helm upgrade`. Submodules (e.g., `shared-prompts`) are not needed for K8s manifest generation.
This writes to `argocd-cmd-params-cm` ConfigMap, which the chart already reads via `valueFrom`. Submodules (e.g., `shared-prompts`) are not needed for K8s manifest generation.
**Break-Glass Admin Access**: Admin login is disabled (`admin.enabled: false`). The admin password remains in `argocd-secret`. To re-enable temporarily:
```bash
# Enable admin login
kubectl patch cm argocd-cm -n argocd -p '{"data":{"admin.enabled":"true"}}'
# Log in as admin, do what's needed, then disable again
kubectl patch cm argocd-cm -n argocd -p '{"data":{"admin.enabled":"false"}}'
```
ArgoCD picks up ConfigMap changes within the reconciliation timeout (60s). Note: ArgoCD will revert this on next sync — this is intentional (temporary access only).
**OIDC Authentication** (Keycloak):
```yaml
@@ -690,10 +688,13 @@ configs:
policy.csv: |
g, ArgoCD Admins, role:admin
g, ArgoCD Viewers, role:readonly
policy.default: role:readonly
# Deny users not in any declared KC group
policy.default: ""
scopes: '[groups]'
```
**Access Control**: Only users in Keycloak groups `ArgoCD Admins` or `ArgoCD Viewers` can access ArgoCD. Users not in either group are denied (empty `policy.default`). Assign users to groups in Keycloak admin console.
- ArgoCD does NOT add `openid` implicitly — must include in `requestedScopes`
- Do NOT add `groups` as a scope — the KC groups mapper emits the claim regardless
- `$oidc.clientSecret` references the `oidc.clientSecret` key in `argocd-secret`