argo access
@@ -654,27 +654,25 @@ retry:
|
|||||||
|---------|-------|---------|
|
|---------|-------|---------|
|
||||||
| `application.resourceTrackingMethod` | `annotation` | Track resources via annotations |
|
| `application.resourceTrackingMethod` | `annotation` | Track resources via annotations |
|
||||||
| `timeout.reconciliation` | `60s` | Reconciliation interval |
|
| `timeout.reconciliation` | `60s` | Reconciliation interval |
|
||||||
| `admin.enabled` | `true` | Enable admin account |
|
| `admin.enabled` | `false` | Admin login disabled (SSO-only) |
|
||||||
| `url` | `https://argocd.forteapps.net` | External URL for ArgoCD UI |
|
| `url` | `https://argocd.forteapps.net` | External URL for ArgoCD UI |
|
||||||
|
|
||||||
**Git Submodule Disable**: Set via ConfigMap + `repoServer.envFrom` (NOT `repoServer.env` — that causes strategic merge conflicts with chart's `valueFrom` entries):
|
**Git Submodule Disable**: Set via `configs.params` (NOT `repoServer.env` — that causes strategic merge conflicts with chart's `valueFrom` entries):
|
||||||
```yaml
|
```yaml
|
||||||
# cluster-resources/argocd-repo-server-config.yaml
|
configs:
|
||||||
apiVersion: v1
|
params:
|
||||||
kind: ConfigMap
|
"reposerver.enable.git.submodule": "false"
|
||||||
metadata:
|
|
||||||
name: argocd-repo-server-config
|
|
||||||
namespace: argocd
|
|
||||||
data:
|
|
||||||
ARGOCD_GIT_MODULES_ENABLED: "false"
|
|
||||||
|
|
||||||
# argocd-values.yaml
|
|
||||||
repoServer:
|
|
||||||
envFrom:
|
|
||||||
- configMapRef:
|
|
||||||
name: argocd-repo-server-config
|
|
||||||
```
|
```
|
||||||
The ConfigMap is applied by `bootstrap.sh` before `helm upgrade`. Submodules (e.g., `shared-prompts`) are not needed for K8s manifest generation.
|
This writes to `argocd-cmd-params-cm` ConfigMap, which the chart already reads via `valueFrom`. Submodules (e.g., `shared-prompts`) are not needed for K8s manifest generation.
|
||||||
|
|
||||||
|
**Break-Glass Admin Access**: Admin login is disabled (`admin.enabled: false`). The admin password remains in `argocd-secret`. To re-enable temporarily:
|
||||||
|
```bash
|
||||||
|
# Enable admin login
|
||||||
|
kubectl patch cm argocd-cm -n argocd -p '{"data":{"admin.enabled":"true"}}'
|
||||||
|
# Log in as admin, do what's needed, then disable again
|
||||||
|
kubectl patch cm argocd-cm -n argocd -p '{"data":{"admin.enabled":"false"}}'
|
||||||
|
```
|
||||||
|
ArgoCD picks up ConfigMap changes within the reconciliation timeout (60s). Note: ArgoCD will revert this on next sync — this is intentional (temporary access only).
|
||||||
|
|
||||||
**OIDC Authentication** (Keycloak):
|
**OIDC Authentication** (Keycloak):
|
||||||
```yaml
|
```yaml
|
||||||
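Review bot: the break-glass procedure in this hunk leaves the operator a window that the same text bounds at one reconciliation interval: it says ArgoCD reverts the `admin.enabled` patch on the next sync and that `timeout.reconciliation` is 60s, so an admin who has not logged in within roughly a minute of running `kubectl patch cm argocd-cm -n argocd -p '{"data":{"admin.enabled":"true"}}'` may find the login disabled again before doing anything. State that explicitly in the procedure (patch, log in immediately, expect the revert), or describe the alternative of changing the value in `argocd-values.yaml` for the duration of the incident and reverting it afterwards. Two follow-ups: the removed lines referenced `cluster-resources/argocd-repo-server-config.yaml` and a `bootstrap.sh` step that applied it, but no hunk in this commit removes that file or that step, so confirm both are gone or the orphaned ConfigMap keeps carrying `ARGOCD_GIT_MODULES_ENABLED`; and since the text says the admin password remains in `argocd-secret` after `admin.enabled: false`, document who is expected to hold it and that a break-glass login is recorded.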
@@ -690,10 +688,13 @@ configs:
|
|||||||
policy.csv: |
|
policy.csv: |
|
||||||
g, ArgoCD Admins, role:admin
|
g, ArgoCD Admins, role:admin
|
||||||
g, ArgoCD Viewers, role:readonly
|
g, ArgoCD Viewers, role:readonly
|
||||||
policy.default: role:readonly
|
# Deny users not in any declared KC group
|
||||||
|
policy.default: ""
|
||||||
scopes: '[groups]'
|
scopes: '[groups]'
|
||||||
```
|
```
|
||||||
|
|
||||||
|
**Access Control**: Only users in Keycloak groups `ArgoCD Admins` or `ArgoCD Viewers` can access ArgoCD. Users not in either group are denied (empty `policy.default`). Assign users to groups in Keycloak admin console.
|
||||||
|
|
||||||
- ArgoCD does NOT add `openid` implicitly — must include in `requestedScopes`
|
- ArgoCD does NOT add `openid` implicitly — must include in `requestedScopes`
|
||||||
- Do NOT add `groups` as a scope — the KC groups mapper emits the claim regardless
|
- Do NOT add `groups` as a scope — the KC groups mapper emits the claim regardless
|
||||||
- `$oidc.clientSecret` references the `oidc.clientSecret` key in `argocd-secret`
|
- `$oidc.clientSecret` references the `oidc.clientSecret` key in `argocd-secret`
|
||||||
|
|||||||
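Review bot: the paragraph added at the end of this hunk says users outside both groups are "denied", but an empty `policy.default` removes their role rather than rejecting the login: such a user still authenticates through Keycloak and lands in the UI with no permissions. Reword to "can log in but have no access" and add a verification step (log in with a test account that is in neither group and confirm no applications or settings are visible, and that the API returns permission errors). Also worth a sentence beside `scopes: '[groups]'`: the `g, ArgoCD Admins, role:admin` rule matches the group name as it appears in the claim, so the claim value has to be exactly `ArgoCD Admins`.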
@@ -10,7 +10,8 @@ configs:
|
|||||||
cm:
|
cm:
|
||||||
application.resourceTrackingMethod: annotation
|
application.resourceTrackingMethod: annotation
|
||||||
timeout.reconciliation: 60s
|
timeout.reconciliation: 60s
|
||||||
admin.enabled: "true"
|
# Admin login disabled — SSO only. Break-glass: kubectl patch cm argocd-cm -n argocd -p '{"data":{"admin.enabled":"true"}}'
|
||||||
|
admin.enabled: "false"
|
||||||
url: https://argocd.forteapps.net
|
url: https://argocd.forteapps.net
|
||||||
oidc.config: |
|
oidc.config: |
|
||||||
name: Forte SSO
|
name: Forte SSO
|
||||||
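Review bot: the new comment on `admin.enabled: "false"` repeats the full break-glass `kubectl patch` command that the docs hunk already carries; keep one source of truth by shortening the comment to the reason and a pointer ("SSO only; see Break-Glass Admin Access in the docs") so the two copies cannot drift. Since this file is what the chart renders into `argocd-cm`, a live patch of that ConfigMap is overwritten by the next sync, which is the behaviour the docs describe and the one you want for a values-managed setting.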
@@ -22,7 +23,8 @@ configs:
|
|||||||
policy.csv: |
|
policy.csv: |
|
||||||
g, ArgoCD Admins, role:admin
|
g, ArgoCD Admins, role:admin
|
||||||
g, ArgoCD Viewers, role:readonly
|
g, ArgoCD Viewers, role:readonly
|
||||||
policy.default: role:readonly
|
# Deny users not in any declared KC group (ArgoCD Admins / ArgoCD Viewers)
|
||||||
|
policy.default: ""
|
||||||
scopes: '[groups]'
|
scopes: '[groups]'
|
||||||
params:
|
params:
|
||||||
"server.insecure": true
|
"server.insecure": true
|
||||||
|
|||||||
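Review bot: with admin login off and the default policy emptied, the unchanged context line `"server.insecure": true` is the remaining setting in this block that an access-hardening change should account for: it makes argocd-server listen without TLS, which is only acceptable when TLS terminates at the ingress in front of `https://argocd.forteapps.net`. It is not changed by this commit, but add a comment next to it stating that assumption, as was done for `admin.enabled`, so the next reader does not have to guess. The `policy.default: ""` change itself matches the docs hunk.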
@@ -166,6 +166,16 @@ keycloakConfigCli:
|
|||||||
}
|
}
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
],
|
||||||
|
"groups": [
|
||||||
|
{
|
||||||
|
"name": "ArgoCD Admins",
|
||||||
|
"path": "/ArgoCD Admins"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"name": "ArgoCD Viewers",
|
||||||
|
"path": "/ArgoCD Viewers"
|
||||||
|
}
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
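Review bot: the `path` values `/ArgoCD Admins` and `/ArgoCD Viewers` here do not literally match the `g, ArgoCD Admins, role:admin` rules in the RBAC hunks, which use the bare name. Whether the `groups` claim carries the bare name or the full path depends on the Keycloak group-membership mapper's full-path setting, and that mapper is not in this hunk; confirm the mapper in this realm export emits `ArgoCD Admins` (full path off), otherwise the group bindings never match and every SSO user falls into the empty default policy. The groups are also created with no members, so assign at least one administrator in the Keycloak admin console before the `admin.enabled: false` change lands, or the only way in is the break-glass patch.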