argo access

docs/REFERENCE.md

@@ -654,27 +654,25 @@ retry:
 |---------|-------|---------|
 | `application.resourceTrackingMethod` | `annotation` | Track resources via annotations |
 | `timeout.reconciliation` | `60s` | Reconciliation interval |
-| `admin.enabled` | `true` | Enable admin account |
+| `admin.enabled` | `false` | Admin login disabled (SSO-only) |
 | `url` | `https://argocd.forteapps.net` | External URL for ArgoCD UI |
 
-**Git Submodule Disable**: Set via ConfigMap + `repoServer.envFrom` (NOT `repoServer.env` — that causes strategic merge conflicts with chart's `valueFrom` entries):
+**Git Submodule Disable**: Set via `configs.params` (NOT `repoServer.env` — that causes strategic merge conflicts with chart's `valueFrom` entries):
 ```yaml
-# cluster-resources/argocd-repo-server-config.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: argocd-repo-server-config
-  namespace: argocd
-data:
-  ARGOCD_GIT_MODULES_ENABLED: "false"
-
-# argocd-values.yaml
-repoServer:
-  envFrom:
-  - configMapRef:
-      name: argocd-repo-server-config
+configs:
+  params:
+    "reposerver.enable.git.submodule": "false"
 ```
-The ConfigMap is applied by `bootstrap.sh` before `helm upgrade`. Submodules (e.g., `shared-prompts`) are not needed for K8s manifest generation.
+This writes to `argocd-cmd-params-cm` ConfigMap, which the chart already reads via `valueFrom`. Submodules (e.g., `shared-prompts`) are not needed for K8s manifest generation.
+
+**Break-Glass Admin Access**: Admin login is disabled (`admin.enabled: false`). The admin password remains in `argocd-secret`. To re-enable temporarily:
+```bash
+# Enable admin login
+kubectl patch cm argocd-cm -n argocd -p '{"data":{"admin.enabled":"true"}}'
+# Log in as admin, do what's needed, then disable again
+kubectl patch cm argocd-cm -n argocd -p '{"data":{"admin.enabled":"false"}}'
+```
+ArgoCD picks up ConfigMap changes within the reconciliation timeout (60s). Note: ArgoCD will revert this on next sync — this is intentional (temporary access only).
 
 **OIDC Authentication** (Keycloak):
 ```yaml
@@ -690,10 +688,13 @@ configs:
     policy.csv: |
       g, ArgoCD Admins, role:admin
       g, ArgoCD Viewers, role:readonly
-    policy.default: role:readonly
+    # Deny users not in any declared KC group
+    policy.default: ""
     scopes: '[groups]'
 ```
 
+**Access Control**: Only users in Keycloak groups `ArgoCD Admins` or `ArgoCD Viewers` can access ArgoCD. Users not in either group are denied (empty `policy.default`). Assign users to groups in Keycloak admin console.
+
 - ArgoCD does NOT add `openid` implicitly — must include in `requestedScopes`
 - Do NOT add `groups` as a scope — the KC groups mapper emits the claim regardless
 - `$oidc.clientSecret` references the `oidc.clientSecret` key in `argocd-secret`

infra/values/base/argocd-values.yaml

@@ -10,7 +10,8 @@ configs:
   cm:
     application.resourceTrackingMethod: annotation
     timeout.reconciliation: 60s
-    admin.enabled: "true"
+    # Admin login disabled — SSO only. Break-glass: kubectl patch cm argocd-cm -n argocd -p '{"data":{"admin.enabled":"true"}}'
+    admin.enabled: "false"
     url: https://argocd.forteapps.net
     oidc.config: |
       name: Forte SSO
@@ -22,7 +23,8 @@ configs:
     policy.csv: |
       g, ArgoCD Admins, role:admin
       g, ArgoCD Viewers, role:readonly
-    policy.default: role:readonly
+    # Deny users not in any declared KC group (ArgoCD Admins / ArgoCD Viewers)
+    policy.default: ""
     scopes: '[groups]'
   params:
     "server.insecure": true

infra/values/base/keycloak-values.yaml

@@ -166,6 +166,16 @@ keycloakConfigCli:
               }
             ]
           }
+        ],
+        "groups": [
+          {
+            "name": "ArgoCD Admins",
+            "path": "/ArgoCD Admins"
+          },
+          {
+            "name": "ArgoCD Viewers",
+            "path": "/ArgoCD Viewers"
+          }
         ]
       }