From 85d150d3d4d4adde2956f5a03fc84b1f21c886f3 Mon Sep 17 00:00:00 2001
From: Danijel Simeunovic
Date: Mon, 27 Apr 2026 11:03:12 +0200
Subject: [PATCH] rbac
---
 docs/REFERENCE.md | 20 ++++++++++-
 infra/values/base/argocd-values.yaml | 47 +++++++++++++++++++++++++-
 infra/values/base/keycloak-values.yaml | 12 +++++++
 3 files changed, 77 insertions(+), 2 deletions(-)
diff --git a/docs/REFERENCE.md b/docs/REFERENCE.md
index a507d9c..1fcfbd2 100644
--- a/docs/REFERENCE.md
+++ b/docs/REFERENCE.md
@@ -693,7 +693,25 @@ configs: scopes: '[groups]' ``` -**Access Control**: Only users in Keycloak groups `ArgoCD Admins` or `ArgoCD Viewers` can access ArgoCD. Users not in either group are denied (empty `policy.default`). Assign users to groups in Keycloak admin console. +**Access Control**: Only users in declared Keycloak groups can access ArgoCD. Users not in any group are denied (`policy.default: ""`). Assign users to groups in Keycloak admin console. + +| KC Group | ArgoCD Role | Access | +|----------|-------------|--------| +| `ArgoCD Admins` | `role:admin` | Full control over all apps | +| `ArgoCD Viewers` | `role:readonly` | Read-only access to all apps | +| `Observability Team` | `role:observability` | Get/sync monitoring apps (prometheus, loki, fluent-bit, tempo, grafana, opencost) | +| `Dev Tools Team` | `role:devtools` | Get/sync dev tool apps (gitea, gitea-actions, renovate, karpor) | +| `App Developers` | `role:app-dev` | Get/sync/action on enterprise-apps only | + +**Per-Cluster RBAC**: Add cluster-specific policies in `infra/values//argocd-values.yaml` using `configs.rbac.policy..csv`. ArgoCD concatenates all `policy.*.csv` keys alphabetically after `policy.csv`. Example: +```yaml +# infra/values/upc-dev/argocd-values.yaml +configs: + rbac: + policy.upc-dev.csv: | + p, role:staging-deployer, applications, sync, default/enterprise-apps, allow + g, Staging Deployers, role:staging-deployer +``` - ArgoCD does NOT add `openid` implicitly — must include in `requestedScopes` - Do NOT add `groups` as a scope — the KC groups mapper emits the claim regardless diff --git a/infra/values/base/argocd-values.yaml b/infra/values/base/argocd-values.yaml index 662812b..847bbf9 100644 --- a/infra/values/base/argocd-values.yaml +++ b/infra/values/base/argocd-values.yaml 
@@ -20,10 +20,55 @@ configs:
 clientSecret: $oidc.clientSecret
 requestedScopes: ["openid", "email", "profile"]
 rbac:
+ # Base RBAC — org-wide roles shared across all clusters.
+ # Per-cluster policies go in infra/values//argocd-values.yaml
+ # as configs.rbac.policy..csv (ArgoCD concatenates all policy.*.csv keys)
 policy.csv: |
+ # Platform administrators — full control
 g, ArgoCD Admins, role:admin
+
+ # Read-only viewers — see all, change nothing
 g, ArgoCD Viewers, role:readonly
- # Deny users not in any declared KC group (ArgoCD Admins / ArgoCD Viewers)
+
+ # --- Per-team roles (scoped to default project app names) ---
+ # Observability team — manage monitoring stack
+ p, role:observability, applications, get, default/prometheus, allow
+ p, role:observability, applications, get, default/loki, allow
+ p, role:observability, applications, get, default/fluent-bit, allow
+ p, role:observability, applications, get, default/tempo, allow
+ p, role:observability, applications, get, default/grafana, allow
+ p, role:observability, applications, get, default/grafana-dashboards, allow
+ p, role:observability, applications, get, default/opencost, allow
+ p, role:observability, applications, sync, default/prometheus, allow
+ p, role:observability, applications, sync, default/loki, allow
+ p, role:observability, applications, sync, default/fluent-bit, allow
+ p, role:observability, applications, sync, default/tempo, allow
+ p, role:observability, applications, sync, default/grafana, allow
+ p, role:observability, applications, sync, default/grafana-dashboards, allow
+ p, role:observability, applications, sync, default/opencost, allow
+ p, role:observability, logs, get, default/*, allow
+ g, Observability Team, role:observability
+
+ # Dev tools team — manage gitea, renovate, karpor
+ p, role:devtools, applications, get, default/gitea, allow
+ p, role:devtools, applications, get, default/gitea-actions, allow
+ p, role:devtools, applications, get, default/renovate, allow
+ p, role:devtools, applications, get, default/karpor, allow
+ p, role:devtools, applications, sync, default/gitea, allow
+ p, role:devtools, applications, sync, default/gitea-actions, allow
+ p, role:devtools, applications, sync, default/renovate, allow
+ p, role:devtools, applications, sync, default/karpor, allow
+ p, role:devtools, logs, get, default/*, allow
+ g, Dev Tools Team, role:devtools
+
+ # App developers — manage enterprise apps only
+ p, role:app-dev, applications, get, default/enterprise-apps, allow
+ p, role:app-dev, applications, sync, default/enterprise-apps, allow
+ p, role:app-dev, applications, action, default/enterprise-apps, allow
+ p, role:app-dev, logs, get, default/enterprise-apps, allow
+ g, App Developers, role:app-dev
+
+ # Deny users not in any declared KC group
 policy.default: ""
 scopes: '[groups]'
 params:
diff --git a/infra/values/base/keycloak-values.yaml b/infra/values/base/keycloak-values.yaml
index 109d14d..d6b44d3 100644
--- a/infra/values/base/keycloak-values.yaml
+++ b/infra/values/base/keycloak-values.yaml
@@ -175,6 +175,18 @@ keycloakConfigCli:
 {
 "name": "ArgoCD Viewers",
 "path": "/ArgoCD Viewers"
+ },
+ {
+ "name": "Observability Team",
+ "path": "/Observability Team"
+ },
+ {
+ "name": "Dev Tools Team",
+ "path": "/Dev Tools Team"
+ },
+ {
+ "name": "App Developers",
+ "path": "/App Developers"
 }
 ]
 }
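Review bot: The two wildcard log grants, `p, role:observability, logs, get, default/*, allow` and `p, role:devtools, logs, get, default/*, allow`, are wider than the application scope each role is given: they cover every app in the default project (enterprise-apps, the other team's tools, and anything added later), while role:app-dev correctly scopes its log line to `default/enterprise-apps`. Argo CD, as far as I recall, also enforces `applications, get` on the same app before serving logs, which narrows the practical reach, but the policy should not depend on that — pod logs are a common place for secrets and tokens to surface, and a later widening of `get` or a per-cluster `policy.*.csv` would silently extend the log access too. I would replace each wildcard with one `logs, get` line per app the role may already get, as below. Separately, the docs table in docs/REFERENCE.md lists the observability apps without `grafana-dashboards`, which this hunk does grant; the two should agree.
```yaml
      # Observability team — manage monitoring stack
      # … unchanged: role:observability applications get/sync lines …
      p, role:observability, logs, get, default/prometheus, allow
      p, role:observability, logs, get, default/loki, allow
      p, role:observability, logs, get, default/fluent-bit, allow
      p, role:observability, logs, get, default/tempo, allow
      p, role:observability, logs, get, default/grafana, allow
      p, role:observability, logs, get, default/grafana-dashboards, allow
      p, role:observability, logs, get, default/opencost, allow
      g, Observability Team, role:observability
      # … unchanged: role:devtools applications get/sync lines …
      p, role:devtools, logs, get, default/gitea, allow
      p, role:devtools, logs, get, default/gitea-actions, allow
      p, role:devtools, logs, get, default/renovate, allow
      p, role:devtools, logs, get, default/karpor, allow
      g, Dev Tools Team, role:devtools
      # … unchanged: role:app-dev lines, policy.default, scopes …
```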