rbac

ignore diff
netpol all remove
2026-04-27 11:03:12 +02:00 · 2026-04-26 23:55:55 +02:00 · 2026-04-25 16:04:13 +02:00 · 2026-04-25 11:49:17 +02:00
14 changed files with 373 additions and 50 deletions
--- a/.gitattributes
+++ b/.gitattributes
@@ -0,0 +1,2 @@
 # Force LF line endings for shell scripts
 *.sh text eol=lf
--- a/bootstrap.sh
+++ b/bootstrap.sh
@@ -1,4 +1,5 @@
 #!/bin/zsh
 # in case of  $'\r': command not found error, run command below first
 # sed -i 's/\r$//' ./bootstrap.sh
@@ -27,8 +28,8 @@ Bootstrap()
 Gitea()
 {
    echo "Installing secret..."
-    kubectl apply -f private/gitea-repo-main.yaml
+    kubectl apply -f "private/${CLUSTER}/gitea-repo-main.yaml"
-    kubectl apply -f private/main.key
+    kubectl apply -f "private/${CLUSTER}/main.key"
 }
 ############################################################
@@ -36,10 +37,15 @@ Gitea()
 ############################################################
 ArgoCd()
 {
    # Pre-create ConfigMap for repo-server env (must exist before Helm upgrade)
    kubectl create namespace argocd --dry-run=client -o yaml | kubectl apply -f -
    kubectl apply -f cluster-resources/argocd-repo-server-config.yaml
    # install argocd
    echo "Installing ArgoCD..."
    helm upgrade --install argocd argo-cd \
            --repo https://argoproj.github.io/argo-helm \
            --version "7.8.0" \
            --namespace argocd --create-namespace \
            --values infra/values/base/argocd-values.yaml \
            --values "infra/values/${CLUSTER}/argocd-values.yaml" \
@@ -49,4 +55,4 @@ ArgoCd()
    kubectl apply -f "_app-of-apps-${CLUSTER}.yaml" -n argocd
 }
-# Bootstrap
+Bootstrap
--- a/cluster-resources/argocd-oidc-secret-sync.yaml
+++ b/cluster-resources/argocd-oidc-secret-sync.yaml
@@ -0,0 +1,83 @@
 # CronJob: syncs OIDC client secret from registrar-managed
 # argocd-oidc-credentials into argocd-secret (oidc.clientSecret key).
 # Runs every 2 min. No-ops if source secret doesn't exist yet
 # (safe for fresh deploys before Keycloak is up).
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: argocd-oidc-sync
  namespace: argocd
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  name: argocd-oidc-sync
  namespace: argocd
 rules:
 - apiGroups: [""]
  resources: ["secrets"]
  resourceNames: ["argocd-oidc-credentials", "argocd-secret"]
  verbs: ["get", "patch"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: argocd-oidc-sync
  namespace: argocd
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: argocd-oidc-sync
 subjects:
 - kind: ServiceAccount
  name: argocd-oidc-sync
  namespace: argocd
 ---
 apiVersion: batch/v1
 kind: CronJob
 metadata:
  name: argocd-oidc-sync
  namespace: argocd
 spec:
  schedule: "*/2 * * * *"
  concurrencyPolicy: Forbid
  successfulJobsHistoryLimit: 1
  failedJobsHistoryLimit: 3
  jobTemplate:
    spec:
      backoffLimit: 1
      template:
        spec:
          serviceAccountName: argocd-oidc-sync
          restartPolicy: Never
          containers:
          - name: sync
            image: bitnami/kubectl:latest
            command: ["/bin/sh", "-c"]
            args:
            - |
              set -e
              # Exit gracefully if source secret doesn't exist yet
              if ! kubectl get secret argocd-oidc-credentials -n argocd >/dev/null 2>&1; then
                echo "argocd-oidc-credentials not found — skipping (Keycloak not ready yet)"
                exit 0
              fi
              # Read current OIDC client secret
              NEW_SECRET=$(kubectl get secret argocd-oidc-credentials -n argocd \
                -o jsonpath='{.data.client-secret}' | base64 -d)
              # Read current value in argocd-secret (if any)
              CURRENT=$(kubectl get secret argocd-secret -n argocd \
                -o jsonpath='{.data.oidc\.clientSecret}' 2>/dev/null | base64 -d || echo "")
              # Only patch if changed
              if [ "$NEW_SECRET" = "$CURRENT" ]; then
                echo "oidc.clientSecret already up to date"
                exit 0
              fi
              kubectl patch secret argocd-secret -n argocd --type merge \
                -p "{\"stringData\":{\"oidc.clientSecret\":\"${NEW_SECRET}\"}}"
              echo "Patched argocd-secret with oidc.clientSecret"
--- a/cluster-resources/argocd-repo-server-config.yaml
+++ b/cluster-resources/argocd-repo-server-config.yaml
@@ -0,0 +1,9 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: argocd-repo-server-config
  namespace: argocd
 data:
  # Disable git submodule checkout - submodules (e.g. shared-prompts)
  # are not needed for K8s manifest generation
  ARGOCD_GIT_MODULES_ENABLED: "false"
--- a/cluster-resources/network/deny-external-egress-trivy.yaml
+++ b/cluster-resources/network/deny-external-egress-trivy.yaml
@@ -0,0 +1,37 @@
 apiVersion: cilium.io/v2
 kind: CiliumNetworkPolicy
 metadata:
  name: deny-external-egress
  namespace: trivy-system
  labels:
    app.kubernetes.io/managed-by: argocd
    app.kubernetes.io/part-of: network-policies
 spec:
  endpointSelector: {}
  egress:
    # Allow DNS resolution
    - toEndpoints:
        - matchLabels:
            io.kubernetes.pod.namespace: kube-system
            k8s-app: kube-dns
      toPorts:
        - ports:
            - port: "53"
              protocol: UDP
            - port: "53"
              protocol: TCP
    # Allow cluster-internal traffic (RFC1918)
    - toCIDR:
        - 10.0.0.0/8
        - 172.16.0.0/12
        - 192.168.0.0/16
    # Allow Trivy vulnerability DB downloads (ghcr.io OCI registry)
    - toFQDNs:
        - matchName: ghcr.io
        - matchName: pkg-containers.githubusercontent.com
      toPorts:
        - ports:
            - port: "443"
              protocol: TCP
--- a/docs/REFERENCE.md
+++ b/docs/REFERENCE.md
@@ -654,8 +654,88 @@ retry:
 |---------|-------|---------|
 | `application.resourceTrackingMethod` | `annotation` | Track resources via annotations |
 | `timeout.reconciliation` | `60s` | Reconciliation interval |
-| `admin.enabled` | `true` | Enable admin account |
+| `admin.enabled` | `false` | Admin login disabled (SSO-only) |
-| `git.submodule.enabled` | `false` | Disable git submodule checkout — submodules are not needed for manifest generation |
+| `url` | `https://argocd.forteapps.net` | External URL for ArgoCD UI |
 **Git Submodule Disable**: Set via `configs.params` (NOT `repoServer.env` — that causes strategic merge conflicts with chart's `valueFrom` entries):
 ```yaml
 configs:
  params:
    "reposerver.enable.git.submodule": "false"
 ```
 This writes to `argocd-cmd-params-cm` ConfigMap, which the chart already reads via `valueFrom`. Submodules (e.g., `shared-prompts`) are not needed for K8s manifest generation.
 **Break-Glass Admin Access**: Admin login is disabled (`admin.enabled: false`). The admin password remains in `argocd-secret`. To re-enable temporarily:
 ```bash
 # Enable admin login
 kubectl patch cm argocd-cm -n argocd -p '{"data":{"admin.enabled":"true"}}'
 # Log in as admin, do what's needed, then disable again
 kubectl patch cm argocd-cm -n argocd -p '{"data":{"admin.enabled":"false"}}'
 ```
 ArgoCD picks up ConfigMap changes within the reconciliation timeout (60s). Note: ArgoCD will revert this on next sync — this is intentional (temporary access only).
 **OIDC Authentication** (Keycloak):
 ```yaml
 configs:
  cm:
    oidc.config: |
      name: Forte SSO
      issuer: https://id.forteapps.net/realms/forte
      clientID: argocd
      clientSecret: $oidc.clientSecret
      requestedScopes: ["openid", "email", "profile"]
  rbacConfig:
    policy.csv: |
      g, ArgoCD Admins, role:admin
      g, ArgoCD Viewers, role:readonly
    # Deny users not in any declared KC group
    policy.default: ""
    scopes: '[groups]'
 ```
 **Access Control**: Only users in declared Keycloak groups can access ArgoCD. Users not in any group are denied (`policy.default: ""`). Assign users to groups in Keycloak admin console.
 | KC Group | ArgoCD Role | Access |
 |----------|-------------|--------|
 | `ArgoCD Admins` | `role:admin` | Full control over all apps |
 | `ArgoCD Viewers` | `role:readonly` | Read-only access to all apps |
 | `Observability Team` | `role:observability` | Get/sync monitoring apps (prometheus, loki, fluent-bit, tempo, grafana, opencost) |
 | `Dev Tools Team` | `role:devtools` | Get/sync dev tool apps (gitea, gitea-actions, renovate, karpor) |
 | `App Developers` | `role:app-dev` | Get/sync/action on enterprise-apps only |
 **Per-Cluster RBAC**: Add cluster-specific policies in `infra/values/<cluster>/argocd-values.yaml` using `configs.rbac.policy.<cluster>.csv`. ArgoCD concatenates all `policy.*.csv` keys alphabetically after `policy.csv`. Example:
 ```yaml
 # infra/values/upc-dev/argocd-values.yaml
 configs:
  rbac:
    policy.upc-dev.csv: |
      p, role:staging-deployer, applications, sync, default/enterprise-apps, allow
      g, Staging Deployers, role:staging-deployer
 ```
 - ArgoCD does NOT add `openid` implicitly — must include in `requestedScopes`
 - Do NOT add `groups` as a scope — the KC groups mapper emits the claim regardless
 - `$oidc.clientSecret` references the `oidc.clientSecret` key in `argocd-secret`
 - OIDC secret is synced by CronJob `argocd-oidc-sync` (see `cluster-resources/argocd-oidc-secret-sync.yaml`)
 - The CronJob bridges `argocd-oidc-credentials` (from KC registrar) → `argocd-secret` every 2 min
 - Safe for fresh deploys: no-ops if source secret doesn't exist yet
 **Ingress** (Traefik + TLS):
 ```yaml
 server:
  ingress:
    enabled: true
    ingressClassName: traefik
    annotations:
      cert-manager.io/cluster-issuer: letsencrypt-prod
    tls: true
  extraArgs:
  - --insecure
 configs:
  params:
    "server.insecure": true
 ```
 TLS terminates at Traefik; ArgoCD runs in insecure mode behind the proxy.
 ---
@@ -776,6 +856,15 @@ kubeStateMetrics:
 - Loki
 - Tempo
 **Ingress**: Exposed via Traefik at `https://grafana.forteapps.net` with cert-manager TLS.
 **OIDC Authentication** (Keycloak):
 - Uses `grafana.ini.auth.generic_oauth` with KC `grafana` client
 - Secret `grafana-oidc-credentials` synced by KC registrar, loaded via `envFromSecrets`
 - SSO-only mode: `auth.disable_login_form: true` + `auth.generic_oauth.auto_login: true`
 - Role mapping via JMESPath on `resource_access.grafana.roles` claim (requires KC client role mapper)
 - Roles: KC client roles `Admin`/`Editor` map to Grafana roles; default is `Viewer`
 ### Loki
 **Chart**: `grafana/loki-stack`
--- a/infra/base/keycloak.yaml
+++ b/infra/base/keycloak.yaml
@@ -15,7 +15,7 @@ spec:
  project: default
  sources:
-  - repoURL: https://charts.bitnami.com/bitnami
+  - repoURL: registry-1.docker.io/bitnamicharts
    chart: keycloak
    targetRevision: "25.2.0"
    helm:
@@ -47,3 +47,7 @@ spec:
    kind: CronJob
    jsonPointers:
    - /spec/jobTemplate/spec/template/spec/containers/0/args
  - group: apps
    kind: StatefulSet
    jsonPointers:
    - /spec/volumeClaimTemplates
--- a/infra/base/kustomization.yaml
+++ b/infra/base/kustomization.yaml
@@ -20,5 +20,4 @@ resources:
 - renovate.yaml
 - tempo.yaml
 - grafana-dashboards.yaml
 - network-policies-application.yaml
 - karpor.yaml
--- a/infra/base/loki.yaml
+++ b/infra/base/loki.yaml
@@ -40,3 +40,9 @@ spec:
    - CreateNamespace=true
    - Validate=true
    - ServerSideApply=true
  ignoreDifferences:
  - group: apps
    kind: StatefulSet
    jsonPointers:
    - /spec/volumeClaimTemplates
--- a/infra/base/network-policies-application.yaml
+++ b/infra/base/network-policies-application.yaml
@@ -1,33 +0,0 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: network-policies
  namespace: argocd
  labels:
    app.kubernetes.io/name: network-policies
    app.kubernetes.io/part-of: platform
    app.kubernetes.io/managed-by: argocd
  annotations:
    argocd.argoproj.io/sync-wave: "1"
  finalizers:
  - resources-finalizer.argocd.argoproj.io
 spec:
  project: default
  source:
    repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
    targetRevision: HEAD
    path: cluster-resources/network
  destination:
    server: https://kubernetes.default.svc
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
      allowEmpty: false
    syncOptions:
    - Validate=true
    - ServerSideApply=true
--- a/infra/base/tempo.yaml
+++ b/infra/base/tempo.yaml
@@ -40,3 +40,9 @@ spec:
    - CreateNamespace=true
    - Validate=true
    - ServerSideApply=true
  ignoreDifferences:
  - group: apps
    kind: StatefulSet
    jsonPointers:
    - /spec/volumeClaimTemplates
--- a/infra/values/base/argocd-values.yaml
+++ b/infra/values/base/argocd-values.yaml
@@ -2,25 +2,85 @@ configs:
  secret:
    createSecret: true
    argocdServerAdminPassword: "$2b$12$Tmb1jH7ADvwWoUoNPXXsfOf6JqEluqhq8mL06a8DGT2AP1GzbNsCm"
    # oidc.clientSecret managed by argocd-oidc-sync CronJob
    # (reads from argocd-oidc-credentials, patches argocd-secret)
  ssh:
    knownHosts: |
      [git.forteapps.net]:2222 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDTwi40de8yTGUuRT0i/XGicQ672BLhYR6D/lDquJrp/tdrWoZhVVPy0wxSkWsq1V92iiAUuQnXagOGsLBGZT9uDLWKvEmNDnCfjzTMq3J1iA3vk2rQ8WBlCzhvmeCV/r0ufl6vsgfwxSRomLZeqa2UkLHx69gy2Njb1S2/aZK1Q53f466hCUfDULZrTn2Nn5Sj8cEbJ8EyvVN2YG9HYBxQdzKRPZEmS1vyzmn8YrYIkZseIRQElabzWGh86owuaaqnwJhTJj1j2sEUeIet04sGKJcnxx2UL4H90N66LKMldmMiuli+ve/CjJmMwDl0zGkjIniT3XR8CyEXYHli7B1hR8Z+dbK6DBgjz+28lFgMIRY70KkZJNsJcBNZLZ5fHwCI13a9U3Uhg3Pu/6s0zlosM4CrAQNQCRe95ZPtCpdFhlGrOl4m1rdSK2meL6rND0TBBuZbaFF6Py7TawLCAiO2KRaVqhu9OFVjwJ/nifgLzFGwWj+WcYmpuR+DwozrF/Hl7QYsz1x4GO1SONY07KbIFkUCHOMAh0AELY5YE4eGI4mtG6SecdPaAdLREGZYK4IcyP5i1QW9g0wmfRSsV9jy+r0ivBxixxh4yJiNpkg6NXak40gQtGIme9EJ+DxrRLruNsfDILWcdSuH/wvuorv56NpQFGB0FzB6LXMloSYptQ==
  cm:
    application.resourceTrackingMethod: annotation
    timeout.reconciliation: 60s
-    admin.enabled: "true"
+    # Admin login disabled — SSO only. Break-glass: kubectl patch cm argocd-cm -n argocd -p '{"data":{"admin.enabled":"true"}}'
    admin.enabled: "false"
    url: https://argocd.forteapps.net
    oidc.config: |
      name: Forte SSO
      issuer: https://id.forteapps.net/realms/forte
      clientID: argocd
      clientSecret: $oidc.clientSecret
      requestedScopes: ["openid", "email", "profile"]
  rbac:
    # Base RBAC — org-wide roles shared across all clusters.
    # Per-cluster policies go in infra/values/<cluster>/argocd-values.yaml
    # as configs.rbac.policy.<cluster>.csv (ArgoCD concatenates all policy.*.csv keys)
    policy.csv: |
      # Platform administrators — full control
      g, ArgoCD Admins, role:admin
      # Read-only viewers — see all, change nothing
      g, ArgoCD Viewers, role:readonly
      # --- Per-team roles (scoped to default project app names) ---
      # Observability team — manage monitoring stack
      p, role:observability, applications, get, default/prometheus, allow
      p, role:observability, applications, get, default/loki, allow
      p, role:observability, applications, get, default/fluent-bit, allow
      p, role:observability, applications, get, default/tempo, allow
      p, role:observability, applications, get, default/grafana, allow
      p, role:observability, applications, get, default/grafana-dashboards, allow
      p, role:observability, applications, get, default/opencost, allow
      p, role:observability, applications, sync, default/prometheus, allow
      p, role:observability, applications, sync, default/loki, allow
      p, role:observability, applications, sync, default/fluent-bit, allow
      p, role:observability, applications, sync, default/tempo, allow
      p, role:observability, applications, sync, default/grafana, allow
      p, role:observability, applications, sync, default/grafana-dashboards, allow
      p, role:observability, applications, sync, default/opencost, allow
      p, role:observability, logs, get, default/*, allow
      g, Observability Team, role:observability
      # Dev tools team — manage gitea, renovate, karpor
      p, role:devtools, applications, get, default/gitea, allow
      p, role:devtools, applications, get, default/gitea-actions, allow
      p, role:devtools, applications, get, default/renovate, allow
      p, role:devtools, applications, get, default/karpor, allow
      p, role:devtools, applications, sync, default/gitea, allow
      p, role:devtools, applications, sync, default/gitea-actions, allow
      p, role:devtools, applications, sync, default/renovate, allow
      p, role:devtools, applications, sync, default/karpor, allow
      p, role:devtools, logs, get, default/*, allow
      g, Dev Tools Team, role:devtools
      # App developers — manage enterprise apps only
      p, role:app-dev, applications, get, default/enterprise-apps, allow
      p, role:app-dev, applications, sync, default/enterprise-apps, allow
      p, role:app-dev, applications, action, default/enterprise-apps, allow
      p, role:app-dev, logs, get, default/enterprise-apps, allow
      g, App Developers, role:app-dev
    # Deny users not in any declared KC group
    policy.default: ""
    scopes: '[groups]'
  params:
    "server.insecure": true
-repoServer:
+    "reposerver.enable.git.submodule": "false"
  env:
  # Disable git submodule checkout - submodules (e.g. shared-prompts)
  # are not needed for K8s manifest generation
  - name: ARGOCD_GIT_MODULES_ENABLED
    value: "false"
 server:
  ingress:
-    enabled: false
+    enabled: true
-    ingressClassName: nginx
+    ingressClassName: traefik
    annotations:
      cert-manager.io/cluster-issuer: letsencrypt-prod
    tls: true
  extraArgs:
  - --insecure
--- a/infra/values/base/keycloak-values.yaml
+++ b/infra/values/base/keycloak-values.yaml
@@ -132,6 +132,61 @@ keycloakConfigCli:
                }
              }
            ]
          },
          {
            "clientId": "argocd",
            "name": "ArgoCD",
            "enabled": true,
            "protocol": "openid-connect",
            "clientAuthenticatorType": "client-secret",
            "standardFlowEnabled": true,
            "directAccessGrantsEnabled": false,
            "publicClient": false,
            "redirectUris": ["https://argocd.forteapps.net/auth/callback"],
            "webOrigins": ["https://argocd.forteapps.net"],
            "attributes": {
              "k8s.secret.sync": "true",
              "k8s.secret.namespace": "argocd",
              "k8s.secret.name": "argocd-oidc-credentials",
              "k8s.secret.client-id-key": "client-id",
              "k8s.secret.client-secret-key": "client-secret"
            },
            "protocolMappers": [
              {
                "name": "groups",
                "protocol": "openid-connect",
                "protocolMapper": "oidc-group-membership-mapper",
                "config": {
                  "claim.name": "groups",
                  "full.path": "false",
                  "id.token.claim": "true",
                  "access.token.claim": "true",
                  "userinfo.token.claim": "true"
                }
              }
            ]
          }
        ],
        "groups": [
          {
            "name": "ArgoCD Admins",
            "path": "/ArgoCD Admins"
          },
          {
            "name": "ArgoCD Viewers",
            "path": "/ArgoCD Viewers"
          },
          {
            "name": "Observability Team",
            "path": "/Observability Team"
          },
          {
            "name": "Dev Tools Team",
            "path": "/Dev Tools Team"
          },
          {
            "name": "App Developers",
            "path": "/App Developers"
          }
        ]
      }
--- a/infra/values/upc-dev/argocd-values.yaml
+++ b/infra/values/upc-dev/argocd-values.yaml
@@ -1,5 +1,5 @@
 global:
-  domain: argocd.127.0.0.1.nip.io
+  domain: argocd.forteapps.net
 notifications:
  context:
    clusterName: "dev-fd-eu-no-svg1"
Author	SHA1	Message	Date
Danijel Simeunovic	85d150d3d4	rbac	2026-04-27 11:03:12 +02:00
Danijel Simeunovic	cc9c9049eb	ignore diff	2026-04-26 23:55:55 +02:00
Danijel Simeunovic	9f6c5105af	netpol all remove	2026-04-25 16:04:13 +02:00
Danijel Simeunovic	45e502d74d	argocd tls	2026-04-25 11:49:17 +02:00
		`@@ -0,0 +1,2 @@`
							`# Force LF line endings for shell scripts`
							`*.sh text eol=lf`