Initial argo deployment
This commit is contained in:
30
cluster/platform/argocd/argocd-rbac-cm.yaml
Normal file
30
cluster/platform/argocd/argocd-rbac-cm.yaml
Normal file
@@ -0,0 +1,30 @@
|
||||
# ------------------------------------------------------------------------------
|
||||
# argocd-rbac-cm — RBAC Policy
|
||||
#
|
||||
# Maps Authentik groups to ArgoCD roles.
|
||||
# Groups must exist in Authentik and be assigned to users there.
|
||||
#
|
||||
# Roles:
|
||||
# role:admin — full access, all operations
|
||||
# role:readonly — read-only, can view but not sync/modify
|
||||
#
|
||||
# Single-user homelab: your user should be in argocd-admins in Authentik.
|
||||
# Add argocd-viewers later when you have guests/collaborators.
|
||||
# ------------------------------------------------------------------------------
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: argocd-rbac-cm
|
||||
namespace: argocd
|
||||
data:
|
||||
# Default policy for any authenticated user not in a mapped group
|
||||
# readonly is safe — they can see but not touch
|
||||
policy.default: role:readonly
|
||||
|
||||
policy.csv: |
|
||||
# Authentik group → ArgoCD role mappings
|
||||
g, argocd-admins, role:admin
|
||||
g, argocd-viewers, role:readonly
|
||||
|
||||
# Tell ArgoCD which OIDC claims to use for group mapping
|
||||
scopes: '[groups, email]'
|
||||
Reference in New Issue
Block a user