Merge commit 'fe564d72279f4ab061b961dd528623f0ed272667' as 'cluster-config'
This commit is contained in:
@@ -0,0 +1,125 @@
|
||||
apiVersion: external-secrets.io/v1beta1
|
||||
kind: ExternalSecret
|
||||
metadata:
|
||||
name: declarative-configurations
|
||||
namespace: stackrox
|
||||
spec:
|
||||
refreshInterval: 1h
|
||||
secretStoreRef:
|
||||
kind: ClusterSecretStore
|
||||
name: doppler-cluster
|
||||
target:
|
||||
name: declarative-configurations
|
||||
creationPolicy: Owner
|
||||
template:
|
||||
data:
|
||||
keycloak-auth.yaml: |
|
||||
name: keycloak
|
||||
minimumRole: None
|
||||
uiEndpoint: central-stackrox.${SUB_DOMAIN}:443
|
||||
oidc:
|
||||
issuer: https://keycloak.${SUB_DOMAIN}/realms/openshift
|
||||
mode: auto
|
||||
clientID: acs
|
||||
clientSecret: {{ .keycloak_client_secret }}
|
||||
disableOfflineAccessScope: true
|
||||
groups:
|
||||
- key: email
|
||||
value: admin@ocplab.com
|
||||
role: Admin
|
||||
- key: email
|
||||
value: clusteradmin@workshop-noreply.com
|
||||
role: Admin
|
||||
- key: email
|
||||
value: gnunn+user1@redhat.com
|
||||
role: Product Catalog Admins
|
||||
openshift-auth.yaml: |
|
||||
name: openshift
|
||||
uiEndpoint: central-stackrox.${SUB_DOMAIN}:443
|
||||
openshift:
|
||||
enable: true
|
||||
minimumRole: None
|
||||
groups:
|
||||
- key: name
|
||||
value: admin
|
||||
role: Admin
|
||||
- key: groups
|
||||
value: product-catalog-admins
|
||||
role: Product Catalog Admins
|
||||
product-catalog-access-scope.yaml: |
|
||||
name: product-catalog-admins
|
||||
description: Access rights for users that can manage Product Catalog namespaces
|
||||
rules:
|
||||
includedNamespaces:
|
||||
- clusterName: home
|
||||
namespaceName: product-catalog-dev
|
||||
- clusterName: home
|
||||
namespaceName: product-catalog-test
|
||||
- clusterName: home
|
||||
namespaceName: product-catalog-monitor
|
||||
- clusterName: home
|
||||
namespaceName: product-catalog-prod
|
||||
- clusterName: home
|
||||
namespaceName: product-catalog-cicd
|
||||
- clusterName: home
|
||||
namespaceName: product-catalog-gitops
|
||||
namespace-admin-permission-set.yaml: |
|
||||
name: Namespace Administrator
|
||||
description: A user that is an administrator of one or namespaces across various clusters
|
||||
resources:
|
||||
- resource: Access
|
||||
access: NO_ACCESS
|
||||
- resource: Administration
|
||||
access: NO_ACCESS
|
||||
- resource: Alert
|
||||
access: READ_ACCESS
|
||||
- resource: CVE
|
||||
access: READ_ACCESS
|
||||
- resource: Cluster
|
||||
access: READ_ACCESS
|
||||
- resource: Compliance
|
||||
access: READ_ACCESS
|
||||
- resource: Deployment
|
||||
access: READ_ACCESS
|
||||
- resource: DeploymentExtension
|
||||
access: READ_ACCESS
|
||||
- resource: Detection
|
||||
access: READ_ACCESS
|
||||
- resource: Image
|
||||
access: READ_ACCESS
|
||||
- resource: Integration
|
||||
access: NO_ACCESS
|
||||
- resource: K8sRole
|
||||
access: READ_ACCESS
|
||||
- resource: K8sRoleBinding
|
||||
access: READ_ACCESS
|
||||
- resource: K8sSubject
|
||||
access: READ_ACCESS
|
||||
- resource: Namespace
|
||||
access: READ_ACCESS
|
||||
- resource: NetworkGraph
|
||||
access: READ_ACCESS
|
||||
- resource: NetworkPolicy
|
||||
access: READ_ACCESS
|
||||
- resource: Node
|
||||
access: READ_ACCESS
|
||||
- resource: Secret
|
||||
access: READ_ACCESS
|
||||
- resource: ServiceAccount
|
||||
access: READ_ACCESS
|
||||
- resource: WatchedImage
|
||||
access: READ_WRITE_ACCESS
|
||||
- resource: VulnerabilityManagementApprovals
|
||||
access: READ_ACCESS
|
||||
- resource: VulnerabilityManagementRequests
|
||||
access: READ_WRITE_ACCESS
|
||||
product-catalog-roles.yaml: |
|
||||
name: Product Catalog Admins
|
||||
description: Administrators of product catalog namespaces
|
||||
permissionSet: Namespace Administrator
|
||||
accessScope: product-catalog-admins
|
||||
globalAccess: NO_ACCESS
|
||||
data:
|
||||
- secretKey: keycloak_client_secret
|
||||
remoteRef:
|
||||
key: ACS_KEYCLOAK_CLIENT_SECRET
|
||||
Reference in New Issue
Block a user