Files
homelab/cluster-config/components/acs-config/base/declarative-config.yaml

126 lines
4.3 KiB
YAML

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: declarative-configurations
namespace: stackrox
spec:
refreshInterval: 1h
secretStoreRef:
kind: ClusterSecretStore
name: doppler-cluster
target:
name: declarative-configurations
creationPolicy: Owner
template:
data:
keycloak-auth.yaml: |
name: keycloak
minimumRole: None
uiEndpoint: central-stackrox.${SUB_DOMAIN}:443
oidc:
issuer: https://keycloak.${SUB_DOMAIN}/realms/openshift
mode: auto
clientID: acs
clientSecret: {{ .keycloak_client_secret }}
disableOfflineAccessScope: true
groups:
- key: email
value: admin@ocplab.com
role: Admin
- key: email
value: clusteradmin@workshop-noreply.com
role: Admin
- key: email
value: gnunn+user1@redhat.com
role: Product Catalog Admins
openshift-auth.yaml: |
name: openshift
uiEndpoint: central-stackrox.${SUB_DOMAIN}:443
openshift:
enable: true
minimumRole: None
groups:
- key: name
value: admin
role: Admin
- key: groups
value: product-catalog-admins
role: Product Catalog Admins
product-catalog-access-scope.yaml: |
name: product-catalog-admins
description: Access rights for users that can manage Product Catalog namespaces
rules:
includedNamespaces:
- clusterName: home
namespaceName: product-catalog-dev
- clusterName: home
namespaceName: product-catalog-test
- clusterName: home
namespaceName: product-catalog-monitor
- clusterName: home
namespaceName: product-catalog-prod
- clusterName: home
namespaceName: product-catalog-cicd
- clusterName: home
namespaceName: product-catalog-gitops
namespace-admin-permission-set.yaml: |
name: Namespace Administrator
description: A user that is an administrator of one or namespaces across various clusters
resources:
- resource: Access
access: NO_ACCESS
- resource: Administration
access: NO_ACCESS
- resource: Alert
access: READ_ACCESS
- resource: CVE
access: READ_ACCESS
- resource: Cluster
access: READ_ACCESS
- resource: Compliance
access: READ_ACCESS
- resource: Deployment
access: READ_ACCESS
- resource: DeploymentExtension
access: READ_ACCESS
- resource: Detection
access: READ_ACCESS
- resource: Image
access: READ_ACCESS
- resource: Integration
access: NO_ACCESS
- resource: K8sRole
access: READ_ACCESS
- resource: K8sRoleBinding
access: READ_ACCESS
- resource: K8sSubject
access: READ_ACCESS
- resource: Namespace
access: READ_ACCESS
- resource: NetworkGraph
access: READ_ACCESS
- resource: NetworkPolicy
access: READ_ACCESS
- resource: Node
access: READ_ACCESS
- resource: Secret
access: READ_ACCESS
- resource: ServiceAccount
access: READ_ACCESS
- resource: WatchedImage
access: READ_WRITE_ACCESS
- resource: VulnerabilityManagementApprovals
access: READ_ACCESS
- resource: VulnerabilityManagementRequests
access: READ_WRITE_ACCESS
product-catalog-roles.yaml: |
name: Product Catalog Admins
description: Administrators of product catalog namespaces
permissionSet: Namespace Administrator
accessScope: product-catalog-admins
globalAccess: NO_ACCESS
data:
- secretKey: keycloak_client_secret
remoteRef:
key: ACS_KEYCLOAK_CLIENT_SECRET