moving to sealed secrets
Signed-off-by: greg pereira <grpereir@redhat.com>
Gregory-Pereira committed Oct 25, 2024
1 parent fdb130f commit e40cc03
Showing 22 changed files with 170 additions and 262 deletions.
13 changes: 0 additions & 13 deletions argocd/overlays/applicaitons/sealed-secrets.yaml

This file was deleted.

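--- a/argocd/overlays/configs/argo_cm/envs
+++ b/argocd/overlays/configs/argo_cm/envs
@@ -0,0 +1,3 @@
+admin.enabled=true
+kustomize.buildOptions=--enable-alpha-plugins
+users.anonymous.enabled=false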
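Review bot: `admin.enabled=true` keeps the built-in local admin account usable alongside the group-based admin binding that policy.csv adds in this commit, so a shared password login remains that does not depend on OpenShift group membership. If group login is the intended path, set `admin.enabled=false` once that login is verified. `kustomize.buildOptions=--enable-alpha-plugins` applies to every kustomize build on the instance, including sources admitted by the wildcard `sourceRepos` in projects/ilab.yaml; recording which plugin needs it (in the file or the commit description) would make that exposure reviewable.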
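--- a/argocd/overlays/configs/argo_cm_rbac/argocd_admins_group.yaml
+++ b/argocd/overlays/configs/argo_cm_rbac/argocd_admins_group.yaml
@@ -0,0 +1,7 @@
+apiVersion: user.openshift.io/v1
+kind: Group
+metadata:
+name: argocd-admins
+users:
+- IAM#avishnoi@redhat.com
+- IAM#grpereir@redhat.com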
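Review bot: The two entries under `users:` become Argo CD administrators, because policy.csv in this commit binds `argocd-admins` to `role:admin`, yet nothing in this file says so. Add a header comment such as `# Members receive Argo CD role:admin via argo_cm_rbac/policy.csv; membership changes need owner review.` so that an edit here is read as a privilege grant. The names presumably have to match the cluster's User objects exactly, including the `IAM#` prefix; if they do not, the binding grants nothing and the failure is silent.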
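--- a/argocd/overlays/configs/argo_cm_rbac/policy.csv
+++ b/argocd/overlays/configs/argo_cm_rbac/policy.csv
@@ -0,0 +1,9 @@
+# Define a standard user template that has read access to argocd resources
+p, role:standard-user, certificates, get, *, allow
+p, role:standard-user, clusters, get, *, allow
+p, role:standard-user, repositories, get, *, allow
+p, role:standard-user, projects, get, *, allow
+p, role:standard-user, accounts, get, *, allow
+
+# Give Openshift group (argocd-admins) the argocd admin role with unrestricted argocd access
+g, argocd-admins, role:admin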
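Review bot: `role:standard-user` is defined on the five `p,` lines but no `g,` line binds any user or group to it, so those rules never take effect. The built-in `role:readonly` that policy.default selects already grants the same `get` permissions, so either bind the role (`g, GROUP_PLACEHOLDER, role:standard-user`) or drop the lines to keep the policy auditable. The comment above the admin binding could also name where membership is controlled, for example `# argocd-admins is defined in argocd_admins_group.yaml; membership there grants role:admin`.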
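--- a/argocd/overlays/configs/argo_cm_rbac/policy.default
+++ b/argocd/overlays/configs/argo_cm_rbac/policy.default
@@ -0,0 +1 @@
+role:readonly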
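--- a/argocd/overlays/configs/kustomization.yaml
+++ b/argocd/overlays/configs/kustomization.yaml
@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- argo_cm/envs
+- argo_cm_rbac/policy.csv
+- argo_cm_rbac/policy.default
+- argo_cm_rbac/argocd_admins_group.yaml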
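Review bot: Three of the four `resources:` entries (`argo_cm/envs`, `argo_cm_rbac/policy.csv`, `argo_cm_rbac/policy.default`) are not Kubernetes manifests, so kustomize cannot load them as resources and the build is likely to fail or leave these settings unapplied. That matters here because `users.anonymous.enabled=false` and the `role:readonly` default are access controls that would silently not land. Judging by the directory names they are meant for the `argocd-cm` and `argocd-rbac-cm` ConfigMaps, and a `configMapGenerator` is the usual way to feed such files in. Whether the generated ConfigMaps should merge with ones managed elsewhere (for example by the GitOps operator) cannot be told from this page.

```yaml
resources:
  - argo_cm_rbac/argocd_admins_group.yaml
# settings files become ConfigMap data instead of resources
generatorOptions:
  disableNameSuffixHash: true
configMapGenerator:
  - name: argocd-cm
    namespace: openshift-gitops
    envs:
      - argo_cm/envs
  - name: argocd-rbac-cm
    namespace: openshift-gitops
    files:
      - argo_cm_rbac/policy.csv
      - argo_cm_rbac/policy.default
```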
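--- a/argocd/overlays/projects/ilab.yaml
+++ b/argocd/overlays/projects/ilab.yaml
@@ -0,0 +1,89 @@
+apiVersion: argoproj.io/v1alpha1
+kind: AppProject
+metadata:
+name: ilab
+namespace: openshift-gitops
+spec:
+destinations:
+- namespace: '*'
+server: '*'
+namespaceResourceWhitelist:
+- group: argoproj.io
+kind: Application
+- group: logging.openshift.io
+kind: ClusterLogging
+- group: external-secrets.io
+kind: ExternalSecret
+- group: ''
+kind: Binding
+- group: ''
+kind: ConfigMap
+- group: ''
+kind: Endpoints
+- group: ''
+kind: Event
+- group: ''
+kind: LimitRange
+- group: ''
+kind: PersistentVolumeClaim
+- group: ''
+kind: Pod
+- group: ''
+kind: ReplicationController
+- group: ''
+kind: ResourceQuota
+- group: ''
+kind: Secret
+- group: ''
+kind: ServiceAccount
+- group: ''
+kind: Service
+- group: apps
+kind: ControllerRevision
+- group: apps
+kind: DaemonSet
+- group: apps
+kind: Deployment
+- group: apps
+kind: ReplicaSet
+- group: apps
+kind: StatefulSet
+- group: apps.openshift.io
+kind: DeploymentConfig
+- group: argoproj.io
+kind: CronWorkflow
+- group: argoproj.io
+kind: Workflow
+- group: argoproj.io
+kind: WorkflowTemplate
+- group: authorization.openshift.io
+kind: RoleBindingRestriction
+- group: authorization.openshift.io
+kind: RoleBinding
+- group: authorization.openshift.io
+kind: Role
+- group: autoscaling
+kind: HorizontalPodAutoscaler
+- group: batch
+kind: CronJob
+- group: batch
+kind: Job
+- group: build.openshift.io
+kind: BuildConfig
+- group: build.openshift.io
+kind: Build
+roles:
+- description: Read/Write access to this project only
+groups:
+- argocd-admins
+name: project-admin
+policies:
+- 'p, proj:ilab:project-admin, applications, get, ilab/*, allow'
+- 'p, proj:ilab:project-admin, applications, create, ilab/*, allow'
+- 'p, proj:ilab:project-admin, applications, update, ilab/*, allow'
+- 'p, proj:ilab:project-admin, applications, delete, ilab/*, allow'
+- 'p, proj:ilab:project-admin, applications, sync, ilab/*, allow'
+- 'p, proj:ilab:project-admin, applications, override, ilab/*, allow'
+- 'p, proj:ilab:project-admin, applications, action/*, ilab/*, allow'
+sourceRepos:
+- '*'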
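Review bot: The project is scoped with wildcards on every axis (`destinations` with `namespace: '*'` and `server: '*'`, plus `sourceRepos: '*'`) while the whitelist admits `Secret`, `ServiceAccount`, `Role` and `RoleBinding`, so an application in this project can take manifests from any repository and apply them to any namespace of any registered cluster, which contradicts the role description "this project only". Narrow the scope to what the project actually uses: under `destinations`, the namespace set in deploy/k8s/base with `server: https://kubernetes.default.svc` if the target is the local cluster, and under `sourceRepos` a single entry `- REPO_URL_PLACEHOLDER` (the repository URL is not on this page). The whitelist also lists `external-secrets.io`/`ExternalSecret` but no SealedSecret kind; if the move named in the commit title means SealedSecret objects will sync through this project, they would presumably be rejected.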
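--- a/argocd/overlays/projects/kustomization.yaml
+++ b/argocd/overlays/projects/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ilab.yaml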
46 changes: 0 additions & 46 deletions argocd/sealed-secrets/clusterrole.yaml

This file was deleted.

15 changes: 0 additions & 15 deletions argocd/sealed-secrets/clusterrolebinding.yaml

This file was deleted.

63 changes: 0 additions & 63 deletions argocd/sealed-secrets/deployment.yaml

This file was deleted.

10 changes: 0 additions & 10 deletions argocd/sealed-secrets/kustomization.yaml

This file was deleted.

45 changes: 0 additions & 45 deletions argocd/sealed-secrets/role.yaml

This file was deleted.

33 changes: 0 additions & 33 deletions argocd/sealed-secrets/rolebinding.yaml

This file was deleted.

15 changes: 0 additions & 15 deletions argocd/sealed-secrets/service.yaml

This file was deleted.

8 changes: 0 additions & 8 deletions argocd/sealed-secrets/serviceaccount.yaml

This file was deleted.

2 changes: 1 addition & 1 deletion deploy/k8s/base/kustomization.yaml
@@ -1,6 +1,6 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: instructlab
namespace: instructlab-test
resources:
- namespace.yaml
- ui
2 changes: 1 addition & 1 deletion deploy/k8s/base/namespace.yaml
@@ -1,4 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: instructlab
name: instructlab-test