DEV-796: added argocd-rbac stuff to restrict mobene-access

clusterspecifics/appprojects/mobene.yaml

@@ -34,28 +34,3 @@ spec:
     server: https://kubernetes.default.svc
   - namespace: mobene-keycloak
     server: https://kubernetes.default.svc
-
-  roles:
-    - description: Group to developers to deploy on DEV environment
-      groups:
-        - mobenedevs
-      name: mobene-devs
-      policies:
-        - >-
-          p, proj:mobene:mobenedevs, applications, get,
-          mobene/*, allow
-        - >-
-          p, proj:mobene:mobenedevs, applications, create,
-          mobene/*, deny
-        - >-
-          p, proj:mobene:mobenedevs, applications, update,
-          mobene/*, deny
-        - >-
-          p, proj:mobene:mobenedevs, applications, delete,
-          mobene/*, deny
-        - >-
-          p, proj:mobene:mobenedevs, applications, sync,
-          mobene/*, allow
-        - >-
-          p, proj:mobene:mobenedevs, applications, override,
-          mobene/*, deny

values.yaml

@@ -16,11 +16,15 @@ bootstrap:
           clientSecret: $oidc.keycloak.clientSecret
           requestedScopes: ["openid", "profile", "email", "groups"]
       rbacConfig:
-        policy.default: role:readonly
+        policy.default: ''
         policy.csv: |
           g, admin, role:admin
           g, argocd-admins, role:admin
-          g, mobenedevs, role:mobene-devs
+          g, mobenedevs, role:mobene-users
+          p, role:mobene-users, project, get, mobene, allow
+          p, role:mobene-users, applications, get, mobene/*, allow
+          p, role:mobene-users, applications, sync, mobene/*, allow
+          p, role:mobene-users, repositories, get, *, allow
 
   stage: prodwork01
   domain: smardigo.digital