From 5794da087d71b1f9f94ac04fc497aefaa039f96e Mon Sep 17 00:00:00 2001
From: friedrich goerz
Date: Fri, 13 Jan 2023 17:25:18 +0100
Subject: [PATCH 1/6] DEV-796: pimped policy.csv for mobene-DEV in argocd
---
 values.yaml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/values.yaml b/values.yaml
index 420768b..dd1124d 100644
--- a/values.yaml
+++ b/values.yaml
@@ -18,8 +18,12 @@ bootstrap:
 rbacConfig:
 policy.default: role:readonly
 policy.csv: |
+ p, role:mobene-devs, projects, get, mobene, allow
+ p, role:mobene-devs, applications, sync, mobene/*, allow
+ p, role:mobene-devs, logs, get, mobene/*, allow
 g, admin, role:admin
 g, argocd-admins, role:admin
+ g, mobenedevs, role:mobene-devs
 stage: prodwork01
 domain: smardigo.digital
From 43de72cab473af32ca91131827ae47da383affb4 Mon Sep 17 00:00:00 2001
From: friedrich goerz
Date: Fri, 13 Jan 2023 18:51:13 +0100
Subject: [PATCH 2/6] DEV-796: doing argocd RBAC stuff
---
 clusterspecifics/appprojects/mobene.yaml | 25 ++++++++++++++++++++++++
 values.yaml | 3 ---
 2 files changed, 25 insertions(+), 3 deletions(-)
diff --git a/clusterspecifics/appprojects/mobene.yaml b/clusterspecifics/appprojects/mobene.yaml
index 0ef5d3b..dd2afeb 100644
--- a/clusterspecifics/appprojects/mobene.yaml
+++ b/clusterspecifics/appprojects/mobene.yaml
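Review bot: The three added `p,` lines grant role:mobene-devs little that the unchanged `policy.default: role:readonly` two lines above does not already give every authenticated SSO user — `projects get` (and on recent releases `logs get`) is part of the built-in readonly role — so the only effective addition is `applications sync` on `mobene/*`, while the mobenedevs group keeps read access to every other project, application and repository. If the aim is to confine that group to the mobene project, the default role has to be emptied (`policy.default: ''`) and the needed `get` grants listed explicitly, which is what patch 6/6 of this series eventually does. The `g, mobenedevs, role:mobene-devs` line binds a Keycloak group name delivered through the `groups` claim, and that dependency is worth a YAML comment above `rbacConfig:`, e.g. `# mobenedevs = Keycloak group (requires the groups scope); meant to be scoped to AppProject mobene only`.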
@@ -34,3 +34,28 @@ spec:
 server: https://kubernetes.default.svc
 - namespace: mobene-keycloak
 server: https://kubernetes.default.svc
+
+ roles:
+ - description: Group to developers to deploy on DEV environment
+ groups:
+ - mobenedevs
+ name: mobene-devs
+ policies:
+ - >-
+ p, proj:mobene:mobenedevs, applications, get,
+ mobene/*, allow
+ - >-
+ p, proj:mobene:mobenedevs, applications, create,
+ mobene/*, deny
+ - >-
+ p, proj:mobene:mobenedevs, applications, update,
+ mobene/*, deny
+ - >-
+ p, proj:mobene:mobenedevs, applications, delete,
+ mobene/*, deny
+ - >-
+ p, proj:mobene:mobenedevs, applications, sync,
+ mobene/*, allow
+ - >-
+ p, proj:mobene:mobenedevs, applications, override,
+ mobene/*, deny
diff --git a/values.yaml b/values.yaml
index dd1124d..c9ac581 100644
--- a/values.yaml
+++ b/values.yaml
@@ -18,9 +18,6 @@ bootstrap:
 rbacConfig:
 policy.default: role:readonly
 policy.csv: |
- p, role:mobene-devs, projects, get, mobene, allow
- p, role:mobene-devs, applications, sync, mobene/*, allow
- p, role:mobene-devs, logs, get, mobene/*, allow
 g, admin, role:admin
 g, argocd-admins, role:admin
 g, mobenedevs, role:mobene-devs
From 02bc32893f0bad945eede1a62b2faa035cddd1ac Mon Sep 17 00:00:00 2001
From: friedrich goerz
Date: Mon, 16 Jan 2023 16:50:21 +0100
Subject: [PATCH 3/6] DEV-752: inc.dep.cahrt version due to needed hcloud-lb-annotation
---
 Chart.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Chart.yaml b/Chart.yaml
index dbf1460..2e583a1 100644
--- a/Chart.yaml
+++ b/Chart.yaml
@@ -25,5 +25,5 @@ appVersion: "0.1.1"
 dependencies:
 - name: bootstrap
- version: 0.1.45
+ version: 0.1.46
 repository: oci://prodnso-harbor-01.smardigo.digital/infrastructure
From 702786fe774f939009e2bb02b63be0b8262d3878 Mon Sep 17 00:00:00 2001
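Review bot: All six policy subjects in the new `roles:` entry read `proj:mobene:mobenedevs` while the role itself is `name: mobene-devs`; Argo CD expects project-role policies to carry the subject `proj:<project>:<role name>`, so these lines either fail AppProject validation or, if the CR is applied directly, attach to no role and the mobenedevs group ends up with an empty role. Each policy should read like `p, proj:mobene:mobene-devs, applications, get, mobene/*, allow`, with the same subject on the other five. The `g, mobenedevs, role:mobene-devs` line that the second hunk of this patch leaves in values.yaml now points at a global role with no `p` line at all, so it grants nothing and can go, since group membership for a project role is declared by `groups:` here. The explicit `deny` lines are redundant while no other role grants create/update/delete/override, but they document intent and are harmless.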
From: friedrich goerz
Date: Thu, 19 Jan 2023 14:22:52 +0100
Subject: [PATCH 4/6] DEV-788: changed keycloak URL ... maybe it hasn't worked before or it doesn't work anymore due to keycloak update
---
 values.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/values.yaml b/values.yaml
index c9ac581..dfe6935 100644
--- a/values.yaml
+++ b/values.yaml
@@ -11,7 +11,7 @@ bootstrap:
 config:
 oidcConfig:
 name: sso
- issuer: "https://prodwork01-keycloak-01-keycloak.smardigo.digital/auth/realms/infrastructure"
+ issuer: "https://prodwork01-keycloak-01.smardigo.digital/auth/realms/infrastructure"
 clientID: "argocd"
 clientSecret: $oidc.keycloak.clientSecret
 requestedScopes: ["openid", "profile", "email", "groups"]
@@ -48,7 +48,7 @@ bootstrap:
 iam:
 secret_name_keycloak_creds: iam-keycloak-creds
 envvars:
- iam_keycloak_auth_server_url: "https://prodwork01-keycloak-01-keycloak.smardigo.digital/auth/"
+ iam_keycloak_auth_server_url: "https://prodwork01-keycloak-01.smardigo.digital/auth/"
 prometheus:
 retention: 30d
From ced3516ffc9d6e04ebaf73f727e56c9737962e63 Mon Sep 17 00:00:00 2001
From: friedrich goerz
Date: Thu, 19 Jan 2023 16:30:12 +0100
Subject: [PATCH 5/6] DEV-788: rollback changed keycloak url
---
 values.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/values.yaml b/values.yaml
index dfe6935..c9ac581 100644
--- a/values.yaml
+++ b/values.yaml
@@ -11,7 +11,7 @@ bootstrap:
 config:
 oidcConfig:
 name: sso
- issuer: "https://prodwork01-keycloak-01.smardigo.digital/auth/realms/infrastructure"
+ issuer: "https://prodwork01-keycloak-01-keycloak.smardigo.digital/auth/realms/infrastructure"
 clientID: "argocd"
 clientSecret: $oidc.keycloak.clientSecret
 requestedScopes: ["openid", "profile", "email", "groups"]
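Review bot: The new `issuer` value is only correct if it matches byte-for-byte the `iss` claim Keycloak puts into its ID tokens and serves the discovery document at `<issuer>/.well-known/openid-configuration`; the subject line of this patch says it is unknown whether either host works, and patch 5/6 reverts the change, so that check belongs in the PR before the live values file is edited. The same host is changed by hand a second time in the `@@ -48,7 +48,7 @@` hunk (`iam_keycloak_auth_server_url` under `envvars:`), so the two values can drift apart silently. A comment on the `issuer` line would at least tie them together, e.g. `# must equal the iss claim of the infrastructure realm; keep in sync with iam_keycloak_auth_server_url below`.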
@@ -48,7 +48,7 @@ bootstrap:
 iam:
 secret_name_keycloak_creds: iam-keycloak-creds
 envvars:
- iam_keycloak_auth_server_url: "https://prodwork01-keycloak-01.smardigo.digital/auth/"
+ iam_keycloak_auth_server_url: "https://prodwork01-keycloak-01-keycloak.smardigo.digital/auth/"
 prometheus:
 retention: 30d
From 6aa96049c7b65f6f540052d11a56dab0c31a8b7a Mon Sep 17 00:00:00 2001
From: friedrich goerz
Date: Fri, 20 Jan 2023 17:08:31 +0100
Subject: [PATCH 6/6] DEV-796: added argocd-rbac stuff to restrict mobene-access
---
 clusterspecifics/appprojects/mobene.yaml | 25 ------------------------
 values.yaml | 8 ++++++--
 2 files changed, 6 insertions(+), 27 deletions(-)
diff --git a/clusterspecifics/appprojects/mobene.yaml b/clusterspecifics/appprojects/mobene.yaml
index dd2afeb..0ef5d3b 100644
--- a/clusterspecifics/appprojects/mobene.yaml
+++ b/clusterspecifics/appprojects/mobene.yaml
@@ -34,28 +34,3 @@ spec:
 server: https://kubernetes.default.svc
 - namespace: mobene-keycloak
 server: https://kubernetes.default.svc
-
- roles:
- - description: Group to developers to deploy on DEV environment
- groups:
- - mobenedevs
- name: mobene-devs
- policies:
- - >-
- p, proj:mobene:mobenedevs, applications, get,
- mobene/*, allow
- - >-
- p, proj:mobene:mobenedevs, applications, create,
- mobene/*, deny
- - >-
- p, proj:mobene:mobenedevs, applications, update,
- mobene/*, deny
- - >-
- p, proj:mobene:mobenedevs, applications, delete,
- mobene/*, deny
- - >-
- p, proj:mobene:mobenedevs, applications, sync,
- mobene/*, allow
- - >-
- p, proj:mobene:mobenedevs, applications, override,
- mobene/*, deny
diff --git a/values.yaml b/values.yaml
index c9ac581..f0eee71 100644
--- a/values.yaml
+++ b/values.yaml
@@ -16,11 +16,15 @@ bootstrap:
 clientSecret: $oidc.keycloak.clientSecret
 requestedScopes: ["openid", "profile", "email", "groups"]
 rbacConfig:
- policy.default: role:readonly
+ policy.default: ''
 policy.csv: |
 g, admin, role:admin
 g, argocd-admins, role:admin
- g, mobenedevs, role:mobene-devs
+ g, mobenedevs, role:mobene-users
+ p, role:mobene-users, project, get, mobene, allow
+ p, role:mobene-users, applications, get, mobene/*, allow
+ p, role:mobene-users, applications, sync, mobene/*, allow
+ p, role:mobene-users, repositories, get, *, allow
 stage: prodwork01
 domain: smardigo.digital
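Review bot: `project` on the first added `p,` line is not an Argo CD RBAC resource name — the resource is `projects`, as patch 1/6 of this series spelled it — so now that `policy.default` is emptied the mobene-users role gets no read access to the mobene project at all; the line should be `p, role:mobene-users, projects, get, mobene, allow`. `repositories, get, *` is cluster-wide: the repository object in Argo CD RBAC is the repository URL, not a project, so this exposes every registered repository entry to the group, and if only the mobene repositories are needed their URLs should be listed instead of `*`. `policy.default: ''` is the line that actually removes the implicit readonly role from every SSO user and deserves a YAML comment above `rbacConfig:`, e.g. `# no default role: SSO users only get what the g/p lines below grant`. An `argocd admin settings rbac can role:mobene-users get projects mobene` dry-run against the rendered policy would have caught the typo, since a syntax-only validation may not flag an unknown resource name.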