villisco / argocd-projects

Example ArgoCD setup with self syncing (2/3)


argocd-projects

This is an EXAMPLE(!) ArgoCD Projects (kind: AppProject) repository.
The ArgoCD application named "projects" (kind: Application) AUTO syncs these files!

Kustomize is used to patch the base files with environment-specific configs.
For local testing, get the kustomize tool from https://kustomize.io

NB! Only ArgoCD admins should be allowed to manage this repository!

Linked repositories

Splitting up the repositories provides the option to manage permissions separately.

Repository structure

argocd-projects
├── README.md
├── base
│   ├── kustomization.yaml
│   └── projects/
│       └── project1.yaml            <!--- shared part of the project manifest for all envs
└── overlays
    ├── dev                          <!--- kubernetes cluster
    │   ├── kustomization.yaml
    │   └── projects
    │       └── project1.yaml        <!--- patch over base project with env specific conf
    ├── live
    │   └── ...
    └── test
        └── ...

Projects

A Project is a logical way of grouping Applications together in ArgoCD.
All Applications (kind: Application) must belong to a Project (kind: AppProject)!

Projects provide the following features:

  • restrict what may be deployed (trusted repositories)
  • restrict where apps may be deployed to (destination clusters and namespaces)
  • restrict what kinds of resources may or may not be deployed (e.g., RBAC, CRDs, DaemonSets, NetworkPolicy etc…)
  • define project roles to provide application RBAC (bound to OIDC groups and/or JWT tokens)
  • define when application(s) are allowed to be synced with "Sync Windows"

Please define all new user Applications in the argocd-apps repository!

RBAC permissions

RBAC permission structure:

p, <role/user/group>, <resource>, <action>, <appproject>/<object>, allow|deny

PS. Under a project the subject is: p, proj:<project-name>:<role-name>

Possible resources:

clusters, projects, applications, applicationsets, repositories, certificates, accounts, gpgkeys, logs, exec, extensions

NB! Roles under a project inherit the restrictions configured on the Project: you cannot grant permissions outside the Project's allowed scope!

Possible actions:

get, create, update, delete, sync, override, action/<group/kind/action-name>

Defining roles in Project

Define permissions under a role and map the role to a group.

Example:

apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
  name: my-project
spec:
  roles:
    - name: read-only
      description: Read-only privileges to all apps in project
      policies:
        - p, proj:my-project:read-only, applications, get, my-project/*, allow
      groups:
        # add this group to users in keycloak
        - my-project_read-only
    - name: developer
      description: Developer privileges to all apps in project
      policies:
        # allow all app actions except delete & create
        - p, proj:my-project:developer, applications, *, my-project/*, allow
        - p, proj:my-project:developer, applications, delete, my-project/*, deny
        - p, proj:my-project:developer, applications, create, my-project/*, deny
        # allow viewing project
        - p, proj:my-project:developer, projects, get, my-project/*, allow
        # allow viewing projects repositories
        - p, proj:my-project:developer, repositories, get, my-project/*, allow
        # allow viewing pod logs
        - p, proj:my-project:developer, logs, get, my-project/*, allow
        # do not allow exec into pods
        - p, proj:my-project:developer, exec, create, my-project/*, deny
      groups:
        # add this group to users in keycloak
        - my-project_developer

NB! After defining the roles, you can add the groups (my-project_read-only, my-project_developer) to selected users in the Keycloak "argocd" realm!
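As an added illustration (not code from this repository or from ArgoCD itself), the following Python models the two rules the example above relies on: a project role's policies must stay inside its own project (subject proj:<project>:<role>, object under <project>/), and at evaluation time one matching deny overrides any matching allow, which is what lets the developer role combine a wildcard allow with explicit denies for delete, create and exec. The glob matching and validation are a simplified reimplementation, not ArgoCD's casbin model.

```python
from fnmatch import fnmatchcase
import re

RESOURCES = {"clusters", "projects", "applications", "applicationsets", "repositories",
             "certificates", "accounts", "gpgkeys", "logs", "exec", "extensions"}

def parse_policy(policy):
    """Split 'p, subject, resource, action, object, effect' into its fields."""
    parts = [p.strip() for p in policy.split(",")]
    if len(parts) != 6 or parts[0] != "p":
        raise ValueError(f"policy needs 6 comma-separated fields: {policy!r}")
    return tuple(parts[1:])

def validate_project_policy(project, role, policy):
    """Reject rules a project role may not carry: the subject must be
    proj:<project>:<role> and the object must live under <project>/."""
    subject, resource, _action, obj, effect = parse_policy(policy)
    if subject != f"proj:{project}:{role}":
        raise ValueError(f"subject must be proj:{project}:{role}, got {subject}")
    if resource not in RESOURCES:
        raise ValueError(f"unknown resource {resource!r}")
    if not re.fullmatch(rf"{re.escape(project)}/[*\w.-]+", obj):
        raise ValueError(f"object {obj!r} is outside project {project!r}")
    if effect not in ("allow", "deny"):
        raise ValueError(f"effect must be allow|deny, got {effect!r}")

def is_allowed(policies, subject, resource, action, obj):
    """Deny-overrides: pass only if some matching rule allows and none denies."""
    allowed = False
    for policy in policies:
        p_sub, p_res, p_act, p_obj, effect = parse_policy(policy)
        fields = ((resource, p_res), (action, p_act), (obj, p_obj))
        if p_sub != subject or not all(fnmatchcase(v, pat) for v, pat in fields):
            continue
        if effect == "deny":
            return False  # one matching deny beats any number of allows
        allowed = True
    return allowed

# The developer role's rules from the AppProject example above (simplified model)
DEVELOPER = "proj:my-project:developer"
DEVELOPER_POLICIES = [
    f"p, {DEVELOPER}, applications, *, my-project/*, allow",
    f"p, {DEVELOPER}, applications, delete, my-project/*, deny",
    f"p, {DEVELOPER}, applications, create, my-project/*, deny",
    f"p, {DEVELOPER}, projects, get, my-project/*, allow",
    f"p, {DEVELOPER}, repositories, get, my-project/*, allow",
    f"p, {DEVELOPER}, logs, get, my-project/*, allow",
    f"p, {DEVELOPER}, exec, create, my-project/*, deny",
]
```

Run validate_project_policy over every rule of a role before committing a project manifest; an object outside the project or a mistyped subject is rejected here instead of silently granting nothing (or too much) after sync.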

Keycloak realm

Create ArgoCD groups with the same names there (see the permissions example).
Add users to these groups to give them permissions in ArgoCD.

ArgoCD docs
