From fb25dc82997a5ca0c906f3bfa4988c8888f45ed3 Mon Sep 17 00:00:00 2001
From: HDW
Date: Wed, 3 Jun 2026 20:50:05 +0200
Subject: [PATCH] feat: ArgoCD extern erreichbar + RBAC-Grundkonfiguration
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Ingress via Traefik auf argocd.unreg-hdw.de mit Let's Encrypt, insecure-Mode für TLS-Terminierung durch Traefik, lokale User und RBAC-Vorlage (role:readonly).
Co-Authored-By: Claude Sonnet 4.6
---
infrastructure/argocd/argocd-config.yaml | 7 ++++++
infrastructure/argocd/argocd-ingress.yaml | 26 +++++++++++++++++++++++
infrastructure/argocd/argocd-rbac.yaml | 18 ++++++++++++++++
infrastructure/argocd/argocd-users.yaml | 9 ++++++++
4 files changed, 60 insertions(+)
create mode 100644 infrastructure/argocd/argocd-config.yaml
create mode 100644 infrastructure/argocd/argocd-ingress.yaml
create mode 100644 infrastructure/argocd/argocd-rbac.yaml
create mode 100644 infrastructure/argocd/argocd-users.yaml
diff --git a/infrastructure/argocd/argocd-config.yaml b/infrastructure/argocd/argocd-config.yaml
new file mode 100644
index 0000000..235e5af
--- /dev/null
+++ b/infrastructure/argocd/argocd-config.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: argocd-cmd-params-cm
+ namespace: argocd
+data:
+ server.insecure: "true"
diff --git a/infrastructure/argocd/argocd-ingress.yaml b/infrastructure/argocd/argocd-ingress.yaml
new file mode 100644
index 0000000..ec0b5a9
--- /dev/null
+++ b/infrastructure/argocd/argocd-ingress.yaml
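Review bot: `server.insecure: "true"` makes argocd-server serve plain HTTP, so the hop from Traefik to the pod carries login credentials and session tokens unencrypted, and nothing in this commit restricts who can reach that port inside the cluster. Either add a NetworkPolicy in the `argocd` namespace that admits traffic to argocd-server only from the Traefik pods, or keep TLS on the server and let Traefik connect to the backend over HTTPS. At minimum, record the dependency next to the key: `# TLS is terminated at Traefik; argocd-server must only be reachable through the ingress controller`. The server presumably reads this ConfigMap at start-up, so confirm the deployment is restarted after the first sync.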
@@ -0,0 +1,26 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: argocd-ingress
+ namespace: argocd
+ annotations:
+ kubernetes.io/ingress.class: traefik
+ cert-manager.io/cluster-issuer: letsencrypt-prod
+ argocd.argoproj.io/sync-wave: "6"
+spec:
+ ingressClassName: traefik
+ rules:
+ - host: argocd.unreg-hdw.de
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: argocd-server
+ port:
+ number: 80
+ tls:
+ - hosts:
+ - argocd.unreg-hdw.de
+ secretName: argocd-tls-cert
diff --git a/infrastructure/argocd/argocd-rbac.yaml b/infrastructure/argocd/argocd-rbac.yaml
new file mode 100644
index 0000000..e426809
--- /dev/null
+++ b/infrastructure/argocd/argocd-rbac.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: argocd-rbac-cm
+ namespace: argocd
+data:
+ # Unangemeldete / unbekannte User haben keinen Zugriff
+ policy.default: role:''
+ policy.csv: |
+ # readonly: darf alles sehen, nichts ändern
+ p, role:readonly, applications, get, */*, allow
+ p, role:readonly, projects, get, *, allow
+ p, role:readonly, repositories, get, *, allow
+ p, role:readonly, clusters, get, *, allow
+ p, role:readonly, logs, get, */*, allow
+
+ # Beispiel: alice bekommt readonly-Zugriff
+ # g, alice, role:readonly
diff --git a/infrastructure/argocd/argocd-users.yaml b/infrastructure/argocd/argocd-users.yaml
new file mode 100644
index 0000000..992888e
--- /dev/null
+++ b/infrastructure/argocd/argocd-users.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: argocd-cm
+ namespace: argocd
+data:
+ url: https://argocd.unreg-hdw.de
+ # Weitere lokale User hier hinzufügen: accounts.: login
+ # accounts.alice: login
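Review bot: The Ingress in `argocd-ingress.yaml` publishes the Argo CD login page and API on `argocd.unreg-hdw.de` to every client that can reach Traefik; no middleware, source-address allowlist or additional authentication layer is attached in the visible manifest. For a deployment control plane it is worth restricting who can connect, for example by referencing a Traefik middleware through `traefik.ingress.kubernetes.io/router.middlewares: <namespace>-<middleware-name>@kubernetescrd` (placeholder name). Pinning the router to the TLS entrypoint with `traefik.ingress.kubernetes.io/router.entrypoints: websecure` (if that is the entrypoint name in this cluster) would also make the HTTPS-only intent explicit, since the backend on port 80 neither encrypts nor redirects by itself. The `kubernetes.io/ingress.class` annotation is deprecated and duplicates `ingressClassName`; one of the two is enough.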
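Review bot: In `argocd-rbac.yaml`, `role:readonly` is one of Argo CD's built-in roles and `policy.csv` is evaluated in addition to the built-in policy, so the five `p` lines neither define nor narrow that role; a user bound to it also receives whatever the built-in role grants beyond this list. If the list is meant to be the complete permission set, use a role name of your own, e.g. `p, role:viewer, applications, get, */*, allow` together with `g, alice, role:viewer`. Separately, `policy.default: role:''` is read by YAML as the literal string `role:''`, which denies access only because no role of that name exists; `policy.default: ""` states the intent directly.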
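Review bot: The built-in `admin` account stays enabled, because the `argocd-cm` in `argocd-users.yaml` sets only `url`, while the same commit makes the login page reachable from outside. Once a named local account with the needed role exists, add `admin.enabled: "false"` under `data` so the shared, well-known account name can no longer be used to log in. The placeholder in the comment appears to have lost its account name; `# accounts.<name>: login` is probably what was meant. If the Argo CD install manifests also ship `argocd-cm` and `argocd-rbac-cm`, check that applying these files does not drop keys set there; that cannot be verified from this diff.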