⚡️ :: xquare-application, role

⚡️ :: xquare-role

.github/workflows/publish.yaml

@@ -5,7 +5,7 @@ on:
     branches:
       - main
     paths:
-      - "helm/**"
+      - "charts/**"
 
 permissions:
   contents: read

charts/xquare-application/templates/argocd-application.yaml

@@ -1,37 +1,41 @@
+{{- range .Values.projects }}
+{{ $projectName := .name }}
+{{- range .applications }}
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: xquare
+  name: {{ .name }}
   namespace: argocd
 spec:
   destination:
     namespace: argocd
     server: https://kubernetes.default.svc
-  project: xquare
+  project: {{ $projectName }}
   source:
-    path: deploy
-    repoURL: https://github.com/team-xquare/xquare-gitops-repo.git
-    targetRevision: HEAD
+    path: {{ .source.path }}
+    repoURL: {{ .source.repoURL }}
+    targetRevision: {{ .source.rtargetRevision }}
   syncPolicy:
     automated:
-      prune: true
-      selfHeal: true
-
+      prune: {{ .syncPolicy.prune }}
+      selfHeal: {{ .syncPolicy.selfHeal }}
+{{- end }}
+---
 apiVersion: argoproj.io/v1alpha1
-kind: Application
+kind: AppProject
 metadata:
-  name: {{ .Values.application.name }}
-  namespace: {{ .Values.application.namespace }}
+  name: {{ $projectName }}
+  namespace: argocd
+  # Finalizer that ensures that project is not deleted until it is not referenced by any application
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
 spec:
-  destination:
-    namespace: {{ .Values.application.namespace }}
-    server: https://kubernetes.default.svc
-  project: {{ .Values.application.project }}
-  source:
-    path: {{ .Values.application.source.path }}
-    repoURL: {{ .Values.application.source.repoURL }}
-    targetRevision: {{ .Values.application.source.targetRevision }}
-  syncPolicy:
-    automated:
-      prune: {{ .Values.application.syncPolicy.automated.prune }}
-      selfHeal: {{ .Values.application.syncPolicy.automated.selfHeal }}
+  sourceRepos:
+  - '*'
+  destinations:
+  - namespace: '*'
+    server: '*'
+  clusterResourceWhitelist:
+  - group: '*'
+    kind: '*'
+{{- end }}

charts/xquare-application/values.yaml

@@ -0,0 +1,23 @@
+projects:
+  - name: xquare-application
+    applications:
+      - name: xquare
+        source:
+          path: deploy
+          repoURL: https://github.com/team-xquare/xquare-gitops-repo.git
+          targetRevision: HEAD
+        syncPolicy:
+          automated:
+            prune: true
+            selfHeal: true
+  - name: xquare-k8s-resources
+    applications:
+      - name: xquare-role
+        source:
+          path: charts/xquare-role
+          repoURL: https://github.com/team-xquare/k8s-resource.git
+          targetRevision: HEAD
+        syncPolicy:
+          automated:
+            prune: true
+            selfHeal: true

charts/xquare-role/Chart.yaml

@@ -0,0 +1,6 @@
+apiVersion: v2
+type: application
+name: xquare-role
+version: 1.0.1
+appVersion: "1.0.0"
+description: Xquare role

charts/xquare-role/templates/role.yaml

@@ -0,0 +1,45 @@
+{{- range .Values.clubs }}
+{{- $clubname := .name }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  namespace: 
+  name: {{ $clubname }}-role
+rules:
+- apiGroups: [""]
+  resources: ["pods", "pods/log"]
+  verbs: ["get", "list"]
+  resourceNames:
+    {{- range .deployments }}
+      - name: {{ . }}
+    {{- end }}
+{{- range .users }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ $clubname }}-rolebinding
+  namespace: xquare-prod
+subjects:
+- kind: User 
+  name: {{ . }}
+roleRef:
+  kind: Role
+  name: {{ $clubname }}-pod-read-and-logs
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ $clubname }}-rolebinding
+  namespace: xquare-stag
+subjects:
+- kind: User 
+  name: {{ . }}
+roleRef:
+  kind: Role
+  name: {{ $clubname }}-pod-read-and-logs
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}
+{{- end }}

charts/xquare-role/values.yaml

@@ -0,0 +1,6 @@
+clubs:
+  - name: dms
+    deployments: 
+      - "feed-fe-prod"
+    users:
+      - "[email protected]"