Restrict incluster deploy (#8)

roi-codefresh · web-flow · commit a037ed0015c3 · 2022-06-23T13:56:08.000+03:00
* wip

* wip
diff --git a/csdp/base/kustomization.yaml b/csdp/base/kustomization.yaml
@@ -1,11 +1,14 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 
+resources:
+  - ./project.yaml
+
 generatorOptions:
   disableNameSuffixHash: true
 
 configMapGenerator:
   - name: codefresh-cm
     behavior: create
     literals:
-      - version=0.0.391
+      - version=0.0.392
diff --git a/csdp/base/project.yaml b/csdp/base/project.yaml
@@ -0,0 +1,22 @@
+apiVersion: argoproj.io/v1alpha1
+kind: AppProject
+metadata:
+  annotations:
+    argocd.argoproj.io/sync-options: PruneLast=true
+    argocd.argoproj.io/sync-wave: "-2"
+  creationTimestamp: null
+  name: csdp
+  namespace: default # replace
+spec:
+  clusterResourceWhitelist:
+    - group: "*"
+      kind: "*"
+  description: csdp project
+  destinations:
+    - namespace: "*"
+      server: "*"
+  namespaceResourceWhitelist:
+    - group: "*"
+      kind: "*"
+  sourceRepos:
+    - "*"
diff --git a/csdp/hybrid/appset.yaml b/csdp/hybrid/appset.yaml
@@ -1,28 +1,4 @@
 apiVersion: argoproj.io/v1alpha1
-kind: AppProject
-metadata:
-  annotations:
-    argocd.argoproj.io/sync-options: PruneLast=true
-    argocd.argoproj.io/sync-wave: "-2"
-  creationTimestamp: null
-  name: csdp
-  namespace: default # replace
-spec:
-  clusterResourceWhitelist:
-    - group: "*"
-      kind: "*"
-  description: csdp project
-  destinations:
-    - namespace: "*"
-      server: "*"
-  namespaceResourceWhitelist:
-    - group: "*"
-      kind: "*"
-  sourceRepos:
-    - "*"
-
----
-apiVersion: argoproj.io/v1alpha1
 kind: ApplicationSet
 metadata:
   annotations:
diff --git a/csdp/managed/appset.yaml b/csdp/managed/appset.yaml
@@ -1,28 +1,4 @@
 apiVersion: argoproj.io/v1alpha1
-kind: AppProject
-metadata:
-  annotations:
-    argocd.argoproj.io/sync-options: PruneLast=true
-    argocd.argoproj.io/sync-wave: "-2"
-  creationTimestamp: null
-  name: csdp
-  namespace: default # replace
-spec:
-  clusterResourceWhitelist:
-    - group: "*"
-      kind: "*"
-  description: csdp project
-  destinations:
-    - namespace: "*"
-      server: "*"
-  namespaceResourceWhitelist:
-    - group: "*"
-      kind: "*"
-  sourceRepos:
-    - "*"
-
----
-apiVersion: argoproj.io/v1alpha1
 kind: ApplicationSet
 metadata:
   annotations:
diff --git a/csdp/managed/argo-cd/allowed-apps-patch.yaml b/csdp/managed/argo-cd/allowed-apps-patch.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: argocd-cm
+data:
+  application.allowedDeliverToIncluster: |
+    - csdp-bootstrap
+    - csdp-argo-cd
+    - csdp-app-proxy
+    - csdp-argo-workflows
+    - csdp-sealed-secrets
+    - csdp-argo-events
+    - csdp-events-reporter
+    - csdp-workflow-reporter
+    - isc
+    - in-cluster
diff --git a/csdp/managed/argo-cd/kustomization.yaml b/csdp/managed/argo-cd/kustomization.yaml
@@ -3,3 +3,6 @@ kind: Kustomization
 namespace: argocd
 resources:
   - ../../base/argo-cd
+
+patchesStrategicMerge:
+  - ./allowed-apps-patch.yaml
diff --git a/csdp/managed/in-cluster-project.yaml b/csdp/managed/in-cluster-project.yaml
@@ -0,0 +1,18 @@
+apiVersion: argoproj.io/v1alpha1
+kind: AppProject
+metadata:
+  name: git-sources
+  namespace: default # replace
+spec:
+  description: All of the git-sources will be in this project, destination is in-cluster and only applications resources may be deployed
+  clusterResourceWhitelist:
+    - group: "argoproj.io"
+      kind: "Application"
+  namespaceResourceWhitelist:
+    - group: "argoproj.io"
+      kind: "Application"
+  destinations:
+    - namespace: "*"
+      server: "https://kubernetes.default.svc"
+  sourceRepos:
+    - "*"
diff --git a/csdp/managed/kustomization.yaml b/csdp/managed/kustomization.yaml
@@ -3,6 +3,7 @@ kind: Kustomization
 resources:
   - ../base
   - ./appset.yaml
+  - ./in-cluster-project.yaml
 
 patches:
   - target:
