Update Headlamp and Vault documentation; enhance RBAC configurations in Argo CD. Modify Headlamp README to clarify sessionTTL handling and ServiceAccount permissions. Add Cilium network policy instructions to Vault README. Update Argo CD values.yaml for default RBAC settings, ensuring local admin retains full access while new users start with read-only permissions. Reflect these changes in CLUSTER-BUILD.md.

clusters/noble/bootstrap/argocd/README.md

@@ -15,6 +15,8 @@ helm upgrade --install argocd argo/argo-cd \
   --wait
 ```
 
+**RBAC:** `values.yaml` sets **`policy.default: role:readonly`** and **`g, admin, role:admin`** so the local **`admin`** user keeps full access while future OIDC users default to read-only until you add **`policy.csv`** mappings.
+
 ## 2. UI / CLI address
 
 **HTTPS:** `https://argo.apps.noble.lab.pcenicni.dev` (Ingress via Traefik; cert from **`values.yaml`**).

clusters/noble/bootstrap/argocd/values.yaml

@@ -21,6 +21,13 @@ configs:
     # TLS terminates at Traefik / cert-manager; Argo CD serves HTTP behind the Ingress.
     server.insecure: true
 
+  # RBAC: default authenticated users to read-only; keep local **admin** as full admin.
+  # Ref: https://argo-cd.readthedocs.io/en/stable/operator-manual/rbac/
+  rbac:
+    policy.default: role:readonly
+    policy.csv: |
+      g, admin, role:admin
+
 server:
   certificate:
     enabled: true