Update Headlamp and Vault documentation; enhance RBAC configurations in Argo CD. Modify Headlamp README to clarify sessionTTL handling and ServiceAccount permissions. Add Cilium network policy instructions to Vault README. Update Argo CD values.yaml for default RBAC settings, ensuring local admin retains full access while new users start with read-only permissions. Reflect these changes in CLUSTER-BUILD.md.

2026-03-28 02:02:17 -04:00
parent 906c24b1d5
commit 445a1ac211
15 changed files with 188 additions and 13 deletions
--- a/clusters/noble/bootstrap/argocd/values.yaml
+++ b/clusters/noble/bootstrap/argocd/values.yaml
@@ -21,6 +21,13 @@ configs:
    # TLS terminates at Traefik / cert-manager; Argo CD serves HTTP behind the Ingress.
    server.insecure: true

+  # RBAC: default authenticated users to read-only; keep local **admin** as full admin.
+  # Ref: https://argo-cd.readthedocs.io/en/stable/operator-manual/rbac/
+  rbac:
+    policy.default: role:readonly
+    policy.csv: |
+      g, admin, role:admin
+
 server:
  certificate:
    enabled: true