Security, RBAC and Production
Lesson 5 of 5
RBAC in ArgoCD
# argocd-rbac-cm ConfigMap
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-rbac-cm
  namespace: argocd
data:
  # Role granted to every authenticated user when nothing else matches.
  # Keep it readonly (or empty) in production, never role:admin.
  policy.default: role:readonly
  # Optional: which JWT claims the g-lines are matched against (default: groups).
  # scopes: '[groups, email]'
  policy.csv: |
    # p, <subject>, <resource>, <action>, <object>, <effect>
    # Applications are addressed as <project>/<app>, hence */*.
    p, role:developer, applications, get, */*, allow
    p, role:developer, applications, sync, */*, allow
    p, role:developer, clusters, get, *, allow
    p, role:developer, repositories, get, *, allow
    p, role:admin, *, *, *, allow
    # g, <user or groups-claim value>, <role>. The name must match the claim
    # exactly; Dex's GitHub connector emits groups as org:team.
    g, my-org:developers, role:developer
    g, my-org:devops, role:admin
    g, my-org:sre, role:admin
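Test a policy before rolling it out. Argo CD's own check is argocd admin settings rbac can <subject> <action> <resource> <object> --policy-file policy.csv. The script below is an added example, not Argo CD code: it reproduces the same decision logic offline so a policy.csv can be unit-tested in CI. Assumptions: fnmatch globbing stands in for Casbin's matcher, regex mode and AppProject-scoped roles are not modelled, and the readonly subset and policy text are constructed for the demo (the course's roles plus one deny line to show that a deny beats an allow).

```python
"""Offline evaluator for an argocd-rbac-cm policy (added example, not Argo CD code).

Models how Argo CD answers "can this login do X?": each of the caller's
subjects (policy.default role, user name, every groups-claim value) is
checked on its own; g-lines map subjects to roles transitively; within one
check the request passes if some p-line allows it and no p-line denies it.
Assumptions: fnmatch globs instead of Casbin, no regex mode, no project roles.
"""
import fnmatch
from collections import defaultdict

# Subset of Argo CD's built-in role:readonly (assumed here for the demo).
BUILTIN_READONLY = """
p, role:readonly, applications, get, */*, allow
p, role:readonly, clusters, get, *, allow
p, role:readonly, repositories, get, *, allow
"""

# Constructed policy.csv: the course's roles plus an explicit deny on prod.
POLICY_CSV = """
p, role:developer, applications, get, */*, allow
p, role:developer, applications, sync, */*, allow
p, role:developer, clusters, get, *, allow
p, role:developer, repositories, get, *, allow
p, role:developer, applications, sync, prod/*, deny
p, role:admin, *, *, *, allow
g, my-org:developers, role:developer
g, my-org:devops, role:admin
g, my-org:sre, role:admin
"""


def parse_policy(text):
    """Return (p_rules, g_edges); a malformed line raises instead of vanishing."""
    rules, edges = [], defaultdict(set)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(",")]
        if parts[0] == "p" and len(parts) == 6:
            rules.append(tuple(parts[1:]))  # (sub, res, act, obj, eft)
        elif parts[0] == "g" and len(parts) == 3:
            edges[parts[1]].add(parts[2])
        else:
            raise ValueError(f"malformed policy line: {raw!r}")
    return rules, edges


def roles_of(subject, edges):
    """All names reachable from subject through g-lines, subject included."""
    seen, stack = set(), [subject]
    while stack:
        s = stack.pop()
        if s not in seen:
            seen.add(s)
            stack.extend(edges.get(s, ()))
    return seen


def _enforce(rules, subjects, resource, action, obj):
    allowed = denied = False
    for sub, res, act, o, eft in rules:
        if (sub in subjects
                and fnmatch.fnmatchcase(resource, res)
                and fnmatch.fnmatchcase(action, act)
                and fnmatch.fnmatchcase(obj, o)):
            allowed |= eft == "allow"
            denied |= eft == "deny"
    return allowed and not denied  # Argo CD's effect: some allow and no deny


def can(policy, user, groups, resource, action, obj, default_role="role:readonly"):
    """True if the login may perform action on resource/obj."""
    rules, edges = policy
    for subject in [default_role, user, *groups]:
        if _enforce(rules, roles_of(subject, edges), resource, action, obj):
            return True
    return False


POLICY = parse_policy(BUILTIN_READONLY + POLICY_CSV)

if __name__ == "__main__":
    for who, grp, act, obj in [("alice", ["my-org:developers"], "sync", "default/guestbook"),
                               ("alice", ["my-org:developers"], "sync", "prod/guestbook"),
                               ("bob", ["my-org:sre"], "delete", "prod/guestbook"),
                               ("carol", [], "get", "default/guestbook")]:
        print(who, act, obj, "->", can(POLICY, who, grp, "applications", act, obj))
```

The per-subject loop matters: a deny attached to one role does not cancel an allow the same user gets through another group, which is the behaviour you must keep in mind when you rely on deny lines.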
# SSO: OIDC (Keycloak, Google, Okta)
# argocd-cm ConfigMap (data section only)
data:
  url: https://argocd.app.empresa.com
  oidc.config: |
    name: Keycloak
    issuer: https://auth.empresa.com/realms/argocd
    clientID: argocd
    # $oidc.argocd.clientSecret is resolved from the key of the same name in
    # the argocd-secret Secret; never paste the secret into the ConfigMap.
    clientSecret: $oidc.argocd.clientSecret
    # The provider must put team membership in a "groups" claim,
    # otherwise the g-lines in argocd-rbac-cm never match anything.
    requestedScopes:
      - openid
      - profile
      - email
      - groups
  # Once SSO works, turn off the built-in admin account.
  admin.enabled: "false"
# Redirect URI to register at the provider: https://argocd.app.empresa.com/auth/callback
# Local accounts
argocd account list
argocd account update-password   # own password; --account <name> for another user
SSO with Dex
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
  namespace: argocd
data:
  url: https://argocd.empresa.com
  dex.config: |
    connectors:
      - type: github
        id: github
        name: GitHub
        config:
          # Resolved from argocd-secret (keys dex.github.clientID / dex.github.clientSecret)
          clientID: $dex.github.clientID
          clientSecret: $dex.github.clientSecret
          # Only members of the listed teams can log in; the groups claim
          # arrives as org:team (my-org:devops), which is what the g-lines match.
          orgs:
            - name: my-org
              teams:
                - devops
                - sre
                - developers
# GitHub OAuth app callback URL: https://argocd.empresa.com/api/dex/callback
Webhook: automatic sync
# The webhook secret lives in the argocd-secret Secret, not in the argocd-cm
# ConfigMap (a ConfigMap is readable by anyone with get on configmaps).
# Merge this key into the existing argocd-secret (kubectl edit/patch); applying
# a fresh Secret with only this key would wipe the other entries.
apiVersion: v1
kind: Secret
metadata:
  name: argocd-secret
  namespace: argocd
stringData:
  # GitHub webhook secret: use a long random value (e.g. openssl rand -hex 32)
  webhook.github.secret: "webhook-secret-shared"
# Configure on GitHub:
# Repo > Settings > Webhooks > Add webhook
# Payload URL: https://argocd.empresa.com/api/webhook
# Content type: application/json
# Secret: webhook-secret-shared
# Events: Push, Pull Request (push is what triggers the refresh)
# A push now causes an immediate refresh instead of waiting for the default
# 3-minute poll; whether it also syncs depends on the Application's syncPolicy.
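The secret is only useful because the receiver checks it: GitHub computes HMAC-SHA256 over the raw request body with the shared secret and sends it as X-Hub-Signature-256, and the endpoint must verify that before it acts on the payload. The script below is an added example, not Argo CD's code, showing that verification and the order of operations (verify bytes first, parse JSON second). The payload and headers are constructed here; the secret value is the one from the slide.

```python
"""Verify a GitHub webhook before trusting it (added example, not Argo CD code).

The shared secret from argocd-secret keys an HMAC-SHA256 over the raw body;
GitHub sends the result as X-Hub-Signature-256. Without this check anyone who
can reach /api/webhook could spam refreshes or fake pushes for other repos.
"""
import hashlib
import hmac
import json

# Same value as the webhook.github.secret key on the slide (demo only).
WEBHOOK_SECRET = b"webhook-secret-shared"


def github_signature(secret, body):
    """What GitHub computes for the X-Hub-Signature-256 header."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret, body, header):
    """Constant-time comparison; a missing or malformed header is a failure."""
    if not header or not header.startswith("sha256="):
        return False
    return hmac.compare_digest(github_signature(secret, body), header)


def handle_webhook(headers, body):
    """Return ('refresh', repo_url, branch) for a valid push, else ('rejected', why).

    Verification runs on the raw bytes first: parsing JSON before verifying
    lets an attacker choose what your parser sees.
    """
    if not verify_signature(WEBHOOK_SECRET, body, headers.get("X-Hub-Signature-256")):
        return ("rejected", "bad or missing signature")
    if headers.get("X-GitHub-Event") != "push":
        return ("rejected", "not a push event")
    try:
        payload = json.loads(body)
        repo = payload["repository"]["html_url"]
        branch = payload["ref"].removeprefix("refs/heads/")
    except (ValueError, KeyError, AttributeError, TypeError):
        return ("rejected", "malformed payload")
    return ("refresh", repo, branch)


# Constructed push payload with the fields Argo CD matches against an
# Application's repoURL and targetRevision.
PUSH_BODY = json.dumps({
    "ref": "refs/heads/main",
    "repository": {"html_url": "https://github.com/my-org/k8s-manifests"},
}).encode()
PUSH_HEADERS = {
    "X-GitHub-Event": "push",
    "X-Hub-Signature-256": github_signature(WEBHOOK_SECRET, PUSH_BODY),
}

if __name__ == "__main__":
    print(handle_webhook(PUSH_HEADERS, PUSH_BODY))
    # Changing a single byte of the body invalidates the signature.
    print(handle_webhook(PUSH_HEADERS, PUSH_BODY.replace(b"main", b"prod")))
```

Use hmac.compare_digest rather than == so the comparison does not leak, byte by byte, how much of a guessed signature was right; and keep the secret in argocd-secret, because anyone who can read it can forge these headers.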
Notifications
# argocd-notifications-cm
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-notifications-cm
  namespace: argocd
data:
  template.app-sync-succeeded: |
    message: |
      Application {{.app.metadata.name}} sync succeeded.
  trigger.on-sync-succeeded: |
    - description: Sync succeeded
      send:
        - app-sync-succeeded
      when: app.status.sync.status == 'Synced'
  service.slack: |
    # $slack-token is read from the argocd-notifications-secret Secret
    token: $slack-token
  service.email: |
    host: smtp.gmail.com
    port: 587
    from: argocd@empresa.com   # placeholder sender address
    username: $email-username
    password: $email-password
# An Application opts in to a trigger with an annotation, e.g.
#   notifications.argoproj.io/subscribe.on-sync-succeeded.slack: deploys
# Install notifications (standalone project, needed only for Argo CD < 2.3;
# since 2.3 the notifications controller ships with Argo CD itself)
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj-labs/argocd-notifications/stable/manifests/install.yaml
Rollback and History
# Deployment history (argocd app get shows the app summary; history lists the revisions)
argocd app history guestbook
# ID  DATE                       REVISION
# 12  2024-06-01 14:30:22 +0000  main (<sha>)
# 11  2024-06-01 14:00:00 +0000  main (<sha>)
# 10  2024-05-31 09:00:00 +0000  main (<sha>)
# Roll back to a specific history ID
argocd app rollback guestbook 11
# Caveats: rollback is refused while automated sync is enabled, and it deploys an
# old Git revision without touching Git, so the live state now diverges from the
# repository. A git revert (commit + push) is the recommended rollback: Git stays
# the source of truth and the rollback itself is audited like any other change.
Production Checklist
- AppProject with restricted sourceRepos and destinations (never a bare wildcard)
- RBAC backed by SSO (OIDC, or GitHub through Dex); built-in admin account disabled
- Webhook configured so a push triggers an immediate refresh instead of the 3-minute poll
- Sync windows for production (business hours only)
- Notifications (Slack, email)
- Finalizers on critical apps
- Backup of the argocd Secrets (argocd-secret, repository credentials); argocd admin export for the full state
- Encryption: TLS on argocd-server (argocd-secret holds the certificate), application secrets in an external secret manager, never in plain text in Git
- HA: Argo CD with 3+ replicas
- Argo CD is the only writer: live state is never changed by hand (kubectl edit bypasses Git); selfHeal reverts any drift
- Monitoring: Argo CD metrics (requests, sync duration)
- Audit trail: argocd-server log plus the Kubernetes audit log
# The finalizer makes deletion cascade: Argo CD removes the managed resources
# before the Application object goes away. Without it, deleting the Application
# leaves the workloads running, orphaned and no longer managed by anyone.
metadata:
  finalizers:
    - resources-finalizer.argocd.argoproj.io
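Several checklist items can be verified mechanically from the manifests in Git before they reach the cluster. The script below is an added example, not an Argo CD tool: it lints an AppProject and an Application (as parsed dicts) for unrestricted sourceRepos and destinations, missing sync windows, the missing finalizer and selfHeal being off. The sample objects and the finding texts are constructed here.

```python
"""Lint AppProject/Application manifests against the production checklist
(added example, not an Argo CD tool). Works on parsed manifests as dicts;
sample objects below are constructed for the demo.
"""
FINALIZER = "resources-finalizer.argocd.argoproj.io"


def audit_project(proj):
    """Checklist: restricted sourceRepos and destinations, sync windows."""
    spec = proj.get("spec", {})
    findings = []
    if not spec.get("sourceRepos") or "*" in spec["sourceRepos"]:
        findings.append("sourceRepos is unrestricted: any Git repo can be deployed")
    for dest in spec.get("destinations", []):
        if dest.get("server") == "*" or dest.get("namespace") == "*":
            findings.append(f"destination {dest} is a wildcard")
    if not spec.get("syncWindows"):
        findings.append("no syncWindows: production can be synced at any hour")
    return findings


def audit_application(app):
    """Checklist: finalizer present, automated sync with selfHeal."""
    meta, spec = app.get("metadata", {}), app.get("spec", {})
    findings = []
    if FINALIZER not in meta.get("finalizers", []):
        findings.append("missing resources finalizer: deleting the Application "
                        "would orphan its resources instead of cleaning them up")
    automated = (spec.get("syncPolicy") or {}).get("automated")
    if automated is None:
        findings.append("no automated sync: Git changes wait for a manual sync")
    elif not automated.get("selfHeal"):
        findings.append("selfHeal off: manual kubectl changes are not reverted")
    return findings


# Constructed manifests: a permissive pair and a hardened pair.
PERMISSIVE_PROJECT = {
    "kind": "AppProject", "metadata": {"name": "default"},
    "spec": {"sourceRepos": ["*"],
             "destinations": [{"server": "*", "namespace": "*"}]},
}
HARDENED_PROJECT = {
    "kind": "AppProject", "metadata": {"name": "prod"},
    "spec": {
        "sourceRepos": ["https://github.com/my-org/k8s-manifests"],
        "destinations": [{"server": "https://kubernetes.default.svc",
                          "namespace": "guestbook"}],
        # Allow syncs only 09:00-18:00, Monday to Friday.
        "syncWindows": [{"kind": "allow", "schedule": "0 9 * * 1-5",
                         "duration": "9h", "applications": ["*"]}],
    },
}
PERMISSIVE_APP = {
    "kind": "Application", "metadata": {"name": "guestbook"},
    "spec": {"project": "default", "syncPolicy": {"automated": {"prune": True}}},
}
HARDENED_APP = {
    "kind": "Application",
    "metadata": {"name": "guestbook", "finalizers": [FINALIZER]},
    "spec": {"project": "prod",
             "syncPolicy": {"automated": {"prune": True, "selfHeal": True}}},
}

if __name__ == "__main__":
    for obj in (PERMISSIVE_PROJECT, PERMISSIVE_APP, HARDENED_PROJECT, HARDENED_APP):
        check = audit_project if obj["kind"] == "AppProject" else audit_application
        print(obj["kind"], obj["metadata"]["name"], check(obj) or "OK")
```

Run it as a pre-merge check on the repository that holds the Argo CD objects themselves, so a wildcard destination or a dropped finalizer is caught in review rather than after the Application has been deleted.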
ArgoCD is the GitOps standard. Production requires SSO + RBAC + webhooks + notifications + monitoring. Finalizers ensure an app is never deleted without its resources being cleaned up. Always roll back with git revert; argocd app rollback bypasses Git and is only an emergency stopgap.