fix: use platform-admin group instead of team-admin (#1762)

Author: j-zimnowoda

charts/team-ns/templates/argocd/argocd-project.yaml

@@ -51,13 +51,13 @@ spec:
   #   kind: StatefulSet
   roles:
 {{- if $v.otomi.isMultitenant }}
-  # we create a scoped team-admin role since we are only allowed access to team-* projects as team-admin in multitenant setup
-  - name: team-admin
+  # we create a scoped platform-admin role since we are only allowed access to team-* projects as platform-admin in multitenant setup
+  - name: platform-admin
     description: Team member privileges to team-{{ $v.teamId }}
     policies:
-    - p, proj:team-{{ $v.teamId }}:team-admin, *, *, team-{{ $v.teamId }}/*, allow
+    - p, proj:team-{{ $v.teamId }}:platform-admin, *, *, team-{{ $v.teamId }}/*, allow
     groups:
-    - team-admin
+    - platform-admin
     - team-{{ $v.teamId }}
 {{- end }}
   - name: team-member

charts/team-ns/templates/istio-virtualservices.yaml

@@ -333,7 +333,7 @@ spec:
         {{- if not $s.isShared }}
       when:
         - key: request.auth.claims[groups]
-          values: [{{ if not (eq $v.teamId "admin") }}team-{{ $v.teamId }},{{ end }}team-admin,admin]
+          values: [{{ if not (eq $v.teamId "admin") }}team-{{ $v.teamId }},{{ end }}platform-admin,admin]
         {{- end }}
       to:
         - operation:

helmfile.d/helmfile-60.teams.yaml

@@ -79,7 +79,7 @@ releases:
           fullnameOverride: {{ $teamId }}-po-grafana
           grafana.ini:
             "auth.generic_oauth":
-              role_attribute_path: contains(groups[*], 'admin') && 'Admin' || contains(groups[*], 'team-admin') && 'Admin' || contains(groups[*], 'team-{{ $teamId }}') && 'Editor'{{ if not ($team | get "managedMonitoring.private" false) }} || 'Viewer'{{- end }}
+              role_attribute_path: contains(groups[*], 'admin') && 'Admin' || contains(groups[*], 'platform-admin') && 'Admin' || contains(groups[*], 'team-{{ $teamId }}') && 'Editor'{{ if not ($team | get "managedMonitoring.private" false) }} || 'Viewer'{{- end }}
             server:
               root_url: https://grafana-{{ $teamId }}.{{ $domain }}
           sidecar:

helmfile.d/snippets/grafana.gotmpl

@@ -11,7 +11,7 @@
   auth_url: {{ printf "%s/protocol/openid-connect/auth" .keycloakBase }}
   token_url: {{ printf "%s/protocol/openid-connect/token" .keycloakBase }}
   api_url: {{ printf "%s/protocol/openid-connect/userinfo" .keycloakBase }}
-  role_attribute_path: contains(groups[*], 'admin') && 'Admin' || contains(groups[*], 'team-admin') && 'Admin'
+  role_attribute_path: contains(groups[*], 'admin') && 'Admin' || contains(groups[*], 'platform-admin') && 'Admin'
   role_attribute_strict: true
 log:
   level: error

values/argocd/argocd.gotmpl

@@ -139,10 +139,11 @@ configs:
       g, image-updater, role:image-updater
       # admin
       g, admin, role:admin
+      g, platform-admin, role:admin
     {{- if $v.otomi.isMultitenant }}
     policy.default: ''
     {{- else }}
-      # not multitenant, make team-admin admin and keep global read-only
-      g, team-admin, role:admin
+      # not multitenant, make platform-admin admin and keep global read-only
+      g, platform-admin, role:admin
     policy.default: role:readonly
     {{- end }}