promote iris-iam argocd config to prod

Author: anish-mudaraddi

charts/prod/argocd/values.yaml

@@ -25,6 +25,11 @@ argo-cd:
 
       oidc.skip.insecure.verify: true
 
+    rbac:
+      policy.csv: |
+        g, stfc-cloud/team, role:readonly
+        g, stfc-cloud/admins, role:admin
+
   server:
     ingress:
       enabled: true

clusters/prod/management/secrets/apps/.sops.yaml

@@ -0,0 +1,10 @@
+creation_rules:
+  - unencrypted_regex: "^(apiVersion|metadata|kind|type)$"
+    key_groups:
+      - age:
+          # Temporary Key for ArgoCD
+          - age1p9q4tzawn9jh3evsgkuslklm2d4zhwhyhtcfls7n62a8cdpv8vqq7t9hqv
+          
+          # Access Keys
+          # Prod Access Key
+          - age1cq92796c46d06s43t079xc89exe4vd52rh30c9mcafmne62dxyhqrupl4l

clusters/prod/management/secrets/apps/argocd.yaml

@@ -0,0 +1,32 @@
+argo-cd:
+    configs:
+        secret:
+            extra:
+                oidc.irisiam.clientID: ENC[AES256_GCM,data:X/HbjE/uVc6C7FxRt44qjKHK4umoxS3ZysNpzQo3dP/roJie,iv:LnqTfWQaAgNw9c6HoSSdd2AwYn/wjjOjoL9BWEdh718=,tag:AKNsg5LNvHERx3VAcHHvIQ==,type:str]
+                oidc.irisiam.clientSecret: ENC[AES256_GCM,data:ixp/Vd4B/Rew0sMMlcHMjw0TgzZhwfdmIkzqJGetv/tvG3pwfLRn6Df12KrKcDw2nG2omyL6fHlZIDzVLECUSOu1QW3xkD4ihgc3Hz7m8VhBhJvCGZdY,iv:lbjTLWpPrPBINJbbrEss5spYNfyA2/1Pf2H5U+HwzXE=,tag:4EMmU+tr6PqZwJ0XbHOHJQ==,type:str]
+            #ENC[AES256_GCM,data:s5QWV4qI5mSSvz/PWIM7bRmT4KGNgbakWw==,iv:vfeBx/IKmThX2Mx18hT0mfx0f0FE2vig5F7hSUzKOug=,tag:HIhYH9Ln/bT7nJzh7hz62w==,type:comment]
+            argocdServerAdminPassword: ENC[AES256_GCM,data:o89wLyz0ZSbLWon9B9c/4DoMACxKBlWHfec3vw3slEe8jcP3fHv13ku62ILWH/WqE8exgncK4Owa4yzY,iv:21lvK6KdRsfwS9Fss4xT4L7ANzxf3tGQhz5yYFxhbHE=,tag:450s1AlvYAadIRSKzeZuSA==,type:str]
+sops:
+    age:
+        - recipient: age1p9q4tzawn9jh3evsgkuslklm2d4zhwhyhtcfls7n62a8cdpv8vqq7t9hqv
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3T1IveWg2Mk9zMGJ1ODhZ
+            VTE3eUZjYjhJT290OTI3ZmxENFRTNWpubHhFCm4zT01oN3kxcUJVcktUUDJsRk40
+            NEN4czJWaFhybW04b3VLelpyZ0JsdkEKLS0tIDdWdmQzWEJ4TCtwelNYc0UxcVky
+            empUb25xN2JMUnQrWS9valdPNkpUelUKthqTmDtn+ivKQCbbW24Cepmk+Mru6wHe
+            rBjNLkitJK4ZO7ufvibhYnscjJDvuFexCMr9dmiodyLJ52T7s+2ofQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1cq92796c46d06s43t079xc89exe4vd52rh30c9mcafmne62dxyhqrupl4l
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPK2hicEJsWjI3YW4zb2Yz
+            bTlaWWY3SEovRHBOWHE0NGRKSm1wUU80YjBVCnJSYjFob2JoWUV6T3ZTNGJGM2Fa
+            Sk9HMzB6dTRLYkc5RzJSdHZpais1dkkKLS0tIFhiU3VSTzE0aWxKazhsamN2cFVa
+            UUNCUlVwYjVySWRPTXlCUENoOW1kUjAK1R/iTB5k9ZIIh2W7iy144CQoXFGYNlaJ
+            NUTZ7/gPXXSXVFnHsvPI+c+2WK4QMw78Idjr+3U5DcBV3CYTZVFKrQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-11-04T16:02:36Z"
+    mac: ENC[AES256_GCM,data:0LJ7Juw8HPFVtIcyzj1JZGp+/riQ6GD5R4Dqap7R/2Ya3UYcfh9ndANfaCc7iznsszdIkj+H5CWDzWbreSqIA6Mn8ojKWAPOl7rtG6YgQkJ6oMlO7LuEDjDBxjpUMlFcrPjcpFrLiY867ZsZEfdJ3qYn4PzIwlu7VNGbADFCIZ8=,iv:7XWAHFwnj4LW8Lo74Zz0K11zRvSKkWwdSXjJYIL4rt8=,tag:Z2lOJoE8YlMZ6kc4w3Fl5g==,type:str]
+    unencrypted_regex: ^(apiVersion|metadata|kind|type)$
+    version: 3.11.0

clusters/prod/worker/secrets/apps/argocd.yaml

@@ -0,0 +1,32 @@
+argo-cd:
+    configs:
+        secret:
+            extra:
+                oidc.irisiam.clientID: ENC[AES256_GCM,data:Bu9czzLzimuQdBMBSQyJykssKgNoSBlZz2Qu8S0+fYZEQZOQ,iv:rGNpU0RZOylQDndpmVcxslxeol4v5tltvQnoBDsZFxU=,tag:p4mfuaaaNq0TRYxgCBBBDQ==,type:str]
+                oidc.irisiam.clientSecret: ENC[AES256_GCM,data:Pf79veV9pbIimjCbgNZYSrW12G7EGhrZnmsvVKZCTsUpDo77DlfxCRZbyhjZDczhtbsINeITCB4ISjs4yf3Pv9iN3TJXCrvQ4Uj6YfOh1ogpthb8hbDa,iv:2682QXKc1+PhcZkTH1c4fIqA9hADV0CcLyXZvNwXmdg=,tag:ZKBqqmKOuyGqnu90pZi6pg==,type:str]
+            #ENC[AES256_GCM,data:TWScxnB9wm4jB7C9qMu1ybuNhHYOJNtAOQ==,iv:g1EL6UoeqPsxlXLGKxVNHTjF/xTjHytfE3YcpdQu8XE=,tag:y66Dgm//lnMByZF3nhN76Q==,type:comment]
+            argocdServerAdminPassword: ENC[AES256_GCM,data:knrbvV+pnX+b3TZGGf9w/OAomFsina0WX/tc4+6uCKjS5KJpiOfSDO7HV+y+kHSiMOaXIePbNE9AzQXc,iv:U+Uxhxn8x66rRsN4HVtrnnXWQCPp+M2fEf94+q8qH24=,tag:qXsa3wVFdBC1OqIRJu5whw==,type:str]
+sops:
+    age:
+        - recipient: age1cpv0ejrvuv2hslsy4nq66zwkmkqrn4c3km66lwfkmcyqpxr8v4wsfajuck
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDYXR4N3RPWlV5RVJyTk1B
+            Tm5Qb3FjaXZNSW9SdWQxSXY1Q1V0L2huUW04CkkyT01VR3IwNWdFeFp4WXM5TjBW
+            SUtZTDJhNEJhVHhmTlZEeVdabHMyTGsKLS0tIFlJeGp4b1hTMS9lYUlOL0RMTDRw
+            T3Z2VG83M2I1bnpDWXBIWm90TXB0SGcK7vT50bI07km4inD3CSLwEYo1zr16hi3y
+            aUG8nIgfL3cEVK0t08Jc0CZaojKjbIg4HtdprTk5i624gNpiH9rlsA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1cq92796c46d06s43t079xc89exe4vd52rh30c9mcafmne62dxyhqrupl4l
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLc3lmckdmem9hZlp1Skh2
+            Q1p6MXJUeW5wMkZGeTF2RDlKZWpGNUROSFFrCllNU3JkeDVpNjgxZGd1RVljd1hm
+            eEFjSTIwUTdnbzJ0U20xRElPZURWT2sKLS0tIGN3ditwVFBkU1ZGcC8ydTJCYzdv
+            TGZoT0VpV3lmTHJRZmNwM09mclFidnMKm6bLvGEN4Bt9fp+Q9enmn0jF5USE3J9q
+            N1G/msqxVT6ngrGpjiGDCYisMQvugcOrYEa2M1rRohcAUB/EqNyN9g==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-11-04T16:08:53Z"
+    mac: ENC[AES256_GCM,data:m8t9mgzPUYk6eAYTnfh/B5K2XYPFfj5APza0fQYa4LTYAN/plvS1BKz4fyC0n7TyLJX43fGo16oxvq1VAlt/nnhy9I8lMc7v168w7kuIakAf242RXg2c/X4N9fbpzoWDrhYrpzfmSZv9b28/NQC30mUd+S8j8DWJPrdC1ydqRtY=,iv:4DbnuRWp9xbIU/jY8i8SaVdG2VjXQFc40LzPBWXw+oo=,tag:7fxB+0oDti8cBHoGj23UBg==,type:str]
+    unencrypted_regex: ^(apiVersion|metadata|kind|type)$
+    version: 3.11.0