From 8435cb2583e9a94da0c272b643665f6a2b165f3b Mon Sep 17 00:00:00 2001
From: Jehoszafat Zimnowoda <17126497+j-zimnowoda@users.noreply.github.com>
Date: Tue, 15 Oct 2024 10:18:30 +0200
Subject: [PATCH 1/2] fix: use platform-admin group instead of team-admin
---
 charts/team-ns/templates/argocd/argocd-project.yaml | 8 ++++----
 charts/team-ns/templates/istio-virtualservices.yaml | 2 +-
 helmfile.d/helmfile-60.teams.yaml | 2 +-
 helmfile.d/snippets/grafana.gotmpl | 2 +-
 values/argocd/argocd.gotmpl | 4 ++--
 5 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/charts/team-ns/templates/argocd/argocd-project.yaml b/charts/team-ns/templates/argocd/argocd-project.yaml
index 4c0f344ef4..d7400fe393 100644
--- a/charts/team-ns/templates/argocd/argocd-project.yaml
+++ b/charts/team-ns/templates/argocd/argocd-project.yaml
@@ -51,13 +51,13 @@ spec:
 # kind: StatefulSet
 roles:
 {{- if $v.otomi.isMultitenant }}
- # we create a scoped team-admin role since we are only allowed access to team-* projects as team-admin in multitenant setup
- - name: team-admin
+ # we create a scoped platform-admin role since we are only allowed access to team-* projects as platform-admin in multitenant setup
+ - name: platform-admin
 description: Team member privileges to team-{{ $v.teamId }}
 policies:
- - p, proj:team-{{ $v.teamId }}:team-admin, *, *, team-{{ $v.teamId }}/*, allow
+ - p, proj:team-{{ $v.teamId }}:platform-admin, *, *, team-{{ $v.teamId }}/*, allow
 groups:
- - team-admin
+ - platform-admin
 - team-{{ $v.teamId }}
 {{- end }}
 - name: team-member
diff --git a/charts/team-ns/templates/istio-virtualservices.yaml b/charts/team-ns/templates/istio-virtualservices.yaml
index 2c92a0e6fb..fe206a2106 100644
--- a/charts/team-ns/templates/istio-virtualservices.yaml
+++ b/charts/team-ns/templates/istio-virtualservices.yaml
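Review bot: The `description: Team member privileges to team-{{ $v.teamId }}` context line still describes the renamed `platform-admin` role as team-member privileges, while the policy beneath it grants `*, *` on `team-{{ $v.teamId }}/*`; `description: Platform admin privileges (all actions) on project team-{{ $v.teamId }}` would match what the role actually allows. The `groups:` list also binds `team-{{ $v.teamId }}` to this same full-access role, so after the rename team members keep platform-admin-level rights on their own project — presumably intended, but worth confirming against the `team-member` role that follows, whose body is outside the hunk. The `roles:` block continues past the hunk.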
@@ -333,7 +333,7 @@ spec:
 {{- if not $s.isShared }}
 when:
 - key: request.auth.claims[groups]
- values: [{{ if not (eq $v.teamId "admin") }}team-{{ $v.teamId }},{{ end }}team-admin,admin]
+ values: [{{ if not (eq $v.teamId "admin") }}team-{{ $v.teamId }},{{ end }}platform-admin,admin]
 {{- end }}
 to:
 - operation:
diff --git a/helmfile.d/helmfile-60.teams.yaml b/helmfile.d/helmfile-60.teams.yaml
index 8f207f1bf7..926d45521e 100644
--- a/helmfile.d/helmfile-60.teams.yaml
+++ b/helmfile.d/helmfile-60.teams.yaml
@@ -79,7 +79,7 @@ releases:
 fullnameOverride: {{ $teamId }}-po-grafana
 grafana.ini:
 "auth.generic_oauth":
- role_attribute_path: contains(groups[*], 'admin') && 'Admin' || contains(groups[*], 'team-admin') && 'Admin' || contains(groups[*], 'team-{{ $teamId }}') && 'Editor'{{ if not ($team | get "managedMonitoring.private" false) }} || 'Viewer'{{- end }}
+ role_attribute_path: contains(groups[*], 'admin') && 'Admin' || contains(groups[*], 'platform-admin') && 'Admin' || contains(groups[*], 'team-{{ $teamId }}') && 'Editor'{{ if not ($team | get "managedMonitoring.private" false) }} || 'Viewer'{{- end }}
 server:
 root_url: https://grafana-{{ $teamId }}.{{ $domain }}
 sidecar:
diff --git a/helmfile.d/snippets/grafana.gotmpl b/helmfile.d/snippets/grafana.gotmpl
index 945652db65..1058003085 100644
--- a/helmfile.d/snippets/grafana.gotmpl
+++ b/helmfile.d/snippets/grafana.gotmpl
@@ -11,7 +11,7 @@
 auth_url: {{ printf "%s/protocol/openid-connect/auth" .keycloakBase }}
 token_url: {{ printf "%s/protocol/openid-connect/token" .keycloakBase }}
 api_url: {{ printf "%s/protocol/openid-connect/userinfo" .keycloakBase }}
- role_attribute_path: contains(groups[*], 'admin') && 'Admin' || contains(groups[*], 'team-admin') && 'Admin'
+ role_attribute_path: contains(groups[*], 'admin') && 'Admin' || contains(groups[*], 'platform-admin') && 'Admin'
 role_attribute_strict: true
 log:
 level: error
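Review bot: The rewritten `values:` line keeps the group names as plain scalars inside a flow sequence, so the rendered claim match depends on `$v.teamId` never containing a YAML-significant character; quoting each entry, `values: [{{ if not (eq $v.teamId "admin") }}'team-{{ $v.teamId }}', {{ end }}'platform-admin', 'admin']`, keeps the match literal whatever the team id is. The `platform-admin` literal is now hand-edited in five places across this series (here, charts/team-ns/templates/argocd/argocd-project.yaml, helmfile.d/helmfile-60.teams.yaml, helmfile.d/snippets/grafana.gotmpl and values/argocd/argocd.gotmpl); sourcing it from a single values key would turn a missed occurrence into a template error instead of a silently stale group check. The enclosing rule starts and ends outside the hunk.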
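Review bot: The new `role_attribute_path` in helmfile.d/helmfile-60.teams.yaml still spells the admin condition as two separate `&& 'Admin'` branches, and the helmfile.d/snippets/grafana.gotmpl hunk repeats the same pair; `(contains(groups[*], 'admin') || contains(groups[*], 'platform-admin')) && 'Admin'` expresses it once per file and makes a future group addition a one-token change. When `managedMonitoring.private` is true the trailing `|| 'Viewer'` fallback is omitted, so the expression yields nothing for a logged-in user outside these groups; this hunk does not show `role_attribute_strict` for the team instance, and unless it is set to `true` there as it is in grafana.gotmpl, such a user would still be admitted with Grafana's auto-assigned default role rather than rejected — worth confirming. The `grafana.ini` mapping continues outside the hunk.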
diff --git a/values/argocd/argocd.gotmpl b/values/argocd/argocd.gotmpl
index f50c74403d..64229d9122 100644
--- a/values/argocd/argocd.gotmpl
+++ b/values/argocd/argocd.gotmpl
@@ -142,7 +142,7 @@ configs:
 {{- if $v.otomi.isMultitenant }}
 policy.default: ''
 {{- else }}
- # not multitenant, make team-admin admin and keep global read-only
- g, team-admin, role:admin
+ # not multitenant, make platform-admin admin and keep global read-only
+ g, platform-admin, role:admin
 policy.default: role:readonly
 {{- end }}
From 385b8031e550936bfa3a9e4ad1b4b5ed29e36f19 Mon Sep 17 00:00:00 2001
From: Jehoszafat Zimnowoda <17126497+j-zimnowoda@users.noreply.github.com>
Date: Tue, 15 Oct 2024 11:07:04 +0200
Subject: [PATCH 2/2] fix: map platform-admin to argocd admin role
---
 values/argocd/argocd.gotmpl | 1 +
 1 file changed, 1 insertion(+)
diff --git a/values/argocd/argocd.gotmpl b/values/argocd/argocd.gotmpl
index 64229d9122..8518dd252a 100644
--- a/values/argocd/argocd.gotmpl
+++ b/values/argocd/argocd.gotmpl
@@ -139,6 +139,7 @@ configs:
 g, image-updater, role:image-updater
 # admin
 g, admin, role:admin
+ g, platform-admin, role:admin
 {{- if $v.otomi.isMultitenant }}
 policy.default: ''
 {{- else }}
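Review bot: In the second patch's hunk the added `g, platform-admin, role:admin` sits above `{{- if $v.otomi.isMultitenant }}`, so it applies in the multitenant case as well, where the first patch's hunk in this file and the scoped role in charts/team-ns/templates/argocd/argocd-project.yaml deliberately confined `platform-admin` to `team-*` projects; after both patches a multitenant platform-admin holds global `role:admin`, and the scoped project role and its comment ("only allowed access to team-* projects as platform-admin in multitenant setup") no longer describe the effective rights. The non-multitenant branch now also carries the same mapping twice, once from the `{{- else }}` block of the first hunk and once from the unconditional line. If global admin in multitenant mode is the intent, drop the duplicate from the else branch and retire the scoped role and comment; if not, the new line belongs inside the else branch, where the first patch already placed it. The RBAC block these lines belong to starts outside both hunks.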