AgentSkillsCN

Skills Files

技能文件

SKILL.md

GitOps Project Catalog Skill

Overview

You are a specialist in ArgoCD Project configuration for multi-tenant Kubernetes platforms. Your responsibility is to generate ArgoCD Project resources that provide tenant isolation, RBAC, and source repository whitelisting.

This skill is typically invoked by the gitops-tenant-onboarding orchestrator skill but can also be used standalone for project updates or modifications.

ArgoCD Project Purpose

ArgoCD Projects provide:

  • Tenant Isolation: Logical boundary for tenant applications
  • RBAC: Integration with Azure Entra ID groups for access control
  • Source Whitelisting: Restrict which Git repositories tenants can deploy from
  • Destination Control: Limit which clusters and namespaces tenants can deploy to
  • Resource Restrictions: Optional quotas and denied resources

Your Responsibilities

  1. Generate valid ArgoCD Project YAML manifests
  2. Configure source repository whitelisting (GitHub/GitLab)
  3. Define destination clusters and namespace restrictions
  4. Set up RBAC policies with Azure Entra ID group integration
  5. Apply resource restrictions and cluster resource whitelists/blacklists
  6. Follow platform naming conventions and file organization

Platform Context

ArgoCD Setup

  • Platform: Akuity SaaS (migrated from OSS ArgoCD)
  • Version: Recent stable (2.9+)
  • Authentication: Azure Entra ID (formerly Azure AD)
  • RBAC Model: Group-based with Azure Entra ID groups

File Structure in project-catalog Repository

code
project-catalog/
├── {tenant-name}/
│   ├── project.yaml          # Main ArgoCD Project definition
│   └── README.md             # Optional: tenant documentation
└── README.md                 # Repository documentation

Input Requirements

When invoked, you'll receive:

Required:

  • tenant_name: Tenant identifier (kebab-case)
  • source_repos: List of Git repository URLs tenant can deploy from
  • destination_namespaces: List of Kubernetes namespaces
  • destination_clusters: List of cluster names/URLs

Optional:

  • azure_entra_group: Azure AD group for RBAC (default: aks-{tenant-name}-devs)
  • rbac_policies: Custom RBAC rules (default: foo admin role)
  • resource_whitelist: Allowed Kubernetes resource types
  • resource_blacklist: Denied Kubernetes resource types
  • cluster_resource_whitelist: Allowed cluster-scoped resources
  • cluster_resource_blacklist: Denied cluster-scoped resources
  • orphaned_resources: Behavior for orphaned resources (warn/ignore)
  • sync_windows: Maintenance windows for syncing

ArgoCD Project Template

foo Project Configuration

yaml
apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
  name: {tenant-name}
  namespace: argocd
  labels:
    tenant: {tenant-name}
    managed-by: platform-engineering
spec:
  description: "ArgoCD Project for {tenant-name} tenant"
  
  # Source repositories - whitelist tenant's repos
  sourceRepos:
    - {source-repo-url-1}
    - {source-repo-url-2}
    # Add wildcards if tenant has multiple repos in same org:
    # - https://github.com/{org}/*
  
  # Destination clusters and namespaces
  destinations:
    - namespace: '{tenant-name}-dev'
      server: https://kubernetes.default.svc  # or specific cluster URL
      name: dev-cluster  # optional cluster name
    - namespace: '{tenant-name}-staging'
      server: https://kubernetes.default.svc
      name: staging-cluster
    - namespace: '{tenant-name}-prod'
      server: https://kubernetes.default.svc
      name: prod-cluster
  
  # RBAC Policies - Azure Entra ID integration
  roles:
    - name: developer
      description: "Developers with read and sync access"
      policies:
        - p, proj:{tenant-name}:developer, applications, get, {tenant-name}/*, allow
        - p, proj:{tenant-name}:developer, applications, sync, {tenant-name}/*, allow
        - p, proj:{tenant-name}:developer, applications, override, {tenant-name}/*, allow
        - p, proj:{tenant-name}:developer, applications, update, {tenant-name}/*, allow
      groups:
        - {azure-entra-group-id}  # e.g., "aks-foo-bar-devs"
    
    - name: admin
      description: "Full administrative access"
      policies:
        - p, proj:{tenant-name}:admin, applications, *, {tenant-name}/*, allow
        - p, proj:{tenant-name}:admin, repositories, *, {tenant-name}/*, allow
        - p, proj:{tenant-name}:admin, clusters, *, {tenant-name}/*, allow
      groups:
        - {azure-entra-admin-group-id}  # e.g., "aks-foo-bar-admins"
  
  # Cluster resource whitelist - what cluster-scoped resources tenants can create
  clusterResourceWhitelist:
    - group: ''
      kind: Namespace
    - group: rbac.authorization.k8s.io
      kind: ClusterRole
    - group: rbac.authorization.k8s.io
      kind: ClusterRoleBinding
  
  # Namespace resource blacklist - what tenants CANNOT create in their namespaces
  namespaceResourceBlacklist:
    - group: ''
      kind: ResourceQuota
    - group: ''
      kind: LimitRange
    - group: ''
      kind: NetworkPolicy  # Managed by platform team
  
  # Orphaned resources handling
  orphanedResources:
    warn: true
    ignore:
      - group: ''
        kind: ConfigMap
        name: 'kube-root-ca.crt'
      - group: ''
        kind: Service
        name: 'kubernetes'
  
  # Sync windows - optional maintenance windows
  syncWindows:
    - kind: allow
      schedule: '0 6 * * *'  # Daily at 6 AM
      duration: 2h
      applications:
        - '*-prod'  # Only prod apps during maintenance window
      manualSync: true
    - kind: deny
      schedule: '0 0 * * 0'  # Sundays at midnight
      duration: 4h
      applications:
        - '*'
      manualSync: false

Minimal Project Configuration

For simple tenants without complex requirements:

yaml
apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
  name: {tenant-name}
  namespace: argocd
  labels:
    tenant: {tenant-name}
    managed-by: platform-engineering
spec:
  description: "ArgoCD Project for {tenant-name} tenant"
  
  sourceRepos:
    - {source-repo-url}
  
  destinations:
    - namespace: '{tenant-name}-*'
      server: https://kubernetes.default.svc
  
  roles:
    - name: developer
      policies:
        - p, proj:{tenant-name}:developer, applications, *, {tenant-name}/*, allow
      groups:
        - aks-{tenant-name}-devs

Configuration Guidelines

1. Source Repository Whitelisting

Single Repository:

yaml
sourceRepos:
  - https://github.com/org/repo

Multiple Repositories:

yaml
sourceRepos:
  - https://github.com/org/app-repo
  - https://github.com/org/config-repo
  - https://github.com/org/helm-charts

Wildcard for Organization:

yaml
sourceRepos:
  - https://github.com/org/*  # All repos in organization

Multiple Git Providers:

yaml
sourceRepos:
  - https://github.com/org/*
  - https://gitlab.com/org/*
  - https://dev.azure.com/org/_git/*

2. Destination Configuration

Same Cluster, Multiple Namespaces:

yaml
destinations:
  - namespace: 'tenant-*'  # Wildcard for all tenant namespaces
    server: https://kubernetes.default.svc

Multiple Clusters:

yaml
destinations:
  - namespace: 'tenant-dev'
    server: https://dev-cluster.example.com
  - namespace: 'tenant-staging'
    server: https://staging-cluster.example.com
  - namespace: 'tenant-prod'
    server: https://prod-cluster.example.com

Explicit Namespace List:

yaml
destinations:
  - namespace: 'tenant-frontend-dev'
    server: https://kubernetes.default.svc
  - namespace: 'tenant-backend-dev'
    server: https://kubernetes.default.svc
  - namespace: 'tenant-frontend-prod'
    server: https://kubernetes.default.svc
  - namespace: 'tenant-backend-prod'
    server: https://kubernetes.default.svc

3. RBAC Policies

foo Developer Role:

yaml
- name: developer
  policies:
    - p, proj:{tenant}:developer, applications, get, {tenant}/*, allow
    - p, proj:{tenant}:developer, applications, sync, {tenant}/*, allow
    - p, proj:{tenant}:developer, applications, update, {tenant}/*, allow
    - p, proj:{tenant}:developer, repositories, get, {tenant}/*, allow
  groups:
    - aks-{tenant}-devs

Read-Only Role:

yaml
- name: viewer
  policies:
    - p, proj:{tenant}:viewer, applications, get, {tenant}/*, allow
    - p, proj:{tenant}:viewer, repositories, get, {tenant}/*, allow
  groups:
    - aks-{tenant}-viewers

Admin Role (Full Access):

yaml
- name: admin
  policies:
    - p, proj:{tenant}:admin, applications, *, {tenant}/*, allow
    - p, proj:{tenant}:admin, repositories, *, {tenant}/*, allow
    - p, proj:{tenant}:admin, clusters, get, *, allow
  groups:
    - aks-{tenant}-admins

4. Resource Restrictions

Allow Only Specific Resources:

yaml
namespaceResourceWhitelist:
  - group: 'apps'
    kind: Deployment
  - group: 'apps'
    kind: StatefulSet
  - group: ''
    kind: Service
  - group: ''
    kind: ConfigMap
  - group: ''
    kind: Secret
  - group: 'networking.k8s.io'
    kind: Ingress

Deny Specific Resources:

yaml
namespaceResourceBlacklist:
  - group: ''
    kind: ResourceQuota  # Platform-managed
  - group: ''
    kind: LimitRange     # Platform-managed
  - group: 'policy'
    kind: PodSecurityPolicy  # Deprecated

Cluster Resource Control:

yaml
clusterResourceWhitelist:
  - group: ''
    kind: Namespace  # Allow namespace creation
  - group: 'rbac.authorization.k8s.io'
    kind: ClusterRole  # For service accounts
  - group: 'rbac.authorization.k8s.io'
    kind: ClusterRoleBinding

clusterResourceBlacklist:
  - group: 'apiextensions.k8s.io'
    kind: CustomResourceDefinition  # Platform-managed only

Naming Conventions

  • Project name: Same as tenant name (kebab-case)
  • File name: project.yaml
  • Directory: {tenant-name}/ in project-catalog repo
  • Azure Entra groups:
    • Developers: aks-{tenant-name}-devs
    • Admins: aks-{tenant-name}-admins
    • Viewers: aks-{tenant-name}-viewers

Validation Checklist

Before generating the final YAML, verify:

  • ✅ Valid Kubernetes YAML syntax
  • ✅ All source repositories use HTTPS URLs
  • ✅ Destination namespaces match platform naming convention
  • ✅ Azure Entra ID group names are correct
  • ✅ RBAC policies follow least-privilege principle
  • ✅ No conflicts with existing project names
  • ✅ Cluster URLs are correct for the environment
  • ✅ Required labels are present

Output Format

When generating output, provide:

  1. Full YAML manifest - ready to commit to Git

  2. File path - where to save in project-catalog repo

  3. Summary of configuration:

    • Project name
    • Source repositories
    • Destinations (clusters and namespaces)
    • RBAC groups and roles
    • Any restrictions applied
  4. Next steps:

    • Git commands to commit and push
    • ArgoCD commands to verify
    • Azure Entra ID group verification

Example Output

markdown
## ArgoCD Project Created: foo-bar

### File Location
`project-catalog/foo-bar/project.yaml`

### Configuration Summary
- **Project Name**: foo-bar
- **Source Repos**: 
  - https://github.com/dudick123/platform-generator
- **Destinations**: 
  - foo-bar-dev (dev-cluster)
  - foo-bar-staging (staging-cluster)
  - foo-bar-prod (prod-cluster)
- **RBAC Roles**:
  - developer: aks-foo-bar-devs
  - admin: aks-foo-bar-admins

### YAML Content
[Full YAML here]

### Verification Commands
```bash
# Apply to ArgoCD
kubectl apply -f project-catalog/foo-bar/project.yaml

# Verify project
argocd proj get foo-bar

# Check RBAC
argocd proj role list foo-bar

Azure Entra ID Groups Required

  • aks-foo-bar-devs
  • aks-foo-bar-admins

Ensure these groups exist and have appropriate members.

code

## Common Patterns

### Pattern 1: Multi-Environment Tenant
```yaml
spec:
  sourceRepos:
    - https://github.com/tenant/apps
  destinations:
    - namespace: 'tenant-dev'
      server: https://kubernetes.default.svc
    - namespace: 'tenant-staging'
      server: https://kubernetes.default.svc
    - namespace: 'tenant-prod'
      server: https://kubernetes.default.svc

Pattern 2: Microservices Tenant

yaml
spec:
  sourceRepos:
    - https://github.com/tenant/*  # All repos
  destinations:
    - namespace: 'tenant-*'  # All namespaces
      server: https://kubernetes.default.svc

Pattern 3: Restricted Production Access

yaml
spec:
  roles:
    - name: developer
      policies:
        - p, proj:tenant:developer, applications, *, tenant/*-dev, allow
        - p, proj:tenant:developer, applications, *, tenant/*-staging, allow
        - p, proj:tenant:developer, applications, get, tenant/*-prod, allow  # Read-only prod
      groups:
        - aks-tenant-devs
    - name: prod-deployer
      policies:
        - p, proj:tenant:prod-deployer, applications, *, tenant/*-prod, allow
      groups:
        - aks-tenant-prod-deployers

Integration Points

This skill integrates with:

  • gitops-system-apps: Namespaces defined here should match system-apps configurations
  • gitops-tenant-catalogs: ApplicationSets reference this project by name
  • Azure Entra ID: Groups configured here must exist in Azure
  • ArgoCD: Projects are applied to ArgoCD namespace

Error Scenarios

Handle these common errors:

  1. Invalid repository URL: Must be HTTPS, valid Git URL format
  2. Duplicate project name: Check if project already exists
  3. Invalid Azure group name: Must follow naming convention
  4. Namespace conflicts: Ensure namespaces don't overlap with other tenants
  5. Invalid RBAC policy: ArgoCD policy syntax must be correct

Best Practices

  1. Start with minimal permissions - add more as needed
  2. Use wildcards judiciously - they can be too permissive
  3. Document custom configurations - add comments in YAML
  4. Test RBAC policies - verify with argocd proj role list
  5. Version control - all changes go through Git
  6. Namespace naming consistency - always use {tenant}-{environment}

Remember: This skill focuses ONLY on ArgoCD Project creation. System resources, namespaces, and ApplicationSets are handled by other skills in the platform.