From 18826ee3cc1741ab780d6656617d6b340f324f84 Mon Sep 17 00:00:00 2001 From: Russell Dempsey <1173416+SgtPooki@users.noreply.github.com> Date: Fri, 19 Jun 2026 13:26:09 -0400 Subject: [PATCH] Add infra-* teams for Dex SSO group mapping Adds the GitHub teams that FilOzone/infra's Dex SSO maps into OIDC groups for Argo CD, Grafana, and Kubernetes RBAC. github-mgmt is the source of truth for membership; FilOzone/infra consumes these teams as groups. Teams: - infra-admin -> infra:admin (platform operators) - infra-viewer -> infra:viewer (broad read-only; cluster-wide binding deferred) - infra-argocd-admin -> argocd:admin - infra-argocd-viewer -> argocd:viewer - infra-grafana-admin -> grafana:admin - infra-grafana-viewer -> grafana:viewer - infra-dealbot-admin -> k8s:dealbot:admin - infra-dealbot-viewer -> k8s:dealbot:viewer See FilOzone/infra docs/SSO_ACCESS.md.
---
 github/FilOzone.yml | 67 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 67 insertions(+)
diff --git a/github/FilOzone.yml b/github/FilOzone.yml
index 7cc233d..a83e741 100644
--- a/github/FilOzone.yml
+++ b/github/FilOzone.yml
@@ -1211,6 +1211,73 @@ teams:
 - jennijuju
 - rjan90
 - rvagg
+ infra-admin:
+ # Maps to the `infra:admin` OIDC group via Dex (FilOzone/infra).
+ # Platform-operator team: broad Kubernetes admin, full Argo CD admin, full Grafana admin.
+ # See FilOzone/infra docs/SSO_ACCESS.md for the team-to-group model.
+ create_default_maintainer: false
+ members:
+ member:
+ - BigLep
+ - jennijuju
+ - Kubuxu
+ - momack2
+ - rjan90
+ - rvagg
+ - SgtPooki
+ infra-argocd-admin:
+ # Maps to the `argocd:admin` OIDC group via Dex (FilOzone/infra). Full Argo CD administration.
+ create_default_maintainer: false
+ members:
+ member:
+ - Kubuxu
+ - SgtPooki
+ infra-argocd-viewer:
+ # Maps to the `argocd:viewer` OIDC group via Dex (FilOzone/infra). Read-only Argo CD access.
+ create_default_maintainer: false
+ members:
+ member:
+ - Kubuxu
+ - SgtPooki
+ infra-dealbot-admin:
+ # Maps to the `k8s:dealbot:admin` OIDC group via Dex (FilOzone/infra).
+ # Namespace-scoped operational admin for the `dealbot` namespace.
+ create_default_maintainer: false
+ members:
+ member:
+ - Kubuxu
+ - SgtPooki
+ infra-dealbot-viewer:
+ # Maps to the `k8s:dealbot:viewer` OIDC group via Dex (FilOzone/infra).
+ # Namespace-scoped read-only access for the `dealbot` namespace.
+ create_default_maintainer: false
+ members:
+ member:
+ - Kubuxu
+ - SgtPooki
+ infra-grafana-admin:
+ # Maps to the `grafana:admin` OIDC group via Dex (FilOzone/infra). Elevated Grafana access.
+ create_default_maintainer: false
+ members:
+ member:
+ - Kubuxu
+ - SgtPooki
+ infra-grafana-viewer:
+ # Maps to the `grafana:viewer` OIDC group via Dex (FilOzone/infra). Read-only Grafana access.
+ create_default_maintainer: false
+ members:
+ member:
+ - Kubuxu
+ - SgtPooki
+ infra-viewer:
+ # Maps to the `infra:viewer` OIDC group via Dex (FilOzone/infra). Broad read-only infra access.
+ # NOTE: cluster-wide Kubernetes read bindings for this group are still deferred in FilOzone/infra;
+ # only app-scoped viewers (e.g. infra-dealbot-viewer) are wired today.
+ create_default_maintainer: false
+ members:
+ member:
+ - Kubuxu
+ - SgtPooki
 ProbeLab:
 create_default_maintainer: false
 members:
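Review bot: `Kubuxu` and `SgtPooki` are listed in `infra-admin` and again in every scoped team added below it (`infra-argocd-*`, `infra-dealbot-*`, `infra-grafana-*`, `infra-viewer`), so each scoped team currently holds only people who already have the platform-operator role. That makes revocation easy to get wrong: removing someone from `infra-admin` alone would leave them with `argocd:admin`, `grafana:admin` and `k8s:dealbot:admin` through the narrower teams, assuming Dex emits a group for every team the user belongs to (that mapping lives in FilOzone/infra and is not visible here). Either leave the scoped teams without these two until someone needs only that role, or add a comment on `infra-admin` such as `# Members may also be listed in the scoped infra-* teams below; remove them there too when revoking access.` The `teams:` mapping starts and continues outside this hunk, so how other teams in the file handle overlapping membership could not be checked.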