apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
  name: freeleaps-data-backup
  namespace: freeleaps-devops-system
  labels:
    app: freeleaps-data-backup
    component: backup
    environment: production
spec:
  description: Freeleaps Data Backup Project
  
  # Source repositories
  sourceRepos:
    - https://freeleaps@dev.azure.com/freeleaps/freeleaps-ops/_git/freeleaps-ops
  
  # Destination clusters and namespaces
  destinations:
    - namespace: freeleaps-prod
      server: https://kubernetes.default.svc
  
  # Allowed cluster resources
  clusterResourceWhitelist:
    - group: rbac.authorization.k8s.io
      kind: ClusterRole
    - group: rbac.authorization.k8s.io
      kind: ClusterRoleBinding
  
  # Allowed namespaced resources
  namespaceResourceWhitelist:
    - group: ""
      kind: ServiceAccount
    - group: ""
      kind: PersistentVolumeClaim
    - group: batch
      kind: CronJob
    - group: batch
      kind: Job
    - group: snapshot.storage.k8s.io
      kind: VolumeSnapshot
    - group: snapshot.storage.k8s.io
      kind: VolumeSnapshotClass
  
  # Allowed roles
  roles:
    - name: backup-admin
      description: Backup administrator role
      policies:
        - p, proj:freeleaps-data-backup:backup-admin, applications, *, freeleaps-data-backup/*, allow
        - p, proj:freeleaps-data-backup:backup-admin, applications, sync, freeleaps-data-backup/*, allow
        - p, proj:freeleaps-data-backup:backup-admin, applications, update, freeleaps-data-backup/*, allow
        - p, proj:freeleaps-data-backup:backup-admin, applications, delete, freeleaps-data-backup/*, allow
      groups:
        - freeleaps-devops