# Argo CD self-management Application (Helm template).
# Renders one Application that installs the upstream argo-cd chart and the
# cluster's argocd policy manifests; everything templated comes from
# .Values.cluster_config and .Values.argocd.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: argocd
  namespace: argocd
  annotations:
    # Negative wave: synced before wave-0 Applications (Argo CD syncs lower waves first).
    argocd.argoproj.io/sync-wave: "-1"
spec:
  destination:
    namespace: argocd
    server: 'https://kubernetes.default.svc'
  sources:
  # argocd directory of the policies path inside the cluster manifests repo, tracked at HEAD.
  - path: {{ .Values.cluster_config.policies }}/argocd
    repoURL: {{ .Values.cluster_config.manifests }}
    targetRevision: HEAD
  # Upstream argo-cd chart; argocd.version selects the chart version.
  # NOTE(review): targetRevision is unquoted — a two-part value such as 5.10 would be
  # read as a float by YAML; quoting it is safer.
  - repoURL: 'https://argoproj.github.io/argo-helm'
    targetRevision: {{ .Values.argocd.version }}
    chart: argo-cd
    helm:
      # Chart values as one block scalar: the text below is a single string that the
      # chart parses as YAML, so comments inside it are comments of the chart values.
      values: |
        global:
          domain: argocd.{{ .Values.cluster_config.domain }}

        ## ArgoCD configuration
        ## Ref: https://github.com/argoproj/argo-cd
        ##
        configs:
          {{- if .Values.argocd.anyNamespaces.enabled }}
          # "Applications in any namespace": both controllers watch the configured namespace glob.
          params:
            applicationsetcontroller.namespaces: "{{ .Values.argocd.anyNamespaces.glob }}"
            # TODO(kai): anyapp will disable PR review apps. Look into anyapp settings to fix it
            # NOTE(review): upstream Argo CD turns the SCM/PR generators off in this mode so
            # that SCM tokens cannot be read from ApplicationSets in other namespaces — check
            # the current docs (and the allowed-providers setting) before enabling them.
            applicationsetcontroller.enable.scm.providers: "false"
            application.namespaces: "{{ .Values.argocd.anyNamespaces.glob }}"
          {{- end }}
          # argocd-cm contents.
          cm:
            application.resourceTrackingMethod: annotation+label
            application.instanceLabelKey: app.kubernetes.io/instance
            create: true
            # NOTE(kai): callback URL for dex
            url: "https://argocd.{{ .Values.cluster_config.domain }}"
            # Diff settings: ignore rules aggregated into ClusterRoles when comparing.
            resource.compareoptions: |
              ignoreAggregatedRoles: true
            # Churny resources Argo CD should neither track nor diff.
            resource.exclusions: |
              - apiGroups:
                - cilium.io
                kinds:
                - CiliumIdentity
                clusters:
                - "*"
              - apiGroups:
                - kyverno.io
                kinds:
                - AdmissionReport
                - BackgroundScanReport
                - ClusterAdmissionReport
                - ClusterBackgroundScanReport
                clusters:
                - "*"
            # Dex connector config: one connector per cluster_config.oidc entry (type oidc
            # for provider azuread, type github for provider github). Client credentials are
            # $VAR references; the matching env vars are set under dex.env below from a
            # Secret (assumption: resolved through Dex's env expansion — confirm).
            dex.config: |
              logger:
                # NOTE(review): debug is verbose and may put request details into the dex
                # logs; info is the usual setting outside troubleshooting.
                level: debug
                format: json
              connectors:
              {{- with .Values.cluster_config.oidc }}
              {{- range . }}
              {{- if eq .provider "azuread" }}
              - type: oidc
                id: {{ .name }}
                name: {{ .name }}
                config:
                  issuer: https://login.microsoftonline.com/{{ .tenant }}/v2.0
                  clientID: ${{ .name | replace "-" "_" }}_client_id
                  clientSecret: ${{ .name | replace "-" "_" }}_client_secret
                  # NOTE(review): accepts accounts whose email the IdP has not marked verified.
                  insecureSkipEmailVerified: true
                  requestedIDTokenClaims:
                    groups:
                      essential: true
                  # NOTE(review): per the dex docs, group claims are only refreshed together
                  # with the ID token, so group removals can lag until the user logs in again.
                  insecureEnableGroups: true
                  requestedScopes:
                  - openid
                  - profile
                  - email
                  - groups
              {{- else if eq .provider "github" }}
              - type: github
                id: {{ .name }}
                name: {{ .name }}
                config:
                  clientID: ${{ .name | replace "-" "_" }}_client_id
                  clientSecret: ${{ .name | replace "-" "_" }}_client_secret
                  redirectURI: https://argocd.{{ $.Values.cluster_config.domain }}/api/dex/callback
                  orgs:
                  - name: {{ .allowed_organizations }}
                  loadAllGroups: true
                  teamNameField: slug
                  useLoginAsID: false
              # Static Dex client for the kubectl OIDC login plugin. Rendered only for the
              # github provider; its id reuses the connector's client id env var.
              staticClients:
              - id: ${{ .name | replace "-" "_" }}_client_id
                name: Kubernetes
                # These are kubectl oidc plugin internal URLs
                redirectURIs:
                - http://localhost:8000
                - http://localhost:18000
                # Secret the user's kubectl plugin presents to authenticate as this dex client.
                # NOTE(review): this is a literal committed with the chart, unlike the
                # connector clientSecret above which is sourced from a Secret via env var;
                # move it to the same secretKeyRef mechanism and rotate the value.
                secret: 8d52926efe879ee505391b75f4b046cf
              {{- end }}
              {{- end }}
              {{- end }}
            # Local admin account toggle; quoted so the bool lands in argocd-cm as a string.
            admin.enabled: '{{ .Values.argocd.adminLogin }}'
          # Argo CD RBAC policy. org-admin is bound to the Azure group object id below;
          # external-admin and the per-group read roles are rendered only when
          # cluster_config.external_access is enabled, and the deny lines carve the sys
          # and oxb projects out of the wide */* allow (Argo CD evaluates deny over
          # allow — confirm against the RBAC model in use). Entries from
          # argocd.additional_rbac_settings are appended verbatim at the end.
          rbac:
            # NOTE(kai): dd2aa2d6 ... is ID for azure kubernetes_operator group
            policy.csv: |
              p, role:org-admin, applications, *, */*, allow
              p, role:org-admin, projects, *, *, allow
              p, role:org-admin, logs, get, *, allow
              p, role:org-admin, clusters, get, *, allow
              p, role:org-admin, clusters, update, *, allow
              p, role:org-admin, repositories, get, *, allow
              p, role:org-admin, repositories, create, *, allow
              p, role:org-admin, repositories, update, *, allow
              p, role:org-admin, repositories, delete, *, allow
              g, "dd2aa2d6-269d-48fe-90cc-04fd5c08bd29", role:org-admin
              {{- if .Values.cluster_config.external_access.enabled }}
              p, role:external-admin, applications, *, sys/*, deny
              p, role:external-admin, applications, *, oxb/*, deny
              p, role:external-admin, applications, *, */*, allow
              p, role:external-admin, projects, *, oxb, deny
              p, role:external-admin, projects, *, sys, deny
              p, role:external-admin, projects, get, *, allow
              p, role:external-admin, logs, get, *, allow
              p, role:external-admin, clusters, get, *, allow
              p, role:external-admin, repositories, get, *, allow
              p, role:external-admin, repositories, create, *, allow
              p, role:external-admin, repositories, update, *, allow
              p, role:external-admin, repositories, delete, *, allow
              g, "{{ .Values.cluster_config.external_access.admin_group }}", role:external-admin
              {{- end }}
              {{- if .Values.cluster_config.external_access.enabled }}
              {{- range .Values.cluster_config.external_access.groups }}
              {{- "\n" -}}
              {{- $name := .name }}
              p, role:{{$name}}, projects, get, {{$name}}, allow
              p, role:{{$name}}, applications, get, {{$name}}/*, allow
              p, role:{{$name}}, logs, get, {{$name}}/*, allow
              {{- range .group_id }}
              g, {{ . }}, role:{{$name}}
              {{- end }}
              {{- end }}
              {{- end }}
              {{- with .Values.argocd.additional_rbac_settings }}
              {{- range .}}
              {{ . }}
              {{- end }}
              {{- end }}
          # Repositories for applications
          repositories:
            argo-helm:
              type: helm
              url: https://argoproj.github.io/argo-helm
          # UI changes based on env
          # Plain CSS string (not YAML): tints the breadcrumb banner by cluster_config.env.
          styles: |
            /* blue, orange, red depending on env */
            :root {
              --test-color: #0f2cbd;
              --dev-color: #33b025;
              --staging-color: #ebac2f;
              --prod-color: #ff000d;
            }
            .top-bar__breadcrumbs::after {
              content: "cluster: {{.Values.cluster_config.cluster}}, env: {{.Values.cluster_config.env}} ";
              color: var(--{{.Values.cluster_config.env}}-color);
              font-weight: bolder;
              font-size: larger;
              position: fixed;
              left: 50%;
            }

        # Application controller: Prometheus metrics via ServiceMonitor; sizing from
        # argocd.resources.controller with the defaults shown.
        controller:
          metrics:
            enabled: true
            serviceMonitor:
              enabled: true
          resources:
            limits:
              memory: {{ .Values.argocd.resources.controller.memory | default "1000Mi" }}
            requests:
              cpu: {{ .Values.argocd.resources.controller.cpu | default "250m" }}
              memory: {{ .Values.argocd.resources.controller.memory | default "1000Mi" }}

        # Mount azure ca as file for SAML auth
        # NOTE(review): no CA volume or mount is configured under dex below — the note
        # above looks stale; confirm whether a CA mount is still needed.
        dex:
          metrics:
            enabled: true
            serviceMonitor:
              enabled: true
          {{- with .Values.cluster_config.oidc }}
          # One client id/secret env pair per connector, read from the Secret named by
          # secret_ref; the env var names match the $VAR references in dex.config.
          env:
          {{- range . }}
          - name: {{ .name | replace "-" "_" }}_client_secret
            valueFrom:
              secretKeyRef:
                name: {{ .secret_ref.name }}
                key: client_secret
          - name: {{ .name | replace "-" "_" }}_client_id
            valueFrom:
              secretKeyRef:
                name: {{ .secret_ref.name }}
                key: client_id
          {{- end }}
          {{- end }}

        redis:
          metrics:
            enabled: true
            serviceMonitor:
              enabled: true

        # Repo server, optionally with a Config Management Plugin (CMP) sidecar that
        # shares the /var/run/argocd volume (var-files) with the repo server.
        repoServer:
          metrics:
            enabled: true
            serviceMonitor:
              enabled: true
          {{- if .Values.argocd.repoServer.cmp.enabled }}
          extraContainers:
          - command:
            - /var/run/argocd/argocd-cmp-server
            image: {{ .Values.argocd.repoServer.cmp.image }}
            imagePullPolicy: Always
            name: {{ .Values.argocd.repoServer.cmp.name }}
            # Sidecar runs as an unprivileged uid. NOTE(review): consider adding
            # allowPrivilegeEscalation: false and readOnlyRootFilesystem (/tmp is already
            # an emptyDir) to tighten it further.
            securityContext:
              runAsNonRoot: true
              runAsUser: 999
            terminationMessagePath: /dev/termination-log
            terminationMessagePolicy: File
            volumeMounts:
            - mountPath: /var/run/argocd
              name: var-files
            - mountPath: /home/argocd/cmp-server/plugins
              name: plugins
            - mountPath: /tmp
              name: cmp-tmp
          {{- with .Values.argocd.repoServer.cmp.initContainers }}
          # Raw initContainers from values; nindent 10 emits them as a flush list at the
          # same column as this key.
          initContainers:
          {{- toYaml . | nindent 10}}
          {{- end }}
          volumes:
          - name: cmp-tmp
            emptyDir: {}
          {{- if .Values.argocd.repoServer.cmp.imagePullSecret }}
          imagePullSecrets:
          {{- range .Values.argocd.repoServer.cmp.imagePullSecret}}
          - name: {{ .name }}
          {{- end }}
          {{- end }}
          {{- end }}

        # Configuration for argocd server instance
        server:
          metrics:
            enabled: true
            serviceMonitor:
              enabled: true
          # TLS passthrough: the Ingress hands the TLS connection straight to
          # argocd-server (backend HTTPS) instead of terminating it.
          # NOTE(review): the ingress-nginx docs state that ssl-passthrough works at the
          # TCP layer and invalidates the other annotations on the Ingress, so the
          # whitelist-source-range (and ssl-redirect) here may not be enforced — verify
          # that the source allowlist actually applies.
          ingress:
            enabled: {{ .Values.argocd.ingress.enabled }}
            ingressClassName: nginx
            annotations:
              cert-manager.io/cluster-issuer: {{ .Values.cluster_config.ingress_clusterissuer }}
              nginx.ingress.kubernetes.io/ssl-passthrough: "true"
              nginx.ingress.kubernetes.io/ssl-redirect: "true"
              nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
              {{- with .Values.cluster_config.ingress_whitelist_ips }}
              nginx.ingress.kubernetes.io/whitelist-source-range: {{ join "," . }}
              {{- end }}
            hosts:
            - "argocd.{{ .Values.cluster_config.domain }}"
            tls:
            - secretName: argocd-tls
              hosts:
              - "argocd.{{ .Values.cluster_config.domain }}"

        # ApplicationSet controller; allowAnyNamespaces pairs with the params set under
        # configs above. The webhook Ingress gets its certificate from the cluster issuer.
        applicationSet:
          metrics:
            enabled: true
            serviceMonitor:
              enabled: true
          {{- if .Values.argocd.anyNamespaces.enabled }}
          allowAnyNamespaces: true
          {{- end }}
          ingress:
            enabled: {{ .Values.argocd.applicationset_webhook.enabled }}
            ingressClassName: nginx
            annotations:
              cert-manager.io/cluster-issuer: {{ .Values.cluster_config.ingress_clusterissuer }}
              # NOTE(review): Helm evaluates template actions even on commented-out lines,
              # so the with/join below still runs at render time (its output merely stays
              # commented). Use a Helm template comment to disable it completely.
              # Also note that no source allowlist is applied to the webhook Ingress
              # while this stays commented out.
              # {{- with .Values.cluster_config.ingress_whitelist_ips}}
              # NOTE(kai): include gitlab and github webhook ranges
              # nginx.ingress.kubernetes.io/whitelist-source-range: {{ join "," . }},192.30.252.0/22,140.82.112.0/20,34.74.226.27/28,34.74.226.0/24
              # {{- end }}
            hostname: "argocd-applicationset.{{ .Values.cluster_config.domain }}"
            tls:
            - secretName: argocd-applicationset-tls
              hosts:
              - "argocd-applicationset.{{ .Values.cluster_config.domain }}"

        # Notifications controller: metrics only; its Secret and ConfigMap are managed
        # outside this chart (create: false).
        notifications:
          metrics:
            enabled: true
            serviceMonitor:
              enabled: true
          secret:
            create: false
          cm:
            create: false
  project: sys
  # The argocd namespace is created with the component: sys label; automated sync with
  # pruning is enabled only when argocd.autosync is set (selfHeal stays off).
  syncPolicy:
    managedNamespaceMetadata:
      labels:
        component: sys
    syncOptions:
    - CreateNamespace=true
    - ApplyOutOfSyncOnly=true
    {{- if .Values.argocd.autosync }}
    automated:
      prune: true
      # selfHeal: false
    {{- end }}