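# Values for the upstream argo-cd Helm chart, rendered through this wrapper's
# templating: cluster-wide settings come from .Values.clusterConfig.*,
# Argo-specific knobs from .Values.argocd.*.
global:
  domain: argocd.{{ .Values.clusterConfig.domain }}

## ArgoCD configuration
## Ref: https://github.com/argoproj/argo-cd
##
configs:
  {{- if .Values.argocd.anyNamespaces.enabled }}
  params:
    applicationsetcontroller.namespaces: "{{ .Values.argocd.anyNamespaces.glob }}"
    # TODO(kai): anyapp will disable PR review apps. Look into anyapp settings to fix it
    applicationsetcontroller.enable.scm.providers: "false"
    application.namespaces: "{{ .Values.argocd.anyNamespaces.glob }}"
  {{- end }}
  cm:
    application.resourceTrackingMethod: annotation+label
    application.instanceLabelKey: app.kubernetes.io/instance
    create: true
    # NOTE: callback URL for dex
    url: "https://argocd.{{ .Values.clusterConfig.domain }}"
    resource.compareoptions: |
      ignoreAggregatedRoles: true
    resource.exclusions: |
      - apiGroups:
          - cilium.io
        kinds:
          - CiliumIdentity
        clusters:
          - "*"
      - apiGroups:
          - kyverno.io
        kinds:
          - AdmissionReport
          - BackgroundScanReport
          - ClusterAdmissionReport
          - ClusterBackgroundScanReport
        clusters:
          - "*"
    # dex OIDC connector config: one connector and one kubectl static client
    # per clusterConfig.oidc entry whose group is "devel". The connector's
    # clientID/clientSecret are read by dex from the
    # $<name>_client_id / $<name>_client_secret env vars defined in dex.env below.
    # The connectors and staticClients lists are each built by their own range
    # so that several "devel" entries do not emit duplicate mapping keys.
    # NOTE(review): logger.level is debug, and insecureSkipEmailVerified /
    # insecureEnableGroups relax the connector's claim checks — keep both only
    # while the tenant setup requires them.
    # NOTE(review): the staticClients secret is a fixed value committed in this
    # file. kubectl oidc-login treats it as a public-client secret, but sourcing
    # it from a secret ref like the connector credentials would keep it out of VCS.
    dex.config: |
      logger:
        level: debug
        format: json
      connectors:
      {{- with .Values.clusterConfig.oidc }}
      {{- range . }}
      {{- if eq .group "devel" }}
        - type: oidc
          id: {{ .name }}
          name: {{ .name }}
          config:
            issuer: https://login.microsoftonline.com/{{ .tenant }}/v2.0
            clientID: ${{ .name | replace "-" "_" }}_client_id
            clientSecret: ${{ .name | replace "-" "_" }}_client_secret
            insecureSkipEmailVerified: true
            requestedIDTokenClaims:
              groups:
                essential: true
            insecureEnableGroups: true
            requestedScopes:
              - openid
              - profile
              - email
              - groups
      {{- end }}
      {{- end }}
      staticClients:
      {{- range . }}
      {{- if eq .group "devel" }}
        - id: ${{ .name | replace "-" "_" }}_client_id
          name: Kubernetes
          # These are kubectl oidc plugin internal URLs
          redirectURIs:
            - https://localhost:8000
            - http://localhost:8000
            - http://localhost:18000
          # Random secret for the user to authenticat dex client
          secret: 8d52926efe879ee505391b75f4b046cf
      {{- end }}
      {{- end }}
      {{- end }}
    admin.enabled: false
  rbac:
    # NOTE(kai): dd2aa2d6 ... is ID for azure kubernetes_operator group
    # Rows from argocd.additional_rbac_settings are appended verbatim, so they
    # are policy, not configuration — review them as such.
    policy.csv: |
      p, role:org-admin, applications, *, */*, allow
      p, role:org-admin, projects, *, *, allow
      p, role:org-admin, logs, get, *, allow
      p, role:org-admin, clusters, get, *, allow
      p, role:org-admin, clusters, update, *, allow
      p, role:org-admin, repositories, get, *, allow
      p, role:org-admin, repositories, create, *, allow
      p, role:org-admin, repositories, update, *, allow
      p, role:org-admin, repositories, delete, *, allow
      g, "dd2aa2d6-269d-48fe-90cc-04fd5c08bd29", role:org-admin
      {{- with .Values.argocd.additional_rbac_settings }}
      {{- range . }}
      {{ . }}
      {{- end }}
      {{- end }}
  repositories:
    # Repositories for applications
    argo-helm:
      type: helm
      url: https://argoproj.github.io/argo-helm
  # UI changes based on env
  styles: |
    /* blue, orange, red depending on env */
    :root {
      --test-color: #0f2cbd;
      --dev-color: #33b025;
      --staging-color: #ebac2f;
      --prod-color: #ff000d;
    }
    .top-bar__breadcrumbs::after {
      content: "cluster: {{.Values.clusterConfig.cluster}}, env: {{.Values.clusterConfig.env}} ";
      color: var(--{{.Values.clusterConfig.env}}-color);
      font-weight: bolder;
      font-size: larger;
      position: fixed;
      left: 50%;
    }

controller:
  metrics:
    enabled: true
    serviceMonitor:
      enabled: true
  resources:
    limits:
      memory: {{ .Values.argocd.resources.controller.memory | default "1000Mi" }}
    requests:
      cpu: {{ .Values.argocd.resources.controller.cpu | default "250m" }}
      memory: {{ .Values.argocd.resources.controller.memory | default "1000Mi" }}

# dex: the OIDC client id/secret of each "devel" entry are injected as env vars
# from that entry's secret_ref; dex.config above references them as
# $<name>_client_id / $<name>_client_secret.
dex:
  metrics:
    enabled: true
    serviceMonitor:
      enabled: true
  {{- with .Values.clusterConfig.oidc }}
  env:
  {{- range . }}
  {{- if eq .group "devel" }}
    - name: {{ .name | replace "-" "_" }}_client_secret
      valueFrom:
        secretKeyRef:
          name: {{ .secret_ref.name }}
          key: client_secret
    - name: {{ .name | replace "-" "_" }}_client_id
      valueFrom:
        secretKeyRef:
          name: {{ .secret_ref.name }}
          key: client_id
  {{- end }}
  {{- end }}
  {{- end }}

redis:
  metrics:
    enabled: true
    serviceMonitor:
      enabled: true

repoServer:
  metrics:
    enabled: true
    serviceMonitor:
      enabled: true
  {{- with .Values.argocd.repoServers }}
  # CMP sidecars: the helmfile-cmp container is always present when any
  # repoServers entry exists, plus one sidecar per entry. extraContainers,
  # volumes and imagePullSecrets are emitted once, so several entries do not
  # produce duplicate mapping keys (most YAML parsers would keep only the last).
  # NOTE(review): the sidecars only set runAsNonRoot/runAsUser; the init
  # container below additionally drops capabilities, forbids privilege
  # escalation and uses the RuntimeDefault seccomp profile — consider aligning
  # once the plugins are verified to tolerate it.
  # NOTE(review): ":latest" with imagePullPolicy Always means the plugin images
  # can change without a chart diff; a pinned tag or digest makes rollouts
  # reproducible.
  extraContainers:
    - command:
        - /var/run/argocd/argocd-cmp-server
      image: git.oceanbox.io/platform/manifests/helmfile-cmp:latest
      env:
        - name: HELM_GIT_ACCESS_TOKEN
          valueFrom:
            secretKeyRef:
              key: password
              name: oceanbox-gitops-repo
              optional: false
      imagePullPolicy: Always
      name: helmfile-cmp
      securityContext:
        runAsNonRoot: true
        runAsUser: 999
      terminationMessagePath: /dev/termination-log
      terminationMessagePolicy: File
      volumeMounts:
        - mountPath: /var/run/argocd
          name: var-files
        - mountPath: /home/argocd/cmp-server/plugins
          name: plugins
        - mountPath: /tmp
          name: cmp-tmp
        - mountPath: /helm-working-dir
          name: helm-working-dir
    {{- range . }}
    - command:
        - /var/run/argocd/argocd-cmp-server
      image: {{ .image }}
      imagePullPolicy: Always
      name: {{ .name }}
      securityContext:
        runAsNonRoot: true
        runAsUser: 999
      terminationMessagePath: /dev/termination-log
      terminationMessagePolicy: File
      volumeMounts:
        - mountPath: /var/run/argocd
          name: var-files
        - mountPath: /home/argocd/cmp-server/plugins
          name: plugins
        - mountPath: /tmp
          name: cmp-tmp
    {{- end }}
  volumes:
    - name: cmp-tmp
      emptyDir: {}
  imagePullSecrets:
    {{- range . }}
    {{- range .imagePullSecrets }}
    - name: {{ . }}
    {{- end }}
    {{- end }}
  {{- end }}
  initContainers:
    - command:
        - /bin/sh
        - /plugin/init-helm-repos.sh
      env:
        - name: OCEANBOX_HELM_ACCESS_TOKEN
          valueFrom:
            secretKeyRef:
              key: token
              name: oceanbox-helm
              optional: false
      image: registry.gitlab.com/oceanbox/manifests/kustomize-helm-with-rewrite:latest
      imagePullPolicy: Always
      name: init-helm-repos
      resources: {}
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
            - ALL
        readOnlyRootFilesystem: true
        runAsNonRoot: true
        runAsUser: 999
        seccompProfile:
          type: RuntimeDefault
      terminationMessagePath: /dev/termination-log
      terminationMessagePolicy: File
      volumeMounts:
        - mountPath: /helm-working-dir
          name: helm-working-dir

# Configuration for argocd server instance
server:
  metrics:
    enabled: true
    serviceMonitor:
      enabled: true
  ingress:
    enabled: true
    ingressClassName: nginx
    annotations:
      cert-manager.io/cluster-issuer: "{{ .Values.clusterConfig.ingress_clusterissuer }}"
      nginx.ingress.kubernetes.io/ssl-passthrough: "true"
      nginx.ingress.kubernetes.io/ssl-redirect: "true"
      nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
      # Source-IP allowlist; only rendered when clusterConfig.ingress_whitelist
      # is set, so an unset value leaves the UI/API reachable from wherever the
      # ingress itself is reachable.
      {{- with .Values.clusterConfig.ingress_whitelist }}
      nginx.ingress.kubernetes.io/whitelist-source-range: "{{ join "," . }}"
      {{- end }}
    hosts:
      - "argocd.{{ .Values.clusterConfig.domain }}"
    tls:
      - secretName: argocd-tls
        hosts:
          - "argocd.{{ .Values.clusterConfig.domain }}"

applicationSet:
  metrics:
    enabled: true
    serviceMonitor:
      enabled: true
  {{- if .Values.argocd.anyNamespaces.enabled }}
  allowAnyNamespaces: true
  {{- end }}
  ingress:
    enabled: false
    ingressClassName: nginx
    annotations:
      cert-manager.io/cluster-issuer: "{{ .Values.clusterConfig.ingress_clusterissuer }}"
    hostname: "argocd-applicationset.{{ .Values.clusterConfig.domain }}"
    tls:
      - secretName: argocd-applicationset-tls
        hosts:
          - "argocd-applicationset.{{ .Values.clusterConfig.domain }}"

notifications:
  metrics:
    enabled: true
    serviceMonitor:
      enabled: true
  secret:
    create: false
  cm:
    create: false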