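# Argo CD "self-managed" Application (app-of-apps bootstrap).
#
# Rendered by the outer cluster chart; `helm.values` below is handed to the
# upstream argo-cd chart as a values string. Secrets (OAuth client ids/secrets,
# the kubectl static-client secret) are never written into this manifest - they
# are read from Kubernetes Secrets via the dex container environment and
# referenced from dex.config as `$<name>_...`.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: argocd
  namespace: argocd
  annotations:
    # Negative wave: Argo CD itself is reconciled before every other app.
    argocd.argoproj.io/sync-wave: "-1"
spec:
  destination:
    namespace: argocd
    server: 'https://kubernetes.default.svc'
  sources:
    # Raw manifests (AppProjects, policies, ...) from the manifests repo.
    # HEAD follows the default branch: whoever can push there controls the
    # Argo CD installation, including the RBAC below - protect that branch.
    - path: {{ .Values.cluster_config.policies }}/argocd
      repoURL: {{ .Values.cluster_config.manifests }}
      targetRevision: HEAD
    # Upstream argo-cd chart, pinned to the version from values.
    - repoURL: 'https://argoproj.github.io/argo-helm'
      targetRevision: "{{ .Values.argocd.version }}"
      chart: argo-cd
      helm:
        values: |
          global:
            domain: argocd.{{ .Values.cluster_config.domain }}

          ## ArgoCD configuration
          ## Ref: https://github.com/argoproj/argo-cd
          ##
          configs:
            {{- if .Values.argocd.anyNamespaces.enabled }}
            # "Applications in any namespace": both controllers watch every
            # namespace matching this glob. Anyone who can create Application /
            # ApplicationSet objects in a matching namespace can drive
            # deployments through Argo CD, so keep the glob as tight as possible.
            params:
              applicationsetcontroller.namespaces: "{{ .Values.argocd.anyNamespaces.glob }}"
              # TODO(kai): anyapp will disable PR review apps. Look into anyapp settings to fix it
              applicationsetcontroller.enable.scm.providers: "false"
              application.namespaces: "{{ .Values.argocd.anyNamespaces.glob }}"
            {{- end }}
            cm:
              application.resourceTrackingMethod: annotation+label
              application.instanceLabelKey: app.kubernetes.io/instance
              create: true
              # NOTE(kai): callback URL for dex
              url: "https://argocd.{{ .Values.cluster_config.domain }}"
              resource.compareoptions: |
                ignoreAggregatedRoles: true
              # High-churn resources that must not be tracked or diffed.
              resource.exclusions: |
                - apiGroups:
                    - cilium.io
                  kinds:
                    - CiliumIdentity
                  clusters:
                    - "*"
                - apiGroups:
                    - kyverno.io
                  kinds:
                    - AdmissionReport
                    - BackgroundScanReport
                    - ClusterAdmissionReport
                    - ClusterBackgroundScanReport
                  clusters:
                    - "*"
              # Dex (SSO) configuration. `$<name>_...` references are expanded
              # from the dex container environment (see `dex.env` below).
              dex.config: |
                logger:
                  # NOTE(review): debug logging is verbose and can include
                  # request/claim details; prefer `info` outside troubleshooting.
                  level: debug
                  format: json
                connectors:
                {{- with .Values.cluster_config.oidc }}
                {{- range . }}
                {{- if eq .provider "azuread" }}
                - type: oidc
                  id: {{ .name }}
                  name: {{ .name }}
                  config:
                    issuer: https://login.microsoftonline.com/{{ .tenant }}/v2.0
                    clientID: ${{ .name | replace "-" "_" }}_client_id
                    clientSecret: ${{ .name | replace "-" "_" }}_client_secret
                    # Assumed: the provider does not emit `email_verified`, which
                    # dex otherwise requires - TODO confirm against tenant config.
                    insecureSkipEmailVerified: true
                    requestedIDTokenClaims:
                      groups:
                        essential: true
                    # Needed for the generic oidc connector to forward the
                    # `groups` claim that the RBAC `g` lines below match on.
                    insecureEnableGroups: true
                    requestedScopes:
                      - openid
                      - profile
                      - email
                      - groups
                {{- else if eq .provider "github" }}
                - type: github
                  id: {{ .name }}
                  name: {{ .name }}
                  config:
                    clientID: ${{ .name | replace "-" "_" }}_client_id
                    clientSecret: ${{ .name | replace "-" "_" }}_client_secret
                    redirectURI: https://argocd.{{ $.Values.cluster_config.domain }}/api/dex/callback
                    # Only members of this organization may log in.
                    orgs:
                      - name: {{ .allowed_organizations }}
                    loadAllGroups: true
                    teamNameField: slug
                    useLoginAsID: false
                # Static client for kubectl OIDC login, emitted together with the
                # github provider as in the original layout (assumed to live at the
                # dex.config top level - TODO confirm; a second github provider
                # would repeat this key).
                staticClients:
                  - id: ${{ .name | replace "-" "_" }}_client_id
                    name: Kubernetes
                    # These are kubectl oidc plugin internal URLs
                    redirectURIs:
                      - http://localhost:8000
                      - http://localhost:18000
                    # Random secret users configure to authenticate the dex client.
                    # Sourced from the provider Secret (key `static_client_secret`)
                    # through `dex.env` instead of being committed to this repo.
                    # Rotating it requires updating users' kubeconfigs.
                    secret: ${{ .name | replace "-" "_" }}_static_client_secret
                {{- end }}
                {{- end }}
                {{- end }}
              admin.enabled: '{{ .Values.argocd.adminLogin }}'
            rbac:
              # No `policy.default` is set: users whose groups match no `g` line
              # get no access (assumed fail-closed - TODO confirm with the chart
              # defaults for the pinned argo-cd version).
              # NOTE(kai): dd2aa2d6 ... is ID for azure kubernetes_operator group;
              # it can be overridden via `.Values.argocd.org_admin_group`.
              policy.csv: |
                p, role:org-admin, applications, *, */*, allow
                p, role:org-admin, projects, *, *, allow
                p, role:org-admin, logs, get, *, allow
                p, role:org-admin, clusters, get, *, allow
                p, role:org-admin, clusters, update, *, allow
                p, role:org-admin, repositories, get, *, allow
                p, role:org-admin, repositories, create, *, allow
                p, role:org-admin, repositories, update, *, allow
                p, role:org-admin, repositories, delete, *, allow
                g, "{{ .Values.argocd.org_admin_group | default "dd2aa2d6-269d-48fe-90cc-04fd5c08bd29" }}", role:org-admin
                {{- if .Values.cluster_config.external_access.enabled }}
                # external-admin: everything except the `sys` and `oxb` projects.
                # Deny lines take precedence over allow lines in Argo CD RBAC.
                p, role:external-admin, applications, *, sys/*, deny
                p, role:external-admin, applications, *, oxb/*, deny
                p, role:external-admin, applications, *, */*, allow
                p, role:external-admin, projects, *, oxb, deny
                p, role:external-admin, projects, *, sys, deny
                p, role:external-admin, projects, get, *, allow
                # logs is its own RBAC resource: carve out the same projects so
                # pod logs of sys/oxb apps are not readable through this role.
                p, role:external-admin, logs, get, sys/*, deny
                p, role:external-admin, logs, get, oxb/*, deny
                p, role:external-admin, logs, get, *, allow
                p, role:external-admin, clusters, get, *, allow
                p, role:external-admin, repositories, get, *, allow
                p, role:external-admin, repositories, create, *, allow
                p, role:external-admin, repositories, update, *, allow
                p, role:external-admin, repositories, delete, *, allow
                g, "{{ .Values.cluster_config.external_access.admin_group }}", role:external-admin
                {{- end }}
                {{- if .Values.cluster_config.external_access.enabled }}
                {{- range .Values.cluster_config.external_access.groups }}
                {{- "\n" -}}
                {{- $name := .name }}
                p, role:{{$name}}, projects, get, {{$name}}, allow
                p, role:{{$name}}, applications, get, {{$name}}/*, allow
                p, role:{{$name}}, logs, get, {{$name}}/*, allow
                {{- range .group_id }}
                g, {{ . }}, role:{{$name}}
                {{- end }}
                {{- end }}
                {{- end }}
                {{- with .Values.argocd.additional_rbac_settings }}
                {{- range .}}
                {{ . }}
                {{- end }}
                {{- end }}
            repositories:
              # Repositories for applications
              argo-helm:
                type: helm
                url: https://argoproj.github.io/argo-helm
            # UI changes based on env
            styles: |
              /* blue, orange, red depending on env */
              :root {
                --test-color: #0f2cbd;
                --dev-color: #33b025;
                --staging-color: #ebac2f;
                --prod-color: #ff000d;
              }
              .top-bar__breadcrumbs::after {
                content: "cluster: {{.Values.cluster_config.cluster}}, env: {{.Values.cluster_config.env}} ";
                color: var(--{{.Values.cluster_config.env}}-color);
                font-weight: bolder;
                font-size: larger;
                position: fixed;
                left: 50%;
              }

          controller:
            metrics:
              enabled: true
              serviceMonitor:
                enabled: true
            resources:
              limits:
                memory: {{ .Values.argocd.resources.controller.memory | default "1000Mi" }}
              requests:
                cpu: {{ .Values.argocd.resources.controller.cpu | default "250m" }}
                memory: {{ .Values.argocd.resources.controller.memory | default "1000Mi" }}

          dex:
            metrics:
              enabled: true
              serviceMonitor:
                enabled: true
            {{- with .Values.cluster_config.oidc }}
            # OAuth client credentials per connector, read from the Secret named in
            # `secret_ref` (keys: client_id, client_secret; github providers also
            # need static_client_secret for the kubectl static client). dex.config
            # references them as `$<name>_client_id` and friends.
            env:
              {{- range . }}
              - name: {{ .name | replace "-" "_" }}_client_secret
                valueFrom:
                  secretKeyRef:
                    name: {{ .secret_ref.name }}
                    key: client_secret
              - name: {{ .name | replace "-" "_" }}_client_id
                valueFrom:
                  secretKeyRef:
                    name: {{ .secret_ref.name }}
                    key: client_id
              {{- if eq .provider "github" }}
              # Required key: the pod fails to start if it is missing, which is
              # preferable to dex expanding the static client secret to "".
              - name: {{ .name | replace "-" "_" }}_static_client_secret
                valueFrom:
                  secretKeyRef:
                    name: {{ .secret_ref.name }}
                    key: static_client_secret
              {{- end }}
              {{- end }}
            {{- end }}

          redis:
            metrics:
              enabled: true
              serviceMonitor:
                enabled: true

          repoServer:
            metrics:
              enabled: true
              serviceMonitor:
                enabled: true
            {{- if .Values.argocd.repoServer.cmp.enabled }}
            # Config Management Plugin sidecar. It processes repository content,
            # so it runs with a restricted security context: non-root, no
            # privilege escalation, no capabilities, default seccomp profile.
            extraContainers:
              - command:
                  - /var/run/argocd/argocd-cmp-server
                # NOTE(review): prefer an immutable tag or digest; with a mutable
                # tag, `Always` re-pulls whatever the tag currently points to.
                image: {{ .Values.argocd.repoServer.cmp.image }}
                imagePullPolicy: Always
                name: {{ .Values.argocd.repoServer.cmp.name }}
                securityContext:
                  runAsNonRoot: true
                  runAsUser: 999
                  allowPrivilegeEscalation: false
                  capabilities:
                    drop:
                      - ALL
                  seccompProfile:
                    type: RuntimeDefault
                terminationMessagePath: /dev/termination-log
                terminationMessagePolicy: File
                volumeMounts:
                  - mountPath: /var/run/argocd
                    name: var-files
                  - mountPath: /home/argocd/cmp-server/plugins
                    name: plugins
                  - mountPath: /tmp
                    name: cmp-tmp
                  - mountPath: /helm-working-dir
                    name: helm-working-dir
            {{- with .Values.argocd.repoServer.cmp.initContainers }}
            initContainers:
              {{- toYaml . | nindent 14 }}
            {{- end }}
            volumes:
              - name: cmp-tmp
                emptyDir: {}
            {{- if .Values.argocd.repoServer.cmp.imagePullSecret }}
            imagePullSecrets:
              {{- range .Values.argocd.repoServer.cmp.imagePullSecret }}
              - name: {{ .name }}
              {{- end }}
            {{- end }}
            {{- end }}

          # Configuration for argocd server instance
          server:
            metrics:
              enabled: true
              serviceMonitor:
                enabled: true
            ingress:
              enabled: {{ .Values.argocd.ingress.enabled }}
              ingressClassName: nginx
              annotations:
                cert-manager.io/cluster-issuer: {{ .Values.cluster_config.ingress_clusterissuer }}
                # TLS is passed through to argocd-server (keeps the gRPC CLI
                # working). NOTE(review): ingress-nginx documents that
                # ssl-passthrough works at L4 and invalidates the other
                # annotations on the object, so the source-range allowlist and
                # ssl-redirect below are not enforced by this Ingress. Enforce
                # the allowlist at the load balancer or with a NetworkPolicy, or
                # terminate TLS at nginx instead.
                nginx.ingress.kubernetes.io/ssl-passthrough: "true"
                nginx.ingress.kubernetes.io/ssl-redirect: "true"
                nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
                {{- with .Values.cluster_config.ingress_whitelist_ips }}
                nginx.ingress.kubernetes.io/whitelist-source-range: "{{ join "," . }}"
                {{- end }}
              hosts:
                - "argocd.{{ .Values.cluster_config.domain }}"
              tls:
                - secretName: argocd-tls
                  hosts:
                    - "argocd.{{ .Values.cluster_config.domain }}"

          applicationSet:
            metrics:
              enabled: true
              serviceMonitor:
                enabled: true
            {{- if .Values.argocd.anyNamespaces.enabled }}
            allowAnyNamespaces: true
            {{- end }}
            # SCM webhook endpoint. No source-range allowlist is applied, so the
            # webhook secret configured in argocd-secret is what authenticates
            # callers - make sure it is set for every provider that posts here.
            ingress:
              enabled: {{ .Values.argocd.applicationset_webhook.enabled }}
              ingressClassName: nginx
              annotations:
                cert-manager.io/cluster-issuer: {{ .Values.cluster_config.ingress_clusterissuer }}
                {{- /*
                Disabled: allowlist of SCM webhook sources. Kept as a template
                comment so the actions are not evaluated. Hard-coded ranges go
                stale; GitHub publishes its current hook ranges at
                https://api.github.com/meta.
                NOTE(kai): include gitlab and github webhook ranges
                {{- with .Values.cluster_config.ingress_whitelist_ips }}
                nginx.ingress.kubernetes.io/whitelist-source-range: {{ join "," . }},192.30.252.0/22,140.82.112.0/20,34.74.226.27/28,34.74.226.0/24
                {{- end }}
                */}}
              hostname: "argocd-applicationset.{{ .Values.cluster_config.domain }}"
              tls:
                - secretName: argocd-applicationset-tls
                  hosts:
                    - "argocd-applicationset.{{ .Values.cluster_config.domain }}"

          notifications:
            metrics:
              enabled: true
              serviceMonitor:
                enabled: true
            # Notification secret and configmap are managed outside this chart.
            secret:
              create: false
            cm:
              create: false
  project: sys
  syncPolicy:
    managedNamespaceMetadata:
      labels:
        component: sys
    syncOptions:
      - CreateNamespace=true
      - ApplyOutOfSyncOnly=true
    {{- if .Values.argocd.autosync }}
    # Argo CD prunes resources of its own installation; selfHeal stays off so
    # manual emergency edits are not reverted automatically.
    automated:
      prune: true
      # selfHeal: false
    {{- end }}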