manifests/helmfiles/argocd/values.yaml.gotmpl

global:
  domain: argocd.{{ .Values.cluster_config.domain }}
## ArgoCD configuration
## Ref: https://github.com/argoproj/argo-cd
##
configs:
  {{- if .Values.argocd.anyNamespaces.enabled }}
  params:
    applicationsetcontroller.namespaces: "{{ .Values.argocd.anyNamespaces.glob }}"
    # TODO(kai): anyapp will disable PR review apps. Look into anyapp settings to fix it
    applicationsetcontroller.enable.scm.providers: "false"
    application.namespaces: "{{ .Values.argocd.anyNamespaces.glob }}"
  {{- end }}
  cm:
    application.resourceTrackingMethod: annotation+label
    application.instanceLabelKey: app.kubernetes.io/instance
    create: true
    # NOTE(kai): callback URL for dex
    url: "https://argocd.{{ .Values.cluster_config.domain }}"
    resource.compareoptions: |
      ignoreAggregatedRoles: true
    resource.exclusions: |
      - apiGroups:
        - cilium.io
        kinds:
        - CiliumIdentity
        clusters:
        - "*"
      - apiGroups:
        - kyverno.io
        kinds:
        - AdmissionReport
        - BackgroundScanReport
        - ClusterAdmissionReport
        - ClusterBackgroundScanReport
        clusters:
        - "*"
    # dex saml config
    dex.config: |
      logger:
        level: debug
        format: json
      connectors:
      {{- with .Values.cluster_config.oidc }}
      {{- range . }}
      {{- if eq .provider "azuread" }}
      - type: oidc
        id: {{ .name }}
        name: {{ .name }}
        config:
          issuer: https://login.microsoftonline.com/{{ .tenant }}/v2.0
          clientID: ${{ .name | replace "-" "_" }}_client_id
          clientSecret: ${{ .name | replace "-" "_" }}_client_secret
          insecureSkipEmailVerified: true
          requestedIDTokenClaims:
            groups:
               essential: true
          insecureEnableGroups: true
          requestedScopes:
            - openid
            - profile
            - email
            - groups
      {{- else if eq .provider "github" }}
      - type: github
        id: {{ .name }}
        name: {{ .name }}
        config:
          clientID: ${{ .name | replace "-" "_" }}_client_id
          clientSecret: ${{ .name | replace "-" "_" }}_client_secret
          redirectURI: https://argocd.{{ $.Values.cluster_config.domain }}/api/dex/callback
          orgs:
          - name: {{ .allowed_organizations }}
          loadAllGroups: true
          teamNameField: slug
          useLoginAsID: false
      staticClients:
      - id: ${{ .name | replace "-" "_" }}_client_id
        name: Kubernetes
        # These are kubectl oidc plugin internal URLs
        redirectURIs:
          - http://localhost:8000
          - http://localhost:18000
        # Random secret for the user to authenticat dex client
        secret: 8d52926efe879ee505391b75f4b046cf
      {{- end }}
      {{- end }}
      {{- end }}
    admin.enabled: '{{ .Values.argocd.adminLogin }}'
  rbac:
    # NOTE(kai): dd2aa2d6 ... is ID for azure kubernetes_operator group
    policy.csv: |
      p, role:org-admin, applications, *, */*, allow
      p, role:org-admin, projects, *, *, allow
      p, role:org-admin, logs, get, *, allow
      p, role:org-admin, clusters, get, *, allow
      p, role:org-admin, clusters, update, *, allow
      p, role:org-admin, repositories, get, *, allow
      p, role:org-admin, repositories, create, *, allow
      p, role:org-admin, repositories, update, *, allow
      p, role:org-admin, repositories, delete, *, allow
      g, "dd2aa2d6-269d-48fe-90cc-04fd5c08bd29", role:org-admin
      {{- if .Values.cluster_config.external_access.enabled }}
      p, role:external-admin, applications, *, sys/*, deny
      p, role:external-admin, applications, *, oxb/*, deny
      p, role:external-admin, applications, *, */*, allow
      p, role:external-admin, projects, *, oxb, deny
      p, role:external-admin, projects, *, sys, deny
      p, role:external-admin, projects, get, *, allow
      p, role:external-admin, logs, get, *, allow
      p, role:external-admin, clusters, get, *, allow
      p, role:external-admin, repositories, get, *, allow
      p, role:external-admin, repositories, create, *, allow
      p, role:external-admin, repositories, update, *, allow
      p, role:external-admin, repositories, delete, *, allow
      g, "{{ .Values.cluster_config.external_access.admin_group }}", role:external-admin
      {{- end }}
      {{- if .Values.cluster_config.external_access.enabled }}
      {{- range .Values.cluster_config.external_access.groups }}
      {{- "\n" -}}
        {{- $name := .name }}
      p, role:{{$name}}, projects, get, {{$name}}, allow
      p, role:{{$name}}, applications, get, {{$name}}/*, allow
      p, role:{{$name}}, logs, get, {{$name}}/*, allow
        {{- range .group_id }}
      g, {{ . }}, role:{{$name}}
          {{- end }}
        {{- end }}
      {{- end }}
      {{- with .Values.argocd.additional_rbac_settings }}
      {{- range .}}
      {{ . }}
      {{- end }}
      {{- end }}
  repositories:
    # Repositories for applications
    argo-helm:
      type: helm
      url: https://argoproj.github.io/argo-helm
  # UI changes based on env
  styles: |
    /* blue, orange, red depending on env */
    :root {
      --test-color: #0f2cbd;
      --dev-color: #33b025;
      --staging-color: #ebac2f;
      --prod-color: #ff000d;
    }
    .top-bar__breadcrumbs::after {
      content: "cluster: {{.Values.cluster_config.cluster}},  env: {{.Values.cluster_config.env}} ";
      color: var(--{{.Values.cluster_config.env}}-color);
      font-weight: bolder;
      font-size: larger;
      position: fixed;
      left: 50%;
    }

controller:
  metrics:
    enabled: true
    serviceMonitor:
      enabled: true
  resources:
    limits:
      memory: {{ .Values | get "argocd.resources.controller.memory" "1000Mi" }}
    requests:
      cpu: {{ .Values | get "argocd.resources.controller.cpu" "250m" }}
      memory: {{ .Values | get "argocd.resources.controller.memory" "1000Mi" }}

# Mount azure ca as file for SAML auth
dex:
  metrics:
    enabled: true
    serviceMonitor:
      enabled: true
  {{- with .Values.cluster_config.oidc }}
  env:
  {{- range . }}
  - name: {{ .name | replace "-" "_" }}_client_secret
    valueFrom:
      secretKeyRef:
        name: {{ .secret_ref.name }}
        key: client_secret
  - name: {{ .name | replace "-" "_" }}_client_id
    valueFrom:
      secretKeyRef:
        name: {{ .secret_ref.name }}
        key: client_id
  {{- end }}
  {{- end }}

redis:
  metrics:
    enabled: true
    serviceMonitor:
      enabled: true

repoServer:
  metrics:
    enabled: true
    serviceMonitor:
      enabled: true
  {{- if .Values.argocd.repoServer.cmp.enabled }}
  extraContainers:
  - command:
    - /var/run/argocd/argocd-cmp-server
    image: {{ .Values.argocd.repoServer.cmp.image }}
    imagePullPolicy: Always
    name: {{ .Values.argocd.repoServer.cmp.name }}
    securityContext:
      runAsNonRoot: true
      runAsUser: 999
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: File
    volumeMounts:
    - mountPath: /var/run/argocd
      name: var-files
    - mountPath: /home/argocd/cmp-server/plugins
      name: plugins
    - mountPath: /tmp
      name: cmp-tmp
  {{- with .Values.argocd.repoServer.cmp.initContainers }}
  initContainers:
    {{- toYaml . | nindent 10}}
  {{- end }}
  volumes:
  - name: cmp-tmp
    emptyDir: {}
  {{- if .Values.argocd.repoServer.cmp.imagePullSecret }}
  imagePullSecrets:
    {{- range .Values.argocd.repoServer.cmp.imagePullSecret}}
    - name: {{ .name }}
  {{- end }}
  {{- end }}
{{- end }}

# Configuration for argocd server instance
server:
  metrics:
    enabled: true
    serviceMonitor:
      enabled: true
  ingress:
    enabled: {{ .Values.argocd.ingress.enabled }}
    ingressClassName: nginx
    annotations:
      cert-manager.io/cluster-issuer: {{ .Values.cluster_config.ingress_clusterissuer }}
      nginx.ingress.kubernetes.io/ssl-passthrough: "true"
      nginx.ingress.kubernetes.io/ssl-redirect: "true"
      nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
      {{- with .Values.cluster_config.ingress_whitelist_ips }}
      nginx.ingress.kubernetes.io/whitelist-source-range: {{ join "," . }}
      {{- end }}
    hosts:
      - "argocd.{{ .Values.cluster_config.domain }}"
    tls:
      - secretName: argocd-tls
        hosts:
          - "argocd.{{ .Values.cluster_config.domain }}"
applicationSet:
  metrics:
    enabled: true
    serviceMonitor:
      enabled: true
  {{- if .Values.argocd.anyNamespaces.enabled }}
  allowAnyNamespaces: true
  {{- end }}
  ingress:
    enabled: {{ .Values.argocd.applicationset_webhook.enabled }}
    ingressClassName: nginx
    annotations:
      cert-manager.io/cluster-issuer: {{ .Values.cluster_config.ingress_clusterissuer }}
      # {{- with .Values.cluster_config.ingress_whitelist_ips}}
      # NOTE(kai): include gitlab and github webhook ranges
      # nginx.ingress.kubernetes.io/whitelist-source-range: {{ join "," . }},192.30.252.0/22,140.82.112.0/20,34.74.226.27/28,34.74.226.0/24
      # {{- end }}
    hostname: "argocd-applicationset.{{ .Values.cluster_config.domain }}"
    tls:
      - secretName: argocd-applicationset-tls
        hosts:
          - "argocd-applicationset.{{ .Values.cluster_config.domain }}"
notifications:
  metrics:
    enabled: true
    serviceMonitor:
      enabled: true
  secret:
    create: false
  cm:
    create: false