manifests/values/argo/values/argocd.yaml.gotmpl
# Base domain for this Argo CD install. The same clusterConfig.domain value
# is reused below for configs.cm.url and the server/applicationSet ingress
# hosts, so the three must stay in step.
global:
  domain: argocd.{{ .Values.clusterConfig.domain }}
## ArgoCD configuration
## Ref: https://github.com/argoproj/argo-cd
##
configs:
  {{- if .Values.argocd.anyNamespaces.enabled }}
  # Apps-in-any-namespace: Applications and ApplicationSets may live in any
  # namespace matching the configured glob, not only the Argo CD namespace.
  # NOTE(review): this widens who can create Applications; confirm the
  # AppProjects in use restrict `sourceNamespaces` accordingly.
  params:
    applicationsetcontroller.namespaces: "{{ .Values.argocd.anyNamespaces.glob }}"
    # TODO(kai): anyapp will disable PR review apps. Look into anyapp settings to fix it
    applicationsetcontroller.enable.scm.providers: "false"
    application.namespaces: "{{ .Values.argocd.anyNamespaces.glob }}"
  {{- end }}
  cm:
    application.resourceTrackingMethod: annotation+label
    application.instanceLabelKey: app.kubernetes.io/instance
    create: true
    # NOTE: callback URL for dex
    # Must match the server ingress host below (same clusterConfig.domain).
    url: "https://argocd.{{ .Values.clusterConfig.domain }}"
    resource.compareoptions: |
      ignoreAggregatedRoles: true
    # Resources excluded from tracking/sync on all clusters
    # (Cilium identities, Kyverno admission/background reports).
    resource.exclusions: |
      - apiGroups:
          - cilium.io
        kinds:
          - CiliumIdentity
        clusters:
          - "*"
      - apiGroups:
          - kyverno.io
        kinds:
          - AdmissionReport
          - BackgroundScanReport
          - ClusterAdmissionReport
          - ClusterBackgroundScanReport
        clusters:
          - "*"
    # dex connector config. Despite the older "saml" wording, the connector
    # rendered here is type `oidc` against login.microsoftonline.com, one per
    # clusterConfig.oidc entry whose group is "devel".
    # NOTE(review): the connector's clientID/clientSecret are env references
    # ($<name>_client_id / $<name>_client_secret, populated from a Secret in
    # the `dex.env` block of this file), but the staticClients `secret:` is a
    # literal committed in this values file. Prefer the same env-var
    # indirection for it.
    # NOTE(review): `insecureSkipEmailVerified` and `insecureEnableGroups`
    # relax dex's checks (email need not be verified; groups are taken from
    # the ID token claim) — keep only if the tenant guarantees both.
    # NOTE(review): `staticClients:` is emitted inside the range, so more than
    # one "devel" entry would repeat that key in the rendered dex config; with
    # entries but none matching, `connectors:` renders with no items.
    # NOTE(review): logger level is debug — confirm that is intended outside
    # development.
    dex.config: |
      logger:
        level: debug
        format: json
      connectors:
      {{- with .Values.clusterConfig.oidc }}
      {{- range . }}
      {{- if eq .group "devel" }}
        - type: oidc
          id: {{ .name }}
          name: {{ .name }}
          config:
            issuer: https://login.microsoftonline.com/{{ .tenant }}/v2.0
            clientID: ${{ .name | replace "-" "_" }}_client_id
            clientSecret: ${{ .name | replace "-" "_" }}_client_secret
            insecureSkipEmailVerified: true
            requestedIDTokenClaims:
              groups:
                essential: true
            insecureEnableGroups: true
            requestedScopes:
              - openid
              - profile
              - email
              - groups
      staticClients:
        - id: ${{ .name | replace "-" "_" }}_client_id
          name: Kubernetes
          # These are kubectl oidc plugin internal URLs
          redirectURIs:
            - https://localhost:8000
            - http://localhost:8000
            - http://localhost:18000
          # Random secret for the user to authenticat dex client
          secret: 8d52926efe879ee505391b75f4b046cf
      {{- end }}
      {{- end }}
      {{- end }}
    # Local admin account disabled; access is via dex/OIDC and the RBAC
    # policy below.
    admin.enabled: false
  rbac:
    # NOTE(kai): dd2aa2d6 ... is ID for azure kubernetes_operator group
    # NOTE(review): the only role defined here is org-admin, bound to that
    # single Azure group object ID; `policy.default` is not set in this file,
    # so users outside the group get the chart's default (verify it denies).
    # Lines from .Values.argocd.additional_rbac_settings are appended
    # verbatim, so that values file is part of the RBAC trust boundary.
    policy.csv: |
      p, role:org-admin, applications, *, */*, allow
      p, role:org-admin, projects, *, *, allow
      p, role:org-admin, logs, get, *, allow
      p, role:org-admin, clusters, get, *, allow
      p, role:org-admin, clusters, update, *, allow
      p, role:org-admin, repositories, get, *, allow
      p, role:org-admin, repositories, create, *, allow
      p, role:org-admin, repositories, update, *, allow
      p, role:org-admin, repositories, delete, *, allow
      g, "dd2aa2d6-269d-48fe-90cc-04fd5c08bd29", role:org-admin
      {{- with .Values.argocd.additional_rbac_settings }}
      {{- range .}}
      {{ . }}
      {{- end }}
      {{- end }}
  repositories:
    # Repositories for applications
    argo-helm:
      type: helm
      url: https://argoproj.github.io/argo-helm
  # UI changes based on env
  # Env banner after the breadcrumbs; var(--<env>-color) only resolves when
  # clusterConfig.env is one of test/dev/staging/prod defined in :root.
  styles: |
    /* blue, orange, red depending on env */
    :root {
      --test-color: #0f2cbd;
      --dev-color: #33b025;
      --staging-color: #ebac2f;
      --prod-color: #ff000d;
    }
    .top-bar__breadcrumbs::after {
      content: "cluster: {{.Values.clusterConfig.cluster}}, env: {{.Values.clusterConfig.env}} ";
      color: var(--{{.Values.clusterConfig.env}}-color);
      font-weight: bolder;
      font-size: larger;
      position: fixed;
      left: 50%;
    }
# Application controller: metrics scraped via ServiceMonitor; memory
# request == limit, CPU request only (no CPU limit set — presumably
# deliberate to avoid throttling; confirm).
controller:
  metrics:
    enabled: true
    serviceMonitor:
      enabled: true
  resources:
    limits:
      memory: {{ .Values.argocd.resources.controller.memory | default "1000Mi" }}
    requests:
      cpu: {{ .Values.argocd.resources.controller.cpu | default "250m" }}
      memory: {{ .Values.argocd.resources.controller.memory | default "1000Mi" }}
# dex: metrics plus the OIDC client credentials that configs.cm.dex.config
# reads via $<name>_client_id / $<name>_client_secret. (The earlier
# "Mount azure ca ... SAML" comment no longer matched: nothing is mounted
# here and the connector is oidc.)
# The `replace "-" "_"` makes .name usable as an env var name and must stay
# identical to the expression used in dex.config.
# NOTE(review): `env:` is emitted whenever clusterConfig.oidc is non-empty,
# but items only for group "devel" — with no matching entry it renders
# empty. The referenced Secret ({{ .secret_ref.name }}) is presumably in
# the Argo CD namespace; not defined in this file.
dex:
  metrics:
    enabled: true
    serviceMonitor:
      enabled: true
  {{- with .Values.clusterConfig.oidc }}
  env:
  {{- range . }}
  {{- if eq .group "devel" }}
    - name: {{ .name | replace "-" "_" }}_client_secret
      valueFrom:
        secretKeyRef:
          name: {{ .secret_ref.name }}
          key: client_secret
    - name: {{ .name | replace "-" "_" }}_client_id
      valueFrom:
        secretKeyRef:
          name: {{ .secret_ref.name }}
          key: client_id
  {{- end }}
  {{- end }}
  {{- end }}
# redis: metrics only; everything else is chart default.
redis:
  metrics:
    enabled: true
    serviceMonitor:
      enabled: true
# repo-server: config-management-plugin (CMP) sidecars and an init container
# that seeds helm repositories.
repoServer:
  metrics:
    enabled: true
    serviceMonitor:
      enabled: true
  # NOTE(review): `extraContainers`, `volumes` and `imagePullSecrets` are
  # emitted once per entry of .Values.argocd.repoServers; with more than one
  # entry the keys repeat and most YAML loaders keep only the last, so this
  # only works as intended for a single entry.
  {{- range .Values.argocd.repoServers }}
  extraContainers:
    # helmfile CMP sidecar (argocd-cmp-server).
    # NOTE(review): `:latest` with imagePullPolicy Always runs whatever the
    # registry serves at pull time; pin a digest or immutable tag for
    # reproducibility (same for init-helm-repos below).
    # NOTE(review): this securityContext is weaker than the init container's
    # (no allowPrivilegeEscalation=false, no drop ALL, no seccompProfile);
    # bring it to parity unless the plugin needs otherwise.
    # readOnlyRootFilesystem would rely on the writable mounts already
    # provided (/tmp, /helm-working-dir) — confirm before enabling.
    - command:
        - /var/run/argocd/argocd-cmp-server
      image: git.oceanbox.io/platform/manifests/helmfile-cmp:latest
      env:
        # Git access token for the plugin. It is readable by whatever helmfile
        # executes while rendering a repository, so keep it least-privilege.
        - name: HELM_GIT_ACCESS_TOKEN
          valueFrom:
            secretKeyRef:
              key: password
              name: oceanbox-gitops-repo
              optional: false
      imagePullPolicy: Always
      name: helmfile-cmp
      securityContext:
        runAsNonRoot: true
        runAsUser: 999
      terminationMessagePath: /dev/termination-log
      terminationMessagePolicy: File
      # var-files, plugins and helm-working-dir are not defined in this file;
      # presumably provided by the chart — verify.
      volumeMounts:
        - mountPath: /var/run/argocd
          name: var-files
        - mountPath: /home/argocd/cmp-server/plugins
          name: plugins
        - mountPath: /tmp
          name: cmp-tmp
        - mountPath: /helm-working-dir
          name: helm-working-dir
    # Second CMP sidecar, image and name taken from the repoServers entry.
    - command:
        - /var/run/argocd/argocd-cmp-server
      image: {{ .image }}
      imagePullPolicy: Always
      name: {{ .name }}
      securityContext:
        runAsNonRoot: true
        runAsUser: 999
      terminationMessagePath: /dev/termination-log
      terminationMessagePolicy: File
      volumeMounts:
        - mountPath: /var/run/argocd
          name: var-files
        - mountPath: /home/argocd/cmp-server/plugins
          name: plugins
        - mountPath: /tmp
          name: cmp-tmp
  volumes:
    - name: cmp-tmp
      emptyDir: {}
  imagePullSecrets:
    {{- range .imagePullSecrets }}
    - name: {{ . }}
    {{- end }}
  {{- end }}
  initContainers:
    # Seeds helm repo config via /plugin/init-helm-repos.sh (script lives in
    # the image; not visible here) using the oceanbox-helm token.
    - command:
        - /bin/sh
        - /plugin/init-helm-repos.sh
      env:
        - name: OCEANBOX_HELM_ACCESS_TOKEN
          valueFrom:
            secretKeyRef:
              key: token
              name: oceanbox-helm
              optional: false
      image: registry.gitlab.com/oceanbox/manifests/kustomize-helm-with-rewrite:latest
      imagePullPolicy: Always
      name: init-helm-repos
      # No requests/limits set for the init container.
      resources: {}
      # Hardened context: non-root, no privilege escalation, no capabilities,
      # read-only rootfs, runtime default seccomp.
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
            - ALL
        readOnlyRootFilesystem: true
        runAsNonRoot: true
        runAsUser: 999
        seccompProfile:
          type: RuntimeDefault
      terminationMessagePath: /dev/termination-log
      terminationMessagePolicy: File
      volumeMounts:
        - mountPath: /helm-working-dir
          name: helm-working-dir
# Configuration for argocd server instance
server:
  metrics:
    enabled: true
    serviceMonitor:
      enabled: true
  ingress:
    enabled: true
    ingressClassName: nginx
    annotations:
      cert-manager.io/cluster-issuer: {{ .Values.clusterConfig.ingress_clusterissuer }}
      # NOTE(review): ssl-passthrough hands the TLS stream to argocd-server
      # unterminated. Per ingress-nginx's own docs that is handled at L4 and
      # invalidates the other annotations on this Ingress, so ssl-redirect and
      # the whitelist-source-range below may not be enforced — verify, and if
      # the IP allowlist is relied on, enforce it elsewhere (NetworkPolicy or
      # the load balancer). Likewise the cert-manager issued `argocd-tls`
      # secret is only what clients see if argocd-server itself serves it.
      nginx.ingress.kubernetes.io/ssl-passthrough: "true"
      nginx.ingress.kubernetes.io/ssl-redirect: "true"
      nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
      {{- with .Values.clusterConfig.ingress_whitelist }}
      nginx.ingress.kubernetes.io/whitelist-source-range: {{ join "," . }}
      {{- end }}
    hosts:
      - "argocd.{{ .Values.clusterConfig.domain }}"
    tls:
      - secretName: argocd-tls
        hosts:
          - "argocd.{{ .Values.clusterConfig.domain }}"
# ApplicationSet controller. allowAnyNamespaces is switched on together with
# the configs.params apps-in-any-namespace settings above (same flag).
# The webhook ingress is defined but disabled; the cert-manager annotation,
# hostname and TLS block only take effect if `enabled` is flipped to true.
applicationSet:
  metrics:
    enabled: true
    serviceMonitor:
      enabled: true
  {{- if .Values.argocd.anyNamespaces.enabled }}
  allowAnyNamespaces: true
  {{- end }}
  ingress:
    enabled: false
    ingressClassName: nginx
    annotations:
      cert-manager.io/cluster-issuer: {{ .Values.clusterConfig.ingress_clusterissuer }}
    hostname: "argocd-applicationset.{{ .Values.clusterConfig.domain }}"
    tls:
      - secretName: argocd-applicationset-tls
        hosts:
          - "argocd-applicationset.{{ .Values.clusterConfig.domain }}"
# Notifications controller: metrics only. The chart does not create the
# notifications Secret or ConfigMap here, so both are presumably managed
# outside this values file — verify they exist before enabling templates.
notifications:
  metrics:
    enabled: true
    serviceMonitor:
      enabled: true
  secret:
    create: false
  cm:
    create: false