## ArgoCD configuration
## Ref: https://github.com/argoproj/argo-cd
##
# Optional: have this release install the Argo CD CRDs itself
# (intended for setups without Helm hooks).
installCRDs: true

global:
  image:
    repository: quay.io/argoproj/argocd
    # Pinned by tag, not by digest. The repoServer initContainer further down
    # hard-codes the same tag, so both must be bumped together.
    tag: "v2.7.2"
    # imagePullPolicy: IfNotPresent
  # Fixed non-root UID/GID (999) and fsGroup for the pods.
  securityContext:
    runAsUser: 999
    runAsGroup: 999
    fsGroup: 999

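## Controller
controller:
  ## Container-level security context for the application controller
  containerSecurityContext:
    capabilities:
      drop:
        # Canonical spelling is ALL; the Pod Security "restricted" check
        # matches the name case-sensitively, so lowercase "all" is not
        # recognised there.
        - ALL
    readOnlyRootFilesystem: true

  ## Controller metrics service configuration
  metrics:
    enabled: true
    service:
      annotations:
        prometheus.io/scrape: 'true'
        prometheus.io/port: '8082'

  # NOTE(review): gives the controller cluster-wide admin rights on the local
  # cluster. Whoever can create or edit Applications can then act in every
  # namespace, so constrain that through AppProject destinations and
  # resource allow-lists and through the RBAC policy in server.rbacConfig.
  clusterAdminAccess:
    enabled: true
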
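## Dex
dex:
  # NOTE(review): this file configures SSO through server.config
  # "oidc.config" and sets no dex.config connectors. If none are defined
  # elsewhere, the Dex deployment is unused surface; confirm before
  # keeping it enabled.
  enabled: true

  ## Container-level security context for the Dex container
  containerSecurityContext:
    capabilities:
      drop:
        # Canonical spelling is ALL; the Pod Security "restricted" check
        # matches the name case-sensitively.
        - ALL
    readOnlyRootFilesystem: true
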
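## Redis
redis:
  # NOTE(review): nothing in this file sets a Redis password or a
  # NetworkPolicy. Confirm that only the Argo CD components can reach the
  # Redis service.
  enabled: true

  ## Container-level security context for the Redis container
  containerSecurityContext:
    capabilities:
      drop:
        # Canonical spelling is ALL; the Pod Security "restricted" check
        # matches the name case-sensitively.
        - ALL
    readOnlyRootFilesystem: true

  ## Redis Pod specific security context
  securityContext:
    runAsUser: 1000
    runAsGroup: 1000
    fsGroup: 1000
    runAsNonRoot: true
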
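## Server
server:
  # --insecure makes argocd-server serve the UI/API over plain HTTP. TLS is
  # terminated at the Traefik ingress configured below, so the hop from the
  # ingress controller to the pod is unencrypted inside the cluster.
  # NOTE(review): confirm that nothing else can reach the server service
  # directly, e.g. by restricting it with a NetworkPolicy.
  extraArgs:
    - --insecure

  ## Container-level security context for the API server container
  containerSecurityContext:
    capabilities:
      drop:
        # Canonical spelling is ALL; the Pod Security "restricted" check
        # matches the name case-sensitively.
        - ALL
    readOnlyRootFilesystem: true

  ## Server metrics service configuration
  metrics:
    enabled: true
    service:
      annotations:
        prometheus.io/scrape: 'true'
        prometheus.io/port: '8083'
      servicePort: 8083

  ingress:
    enabled: true
    annotations:
      # Certificate for argocd-tls is issued by the cluster issuer
      # "vault-issuer"; Traefik serves this router over TLS.
      cert-manager.io/cluster-issuer: vault-issuer
      traefik.ingress.kubernetes.io/router.tls: 'true'
    hosts:
      - argocd.dc
    paths:
      - /
    tls:
      - secretName: argocd-tls
        hosts:
          - argocd.dc
    # Backend is addressed over HTTP, matching --insecure above.
    https: false
  # dedicated ingress for gRPC as documented at
  # https://argoproj.github.io/argo-cd/operator-manual/ingress/

  ## ArgoCD config
  ## reference https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/argocd-cm.yaml
  configEnabled: true
  config:
    # Argo CD's externally facing base URL (optional). Required when configuring SSO
    url: https://argocd.dc
    application.resourceTrackingMethod: annotation+label

    # clientID is a public identifier. clientSecret is a "$key" reference,
    # so the secret value itself is not stored in this file; it has to exist
    # under the key dex.authentik.clientSecret in the Argo CD secret
    # (see configs.secret.createSecret at the end of this file).
    # NOTE(review): Argo CD's oidc.config documents "requestedScopes" for
    # the scope list; confirm that "type", "id" and "scopes" are honoured
    # here rather than silently ignored.
    oidc.config: |
      name: Authentik
      type: oidc
      id: authentik
      issuer: https://auth.dc/application/o/argocd/
      clientID: 3793eb413f1d568b9e9cf82fd4d8d596b2867ec5
      clientSecret: $dex.authentik.clientSecret
      scopes:
        - openid
        - profile
        - email
        - groups

  # Maps the identity-provider group "ArgoCDAdmins" to the built-in admin
  # role. No policy.default is set in this file. Membership of that group in
  # Authentik is therefore the control protecting cluster-admin-level
  # deployments (see clusterAdminAccess below).
  rbacConfig:
    policy.csv: |
      g, ArgoCDAdmins, role:admin

  # Mount vault CA cert
  volumeMounts:
    - name: certificate
      mountPath: /etc/ssl/certs/vault-ca-certificates.crt
      subPath: ca

  volumes:
    - name: certificate
      secret:
        secretName: ca-cert
        # 420 decimal == 0644 octal
        defaultMode: 420

  additionalApplications: []

  ## Projects
  ## reference: https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/
  additionalProjects: []

  ## Enable Admin ClusterRole resources.
  ## Enable if you would like to grant rights to ArgoCD to deploy to the local Kubernetes cluster.
  # NOTE(review): with this on, the API server's service account holds
  # cluster-wide admin rights as well. Combined with --insecure above,
  # in-cluster access to the server service deserves a NetworkPolicy.
  clusterAdminAccess:
    enabled: true
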
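## Repo Server
repoServer:
  ## Container-level security context for the repo-server container
  containerSecurityContext:
    capabilities:
      drop:
        # Canonical spelling is ALL; the Pod Security "restricted" check
        # matches the name case-sensitively.
        - ALL
    readOnlyRootFilesystem: true

  ## Repo server metrics service configuration
  metrics:
    enabled: true
    service:
      annotations:
        prometheus.io/scrape: 'true'
        prometheus.io/port: '8084'
      servicePort: 8084

  # volumes:
  #   - name: cmp-plugins
  #     emptyDir: {}

  # volumeMounts:
  #   - mountPath: /home/argocd/cmp-server/plugins
  #     name: cmp-plugins

  # Copies the argocd binary into the shared var-files volume under the name
  # argocd-cmp-server so the plugin sidecar below can execute it.
  # The image tag is hard-coded here and must track global.image.tag.
  initContainers:
    - name: copy-cmp-server
      image: quay.io/argoproj/argocd:v2.7.2
      command:
        - cp
        - -n
        - /usr/local/bin/argocd
        - /var/run/argocd/argocd-cmp-server
      volumeMounts:
        - mountPath: /var/run/argocd
          name: var-files

  extraContainers:
    # Config-management-plugin sidecar.
    # NOTE(review): supply-chain exposure. This container renders manifests
    # for a deployment that has cluster-admin access, yet
    #   * the image uses the mutable tag "latest" with imagePullPolicy Always,
    #     so every restart may run different code, and
    #   * the helm-heqet plugin is fetched unpinned from GitHub and patched
    #     with sed at every container start.
    # Pin the image by digest (image: lib42/heqet-cli@sha256:<DIGEST>).
    # Either bake the plugin into the image or pin it with
    # `helm plugin install --version <TAG>`. Pinning also removes the
    # start-up dependency on GitHub egress.
    - name: cmp-heqet
      command: ["/bin/sh","-c"]
      args: [ 'HELM_CACHE_HOME=/tmp helm plugin install https://github.com/lib42/helm-heqet ; sed -i "s/bin\/bash\$/bin\/sh/" /helm-working-dir/plugins/helm-heqet/heqet.sh ; /var/run/argocd/argocd-cmp-server' ]
      image: lib42/heqet-cli:latest
      imagePullPolicy: Always
      env:
        - name: HELM_CACHE_HOME
          value: /helm-working-dir
        - name: HELM_CONFIG_HOME
          value: /helm-working-dir
        - name: HELM_DATA_HOME
          value: /helm-working-dir
      securityContext:
        runAsNonRoot: true
        runAsUser: 999
        # Same capability drop as the other containers in this file; the
        # sidecar runs third-party plugin code as a non-root user and needs
        # neither capabilities nor setuid escalation.
        allowPrivilegeEscalation: false
        capabilities:
          drop:
            - ALL
      volumeMounts:
        - mountPath: /var/run/argocd
          name: var-files
        - mountPath: /home/argocd/cmp-server/plugins
          name: plugins
        - mountPath: /tmp
          name: tmp
        - mountPath: /helm-working-dir
          name: helm-working-dir

  ## Repo server rbac rules
  # rbac:
  #   - apiGroups:
  #       - argoproj.io
  #     resources:
  #       - applications
  #     verbs:
  #       - get
  #       - list
  #       - watch
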
configs:
  secret:
    # The chart does not create the Argo CD secret, so it must be provisioned
    # out of band. It has to contain the key dex.authentik.clientSecret that
    # server.config "oidc.config" references.
    createSecret: false