hive-apps/projects/argocd/values/argocd.yaml

228 lines
5.1 KiB
YAML

## ArgoCD configuration
## Ref: https://github.com/argoproj/argo-cd
##
# Optional CRD installation for those without Helm hooks
installCRDs: true
global:
image:
repository: quay.io/argoproj/argocd
tag: v2.10.4
# imagePullPolicy: IfNotPresent
securityContext:
runAsUser: 999
runAsGroup: 999
fsGroup: 999
## Controller
controller:
## Labels to set container specific security contexts
containerSecurityContext:
capabilities:
drop:
- all
readOnlyRootFilesystem: true
## Server metrics controller configuration
metrics:
enabled: true
service:
annotations:
prometheus.io/scrape: 'true'
prometheus.io/port: '8082'
clusterAdminAccess:
enabled: true
## Dex
dex:
enabled: true
## Labels to set container specific security contexts
containerSecurityContext:
capabilities:
drop:
- all
readOnlyRootFilesystem: true
## Redis
redis:
enabled: true
## Labels to set container specific security contexts
containerSecurityContext:
capabilities:
drop:
- all
readOnlyRootFilesystem: true
## Redis Pod specific security context
securityContext:
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
runAsNonRoot: true
## Server
server:
extraArgs:
- --insecure
## Labels to set container specific security contexts
containerSecurityContext:
capabilities:
drop:
- all
readOnlyRootFilesystem: true
## Server metrics service configuration
metrics:
enabled: true
service:
annotations:
prometheus.io/scrape: 'true'
prometheus.io/port: '8083'
servicePort: 8083
ingress:
enabled: true
annotations:
cert-manager.io/cluster-issuer: vault-issuer
traefik.ingress.kubernetes.io/router.tls: 'true'
hosts:
- argocd.dc
paths:
- /
tls:
- secretName: argocd-tls
hosts:
- argocd.dc
https: false
# dedicated ingess for gRPC as documented at
# https://argoproj.github.io/argo-cd/operator-manual/ingress/
## ArgoCD config
## reference https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/argocd-cm.yaml
configEnabled: true
config:
# Argo CD's externally facing base URL (optional). Required when configuring SSO
url: https://argocd.dc
application.resourceTrackingMethod: annotation+label
oidc.config: |
name: Authentik
type: oidc
id: authentik
issuer: https://auth.dc/application/o/argocd/
clientID: "1080104731533290513674458574364055869568731613048916978401072612100150376072438332692042842646474"
clientSecret: $dex.authentik.clientSecret
scopes:
- openid
- profile
- email
- groups
rbacConfig:
policy.csv: |
g, ArgoCDAdmins, role:admin
# Mount vault CA cert
volumeMounts:
- name: certificate
mountPath: /etc/ssl/certs/vault-ca-certificates.crt
subPath: ca
volumes:
- name: certificate
secret:
secretName: ca-cert
defaultMode: 420
additionalApplications: []
## Projects
## reference: https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/
additionalProjects: []
## Enable Admin ClusterRole resources.
## Enable if you would like to grant rights to ArgoCD to deploy to the local Kubernetes cluster.
clusterAdminAccess:
enabled: true
## Repo Server
repoServer:
containerSecurityContext:
capabilities:
drop:
- all
readOnlyRootFilesystem: true
## Repo server metrics service configuration
metrics:
enabled: true
service:
annotations:
prometheus.io/scrape: 'true'
prometheus.io/port: '8084'
servicePort: 8084
# volumes:
# - name: cmp-plugins
# emptyDir: {}
# volumeMounts:
# - mountPath: /home/argocd/cmp-server/plugins
# name: cmp-plugins
initContainers:
- name: copy-cmp-server
image: quay.io/argoproj/argocd:v2.10.4
command:
- cp
- -n
- /usr/local/bin/argocd
- /var/run/argocd/argocd-cmp-server
volumeMounts:
- mountPath: /var/run/argocd
name: var-files
extraContainers:
- name: cmp-heqet
command: ["/bin/sh","-c"]
args: [ 'HELM_CACHE_HOME=/tmp helm plugin install https://github.com/lib42/helm-heqet ; sed -i "s/bin\/bash\$/bin\/sh/" /helm-working-dir/plugins/helm-heqet/heqet.sh ; /var/run/argocd/argocd-cmp-server' ]
image: lib42/heqet-cli:latest
imagePullPolicy: Always
env:
- name: HELM_CACHE_HOME
value: /helm-working-dir
- name: HELM_CONFIG_HOME
value: /helm-working-dir
- name: HELM_DATA_HOME
value: /helm-working-dir
securityContext:
runAsNonRoot: true
runAsUser: 999
volumeMounts:
- mountPath: /var/run/argocd
name: var-files
- mountPath: /home/argocd/cmp-server/plugins
name: plugins
- mountPath: /tmp
name: tmp
- mountPath: /helm-working-dir
name: helm-working-dir
## Repo server rbac rules
# rbac:
# - apiGroups:
# - argoproj.io
# resources:
# - applications
# verbs:
# - get
# - list
# - watch
configs:
secret:
createSecret: false