[DO-1431] deploy ArgoCD (!6)

DO-1431

Co-authored-by: denis.patrakeev <denis.patrakeev@avroid.tech>
Reviewed-on: https://git.avroid.tech/K8s/k8s-configs/pulls/6

.editorconfig

@@ -0,0 +1,23 @@
+# EditorConfig is awesome: https://editorconfig.org
+
+# top-most EditorConfig file
+root = true
+
+# Unix-style newlines with a newline ending every file
+[*]
+end_of_line          = lf
+insert_final_newline = true
+charset              = utf-8
+
+[*.sh]
+# like -i=4
+indent_style = space
+indent_size  = 4
+
+# --language-variant
+shell_variant      = bash
+binary_next_line   = true
+# --case-indent
+switch_case_indent = true
+space_redirects    = true
+keep_padding       = true

.gitea/pull_request_template.md

@@ -0,0 +1,13 @@
+---
+
+name: "Feature PR"
+about: "Template feature PR"
+title: "[DO-XXXX] New feature"
+ref: "main"
+assignees: ["svc-gitea-k8s-w"]
+labels:
+- "kind/Feature"
+
+---
+
+[DO-XXXX]

.gitea/workflows/check-shellscripts.yml

@@ -0,0 +1,44 @@
+---
+name: Check ShellScripts
+run-name: ${{ gitea.actor }} is start check shellscripts
+on: [pull_request]
+
+jobs:
+  shellscripts:
+    name: Check shellscripts by shellcheck
+    runs-on: docker
+    container:
+      image: harbor.avroid.tech/docker-hub-proxy/library/node:20
+    steps:
+      - run: echo "Start job on ${{ runner.name }} with os ${{ runner.os }}"
+      - run: echo "Work with branch ${{ gitea.ref }} repository ${{ gitea.repository }}"
+
+      - name: Check out repository code
+        uses: https://git-mirrors.avroid.tech/Mirrors-actions/checkout.git@v4
+
+      - name: Check shellscripts by shellcheck
+        uses: https://git-mirrors.avroid.tech/Mirrors-actions/action-shellcheck.git@2.0.0
+
+  shfmt:
+    name: Check shellscript formatting
+    runs-on: docker
+    container:
+      image: harbor.avroid.tech/docker-hub-proxy/library/node:20
+    steps:
+      - run: echo "Start job on ${{ runner.name }} with os ${{ runner.os }}"
+      - run: echo "Work with branch ${{ gitea.ref }} repository ${{ gitea.repository }}"
+
+      - name: Check out repository code
+        uses: https://git-mirrors.avroid.tech/Mirrors-actions/checkout.git@v4
+
+      - name: Install Golang
+        uses: https://git-mirrors.avroid.tech/Mirrors-actions/setup-go.git@v5
+        with:
+          go-version: '1.22'
+          check-latest: true
+
+      - name: Install shfmt
+        run: go install mvdan.cc/sh/v3/cmd/shfmt@latest
+
+      - name: Check shellscripts by shfmt
+        run: shfmt -d .

.gitignore

@@ -0,0 +1,37 @@
+# ---> Ansible
+*.retry
+.vault_password_file
+ansible_collections
+
+# ---> JetBrains
+# Covers JetBrains IDEs: IntelliJ, RubyMine, PhpStorm, AppCode, PyCharm, CLion, Android Studio, WebStorm and Rider
+# Reference: https://intellij-support.jetbrains.com/hc/en-us/articles/206544839
+.idea
+
+# File-based project format
+*.iws
+
+# ---> VisualStudioCode
+.vscode
+.history/
+*.vsix
+**/.DS_Store
+
+
+# Other
+.vagrant
+
+.venv
+venv*
+.kubespray-venv
+kubespray-venv*
+**/.kubespray-venv
+**/kubespray-venv*
+
+__pycache__
+*~
+*.log
+._*
+
+.creds
+.secrets

clusters/k8s-avroid-office.prod.local/namespaces/argocd/README.md

@@ -0,0 +1,39 @@
+# Argo CD
+
+## Project structure
+```text
+.
+├── README.md
+├── argocd-namespace.yaml
+├── .rbac
+├── argo-cd
+│   ├── README.md
+│   ├── values-override.yml
+│   ├── argocd_values_secrets_init.sh
+│   └── .rbac
+└── argocd-apps
+    ├── README.md
+    └── values-override.yml
+
+Назначение:
+argo-cd - Helm-чарт для установки Argo CD
+argocd-apps - Helm-чарт для развёртывания в Argo CD "корневого" приложения, которое будет разворачивать остальные приложения
+argocd-namespace.yaml - манифест для создания namespace Argo CD
+.rbac - кастомные правила для RBAC 
+```
+## First install
+Порядок развёртывания Argo CD:
+1. Настраиваем для работы файл конфигурации kubectl для подключения к кластеру Kubernetes
+
+2. Готовим namespace:
+```bash
+kubectl apply -f argocd-namespace.yaml
+```
+
+2. Разворачиваем Argo CD
+
+[README.md](argo-cd/README.md)
+
+3. Разворачиваем "корневое" приложение в Argo CD
+
+[README.md](argocd-apps/README.md)

clusters/k8s-avroid-office.prod.local/namespaces/argocd/argo-cd/.rbac/vault-service-account.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/name: serviceaccount
+    app.kubernetes.io/instance: vault-sa
+    app.kubernetes.io/component: rbac
+    app.kubernetes.io/created-by: vault-operator
+    app.kubernetes.io/part-of: vault-operator
+    app.kubernetes.io/managed-by: kustomize
+  name: vault
+  namespace: argocd

clusters/k8s-avroid-office.prod.local/namespaces/argocd/argo-cd/README.md

@@ -0,0 +1,120 @@
+# Install Argo CD by [argo-cd in argo-helm](https://github.com/argoproj/argo-helm/tree/main/charts/argo-cd) 
+
+## Create from version
+| Project             | Version |
+|---------------------|---------|
+| ArgoCD Helm         | 7.8.2   |
+| ArgoCD              | v2.14.2 |
+| ArgoCD Vault Plugin | 1.18.1  |
+
+
+## Plugins
+1. Argo CD Vault Plugin
+
+https://argocd-vault-plugin.readthedocs.io/en/stable/installation/#initcontainer-and-configuration-via-sidecar
+
+https://github.com/argoproj-labs/argocd-vault-plugin/tree/main/manifests/cmp-sidecar
+
+https://habr.com/ru/articles/645773/
+
+
+## Install
+Настраиваем для работы файл конфигурации kubectl для подключения к кластеру Kubernetes
+
+Готовим служебную УЗ для vault:
+```bash
+kubectl apply -f .rbac/vault-service-account.yaml
+```
+
+Получаем из Vault секреты с паролями/токенами/сертификатами и выгружаем в окружение оболочки:
+```bash
+./argocd_values_secrets_init.sh
+
+source .creds
+```
+
+Создаём секрет с сертификатами:
+```bash
+kubectl -n argocd create secret tls argocd-server-tls \
+  --cert=.secrets/argocd_cert.pem \
+  --key=.secrets/argocd_key.pem
+```
+
+Добавляем конфигурацию для плагина ArgoCD Vault:
+```bash
+kubectl -n argocd apply -f .secrets/argocd-vault-plugin-configmap.yaml
+kubectl -n argocd apply -f .secrets/argocd-vault-plugin-secret.yaml
+```
+
+И производим непосредственную установку ArgoCD:
+
+```bash
+helm repo add argo https://argoproj.github.io/argo-helm
+helm repo update
+
+helm install -n argocd argo-cd argo/argo-cd -f values-override.yaml \
+  --set configs.secret.argocdServerAdminPassword=$ARGOCD_ADMIN_PASSWORD_HASH \
+  --set configs.repositories.argocd-git-server.username=$ARGOCD_GIT_REPO_USER \
+  --set configs.repositories.argocd-git-server.password=$ARGOCD_GIT_REPO_USER_PASSWORD
+```
+
+Подпихиваем в секрет `argocd-secret` необходимые для конфигурации секреты:
+```bash
+kubectl -n argocd patch --patch-file .secrets/argocd-secret-path.yaml secret argocd-secret
+```
+
+
+
+## Upgrade/Changes
+Обновление настроек и чарта делаем так:
+
+В начале сравниваем содержимое `values-override.yaml` с исходным файлом `values.yaml`
+(ссылка на исходную версию зафиксирована в заголовке `values-override.yaml`) через diff (IDE лучше).
+Или с новой версией `values.yaml` в Helm-чарте.
+Вносим необходимые правки, новые опции или добавляем секреты.
+
+Получаем из Vault секреты с паролями/токенами/сертификатами и выгружаем в окружение оболочки:
+```bash
+./argocd_values_secrets_init.sh
+
+source .creds
+```
+
+Создаём секрет с сертификатами:
+```bash
+kubectl -n argocd create secret tls argocd-server-tls \
+  --cert=.secrets/argocd_cert.pem \
+  --key=.secrets/argocd_key.pem
+```
+
+Добавляем конфигурацию для плагина ArgoCD Vault:
+```bash
+kubectl -n argocd apply -f .secrets/argocd-vault-plugin-configmap.yaml
+kubectl -n argocd apply -f .secrets/argocd-vault-plugin-secret.yaml
+```
+
+Подпихиваем в секрет argocd-secret необходимые для конфигурации секреты:
+```bash
+kubectl -n argocd patch --patch-file .secrets/argocd-secret-path.yaml secret argocd-secret
+```
+
+Затем применяем:
+```bash
+helm upgrade -n argocd argo-cd argo/argo-cd -f values-override.yaml \
+  --set configs.secret.argocdServerAdminPassword=$ARGOCD_ADMIN_PASSWORD_HASH \
+  --set configs.repositories.argocd-git-server.username=$ARGOCD_GIT_REPO_USER \
+  --set configs.repositories.argocd-git-server.password=$ARGOCD_GIT_REPO_USER_PASSWORD
+```
+
+## Установка и использование CLI Argo CD на локальной машине
+https://argo-cd.readthedocs.io/en/stable/cli_installation
+
+MacOS:
+```bash
+brew install argocd
+```
+
+Использование:
+```bash
+argocd login argocd.avroid.tech
+```

clusters/k8s-avroid-office.prod.local/namespaces/argocd/argo-cd/argocd_values_secrets_init.sh

@@ -0,0 +1,102 @@
+#!/bin/sh
+set -e
+
+rm -rf .creds .secrets
+
+argocd_admin_password=$(vault kv get team-devops/services/ci-cd/ArgoCD/argocd.avroid.tech | grep service.user.admin.password | awk '{print $2}')
+
+# shellcheck disable=SC2016
+argocd_admin_password_hash=$(htpasswd -nbBC 10 "" "${argocd_admin_password}" | tr -d ':\n' | sed 's/$2y/$2a/')
+
+argocd_ldap_binddn=$(vault kv get team-devops/accounts/ldap/service_accounts/svc_argocd | grep dn | awk '{print $2}')
+argocd_ldap_binddn_password=$(vault kv get team-devops/accounts/ldap/service_accounts/svc_argocd | grep password | awk '{print $2}')
+
+argocd_tg_token=$(vault kv get team-devops/accounts/bots/telegram/alertmanager | grep bot.avroid_alerts_bot.token | awk '{print $2}')
+
+argocd_repo_user=$(vault kv get team-devops/accounts/ldap/service_accounts/svc_argocd | grep login | awk '{print $2}')
+argocd_repo_password=$(vault kv get team-devops/accounts/ldap/service_accounts/svc_argocd | grep password | awk '{print $2}')
+
+argocd_cert_key=$(vault kv get -field="certificate.key" team-devops/ssl/avroid.tech/wildcard.avroid.tech)
+argocd_cert_data=$(vault kv get -field="certificate_fullchain.crt" team-devops/ssl/avroid.tech/wildcard.avroid.tech)
+
+argocd_avp_role_id=$(vault kv get team-devops/services/ci-cd/ArgoCD/argocd.avroid.tech | grep service.argocd_vault_plugin.vault.env.AVP_ROLE_ID | awk '{print $2}')
+argocd_avp_secret_id=$(vault kv get team-devops/services/ci-cd/ArgoCD/argocd.avroid.tech | grep service.argocd_vault_plugin.vault.env.AVP_SECRET_ID | awk '{print $2}')
+
+cat > .creds << EOF
+export ARGOCD_ADMIN_PASSWORD='${argocd_admin_password}'
+export ARGOCD_ADMIN_PASSWORD_HASH='${argocd_admin_password_hash}'
+export ARGOCD_GIT_REPO_USER='${argocd_repo_user}'
+export ARGOCD_GIT_REPO_USER_PASSWORD='${argocd_repo_password}'
+EOF
+
+mkdir .secrets
+
+cat > .secrets/argocd_key.pem << EOF
+${argocd_cert_key}
+EOF
+
+cat > .secrets/argocd_cert.pem << EOF
+${argocd_cert_data}
+EOF
+
+cat > .secrets/argocd-secret-path.yaml << EOF
+apiVersion: v1
+kind: Secret
+metadata:
+  name: argocd-secret
+  namespace: argocd
+type: Opaque
+stringData:
+  admin.password: ${argocd_admin_password_hash}
+  dex.ldap.bindDN: ${argocd_ldap_binddn}
+  dex.ldap.bindPW: ${argocd_ldap_binddn_password}
+  telegram-token: ${argocd_tg_token}
+EOF
+
+cat > .secrets/argocd-vault-plugin-configmap.yaml << EOF
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: cmp-plugin
+  namespace: argocd
+data:
+  avp.yaml: |
+    apiVersion: argoproj.io/v1alpha1
+    kind: ConfigManagementPlugin
+    metadata:
+      name: argocd-vault-plugin
+    spec:
+      allowConcurrency: true
+      discover:
+        find:
+          command:
+            - sh
+            - "-c"
+            - "find . -name '*.yaml' | xargs -I {} grep \"<path\\\\|avp\\\\.kubernetes\\\\.io\" {} | grep ."
+      generate:
+        command:
+          - argocd-vault-plugin
+          - generate
+          - "."
+      lockRepo: false
+EOF
+
+cat > .secrets/argocd-vault-plugin-secret.yaml << EOF
+apiVersion: v1
+kind: Secret
+metadata:
+  name: argocd-vault-plugin-credentials
+  namespace: argocd
+type: Opaque
+stringData:
+  AVP_AUTH_TYPE: approle
+  AVP_TYPE: vault
+  VAULT_ADDR: "https://vault.avroid.tech"
+  AVP_ROLE_ID: ${argocd_avp_role_id}
+  AVP_SECRET_ID: ${argocd_avp_secret_id}
+EOF
+
+echo "Run:"
+echo '  1. source .creds'
+echo '  2. kubectl -n argocd apply -f .secrets/argocd-vault-plugin-configmap.yaml'
+echo '  3. kubectl -n argocd apply -f .secrets/argocd-vault-plugin-secret.yaml'

clusters/k8s-avroid-office.prod.local/namespaces/argocd/argo-cd/values-override.yaml

@@ -0,0 +1,346 @@
+## Argo CD configuration
+## Ref: https://github.com/argoproj/argo-cd
+##
+
+## Globally shared configuration
+global:
+  # -- Default domain used by all components
+  ## Used for ingresses, certificates, SSO, notifications, etc.
+  domain: argocd.avroid.tech
+
+  # Default image used by all components
+  image:
+    # -- If defined, a repository applied to all Argo CD deployments
+    repository: &global-image-repository "harbor.avroid.tech/quay-proxy/argoproj/argocd"
+    # -- Overrides the global Argo CD image tag whose default is the chart appVersion
+    tag: &global-image-tag "v2.14.2"
+
+  # -- Default node selector for all components
+  nodeSelector:
+    node-role.kubernetes.io/worker: ""
+
+## Argo Configs
+configs:
+  # General Argo CD configuration
+  ## Ref: https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/argocd-cm.yaml
+  cm:
+    # Dex configuration
+    dex.config: |
+      connectors:
+        - type: ldap
+          name:  avroid.tech
+          id: ldap_avroid_tech
+          config:
+            # Ldap server address
+            host: "ds-01.avroid.tech:636"
+            insecureNoSSL: false
+            insecureSkipVerify: true
+            # Variable name stores ldap bindDN in argocd-secret
+            bindDN: "$dex.ldap.bindDN"
+            # Variable name stores ldap bind password in argocd-secret
+            bindPW: "$dex.ldap.bindPW"
+            usernamePrompt: Username
+            # Ldap user serch attributes
+            userSearch:
+              baseDN: cn=users,cn=accounts,dc=avroid,dc=tech
+              filter: "(objectClass=inetorgperson)"
+              username: uid
+              idAttr: uid
+              emailAttr: mail
+            # Ldap group serch attributes
+            groupSearch:
+              baseDN: cn=groups,cn=accounts,dc=avroid,dc=tech
+              filter: "(|(objectClass=posixGroup)(objectClass=groupOfNames))"
+              userMatchers:
+              - userAttr: DN
+                groupAttr: member
+            # Represents group name.
+              nameAttr: cn
+
+  # Argo CD configuration parameters
+  ## Ref: https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/argocd-cmd-params-cm.yaml
+  params:
+    ## Server properties
+    # -- Run server without TLS
+    ## NOTE: This value should be set when you generate params by other means as it changes ports used by ingress template.
+    server.insecure: true
+
+  # Argo CD RBAC policy configuration
+  ## Ref: https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/rbac.md
+  rbac:
+    # -- The name of the default role which Argo CD will falls back to, when authorizing API requests (optional).
+    # If omitted or empty, users may be still be able to login, but will see no apps, projects, etc...
+    policy.default: 'role:deny'
+
+    # -- File containing user-defined policies and role definitions.
+    # @default -- `''` (See [values.yaml])
+    policy.csv: |
+      p, role:devops-admin, applications, *, */*, allow
+      p, role:devops-admin, applicationsets, *, */*, allow
+      p, role:devops-admin, clusters, *, *, allow
+      p, role:devops-admin, projects, *, *, allow
+      p, role:devops-admin, repositories, *, *, allow
+      p, role:devops-admin, accounts, *, *, allow
+      p, role:devops-admin, certificates, *, *, allow
+      p, role:devops-admin, gpgkeys, *, *, allow
+      p, role:devops-admin, logs, *, *, allow
+      p, role:devops-admin, exec, *, */*, allow
+      p, role:devops-admin, extensions, *, */*, allow
+      g, grp-admin-devops, role:devops-admin
+    # Policy rules are in the form:
+    #  p, subject, resource, action, object, effect
+    # Role definitions and bindings are in the form:
+    #  g, subject, inherited-subject
+    # policy.csv: |
+    #   p, role:org-admin, applications, *, */*, allow
+    #   p, role:org-admin, clusters, get, *, allow
+    #   p, role:org-admin, repositories, *, *, allow
+    #   p, role:org-admin, logs, get, *, allow
+    #   p, role:org-admin, exec, create, */*, allow
+    #   g, your-github-org:your-team, role:org-admin
+
+  # -- Repositories list to be used by applications
+  ## Creates a secret for each key/value specified below to create repositories
+  ## Note: the last example in the list would use a repository credential template, configured under "configs.repositoryCredentials".
+  repositories:
+    argocd-git-server:
+      url: https://git.avroid.tech/K8s/k8s-configs.git
+      name: prod_agrocd_configuration_repo
+      type: git
+      username: $git.repo.username
+      password: $git.repo.password
+    # istio-helm-repo:
+    #   url: https://storage.googleapis.com/istio-prerelease/daily-build/master-latest-daily/charts
+    #   name: istio.io
+    #   type: helm
+    # private-helm-repo:
+    #   url: https://my-private-chart-repo.internal
+    #   name: private-repo
+    #   type: helm
+    #   password: my-password
+    #   username: my-username
+    # private-repo:
+    #   url: https://github.com/argoproj/private-repo
+
+  # Argo CD sensitive data
+  # Ref: https://argo-cd.readthedocs.io/en/stable/operator-manual/user-management/#sensitive-data-and-sso-client-secrets
+  secret:
+    # -- Bcrypt hashed admin password
+    ## Argo expects the password in the secret to be bcrypt hashed. You can create this hash with
+    ## `htpasswd -nbBC 10 "" $ARGO_PWD | tr -d ':\n' | sed 's/$2y/$2a/'`
+    argocdServerAdminPassword: $admin.password
+
+  ## Dex image
+  image:
+    # -- Dex image repository
+    repository: harbor.avroid.tech/quay-proxy/dexidp/dex
+
+## Redis-HA subchart replaces custom redis deployment when `redis-ha.enabled=true`
+# Ref: https://github.com/DandyDeveloper/charts/blob/master/charts/redis-ha/values.yaml
+redis-ha:
+  # -- Enables the Redis HA subchart and disables the custom Redis single node deployment
+  enabled: true
+
+## Server
+server:
+  ## Argo CD server Horizontal Pod Autoscaler
+  autoscaling:
+    # -- Enable Horizontal Pod Autoscaler ([HPA]) for the Argo CD server
+    enabled: true
+    # -- Minimum number of replicas for the Argo CD server [HPA]
+    minReplicas: 2
+
+  # Argo CD server ingress configuration
+  ingress:
+    # -- Enable an ingress resource for the Argo CD server
+    enabled: true
+
+    # -- Additional ingress annotations
+    ## Ref: https://argo-cd.readthedocs.io/en/stable/operator-manual/ingress/#option-1-ssl-passthrough
+    annotations:
+      nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+      nginx.ingress.kubernetes.io/ssl-passthrough: "true"
+
+    # -- Defines which ingress controller will implement the resource
+    ingressClassName: "nginx"
+
+    # -- Enable TLS configuration for the hostname defined at `server.ingress.hostname`
+    ## TLS certificate will be retrieved from a TLS secret `argocd-server-tls`
+    ## You can create this secret via `certificate` or `certificateSecret` option
+    tls: true
+
+## Repo Server
+repoServer:
+  ## Repo server Horizontal Pod Autoscaler
+  autoscaling:
+    # -- Enable Horizontal Pod Autoscaler ([HPA]) for the repo server
+    enabled: true
+    # -- Minimum number of replicas for the repo server [HPA]
+    minReplicas: 2
+
+  # -- Additional containers to be added to the repo server pod
+  ## Ref: https://argo-cd.readthedocs.io/en/stable/user-guide/config-management-plugins/
+  ## Note: Supports use of custom Helm templates
+  extraContainers:
+    - name: avp
+      command: [/var/run/argocd/argocd-cmp-server]
+      image: "{{ .Values.global.image.repository }}:{{ .Values.global.image.tag }}"
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 999
+      volumeMounts:
+        - mountPath: /var/run/argocd
+          name: var-files
+        - mountPath: /home/argocd/cmp-server/plugins
+          name: plugins
+        - mountPath: /tmp
+          name: tmp
+        # Register plugins into sidecar
+        - mountPath: /home/argocd/cmp-server/config/plugin.yaml
+          subPath: avp.yaml
+          name: cmp-plugin
+        # Important: Mount tools into $PATH
+        - name: custom-tools
+          subPath: argocd-vault-plugin
+          mountPath: /usr/local/bin/argocd-vault-plugin
+
+  # -- Init containers to add to the repo server pods
+  initContainers:
+    - name: download-tools
+      image: registry.access.redhat.com/ubi8
+      env:
+        - name: AVP_VERSION
+          value: 1.18.1
+      command: [sh, -c]
+      args:
+        - >-
+          curl -L https://nexus.avroid.tech/repository/devops-raw-proxy-gitea/argoproj-labs/argocd-vault-plugin/releases/download/v$(AVP_VERSION)/argocd-vault-plugin_$(AVP_VERSION)_linux_amd64 -o argocd-vault-plugin &&
+          chmod +x argocd-vault-plugin &&
+          mv argocd-vault-plugin /custom-tools/
+      volumeMounts:
+        - mountPath: /custom-tools
+          name: custom-tools
+
+  # -- Additional volumes to the repo server pod
+  volumes:
+    - name: cmp-plugin
+      configMap:
+        name: cmp-plugin
+    - name: custom-tools
+      emptyDir: {}
+
+  # -- Automount API credentials for the Service Account into the pod.
+  automountServiceAccountToken: true
+
+## ApplicationSet controller
+applicationSet:
+  # -- The number of ApplicationSet controller pods to run
+  replicas: 2
+
+
+  # -- Configures notification services such as slack, email or custom webhook
+  # @default -- See [values.yaml]
+  ## For more information: https://argo-cd.readthedocs.io/en/stable/operator-manual/notifications/services/overview/
+  notifiers:
+    service.telegram: |
+      token: $telegram-token
+
+  # -- Contains centrally managed global application subscriptions
+  ## For more information: https://argo-cd.readthedocs.io/en/stable/operator-manual/notifications/subscriptions/
+  subscriptions:
+    - recipients:
+      # warning channel
+      - telegram:-1001685938630
+      triggers:
+      - on-sync-status-unknown
+      - app-deployed
+      - on-sync-succeeded
+    - recipients:
+      # critical channel
+      - telegram:-1001997104886
+      triggers:
+      - on-health-degraded
+      - on-sync-failed
+
+  # -- The notification template is used to generate the notification content
+  ## For more information: https://argo-cd.readthedocs.io/en/stable/operator-manual/notifications/templates/
+  templates:
+    template.app-deployed: |
+      email:
+        subject: New version of an application {{.app.metadata.name}} is up and running.
+      message: |
+        {{if eq .serviceType "slack"}}:white_check_mark:{{end}} Application {{.app.metadata.name}} is now running new version of deployments manifests.
+    template.app-health-degraded: |
+      email:
+        subject: Application {{.app.metadata.name}} has degraded.
+      message: |
+        {{if eq .serviceType "slack"}}:exclamation:{{end}} Application {{.app.metadata.name}} has degraded.
+        Application details: {{.context.argocdUrl}}/applications/{{.app.metadata.name}}.
+    template.app-sync-failed: |
+      email:
+        subject: Failed to sync application {{.app.metadata.name}}.
+      message: |
+        {{if eq .serviceType "slack"}}:exclamation:{{end}}  The sync operation of application {{.app.metadata.name}} has failed at {{.app.status.operationState.finishedAt}} with the following error: {{.app.status.operationState.message}}
+        Sync operation details are available at: {{.context.argocdUrl}}/applications/{{.app.metadata.name}}?operation=true .
+    template.app-sync-running: |
+      email:
+        subject: Start syncing application {{.app.metadata.name}}.
+      message: |
+        The sync operation of application {{.app.metadata.name}} has started at {{.app.status.operationState.startedAt}}.
+        Sync operation details are available at: {{.context.argocdUrl}}/applications/{{.app.metadata.name}}?operation=true .
+    template.app-sync-status-unknown: |
+      email:
+        subject: Application {{.app.metadata.name}} sync status is 'Unknown'
+      message: |
+        {{if eq .serviceType "slack"}}:exclamation:{{end}} Application {{.app.metadata.name}} sync is 'Unknown'.
+        Application details: {{.context.argocdUrl}}/applications/{{.app.metadata.name}}.
+        {{if ne .serviceType "slack"}}
+        {{range $c := .app.status.conditions}}
+            * {{$c.message}}
+        {{end}}
+        {{end}}
+    template.app-sync-succeeded: |
+      email:
+        subject: Application {{.app.metadata.name}} has been successfully synced.
+      message: |
+        {{if eq .serviceType "slack"}}:white_check_mark:{{end}} Application {{.app.metadata.name}} has been successfully synced at {{.app.status.operationState.finishedAt}}.
+        Sync operation details are available at: {{.context.argocdUrl}}/applications/{{.app.metadata.name}}?operation=true .
+
+  # -- The trigger defines the condition when the notification should be sent
+  ## For more information: https://argo-cd.readthedocs.io/en/stable/operator-manual/notifications/triggers/
+  triggers:
+    trigger.on-deployed: |
+      - description: Application is synced and healthy. Triggered once per commit.
+        oncePer: app.status.sync.revision
+        send:
+        - app-deployed
+        when: app.status.operationState.phase in ['Succeeded'] and app.status.health.status == 'Healthy'
+    trigger.on-health-degraded: |
+      - description: Application has degraded
+        send:
+        - app-health-degraded
+        when: app.status.health.status == 'Degraded'
+    trigger.on-sync-failed: |
+      - description: Application syncing has failed
+        send:
+        - app-sync-failed
+        when: app.status.operationState.phase in ['Error', 'Failed']
+    trigger.on-sync-running: |
+      - description: Application is being synced
+        send:
+        - app-sync-running
+        when: app.status.operationState.phase in ['Running']
+    trigger.on-sync-status-unknown: |
+      - description: Application status is 'Unknown'
+        send:
+        - app-sync-status-unknown
+        when: app.status.sync.status == 'Unknown'
+    trigger.on-sync-succeeded: |
+      - description: Application syncing has succeeded
+        send:
+        - app-sync-succeeded
+        when: app.status.operationState.phase in ['Succeeded']
+    #
+    # For more information: https://argo-cd.readthedocs.io/en/stable/operator-manual/notifications/triggers/#default-triggers
+    # defaultTriggers: |
+    #   - on-sync-status-unknown

clusters/k8s-avroid-office.prod.local/namespaces/argocd/argocd-apps/README.md

@@ -0,0 +1,45 @@
+# Install Argo CD by [argocd-apps in argo-helm](https://github.com/argoproj/argo-helm/tree/main/charts/argocd-apps) 
+
+## Create from version
+| Project             | Version |
+|---------------------|---------|
+| ArgoCD Helm         | 7.8.2   |
+
+
+
+## Common
+Используется подход управления приложениями через корневое приложение:
+
+[App of Apps Pattern](https://github.com/argoproj/argo-helm/tree/main/charts/argocd-apps)
+
+
+
+## Prepare install
+Предварительно должен быть развёрнут и настроен ArgoCD через оператора `argo-cd` из состава `ArgoCD Helm` (каталог с инструкцией и переменными `argo-cd`) 
+
+
+## Install
+Настраиваем для работы файл конфигурации kubectl для подключения к кластеру Kubernetes
+
+И производим непосредственную установку корневого приложения ArgoCD:
+
+```bash
+helm repo add argo https://argoproj.github.io/argo-helm
+helm repo update
+
+helm install -n argocd argocd-apps argo/argocd-apps -f values-override.yaml
+```
+
+
+## Upgrade/Changes
+Обновление настроек и чарта делаем так:
+
+В начале сравниваем содержимое `values-override.yaml` с исходным файлом `values.yaml`
+(ссылка на исходную версию зафиксирована в заголовке `values-override.yaml`) через diff (IDE лучше).
+Или с новой версией `values.yaml` в Helm-чарте.
+Вносим необходимые правки, новые опции или добавляем секреты.
+
+Затем применяем:
+```bash
+helm upgrade -n argocd argocd-apps argo/argocd-apps -f values-override.yaml
+```

clusters/k8s-avroid-office.prod.local/namespaces/argocd/argocd-apps/values-override.yaml

@@ -0,0 +1,37 @@
+# -- Deploy Argo CD Applications within this helm release
+# @default -- `{}` (See [values.yaml])
+## Ref: https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/
+applications:
+  root-app:
+    namespace: argocd
+    additionalLabels: {}
+    additionalAnnotations: {}
+    finalizers:
+    - resources-finalizer.argocd.argoproj.io
+    project: default
+    source:
+      repoURL: https://git.avroid.tech/K8s/k8s-configs.git
+      targetRevision: master
+      path: clusters/k8s-avroid-office.prod.local/namespaces
+      directory:
+        recurse: true
+        exclude: '*'
+        include: 'argocd-apps-*.yaml'
+    destination:
+      server: https://kubernetes.default.svc
+      namespace: argocd
+    syncPolicy:
+      automated:
+        prune: true
+        selfHeal: true
+      syncOptions:
+      - CreateNamespace=true
+      - Validate=true
+      - PrunePropagationPolicy=foreground
+      - PruneLast=true
+    retry:
+      limit: 5
+      backoff:
+        duration: 5s
+        factor: 2
+        maxDuration: 3m

clusters/k8s-avroid-office.prod.local/namespaces/argocd/argocd-namespace.yaml

@@ -0,0 +1,10 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: argocd
+  labels:
+    name: argocd
+    app.kubernetes.io/managed-by: manual
+  annotations:
+    scheduler.alpha.kubernetes.io/node-selector: node-role.kubernetes.io/worker=