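---
## Argo CD Helm chart values for the avroid.tech cluster.
## Ref: https://github.com/argoproj/argo-cd
##
## NOTE(review) comments mark points that cannot be confirmed from this file
## alone and should be re-checked against the deployed configuration.

## Globally shared configuration
global:
  # -- Default domain used by all components
  ## Used for ingresses, certificates, SSO, notifications, etc.
  domain: argocd.avroid.tech

  # Default image used by all components
  image:
    # -- If defined, a repository applied to all Argo CD deployments
    ## Pulled through the in-house Harbor proxy rather than quay.io directly.
    ## The anchors on `repository` and `tag` are not aliased anywhere in this
    ## file; the CMP sidecar below reaches these values via Helm templating.
    repository: &global-image-repository "harbor.avroid.tech/quay-proxy/argoproj/argocd"
    # -- Overrides the global Argo CD image tag whose default is the chart appVersion
    tag: &global-image-tag "v2.14.2"

  # -- Default node selector for all components
  nodeSelector:
    node-role.kubernetes.io/worker: ""

## Argo Configs
configs:
  # General Argo CD configuration
  ## Ref: https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/argocd-cm.yaml
  cm:
    # Dex configuration: a single LDAP connector.
    # `$dex.ldap.bindDN` / `$dex.ldap.bindPW` are resolved by Argo CD from keys of
    # the same name in argocd-secret; those keys are not defined in this file.
    dex.config: |
      connectors:
        - type: ldap
          name: avroid.tech
          id: ldap_avroid_tech
          config:
            # Ldap server address (LDAPS port)
            host: "ds-01.avroid.tech:636"
            insecureNoSSL: false
            # NOTE(review): server certificate verification is disabled, so the
            # bind credentials and every user password Dex forwards are exposed
            # to anyone able to intercept the LDAPS session. Prefer
            # `insecureSkipVerify: false` with `rootCA` / `rootCAData` pointing
            # at the directory's issuing CA.
            insecureSkipVerify: true
            # Variable name stores ldap bindDN in argocd-secret
            bindDN: "$dex.ldap.bindDN"
            # Variable name stores ldap bind password in argocd-secret
            bindPW: "$dex.ldap.bindPW"
            usernamePrompt: Username
            # Ldap user search attributes
            userSearch:
              baseDN: cn=users,cn=accounts,dc=avroid,dc=tech
              filter: "(objectClass=inetorgperson)"
              username: uid
              idAttr: uid
              emailAttr: mail
            # Ldap group search attributes
            groupSearch:
              baseDN: cn=groups,cn=accounts,dc=avroid,dc=tech
              filter: "(|(objectClass=posixGroup)(objectClass=groupOfNames))"
              userMatchers:
                - userAttr: DN
                  groupAttr: member
              # Represents group name (the value the RBAC `g` lines below match on).
              nameAttr: cn

  # Argo CD configuration parameters
  ## Ref: https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/argocd-cmd-params-cm.yaml
  params:
    ## Server properties
    # -- Run server without TLS
    ## NOTE: This value should be set when you generate params by other means as it changes ports used by ingress template.
    ## NOTE(review): `server.ingress` below enables nginx `ssl-passthrough`, which
    ## hands the raw TLS connection to argocd-server, while this flag makes that
    ## server listen for plain HTTP. Confirm the combination works in this
    ## cluster; the upstream ingress docs pair passthrough with
    ## `server.insecure: false` and TLS termination at the ingress with `true`.
    server.insecure: true

  # Argo CD RBAC policy configuration
  ## Ref: https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/rbac.md
  rbac:
    # -- The name of the default role which Argo CD falls back to, when authorizing API requests (optional).
    # If omitted or empty, users may still be able to login, but will see no apps, projects, etc...
    ## Deny by default: an authenticated LDAP user with no matching `g` line gets nothing.
    policy.default: 'role:deny'
    # -- File containing user-defined policies and role definitions.
    # @default -- `''` (See [values.yaml])
    ## `role:devops-admin` is effectively a full-admin role (it includes `exec`
    ## into pods and `accounts` management) and is bound to one LDAP group,
    ## `grp-admin-devops`, matched by the group's `cn` (see `nameAttr` above).
    policy.csv: |
      p, role:devops-admin, applications, *, */*, allow
      p, role:devops-admin, applicationsets, *, */*, allow
      p, role:devops-admin, clusters, *, *, allow
      p, role:devops-admin, projects, *, *, allow
      p, role:devops-admin, repositories, *, *, allow
      p, role:devops-admin, accounts, *, *, allow
      p, role:devops-admin, certificates, *, *, allow
      p, role:devops-admin, gpgkeys, *, *, allow
      p, role:devops-admin, logs, *, *, allow
      p, role:devops-admin, exec, *, */*, allow
      p, role:devops-admin, extensions, *, */*, allow
      g, grp-admin-devops, role:devops-admin
    # Policy rules are in the form:
    #  p, subject, resource, action, object, effect
    # Role definitions and bindings are in the form:
    #  g, subject, inherited-subject
    # policy.csv: |
    #   p, role:org-admin, applications, *, */*, allow
    #   p, role:org-admin, clusters, get, *, allow
    #   p, role:org-admin, repositories, *, *, allow
    #   p, role:org-admin, logs, get, *, allow
    #   p, role:org-admin, exec, create, */*, allow
    #   g, your-github-org:your-team, role:org-admin

  # -- Repositories list to be used by applications
  ## Creates a secret for each key/value specified below to create repositories
  ## Note: the last example in the list would use a repository credential template, configured under "configs.repositoryCredentials".
  repositories:
    argocd-git-server:
      url: https://git.avroid.tech/K8s/k8s-configs.git
      name: prod_agrocd_configuration_repo
      type: git
      # NOTE(review): the chart appears to write these values verbatim into the
      # repository Secret; confirm which step substitutes the `$...` placeholders.
      username: $git.repo.username
      password: $git.repo.password
    # istio-helm-repo:
    #   url: https://storage.googleapis.com/istio-prerelease/daily-build/master-latest-daily/charts
    #   name: istio.io
    #   type: helm
    # private-helm-repo:
    #   url: https://my-private-chart-repo.internal
    #   name: private-repo
    #   type: helm
    #   password: my-password
    #   username: my-username
    # private-repo:
    #   url: https://github.com/argoproj/private-repo

  # Argo CD sensitive data
  # Ref: https://argo-cd.readthedocs.io/en/stable/operator-manual/user-management/#sensitive-data-and-sso-client-secrets
  secret:
    # -- Bcrypt hashed admin password
    ## Argo expects the password in the secret to be bcrypt hashed. You can create this hash with
    ## `htpasswd -nbBC 10 "" $ARGO_PWD | tr -d ':\n' | sed 's/$2y/$2a/'`
    ## NOTE(review): once rendered this must be the bcrypt hash itself; confirm
    ## which step substitutes `$admin.password`.
    argocdServerAdminPassword: $admin.password

## Dex
## NOTE(review): in the version reviewed the `image:` block below followed
## `configs.secret` with no `dex:` parent; the chart only reads the Dex image
## from `dex.image`, so it is placed here — verify against the deployed file.
dex:
  ## Dex image
  image:
    # -- Dex image repository
    repository: harbor.avroid.tech/quay-proxy/dexidp/dex

## Redis-HA subchart replaces custom redis deployment when `redis-ha.enabled=true`
# Ref: https://github.com/DandyDeveloper/charts/blob/master/charts/redis-ha/values.yaml
redis-ha:
  # -- Enables the Redis HA subchart and disables the custom Redis single node deployment
  enabled: true

## Server
server:
  ## Argo CD server Horizontal Pod Autoscaler
  autoscaling:
    # -- Enable Horizontal Pod Autoscaler ([HPA]) for the Argo CD server
    enabled: true
    # -- Minimum number of replicas for the Argo CD server [HPA]
    minReplicas: 2

  # Argo CD server ingress configuration
  ingress:
    # -- Enable an ingress resource for the Argo CD server
    enabled: true
    # -- Additional ingress annotations
    ## Ref: https://argo-cd.readthedocs.io/en/stable/operator-manual/ingress/#option-1-ssl-passthrough
    annotations:
      nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
      nginx.ingress.kubernetes.io/ssl-passthrough: "true"
    # -- Defines which ingress controller will implement the resource
    ingressClassName: "nginx"
    # -- Enable TLS configuration for the hostname defined at `server.ingress.hostname`
    ## TLS certificate will be retrieved from a TLS secret `argocd-server-tls`
    ## You can create this secret via `certificate` or `certificateSecret` option
    ## NOTE(review): neither `server.certificate` nor `server.certificateSecret`
    ## is set in this file, so `argocd-server-tls` has to be provisioned
    ## out-of-band — confirm it exists.
    tls: true

## Repo Server
repoServer:
  ## Repo server Horizontal Pod Autoscaler
  autoscaling:
    # -- Enable Horizontal Pod Autoscaler ([HPA]) for the repo server
    enabled: true
    # -- Minimum number of replicas for the repo server [HPA]
    minReplicas: 2

  # -- Additional containers to be added to the repo server pod
  ## Ref: https://argo-cd.readthedocs.io/en/stable/user-guide/config-management-plugins/
  ## Note: Supports use of custom Helm templates
  extraContainers:
    # argocd-vault-plugin as a Config Management Plugin sidecar. The plugin
    # binary is supplied by the `download-tools` init container through the
    # `custom-tools` volume; its plugin.yaml comes from the `cmp-plugin` ConfigMap.
    - name: avp
      command: [/var/run/argocd/argocd-cmp-server]
      image: "{{ .Values.global.image.repository }}:{{ .Values.global.image.tag }}"
      securityContext:
        runAsNonRoot: true
        runAsUser: 999
        # NOTE(review): the sidecar renders manifests from repository content;
        # consider also `allowPrivilegeEscalation: false` and
        # `capabilities: {drop: [ALL]}` so it carries no more privilege than
        # the repo-server container.
      volumeMounts:
        - mountPath: /var/run/argocd
          name: var-files
        - mountPath: /home/argocd/cmp-server/plugins
          name: plugins
        - mountPath: /tmp
          name: tmp
        # Register plugins into sidecar
        - mountPath: /home/argocd/cmp-server/config/plugin.yaml
          subPath: avp.yaml
          name: cmp-plugin
        # Important: Mount tools into $PATH
        - name: custom-tools
          subPath: argocd-vault-plugin
          mountPath: /usr/local/bin/argocd-vault-plugin

  # -- Init containers to add to the repo server pods
  initContainers:
    - name: download-tools
      # NOTE(review): no tag, so this pulls the floating `latest` ubi8 image;
      # pin a tag or digest for reproducible rollouts.
      image: registry.access.redhat.com/ubi8
      env:
        - name: AVP_VERSION
          value: "1.18.1"
      command: [sh, -c]
      # `$(AVP_VERSION)` is expanded by Kubernetes from the env above.
      # `curl -f` fails on an HTTP error instead of saving the error page as
      # the "binary" and letting `chmod`/`mv` succeed on it.
      # NOTE(review): the download is not integrity-checked; verify a pinned
      # sha256 taken from the upstream release before the `mv`, e.g.
      #   echo "<EXPECTED_SHA256>  argocd-vault-plugin" | sha256sum -c -
      args:
        - >-
          curl -fL https://nexus.avroid.tech/repository/devops-raw-proxy-gitea/argoproj-labs/argocd-vault-plugin/releases/download/v$(AVP_VERSION)/argocd-vault-plugin_$(AVP_VERSION)_linux_amd64
          -o argocd-vault-plugin &&
          chmod +x argocd-vault-plugin &&
          mv argocd-vault-plugin /custom-tools/
      volumeMounts:
        - mountPath: /custom-tools
          name: custom-tools

  # -- Additional volumes to the repo server pod
  volumes:
    - name: cmp-plugin
      configMap:
        name: cmp-plugin
    - name: custom-tools
      emptyDir: {}

  # -- Automount API credentials for the Service Account into the pod.
  ## NOTE(review): the projected token is mounted into every container of the
  ## pod, the `avp` sidecar included; confirm the plugin needs it (e.g. for a
  ## Kubernetes auth backend) — otherwise set this to false.
  automountServiceAccountToken: true

## ApplicationSet controller
applicationSet:
  # -- The number of ApplicationSet controller pods to run
  replicas: 2

## Notifications controller
## NOTE(review): in the version reviewed `notifiers`/`subscriptions`/`templates`/
## `triggers` appeared without a `notifications:` parent; the chart only reads
## them under that key, so they are placed here — verify against the deployed file.
notifications:
  # -- Configures notification services such as slack, email or custom webhook
  # @default -- See [values.yaml]
  ## For more information: https://argo-cd.readthedocs.io/en/stable/operator-manual/notifications/services/overview/
  notifiers:
    # `$telegram-token` is resolved from argocd-notifications-secret, which is
    # not defined in this file.
    service.telegram: |
      token: $telegram-token

  # -- Contains centrally managed global application subscriptions
  ## For more information: https://argo-cd.readthedocs.io/en/stable/operator-manual/notifications/subscriptions/
  ## `triggers` entries must be trigger names (the `trigger.*` keys below without
  ## the prefix), not template names.
  subscriptions:
    - recipients:
        # warning channel
        - "telegram:-1001685938630"
      triggers:
        - on-sync-status-unknown
        # Was `app-deployed`, which is a template name and matches no trigger,
        # so deploy notifications never reached this channel.
        - on-deployed
        - on-sync-succeeded
    - recipients:
        # critical channel
        - "telegram:-1001997104886"
      triggers:
        - on-health-degraded
        - on-sync-failed

  # -- The notification template is used to generate the notification content
  ## For more information: https://argo-cd.readthedocs.io/en/stable/operator-manual/notifications/templates/
  ## Only the telegram service is configured above, so the `eq .serviceType "slack"`
  ## branches never fire; they are kept for parity with the upstream examples.
  templates:
    template.app-deployed: |
      email:
        subject: New version of an application {{.app.metadata.name}} is up and running.
      message: |
        {{if eq .serviceType "slack"}}:white_check_mark:{{end}} Application {{.app.metadata.name}} is now running new version of deployments manifests.
    template.app-health-degraded: |
      email:
        subject: Application {{.app.metadata.name}} has degraded.
      message: |
        {{if eq .serviceType "slack"}}:exclamation:{{end}} Application {{.app.metadata.name}} has degraded.
        Application details: {{.context.argocdUrl}}/applications/{{.app.metadata.name}}.
    template.app-sync-failed: |
      email:
        subject: Failed to sync application {{.app.metadata.name}}.
      message: |
        {{if eq .serviceType "slack"}}:exclamation:{{end}} The sync operation of application {{.app.metadata.name}} has failed at {{.app.status.operationState.finishedAt}} with the following error: {{.app.status.operationState.message}}
        Sync operation details are available at: {{.context.argocdUrl}}/applications/{{.app.metadata.name}}?operation=true .
    template.app-sync-running: |
      email:
        subject: Start syncing application {{.app.metadata.name}}.
      message: |
        The sync operation of application {{.app.metadata.name}} has started at {{.app.status.operationState.startedAt}}.
        Sync operation details are available at: {{.context.argocdUrl}}/applications/{{.app.metadata.name}}?operation=true .
    template.app-sync-status-unknown: |
      email:
        subject: Application {{.app.metadata.name}} sync status is 'Unknown'
      message: |
        {{if eq .serviceType "slack"}}:exclamation:{{end}} Application {{.app.metadata.name}} sync is 'Unknown'.
        Application details: {{.context.argocdUrl}}/applications/{{.app.metadata.name}}.
        {{if ne .serviceType "slack"}}
        {{range $c := .app.status.conditions}}
            * {{$c.message}}
        {{end}}
        {{end}}
    template.app-sync-succeeded: |
      email:
        subject: Application {{.app.metadata.name}} has been successfully synced.
      message: |
        {{if eq .serviceType "slack"}}:white_check_mark:{{end}} Application {{.app.metadata.name}} has been successfully synced at {{.app.status.operationState.finishedAt}}.
        Sync operation details are available at: {{.context.argocdUrl}}/applications/{{.app.metadata.name}}?operation=true .

  # -- The trigger defines the condition when the notification should be sent
  ## For more information: https://argo-cd.readthedocs.io/en/stable/operator-manual/notifications/triggers/
  triggers:
    trigger.on-deployed: |
      - description: Application is synced and healthy. Triggered once per commit.
        oncePer: app.status.sync.revision
        send:
          - app-deployed
        when: app.status.operationState.phase in ['Succeeded'] and app.status.health.status == 'Healthy'
    trigger.on-health-degraded: |
      - description: Application has degraded
        send:
          - app-health-degraded
        when: app.status.health.status == 'Degraded'
    trigger.on-sync-failed: |
      - description: Application syncing has failed
        send:
          - app-sync-failed
        when: app.status.operationState.phase in ['Error', 'Failed']
    trigger.on-sync-running: |
      - description: Application is being synced
        send:
          - app-sync-running
        when: app.status.operationState.phase in ['Running']
    trigger.on-sync-status-unknown: |
      - description: Application status is 'Unknown'
        send:
          - app-sync-status-unknown
        when: app.status.sync.status == 'Unknown'
    trigger.on-sync-succeeded: |
      - description: Application syncing has succeeded
        send:
          - app-sync-succeeded
        when: app.status.operationState.phase in ['Succeeded']
  #
  # For more information: https://argo-cd.readthedocs.io/en/stable/operator-manual/notifications/triggers/#default-triggers
  # defaultTriggers: |
  #   - on-sync-status-unknown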