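---
# Argo CD Application for the trivy-operator Helm chart.
# Two sources: the Git repo is used only as `$values` to supply the
# values-override file; the chart itself is pulled from the Nexus Helm proxy.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: trivy-operator
  namespace: argocd
  # Argo CD cascades deletion of the managed resources when the Application is deleted
  finalizers:
    - resources-finalizer.argocd.argoproj.io
spec:
  project: trivy-operator
  destination:
    server: https://kubernetes.default.svc
    namespace: avroid-prod
  sources:
    # NOTE(review): `master` is a mutable ref; with selfHeal enabled, anything
    # pushed to it is applied to production. Pin to a tag or commit SHA if that
    # is not intended.
    - repoURL: https://git.avroid.tech/K8s/k8s-configs.git
      targetRevision: master
      ref: values
    - repoURL: https://nexus.avroid.tech/repository/devops-helm-proxy-helm/
      chart: "aquasecurity/trivy-operator"
      # Quoted so no YAML loader can retype the chart version
      targetRevision: "0.26.0"
      helm:
        valueFiles:
          - $values/clusters/k8s-avroid-office.prod.local/namespaces/avroid-prod/security/trivy-operator/values-override.yaml
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      - ApplyOutOfSyncOnly=true
      - CreateNamespace=true
---
# AppProject restricting where the trivy-operator Application may pull from
# and what it may create.
apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
  name: trivy-operator
  namespace: argocd
  # Finalizer that ensures the project is not deleted while it is still referenced by an application
  finalizers:
    - resources-finalizer.argocd.argoproj.io
spec:
  # Only these two repositories may be used as application sources
  sourceRepos:
    - https://git.avroid.tech/K8s/k8s-configs.git
    - https://nexus.avroid.tech/repository/devops-helm-proxy-helm/
  # Only permit applications to deploy to the avroid-prod namespace in the same cluster
  destinations:
    - namespace: avroid-prod
      server: https://kubernetes.default.svc
  # Cluster-scoped resources are denied unless listed here. Each entry is pinned
  # to the kind's real API group instead of '*', so the allowance cannot be
  # satisfied by a same-named kind from an unrelated group.
  clusterResourceWhitelist:
    - group: ''
      kind: Namespace
    # Role and RoleBinding are namespace-scoped; Argo CD governs those through
    # namespaceResourceWhitelist / namespaceResourceBlacklist, so these two
    # entries are expected to have no effect in this list.
    - group: rbac.authorization.k8s.io
      kind: Role
    - group: rbac.authorization.k8s.io
      kind: RoleBinding
    - group: rbac.authorization.k8s.io
      kind: ClusterRole
    - group: rbac.authorization.k8s.io
      kind: ClusterRoleBinding
    - group: aquasecurity.github.io
      kind: ClusterComplianceReport
    - group: apiextensions.k8s.io
      kind: CustomResourceDefinition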