DO-1431 Co-authored-by: denis.patrakeev <denis.patrakeev@avroid.tech> Reviewed-on: https://git.avroid.tech/K8s/k8s-configs/pulls/6
## Argo CD configuration
|
|
## Ref: https://github.com/argoproj/argo-cd
|
|
##
|
|
|
|
## Globally shared configuration
|
|
global:
|
|
# -- Default domain used by all components
|
|
## Used for ingresses, certificates, SSO, notifications, etc.
|
|
domain: argocd.avroid.tech
|
|
|
|
# Default image used by all components
|
|
image:
|
|
# -- If defined, a repository applied to all Argo CD deployments
|
|
repository: &global-image-repository "harbor.avroid.tech/quay-proxy/argoproj/argocd"
|
|
# -- Overrides the global Argo CD image tag whose default is the chart appVersion
|
|
tag: &global-image-tag "v2.14.2"
|
|
|
|
# -- Default node selector for all components
|
|
nodeSelector:
|
|
node-role.kubernetes.io/worker: ""
|
|
|
|
## Argo Configs
|
|
configs:
|
|
# General Argo CD configuration
|
|
## Ref: https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/argocd-cm.yaml
|
|
cm:
|
|
# Dex configuration
|
|
dex.config: |
|
|
connectors:
|
|
- type: ldap
|
|
name: avroid.tech
|
|
id: ldap_avroid_tech
|
|
config:
|
|
# Ldap server address
|
|
host: "ds-01.avroid.tech:636"
|
|
insecureNoSSL: false
|
|
insecureSkipVerify: true
|
|
# Variable name stores ldap bindDN in argocd-secret
|
|
bindDN: "$dex.ldap.bindDN"
|
|
# Variable name stores ldap bind password in argocd-secret
|
|
bindPW: "$dex.ldap.bindPW"
|
|
usernamePrompt: Username
|
|
# Ldap user serch attributes
|
|
userSearch:
|
|
baseDN: cn=users,cn=accounts,dc=avroid,dc=tech
|
|
filter: "(objectClass=inetorgperson)"
|
|
username: uid
|
|
idAttr: uid
|
|
emailAttr: mail
|
|
# Ldap group serch attributes
|
|
groupSearch:
|
|
baseDN: cn=groups,cn=accounts,dc=avroid,dc=tech
|
|
filter: "(|(objectClass=posixGroup)(objectClass=groupOfNames))"
|
|
userMatchers:
|
|
- userAttr: DN
|
|
groupAttr: member
|
|
# Represents group name.
|
|
nameAttr: cn
|
|
|
|
# Argo CD configuration parameters
|
|
## Ref: https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/argocd-cmd-params-cm.yaml
|
|
params:
|
|
## Server properties
|
|
# -- Run server without TLS
|
|
## NOTE: This value should be set when you generate params by other means as it changes ports used by ingress template.
|
|
server.insecure: true
|
|
|
|
# Argo CD RBAC policy configuration
|
|
## Ref: https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/rbac.md
|
|
rbac:
|
|
# -- The name of the default role which Argo CD will falls back to, when authorizing API requests (optional).
|
|
# If omitted or empty, users may be still be able to login, but will see no apps, projects, etc...
|
|
policy.default: 'role:deny'
|
|
|
|
# -- File containing user-defined policies and role definitions.
|
|
# @default -- `''` (See [values.yaml])
|
|
policy.csv: |
|
|
p, role:devops-admin, applications, *, */*, allow
|
|
p, role:devops-admin, applicationsets, *, */*, allow
|
|
p, role:devops-admin, clusters, *, *, allow
|
|
p, role:devops-admin, projects, *, *, allow
|
|
p, role:devops-admin, repositories, *, *, allow
|
|
p, role:devops-admin, accounts, *, *, allow
|
|
p, role:devops-admin, certificates, *, *, allow
|
|
p, role:devops-admin, gpgkeys, *, *, allow
|
|
p, role:devops-admin, logs, *, *, allow
|
|
p, role:devops-admin, exec, *, */*, allow
|
|
p, role:devops-admin, extensions, *, */*, allow
|
|
g, grp-admin-devops, role:devops-admin
|
|
# Policy rules are in the form:
|
|
# p, subject, resource, action, object, effect
|
|
# Role definitions and bindings are in the form:
|
|
# g, subject, inherited-subject
|
|
# policy.csv: |
|
|
# p, role:org-admin, applications, *, */*, allow
|
|
# p, role:org-admin, clusters, get, *, allow
|
|
# p, role:org-admin, repositories, *, *, allow
|
|
# p, role:org-admin, logs, get, *, allow
|
|
# p, role:org-admin, exec, create, */*, allow
|
|
# g, your-github-org:your-team, role:org-admin
|
|
|
|
# -- Repositories list to be used by applications
|
|
## Creates a secret for each key/value specified below to create repositories
|
|
## Note: the last example in the list would use a repository credential template, configured under "configs.repositoryCredentials".
|
|
repositories:
|
|
argocd-git-server:
|
|
url: https://git.avroid.tech/K8s/k8s-configs.git
|
|
name: prod_agrocd_configuration_repo
|
|
type: git
|
|
username: $git.repo.username
|
|
password: $git.repo.password
|
|
# istio-helm-repo:
|
|
# url: https://storage.googleapis.com/istio-prerelease/daily-build/master-latest-daily/charts
|
|
# name: istio.io
|
|
# type: helm
|
|
# private-helm-repo:
|
|
# url: https://my-private-chart-repo.internal
|
|
# name: private-repo
|
|
# type: helm
|
|
# password: my-password
|
|
# username: my-username
|
|
# private-repo:
|
|
# url: https://github.com/argoproj/private-repo
|
|
|
|
# Argo CD sensitive data
|
|
# Ref: https://argo-cd.readthedocs.io/en/stable/operator-manual/user-management/#sensitive-data-and-sso-client-secrets
|
|
secret:
|
|
# -- Bcrypt hashed admin password
|
|
## Argo expects the password in the secret to be bcrypt hashed. You can create this hash with
|
|
## `htpasswd -nbBC 10 "" $ARGO_PWD | tr -d ':\n' | sed 's/$2y/$2a/'`
|
|
argocdServerAdminPassword: $admin.password
|
|
|
|
## Dex image
|
|
image:
|
|
# -- Dex image repository
|
|
repository: harbor.avroid.tech/quay-proxy/dexidp/dex
|
|
|
|
## Redis-HA subchart replaces custom redis deployment when `redis-ha.enabled=true`
|
|
# Ref: https://github.com/DandyDeveloper/charts/blob/master/charts/redis-ha/values.yaml
|
|
redis-ha:
|
|
# -- Enables the Redis HA subchart and disables the custom Redis single node deployment
|
|
enabled: true
|
|
|
|
## Server
|
|
server:
|
|
## Argo CD server Horizontal Pod Autoscaler
|
|
autoscaling:
|
|
# -- Enable Horizontal Pod Autoscaler ([HPA]) for the Argo CD server
|
|
enabled: true
|
|
# -- Minimum number of replicas for the Argo CD server [HPA]
|
|
minReplicas: 2
|
|
|
|
# Argo CD server ingress configuration
|
|
ingress:
|
|
# -- Enable an ingress resource for the Argo CD server
|
|
enabled: true
|
|
|
|
# -- Additional ingress annotations
|
|
## Ref: https://argo-cd.readthedocs.io/en/stable/operator-manual/ingress/#option-1-ssl-passthrough
|
|
annotations:
|
|
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
|
|
nginx.ingress.kubernetes.io/ssl-passthrough: "true"
|
|
|
|
# -- Defines which ingress controller will implement the resource
|
|
ingressClassName: "nginx"
|
|
|
|
# -- Enable TLS configuration for the hostname defined at `server.ingress.hostname`
|
|
## TLS certificate will be retrieved from a TLS secret `argocd-server-tls`
|
|
## You can create this secret via `certificate` or `certificateSecret` option
|
|
tls: true
|
|
|
|
## Repo Server
|
|
repoServer:
|
|
## Repo server Horizontal Pod Autoscaler
|
|
autoscaling:
|
|
# -- Enable Horizontal Pod Autoscaler ([HPA]) for the repo server
|
|
enabled: true
|
|
# -- Minimum number of replicas for the repo server [HPA]
|
|
minReplicas: 2
|
|
|
|
# -- Additional containers to be added to the repo server pod
|
|
## Ref: https://argo-cd.readthedocs.io/en/stable/user-guide/config-management-plugins/
|
|
## Note: Supports use of custom Helm templates
|
|
extraContainers:
|
|
- name: avp
|
|
command: [/var/run/argocd/argocd-cmp-server]
|
|
image: "{{ .Values.global.image.repository }}:{{ .Values.global.image.tag }}"
|
|
securityContext:
|
|
runAsNonRoot: true
|
|
runAsUser: 999
|
|
volumeMounts:
|
|
- mountPath: /var/run/argocd
|
|
name: var-files
|
|
- mountPath: /home/argocd/cmp-server/plugins
|
|
name: plugins
|
|
- mountPath: /tmp
|
|
name: tmp
|
|
# Register plugins into sidecar
|
|
- mountPath: /home/argocd/cmp-server/config/plugin.yaml
|
|
subPath: avp.yaml
|
|
name: cmp-plugin
|
|
# Important: Mount tools into $PATH
|
|
- name: custom-tools
|
|
subPath: argocd-vault-plugin
|
|
mountPath: /usr/local/bin/argocd-vault-plugin
|
|
|
|
# -- Init containers to add to the repo server pods
|
|
initContainers:
|
|
- name: download-tools
|
|
image: registry.access.redhat.com/ubi8
|
|
env:
|
|
- name: AVP_VERSION
|
|
value: 1.18.1
|
|
command: [sh, -c]
|
|
args:
|
|
- >-
|
|
curl -L https://nexus.avroid.tech/repository/devops-raw-proxy-gitea/argoproj-labs/argocd-vault-plugin/releases/download/v$(AVP_VERSION)/argocd-vault-plugin_$(AVP_VERSION)_linux_amd64 -o argocd-vault-plugin &&
|
|
chmod +x argocd-vault-plugin &&
|
|
mv argocd-vault-plugin /custom-tools/
|
|
volumeMounts:
|
|
- mountPath: /custom-tools
|
|
name: custom-tools
|
|
|
|
# -- Additional volumes to the repo server pod
|
|
volumes:
|
|
- name: cmp-plugin
|
|
configMap:
|
|
name: cmp-plugin
|
|
- name: custom-tools
|
|
emptyDir: {}
|
|
|
|
# -- Automount API credentials for the Service Account into the pod.
|
|
automountServiceAccountToken: true
|
|
|
|
## ApplicationSet controller
|
|
applicationSet:
|
|
# -- The number of ApplicationSet controller pods to run
|
|
replicas: 2
|
|
|
|
|
|
# -- Configures notification services such as slack, email or custom webhook
|
|
# @default -- See [values.yaml]
|
|
## For more information: https://argo-cd.readthedocs.io/en/stable/operator-manual/notifications/services/overview/
|
|
notifiers:
|
|
service.telegram: |
|
|
token: $telegram-token
|
|
|
|
# -- Contains centrally managed global application subscriptions
|
|
## For more information: https://argo-cd.readthedocs.io/en/stable/operator-manual/notifications/subscriptions/
|
|
subscriptions:
|
|
- recipients:
|
|
# warning channel
|
|
- telegram:-1001685938630
|
|
triggers:
|
|
- on-sync-status-unknown
|
|
- app-deployed
|
|
- on-sync-succeeded
|
|
- recipients:
|
|
# critical channel
|
|
- telegram:-1001997104886
|
|
triggers:
|
|
- on-health-degraded
|
|
- on-sync-failed
|
|
|
|
# -- The notification template is used to generate the notification content
|
|
## For more information: https://argo-cd.readthedocs.io/en/stable/operator-manual/notifications/templates/
|
|
templates:
|
|
template.app-deployed: |
|
|
email:
|
|
subject: New version of an application {{.app.metadata.name}} is up and running.
|
|
message: |
|
|
{{if eq .serviceType "slack"}}:white_check_mark:{{end}} Application {{.app.metadata.name}} is now running new version of deployments manifests.
|
|
template.app-health-degraded: |
|
|
email:
|
|
subject: Application {{.app.metadata.name}} has degraded.
|
|
message: |
|
|
{{if eq .serviceType "slack"}}:exclamation:{{end}} Application {{.app.metadata.name}} has degraded.
|
|
Application details: {{.context.argocdUrl}}/applications/{{.app.metadata.name}}.
|
|
template.app-sync-failed: |
|
|
email:
|
|
subject: Failed to sync application {{.app.metadata.name}}.
|
|
message: |
|
|
{{if eq .serviceType "slack"}}:exclamation:{{end}} The sync operation of application {{.app.metadata.name}} has failed at {{.app.status.operationState.finishedAt}} with the following error: {{.app.status.operationState.message}}
|
|
Sync operation details are available at: {{.context.argocdUrl}}/applications/{{.app.metadata.name}}?operation=true .
|
|
template.app-sync-running: |
|
|
email:
|
|
subject: Start syncing application {{.app.metadata.name}}.
|
|
message: |
|
|
The sync operation of application {{.app.metadata.name}} has started at {{.app.status.operationState.startedAt}}.
|
|
Sync operation details are available at: {{.context.argocdUrl}}/applications/{{.app.metadata.name}}?operation=true .
|
|
template.app-sync-status-unknown: |
|
|
email:
|
|
subject: Application {{.app.metadata.name}} sync status is 'Unknown'
|
|
message: |
|
|
{{if eq .serviceType "slack"}}:exclamation:{{end}} Application {{.app.metadata.name}} sync is 'Unknown'.
|
|
Application details: {{.context.argocdUrl}}/applications/{{.app.metadata.name}}.
|
|
{{if ne .serviceType "slack"}}
|
|
{{range $c := .app.status.conditions}}
|
|
* {{$c.message}}
|
|
{{end}}
|
|
{{end}}
|
|
template.app-sync-succeeded: |
|
|
email:
|
|
subject: Application {{.app.metadata.name}} has been successfully synced.
|
|
message: |
|
|
{{if eq .serviceType "slack"}}:white_check_mark:{{end}} Application {{.app.metadata.name}} has been successfully synced at {{.app.status.operationState.finishedAt}}.
|
|
Sync operation details are available at: {{.context.argocdUrl}}/applications/{{.app.metadata.name}}?operation=true .
|
|
|
|
# -- The trigger defines the condition when the notification should be sent
|
|
## For more information: https://argo-cd.readthedocs.io/en/stable/operator-manual/notifications/triggers/
|
|
triggers:
|
|
trigger.on-deployed: |
|
|
- description: Application is synced and healthy. Triggered once per commit.
|
|
oncePer: app.status.sync.revision
|
|
send:
|
|
- app-deployed
|
|
when: app.status.operationState.phase in ['Succeeded'] and app.status.health.status == 'Healthy'
|
|
trigger.on-health-degraded: |
|
|
- description: Application has degraded
|
|
send:
|
|
- app-health-degraded
|
|
when: app.status.health.status == 'Degraded'
|
|
trigger.on-sync-failed: |
|
|
- description: Application syncing has failed
|
|
send:
|
|
- app-sync-failed
|
|
when: app.status.operationState.phase in ['Error', 'Failed']
|
|
trigger.on-sync-running: |
|
|
- description: Application is being synced
|
|
send:
|
|
- app-sync-running
|
|
when: app.status.operationState.phase in ['Running']
|
|
trigger.on-sync-status-unknown: |
|
|
- description: Application status is 'Unknown'
|
|
send:
|
|
- app-sync-status-unknown
|
|
when: app.status.sync.status == 'Unknown'
|
|
trigger.on-sync-succeeded: |
|
|
- description: Application syncing has succeeded
|
|
send:
|
|
- app-sync-succeeded
|
|
when: app.status.operationState.phase in ['Succeeded']
|
|
#
|
|
# For more information: https://argo-cd.readthedocs.io/en/stable/operator-manual/notifications/triggers/#default-triggers
|
|
# defaultTriggers: |
|
|
# - on-sync-status-unknown
|
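Review bot: `insecureSkipVerify: true` in the Dex LDAP connector (the `config:` block inside `dex.config`) turns off certificate verification on the LDAPS connection to `ds-01.avroid.tech:636`, so the bind credentials and every user password Dex forwards during login are only as protected as the network path, despite the explicit `insecureNoSSL: false` next to it. The fix is to set `insecureSkipVerify: false` and trust the directory's issuing CA instead, e.g. `rootCA: /etc/dex/ldap-ca.pem` (placeholder path, mounted from a secret) or an inline `rootCAData:` value. The `download-tools` init container fetches the vault plugin with `curl -L ... -o argocd-vault-plugin` and the sidecar runs it against repository contents and secrets with no checksum check, and the `registry.access.redhat.com/ubi8` image carries neither tag nor digest; a `sha256sum -c` step against a pinned checksum and a pinned image reference would close that supply-chain gap. `server.insecure: true` combined with the `nginx.ingress.kubernetes.io/ssl-passthrough: "true"` annotation looks inconsistent with the linked Option 1 (SSL-passthrough) guide, which expects argocd-server to keep its own TLS listener, so it is worth confirming which termination mode is intended. `automountServiceAccountToken: true` on the repo server widens what a compromised plugin sidecar can reach; if it is required for the vault plugin's Kubernetes auth, a comment such as `# Required: AVP authenticates to Vault with the repo-server SA token` above it would tell the next reader why it is on.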