cilium, argo
This commit is contained in:
110
cluster/argocd/values.yaml
Normal file
110
cluster/argocd/values.yaml
Normal file
@@ -0,0 +1,110 @@
|
||||
# ─── ArgoCD Helm values — fastpass cluster ───────────────────────────────────
|
||||
# Chart: argo/argo-cd
|
||||
# Version: 7.8.23
|
||||
#
|
||||
# Install:
|
||||
# helm repo add argo https://argoproj.github.io/argo-helm
|
||||
# helm repo update
|
||||
# helm upgrade --install argocd argo/argo-cd \
|
||||
# --namespace argocd \
|
||||
# --create-namespace \
|
||||
# --version 7.8.23 \
|
||||
# --values cluster/argocd/values.yaml \
|
||||
# --wait
|
||||
#
|
||||
# Then apply the root app-of-apps (second and final manual step):
|
||||
# kubectl apply -n argocd -f cluster/argocd/apps-of-apps.yaml
|
||||
# ─────────────────────────────────────────────────────────────────────────────
|
||||
|
||||
# ─── Global ──────────────────────────────────────────────────────────────────
|
||||
global:
|
||||
domain: argocd.local.mk-labs.cloud
|
||||
|
||||
# ─── ArgoCD server ───────────────────────────────────────────────────────────
|
||||
server:
|
||||
# Run insecure — TLS is terminated at ingress-nginx, not at ArgoCD itself.
|
||||
# Without this, ArgoCD redirects to HTTPS internally and breaks behind ingress.
|
||||
extraArgs:
|
||||
- --insecure
|
||||
|
||||
ingress:
|
||||
enabled: true
|
||||
ingressClassName: nginx
|
||||
hostname: argocd.local.mk-labs.cloud
|
||||
tls: true
|
||||
annotations:
|
||||
cert-manager.io/cluster-issuer: letsencrypt-production
|
||||
nginx.ingress.kubernetes.io/ssl-passthrough: "false"
|
||||
nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
|
||||
|
||||
# ─── ConfigMap — core ArgoCD settings ────────────────────────────────────────
|
||||
configs:
|
||||
params:
|
||||
# Matches --insecure above — tells the server not to handle TLS
|
||||
server.insecure: "true"
|
||||
|
||||
cm:
|
||||
# Gitea as the source repo — HTTPS with token auth (set in secret below)
|
||||
# SSH alternative is in the repositories section if preferred
|
||||
url: https://argocd.local.mk-labs.cloud
|
||||
|
||||
# Authentik OIDC SSO
|
||||
# Uncomment once Authentik is configured with an ArgoCD OIDC provider
|
||||
# oidc.config: |
|
||||
# name: Authentik
|
||||
# issuer: https://authentik.local.mk-labs.cloud/application/o/argocd/
|
||||
# clientID: <client-id-from-authentik>
|
||||
# clientSecret: $oidc.authentik.clientSecret
|
||||
# requestedScopes:
|
||||
# - openid
|
||||
# - profile
|
||||
# - email
|
||||
# - groups
|
||||
|
||||
# Resource health checks — ignore progressing Cilium CRDs
|
||||
resource.customizations.health.cilium.io_CiliumLoadBalancerIPPool: |
|
||||
hs = {}
|
||||
hs.status = "Healthy"
|
||||
hs.message = "IP pool ready"
|
||||
return hs
|
||||
|
||||
# RBAC — admin gets full access, SSO groups mapped after Authentik integration
|
||||
rbac:
|
||||
policy.default: role:readonly
|
||||
policy.csv: |
|
||||
g, argocd-admins, role:admin
|
||||
|
||||
# Repository credentials — Gitea SSH
|
||||
# Private key is injected via ESO once external-secrets is bootstrapped.
|
||||
# For initial bootstrap, create the secret manually:
|
||||
# kubectl create secret generic gitea-repo \
|
||||
# --namespace argocd \
|
||||
# --from-literal=type=git \
|
||||
# --from-literal=url=git@gitea.mk-labs.cloud:rblundon/homelab.git \
|
||||
# --from-file=sshPrivateKey=/path/to/argocd_gitea_ed25519 \
|
||||
# kubectl label secret gitea-repo -n argocd \
|
||||
# argocd.argoproj.io/secret-type=repository
|
||||
repositories:
|
||||
homelab-repo:
|
||||
url: git@gitea.mk-labs.cloud:rblundon/homelab.git
|
||||
name: homelab
|
||||
type: git
|
||||
insecure: "false"
|
||||
|
||||
# ─── Redis ───────────────────────────────────────────────────────────────────
|
||||
redis:
|
||||
enabled: true
|
||||
|
||||
# ─── Notifications ───────────────────────────────────────────────────────────
|
||||
# Disabled for now — wire into n8n via webhook later
|
||||
notifications:
|
||||
enabled: false
|
||||
|
||||
# ─── ApplicationSet controller ───────────────────────────────────────────────
|
||||
applicationSet:
|
||||
enabled: true
|
||||
|
||||
# ─── Dex (built-in OIDC) ─────────────────────────────────────────────────────
|
||||
# Disabled — using Authentik as the OIDC provider
|
||||
dex:
|
||||
enabled: false
|
||||
Reference in New Issue
Block a user