# ─── ArgoCD Helm values — fastpass cluster ───────────────────────────────────── # Chart: argo/argo-cd # Version: 7.8.23 # # Install: # helm repo add argo https://argoproj.github.io/argo-helm # helm repo update # helm upgrade --install argocd argo/argo-cd \ # --namespace argocd \ # --create-namespace \ # --version 7.8.23 \ # --values cluster/argocd/values.yaml \ # --wait # # Then apply the root app-of-apps (second and final manual step): # kubectl apply -n argocd -f cluster/argocd/apps-of-apps.yaml # ─────────────────────────────────────────────────────────────────────────────── # ─── Global ───────────────────────────────────────────────────────────────────── global: domain: argocd.local.mk-labs.cloud # ─── ArgoCD server ────────────────────────────────────────────────────────────── server: # Run insecure — TLS is terminated at ingress-nginx, not at ArgoCD itself. # Without this, ArgoCD redirects to HTTPS internally and breaks behind ingress. extraArgs: - --insecure ingress: enabled: true ingressClassName: nginx hostname: argocd.local.mk-labs.cloud tls: true annotations: cert-manager.io/cluster-issuer: letsencrypt-prod nginx.ingress.kubernetes.io/ssl-passthrough: "false" nginx.ingress.kubernetes.io/backend-protocol: "HTTP" # ─── ConfigMap — core ArgoCD settings ─────────────────────────────────────────── configs: params: server.insecure: "true" cm: url: https://argocd.local.mk-labs.cloud # Authentik native OIDC SSO # Client secret pulled from 1Password via ESO → argocd-oidc-secret oidc.config: | name: Authentik issuer: https://authentik.local.mk-labs.cloud/application/o/argocd/ clientID: $oidc.authentik.clientID clientSecret: $oidc.authentik.clientSecret requestedScopes: - openid - profile - email - groups groupsClaim: groups # Resource health checks — ignore progressing Cilium CRDs resource.customizations.health.cilium.io_CiliumLoadBalancerIPPool: | hs = {} hs.status = "Healthy" hs.message = "IP pool ready" return hs # Ignore ESO-injected default fields on ExternalSecret resources. resource.customizations.ignoreDifferences.external-secrets.io_ExternalSecret: | jqPathExpressions: - '.spec.data[]?.remoteRef?.conversionStrategy' - '.spec.data[]?.remoteRef?.decodingStrategy' - '.spec.data[]?.remoteRef?.metadataPolicy' - '.spec.dataFrom[]?.extract?.conversionStrategy' - '.spec.dataFrom[]?.extract?.decodingStrategy' - '.spec.dataFrom[]?.extract?.metadataPolicy' # RBAC — argocd-admins group from Authentik gets full access rbac: policy.default: role:readonly policy.csv: | g, argocd-admins, role:admin g, argocd-viewers, role:readonly # Repository credentials — Gitea SSH repositories: homelab-repo: url: git@gitea.mk-labs.cloud:rblundon/homelab.git name: homelab type: git insecure: "false" # ─── Redis ────────────────────────────────────────────────────────────────────── redis: enabled: true # ─── Notifications ────────────────────────────────────────────────────────────── # Disabled for now — wire into n8n via webhook later notifications: enabled: false # ─── ApplicationSet controller ────────────────────────────────────────────────── applicationSet: enabled: true # ─── Dex ──────────────────────────────────────────────────────────────────────── # Disabled — using Authentik as the native OIDC provider dex: enabled: false # Disable default admin user admin: enabled: false # Enable Prometheus metrics for ArgoCD controller: metrics: enabled: true serviceMonitor: enabled: true server: metrics: enabled: true serviceMonitor: enabled: true repoServer: metrics: enabled: true serviceMonitor: enabled: true applicationSet: metrics: enabled: true serviceMonitor: enabled: true