# ------------------------------------------------------------------------------ # Platform: ArgoCD Configuration (post-bootstrap) # Wave 2 — after ESO (wave 1), needs 1Password for Authentik client secret # # This is NOT the ArgoCD install (that's a manual bootstrap step). # This Application manages ArgoCD's own configuration declaratively: # - argocd-cm (URL, Dex/OIDC config, repo credentials) # - argocd-rbac-cm (RBAC policies mapped from Authentik groups) # - argocd-secret (Authentik client secret via ESO) # # ArgoCD managing its own config is intentional and works cleanly — # it's the "self-managed ArgoCD" pattern. # ------------------------------------------------------------------------------ apiVersion: argoproj.io/v1alpha1 kind: Application metadata: name: argocd-config namespace: argocd annotations: argocd.argoproj.io/sync-wave: "2" spec: project: default source: repoURL: https://gitea.mk-labs.cloud/rblundon/homelab.git targetRevision: main path: cluster/platform/argocd directory: exclude: "application.yaml" destination: server: https://kubernetes.default.svc namespace: argocd syncPolicy: automated: prune: true selfHeal: true syncOptions: - ServerSideApply=true ignoreDifferences: # ArgoCD mutates its own secret — ignore those fields - group: "" kind: Secret name: argocd-secret jsonPointers: - /data/admin.password - /data/admin.passwordMtime - /data/server.secretkey