# ─── ArgoCD Helm values — fastpass cluster ─────────────────────────────────── # Chart: argo/argo-cd # Version: 7.8.23 # # Install: # helm repo add argo https://argoproj.github.io/argo-helm # helm repo update # helm upgrade --install argocd argo/argo-cd \ # --namespace argocd \ # --create-namespace \ # --version 7.8.23 \ # --values cluster/argocd/values.yaml \ # --wait # # Then apply the root app-of-apps (second and final manual step): # kubectl apply -n argocd -f cluster/argocd/apps-of-apps.yaml # ───────────────────────────────────────────────────────────────────────────── # ─── Global ────────────────────────────────────────────────────────────────── global: domain: argocd.local.mk-labs.cloud # ─── ArgoCD server ─────────────────────────────────────────────────────────── server: # Run insecure — TLS is terminated at ingress-nginx, not at ArgoCD itself. # Without this, ArgoCD redirects to HTTPS internally and breaks behind ingress. extraArgs: - --insecure ingress: enabled: true ingressClassName: nginx hostname: argocd.local.mk-labs.cloud tls: true annotations: cert-manager.io/cluster-issuer: letsencrypt-prod nginx.ingress.kubernetes.io/ssl-passthrough: "false" nginx.ingress.kubernetes.io/backend-protocol: "HTTP" # ─── ConfigMap — core ArgoCD settings ──────────────────────────────────────── configs: params: # Matches --insecure above — tells the server not to handle TLS server.insecure: "true" cm: # Gitea as the source repo — HTTPS with token auth (set in secret below) # SSH alternative is in the repositories section if preferred url: https://argocd.local.mk-labs.cloud # Authentik OIDC SSO # Uncomment once Authentik is configured with an ArgoCD OIDC provider # oidc.config: | # name: Authentik # issuer: https://authentik.local.mk-labs.cloud/application/o/argocd/ # clientID: # clientSecret: $oidc.authentik.clientSecret # requestedScopes: # - openid # - profile # - email # - groups # Resource health checks — ignore progressing Cilium CRDs resource.customizations.health.cilium.io_CiliumLoadBalancerIPPool: | hs = {} hs.status = "Healthy" hs.message = "IP pool ready" return hs # Ignore ESO-injected default fields on ExternalSecret resources. # ESO mutates these fields after sync causing false OutOfSync state. resource.customizations.ignoreDifferences.external-secrets.io_ExternalSecret: | jqPathExpressions: - '.spec.data[]?.remoteRef?.conversionStrategy' - '.spec.data[]?.remoteRef?.decodingStrategy' - '.spec.data[]?.remoteRef?.metadataPolicy' - '.spec.dataFrom[]?.extract?.conversionStrategy' - '.spec.dataFrom[]?.extract?.decodingStrategy' - '.spec.dataFrom[]?.extract?.metadataPolicy' # RBAC — admin gets full access, SSO groups mapped after Authentik integration rbac: policy.default: role:readonly policy.csv: | g, argocd-admins, role:admin # Repository credentials — Gitea SSH # Private key is injected via ESO once external-secrets is bootstrapped. # For initial bootstrap, create the secret manually: # kubectl create secret generic gitea-repo \ # --namespace argocd \ # --from-literal=type=git \ # --from-literal=url=git@gitea.mk-labs.cloud:rblundon/homelab.git \ # --from-file=sshPrivateKey=/path/to/argocd_gitea_ed25519 \ # kubectl label secret gitea-repo -n argocd \ # argocd.argoproj.io/secret-type=repository repositories: homelab-repo: url: git@gitea.mk-labs.cloud:rblundon/homelab.git name: homelab type: git insecure: "false" # ─── Redis ─────────────────────────────────────────────────────────────────── redis: enabled: true # ─── Notifications ─────────────────────────────────────────────────────────── # Disabled for now — wire into n8n via webhook later notifications: enabled: false # ─── ApplicationSet controller ─────────────────────────────────────────────── applicationSet: enabled: true # ─── Dex (built-in OIDC) ───────────────────────────────────────────────────── # Disabled — using Authentik as the OIDC provider dex: enabled: false