139 lines
5.1 KiB
YAML
139 lines
5.1 KiB
YAML
# ─── ArgoCD Helm values — fastpass cluster ─────────────────────────────────────
|
|
# Chart: argo/argo-cd
|
|
# Version: 7.8.23
|
|
#
|
|
# Install:
|
|
# helm repo add argo https://argoproj.github.io/argo-helm
|
|
# helm repo update
|
|
# helm upgrade --install argocd argo/argo-cd \
|
|
# --namespace argocd \
|
|
# --create-namespace \
|
|
# --version 7.8.23 \
|
|
# --values cluster/argocd/values.yaml \
|
|
# --wait
|
|
#
|
|
# Then apply the root app-of-apps (second and final manual step):
|
|
# kubectl apply -n argocd -f cluster/argocd/apps-of-apps.yaml
|
|
# ───────────────────────────────────────────────────────────────────────────────
|
|
|
|
# ─── Global ─────────────────────────────────────────────────────────────────────
|
|
global:
|
|
domain: argocd.local.mk-labs.cloud
|
|
|
|
# ─── ArgoCD server ──────────────────────────────────────────────────────────────
|
|
server:
|
|
# Run insecure — TLS is terminated at ingress-nginx, not at ArgoCD itself.
|
|
# Without this, ArgoCD redirects to HTTPS internally and breaks behind ingress.
|
|
extraArgs:
|
|
- --insecure
|
|
|
|
ingress:
|
|
enabled: true
|
|
ingressClassName: nginx
|
|
hostname: argocd.local.mk-labs.cloud
|
|
tls: true
|
|
annotations:
|
|
cert-manager.io/cluster-issuer: letsencrypt-prod
|
|
nginx.ingress.kubernetes.io/ssl-passthrough: "false"
|
|
nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
|
|
|
|
# ─── ConfigMap — core ArgoCD settings ───────────────────────────────────────────
|
|
configs:
|
|
params:
|
|
server.insecure: "true"
|
|
|
|
cm:
|
|
url: https://argocd.local.mk-labs.cloud
|
|
|
|
# Authentik native OIDC SSO
|
|
# Client secret pulled from 1Password via ESO → argocd-oidc-secret
|
|
oidc.config: |
|
|
name: Authentik
|
|
issuer: https://authentik.local.mk-labs.cloud/application/o/argocd/
|
|
clientID: $oidc.authentik.clientID
|
|
clientSecret: $oidc.authentik.clientSecret
|
|
requestedScopes:
|
|
- openid
|
|
- profile
|
|
- email
|
|
- groups
|
|
groupsClaim: groups
|
|
|
|
# Resource health checks — ignore progressing Cilium CRDs
|
|
resource.customizations.health.cilium.io_CiliumLoadBalancerIPPool: |
|
|
hs = {}
|
|
hs.status = "Healthy"
|
|
hs.message = "IP pool ready"
|
|
return hs
|
|
|
|
# Ignore ESO-injected default fields on ExternalSecret resources.
|
|
resource.customizations.ignoreDifferences.external-secrets.io_ExternalSecret: |
|
|
jqPathExpressions:
|
|
- '.spec.data[]?.remoteRef?.conversionStrategy'
|
|
- '.spec.data[]?.remoteRef?.decodingStrategy'
|
|
- '.spec.data[]?.remoteRef?.metadataPolicy'
|
|
- '.spec.dataFrom[]?.extract?.conversionStrategy'
|
|
- '.spec.dataFrom[]?.extract?.decodingStrategy'
|
|
- '.spec.dataFrom[]?.extract?.metadataPolicy'
|
|
|
|
# RBAC — argocd-admins group from Authentik gets full access
|
|
rbac:
|
|
policy.default: role:readonly
|
|
policy.csv: |
|
|
g, argocd-admins, role:admin
|
|
g, argocd-viewers, role:readonly
|
|
|
|
# Repository credentials — Gitea SSH
|
|
repositories:
|
|
homelab-repo:
|
|
url: git@gitea.mk-labs.cloud:rblundon/homelab.git
|
|
name: homelab
|
|
type: git
|
|
insecure: "false"
|
|
|
|
# ─── Redis ──────────────────────────────────────────────────────────────────────
|
|
redis:
|
|
enabled: true
|
|
|
|
# ─── Notifications ──────────────────────────────────────────────────────────────
|
|
# Disabled for now — wire into n8n via webhook later
|
|
notifications:
|
|
enabled: false
|
|
|
|
# ─── ApplicationSet controller ──────────────────────────────────────────────────
|
|
applicationSet:
|
|
enabled: true
|
|
|
|
# ─── Dex ────────────────────────────────────────────────────────────────────────
|
|
# Disabled — using Authentik as the native OIDC provider
|
|
dex:
|
|
enabled: false
|
|
|
|
# Disable default admin user
|
|
admin:
|
|
enabled: false
|
|
|
|
# Enable Prometheus metrics for ArgoCD
|
|
controller:
|
|
metrics:
|
|
enabled: true
|
|
serviceMonitor:
|
|
enabled: true
|
|
|
|
server:
|
|
metrics:
|
|
enabled: true
|
|
serviceMonitor:
|
|
enabled: true
|
|
|
|
repoServer:
|
|
metrics:
|
|
enabled: true
|
|
serviceMonitor:
|
|
enabled: true
|
|
|
|
applicationSet:
|
|
metrics:
|
|
enabled: true
|
|
serviceMonitor:
|
|
enabled: true |