Files
homelab/cluster/argocd/values.yaml
2026-05-19 22:25:00 -05:00

140 lines
5.1 KiB
YAML

# ─── ArgoCD Helm values — fastpass cluster ─────────────────────────────────────
# Chart: argo/argo-cd
# Version: 7.8.23
#
# Install:
# helm repo add argo https://argoproj.github.io/argo-helm
# helm repo update
# helm upgrade --install argocd argo/argo-cd \
# --namespace argocd \
# --create-namespace \
# --version 7.8.23 \
# --values cluster/argocd/values.yaml \
# --wait
#
# Then apply the root app-of-apps (second and final manual step):
# kubectl apply -n argocd -f cluster/argocd/apps-of-apps.yaml
# ───────────────────────────────────────────────────────────────────────────────
# ─── Global ─────────────────────────────────────────────────────────────────────
global:
domain: argocd.local.mk-labs.cloud
# ─── ArgoCD server ──────────────────────────────────────────────────────────────
server:
# Run insecure — TLS is terminated at ingress-nginx, not at ArgoCD itself.
# Without this, ArgoCD redirects to HTTPS internally and breaks behind ingress.
extraArgs:
- --insecure
ingress:
enabled: true
ingressClassName: nginx
hostname: argocd.local.mk-labs.cloud
tls: true
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
nginx.ingress.kubernetes.io/ssl-passthrough: "false"
nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
# ─── ConfigMap — core ArgoCD settings ───────────────────────────────────────────
configs:
params:
server.insecure: "true"
server.session.duration: "720h"
cm:
url: https://argocd.local.mk-labs.cloud
# Authentik native OIDC SSO
# Client secret pulled from 1Password via ESO → argocd-oidc-secret
oidc.config: |
name: Authentik
issuer: https://authentik.local.mk-labs.cloud/application/o/argocd/
clientID: $oidc.authentik.clientID
clientSecret: $oidc.authentik.clientSecret
requestedScopes:
- openid
- profile
- email
- groups
groupsClaim: groups
# Resource health checks — ignore progressing Cilium CRDs
resource.customizations.health.cilium.io_CiliumLoadBalancerIPPool: |
hs = {}
hs.status = "Healthy"
hs.message = "IP pool ready"
return hs
# Ignore ESO-injected default fields on ExternalSecret resources.
resource.customizations.ignoreDifferences.external-secrets.io_ExternalSecret: |
jqPathExpressions:
- '.spec.data[]?.remoteRef?.conversionStrategy'
- '.spec.data[]?.remoteRef?.decodingStrategy'
- '.spec.data[]?.remoteRef?.metadataPolicy'
- '.spec.dataFrom[]?.extract?.conversionStrategy'
- '.spec.dataFrom[]?.extract?.decodingStrategy'
- '.spec.dataFrom[]?.extract?.metadataPolicy'
# RBAC — argocd-admins group from Authentik gets full access
rbac:
policy.default: role:readonly
policy.csv: |
g, argocd-admins, role:admin
g, argocd-viewers, role:readonly
# Repository credentials — Gitea SSH
repositories:
homelab-repo:
url: git@gitea.mk-labs.cloud:rblundon/homelab.git
name: homelab
type: git
insecure: "false"
# ─── Redis ──────────────────────────────────────────────────────────────────────
redis:
enabled: true
# ─── Notifications ──────────────────────────────────────────────────────────────
# Disabled for now — wire into n8n via webhook later
notifications:
enabled: false
# ─── ApplicationSet controller ──────────────────────────────────────────────────
applicationSet:
enabled: true
# ─── Dex ────────────────────────────────────────────────────────────────────────
# Disabled — using Authentik as the native OIDC provider
dex:
enabled: false
# Disable default admin user
admin:
enabled: false
# Enable Prometheus metrics for ArgoCD
controller:
metrics:
enabled: true
serviceMonitor:
enabled: true
server:
metrics:
enabled: true
serviceMonitor:
enabled: true
repoServer:
metrics:
enabled: true
serviceMonitor:
enabled: true
applicationSet:
metrics:
enabled: true
serviceMonitor:
enabled: true