45 lines
1.5 KiB
YAML
45 lines
1.5 KiB
YAML
# ------------------------------------------------------------------------------
|
|
# Platform: ArgoCD Configuration (post-bootstrap)
|
|
# Wave 2 — after ESO (wave 1), needs 1Password for Authentik client secret
|
|
#
|
|
# This is NOT the ArgoCD install (that's a manual bootstrap step).
|
|
# This Application manages ArgoCD's own configuration declaratively:
|
|
# - argocd-cm (URL, Dex/OIDC config, repo credentials)
|
|
# - argocd-rbac-cm (RBAC policies mapped from Authentik groups)
|
|
# - argocd-secret (Authentik client secret via ESO)
|
|
#
|
|
# ArgoCD managing its own config is intentional and works cleanly —
|
|
# it's the "self-managed ArgoCD" pattern.
|
|
# ------------------------------------------------------------------------------
|
|
apiVersion: argoproj.io/v1alpha1
|
|
kind: Application
|
|
metadata:
|
|
name: argocd-config
|
|
namespace: argocd
|
|
annotations:
|
|
argocd.argoproj.io/sync-wave: "2"
|
|
spec:
|
|
project: default
|
|
source:
|
|
repoURL: https://gitea.mk-labs.cloud/rblundon/homelab.git
|
|
targetRevision: main
|
|
path: cluster/platform/argocd
|
|
destination:
|
|
server: https://kubernetes.default.svc
|
|
namespace: argocd
|
|
syncPolicy:
|
|
automated:
|
|
prune: true
|
|
selfHeal: true
|
|
syncOptions:
|
|
- ServerSideApply=true
|
|
ignoreDifferences:
|
|
# ArgoCD mutates its own secret — ignore those fields
|
|
- group: ""
|
|
kind: Secret
|
|
name: argocd-secret
|
|
jsonPointers:
|
|
- /data/admin.password
|
|
- /data/admin.passwordMtime
|
|
- /data/server.secretkey
|