---
# Argo CD Helm values. Authentication is delegated to Authelia (OIDC); TLS and
# DNS are handled by Traefik / cert-manager / external-dns via ingress annotations.
global:
  logLevel: warn

# Dex is not needed: Authelia is the OIDC provider (see server.config.oidc.config).
dex:
  enabled: false

# Single-instance Redis for now; HA mode may be revisited later.
redis-ha:
  enabled: false

server:
  # argocd-server listens on plain HTTP inside the cluster; TLS is terminated
  # by Traefik in front of it (the ingress below enables router.tls).
  extraArgs:
    - --insecure
  ingress:
    enabled: true
    annotations:
      cert-manager.io/cluster-issuer: default
      external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
      traefik.ingress.kubernetes.io/router.entrypoints: websecure
      # Annotation values must be strings, hence the quotes.
      traefik.ingress.kubernetes.io/router.tls: "true"
    hosts:
      - argocd.k-space.ee
    tls:
      - hosts:
          - argocd.k-space.ee
        secretName: argocd-server-tls
  configEnabled: true
  config:
    # The built-in local "admin" account is disabled; sign-in goes through OIDC.
    admin.enabled: "false"
    url: https://argocd.k-space.ee
    application.instanceLabelKey: argocd.argoproj.io/instance
    # The secret is a $-reference resolved from argocd-secret, which this chart
    # does not create (configs.secret.createSecret is false below) — it has to be
    # provisioned out of band. The groups claim is marked essential because the
    # RBAC mapping in rbacConfig depends on it.
    oidc.config: |
      name: Authelia
      issuer: https://auth.k-space.ee
      clientID: argocd
      cliClientID: argocd
      clientSecret: $oidc.config.clientSecret
      requestedIDTokenClaims:
        groups:
          essential: true
      requestedScopes:
        - openid
        - profile
        - email
        - groups
    # Custom health check so Ingress objects report Healthy instead of Progressing.
    resource.customizations: |
      # https://github.com/argoproj/argo-cd/issues/1704
      networking.k8s.io/Ingress:
        health.lua: |
          hs = {}
          hs.status = "Healthy"
          return hs
  # Group-based authorization: "ArgoCD Admins" in AD/Samba get the admin role,
  # "Developers" get a read-mostly role. Any authenticated user matching no `g`
  # line falls back to policy.default (read-only).
  rbacConfig:
    policy.default: role:readonly
    # NOTE(review): "restart" is not a documented Argo CD application action;
    # the action/apps/Deployment/restart line is the one expected to take effect
    # for pod restarts — confirm and drop the stray rule if it grants nothing.
    policy.csv: |
      # Map AD groups to ArgoCD roles
      g, Developers, role:developers
      g, ArgoCD Admins, role:admin
      # Allow developers to read objects
      p, role:developers, applications, get, */*, allow
      p, role:developers, certificates, get, *, allow
      p, role:developers, clusters, get, *, allow
      p, role:developers, repositories, get, *, allow
      p, role:developers, projects, get, *, allow
      p, role:developers, accounts, get, *, allow
      p, role:developers, gpgkeys, get, *, allow
      p, role:developers, logs, get, */*, allow
      p, role:developers, applications, restart, default/camtiler, allow
      p, role:developers, applications, override, default/camtiler, allow
      p, role:developers, applications, action/apps/Deployment/restart, default/camtiler, allow
      p, role:developers, applications, sync, default/camtiler, allow
      p, role:developers, applications, update, default/camtiler, allow
  metrics:
    enabled: true
    service:
      annotations:
        prometheus.io/scrape: "true"
        prometheus.io/port: "8083"

# ApplicationSet CRDs are not in use (yet).
applicationSet:
  enabled: false

repoServer:
  metrics:
    enabled: true
    service:
      annotations:
        prometheus.io/scrape: "true"
        prometheus.io/port: "8084"

notifications:
  metrics:
    enabled: true
    service:
      annotations:
        prometheus.io/scrape: "true"
        prometheus.io/port: "9001"

controller:
  metrics:
    enabled: true
    service:
      annotations:
        prometheus.io/scrape: "true"
        prometheus.io/port: "8082"

configs:
  # argocd-secret (OIDC client secret, etc.) is managed outside this chart.
  secret:
    createSecret: false
  # Pinned host keys for the git server: repo SSH connections fail on a key
  # mismatch instead of trusting on first use. Re-run the ssh-keyscan noted
  # inside the value and update all three entries if the host rotates keys.
  knownHosts:
    data:
      ssh_known_hosts: |
        # Copy-pasted from `ssh-keyscan git.k-space.ee`
        git.k-space.ee ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCF1+/TDRXuGwsu4SZQQwQuJusb7W1OciGAQp/ZbTTvKD+0p7fV6dXyUlWjdFmITrFNYDreDnMiOS+FvE62d2Z0=
        git.k-space.ee ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDsLyRuubdIUnTKEqOipu+9x+FforrC8+oxulVrl0ECgdIRBQnLQXIspTNwuC3MKJ4z+DPbndSt8zdN33xWys8UNEs3V5/W6zsaW20tKiaX75WK5eOL4lIDJi/+E97+c0aZBXamhxTrgkRVJ5fcAkY6C5cKEmVM5tlke3v3ihLq78/LpJYv+P947NdnthYE2oc+XGp/elZ0LNfWRPnd///+ykbwWirvQm+iiDz7PMVKkb+Q7l3vw4+zneKJWAyFNrm+aewyJV9lFZZJuHliwlHGTriSf6zhMAWyJzvYqDAN6iT5yi9KGKw60J6vj2GLuK4ULVblTyP9k9+3iELKSWW5
        git.k-space.ee ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL1jaIn/5dZcqN+cwcs/c2xMVJH/ReA84v8Mm73jqDAG