global:
  logLevel: warn

dex:
  enabled: false

# Maybe one day switch to Redis HA?
redis-ha:
  enabled: false

server:
  # HTTPS is implemented by Traefik
  extraArgs:
    - --insecure
  ingress:
    enabled: true
    annotations:
      external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
      traefik.ingress.kubernetes.io/router.entrypoints: websecure
      traefik.ingress.kubernetes.io/router.tls: "true"
    hosts:
    - argocd.k-space.ee
    tls:
     - hosts:
       - "*.k-space.ee"
  configEnabled: true
  config:
    admin.enabled: "false"
    url: https://argocd.k-space.ee
    application.instanceLabelKey: argocd.argoproj.io/instance
    oidc.config: |
       name: OpenID Connect
       issuer: https://auth2.k-space.ee/
       clientID: $oidc-client-argocd-owner-secrets:OIDC_CLIENT_ID
       cliClientID: $oidc-client-argocd-owner-secrets:OIDC_CLIENT_ID
       clientSecret: $oidc-client-argocd-owner-secrets:OIDC_CLIENT_SECRET
       requestedIDTokenClaims:
         groups:
           essential: true
       requestedScopes:
         - openid
         - profile
         - email
         - groups
    resource.customizations: |
      # https://github.com/argoproj/argo-cd/issues/1704
      networking.k8s.io/Ingress:
          health.lua: |
            hs = {}
            hs.status = "Healthy"
            return hs
      apiextensions.k8s.io/CustomResourceDefinition:
          ignoreDifferences: |
            jsonPointers:
              - "x-kubernetes-validations"

  # Members of ArgoCD Admins group in AD/Samba are allowed to administer Argo
  rbacConfig:
    policy.default: role:admin
    policy.csv: |
      # Map AD groups to ArgoCD roles
      g, Developers, role:developers
      g, ArgoCD Admins, role:admin
      # Allow developers to read objects
      p, role:developers, applications, get, */*, allow
      p, role:developers, certificates, get, *, allow
      p, role:developers, clusters, get, *, allow
      p, role:developers, repositories, get, *, allow
      p, role:developers, projects, get, *, allow
      p, role:developers, accounts, get, *, allow
      p, role:developers, gpgkeys, get, *, allow
      p, role:developers, logs, get, */*, allow
      p, role:developers, applications, restart, default/camtiler, allow
      p, role:developers, applications, override, default/camtiler, allow
      p, role:developers, applications, action/apps/Deployment/restart, default/camtiler, allow
      p, role:developers, applications, sync, default/camtiler, allow
      p, role:developers, applications, update, default/camtiler, allow

  metrics:
    enabled: true

# We don't use ApplicationSet CRD-s (yet)
applicationSet:
  enabled: false

repoServer:
  metrics:
    enabled: true

notifications:
  metrics:
    enabled: true

controller:
  metrics:
    enabled: true

configs:
  secret:
    createSecret: false
  knownHosts:
    data:
      ssh_known_hosts: |
        # Copy-pasted from `ssh-keyscan git.k-space.ee`
        git.k-space.ee ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCF1+/TDRXuGwsu4SZQQwQuJusb7W1OciGAQp/ZbTTvKD+0p7fV6dXyUlWjdFmITrFNYDreDnMiOS+FvE62d2Z0=
        git.k-space.ee ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDsLyRuubdIUnTKEqOipu+9x+FforrC8+oxulVrl0ECgdIRBQnLQXIspTNwuC3MKJ4z+DPbndSt8zdN33xWys8UNEs3V5/W6zsaW20tKiaX75WK5eOL4lIDJi/+E97+c0aZBXamhxTrgkRVJ5fcAkY6C5cKEmVM5tlke3v3ihLq78/LpJYv+P947NdnthYE2oc+XGp/elZ0LNfWRPnd///+ykbwWirvQm+iiDz7PMVKkb+Q7l3vw4+zneKJWAyFNrm+aewyJV9lFZZJuHliwlHGTriSf6zhMAWyJzvYqDAN6iT5yi9KGKw60J6vj2GLuK4ULVblTyP9k9+3iELKSWW5
        git.k-space.ee ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL1jaIn/5dZcqN+cwcs/c2xMVJH/ReA84v8Mm73jqDAG