global: logLevel: warn domain: argocd.k-space.ee dex: enabled: false redis: enabled: false redis-ha: enabled: false externalRedis: host: argocd-redis existingSecret: argocd-redis server: # HTTPS is implemented by Traefik ingress: enabled: true annotations: external-dns.alpha.kubernetes.io/target: traefik.k-space.ee traefik.ingress.kubernetes.io/router.entrypoints: websecure traefik.ingress.kubernetes.io/router.tls: "true" hosts: - argocd.k-space.ee tls: - hosts: - "*.k-space.ee" metrics: enabled: true # We don't use ApplicationSet CRD-s (yet) applicationSet: enabled: false repoServer: metrics: enabled: true notifications: metrics: enabled: true controller: metrics: enabled: true configs: params: server.insecure: true rbac: policy.default: role:admin policy.csv: | # Map AD groups to ArgoCD roles g, Developers, role:developers g, ArgoCD Admins, role:admin # Allow developers to read objects p, role:developers, applications, get, */*, allow p, role:developers, certificates, get, *, allow p, role:developers, clusters, get, *, allow p, role:developers, repositories, get, *, allow p, role:developers, projects, get, *, allow p, role:developers, accounts, get, *, allow p, role:developers, gpgkeys, get, *, allow p, role:developers, logs, get, */*, allow p, role:developers, applications, restart, default/camtiler, allow p, role:developers, applications, override, default/camtiler, allow p, role:developers, applications, action/apps/Deployment/restart, default/camtiler, allow p, role:developers, applications, sync, default/camtiler, allow p, role:developers, applications, update, default/camtiler, allow # argocd-image-updater p, role:image-updater, applications, get, */*, allow p, role:image-updater, applications, update, */*, allow g, image-updater, role:image-updater cm: admin.enabled: "false" resource.customizations: | # https://github.com/argoproj/argo-cd/issues/1704 networking.k8s.io/Ingress: health.lua: | hs = {} hs.status = "Healthy" return hs apiextensions.k8s.io/CustomResourceDefinition: ignoreDifferences: | jsonPointers: - "x-kubernetes-validations" oidc.config: | name: OpenID Connect issuer: https://auth.k-space.ee/ clientID: $oidc-client-argocd-owner-secrets:OIDC_CLIENT_ID cliClientID: $oidc-client-argocd-owner-secrets:OIDC_CLIENT_ID clientSecret: $oidc-client-argocd-owner-secrets:OIDC_CLIENT_SECRET requestedIDTokenClaims: groups: essential: true requestedScopes: - openid - profile - email - groups secret: createSecret: false ssh: knownHosts: | # Copy-pasted from `ssh-keyscan git.k-space.ee` git.k-space.ee ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCF1+/TDRXuGwsu4SZQQwQuJusb7W1OciGAQp/ZbTTvKD+0p7fV6dXyUlWjdFmITrFNYDreDnMiOS+FvE62d2Z0= git.k-space.ee ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDsLyRuubdIUnTKEqOipu+9x+FforrC8+oxulVrl0ECgdIRBQnLQXIspTNwuC3MKJ4z+DPbndSt8zdN33xWys8UNEs3V5/W6zsaW20tKiaX75WK5eOL4lIDJi/+E97+c0aZBXamhxTrgkRVJ5fcAkY6C5cKEmVM5tlke3v3ihLq78/LpJYv+P947NdnthYE2oc+XGp/elZ0LNfWRPnd///+ykbwWirvQm+iiDz7PMVKkb+Q7l3vw4+zneKJWAyFNrm+aewyJV9lFZZJuHliwlHGTriSf6zhMAWyJzvYqDAN6iT5yi9KGKw60J6vj2GLuK4ULVblTyP9k9+3iELKSWW5 git.k-space.ee ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL1jaIn/5dZcqN+cwcs/c2xMVJH/ReA84v8Mm73jqDAG