# Chart-wide settings: log verbosity and the public hostname of this instance.
global:
  logLevel: warn
  domain: argocd.k-space.ee

# The bundled Dex connector is not deployed; single sign-on is configured
# directly against the OIDC issuer in configs.cm "oidc.config".
dex:
  enabled: false

# Neither chart-managed Redis flavour is deployed.
redis:
  enabled: false
redis-ha:
  enabled: false

# An externally managed Redis is used instead.
externalRedis:
  host: argocd-redis
  # Name of a pre-existing Secret, presumably holding the Redis credentials.
  # NOTE(review): confirm the expected key name against the chart docs.
  existingSecret: argocd-redis

server:
  # HTTPS is implemented by Traefik: the ingress is bound to the "websecure"
  # entrypoint with router TLS enabled, while argocd-server itself runs with
  # server.insecure (see configs.params) and speaks plain HTTP behind it.
  ingress:
    enabled: true
    annotations:
      external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
      traefik.ingress.kubernetes.io/router.entrypoints: websecure
      # Annotation values must be strings, hence the quotes.
      traefik.ingress.kubernetes.io/router.tls: "true"
    hosts:
      - argocd.k-space.ee
    # No secretName is set, so certificate selection is left to Traefik.
    # NOTE(review): presumably its default/wildcard certificate; confirm.
    tls:
      - hosts:
          - "*.k-space.ee"

  # Enable the chart's metrics for argocd-server.
  metrics:
    enabled: true

# We don't use ApplicationSet CRDs (yet), so its controller is not deployed.
applicationSet:
  enabled: false

# Metrics are switched on for each remaining component.
repoServer:
  metrics:
    enabled: true

notifications:
  metrics:
    enabled: true

controller:
  metrics:
    enabled: true

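configs:
  params:
    # argocd-server serves plain HTTP; TLS is terminated at Traefik (see
    # server.ingress). The hop from Traefik to the pod is therefore
    # unencrypted inside the cluster.
    # NOTE(review): consider a NetworkPolicy that lets only Traefik reach
    # the server port.
    server.insecure: true
  rbac:
    # Fallback role for any authenticated user that no rule below matches.
    # This was role:admin, which made every account the OIDC issuer can
    # authenticate an Argo CD administrator and left the scoped
    # role:developers rules without effect. Admin now comes only from the
    # explicit "ArgoCD Admins" group mapping; use '' instead of
    # role:readonly to grant nothing by default.
    # NOTE(review): the local admin is disabled (cm "admin.enabled"), so
    # confirm the "groups" claim actually carries "ArgoCD Admins" before
    # rolling this out, otherwise nobody holds admin.
    policy.default: role:readonly
    policy.csv: |
      # Map AD groups to ArgoCD roles
      g, Developers, role:developers
      g, ArgoCD Admins, role:admin
      # Allow developers to read objects
      p, role:developers, applications, get, */*, allow
      p, role:developers, certificates, get, *, allow
      p, role:developers, clusters, get, *, allow
      p, role:developers, repositories, get, *, allow
      p, role:developers, projects, get, *, allow
      p, role:developers, accounts, get, *, allow
      p, role:developers, gpgkeys, get, *, allow
      p, role:developers, logs, get, */*, allow
      p, role:developers, applications, restart, default/camtiler, allow
      p, role:developers, applications, override, default/camtiler, allow
      p, role:developers, applications, action/apps/Deployment/restart, default/camtiler, allow
      p, role:developers, applications, sync, default/camtiler, allow
      p, role:developers, applications, update, default/camtiler, allow
      # argocd-image-updater
      p, role:image-updater, applications, get, */*, allow
      p, role:image-updater, applications, update, */*, allow
      g, image-updater, role:image-updater
  cm:
    # The built-in local admin account is disabled, so OIDC is the only
    # interactive login path and the RBAC group mappings above are what
    # gate administrative access.
    admin.enabled: "false"
    # Ingress health is forced to "Healthy" (workaround for the linked
    # issue) and CRD diffs ignore x-kubernetes-validations.
    resource.customizations: |
      # https://github.com/argoproj/argo-cd/issues/1704
      networking.k8s.io/Ingress:
          health.lua: |
            hs = {}
            hs.status = "Healthy"
            return hs
      apiextensions.k8s.io/CustomResourceDefinition:
          ignoreDifferences: |
            jsonPointers:
              - "x-kubernetes-validations"
    # Client ID and secret are not stored here: the "$<secret>:<key>" form
    # makes Argo CD read them from the named Kubernetes Secret, which must
    # carry the label app.kubernetes.io/part-of: argocd to be resolved.
    # The "groups" scope and claim requested below feed the "g," group
    # mappings in rbac "policy.csv".
    oidc.config: |
      name: OpenID Connect
      issuer: https://auth.k-space.ee/
      clientID: $oidc-client-argocd-owner-secrets:OIDC_CLIENT_ID
      cliClientID: $oidc-client-argocd-owner-secrets:OIDC_CLIENT_ID
      clientSecret: $oidc-client-argocd-owner-secrets:OIDC_CLIENT_SECRET
      requestedIDTokenClaims:
        groups:
          essential: true
      requestedScopes:
        - openid
        - profile
        - email
        - groups
  secret:
    # The chart does not create argocd-secret.
    # NOTE(review): presumably it is provisioned outside this file; confirm
    # it exists before installing.
    createSecret: false
  ssh:
    # Pinned host keys for the Git server. ssh-keyscan output is not
    # authenticated by itself.
    # NOTE(review): compare these keys' fingerprints with ones read on the
    # server itself, and repeat that check whenever an entry changes.
    knownHosts: |
      # Copy-pasted from `ssh-keyscan git.k-space.ee`
      git.k-space.ee ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCF1+/TDRXuGwsu4SZQQwQuJusb7W1OciGAQp/ZbTTvKD+0p7fV6dXyUlWjdFmITrFNYDreDnMiOS+FvE62d2Z0=
      git.k-space.ee ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDsLyRuubdIUnTKEqOipu+9x+FforrC8+oxulVrl0ECgdIRBQnLQXIspTNwuC3MKJ4z+DPbndSt8zdN33xWys8UNEs3V5/W6zsaW20tKiaX75WK5eOL4lIDJi/+E97+c0aZBXamhxTrgkRVJ5fcAkY6C5cKEmVM5tlke3v3ihLq78/LpJYv+P947NdnthYE2oc+XGp/elZ0LNfWRPnd///+ykbwWirvQm+iiDz7PMVKkb+Q7l3vw4+zneKJWAyFNrm+aewyJV9lFZZJuHliwlHGTriSf6zhMAWyJzvYqDAN6iT5yi9KGKw60J6vj2GLuK4ULVblTyP9k9+3iELKSWW5
      git.k-space.ee ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL1jaIn/5dZcqN+cwcs/c2xMVJH/ReA84v8Mm73jqDAG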