global:
  # Only warnings and errors are logged.
  # NOTE(review): confirm that login and RBAC-denial events needed for audit
  # are still captured at this level.
  logLevel: warn

# We use Authelia OIDC instead of Dex
# The bundled Dex connector is switched off; logins go through the OIDC
# provider configured under server.config "oidc.config".
dex:
  enabled: false

# Maybe one day switch to Redis HA?
redis-ha:
  enabled: false

server:
  # HTTPS is implemented by Traefik
  # --insecure makes argocd-server serve plain HTTP, so the hop from Traefik
  # to argocd-server inside the cluster is unencrypted.
  # NOTE(review): confirm a NetworkPolicy (or equivalent) limits which pods
  # can reach the server port, since session tokens cross that hop.
  extraArgs:
    - --insecure
  ingress:
    enabled: true
    annotations:
      external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
      # The router is bound to the websecure entrypoint with TLS enabled.
      traefik.ingress.kubernetes.io/router.entrypoints: websecure
      traefik.ingress.kubernetes.io/router.tls: "true"
    hosts:
      - argocd.k-space.ee
    # No secretName is set for this TLS entry.
    # NOTE(review): presumably Traefik serves its default wildcard
    # certificate for this host; confirm.
    tls:
      - hosts:
          - "*.k-space.ee"
  configEnabled: true
  config:
    # The local admin account is disabled; interactive logins rely on OIDC.
    admin.enabled: "false"
    url: https://argocd.k-space.ee
    application.instanceLabelKey: argocd.argoproj.io/instance
    # clientSecret is a $-reference, not a literal, so no secret value is
    # stored in this file. Argo CD resolves it from the argocd-secret Secret,
    # which this values file does not create (configs.secret.createSecret is
    # false), so it has to be provisioned separately.
    # The groups claim is requested as essential because the RBAC policy
    # under rbacConfig maps groups to roles.
    oidc.config: |
      name: Authelia
      issuer: https://auth.k-space.ee
      clientID: argocd
      cliClientID: argocd
      clientSecret: $oidc.config.clientSecret
      requestedIDTokenClaims:
        groups:
          essential: true
      requestedScopes:
        - openid
        - profile
        - email
        - groups
    # Health override: the Lua check reports every Ingress as Healthy
    # regardless of its actual status, so Ingress problems will not show up
    # as degraded applications.
    resource.customizations: |
      # https://github.com/argoproj/argo-cd/issues/1704
      networking.k8s.io/Ingress:
        health.lua: |
          hs = {}
          hs.status = "Healthy"
          return hs

  # Members of ArgoCD Admins group in AD/Samba are allowed to administer Argo
  rbacConfig:
    # Applies to every authenticated user, including users that match no
    # group mapping in policy.csv.
    # NOTE(review): with role:readonly as the default, any account that can
    # log in through the OIDC provider gets read access to Argo CD objects.
    # Confirm that is intended; the least-privilege alternative is an empty
    # default with read access granted per group.
    policy.default: role:readonly
    # Group names are matched against the groups claim requested in
    # oidc.config. The developers role gets read access everywhere and
    # write-type actions (restart, override, sync, update) only on
    # default/camtiler. The get rules appear to duplicate what the default
    # role already grants.
    # NOTE(review): override permits syncing with caller-supplied manifests
    # or parameters, so its reach is bounded by the destinations and
    # resource allow-lists of the default AppProject; confirm that project
    # is restricted.
    policy.csv: |
      # Map AD groups to ArgoCD roles
      g, Developers, role:developers
      g, ArgoCD Admins, role:admin
      # Allow developers to read objects
      p, role:developers, applications, get, */*, allow
      p, role:developers, certificates, get, *, allow
      p, role:developers, clusters, get, *, allow
      p, role:developers, repositories, get, *, allow
      p, role:developers, projects, get, *, allow
      p, role:developers, accounts, get, *, allow
      p, role:developers, gpgkeys, get, *, allow
      p, role:developers, logs, get, */*, allow
      p, role:developers, applications, restart, default/camtiler, allow
      p, role:developers, applications, override, default/camtiler, allow
      p, role:developers, applications, action/apps/Deployment/restart, default/camtiler, allow
      p, role:developers, applications, sync, default/camtiler, allow
      p, role:developers, applications, update, default/camtiler, allow

  # Enables the metrics endpoint of the API server.
  # NOTE(review): metrics endpoints are normally unauthenticated; confirm
  # that only the monitoring stack can scrape them.
  metrics:
    enabled: true

# We don't use ApplicationSet CRD-s (yet)
applicationSet:
  enabled: false

# Metrics are enabled for the repo server, the notifications controller and
# the application controller.
# NOTE(review): metrics endpoints are normally unauthenticated; confirm that
# only the monitoring stack can reach them.
repoServer:
  metrics:
    enabled: true

notifications:
  metrics:
    enabled: true

controller:
  metrics:
    enabled: true

configs:
  secret:
    # The chart does not generate argocd-secret. It must be provisioned
    # separately and has to carry the key that $oidc.config.clientSecret
    # refers to.
    createSecret: false
  knownHosts:
    data:
      # Pinned SSH host keys for git.k-space.ee (ECDSA, RSA and Ed25519).
      # NOTE(review): ssh-keyscan output is not authenticated. Verify these
      # fingerprints against the server over a trusted channel, and update
      # the entries when the host keys are rotated.
      # NOTE(review): this value presumably replaces the chart's built-in
      # known_hosts list, leaving git.k-space.ee as the only trusted SSH
      # host; confirm.
      ssh_known_hosts: |
        # Copy-pasted from `ssh-keyscan git.k-space.ee`
        git.k-space.ee ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCF1+/TDRXuGwsu4SZQQwQuJusb7W1OciGAQp/ZbTTvKD+0p7fV6dXyUlWjdFmITrFNYDreDnMiOS+FvE62d2Z0=
        git.k-space.ee ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDsLyRuubdIUnTKEqOipu+9x+FforrC8+oxulVrl0ECgdIRBQnLQXIspTNwuC3MKJ4z+DPbndSt8zdN33xWys8UNEs3V5/W6zsaW20tKiaX75WK5eOL4lIDJi/+E97+c0aZBXamhxTrgkRVJ5fcAkY6C5cKEmVM5tlke3v3ihLq78/LpJYv+P947NdnthYE2oc+XGp/elZ0LNfWRPnd///+ykbwWirvQm+iiDz7PMVKkb+Q7l3vw4+zneKJWAyFNrm+aewyJV9lFZZJuHliwlHGTriSf6zhMAWyJzvYqDAN6iT5yi9KGKw60J6vj2GLuK4ULVblTyP9k9+3iELKSWW5
        git.k-space.ee ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL1jaIn/5dZcqN+cwcs/c2xMVJH/ReA84v8Mm73jqDAG