From 4cee8124e1f2c4eacf43b8c5453a74cc0f121522 Mon Sep 17 00:00:00 2001
From: William P
Date: Mon, 6 Oct 2025 10:47:28 -0400
Subject: [PATCH] add argocd to system-apps
---
 system-apps/argocd/Chart.yaml | 28 +++++
 system-apps/argocd/values.yaml | 181 +++++++++++++++++++++++++++++++++
 2 files changed, 209 insertions(+)
 create mode 100644 system-apps/argocd/Chart.yaml
 create mode 100644 system-apps/argocd/values.yaml
diff --git a/system-apps/argocd/Chart.yaml b/system-apps/argocd/Chart.yaml
new file mode 100644
index 0000000..9d27bd3
--- /dev/null
+++ b/system-apps/argocd/Chart.yaml
@@ -0,0 +1,28 @@
+apiVersion: v2
+name: argocd
+description: A Helm chart for Kubernetes
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+appVersion: "1.0"
+
+dependencies:
+- name: argo-cd
+ version: 8.5.8
+ repository: https://argoproj.github.io/argo-helm
\ No newline at end of file
diff --git a/system-apps/argocd/values.yaml b/system-apps/argocd/values.yaml
new file mode 100644
index 0000000..7a7d86e
--- /dev/null
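Review bot: The umbrella chart pins the `argo-cd` dependency to `version: 8.5.8`, but the commit adds no `Chart.lock` (the diffstat lists only Chart.yaml and values.yaml), so each `helm dependency build` re-resolves the dependency from the remote repository index instead of from a committed lock; run `helm dependency update` and commit the generated `Chart.lock` so the resolved dependency is recorded alongside the pin. `description: A Helm chart for Kubernetes` and `appVersion: "1.0"` are the `helm create` scaffold defaults; a one-line description such as `description: Wrapper chart deploying Argo CD with cluster-specific values` would make the chart self-describing, and `appVersion` should track the wrapped Argo CD release rather than stay at the placeholder. The scaffold comment block about application vs library charts can be dropped from a wrapper chart since it documents Helm itself, not this chart.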
+++ b/system-apps/argocd/values.yaml 
@@ -0,0 +1,181 @@ +argo-cd: + global: + domain: argocd.infra.dubyatp.xyz + configs: + cm: + admin.enabled: false + dex.config: | + connectors: + - config: + issuer: https://auth.dubyatp.xyz/application/o/argocd/ + clientID: ZZ4Rt3ZixVu9ote8yzryHFrEhlbY85C24Hh9Uo98 + clientSecret: $weyma-argocd-secrets:dex.authentik.clientSecret + insecureEnableGroups: true + scopes: + - openid + - profile + - email + name: authentik + type: oidc + id: authentik + resource.customizations.ignoreDifferences.admissionregistration.k8s.io_MutatingWebhookConfiguration: | + jsonPointers: + - /webhooks/0/clientConfig/caBundle + resource.customizations.ignoreDifferences.admissionregistration.k8s.io_ValidatingWebhookConfiguration: | + jsonPointers: + - /webhooks/0/clientConfig/caBundle + resource.customizations.ignoreDifferences.Secret: | + jsonPointers: + - /data + params: + server.insecure: true + rbac: + policy.csv: | + g, ArgoCD Admins, role:admin + server: + ingress: + enabled: true + extraObjects: + - apiVersion: external-secrets.io/v1 + kind: ExternalSecret + metadata: + name: weyma-argocd-secrets + labels: + app.kubernetes.io/part-of: argocd + spec: + refreshInterval: 1h + secretStoreRef: + name: weyma-vault + kind: ClusterSecretStore + target: + name: weyma-argocd-secrets + creationPolicy: Owner + data: + - secretKey: webhook.gitea.secret + remoteRef: + key: argo-cd + property: webhook.gitea.secret + - secretKey: admin.password + remoteRef: + key: argo-cd + property: admin.password + - secretKey: admin.passwordMtime + remoteRef: + key: argo-cd + property: admin.passwordMtime + - secretKey: dex.authentik.clientSecret + remoteRef: + key: argo-cd + property: dex.authentik.clientSecret + - apiVersion: external-secrets.io/v1 + kind: ExternalSecret + metadata: + name: git-core-apps + labels: + app.kubernetes.io/part-of: argocd + argocd.argoproj.io/secret-type: repository + spec: + refreshInterval: 1h + secretStoreRef: + name: weyma-vault + kind: ClusterSecretStore + target: + name: 
git-core-apps + creationPolicy: Owner + data: + - secretKey: sshPrivateKey + remoteRef: + key: argo-cd-git + property: sshPrivateKey + - secretKey: type + remoteRef: + key: argo-cd-git + property: type + - secretKey: url + remoteRef: + key: argo-cd-git + property: url.core-apps + - apiVersion: external-secrets.io/v1 + kind: ExternalSecret + metadata: + name: git-weyma-talos + labels: + app.kubernetes.io/part-of: argocd + argocd.argoproj.io/secret-type: repository + spec: + refreshInterval: 1h + secretStoreRef: + name: weyma-vault + kind: ClusterSecretStore + target: + name: git-weyma-talos + creationPolicy: Owner + data: + - secretKey: sshPrivateKey + remoteRef: + key: argo-cd-git + property: sshPrivateKey + - secretKey: type + remoteRef: + key: argo-cd-git + property: type + - secretKey: url + remoteRef: + key: argo-cd-git + property: url.weyma-talos + - apiVersion: external-secrets.io/v1 + kind: ExternalSecret + metadata: + name: git-williamp-sites + labels: + app.kubernetes.io/part-of: argocd + argocd.argoproj.io/secret-type: repository + spec: + refreshInterval: 1h + secretStoreRef: + name: weyma-vault + kind: ClusterSecretStore + target: + name: git-williamp-sites + creationPolicy: Owner + data: + - secretKey: sshPrivateKey + remoteRef: + key: argo-cd-git + property: sshPrivateKey + - secretKey: type + remoteRef: + key: argo-cd-git + property: type + - secretKey: url + remoteRef: + key: argo-cd-git + property: url.williamp-sites + - apiVersion: external-secrets.io/v1 + kind: ExternalSecret + metadata: + name: git-db-operators + labels: + app.kubernetes.io/part-of: argocd + argocd.argoproj.io/secret-type: repository + spec: + refreshInterval: 1h + secretStoreRef: + name: weyma-vault + kind: ClusterSecretStore + target: + name: git-db-operators + creationPolicy: Owner + data: + - secretKey: sshPrivateKey + remoteRef: + key: argo-cd-git + property: sshPrivateKey + - secretKey: type + remoteRef: + key: argo-cd-git + property: type + - secretKey: url + remoteRef: + 
key: argo-cd-git + property: url.db-operators \ No newline at end of file
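Review bot: `resource.customizations.ignoreDifferences.Secret` with `jsonPointers: - /data` applies to every Secret kind cluster-wide, so Argo CD stops reporting drift in the data of any Secret it manages, not only the ones external-secrets rewrites; if the intent is to tolerate ESO-populated data, scope the ignore per Application via `spec.ignoreDifferences` with `name`/`namespace` selectors, or restrict it to the ESO-managed secrets, rather than blinding drift detection for the whole kind. `server.insecure: true` under `configs.params` disables TLS on argocd-server and is only appropriate when the ingress terminates TLS, yet the `server.ingress` stanza here sets only `enabled: true` with no `tls` or annotations visible, so either add the TLS configuration it relies on or document where termination happens. The `weyma-argocd-secrets` ExternalSecret syncs `admin.password`, `admin.passwordMtime` and `webhook.gitea.secret`, but Argo CD reads those keys from its own `argocd-secret` and `admin.enabled` is `false`, so these entries look unused unless another component copies them — confirm or remove them (the `dex.authentik.clientSecret` key is the only one referenced, via `$weyma-argocd-secrets:dex.authentik.clientSecret`). It is also worth stating `policy.default` explicitly next to `policy.csv` so the access level of authenticated users outside `ArgoCD Admins` is a deliberate choice rather than the chart default.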