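---
# Ansible variables for the Argo CD Helm release (argo-cd chart) with Keycloak OIDC login,
# helm-secrets/SOPS/KSOPS tooling injected into the repo-server, and the bootstrap projects.
# Every "{{ ... }}" value is rendered by Ansible before the result is handed to Helm.
k8s_argocd_helm__name: "argo-cd"
k8s_argocd_helm__release_namespace: "argo-cd"
# Canonical lowercase boolean (yamllint "truthy"); semantics unchanged.
k8s_argocd_with_keycloak: true

# Keycloak realm / client settings. The realm name is anchored so the display name,
# client id and the OIDC issuer below cannot drift apart.
argo_realm_name: &argoname 'argocd'
argo_realm_display_name: *argoname
# NOTE: the &argourl anchor is not aliased anywhere in this file; kept for compatibility.
k8s_argocd_helm__domain: &argourl "{{ stage }}-kube-argocd.{{ domain }}"
argo_realm_group: argoadmins  # shouldn't be 'admin' due to default adminuser called 'admin' in argo
argo_keycloak_clientscope_protocol: openid-connect
argo_keycloak_clientscope_name: groups
argo_client_id: *argoname
argo_client_root_url: 'https://{{ k8s_argocd_helm__domain }}'
argo_client_redirect_uris:
  - 'https://{{ k8s_argocd_helm__domain }}/auth/callback'
argo_client_base_url: '/applications'
argo_client_admin_url: 'https://{{ k8s_argocd_helm__domain }}'
argo_client_web_origins:
  - 'https://{{ k8s_argocd_helm__domain }}'
# Realm user(s) created in Keycloak; block style instead of an inline flow mapping.
# argocd_admin_username / argocd_admin_password are defined outside this file.
argo_realm_users:
  - username: "{{ argocd_admin_username }}"
    password: "{{ argocd_admin_password }}"
    requiredActions: []

# Local Argo CD "admin" password. When argocd_server_admin_password_vault is undefined a fresh
# random string is generated on every evaluation, so the bcrypt hash written to the argocd-secret
# below changes each run and the clear-text value is never recorded anywhere: provide the vault
# variable for any environment where the local admin login must stay usable.
argocd_server_admin_password: "{{ argocd_server_admin_password_vault | default( lookup('community.general.random_string', length=20) ) }}"

# https://github.com/argoproj/argo-helm/tree/master/charts/argo-cd
k8s_argocd_helm__release_values:
  controller:
    logLevel: warn
    logFormat: json
    metrics:
      enabled: true
      serviceMonitor:
        enabled: true
        namespace: "{{ k8s_argocd_helm__release_namespace }}"
        additionalLabels:
          release: "{{ k8s_prometheus_helm__name }}"

  repoServer:
    serviceAccount:
      create: true
      name: argo-cd-argocd-repo-server
    # Lets the repo-server read Secrets in its own namespace; needed by the
    # secrets+gpg-import-kubernetes / secrets+age-import-kubernetes schemes enabled below.
    # Scope: every Secret in the release namespace, not just the key material.
    rbac:
      - apiGroups:
          - ""
        resources:
          - secrets
        verbs:
          - get
    logLevel: warn
    logFormat: json
    metrics:
      enabled: true
      serviceMonitor:
        enabled: true
        namespace: "{{ k8s_argocd_helm__release_namespace }}"
        additionalLabels:
          release: "{{ k8s_prometheus_helm__name }}"
    env:
      # NOTE(review): this variable is read by the API server (argocd-server), not by the
      # repo-server, so it is presumably a no-op here. "0" disables the concurrent-login
      # limit that protects the login endpoint against brute-force bursts; do not move it
      # to server.env without a documented reason.
      - name: ARGOCD_MAX_CONCURRENT_LOGIN_REQUESTS_COUNT
        value: "0"
      - name: ARGOCD_EXEC_TIMEOUT
        value: "300s"
      # Must match the /.config/kustomize/... volumeMount below (KSOPS plugin discovery).
      - name: XDG_CONFIG_HOME
        value: /.config
      - name: GNUPGHOME
        value: /home/argocd/.gnupg
      - name: HELM_PLUGINS
        value: /custom-tools/helm-plugins/
      - name: HELM_SECRETS_SOPS_PATH
        value: /custom-tools/sops
      - name: HELM_SECRETS_VALS_PATH
        value: /custom-tools/vals
      - name: HELM_SECRETS_KUBECTL_PATH
        value: /custom-tools/kubectl
      - name: HELM_SECRETS_CURL_PATH
        value: /custom-tools/curl
      # https://github.com/jkroepke/helm-secrets/wiki/Security-in-shared-environments
      # Keys may only be loaded from the mounted sops-gpg secret; symlinks, absolute paths
      # and path traversal in values references are refused so one tenant's chart cannot
      # read another's files.
      - name: HELM_SECRETS_KEY_LOCATION_PREFIX
        value: "/sops-gpg/"
      - name: HELM_SECRETS_VALUES_ALLOW_SYMLINKS
        value: "false"
      - name: HELM_SECRETS_VALUES_ALLOW_ABSOLUTE_PATH
        value: "false"
      - name: HELM_SECRETS_VALUES_ALLOW_PATH_TRAVERSAL
        value: "false"
    volumes:
      - name: custom-tools
        emptyDir: {}
      - name: custom-tools-helm
        emptyDir: {}
      - name: gnupg-home
        emptyDir: {}
      # Private GPG key used by SOPS; provisioned as a Secret outside this file.
      - name: sops-gpg
        secret:
          secretName: sops-gpg
    volumeMounts:
      - mountPath: /home/argocd/.gnupg
        name: gnupg-home
        subPath: .gnupg
      - mountPath: /usr/local/bin/kustomize
        name: custom-tools
        subPath: kustomize
      # Verify this matches a XDG_CONFIG_HOME=/.config env variable
      - mountPath: /.config/kustomize/plugin/viaduct.ai/v1/ksops/ksops
        name: custom-tools
        subPath: ksops
      - mountPath: /custom-tools/helm-plugins
        name: custom-tools-helm
        subPath: helm-plugins
      - mountPath: /custom-tools/kubectl
        name: custom-tools-helm
        subPath: kubectl
      - mountPath: /custom-tools/sops
        name: custom-tools-helm
        subPath: sops
      - mountPath: /custom-tools/vals
        name: custom-tools-helm
        subPath: vals
    initContainers:
      # Copies the ksops plugin and its kustomize binary out of the image.
      # Pinned by tag only; a digest pin would make the supply chain reproducible.
      - name: 1-install-ksops
        image: viaductoss/ksops:v3.0.1
        command: ["/bin/sh", "-c"]
        args:
          - >-
            echo "Installing KSOPS...";
            mv ksops /custom-tools/;
            mv $GOPATH/bin/kustomize /custom-tools/;
            echo "Done.";
        volumeMounts:
          - mountPath: /custom-tools
            name: custom-tools
      # Downloads helm-secrets, sops, kubectl and vals at pod start.
      # NOTE(review): the base image is unpinned (alpine:latest) and none of the downloads is
      # checked against the upstream release checksums, so every repo-server restart trusts
      # whatever the remote currently serves; the versions are pinned, the artifacts are not.
      - name: 2-download-tools
        image: alpine:latest
        command: [sh, -ec]
        env:
          - name: HELM_SECRETS_VERSION
            value: "3.12.0"
          - name: KUBECTL_VERSION
            value: "1.24.3"
          - name: VALS_VERSION
            value: "0.18.0"
          - name: SOPS_VERSION
            value: "3.7.3"
        args:
          - |
            echo "Installing helm secrets...";
            mkdir -p /custom-tools/helm-plugins
            wget -qO- https://github.com/jkroepke/helm-secrets/releases/download/v${HELM_SECRETS_VERSION}/helm-secrets.tar.gz | tar -C /custom-tools/helm-plugins -xzf-;
            echo "Done.";
            echo "Downloading SOPS=${SOPS_VERSION} and kubectl ...";
            wget -qO /custom-tools/sops https://github.com/mozilla/sops/releases/download/v${SOPS_VERSION}/sops-v${SOPS_VERSION}.linux
            wget -qO /custom-tools/kubectl https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/amd64/kubectl
            echo "Done.";
            echo "Downloading vals...";
            wget -qO- https://github.com/variantdev/vals/releases/download/v${VALS_VERSION}/vals_${VALS_VERSION}_linux_amd64.tar.gz | tar -xzf- -C /custom-tools/ vals;
            echo "Done.";
            chmod +x /custom-tools/*;
        volumeMounts:
          - mountPath: /custom-tools
            name: custom-tools-helm
      # Imports the SOPS private key into the shared gnupg-home volume.
      - name: 3-import-gpg-key
        image: argoproj/argocd:v2.2.5
        command: ["gpg", "--import", "/sops-gpg/gpg_key_smardigo_automation__private"]
        env:
          - name: GNUPGHOME
            value: /gnupg-home/.gnupg
        volumeMounts:
          - mountPath: /sops-gpg
            name: sops-gpg
          - mountPath: /gnupg-home
            name: gnupg-home

  server:
    logLevel: warn
    logFormat: json
    config:
      # Keycloak OIDC login. The issuer realm is derived from argo_realm_name instead of a
      # hard-coded 'argocd' so it stays in sync with the realm created above.
      # clientSecret is resolved from the argocd-secret key oidc.keycloak.clientSecret.
      oidc.config: |
        name: Keycloak
        issuer: '{{ shared_service_url_keycloak }}/auth/realms/{{ argo_realm_name }}'
        clientID: '{{ argo_client_id }}'
        clientSecret: $oidc.keycloak.clientSecret
        requestedScopes: ["openid", "profile", "email", "{{ argo_keycloak_clientscope_name }}"]
      url: 'https://{{ k8s_argocd_helm__domain }}'
      # Required for the KSOPS exec plugin; alpha plugins let kustomize run arbitrary
      # executables found under XDG_CONFIG_HOME, so keep that mount read-only to repos.
      kustomize.buildOptions: "--enable-alpha-plugins"
      helm.valuesFileSchemes: >-
        secrets+gpg-import, secrets+gpg-import-kubernetes,
        secrets+age-import, secrets+age-import-kubernetes,
        secrets,secrets+literal,
        https
    rbacConfig:
      policy.default: role:readonly
      # Members of the Keycloak group argo_realm_group become Argo CD admins.
      # The local built-in admin is a superuser in Argo CD regardless of RBAC,
      # so the second line is redundant but harmless.
      policy.csv: |
        g, {{ argo_realm_group }}, role:admin
        g, admin, role:admin
    metrics:
      enabled: true
      serviceMonitor:
        enabled: true
        namespace: "{{ k8s_argocd_helm__release_namespace }}"
        additionalLabels:
          release: "{{ k8s_prometheus_helm__name }}"
    service:
      sessionAffinity: ClientIP
    ingress:
      enabled: true
      annotations:
        cert-manager.io/cluster-issuer: letsencrypt-prod
        cert-manager.io/issue-temporary-certificate: "true"
        kubernetes.io/ingress.class: nginx
        # Source-IP allow list; an empty ip_whitelist renders as "" and drops the restriction.
        nginx.ingress.kubernetes.io/whitelist-source-range: "{{ ( ip_whitelist ) | join(',') }}"
        # TLS is passed through to argocd-server, which terminates it itself; the nginx
        # controller must be started with SSL passthrough enabled for this to work.
        nginx.ingress.kubernetes.io/force-ssl-redirect: "false"
        nginx.ingress.kubernetes.io/ssl-passthrough: "true"
        nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
      hosts:
        - "{{ k8s_argocd_helm__domain }}"
      tls:
        - secretName: "{{ stage }}-kube-argocd-cert"
          hosts:
            - "{{ k8s_argocd_helm__domain }}"

    # AppProjects. All three accept any source repo ('*'); bootstrap and infrastructure may
    # also deploy to any namespace and any cluster-scoped kind, so membership in these
    # projects is equivalent to cluster-admin.
    additionalProjects:
      - name: bootstrap
        namespace: '{{ k8s_argocd_helm__release_namespace }}'
        additionalLabels: {}
        additionalAnnotations: {}
        description: application declarations for bootstraping k8s cluster with argo-cd
        sourceRepos:
          - '*'
        destinations:
          - namespace: '*'
            server: https://kubernetes.default.svc
        clusterResourceWhitelist:
          - group: '*'
            kind: '*'
        orphanedResources:
          warn: false
      - name: kube-system
        namespace: '{{ k8s_argocd_helm__release_namespace }}'
        additionalLabels: {}
        additionalAnnotations: {}
        description: applications for kube-system namespace
        sourceRepos:
          - '*'
        destinations:
          - namespace: kube-system
            server: https://kubernetes.default.svc
        clusterResourceWhitelist:
          - group: '*'
            kind: '*'
        orphanedResources:
          warn: false
      - name: infrastructure
        namespace: '{{ k8s_argocd_helm__release_namespace }}'
        additionalLabels: {}
        additionalAnnotations: {}
        description: infrastructure applications
        sourceRepos:
          - '*'
        destinations:
          - namespace: '*'
            server: https://kubernetes.default.svc
        clusterResourceWhitelist:
          - group: '*'
            kind: '*'
        orphanedResources:
          warn: false

    # Root "app of apps"; auto-sync with prune and self-heal means the Git branch in
    # targetRevision is the single source of truth for everything it declares.
    additionalApplications:
      - name: bootstrap
        namespace: '{{ k8s_argocd_helm__release_namespace }}'
        destination:
          namespace: bootstrap
          server: https://kubernetes.default.svc
        project: bootstrap
        source:
          path: config/default
          repoURL: 'https://{{ shared_service_gitea_hostname }}/argocd/argocd.git'
          targetRevision: '{{ awx_smardigo_revision | default(stage) }}'
        syncPolicy:
          automated:
            prune: true
            selfHeal: true
          syncOptions:
            - CreateNamespace=true

  redis:
    metrics:
      enabled: true
      serviceMonitor:
        enabled: true
        namespace: "{{ k8s_argocd_helm__release_namespace }}"
        additionalLabels:
          release: "{{ k8s_prometheus_helm__name }}"

  dex:
    enabled: false

  applicationSet:
    enabled: false

  configs:
    secret:
      # bcrypt hash of the local admin password (the bcrypt variant of password_hash needs
      # passlib on the controller); see the note on argocd_server_admin_password above.
      argocdServerAdminPassword: '{{ argocd_server_admin_password | password_hash("bcrypt") }}'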