gitea_admin/k8s-and-chill
1
0
Fork 0
Code Issues Pull requests Actions Packages Projects Releases Wiki Activity

feat: Initial setup of GitOps-managed Kubernetes cluster

Browse source 
Configures `myks` for Helm chart rendering with `ytt` overlays to manage cluster applications.
Defines prototypes and environment-specific configurations for core applications including ArgoCD, Traefik, Cert-Manager, and Forgejo.
Adds comprehensive documentation covering cluster setup, GitOps structure, and development environment.
Integrates `direnv` for environment variable management, `gitignore` for file exclusion, and `sops` for secret encryption.
Includes rendered Kubernetes manifests and ArgoCD application resources for initial deployment.
This commit is contained in:
Felix Wolf 2026-03-29 22:42:56 +02:00
commit 6f717a602f
206 changed files with 60495 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
.envrc Normal file
View file

@ -0,0 +1,7 @@
use flake
export KUBECONFIG="${PWD}/talos/kubeconfig"
export TALOSCONFIG="${PWD}/talos/talosconfig"
[ ! -f "$KUBECONFIG" ] && log_error "kubeconfig not found at $KUBECONFIG — run: talosctl kubeconfig --nodes <node-ip>"
[ ! -f "$TALOSCONFIG" ] && log_error "talosconfig not found at $TALOSCONFIG — regenerate from secrets.yaml"

4
.gitignore vendored Normal file
View file

@ -0,0 +1,4 @@
.myks/
.direnv/
talos/kubeconfig
talos/talosconfig

35
.myks.yaml Normal file
View file

@ -0,0 +1,35 @@
---
# Sets the number of applications to be processed in parallel.
# The default (0) is no limit.
async: 0
# Sets the root directory to the configuration file directory.
# Allows to run myks from subdirectories.
config-in-root: true
# One of the zerolog log levels.
# See: https://github.com/rs/zerolog#leveled-logging
log-level: info
# Minimum version of myks required to run this configuration.
# Myks will print an error message if the version is lower than this.
min-version: '5.11.0'
# Load all binaries from the following folders as myks plugins.
plugin-sources:
- ./plugins
# Defines names for files and directories recognized by myks.
# Tailor these to your team's conventions or remove this section to use the defaults.
naming-conventions:
environment-base-dir: envs
prototypes-dir: prototypes
ytt-library-dir-name: lib
rendered-envs-dir: rendered/envs
rendered-argo-dir: rendered/argocd
apps-dir: _apps
envs-dir: _env
prototype-override-dir: _proto
application-data-file-name: app-data*.yaml
environment-data-file-name: env-data*.yaml
plugin-argocd-dir-name: argocd
plugin-helm-dir-name: helm
plugin-static-dir-name: static
plugin-vendir-dir-name: vendir
plugin-ytt-dir-name: ytt

3
.sops.yaml Normal file
View file

@ -0,0 +1,3 @@
creation_rules:
- path_regex: talos/.*\.yaml$
age: age187sqd2s0wz5rztjdfvecy7dfv9qq603s8rcg56et779tva33yglslj8nyz

79
CLAUDE.md Normal file
View file

@ -0,0 +1,79 @@
# k8s-and-chill
## Project Overview
GitOps-managed Kubernetes cluster on Hetzner Cloud running Talos Linux. Uses [myks](https://github.com/mykso/myks) for Helm chart rendering with ytt overlays, targeting ArgoCD for continuous deployment.
## Cluster
- **3 Talos control-plane nodes** (CAX11 ARM64, Hetzner Cloud Nuremberg)
- Node IPs: `195.201.219.111`, `195.201.140.75`, `195.201.219.17`
- `allowSchedulingOnControlPlanes: true` (no dedicated workers)
- All namespaces use `pod-security.kubernetes.io/enforce: privileged`
## Domain & DNS
- **Domain**: `tr1ceracop.de` (registered at INWX)
- **DNS**: Managed at INWX with wildcard A record `*.tr1ceracop.de` pointing to node IPs
- **Forgejo**: `https://git.tr1ceracop.de`
- **ArgoCD**: `https://argocd.tr1ceracop.de`
## Deployed Applications
| App | Namespace | Notes |
|-----|-----------|-------|
| traefik | traefik | Ingress controller, DaemonSet with hostPort 80/443 |
| cert-manager | cert-manager | Let's Encrypt HTTP-01 via ClusterIssuer `letsencrypt` |
| forgejo | forgejo | Git server, SQLite, local-path PVC |
| argocd | argocd | GitOps controller |
| local-path-provisioner | local-path-storage | Default StorageClass, installed via upstream manifest |
## myks Structure
```
prototypes/ # Application templates (helm values + ytt overlays)
argocd/
traefik/
cert-manager/
forgejo/
envs/
env-data.ytt.yaml # Global ArgoCD config
_env/ # Shared overlays (annotations, secrets)
production/
env-data.ytt.yaml # App list for production
_apps/{app}/app-data.ytt.yaml # Per-app overrides
rendered/
envs/production/{app}/ # kubectl-ready manifests
argocd/production/ # ArgoCD Application resources
talos/
controlplane.yaml # Talos machine config
talosconfig # Talos client config
kubeconfig # Cluster kubeconfig
```
### Prototype Pattern
Each prototype follows this structure:
- `app-data.ytt.yaml` — namespace declaration
- `vendir/vendir-data.ytt.yaml` — chart name, version, repository URL
- `vendir/base.ytt.yaml` — vendir config template (identical across all)
- `helm/{chart}.yaml` — Helm values overrides
- `ytt/ns.ytt.yaml` — Namespace resource + namespace overlay on all resources
### Key Commands
```bash
myks render # Render all apps
myks render production <app> # Render single app
kubectl apply -f rendered/envs/production/<app>/ --server-side # Deploy
```
## Kubeconfig & Talos
```bash
export KUBECONFIG=./talos/kubeconfig
export TALOSCONFIG=./talos/talosconfig
```
## Known Issues / TODOs
- **Forgejo admin password**: Hardcoded in rendered secrets (`r8sA8CPHD9!bt6d`). Move to external secret before pushing to git.
- **Namespace race condition**: First `kubectl apply` of a new app often fails because namespace isn't ready. Re-apply once.
- **Traefik DaemonSet updates**: Requires `updateStrategy.rollingUpdate.maxSurge: 0` because hostPort conflicts prevent surge.
- **Forgejo Ingress API version**: Chart renders `extensions/v1beta1`, fixed via `ytt/ingress-fix.ytt.yaml` overlay to `networking.k8s.io/v1`.
- **ArgoCD Phase 3**: Repo not yet pushed to Forgejo, ArgoCD not yet wired.
## Secrets (not in git)
- `cert-manager/letsencrypt-account-key` — ACME account key (auto-generated)
- `argocd/argocd-initial-admin-secret` — ArgoCD admin password (auto-generated)

122
README.md Normal file
View file

@ -0,0 +1,122 @@
# k8s-and-chill
Private Kubernetes cluster running on 3x Hetzner CAX11 (ARM64) instances with Talos Linux, managed by myks.
## Cluster Setup
### Prerequisites
Enter the dev shell (via direnv or `nix develop`), which provides:
- `talosctl`
- `kubectl`
- `helm`
- `myks`
- `hcloud`
### Infrastructure
| Node | Public IP | Private IP | Location |
|------|-----------|------------|----------|
| ubuntu-4gb-nbg1-1 | 195.201.219.17 | 10.0.0.3 | nbg1 |
| ubuntu-4gb-nbg1-2 | 195.201.140.75 | 10.0.0.4 | nbg1 |
| ubuntu-4gb-nbg1-3 | 195.201.219.111 | 10.0.0.2 | nbg1 |
All nodes are control plane nodes (3-node HA etcd). The Kubernetes API endpoint is `https://195.201.219.111:6443`.
The nodes are connected via a Hetzner private network (`thalos-k8s`), which is used for inter-node communication.
### Installing Talos on Hetzner Cloud
The servers were originally provisioned with Ubuntu. Talos was installed by writing the Talos disk image via Hetzner rescue mode.
#### 1. Get the Talos image URL
Talos images for Hetzner Cloud are generated via the [Talos Image Factory](https://factory.talos.dev). For vanilla Talos (no extensions), get the schematic ID:
```sh
curl -sX POST https://factory.talos.dev/schematics \
-H 'Content-Type: application/json' \
-d '{"customization":{"systemExtensions":{"officialExtensions":[]}}}'
# Returns: {"id":"376567988ad370138ad8b2698212367b8edcb69b5fd68c80be1f2ec7d603b4ba"}
```
The image URL follows this pattern:
```
https://factory.talos.dev/image/<schematic-id>/<talos-version>/hcloud-arm64.raw.xz
```
#### 2. Enable rescue mode and reboot
For each server:
```sh
hcloud server enable-rescue <server-name> --ssh-key "<ssh-key-name>"
hcloud server reboot <server-name>
```
#### 3. Write Talos to disk
SSH into each server's rescue system and write the image:
```sh
ssh root@<server-ip> "curl -fsSL '<image-url>' | xz -d | dd of=/dev/sda bs=4M status=progress && sync"
```
#### 4. Reboot into Talos
```sh
hcloud server reboot <server-name>
```
### Bootstrapping the Cluster
#### 1. Generate machine configs
```sh
mkdir -p talos
talosctl gen config k8s-and-chill https://195.201.219.111:6443 --output talos/
```
This creates `controlplane.yaml`, `worker.yaml`, and `talosconfig`.
#### 2. Configure talosctl
```sh
export TALOSCONFIG=talos/talosconfig
talosctl config endpoint 195.201.219.111 195.201.140.75 195.201.219.17
talosctl config node 195.201.219.111 195.201.140.75 195.201.219.17
```
#### 3. Apply configs
Apply the controlplane config to each node (use `--insecure` on first apply since the nodes don't have matching certs yet):
```sh
talosctl apply-config --insecure --nodes 195.201.219.111 --file talos/controlplane.yaml
talosctl apply-config --insecure --nodes 195.201.140.75 --file talos/controlplane.yaml
talosctl apply-config --insecure --nodes 195.201.219.17 --file talos/controlplane.yaml
```
#### 4. Bootstrap etcd
Run this on exactly one node:
```sh
talosctl bootstrap --nodes 195.201.219.111
```
#### 5. Get kubeconfig
```sh
talosctl kubeconfig talos/kubeconfig --nodes 195.201.219.111
```
#### 6. Verify
```sh
export KUBECONFIG=talos/kubeconfig
kubectl get nodes -o wide
kubectl get pods -A
```

10
envs/_env/argocd/annotations.overlay.ytt.yaml Normal file
View file

@ -0,0 +1,10 @@
#@ load("@ytt:overlay", "overlay")
#@ load("@ytt:data", "data")
#@overlay/match by=overlay.all, expects="1+"
---
#@overlay/match missing_ok=True
#@overlay/match-child-defaults missing_ok=True
metadata:
annotations:
myks.dev/environment: #@ data.values.environment.id

14
envs/_env/argocd/secret.overlay.ytt.yaml Normal file
View file

@ -0,0 +1,14 @@
#@ load("@ytt:overlay", "overlay")
---
#@ def secret_fragment():
kind: Secret
metadata:
labels:
argocd.argoproj.io/secret-type: cluster
#@ end
#@overlay/match by=overlay.subset(secret_fragment()), expects="0+"
---
stringData:
config: ARGOCD_CLUSTER_CONNECT_CONFIG
server: ARGOCD_CLUSTER_SERVER_URL

9
envs/_env/ytt/common.ytt.yaml Normal file
View file

@ -0,0 +1,9 @@
#@ load("@ytt:data", "data")
#@ load("@ytt:overlay", "overlay")
#@overlay/match by=lambda i, l, r: "metadata" in l, when="1+"
---
#@overlay/match-child-defaults missing_ok=True
metadata:
annotations:
a8r.io/repository: #@ data.values.myks.gitRepoUrl

9
envs/env-data.ytt.yaml Normal file
View file

@ -0,0 +1,9 @@
#@data/values
---
argocd:
namespace: argocd
app:
prefix: app-
finalizers: []
project:
prefix: env-

5
envs/production/_apps/argocd/app-data.ytt.yaml Normal file
View file

@ -0,0 +1,5 @@
#@data/values-schema
---
#@overlay/match-child-defaults missing_ok=True
application:
namespace: argocd

5
envs/production/_apps/cert-manager/app-data.ytt.yaml Normal file
View file

@ -0,0 +1,5 @@
#@data/values-schema
---
#@overlay/match-child-defaults missing_ok=True
application:
namespace: cert-manager

5
envs/production/_apps/forgejo/app-data.ytt.yaml Normal file
View file

@ -0,0 +1,5 @@
#@data/values-schema
---
#@overlay/match-child-defaults missing_ok=True
application:
namespace: forgejo

5
envs/production/_apps/traefik/app-data.ytt.yaml Normal file
View file

@ -0,0 +1,5 @@
#@data/values-schema
---
#@overlay/match-child-defaults missing_ok=True
application:
namespace: traefik

9
envs/production/env-data.ytt.yaml Normal file
View file

@ -0,0 +1,9 @@
#@data/values
---
environment:
id: production
applications:
- proto: argocd
- proto: traefik
- proto: cert-manager
- proto: forgejo

61
flake.lock Normal file
View file

@ -0,0 +1,61 @@
{
"nodes": {
"flake-utils": {
"inputs": {
"systems": "systems"
},
"locked": {
"lastModified": 1731533236,
"narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1774701658,
"narHash": "sha256-CIS/4AMUSwUyC8X5g+5JsMRvIUL3YUfewe8K4VrbsSQ=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "b63fe7f000adcfa269967eeff72c64cafecbbebe",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixpkgs-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"root": {
"inputs": {
"flake-utils": "flake-utils",
"nixpkgs": "nixpkgs"
}
},
"systems": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
}
},
"root": "root",
"version": 7
}

27
flake.nix Normal file
View file

@ -0,0 +1,27 @@
{
description = "k8s-and-chill - Talos + myks managed Kubernetes cluster";
inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
flake-utils.url = "github:numtide/flake-utils";
};
outputs = { self, nixpkgs, flake-utils }:
flake-utils.lib.eachDefaultSystem (system:
let
pkgs = nixpkgs.legacyPackages.${system};
in
{
devShells.default = pkgs.mkShell {
packages = with pkgs; [
talosctl
kubectl
kubernetes-helm
myks
hcloud
sops
age
];
};
});
}

5
prototypes/argocd/app-data.ytt.yaml Normal file
View file

@ -0,0 +1,5 @@
#@data/values-schema
---
#@overlay/match-child-defaults missing_ok=True
application:
namespace: argocd

19
prototypes/argocd/helm/argo-cd.yaml Normal file
View file

@ -0,0 +1,19 @@
---
crds:
install: true
keep: true
global:
domain: argocd.tr1ceracop.de
configs:
params:
server.insecure: true
server:
ingress:
enabled: true
ingressClassName: traefik
tls: true
annotations:
cert-manager.io/cluster-issuer: letsencrypt

16
prototypes/argocd/vendir/base.ytt.yaml Normal file
View file

@ -0,0 +1,16 @@
#@ load("@ytt:data", "data")
#@ app = data.values.application
---
apiVersion: vendir.k14s.io/v1alpha1
kind: Config
directories:
- path: #@ "charts/" + app.name
contents:
- path: .
helmChart:
name: #@ app.name
version: #@ app.version
repository:
url: #@ app.url
lazy: true

8
prototypes/argocd/vendir/vendir-data.ytt.yaml Normal file
View file

@ -0,0 +1,8 @@
#@data/values-schema
---
#@overlay/match-child-defaults missing_ok=True
application:
#! renovate: datasource=helm
name: argo-cd
url: https://argoproj.github.io/argo-helm
version: 7.8.26

18
prototypes/argocd/ytt/ns.ytt.yaml Normal file
View file

@ -0,0 +1,18 @@
#@ load("@ytt:data", "data")
#@ load("@ytt:overlay", "overlay")
#@ ns = data.values.application.namespace
---
apiVersion: v1
kind: Namespace
metadata:
name: #@ ns
labels:
pod-security.kubernetes.io/enforce: privileged
#@overlay/match by=overlay.all, expects="1+"
---
metadata:
#@overlay/match missing_ok=True
namespace: #@ ns

5
prototypes/cert-manager/app-data.ytt.yaml Normal file
View file

@ -0,0 +1,5 @@
#@data/values-schema
---
#@overlay/match-child-defaults missing_ok=True
application:
namespace: cert-manager

8
prototypes/cert-manager/helm/cert-manager.yaml Normal file
View file

@ -0,0 +1,8 @@
---
crds:
enabled: true
keep: true
global:
leaderElection:
namespace: cert-manager

16
prototypes/cert-manager/vendir/base.ytt.yaml Normal file
View file

@ -0,0 +1,16 @@
#@ load("@ytt:data", "data")
#@ app = data.values.application
---
apiVersion: vendir.k14s.io/v1alpha1
kind: Config
directories:
- path: #@ "charts/" + app.name
contents:
- path: .
helmChart:
name: #@ app.name
version: #@ app.version
repository:
url: #@ app.url
lazy: true

8
prototypes/cert-manager/vendir/vendir-data.ytt.yaml Normal file
View file

@ -0,0 +1,8 @@
#@data/values-schema
---
#@overlay/match-child-defaults missing_ok=True
application:
#! renovate: datasource=helm
name: cert-manager
url: https://charts.jetstack.io
version: v1.17.2

17
prototypes/cert-manager/ytt/clusterissuer.ytt.yaml Normal file
View file

@ -0,0 +1,17 @@
#@ load("@ytt:overlay", "overlay")
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt
spec:
acme:
server: https://acme-v02.api.letsencrypt.org/directory
email: felukawo@gmail.com
privateKeySecretRef:
name: letsencrypt-account-key
solvers:
- http01:
ingress:
ingressClassName: traefik

18
prototypes/cert-manager/ytt/ns.ytt.yaml Normal file
View file

@ -0,0 +1,18 @@
#@ load("@ytt:data", "data")
#@ load("@ytt:overlay", "overlay")
#@ ns = data.values.application.namespace
---
apiVersion: v1
kind: Namespace
metadata:
name: #@ ns
labels:
pod-security.kubernetes.io/enforce: privileged
#@overlay/match by=overlay.all, expects="1+"
---
metadata:
#@overlay/match missing_ok=True
namespace: #@ ns

5
prototypes/forgejo/app-data.ytt.yaml Normal file
View file

@ -0,0 +1,5 @@
#@data/values-schema
---
#@overlay/match-child-defaults missing_ok=True
application:
namespace: forgejo

48
prototypes/forgejo/helm/forgejo.yaml Normal file
View file

@ -0,0 +1,48 @@
---
strategy:
type: Recreate
redis-cluster:
enabled: false
postgresql-ha:
enabled: false
persistence:
enabled: true
size: 10Gi
ingress:
enabled: true
hosts:
- host: git.tr1ceracop.de
paths:
- path: /
pathType: Prefix
tls:
- secretName: forgejo-tls
hosts:
- git.tr1ceracop.de
annotations:
cert-manager.io/cluster-issuer: letsencrypt
gitea:
admin:
existingSecret: forgejo-admin-secret
config:
database:
DB_TYPE: sqlite3
session:
PROVIDER: memory
cache:
ADAPTER: memory
queue:
TYPE: level
server:
DOMAIN: git.tr1ceracop.de
ROOT_URL: https://git.tr1ceracop.de/
service:
DISABLE_REGISTRATION: true
actions:
ENABLED: true

16
prototypes/forgejo/vendir/base.ytt.yaml Normal file
View file

@ -0,0 +1,16 @@
#@ load("@ytt:data", "data")
#@ app = data.values.application
---
apiVersion: vendir.k14s.io/v1alpha1
kind: Config
directories:
- path: #@ "charts/" + app.name
contents:
- path: .
helmChart:
name: #@ app.name
version: #@ app.version
repository:
url: #@ app.url
lazy: true

8
prototypes/forgejo/vendir/vendir-data.ytt.yaml Normal file
View file

@ -0,0 +1,8 @@
#@data/values-schema
---
#@overlay/match-child-defaults missing_ok=True
application:
#! renovate: datasource=docker registryUrl=code.forgejo.org
name: forgejo
url: oci://code.forgejo.org/forgejo-helm
version: 6.1.0

71
prototypes/forgejo/ytt/admin-secret-job.ytt.yaml Normal file
View file

@ -0,0 +1,71 @@
#@ load("@ytt:data", "data")
#@ ns = data.values.application.namespace
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: forgejo-admin-secret-init
namespace: #@ ns
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: forgejo-admin-secret-init
namespace: #@ ns
rules:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: forgejo-admin-secret-init
namespace: #@ ns
subjects:
- kind: ServiceAccount
name: forgejo-admin-secret-init
namespace: #@ ns
roleRef:
kind: Role
name: forgejo-admin-secret-init
apiGroup: rbac.authorization.k8s.io
---
apiVersion: batch/v1
kind: Job
metadata:
name: forgejo-admin-secret-init
namespace: #@ ns
spec:
ttlSecondsAfterFinished: 300
template:
spec:
serviceAccountName: forgejo-admin-secret-init
restartPolicy: OnFailure
containers:
- name: init
image: bitnami/kubectl:latest
command:
- sh
- -c
- |
if kubectl get secret forgejo-admin-secret -n ${NAMESPACE} >/dev/null 2>&1; then
echo "Secret already exists, skipping"
exit 0
fi
PASSWORD=$(head -c 32 /dev/urandom | base64 | tr -dc 'a-zA-Z0-9' | head -c 24)
kubectl create secret generic forgejo-admin-secret \
-n ${NAMESPACE} \
--from-literal=username=gitea_admin \
--from-literal=password="${PASSWORD}"
echo "Created forgejo-admin-secret with random password"
env:
- name: NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace

18
prototypes/forgejo/ytt/ingress-fix.ytt.yaml Normal file
View file

@ -0,0 +1,18 @@
#@ load("@ytt:overlay", "overlay")
#@overlay/match by=overlay.subset({"kind": "Ingress"}), expects="0+"
---
apiVersion: networking.k8s.io/v1
spec:
#@overlay/replace
rules:
- host: git.tr1ceracop.de
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: forgejo-http
port:
number: 3000

18
prototypes/forgejo/ytt/ns.ytt.yaml Normal file
View file

@ -0,0 +1,18 @@
#@ load("@ytt:data", "data")
#@ load("@ytt:overlay", "overlay")
#@ ns = data.values.application.namespace
---
apiVersion: v1
kind: Namespace
metadata:
name: #@ ns
labels:
pod-security.kubernetes.io/enforce: privileged
#@overlay/match by=overlay.all, expects="1+"
---
metadata:
#@overlay/match missing_ok=True
namespace: #@ ns

5
prototypes/traefik/app-data.ytt.yaml Normal file
View file

@ -0,0 +1,5 @@
#@data/values-schema
---
#@overlay/match-child-defaults missing_ok=True
application:
namespace: traefik

23
prototypes/traefik/helm/traefik.yaml Normal file
View file

@ -0,0 +1,23 @@
---
updateStrategy:
type: RollingUpdate
rollingUpdate:
maxUnavailable: 1
maxSurge: 0
deployment:
kind: DaemonSet
ports:
web:
hostPort: 80
websecure:
hostPort: 443
persistence:
enabled: false
tolerations:
- key: node-role.kubernetes.io/control-plane
operator: Exists
effect: NoSchedule

16
prototypes/traefik/vendir/base.ytt.yaml Normal file
View file

@ -0,0 +1,16 @@
#@ load("@ytt:data", "data")
#@ app = data.values.application
---
apiVersion: vendir.k14s.io/v1alpha1
kind: Config
directories:
- path: #@ "charts/" + app.name
contents:
- path: .
helmChart:
name: #@ app.name
version: #@ app.version
repository:
url: #@ app.url
lazy: true

8
prototypes/traefik/vendir/vendir-data.ytt.yaml Normal file
View file

@ -0,0 +1,8 @@
#@data/values-schema
---
#@overlay/match-child-defaults missing_ok=True
application:
#! renovate: datasource=helm
name: traefik
url: https://traefik.github.io/charts
version: 39.0.5

18
prototypes/traefik/ytt/ns.ytt.yaml Normal file
View file

@ -0,0 +1,18 @@
#@ load("@ytt:data", "data")
#@ load("@ytt:overlay", "overlay")
#@ ns = data.values.application.namespace
---
apiVersion: v1
kind: Namespace
metadata:
name: #@ ns
labels:
pod-security.kubernetes.io/enforce: privileged
#@overlay/match by=overlay.all, expects="1+"
---
metadata:
#@overlay/match missing_ok=True
namespace: #@ ns

25
rendered/argocd/production/app-argocd.yaml Normal file
View file

@ -0,0 +1,25 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
annotations:
myks.dev/environment: production
finalizers:
- resources-finalizer.argocd.argoproj.io
name: app-production-argocd
namespace: argocd
spec:
destination:
name: production
namespace: argocd
project: env-production
source:
path: rendered/envs/production/argocd
repoURL: ""
targetRevision: main
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true
- ServerSideApply=true

25
rendered/argocd/production/app-cert-manager.yaml Normal file
View file

@ -0,0 +1,25 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
annotations:
myks.dev/environment: production
finalizers:
- resources-finalizer.argocd.argoproj.io
name: app-production-cert-manager
namespace: argocd
spec:
destination:
name: production
namespace: cert-manager
project: env-production
source:
path: rendered/envs/production/cert-manager
repoURL: ""
targetRevision: main
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true
- ServerSideApply=true

25
rendered/argocd/production/app-forgejo.yaml Normal file
View file

@ -0,0 +1,25 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
annotations:
myks.dev/environment: production
finalizers:
- resources-finalizer.argocd.argoproj.io
name: app-production-forgejo
namespace: argocd
spec:
destination:
name: production
namespace: forgejo
project: env-production
source:
path: rendered/envs/production/forgejo
repoURL: ""
targetRevision: main
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true
- ServerSideApply=true

25
rendered/argocd/production/app-traefik.yaml Normal file
View file

@ -0,0 +1,25 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
annotations:
myks.dev/environment: production
finalizers:
- resources-finalizer.argocd.argoproj.io
name: app-production-traefik
namespace: argocd
spec:
destination:
name: production
namespace: traefik
project: env-production
source:
path: rendered/envs/production/traefik
repoURL: ""
targetRevision: main
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true
- ServerSideApply=true

37
rendered/argocd/production/env-production.yaml Normal file
View file

@ -0,0 +1,37 @@
apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
name: env-production
namespace: argocd
finalizers:
- resources-finalizer.argocd.argoproj.io
annotations:
myks.dev/environment: production
spec:
description: Project for "production" environment
clusterResourceWhitelist:
- group: '*'
kind: '*'
destinations:
- namespace: '*'
name: production
namespaceResourceWhitelist:
- group: '*'
kind: '*'
sourceRepos:
- '*'
---
apiVersion: v1
kind: Secret
metadata:
labels:
argocd.argoproj.io/secret-type: cluster
name: production
namespace: argocd
annotations:
myks.dev/environment: production
stringData:
config: ARGOCD_CLUSTER_CONNECT_CONFIG
name: production
project: env-production
server: ARGOCD_CLUSTER_SERVER_URL

26
rendered/envs/production/argocd/clusterrole-argo-cd-argocd-application-controller.yaml Normal file
View file

@ -0,0 +1,26 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
a8r.io/repository: ""
labels:
app.kubernetes.io/component: application-controller
app.kubernetes.io/instance: argo-cd
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: argocd-application-controller
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: v2.14.10
helm.sh/chart: argo-cd-7.8.26
name: argo-cd-argocd-application-controller
namespace: argocd
rules:
- apiGroups:
- '*'
resources:
- '*'
verbs:
- '*'
- nonResourceURLs:
- '*'
verbs:
- '*'

51
rendered/envs/production/argocd/clusterrole-argo-cd-argocd-notifications-controller.yaml Normal file
View file

@ -0,0 +1,51 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
a8r.io/repository: ""
labels:
app.kubernetes.io/component: notifications-controller
app.kubernetes.io/instance: argo-cd
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: argocd-notifications-controller
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: v2.14.10
helm.sh/chart: argo-cd-7.8.26
name: argo-cd-argocd-notifications-controller
namespace: argocd
rules:
- apiGroups:
- argoproj.io
resources:
- applications
- appprojects
verbs:
- get
- list
- watch
- update
- patch
- apiGroups:
- ""
resources:
- configmaps
- secrets
verbs:
- list
- watch
- apiGroups:
- ""
resourceNames:
- argocd-notifications-cm
resources:
- configmaps
verbs:
- get
- apiGroups:
- ""
resourceNames:
- argocd-notifications-secret
resources:
- secrets
verbs:
- get

60
rendered/envs/production/argocd/clusterrole-argo-cd-argocd-server.yaml Normal file
View file

@ -0,0 +1,60 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
a8r.io/repository: ""
labels:
app.kubernetes.io/component: server
app.kubernetes.io/instance: argo-cd
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: argocd-server
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: v2.14.10
helm.sh/chart: argo-cd-7.8.26
name: argo-cd-argocd-server
namespace: argocd
rules:
- apiGroups:
- '*'
resources:
- '*'
verbs:
- delete
- get
- patch
- apiGroups:
- ""
resources:
- events
verbs:
- list
- create
- apiGroups:
- ""
resources:
- pods
- pods/log
verbs:
- get
- apiGroups:
- argoproj.io
resources:
- applications
- applicationsets
verbs:
- get
- list
- update
- watch
- apiGroups:
- batch
resources:
- jobs
verbs:
- create
- apiGroups:
- argoproj.io
resources:
- workflows
verbs:
- create

23
rendered/envs/production/argocd/clusterrolebinding-argo-cd-argocd-application-controller.yaml Normal file
View file

@ -0,0 +1,23 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
annotations:
a8r.io/repository: ""
labels:
app.kubernetes.io/component: application-controller
app.kubernetes.io/instance: argo-cd
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: argocd-application-controller
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: v2.14.10
helm.sh/chart: argo-cd-7.8.26
name: argo-cd-argocd-application-controller
namespace: argocd
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: argo-cd-argocd-application-controller
subjects:
- kind: ServiceAccount
name: argocd-application-controller
namespace: argocd

23
rendered/envs/production/argocd/clusterrolebinding-argo-cd-argocd-notifications-controller.yaml Normal file
View file

@ -0,0 +1,23 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
annotations:
a8r.io/repository: ""
labels:
app.kubernetes.io/component: notifications-controller
app.kubernetes.io/instance: argo-cd
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: argocd-notifications-controller
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: v2.14.10
helm.sh/chart: argo-cd-7.8.26
name: argo-cd-argocd-notifications-controller
namespace: argocd
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: argo-cd-argocd-notifications-controller
subjects:
- kind: ServiceAccount
name: argocd-notifications-controller
namespace: argocd

23
rendered/envs/production/argocd/clusterrolebinding-argo-cd-argocd-server.yaml Normal file
View file

@ -0,0 +1,23 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
annotations:
a8r.io/repository: ""
labels:
app.kubernetes.io/component: server
app.kubernetes.io/instance: argo-cd
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: argocd-server
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: v2.14.10
helm.sh/chart: argo-cd-7.8.26
name: argo-cd-argocd-server
namespace: argocd
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: argo-cd-argocd-server
subjects:
- kind: ServiceAccount
name: argocd-server
namespace: argocd

42
rendered/envs/production/argocd/configmap-argo-cd-argocd-redis-health-configmap.yaml Normal file
View file

@ -0,0 +1,42 @@
apiVersion: v1
data:
redis_liveness.sh: |
response=$(
redis-cli \
-a "${REDIS_PASSWORD}" --no-auth-warning \
-h localhost \
-p 6379 \
ping
)
if [ "$response" != "PONG" ] && [ "${response:0:7}" != "LOADING" ] ; then
echo "$response"
exit 1
fi
echo "response=$response"
redis_readiness.sh: |
response=$(
redis-cli \
-a "${REDIS_PASSWORD}" --no-auth-warning \
-h localhost \
-p 6379 \
ping
)
if [ "$response" != "PONG" ] ; then
echo "$response"
exit 1
fi
echo "response=$response"
kind: ConfigMap
metadata:
annotations:
a8r.io/repository: ""
labels:
app.kubernetes.io/component: redis
app.kubernetes.io/instance: argo-cd
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: argocd-redis
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: v2.14.10
helm.sh/chart: argo-cd-7.8.26
name: argo-cd-argocd-redis-health-configmap
namespace: argocd

25
rendered/envs/production/argocd/configmap-argocd-cm.yaml Normal file
View file

@ -0,0 +1,25 @@
apiVersion: v1
data:
admin.enabled: "true"
application.instanceLabelKey: argocd.argoproj.io/instance
application.sync.impersonation.enabled: "false"
exec.enabled: "false"
server.rbac.log.enforce.enable: "false"
statusbadge.enabled: "false"
timeout.hard.reconciliation: 0s
timeout.reconciliation: 180s
url: https://argocd.tr1ceracop.de
kind: ConfigMap
metadata:
annotations:
a8r.io/repository: ""
labels:
app.kubernetes.io/component: server
app.kubernetes.io/instance: argo-cd
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: argocd-cm
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: v2.14.10
helm.sh/chart: argo-cd-7.8.26
name: argocd-cm
namespace: argocd

54
rendered/envs/production/argocd/configmap-argocd-cmd-params-cm.yaml Normal file
View file

@ -0,0 +1,54 @@
apiVersion: v1
data:
application.namespaces: ""
applicationsetcontroller.enable.leader.election: "false"
applicationsetcontroller.enable.progressive.syncs: "false"
applicationsetcontroller.log.format: text
applicationsetcontroller.log.level: info
applicationsetcontroller.namespaces: ""
applicationsetcontroller.policy: sync
controller.ignore.normalizer.jq.timeout: 1s
controller.log.format: text
controller.log.level: info
controller.operation.processors: "10"
controller.repo.server.timeout.seconds: "60"
controller.self.heal.timeout.seconds: "5"
controller.status.processors: "20"
controller.sync.timeout.seconds: "0"
dexserver.log.format: text
dexserver.log.level: info
notificationscontroller.log.format: text
notificationscontroller.log.level: info
otlp.address: ""
redis.server: argo-cd-argocd-redis:6379
repo.server: argo-cd-argocd-repo-server:8081
reposerver.log.format: text
reposerver.log.level: info
reposerver.parallelism.limit: "0"
server.basehref: /
server.dex.server: https://argo-cd-argocd-dex-server:5556
server.dex.server.strict.tls: "false"
server.disable.auth: "false"
server.enable.gzip: "true"
server.enable.proxy.extension: "false"
server.insecure: "true"
server.log.format: text
server.log.level: info
server.repo.server.strict.tls: "false"
server.rootpath: ""
server.staticassets: /shared/app
server.x.frame.options: sameorigin
kind: ConfigMap
metadata:
annotations:
a8r.io/repository: ""
labels:
app.kubernetes.io/component: server
app.kubernetes.io/instance: argo-cd
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: argocd-cmd-params-cm
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: v2.14.10
helm.sh/chart: argo-cd-7.8.26
name: argocd-cmd-params-cm
namespace: argocd

14
rendered/envs/production/argocd/configmap-argocd-gpg-keys-cm.yaml Normal file
View file

@ -0,0 +1,14 @@
apiVersion: v1
kind: ConfigMap
metadata:
annotations:
a8r.io/repository: ""
labels:
app.kubernetes.io/instance: argo-cd
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: argocd-gpg-keys-cm
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: v2.14.10
helm.sh/chart: argo-cd-7.8.26
name: argocd-gpg-keys-cm
namespace: argocd

18
rendered/envs/production/argocd/configmap-argocd-notifications-cm.yaml Normal file
View file

@ -0,0 +1,18 @@
apiVersion: v1
data:
context: |
argocdUrl: https://argocd.tr1ceracop.de
kind: ConfigMap
metadata:
annotations:
a8r.io/repository: ""
labels:
app.kubernetes.io/component: notifications-controller
app.kubernetes.io/instance: argo-cd
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: argocd-notifications-controller
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: v2.14.10
helm.sh/chart: argo-cd-7.8.26
name: argocd-notifications-cm
namespace: argocd

20
rendered/envs/production/argocd/configmap-argocd-rbac-cm.yaml Normal file
View file

@ -0,0 +1,20 @@
apiVersion: v1
data:
policy.csv: ""
policy.default: ""
policy.matchMode: glob
scopes: '[groups]'
kind: ConfigMap
metadata:
annotations:
a8r.io/repository: ""
labels:
app.kubernetes.io/component: server
app.kubernetes.io/instance: argo-cd
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: argocd-rbac-cm
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: v2.14.10
helm.sh/chart: argo-cd-7.8.26
name: argocd-rbac-cm
namespace: argocd

30
rendered/envs/production/argocd/configmap-argocd-ssh-known-hosts-cm.yaml Normal file
View file

@ -0,0 +1,30 @@
apiVersion: v1
data:
ssh_known_hosts: |
[ssh.github.com]:443 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=
[ssh.github.com]:443 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl
[ssh.github.com]:443 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCj7ndNxQowgcQnjshcLrqPEiiphnt+VTTvDP6mHBL9j1aNUkY4Ue1gvwnGLVlOhGeYrnZaMgRK6+PKCUXaDbC7qtbW8gIkhL7aGCsOr/C56SJMy/BCZfxd1nWzAOxSDPgVsmerOBYfNqltV9/hWCqBywINIR+5dIg6JTJ72pcEpEjcYgXkE2YEFXV1JHnsKgbLWNlhScqb2UmyRkQyytRLtL+38TGxkxCflmO+5Z8CSSNY7GidjMIZ7Q4zMjA2n1nGrlTDkzwDCsw+wqFPGQA179cnfGWOWRVruj16z6XyvxvjJwbz0wQZ75XK5tKSb7FNyeIEs4TT4jk+S4dhPeAUC5y+bDYirYgM4GC7uEnztnZyaVWQ7B381AK4Qdrwt51ZqExKbQpTUNn+EjqoTwvqNj4kqx5QUCI0ThS/YkOxJCXmPUWZbhjpCg56i+2aB6CmK2JGhn57K5mj0MNdBXA4/WnwH6XoPWJzK5Nyu2zB3nAZp+S5hpQs+p1vN1/wsjk=
bitbucket.org ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPIQmuzMBuKdWeF4+a2sjSSpBK0iqitSQ+5BM9KhpexuGt20JpTVM7u5BDZngncgrqDMbWdxMWWOGtZ9UgbqgZE=
bitbucket.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIazEu89wgQZ4bqs3d63QSMzYVa0MuJ2e2gKTKqu+UUO
bitbucket.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDQeJzhupRu0u0cdegZIa8e86EG2qOCsIsD1Xw0xSeiPDlCr7kq97NLmMbpKTX6Esc30NuoqEEHCuc7yWtwp8dI76EEEB1VqY9QJq6vk+aySyboD5QF61I/1WeTwu+deCbgKMGbUijeXhtfbxSxm6JwGrXrhBdofTsbKRUsrN1WoNgUa8uqN1Vx6WAJw1JHPhglEGGHea6QICwJOAr/6mrui/oB7pkaWKHj3z7d1IC4KWLtY47elvjbaTlkN04Kc/5LFEirorGYVbt15kAUlqGM65pk6ZBxtaO3+30LVlORZkxOh+LKL/BvbZ/iRNhItLqNyieoQj/uh/7Iv4uyH/cV/0b4WDSd3DptigWq84lJubb9t/DnZlrJazxyDCulTmKdOR7vs9gMTo+uoIrPSb8ScTtvw65+odKAlBj59dhnVp9zd7QUojOpXlL62Aw56U4oO+FALuevvMjiWeavKhJqlR7i5n9srYcrNV7ttmDw7kf/97P5zauIhxcjX+xHv4M=
github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=
github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl
github.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCj7ndNxQowgcQnjshcLrqPEiiphnt+VTTvDP6mHBL9j1aNUkY4Ue1gvwnGLVlOhGeYrnZaMgRK6+PKCUXaDbC7qtbW8gIkhL7aGCsOr/C56SJMy/BCZfxd1nWzAOxSDPgVsmerOBYfNqltV9/hWCqBywINIR+5dIg6JTJ72pcEpEjcYgXkE2YEFXV1JHnsKgbLWNlhScqb2UmyRkQyytRLtL+38TGxkxCflmO+5Z8CSSNY7GidjMIZ7Q4zMjA2n1nGrlTDkzwDCsw+wqFPGQA179cnfGWOWRVruj16z6XyvxvjJwbz0wQZ75XK5tKSb7FNyeIEs4TT4jk+S4dhPeAUC5y+bDYirYgM4GC7uEnztnZyaVWQ7B381AK4Qdrwt51ZqExKbQpTUNn+EjqoTwvqNj4kqx5QUCI0ThS/YkOxJCXmPUWZbhjpCg56i+2aB6CmK2JGhn57K5mj0MNdBXA4/WnwH6XoPWJzK5Nyu2zB3nAZp+S5hpQs+p1vN1/wsjk=
gitlab.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFSMqzJeV9rUzU4kWitGjeR4PWSa29SPqJ1fVkhtj3Hw9xjLVXVYrU9QlYWrOLXBpQ6KWjbjTDTdDkoohFzgbEY=
gitlab.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf
gitlab.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsj2bNKTBSpIYDEGk9KxsGh3mySTRgMtXL583qmBpzeQ+jqCMRgBqB98u3z++J1sKlXHWfM9dyhSevkMwSbhoR8XIq/U0tCNyokEi/ueaBMCvbcTHhO7FcwzY92WK4Yt0aGROY5qX2UKSeOvuP4D6TPqKF1onrSzH9bx9XUf2lEdWT/ia1NEKjunUqu1xOB/StKDHMoX4/OKyIzuS0q/T1zOATthvasJFoPrAjkohTyaDUz2LN5JoH839hViyEG82yB+MjcFV5MU3N1l1QL3cVUCh93xSaua1N85qivl+siMkPGbO5xR/En4iEY6K2XPASUEMaieWVNTRCtJ4S8H+9
ssh.dev.azure.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7Hr1oTWqNqOlzGJOfGJ4NakVyIzf1rXYd4d7wo6jBlkLvCA4odBlL0mDUyZ0/QUfTTqeu+tm22gOsv+VrVTMk6vwRU75gY/y9ut5Mb3bR5BV58dKXyq9A9UeB5Cakehn5Zgm6x1mKoVyf+FFn26iYqXJRgzIZZcZ5V6hrE0Qg39kZm4az48o0AUbf6Sp4SLdvnuMa2sVNwHBboS7EJkm57XQPVU3/QpyNLHbWDdzwtrlS+ez30S3AdYhLKEOxAG8weOnyrtLJAUen9mTkol8oII1edf7mWWbWVf0nBmly21+nZcmCTISQBtdcyPaEno7fFQMDD26/s0lfKob4Kw8H
vs-ssh.visualstudio.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7Hr1oTWqNqOlzGJOfGJ4NakVyIzf1rXYd4d7wo6jBlkLvCA4odBlL0mDUyZ0/QUfTTqeu+tm22gOsv+VrVTMk6vwRU75gY/y9ut5Mb3bR5BV58dKXyq9A9UeB5Cakehn5Zgm6x1mKoVyf+FFn26iYqXJRgzIZZcZ5V6hrE0Qg39kZm4az48o0AUbf6Sp4SLdvnuMa2sVNwHBboS7EJkm57XQPVU3/QpyNLHbWDdzwtrlS+ez30S3AdYhLKEOxAG8weOnyrtLJAUen9mTkol8oII1edf7mWWbWVf0nBmly21+nZcmCTISQBtdcyPaEno7fFQMDD26/s0lfKob4Kw8H
kind: ConfigMap
metadata:
annotations:
a8r.io/repository: ""
labels:
app.kubernetes.io/instance: argo-cd
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: argocd-ssh-known-hosts-cm
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: v2.14.10
helm.sh/chart: argo-cd-7.8.26
name: argocd-ssh-known-hosts-cm
namespace: argocd

14
rendered/envs/production/argocd/configmap-argocd-tls-certs-cm.yaml Normal file
View file

@ -0,0 +1,14 @@
apiVersion: v1
kind: ConfigMap
metadata:
annotations:
a8r.io/repository: ""
labels:
app.kubernetes.io/instance: argo-cd
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: argocd-tls-certs-cm
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: v2.14.10
helm.sh/chart: argo-cd-7.8.26
name: argocd-tls-certs-cm
namespace: argocd

4788
rendered/envs/production/argocd/customresourcedefinition-applications.argoproj.io.yaml Normal file
View file

File diff suppressed because it is too large Load diff

17458
rendered/envs/production/argocd/customresourcedefinition-applicationsets.argoproj.io.yaml Normal file
View file

File diff suppressed because it is too large Load diff

316
rendered/envs/production/argocd/customresourcedefinition-appprojects.argoproj.io.yaml Normal file
View file

@ -0,0 +1,316 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
a8r.io/repository: ""
helm.sh/resource-policy: keep
labels:
app.kubernetes.io/name: appprojects.argoproj.io
app.kubernetes.io/part-of: argocd
name: appprojects.argoproj.io
namespace: argocd
spec:
group: argoproj.io
names:
kind: AppProject
listKind: AppProjectList
plural: appprojects
shortNames:
- appproj
- appprojs
singular: appproject
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: |-
AppProject provides a logical grouping of applications, providing controls for:
* where the apps may deploy to (cluster whitelist)
* what may be deployed (repository whitelist, resource whitelist/blacklist)
* who can access these applications (roles, OIDC group claims bindings)
* and what they can do (RBAC policies)
* automation access to these roles (JWT tokens)
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: AppProjectSpec is the specification of an AppProject
properties:
clusterResourceBlacklist:
description: ClusterResourceBlacklist contains list of blacklisted cluster level resources
items:
description: |-
GroupKind specifies a Group and a Kind, but does not force a version. This is useful for identifying
concepts during lookup stages without having partially valid types
properties:
group:
type: string
kind:
type: string
required:
- group
- kind
type: object
type: array
clusterResourceWhitelist:
description: ClusterResourceWhitelist contains list of whitelisted cluster level resources
items:
description: |-
GroupKind specifies a Group and a Kind, but does not force a version. This is useful for identifying
concepts during lookup stages without having partially valid types
properties:
group:
type: string
kind:
type: string
required:
- group
- kind
type: object
type: array
description:
description: Description contains optional project description
type: string
destinationServiceAccounts:
description: DestinationServiceAccounts holds information about the service accounts to be impersonated for the application sync operation for each destination.
items:
description: ApplicationDestinationServiceAccount holds information about the service account to be impersonated for the application sync operation.
properties:
defaultServiceAccount:
description: DefaultServiceAccount to be used for impersonation during the sync operation
type: string
namespace:
description: Namespace specifies the target namespace for the application's resources.
type: string
server:
description: Server specifies the URL of the target cluster's Kubernetes control plane API.
type: string
required:
- defaultServiceAccount
- server
type: object
type: array
destinations:
description: Destinations contains list of destinations available for deployment
items:
description: ApplicationDestination holds information about the application's destination
properties:
name:
description: Name is an alternate way of specifying the target cluster by its symbolic name. This must be set if Server is not set.
type: string
namespace:
description: |-
Namespace specifies the target namespace for the application's resources.
The namespace will only be set for namespace-scoped resources that have not set a value for .metadata.namespace
type: string
server:
description: Server specifies the URL of the target cluster's Kubernetes control plane API. This must be set if Name is not set.
type: string
type: object
type: array
namespaceResourceBlacklist:
description: NamespaceResourceBlacklist contains list of blacklisted namespace level resources
items:
description: |-
GroupKind specifies a Group and a Kind, but does not force a version. This is useful for identifying
concepts during lookup stages without having partially valid types
properties:
group:
type: string
kind:
type: string
required:
- group
- kind
type: object
type: array
namespaceResourceWhitelist:
description: NamespaceResourceWhitelist contains list of whitelisted namespace level resources
items:
description: |-
GroupKind specifies a Group and a Kind, but does not force a version. This is useful for identifying
concepts during lookup stages without having partially valid types
properties:
group:
type: string
kind:
type: string
required:
- group
- kind
type: object
type: array
orphanedResources:
description: OrphanedResources specifies if controller should monitor orphaned resources of apps in this project
properties:
ignore:
description: Ignore contains a list of resources that are to be excluded from orphaned resources monitoring
items:
description: OrphanedResourceKey is a reference to a resource to be ignored from
properties:
group:
type: string
kind:
type: string
name:
type: string
type: object
type: array
warn:
description: Warn indicates if warning condition should be created for apps which have orphaned resources
type: boolean
type: object
permitOnlyProjectScopedClusters:
description: PermitOnlyProjectScopedClusters determines whether destinations can only reference clusters which are project-scoped
type: boolean
roles:
description: Roles are user defined RBAC roles associated with this project
items:
description: ProjectRole represents a role that has access to a project
properties:
description:
description: Description is a description of the role
type: string
groups:
description: Groups are a list of OIDC group claims bound to this role
items:
type: string
type: array
jwtTokens:
description: JWTTokens are a list of generated JWT tokens bound to this role
items:
description: JWTToken holds the issuedAt and expiresAt values of a token
properties:
exp:
format: int64
type: integer
iat:
format: int64
type: integer
id:
type: string
required:
- iat
type: object
type: array
name:
description: Name is a name for this role
type: string
policies:
description: Policies Stores a list of casbin formatted strings that define access policies for the role in the project
items:
type: string
type: array
required:
- name
type: object
type: array
signatureKeys:
description: SignatureKeys contains a list of PGP key IDs that commits in Git must be signed with in order to be allowed for sync
items:
description: SignatureKey is the specification of a key required to verify commit signatures with
properties:
keyID:
description: The ID of the key in hexadecimal notation
type: string
required:
- keyID
type: object
type: array
sourceNamespaces:
description: SourceNamespaces defines the namespaces application resources are allowed to be created in
items:
type: string
type: array
sourceRepos:
description: SourceRepos contains list of repository URLs which can be used for deployment
items:
type: string
type: array
syncWindows:
description: SyncWindows controls when syncs can be run for apps in this project
items:
description: SyncWindow contains the kind, time, duration and attributes that are used to assign the syncWindows to apps
properties:
applications:
description: Applications contains a list of applications that the window will apply to
items:
type: string
type: array
clusters:
description: Clusters contains a list of clusters that the window will apply to
items:
type: string
type: array
duration:
description: Duration is the amount of time the sync window will be open
type: string
kind:
description: Kind defines if the window allows or blocks syncs
type: string
manualSync:
description: ManualSync enables manual syncs when they would otherwise be blocked
type: boolean
namespaces:
description: Namespaces contains a list of namespaces that the window will apply to
items:
type: string
type: array
schedule:
description: Schedule is the time the window will begin, specified in cron format
type: string
timeZone:
description: TimeZone of the sync that will be applied to the schedule
type: string
type: object
type: array
type: object
status:
description: AppProjectStatus contains status information for AppProject CRs
properties:
jwtTokensByRole:
additionalProperties:
description: JWTTokens represents a list of JWT tokens
properties:
items:
items:
description: JWTToken holds the issuedAt and expiresAt values of a token
properties:
exp:
format: int64
type: integer
iat:
format: int64
type: integer
id:
type: string
required:
- iat
type: object
type: array
type: object
description: JWTTokensByRole contains a list of JWT tokens issued for a given role
type: object
type: object
required:
- metadata
- spec
type: object
served: true
storage: true

266
rendered/envs/production/argocd/deployment-argo-cd-argocd-applicationset-controller.yaml Normal file
View file

@ -0,0 +1,266 @@
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
a8r.io/repository: ""
labels:
app.kubernetes.io/component: applicationset-controller
app.kubernetes.io/instance: argo-cd
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: argocd-applicationset-controller
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: v2.14.10
helm.sh/chart: argo-cd-7.8.26
name: argo-cd-argocd-applicationset-controller
namespace: argocd
spec:
replicas: 1
revisionHistoryLimit: 3
selector:
matchLabels:
app.kubernetes.io/instance: argo-cd
app.kubernetes.io/name: argocd-applicationset-controller
template:
metadata:
annotations:
checksum/cmd-params: f46fb4747491e33ef19e957952ce838b6507690ddf03e01967ec0b131af9b595
labels:
app.kubernetes.io/component: applicationset-controller
app.kubernetes.io/instance: argo-cd
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: argocd-applicationset-controller
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: v2.14.10
helm.sh/chart: argo-cd-7.8.26
spec:
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- podAffinityTerm:
labelSelector:
matchLabels:
app.kubernetes.io/name: argocd-applicationset-controller
topologyKey: kubernetes.io/hostname
weight: 100
automountServiceAccountToken: true
containers:
- args:
- /usr/local/bin/argocd-applicationset-controller
- --metrics-addr=:8080
- --probe-addr=:8081
- --webhook-addr=:7000
env:
- name: NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: ARGOCD_APPLICATIONSET_CONTROLLER_GLOBAL_PRESERVED_ANNOTATIONS
valueFrom:
configMapKeyRef:
key: applicationsetcontroller.global.preserved.annotations
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_APPLICATIONSET_CONTROLLER_GLOBAL_PRESERVED_LABELS
valueFrom:
configMapKeyRef:
key: applicationsetcontroller.global.preserved.labels
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_LEADER_ELECTION
valueFrom:
configMapKeyRef:
key: applicationsetcontroller.enable.leader.election
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_APPLICATIONSET_CONTROLLER_REPO_SERVER
valueFrom:
configMapKeyRef:
key: repo.server
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_APPLICATIONSET_CONTROLLER_POLICY
valueFrom:
configMapKeyRef:
key: applicationsetcontroller.policy
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_POLICY_OVERRIDE
valueFrom:
configMapKeyRef:
key: applicationsetcontroller.enable.policy.override
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_APPLICATIONSET_CONTROLLER_DEBUG
valueFrom:
configMapKeyRef:
key: applicationsetcontroller.debug
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_APPLICATIONSET_CONTROLLER_LOGFORMAT
valueFrom:
configMapKeyRef:
key: applicationsetcontroller.log.format
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_APPLICATIONSET_CONTROLLER_LOGLEVEL
valueFrom:
configMapKeyRef:
key: applicationsetcontroller.log.level
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_APPLICATIONSET_CONTROLLER_DRY_RUN
valueFrom:
configMapKeyRef:
key: applicationsetcontroller.dryrun
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_GIT_MODULES_ENABLED
valueFrom:
configMapKeyRef:
key: applicationsetcontroller.enable.git.submodule
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_PROGRESSIVE_SYNCS
valueFrom:
configMapKeyRef:
key: applicationsetcontroller.enable.progressive.syncs
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_APPLICATIONSET_CONTROLLER_TOKENREF_STRICT_MODE
valueFrom:
configMapKeyRef:
key: applicationsetcontroller.enable.tokenref.strict.mode
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_NEW_GIT_FILE_GLOBBING
valueFrom:
configMapKeyRef:
key: applicationsetcontroller.enable.new.git.file.globbing
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_APPLICATIONSET_CONTROLLER_REPO_SERVER_PLAINTEXT
valueFrom:
configMapKeyRef:
key: applicationsetcontroller.repo.server.plaintext
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_APPLICATIONSET_CONTROLLER_REPO_SERVER_STRICT_TLS
valueFrom:
configMapKeyRef:
key: applicationsetcontroller.repo.server.strict.tls
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_APPLICATIONSET_CONTROLLER_REPO_SERVER_TIMEOUT_SECONDS
valueFrom:
configMapKeyRef:
key: applicationsetcontroller.repo.server.timeout.seconds
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_APPLICATIONSET_CONTROLLER_CONCURRENT_RECONCILIATIONS
valueFrom:
configMapKeyRef:
key: applicationsetcontroller.concurrent.reconciliations.max
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_APPLICATIONSET_CONTROLLER_NAMESPACES
valueFrom:
configMapKeyRef:
key: applicationsetcontroller.namespaces
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_APPLICATIONSET_CONTROLLER_SCM_ROOT_CA_PATH
valueFrom:
configMapKeyRef:
key: applicationsetcontroller.scm.root.ca.path
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_APPLICATIONSET_CONTROLLER_ALLOWED_SCM_PROVIDERS
valueFrom:
configMapKeyRef:
key: applicationsetcontroller.allowed.scm.providers
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_SCM_PROVIDERS
valueFrom:
configMapKeyRef:
key: applicationsetcontroller.enable.scm.providers
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_APPLICATIONSET_CONTROLLER_WEBHOOK_PARALLELISM_LIMIT
valueFrom:
configMapKeyRef:
key: applicationsetcontroller.webhook.parallelism.limit
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_APPLICATIONSET_CONTROLLER_REQUEUE_AFTER
valueFrom:
configMapKeyRef:
key: applicationsetcontroller.requeue.after
name: argocd-cmd-params-cm
optional: true
image: quay.io/argoproj/argocd:v2.14.10
imagePullPolicy: IfNotPresent
name: applicationset-controller
ports:
- containerPort: 8080
name: metrics
protocol: TCP
- containerPort: 8081
name: probe
protocol: TCP
- containerPort: 7000
name: webhook
protocol: TCP
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /app/config/ssh
name: ssh-known-hosts
- mountPath: /app/config/tls
name: tls-certs
- mountPath: /app/config/gpg/source
name: gpg-keys
- mountPath: /app/config/gpg/keys
name: gpg-keyring
- mountPath: /app/config/reposerver/tls
name: argocd-repo-server-tls
- mountPath: /tmp
name: tmp
dnsPolicy: ClusterFirst
nodeSelector:
kubernetes.io/os: linux
serviceAccountName: argocd-applicationset-controller
terminationGracePeriodSeconds: 30
volumes:
- configMap:
name: argocd-ssh-known-hosts-cm
name: ssh-known-hosts
- configMap:
name: argocd-tls-certs-cm
name: tls-certs
- configMap:
name: argocd-gpg-keys-cm
name: gpg-keys
- emptyDir: {}
name: gpg-keyring
- emptyDir: {}
name: tmp
- name: argocd-repo-server-tls
secret:
items:
- key: tls.crt
path: tls.crt
- key: tls.key
path: tls.key
- key: ca.crt
path: ca.crt
optional: true
secretName: argocd-repo-server-tls

144
rendered/envs/production/argocd/deployment-argo-cd-argocd-dex-server.yaml Normal file
View file

@ -0,0 +1,144 @@
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
a8r.io/repository: ""
labels:
app.kubernetes.io/component: dex-server
app.kubernetes.io/instance: argo-cd
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: argocd-dex-server
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: v2.14.10
helm.sh/chart: argo-cd-7.8.26
name: argo-cd-argocd-dex-server
namespace: argocd
spec:
replicas: 1
revisionHistoryLimit: 3
selector:
matchLabels:
app.kubernetes.io/instance: argo-cd
app.kubernetes.io/name: argocd-dex-server
template:
metadata:
annotations:
checksum/cmd-params: f46fb4747491e33ef19e957952ce838b6507690ddf03e01967ec0b131af9b595
labels:
app.kubernetes.io/component: dex-server
app.kubernetes.io/instance: argo-cd
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: argocd-dex-server
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: v2.14.10
helm.sh/chart: argo-cd-7.8.26
spec:
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- podAffinityTerm:
labelSelector:
matchLabels:
app.kubernetes.io/name: argocd-dex-server
topologyKey: kubernetes.io/hostname
weight: 100
automountServiceAccountToken: true
containers:
- args:
- rundex
command:
- /shared/argocd-dex
env:
- name: ARGOCD_DEX_SERVER_LOGFORMAT
valueFrom:
configMapKeyRef:
key: dexserver.log.format
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_DEX_SERVER_LOGLEVEL
valueFrom:
configMapKeyRef:
key: dexserver.log.level
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_DEX_SERVER_DISABLE_TLS
valueFrom:
configMapKeyRef:
key: dexserver.disable.tls
name: argocd-cmd-params-cm
optional: true
image: ghcr.io/dexidp/dex:v2.42.1
imagePullPolicy: IfNotPresent
name: dex-server
ports:
- containerPort: 5556
name: http
protocol: TCP
- containerPort: 5557
name: grpc
protocol: TCP
- containerPort: 5558
name: metrics
protocol: TCP
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /shared
name: static-files
- mountPath: /tmp
name: dexconfig
- mountPath: /tls
name: argocd-dex-server-tls
dnsPolicy: ClusterFirst
initContainers:
- command:
- /bin/cp
- -n
- /usr/local/bin/argocd
- /shared/argocd-dex
image: quay.io/argoproj/argocd:v2.14.10
imagePullPolicy: IfNotPresent
name: copyutil
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /shared
name: static-files
- mountPath: /tmp
name: dexconfig
nodeSelector:
kubernetes.io/os: linux
serviceAccountName: argocd-dex-server
terminationGracePeriodSeconds: 30
volumes:
- emptyDir: {}
name: static-files
- emptyDir: {}
name: dexconfig
- name: argocd-dex-server-tls
secret:
items:
- key: tls.crt
path: tls.crt
- key: tls.key
path: tls.key
- key: ca.crt
path: ca.crt
optional: true
secretName: argocd-dex-server-tls

126
rendered/envs/production/argocd/deployment-argo-cd-argocd-notifications-controller.yaml Normal file
View file

@ -0,0 +1,126 @@
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
a8r.io/repository: ""
labels:
app.kubernetes.io/component: notifications-controller
app.kubernetes.io/instance: argo-cd
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: argocd-notifications-controller
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: v2.14.10
helm.sh/chart: argo-cd-7.8.26
name: argo-cd-argocd-notifications-controller
namespace: argocd
spec:
replicas: 1
revisionHistoryLimit: 3
selector:
matchLabels:
app.kubernetes.io/instance: argo-cd
app.kubernetes.io/name: argocd-notifications-controller
strategy:
type: Recreate
template:
metadata:
labels:
app.kubernetes.io/component: notifications-controller
app.kubernetes.io/instance: argo-cd
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: argocd-notifications-controller
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: v2.14.10
helm.sh/chart: argo-cd-7.8.26
spec:
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- podAffinityTerm:
labelSelector:
matchLabels:
app.kubernetes.io/name: argocd-notifications-controller
topologyKey: kubernetes.io/hostname
weight: 100
automountServiceAccountToken: true
containers:
- args:
- /usr/local/bin/argocd-notifications
- --metrics-port=9001
- --namespace=argocd
- --argocd-repo-server=argo-cd-argocd-repo-server:8081
- --secret-name=argocd-notifications-secret
env:
- name: ARGOCD_NOTIFICATIONS_CONTROLLER_LOGLEVEL
valueFrom:
configMapKeyRef:
key: notificationscontroller.log.level
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_NOTIFICATIONS_CONTROLLER_LOGFORMAT
valueFrom:
configMapKeyRef:
key: notificationscontroller.log.format
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_APPLICATION_NAMESPACES
valueFrom:
configMapKeyRef:
key: application.namespaces
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_NOTIFICATION_CONTROLLER_SELF_SERVICE_NOTIFICATION_ENABLED
valueFrom:
configMapKeyRef:
key: notificationscontroller.selfservice.enabled
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_NOTIFICATION_CONTROLLER_REPO_SERVER_PLAINTEXT
valueFrom:
configMapKeyRef:
key: notificationscontroller.repo.server.plaintext
name: argocd-cmd-params-cm
optional: true
image: quay.io/argoproj/argocd:v2.14.10
imagePullPolicy: IfNotPresent
name: notifications-controller
ports:
- containerPort: 9001
name: metrics
protocol: TCP
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /app/config/tls
name: tls-certs
- mountPath: /app/config/reposerver/tls
name: argocd-repo-server-tls
workingDir: /app
dnsPolicy: ClusterFirst
nodeSelector:
kubernetes.io/os: linux
serviceAccountName: argocd-notifications-controller
terminationGracePeriodSeconds: 30
volumes:
- configMap:
name: argocd-tls-certs-cm
name: tls-certs
- name: argocd-repo-server-tls
secret:
items:
- key: tls.crt
path: tls.crt
- key: tls.key
path: tls.key
- key: ca.crt
path: ca.crt
optional: true
secretName: argocd-repo-server-tls

87
rendered/envs/production/argocd/deployment-argo-cd-argocd-redis.yaml Normal file
View file

@ -0,0 +1,87 @@
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
a8r.io/repository: ""
labels:
app.kubernetes.io/component: redis
app.kubernetes.io/instance: argo-cd
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: argocd-redis
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: v2.14.10
helm.sh/chart: argo-cd-7.8.26
name: argo-cd-argocd-redis
namespace: argocd
spec:
replicas: 1
revisionHistoryLimit: 3
selector:
matchLabels:
app.kubernetes.io/name: argocd-redis
template:
metadata:
labels:
app.kubernetes.io/component: redis
app.kubernetes.io/instance: argo-cd
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: argocd-redis
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: v2.14.10
helm.sh/chart: argo-cd-7.8.26
spec:
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- podAffinityTerm:
labelSelector:
matchLabels:
app.kubernetes.io/name: argocd-redis
topologyKey: kubernetes.io/hostname
weight: 100
automountServiceAccountToken: true
containers:
- args:
- --save
- ""
- --appendonly
- "no"
- --requirepass $(REDIS_PASSWORD)
env:
- name: REDIS_PASSWORD
valueFrom:
secretKeyRef:
key: auth
name: argocd-redis
image: public.ecr.aws/docker/library/redis:7.4.2-alpine
imagePullPolicy: IfNotPresent
name: redis
ports:
- containerPort: 6379
name: redis
protocol: TCP
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
volumeMounts:
- mountPath: /health
name: health
dnsPolicy: ClusterFirst
nodeSelector:
kubernetes.io/os: linux
securityContext:
runAsNonRoot: true
runAsUser: 999
seccompProfile:
type: RuntimeDefault
serviceAccountName: default
terminationGracePeriodSeconds: 30
volumes:
- configMap:
defaultMode: 493
name: argo-cd-argocd-redis-health-configmap
name: health

383
rendered/envs/production/argocd/deployment-argo-cd-argocd-repo-server.yaml Normal file
View file

@ -0,0 +1,383 @@
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
a8r.io/repository: ""
labels:
app.kubernetes.io/component: repo-server
app.kubernetes.io/instance: argo-cd
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: argocd-repo-server
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: v2.14.10
helm.sh/chart: argo-cd-7.8.26
name: argo-cd-argocd-repo-server
namespace: argocd
spec:
replicas: 1
revisionHistoryLimit: 3
selector:
matchLabels:
app.kubernetes.io/instance: argo-cd
app.kubernetes.io/name: argocd-repo-server
template:
metadata:
annotations:
checksum/cm: 52c5a2727dab153bcfd45d15790886f8ec029f5dde02ec94a383c60583bcbb2e
checksum/cmd-params: f46fb4747491e33ef19e957952ce838b6507690ddf03e01967ec0b131af9b595
labels:
app.kubernetes.io/component: repo-server
app.kubernetes.io/instance: argo-cd
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: argocd-repo-server
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: v2.14.10
helm.sh/chart: argo-cd-7.8.26
spec:
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- podAffinityTerm:
labelSelector:
matchLabels:
app.kubernetes.io/name: argocd-repo-server
topologyKey: kubernetes.io/hostname
weight: 100
automountServiceAccountToken: true
containers:
- args:
- /usr/local/bin/argocd-repo-server
- --port=8081
- --metrics-port=8084
env:
- name: ARGOCD_REPO_SERVER_NAME
value: argo-cd-argocd-repo-server
- name: ARGOCD_RECONCILIATION_TIMEOUT
valueFrom:
configMapKeyRef:
key: timeout.reconciliation
name: argocd-cm
optional: true
- name: ARGOCD_REPO_SERVER_LOGFORMAT
valueFrom:
configMapKeyRef:
key: reposerver.log.format
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_LOGLEVEL
valueFrom:
configMapKeyRef:
key: reposerver.log.level
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_PARALLELISM_LIMIT
valueFrom:
configMapKeyRef:
key: reposerver.parallelism.limit
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_LISTEN_ADDRESS
valueFrom:
configMapKeyRef:
key: reposerver.listen.address
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_LISTEN_METRICS_ADDRESS
valueFrom:
configMapKeyRef:
key: reposerver.metrics.listen.address
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_DISABLE_TLS
valueFrom:
configMapKeyRef:
key: reposerver.disable.tls
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_TLS_MIN_VERSION
valueFrom:
configMapKeyRef:
key: reposerver.tls.minversion
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_TLS_MAX_VERSION
valueFrom:
configMapKeyRef:
key: reposerver.tls.maxversion
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_TLS_CIPHERS
valueFrom:
configMapKeyRef:
key: reposerver.tls.ciphers
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_CACHE_EXPIRATION
valueFrom:
configMapKeyRef:
key: reposerver.repo.cache.expiration
name: argocd-cmd-params-cm
optional: true
- name: REDIS_SERVER
valueFrom:
configMapKeyRef:
key: redis.server
name: argocd-cmd-params-cm
optional: true
- name: REDIS_COMPRESSION
valueFrom:
configMapKeyRef:
key: redis.compression
name: argocd-cmd-params-cm
optional: true
- name: REDISDB
valueFrom:
configMapKeyRef:
key: redis.db
name: argocd-cmd-params-cm
optional: true
- name: REDIS_USERNAME
valueFrom:
secretKeyRef:
key: redis-username
name: argo-cd-argocd-redis
optional: true
- name: REDIS_PASSWORD
valueFrom:
secretKeyRef:
key: auth
name: argocd-redis
optional: false
- name: REDIS_SENTINEL_USERNAME
valueFrom:
secretKeyRef:
key: redis-sentinel-username
name: argo-cd-argocd-redis
optional: true
- name: REDIS_SENTINEL_PASSWORD
valueFrom:
secretKeyRef:
key: redis-sentinel-password
name: argo-cd-argocd-redis
optional: true
- name: ARGOCD_DEFAULT_CACHE_EXPIRATION
valueFrom:
configMapKeyRef:
key: reposerver.default.cache.expiration
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_OTLP_ADDRESS
valueFrom:
configMapKeyRef:
key: otlp.address
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_OTLP_INSECURE
valueFrom:
configMapKeyRef:
key: otlp.insecure
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_OTLP_HEADERS
valueFrom:
configMapKeyRef:
key: otlp.headers
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_MAX_COMBINED_DIRECTORY_MANIFESTS_SIZE
valueFrom:
configMapKeyRef:
key: reposerver.max.combined.directory.manifests.size
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_PLUGIN_TAR_EXCLUSIONS
valueFrom:
configMapKeyRef:
key: reposerver.plugin.tar.exclusions
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_PLUGIN_USE_MANIFEST_GENERATE_PATHS
valueFrom:
configMapKeyRef:
key: reposerver.plugin.use.manifest.generate.paths
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_ALLOW_OUT_OF_BOUNDS_SYMLINKS
valueFrom:
configMapKeyRef:
key: reposerver.allow.oob.symlinks
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_STREAMED_MANIFEST_MAX_TAR_SIZE
valueFrom:
configMapKeyRef:
key: reposerver.streamed.manifest.max.tar.size
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_STREAMED_MANIFEST_MAX_EXTRACTED_SIZE
valueFrom:
configMapKeyRef:
key: reposerver.streamed.manifest.max.extracted.size
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_HELM_MANIFEST_MAX_EXTRACTED_SIZE
valueFrom:
configMapKeyRef:
key: reposerver.helm.manifest.max.extracted.size
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_DISABLE_HELM_MANIFEST_MAX_EXTRACTED_SIZE
valueFrom:
configMapKeyRef:
key: reposerver.disable.helm.manifest.max.extracted.size
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_GIT_MODULES_ENABLED
valueFrom:
configMapKeyRef:
key: reposerver.enable.git.submodule
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_GIT_LS_REMOTE_PARALLELISM_LIMIT
valueFrom:
configMapKeyRef:
key: reposerver.git.lsremote.parallelism.limit
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_GIT_REQUEST_TIMEOUT
valueFrom:
configMapKeyRef:
key: reposerver.git.request.timeout
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REVISION_CACHE_LOCK_TIMEOUT
valueFrom:
configMapKeyRef:
key: reposerver.revision.cache.lock.timeout
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_INCLUDE_HIDDEN_DIRECTORIES
valueFrom:
configMapKeyRef:
key: reposerver.include.hidden.directories
name: argocd-cmd-params-cm
optional: true
- name: HELM_CACHE_HOME
value: /helm-working-dir
- name: HELM_CONFIG_HOME
value: /helm-working-dir
- name: HELM_DATA_HOME
value: /helm-working-dir
image: quay.io/argoproj/argocd:v2.14.10
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 3
httpGet:
path: /healthz?full=true
port: metrics
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
name: repo-server
ports:
- containerPort: 8081
name: repo-server
protocol: TCP
- containerPort: 8084
name: metrics
protocol: TCP
readinessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: metrics
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /app/config/ssh
name: ssh-known-hosts
- mountPath: /app/config/tls
name: tls-certs
- mountPath: /app/config/gpg/source
name: gpg-keys
- mountPath: /app/config/gpg/keys
name: gpg-keyring
- mountPath: /app/config/reposerver/tls
name: argocd-repo-server-tls
- mountPath: /helm-working-dir
name: helm-working-dir
- mountPath: /home/argocd/cmp-server/plugins
name: plugins
- mountPath: /tmp
name: tmp
dnsPolicy: ClusterFirst
initContainers:
- command:
- /bin/cp
- -n
- /usr/local/bin/argocd
- /var/run/argocd/argocd-cmp-server
image: quay.io/argoproj/argocd:v2.14.10
imagePullPolicy: IfNotPresent
name: copyutil
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /var/run/argocd
name: var-files
nodeSelector:
kubernetes.io/os: linux
serviceAccountName: argo-cd-argocd-repo-server
terminationGracePeriodSeconds: 30
volumes:
- emptyDir: {}
name: helm-working-dir
- emptyDir: {}
name: plugins
- emptyDir: {}
name: var-files
- emptyDir: {}
name: tmp
- configMap:
name: argocd-ssh-known-hosts-cm
name: ssh-known-hosts
- configMap:
name: argocd-tls-certs-cm
name: tls-certs
- configMap:
name: argocd-gpg-keys-cm
name: gpg-keys
- emptyDir: {}
name: gpg-keyring
- name: argocd-repo-server-tls
secret:
items:
- key: tls.crt
path: tls.crt
- key: tls.key
path: tls.key
- key: ca.crt
path: ca.crt
optional: true
secretName: argocd-repo-server-tls

450
rendered/envs/production/argocd/deployment-argo-cd-argocd-server.yaml Normal file
View file

@ -0,0 +1,450 @@
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
a8r.io/repository: ""
labels:
app.kubernetes.io/component: server
app.kubernetes.io/instance: argo-cd
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: argocd-server
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: v2.14.10
helm.sh/chart: argo-cd-7.8.26
name: argo-cd-argocd-server
namespace: argocd
spec:
replicas: 1
revisionHistoryLimit: 3
selector:
matchLabels:
app.kubernetes.io/instance: argo-cd
app.kubernetes.io/name: argocd-server
template:
metadata:
annotations:
checksum/cm: 52c5a2727dab153bcfd45d15790886f8ec029f5dde02ec94a383c60583bcbb2e
checksum/cmd-params: f46fb4747491e33ef19e957952ce838b6507690ddf03e01967ec0b131af9b595
labels:
app.kubernetes.io/component: server
app.kubernetes.io/instance: argo-cd
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: argocd-server
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: v2.14.10
helm.sh/chart: argo-cd-7.8.26
spec:
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- podAffinityTerm:
labelSelector:
matchLabels:
app.kubernetes.io/name: argocd-server
topologyKey: kubernetes.io/hostname
weight: 100
automountServiceAccountToken: true
containers:
- args:
- /usr/local/bin/argocd-server
- --port=8080
- --metrics-port=8083
env:
- name: ARGOCD_SERVER_NAME
value: argo-cd-argocd-server
- name: ARGOCD_SERVER_INSECURE
valueFrom:
configMapKeyRef:
key: server.insecure
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_SERVER_BASEHREF
valueFrom:
configMapKeyRef:
key: server.basehref
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_SERVER_ROOTPATH
valueFrom:
configMapKeyRef:
key: server.rootpath
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_SERVER_LOGFORMAT
valueFrom:
configMapKeyRef:
key: server.log.format
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_SERVER_LOG_LEVEL
valueFrom:
configMapKeyRef:
key: server.log.level
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_SERVER_REPO_SERVER
valueFrom:
configMapKeyRef:
key: repo.server
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_SERVER_DEX_SERVER
valueFrom:
configMapKeyRef:
key: server.dex.server
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_SERVER_DISABLE_AUTH
valueFrom:
configMapKeyRef:
key: server.disable.auth
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_SERVER_ENABLE_GZIP
valueFrom:
configMapKeyRef:
key: server.enable.gzip
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_SERVER_REPO_SERVER_TIMEOUT_SECONDS
valueFrom:
configMapKeyRef:
key: server.repo.server.timeout.seconds
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_SERVER_X_FRAME_OPTIONS
valueFrom:
configMapKeyRef:
key: server.x.frame.options
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_SERVER_CONTENT_SECURITY_POLICY
valueFrom:
configMapKeyRef:
key: server.content.security.policy
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_SERVER_REPO_SERVER_PLAINTEXT
valueFrom:
configMapKeyRef:
key: server.repo.server.plaintext
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_SERVER_REPO_SERVER_STRICT_TLS
valueFrom:
configMapKeyRef:
key: server.repo.server.strict.tls
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_SERVER_DEX_SERVER_PLAINTEXT
valueFrom:
configMapKeyRef:
key: server.dex.server.plaintext
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_SERVER_DEX_SERVER_STRICT_TLS
valueFrom:
configMapKeyRef:
key: server.dex.server.strict.tls
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_TLS_MIN_VERSION
valueFrom:
configMapKeyRef:
key: server.tls.minversion
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_TLS_MAX_VERSION
valueFrom:
configMapKeyRef:
key: server.tls.maxversion
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_TLS_CIPHERS
valueFrom:
configMapKeyRef:
key: server.tls.ciphers
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_SERVER_CONNECTION_STATUS_CACHE_EXPIRATION
valueFrom:
configMapKeyRef:
key: server.connection.status.cache.expiration
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_SERVER_OIDC_CACHE_EXPIRATION
valueFrom:
configMapKeyRef:
key: server.oidc.cache.expiration
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_SERVER_LOGIN_ATTEMPTS_EXPIRATION
valueFrom:
configMapKeyRef:
key: server.login.attempts.expiration
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_SERVER_STATIC_ASSETS
valueFrom:
configMapKeyRef:
key: server.staticassets
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_APP_STATE_CACHE_EXPIRATION
valueFrom:
configMapKeyRef:
key: server.app.state.cache.expiration
name: argocd-cmd-params-cm
optional: true
- name: REDIS_SERVER
valueFrom:
configMapKeyRef:
key: redis.server
name: argocd-cmd-params-cm
optional: true
- name: REDIS_COMPRESSION
valueFrom:
configMapKeyRef:
key: redis.compression
name: argocd-cmd-params-cm
optional: true
- name: REDISDB
valueFrom:
configMapKeyRef:
key: redis.db
name: argocd-cmd-params-cm
optional: true
- name: REDIS_USERNAME
valueFrom:
secretKeyRef:
key: redis-username
name: argo-cd-argocd-redis
optional: true
- name: REDIS_PASSWORD
valueFrom:
secretKeyRef:
key: auth
name: argocd-redis
optional: false
- name: REDIS_SENTINEL_USERNAME
valueFrom:
secretKeyRef:
key: redis-sentinel-username
name: argo-cd-argocd-redis
optional: true
- name: REDIS_SENTINEL_PASSWORD
valueFrom:
secretKeyRef:
key: redis-sentinel-password
name: argo-cd-argocd-redis
optional: true
- name: ARGOCD_DEFAULT_CACHE_EXPIRATION
valueFrom:
configMapKeyRef:
key: server.default.cache.expiration
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_MAX_COOKIE_NUMBER
valueFrom:
configMapKeyRef:
key: server.http.cookie.maxnumber
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_SERVER_LISTEN_ADDRESS
valueFrom:
configMapKeyRef:
key: server.listen.address
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_SERVER_METRICS_LISTEN_ADDRESS
valueFrom:
configMapKeyRef:
key: server.metrics.listen.address
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_SERVER_OTLP_ADDRESS
valueFrom:
configMapKeyRef:
key: otlp.address
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_SERVER_OTLP_INSECURE
valueFrom:
configMapKeyRef:
key: otlp.insecure
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_SERVER_OTLP_HEADERS
valueFrom:
configMapKeyRef:
key: otlp.headers
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_APPLICATION_NAMESPACES
valueFrom:
configMapKeyRef:
key: application.namespaces
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_SERVER_ENABLE_PROXY_EXTENSION
valueFrom:
configMapKeyRef:
key: server.enable.proxy.extension
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_K8SCLIENT_RETRY_MAX
valueFrom:
configMapKeyRef:
key: server.k8sclient.retry.max
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_K8SCLIENT_RETRY_BASE_BACKOFF
valueFrom:
configMapKeyRef:
key: server.k8sclient.retry.base.backoff
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_API_CONTENT_TYPES
valueFrom:
configMapKeyRef:
key: server.api.content.types
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_SERVER_WEBHOOK_PARALLELISM_LIMIT
valueFrom:
configMapKeyRef:
key: server.webhook.parallelism.limit
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_NEW_GIT_FILE_GLOBBING
valueFrom:
configMapKeyRef:
key: applicationsetcontroller.enable.new.git.file.globbing
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_APPLICATIONSET_CONTROLLER_SCM_ROOT_CA_PATH
valueFrom:
configMapKeyRef:
key: applicationsetcontroller.scm.root.ca.path
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_APPLICATIONSET_CONTROLLER_ALLOWED_SCM_PROVIDERS
valueFrom:
configMapKeyRef:
key: applicationsetcontroller.allowed.scm.providers
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_SCM_PROVIDERS
valueFrom:
configMapKeyRef:
key: applicationsetcontroller.enable.scm.providers
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_HYDRATOR_ENABLED
valueFrom:
configMapKeyRef:
key: hydrator.enabled
name: argocd-cmd-params-cm
optional: true
image: quay.io/argoproj/argocd:v2.14.10
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 3
httpGet:
path: /healthz?full=true
port: server
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
name: server
ports:
- containerPort: 8080
name: server
protocol: TCP
- containerPort: 8083
name: metrics
protocol: TCP
readinessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: server
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /app/config/ssh
name: ssh-known-hosts
- mountPath: /app/config/tls
name: tls-certs
- mountPath: /app/config/server/tls
name: argocd-repo-server-tls
- mountPath: /app/config/dex/tls
name: argocd-dex-server-tls
- mountPath: /home/argocd
name: plugins-home
- mountPath: /shared/app/custom
name: styles
- mountPath: /tmp
name: tmp
- mountPath: /home/argocd/params
name: argocd-cmd-params-cm
dnsPolicy: ClusterFirst
nodeSelector:
kubernetes.io/os: linux
serviceAccountName: argocd-server
terminationGracePeriodSeconds: 30
volumes:
- emptyDir: {}
name: plugins-home
- emptyDir: {}
name: tmp
- configMap:
name: argocd-ssh-known-hosts-cm
name: ssh-known-hosts
- configMap:
name: argocd-tls-certs-cm
name: tls-certs
- configMap:
name: argocd-styles-cm
optional: true
name: styles
- name: argocd-repo-server-tls
secret:
items:
- key: tls.crt
path: tls.crt
- key: tls.key
path: tls.key
- key: ca.crt
path: ca.crt
optional: true
secretName: argocd-repo-server-tls
- name: argocd-dex-server-tls
secret:
items:
- key: tls.crt
path: tls.crt
- key: ca.crt
path: ca.crt
optional: true
secretName: argocd-dex-server-tls
- configMap:
items:
- key: server.profile.enabled
path: profiler.enabled
name: argocd-cmd-params-cm
optional: true
name: argocd-cmd-params-cm

33
rendered/envs/production/argocd/ingress-argo-cd-argocd-server.yaml Normal file
View file

@ -0,0 +1,33 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
a8r.io/repository: ""
cert-manager.io/cluster-issuer: letsencrypt
labels:
app.kubernetes.io/component: server
app.kubernetes.io/instance: argo-cd
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: argocd-server
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: v2.14.10
helm.sh/chart: argo-cd-7.8.26
name: argo-cd-argocd-server
namespace: argocd
spec:
ingressClassName: traefik
rules:
- host: argocd.tr1ceracop.de
http:
paths:
- backend:
service:
name: argo-cd-argocd-server
port:
number: 80
path: /
pathType: Prefix
tls:
- hosts:
- argocd.tr1ceracop.de
secretName: argocd-server-tls

61
rendered/envs/production/argocd/job-argo-cd-argocd-redis-secret-init.yaml Normal file
View file

@ -0,0 +1,61 @@
apiVersion: batch/v1
kind: Job
metadata:
annotations:
a8r.io/repository: ""
helm.sh/hook: pre-install,pre-upgrade
helm.sh/hook-delete-policy: before-hook-creation
labels:
app.kubernetes.io/component: redis-secret-init
app.kubernetes.io/instance: argo-cd
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: argocd-redis-secret-init
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: v2.14.10
helm.sh/chart: argo-cd-7.8.26
name: argo-cd-argocd-redis-secret-init
namespace: argocd
spec:
template:
metadata:
labels:
app.kubernetes.io/component: redis-secret-init
app.kubernetes.io/instance: argo-cd
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: argocd-redis-secret-init
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: v2.14.10
helm.sh/chart: argo-cd-7.8.26
spec:
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- podAffinityTerm:
labelSelector:
matchLabels:
app.kubernetes.io/name: argocd-redis-secret-init
topologyKey: kubernetes.io/hostname
weight: 100
containers:
- command:
- argocd
- admin
- redis-initial-password
image: quay.io/argoproj/argocd:v2.14.10
imagePullPolicy: IfNotPresent
name: secret-init
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
nodeSelector:
kubernetes.io/os: linux
restartPolicy: OnFailure
serviceAccountName: argo-cd-argocd-redis-secret-init
ttlSecondsAfterFinished: 60

9
rendered/envs/production/argocd/namespace-argocd.yaml Normal file
View file

@ -0,0 +1,9 @@
apiVersion: v1
kind: Namespace
metadata:
annotations:
a8r.io/repository: ""
labels:
pod-security.kubernetes.io/enforce: privileged
name: argocd
namespace: argocd

53
rendered/envs/production/argocd/role-argo-cd-argocd-application-controller.yaml Normal file
View file

@ -0,0 +1,53 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
annotations:
a8r.io/repository: ""
labels:
app.kubernetes.io/component: application-controller
app.kubernetes.io/instance: argo-cd
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: argocd-application-controller
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: v2.14.10
helm.sh/chart: argo-cd-7.8.26
name: argo-cd-argocd-application-controller
namespace: argocd
rules:
- apiGroups:
- ""
resources:
- secrets
- configmaps
verbs:
- get
- list
- watch
- apiGroups:
- argoproj.io
resources:
- applications
- appprojects
verbs:
- create
- get
- list
- watch
- update
- patch
- delete
- apiGroups:
- ""
resources:
- events
verbs:
- create
- list
- apiGroups:
- apps
resources:
- deployments
verbs:
- get
- list
- watch

97
rendered/envs/production/argocd/role-argo-cd-argocd-applicationset-controller.yaml Normal file
View file

@ -0,0 +1,97 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
annotations:
a8r.io/repository: ""
labels:
app.kubernetes.io/component: applicationset-controller
app.kubernetes.io/instance: argo-cd
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: argocd-applicationset-controller
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: v2.14.10
helm.sh/chart: argo-cd-7.8.26
name: argo-cd-argocd-applicationset-controller
namespace: argocd
rules:
- apiGroups:
- argoproj.io
resources:
- applications
- applicationsets
- applicationsets/finalizers
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- argoproj.io
resources:
- applicationsets/status
verbs:
- get
- patch
- update
- apiGroups:
- argoproj.io
resources:
- appprojects
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- events
verbs:
- create
- get
- list
- patch
- watch
- apiGroups:
- ""
resources:
- configmaps
verbs:
- create
- update
- delete
- get
- list
- patch
- watch
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- list
- watch
- apiGroups:
- apps
- extensions
resources:
- deployments
verbs:
- get
- list
- watch
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- create
- delete
- get
- list
- patch
- update
- watch

25
rendered/envs/production/argocd/role-argo-cd-argocd-dex-server.yaml Normal file
View file

@ -0,0 +1,25 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
annotations:
a8r.io/repository: ""
labels:
app.kubernetes.io/component: dex-server
app.kubernetes.io/instance: argo-cd
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: argocd-dex-server
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: v2.14.10
helm.sh/chart: argo-cd-7.8.26
name: argo-cd-argocd-dex-server
namespace: argocd
rules:
- apiGroups:
- ""
resources:
- secrets
- configmaps
verbs:
- get
- list
- watch

51
rendered/envs/production/argocd/role-argo-cd-argocd-notifications-controller.yaml Normal file
View file

@ -0,0 +1,51 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
annotations:
a8r.io/repository: ""
labels:
app.kubernetes.io/component: notifications-controller
app.kubernetes.io/instance: argo-cd
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: argocd-notifications-controller
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: v2.14.10
helm.sh/chart: argo-cd-7.8.26
name: argo-cd-argocd-notifications-controller
namespace: argocd
rules:
- apiGroups:
- argoproj.io
resources:
- applications
- appprojects
verbs:
- get
- list
- watch
- update
- patch
- apiGroups:
- ""
resources:
- configmaps
- secrets
verbs:
- list
- watch
- apiGroups:
- ""
resourceNames:
- argocd-notifications-cm
resources:
- configmaps
verbs:
- get
- apiGroups:
- ""
resourceNames:
- argocd-notifications-secret
resources:
- secrets
verbs:
- get

32
rendered/envs/production/argocd/role-argo-cd-argocd-redis-secret-init.yaml Normal file
View file

@ -0,0 +1,32 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
annotations:
a8r.io/repository: ""
helm.sh/hook: pre-install,pre-upgrade
helm.sh/hook-delete-policy: before-hook-creation
labels:
app.kubernetes.io/component: redis-secret-init
app.kubernetes.io/instance: argo-cd
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: argocd-redis-secret-init
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: v2.14.10
helm.sh/chart: argo-cd-7.8.26
name: argo-cd-argocd-redis-secret-init
namespace: argocd
rules:
- apiGroups:
- ""
resourceNames:
- argocd-redis
resources:
- secrets
verbs:
- get
- apiGroups:
- ""
resources:
- secrets
verbs:
- create

16
rendered/envs/production/argocd/role-argo-cd-argocd-repo-server.yaml Normal file
View file

@ -0,0 +1,16 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
annotations:
a8r.io/repository: ""
labels:
app.kubernetes.io/component: repo-server
app.kubernetes.io/instance: argo-cd
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: argocd-repo-server
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: v2.14.10
helm.sh/chart: argo-cd-7.8.26
name: argo-cd-argocd-repo-server
namespace: argocd
rules: null

50
rendered/envs/production/argocd/role-argo-cd-argocd-server.yaml Normal file
View file

@ -0,0 +1,50 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
annotations:
a8r.io/repository: ""
labels:
app.kubernetes.io/component: server
app.kubernetes.io/instance: argo-cd
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: argocd-server
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: v2.14.10
helm.sh/chart: argo-cd-7.8.26
name: argo-cd-argocd-server
namespace: argocd
rules:
- apiGroups:
- ""
resources:
- secrets
- configmaps
verbs:
- create
- get
- list
- watch
- update
- patch
- delete
- apiGroups:
- argoproj.io
resources:
- applications
- applicationsets
- appprojects
verbs:
- create
- get
- list
- watch
- update
- delete
- patch
- apiGroups:
- ""
resources:
- events
verbs:
- create
- list

23
rendered/envs/production/argocd/rolebinding-argo-cd-argocd-application-controller.yaml Normal file
View file

@ -0,0 +1,23 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
annotations:
a8r.io/repository: ""
labels:
app.kubernetes.io/component: application-controller
app.kubernetes.io/instance: argo-cd
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: argocd-application-controller
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: v2.14.10
helm.sh/chart: argo-cd-7.8.26
name: argo-cd-argocd-application-controller
namespace: argocd
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: argo-cd-argocd-application-controller
subjects:
- kind: ServiceAccount
name: argocd-application-controller
namespace: argocd

23
rendered/envs/production/argocd/rolebinding-argo-cd-argocd-applicationset-controller.yaml Normal file
View file

@ -0,0 +1,23 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
annotations:
a8r.io/repository: ""
labels:
app.kubernetes.io/component: applicationset-controller
app.kubernetes.io/instance: argo-cd
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: argocd-applicationset-controller
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: v2.14.10
helm.sh/chart: argo-cd-7.8.26
name: argo-cd-argocd-applicationset-controller
namespace: argocd
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: argo-cd-argocd-applicationset-controller
subjects:
- kind: ServiceAccount
name: argocd-applicationset-controller
namespace: argocd

23
rendered/envs/production/argocd/rolebinding-argo-cd-argocd-dex-server.yaml Normal file
View file

@ -0,0 +1,23 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
annotations:
a8r.io/repository: ""
labels:
app.kubernetes.io/component: dex-server
app.kubernetes.io/instance: argo-cd
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: argocd-dex-server
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: v2.14.10
helm.sh/chart: argo-cd-7.8.26
name: argo-cd-argocd-dex-server
namespace: argocd
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: argo-cd-argocd-dex-server
subjects:
- kind: ServiceAccount
name: argocd-dex-server
namespace: argocd

23
rendered/envs/production/argocd/rolebinding-argo-cd-argocd-notifications-controller.yaml Normal file
View file

@ -0,0 +1,23 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
annotations:
a8r.io/repository: ""
labels:
app.kubernetes.io/component: notifications-controller
app.kubernetes.io/instance: argo-cd
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: argocd-notifications-controller
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: v2.14.10
helm.sh/chart: argo-cd-7.8.26
name: argo-cd-argocd-notifications-controller
namespace: argocd
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: argo-cd-argocd-notifications-controller
subjects:
- kind: ServiceAccount
name: argocd-notifications-controller
namespace: argocd

24
rendered/envs/production/argocd/rolebinding-argo-cd-argocd-redis-secret-init.yaml Normal file
View file

@ -0,0 +1,24 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
annotations:
a8r.io/repository: ""
helm.sh/hook: pre-install,pre-upgrade
helm.sh/hook-delete-policy: before-hook-creation
labels:
app.kubernetes.io/component: redis-secret-init
app.kubernetes.io/instance: argo-cd
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: argocd-redis-secret-init
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: v2.14.10
helm.sh/chart: argo-cd-7.8.26
name: argo-cd-argocd-redis-secret-init
namespace: argocd
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: argo-cd-argocd-redis-secret-init
subjects:
- kind: ServiceAccount
name: argo-cd-argocd-redis-secret-init

23
rendered/envs/production/argocd/rolebinding-argo-cd-argocd-repo-server.yaml Normal file
View file

@ -0,0 +1,23 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
annotations:
a8r.io/repository: ""
labels:
app.kubernetes.io/component: repo-server
app.kubernetes.io/instance: argo-cd
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: argocd-repo-server
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: v2.14.10
helm.sh/chart: argo-cd-7.8.26
name: argo-cd-argocd-repo-server
namespace: argocd
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: argo-cd-argocd-repo-server
subjects:
- kind: ServiceAccount
name: argo-cd-argocd-repo-server
namespace: argocd

23
rendered/envs/production/argocd/rolebinding-argo-cd-argocd-server.yaml Normal file
View file

@ -0,0 +1,23 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
annotations:
a8r.io/repository: ""
labels:
app.kubernetes.io/component: server
app.kubernetes.io/instance: argo-cd
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: argocd-server
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: v2.14.10
helm.sh/chart: argo-cd-7.8.26
name: argo-cd-argocd-server
namespace: argocd
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: argo-cd-argocd-server
subjects:
- kind: ServiceAccount
name: argocd-server
namespace: argocd

17
rendered/envs/production/argocd/secret-argocd-notifications-secret.yaml Normal file
View file

@ -0,0 +1,17 @@
apiVersion: v1
kind: Secret
metadata:
annotations:
a8r.io/repository: ""
labels:
app.kubernetes.io/component: notifications-controller
app.kubernetes.io/instance: argo-cd
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: argocd-notifications-controller
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: v2.14.10
helm.sh/chart: argo-cd-7.8.26
name: argocd-notifications-secret
namespace: argocd
stringData: null
type: Opaque

16
rendered/envs/production/argocd/secret-argocd-secret.yaml Normal file
View file

@ -0,0 +1,16 @@
apiVersion: v1
kind: Secret
metadata:
annotations:
a8r.io/repository: ""
labels:
app.kubernetes.io/component: server
app.kubernetes.io/instance: argo-cd
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: argocd-secret
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: v2.14.10
helm.sh/chart: argo-cd-7.8.26
name: argocd-secret
namespace: argocd
type: Opaque

24
rendered/envs/production/argocd/service-argo-cd-argocd-applicationset-controller.yaml Normal file
View file

@ -0,0 +1,24 @@
apiVersion: v1
kind: Service
metadata:
annotations:
a8r.io/repository: ""
labels:
app.kubernetes.io/component: applicationset-controller
app.kubernetes.io/instance: argo-cd
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: argocd-applicationset-controller
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: v2.14.10
helm.sh/chart: argo-cd-7.8.26
name: argo-cd-argocd-applicationset-controller
namespace: argocd
spec:
ports:
- name: http-webhook
port: 7000
targetPort: webhook
selector:
app.kubernetes.io/instance: argo-cd
app.kubernetes.io/name: argocd-applicationset-controller
type: ClusterIP

28
rendered/envs/production/argocd/service-argo-cd-argocd-dex-server.yaml Normal file
View file

@ -0,0 +1,28 @@
apiVersion: v1
kind: Service
metadata:
annotations:
a8r.io/repository: ""
labels:
app.kubernetes.io/component: dex-server
app.kubernetes.io/instance: argo-cd
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: argocd-dex-server
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: v2.14.10
helm.sh/chart: argo-cd-7.8.26
name: argo-cd-argocd-dex-server
namespace: argocd
spec:
ports:
- name: http
port: 5556
protocol: TCP
targetPort: http
- name: grpc
port: 5557
protocol: TCP
targetPort: grpc
selector:
app.kubernetes.io/instance: argo-cd
app.kubernetes.io/name: argocd-dex-server

23
rendered/envs/production/argocd/service-argo-cd-argocd-redis.yaml Normal file
View file

@ -0,0 +1,23 @@
apiVersion: v1
kind: Service
metadata:
annotations:
a8r.io/repository: ""
labels:
app.kubernetes.io/component: redis
app.kubernetes.io/instance: argo-cd
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: argocd-redis
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: v2.14.10
helm.sh/chart: argo-cd-7.8.26
name: argo-cd-argocd-redis
namespace: argocd
spec:
ports:
- name: redis
port: 6379
targetPort: redis
selector:
app.kubernetes.io/instance: argo-cd
app.kubernetes.io/name: argocd-redis

24
rendered/envs/production/argocd/service-argo-cd-argocd-repo-server.yaml Normal file
View file

@ -0,0 +1,24 @@
apiVersion: v1
kind: Service
metadata:
annotations:
a8r.io/repository: ""
labels:
app.kubernetes.io/component: repo-server
app.kubernetes.io/instance: argo-cd
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: argocd-repo-server
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: v2.14.10
helm.sh/chart: argo-cd-7.8.26
name: argo-cd-argocd-repo-server
namespace: argocd
spec:
ports:
- name: tcp-repo-server
port: 8081
protocol: TCP
targetPort: repo-server
selector:
app.kubernetes.io/instance: argo-cd
app.kubernetes.io/name: argocd-repo-server

30
rendered/envs/production/argocd/service-argo-cd-argocd-server.yaml Normal file
View file

@ -0,0 +1,30 @@
apiVersion: v1
kind: Service
metadata:
annotations:
a8r.io/repository: ""
labels:
app.kubernetes.io/component: server
app.kubernetes.io/instance: argo-cd
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: argocd-server
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: v2.14.10
helm.sh/chart: argo-cd-7.8.26
name: argo-cd-argocd-server
namespace: argocd
spec:
ports:
- name: http
port: 80
protocol: TCP
targetPort: 8080
- name: https
port: 443
protocol: TCP
targetPort: 8080
selector:
app.kubernetes.io/instance: argo-cd
app.kubernetes.io/name: argocd-server
sessionAffinity: None
type: ClusterIP

18
rendered/envs/production/argocd/serviceaccount-argo-cd-argocd-redis-secret-init.yaml Normal file
View file

@ -0,0 +1,18 @@
apiVersion: v1
automountServiceAccountToken: true
kind: ServiceAccount
metadata:
annotations:
a8r.io/repository: ""
helm.sh/hook: pre-install,pre-upgrade
helm.sh/hook-delete-policy: before-hook-creation
labels:
app.kubernetes.io/component: redis-secret-init
app.kubernetes.io/instance: argo-cd
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: argocd-redis-secret-init
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: v2.14.10
helm.sh/chart: argo-cd-7.8.26
name: argo-cd-argocd-redis-secret-init
namespace: argocd

16
rendered/envs/production/argocd/serviceaccount-argo-cd-argocd-repo-server.yaml Normal file
View file

@ -0,0 +1,16 @@
apiVersion: v1
automountServiceAccountToken: true
kind: ServiceAccount
metadata:
annotations:
a8r.io/repository: ""
labels:
app.kubernetes.io/component: repo-server
app.kubernetes.io/instance: argo-cd
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: argocd-repo-server
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: v2.14.10
helm.sh/chart: argo-cd-7.8.26
name: argo-cd-argocd-repo-server
namespace: argocd

16
rendered/envs/production/argocd/serviceaccount-argocd-application-controller.yaml Normal file
View file

@ -0,0 +1,16 @@
apiVersion: v1
automountServiceAccountToken: true
kind: ServiceAccount
metadata:
annotations:
a8r.io/repository: ""
labels:
app.kubernetes.io/component: application-controller
app.kubernetes.io/instance: argo-cd
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: argocd-application-controller
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: v2.14.10
helm.sh/chart: argo-cd-7.8.26
name: argocd-application-controller
namespace: argocd

16
rendered/envs/production/argocd/serviceaccount-argocd-applicationset-controller.yaml Normal file
View file

@ -0,0 +1,16 @@
apiVersion: v1
automountServiceAccountToken: true
kind: ServiceAccount
metadata:
annotations:
a8r.io/repository: ""
labels:
app.kubernetes.io/component: applicationset-controller
app.kubernetes.io/instance: argo-cd
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: argocd-applicationset-controller
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: v2.14.10
helm.sh/chart: argo-cd-7.8.26
name: argocd-applicationset-controller
namespace: argocd

16
rendered/envs/production/argocd/serviceaccount-argocd-dex-server.yaml Normal file
View file

@ -0,0 +1,16 @@
apiVersion: v1
automountServiceAccountToken: true
kind: ServiceAccount
metadata:
annotations:
a8r.io/repository: ""
labels:
app.kubernetes.io/component: dex-server
app.kubernetes.io/instance: argo-cd
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: argocd-dex-server
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: v2.14.10
helm.sh/chart: argo-cd-7.8.26
name: argocd-dex-server
namespace: argocd

16
rendered/envs/production/argocd/serviceaccount-argocd-notifications-controller.yaml Normal file
View file

@ -0,0 +1,16 @@
apiVersion: v1
automountServiceAccountToken: true
kind: ServiceAccount
metadata:
annotations:
a8r.io/repository: ""
labels:
app.kubernetes.io/component: notifications-controller
app.kubernetes.io/instance: argo-cd
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: argocd-notifications-controller
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: v2.14.10
helm.sh/chart: argo-cd-7.8.26
name: argocd-notifications-controller
namespace: argocd

16
rendered/envs/production/argocd/serviceaccount-argocd-server.yaml Normal file
View file

@ -0,0 +1,16 @@
apiVersion: v1
automountServiceAccountToken: true
kind: ServiceAccount
metadata:
annotations:
a8r.io/repository: ""
labels:
app.kubernetes.io/component: server
app.kubernetes.io/instance: argo-cd
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: argocd-server
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: v2.14.10
helm.sh/chart: argo-cd-7.8.26
name: argocd-server
namespace: argocd

368
rendered/envs/production/argocd/statefulset-argo-cd-argocd-application-controller.yaml Normal file
View file

@ -0,0 +1,368 @@
apiVersion: apps/v1
kind: StatefulSet
metadata:
annotations:
a8r.io/repository: ""
labels:
app.kubernetes.io/component: application-controller
app.kubernetes.io/instance: argo-cd
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: argocd-application-controller
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: v2.14.10
helm.sh/chart: argo-cd-7.8.26
name: argo-cd-argocd-application-controller
namespace: argocd
spec:
replicas: 1
revisionHistoryLimit: 5
selector:
matchLabels:
app.kubernetes.io/instance: argo-cd
app.kubernetes.io/name: argocd-application-controller
serviceName: argo-cd-argocd-application-controller
template:
metadata:
annotations:
checksum/cm: 52c5a2727dab153bcfd45d15790886f8ec029f5dde02ec94a383c60583bcbb2e
checksum/cmd-params: f46fb4747491e33ef19e957952ce838b6507690ddf03e01967ec0b131af9b595
labels:
app.kubernetes.io/component: application-controller
app.kubernetes.io/instance: argo-cd
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: argocd-application-controller
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: v2.14.10
helm.sh/chart: argo-cd-7.8.26
spec:
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- podAffinityTerm:
labelSelector:
matchLabels:
app.kubernetes.io/name: argocd-application-controller
topologyKey: kubernetes.io/hostname
weight: 100
automountServiceAccountToken: true
containers:
- args:
- /usr/local/bin/argocd-application-controller
- --metrics-port=8082
env:
- name: ARGOCD_CONTROLLER_REPLICAS
value: "1"
- name: ARGOCD_APPLICATION_CONTROLLER_NAME
value: argo-cd-argocd-application-controller
- name: ARGOCD_RECONCILIATION_TIMEOUT
valueFrom:
configMapKeyRef:
key: timeout.reconciliation
name: argocd-cm
optional: true
- name: ARGOCD_HARD_RECONCILIATION_TIMEOUT
valueFrom:
configMapKeyRef:
key: timeout.hard.reconciliation
name: argocd-cm
optional: true
- name: ARGOCD_RECONCILIATION_JITTER
valueFrom:
configMapKeyRef:
key: timeout.reconciliation.jitter
name: argocd-cm
optional: true
- name: ARGOCD_REPO_ERROR_GRACE_PERIOD_SECONDS
valueFrom:
configMapKeyRef:
key: controller.repo.error.grace.period.seconds
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER
valueFrom:
configMapKeyRef:
key: repo.server
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER_TIMEOUT_SECONDS
valueFrom:
configMapKeyRef:
key: controller.repo.server.timeout.seconds
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_STATUS_PROCESSORS
valueFrom:
configMapKeyRef:
key: controller.status.processors
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_OPERATION_PROCESSORS
valueFrom:
configMapKeyRef:
key: controller.operation.processors
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_LOGFORMAT
valueFrom:
configMapKeyRef:
key: controller.log.format
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_LOGLEVEL
valueFrom:
configMapKeyRef:
key: controller.log.level
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_METRICS_CACHE_EXPIRATION
valueFrom:
configMapKeyRef:
key: controller.metrics.cache.expiration
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_SELF_HEAL_TIMEOUT_SECONDS
valueFrom:
configMapKeyRef:
key: controller.self.heal.timeout.seconds
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_SELF_HEAL_BACKOFF_TIMEOUT_SECONDS
valueFrom:
configMapKeyRef:
key: controller.self.heal.backoff.timeout.seconds
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_SELF_HEAL_BACKOFF_FACTOR
valueFrom:
configMapKeyRef:
key: controller.self.heal.backoff.factor
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_SELF_HEAL_BACKOFF_CAP_SECONDS
valueFrom:
configMapKeyRef:
key: controller.self.heal.backoff.cap.seconds
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_SYNC_TIMEOUT
valueFrom:
configMapKeyRef:
key: controller.sync.timeout.seconds
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER_PLAINTEXT
valueFrom:
configMapKeyRef:
key: controller.repo.server.plaintext
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER_STRICT_TLS
valueFrom:
configMapKeyRef:
key: controller.repo.server.strict.tls
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_PERSIST_RESOURCE_HEALTH
valueFrom:
configMapKeyRef:
key: controller.resource.health.persist
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_APP_STATE_CACHE_EXPIRATION
valueFrom:
configMapKeyRef:
key: controller.app.state.cache.expiration
name: argocd-cmd-params-cm
optional: true
- name: REDIS_SERVER
valueFrom:
configMapKeyRef:
key: redis.server
name: argocd-cmd-params-cm
optional: true
- name: REDIS_COMPRESSION
valueFrom:
configMapKeyRef:
key: redis.compression
name: argocd-cmd-params-cm
optional: true
- name: REDISDB
valueFrom:
configMapKeyRef:
key: redis.db
name: argocd-cmd-params-cm
optional: true
- name: REDIS_USERNAME
valueFrom:
secretKeyRef:
key: redis-username
name: argo-cd-argocd-redis
optional: true
- name: REDIS_PASSWORD
valueFrom:
secretKeyRef:
key: auth
name: argocd-redis
optional: false
- name: REDIS_SENTINEL_USERNAME
valueFrom:
secretKeyRef:
key: redis-sentinel-username
name: argo-cd-argocd-redis
optional: true
- name: REDIS_SENTINEL_PASSWORD
valueFrom:
secretKeyRef:
key: redis-sentinel-password
name: argo-cd-argocd-redis
optional: true
- name: ARGOCD_DEFAULT_CACHE_EXPIRATION
valueFrom:
configMapKeyRef:
key: controller.default.cache.expiration
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_OTLP_ADDRESS
valueFrom:
configMapKeyRef:
key: otlp.address
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_OTLP_INSECURE
valueFrom:
configMapKeyRef:
key: otlp.insecure
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_OTLP_HEADERS
valueFrom:
configMapKeyRef:
key: otlp.headers
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_APPLICATION_NAMESPACES
valueFrom:
configMapKeyRef:
key: application.namespaces
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_CONTROLLER_SHARDING_ALGORITHM
valueFrom:
configMapKeyRef:
key: controller.sharding.algorithm
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_KUBECTL_PARALLELISM_LIMIT
valueFrom:
configMapKeyRef:
key: controller.kubectl.parallelism.limit
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_K8SCLIENT_RETRY_MAX
valueFrom:
configMapKeyRef:
key: controller.k8sclient.retry.max
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_K8SCLIENT_RETRY_BASE_BACKOFF
valueFrom:
configMapKeyRef:
key: controller.k8sclient.retry.base.backoff
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_SERVER_SIDE_DIFF
valueFrom:
configMapKeyRef:
key: controller.diff.server.side
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_IGNORE_NORMALIZER_JQ_TIMEOUT
valueFrom:
configMapKeyRef:
key: controller.ignore.normalizer.jq.timeout
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_HYDRATOR_ENABLED
valueFrom:
configMapKeyRef:
key: hydrator.enabled
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_CLUSTER_CACHE_BATCH_EVENTS_PROCESSING
valueFrom:
configMapKeyRef:
key: controller.cluster.cache.batch.events.processing
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_CLUSTER_CACHE_EVENTS_PROCESSING_INTERVAL
valueFrom:
configMapKeyRef:
key: controller.cluster.cache.events.processing.interval
name: argocd-cmd-params-cm
optional: true
- name: KUBECACHEDIR
value: /tmp/kubecache
image: quay.io/argoproj/argocd:v2.14.10
imagePullPolicy: IfNotPresent
name: application-controller
ports:
- containerPort: 8082
name: metrics
protocol: TCP
readinessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: metrics
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /app/config/controller/tls
name: argocd-repo-server-tls
- mountPath: /home/argocd
name: argocd-home
- mountPath: /home/argocd/params
name: argocd-cmd-params-cm
- mountPath: /tmp
name: argocd-application-controller-tmp
workingDir: /home/argocd
dnsPolicy: ClusterFirst
nodeSelector:
kubernetes.io/os: linux
serviceAccountName: argocd-application-controller
terminationGracePeriodSeconds: 30
volumes:
- emptyDir: {}
name: argocd-home
- emptyDir: {}
name: argocd-application-controller-tmp
- name: argocd-repo-server-tls
secret:
items:
- key: tls.crt
path: tls.crt
- key: tls.key
path: tls.key
- key: ca.crt
path: ca.crt
optional: true
secretName: argocd-repo-server-tls
- configMap:
items:
- key: controller.profile.enabled
path: profiler.enabled
name: argocd-cmd-params-cm
optional: true
name: argocd-cmd-params-cm

Some files were not shown because too many files have changed in this diff Show more