forked from argoproj/argo-cd
-
Notifications
You must be signed in to change notification settings - Fork 0
/
argocd-cm.yaml
408 lines (362 loc) · 18.7 KB
/
argocd-cm.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
apiVersion: v1
kind: ConfigMap
metadata:
name: argocd-cm
namespace: argocd
labels:
app.kubernetes.io/name: argocd-cm
app.kubernetes.io/part-of: argocd
data:
# Argo CD's externally facing base URL (optional). Required when configuring SSO
url: https://argo-cd-demo.argoproj.io
# Enables application status badge feature
statusbadge.enabled: "true"
# Override the Argo CD hostname root URL for both the project and the application status badges.
# Here is an example of the application status badge for the app `myapp` to see what is replaced.
# <statusbadge.url>api/badge?name=myapp&revision=true
# Provide custom URL to override. You must include the trailing forward slash:
statusbadge.url: "https://cd-status.apps.argoproj.io/"
# Enables anonymous user access. The anonymous users get default role permissions specified argocd-rbac-cm.yaml.
users.anonymous.enabled: "true"
# Specifies token expiration duration
users.session.duration: "24h"
# Specifies regex expression for password
passwordPattern: "^.{8,32}$"
# Enables google analytics tracking is specified
ga.trackingid: "UA-12345-1"
# Unless set to 'false' then user ids are hashed before sending to google analytics
ga.anonymizeusers: "false"
# the URL for getting chat help, this will typically be your Slack channel for support
help.chatUrl: "https://mycorp.slack.com/argo-cd"
# the text for getting chat help, defaults to "Chat now!"
help.chatText: "Chat now!"
# The URLs to download additional ArgoCD binaries (besides the Linux with current platform binary included by default)
# for different OS architectures. If provided, additional download buttons will be displayed on the help page.
help.download.linux-amd64: "path-or-url-to-download"
help.download.linux-arm64: "path-or-url-to-download"
help.download.linux-ppc64le: "path-or-url-to-download"
help.download.linux-s390x: "path-or-url-to-download"
help.download.darwin-amd64: "path-or-url-to-download"
help.download.darwin-arm64: "path-or-url-to-download"
help.download.windows-amd64: "path-or-url-to-download"
# A dex connector configuration (optional). See SSO configuration documentation:
# https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/user-management/index.md#sso
# https://dexidp.io/docs/connectors/
dex.config: |
connectors:
# GitHub example
- type: github
id: github
name: GitHub
config:
clientID: aabbccddeeff00112233
clientSecret: $dex.github.clientSecret
orgs:
- name: your-github-org
teams:
- red-team
# It is possible to provide custom static client for dex if you want to reuse it
# with other services
# staticClients:
# - id: argo-workflow
# name: Argo Workflow
# redirectURIs:
# - https://argo/oauth2/callback
# secret: $secretReference
# OIDC configuration as an alternative to dex (optional).
oidc.config: |
name: Okta
issuer: https://dev-123456.oktapreview.com
clientID: aaaabbbbccccddddeee
clientSecret: $oidc.okta.clientSecret
# Optional set of OIDC scopes to request. If omitted, defaults to: ["openid", "profile", "email", "groups"]
requestedScopes: ["openid", "profile", "email"]
# Optional set of OIDC claims to request on the ID token.
requestedIDTokenClaims: {"groups": {"essential": true}}
# Configuration to customize resource behavior (optional) can be configured via splitted sub keys.
# Keys are in the form: resource.customizations.ignoreDifferences.<group_kind>, resource.customizations.health.<group_kind>
# resource.customizations.actions.<group_kind>, resource.customizations.knownTypeFields.<group-kind>
# resource.customizations.ignoreResourceUpdates.<group-kind>
resource.customizations.ignoreDifferences.admissionregistration.k8s.io_MutatingWebhookConfiguration: |
jsonPointers:
- /webhooks/0/clientConfig/caBundle
jqPathExpressions:
- .webhooks[0].clientConfig.caBundle
managedFieldsManagers:
- kube-controller-manager
# Configuration to define customizations ignoring differences between live and desired states for
# all resources (GK).
resource.customizations.ignoreDifferences.all: |
managedFieldsManagers:
- kube-controller-manager
jsonPointers:
- /spec/replicas
# Enable resource.customizations.ignoreResourceUpdates rules. If "false," those rules are not applied, and all updates
# to resources are applied to the cluster cache. Default is false.
resource.ignoreResourceUpdatesEnabled: "false"
# Configuration to define customizations ignoring differences during watched resource updates to skip application reconciles.
resource.customizations.ignoreResourceUpdates.all: |
jsonPointers:
- /metadata/resourceVersion
# Configuration to define customizations ignoring differences during watched resource updates can be configured via splitted sub key.
resource.customizations.ignoreResourceUpdates.argoproj.io_Application: |
jsonPointers:
- /status
# jsonPointers and jqPathExpressions can be specified.
resource.customizations.ignoreResourceUpdates.autoscaling_HorizontalPodAutoscaler: |
jqPathExpressions:
- '.metadata.annotations."autoscaling.alpha.kubernetes.io/behavior"'
- '.metadata.annotations."autoscaling.alpha.kubernetes.io/conditions"'
- '.metadata.annotations."autoscaling.alpha.kubernetes.io/metrics"'
- '.metadata.annotations."autoscaling.alpha.kubernetes.io/current-metrics"'
jsonPointers:
- /metadata/annotations/autoscaling.alpha.kubernetes.io~1behavior
- /metadata/annotations/autoscaling.alpha.kubernetes.io~1conditions
- /metadata/annotations/autoscaling.alpha.kubernetes.io~1metrics
- /metadata/annotations/autoscaling.alpha.kubernetes.io~1current-metrics
resource.customizations.health.certmanager.k8s.io-Certificate: |
hs = {}
if obj.status ~= nil then
if obj.status.conditions ~= nil then
for i, condition in ipairs(obj.status.conditions) do
if condition.type == "Ready" and condition.status == "False" then
hs.status = "Degraded"
hs.message = condition.message
return hs
end
if condition.type == "Ready" and condition.status == "True" then
hs.status = "Healthy"
hs.message = condition.message
return hs
end
end
end
end
hs.status = "Progressing"
hs.message = "Waiting for certificate"
return hs
resource.customizations.health.cert-manager.io_Certificate: |
hs = {}
if obj.status ~= nil then
if obj.status.conditions ~= nil then
for i, condition in ipairs(obj.status.conditions) do
if condition.type == "Ready" and condition.status == "False" then
hs.status = "Degraded"
hs.message = condition.message
return hs
end
if condition.type == "Ready" and condition.status == "True" then
hs.status = "Healthy"
hs.message = condition.message
return hs
end
end
end
end
hs.status = "Progressing"
hs.message = "Waiting for certificate"
return hs
# List of Lua Scripts to introduce custom actions
resource.customizations.actions.apps_Deployment: |
# Lua Script to indicate which custom actions are available on the resource
discovery.lua: |
actions = {}
actions["restart"] = {}
return actions
definitions:
- name: restart
# Lua Script to modify the obj
action.lua: |
local os = require("os")
if obj.spec.template.metadata == nil then
obj.spec.template.metadata = {}
end
if obj.spec.template.metadata.annotations == nil then
obj.spec.template.metadata.annotations = {}
end
obj.spec.template.metadata.annotations["kubectl.kubernetes.io/restartedAt"] = os.date("!%Y-%m-%dT%XZ")
return obj
# Configuration to completely ignore entire classes of resource group/kinds (optional).
# Excluding high-volume resources improves performance and memory usage, and reduces load and
# bandwidth to the Kubernetes API server.
# These are globs, so a "*" will match all values.
# If you omit groups/kinds/clusters then they will match all groups/kind/clusters.
# NOTE: events.k8s.io and metrics.k8s.io are excluded by default
resource.exclusions: |
- apiGroups:
- repositories.stash.appscode.com
kinds:
- Snapshot
clusters:
- "*.local"
# By default all resource group/kinds are included. The resource.inclusions setting allows customizing
# list of included group/kinds.
resource.inclusions: |
- apiGroups:
- repositories.stash.appscode.com
kinds:
- Snapshot
clusters:
- "*.local"
# An optional comma-separated list of metadata.labels to observe in the UI.
resource.customLabels: tier
resource.compareoptions: |
# if ignoreAggregatedRoles set to true then differences caused by aggregated roles in RBAC resources are ignored.
ignoreAggregatedRoles: true
# disables status field diffing in specified resource types
# 'crd' - CustomResourceDefinitions (default)
# 'all' - all resources
# 'none' - disabled
ignoreResourceStatusField: crd
# configuration to instruct controller to only watch for resources that it has permissions to list
# can be either empty, "normal" or "strict". By default, it is empty i.e. disabled.
resource.respectRBAC: "normal"
# A set of settings that allow enabling or disabling the config management tool.
# If unset, each defaults to "true".
kustomize.enabled: true
jsonnet.enabled: true
helm.enabled: true
# Build options/parameters to use with `kustomize build` (optional)
kustomize.buildOptions: --load_restrictor none
# Per-version build options and binary paths
kustomize.path.v3.9.1: /custom-tools/kustomize_3_9
kustomize.buildOptions.v3.9.1: --enable_kyaml true
# Additional Kustomize versions and corresponding binary paths (deprecated)
kustomize.version.v3.5.1: /custom-tools/kustomize_3_5_1
kustomize.version.v3.5.4: /custom-tools/kustomize_3_5_4
# Comma delimited list of additional custom remote values file schemes (http are https are allowed by default).
# Change to empty value if you want to disable remote values files altogether.
helm.valuesFileSchemes: http, https
# The metadata.label key name where Argo CD injects the app name as a tracking label (optional).
# Tracking labels are used to determine which resources need to be deleted when pruning.
# If omitted, Argo CD injects the app name into the label: 'app.kubernetes.io/instance'
application.instanceLabelKey: mycompany.com/appname
# You can change the resource tracking method Argo CD uses by changing the
# setting application.resourceTrackingMethod to the desired method.
# The following methods are available:
# - label : Uses the application.instanceLabelKey label for tracking
# - annotation : Uses an annotation with additional metadata for tracking instead of the label
# - annotation+label : Also uses an annotation for tracking, but additionally labels the resource with the application name
application.resourceTrackingMethod: annotation
# disables admin user. Admin is enabled by default
admin.enabled: "false"
# add an additional local user with apiKey and login capabilities
# apiKey - allows generating API keys
# login - allows to login using UI
accounts.alice: apiKey, login
# disables user. User is enabled by default
accounts.alice.enabled: "false"
# The location of optional user-defined CSS that is loaded at runtime.
# Local CSS Files:
# - If the supplied path is to a file mounted on the argocd-server container, that file should be mounted
# within a subdirectory of the existing "/shared/app" directory (e.g. "/shared/app/custom"). Otherwise,
# the file will likely fail to be imported by the browser with an "incorrect MIME type" error.
# - The path should be specified relative to the "/shared/app" directory; not as an absolute path.
# Remote CSS Files:
# - Files may also be loaded from remote locations via fully qualified URLs.
ui.cssurl: "./custom/my-styles.css"
# An optional user-defined banner message that's displayed at the top of every UI page.
# Every time this is updated, it will clear a user's localStorage telling the UI to hide the banner forever.
ui.bannercontent: "Hello there!"
# Optional link for banner. If set, the entire banner text will become a link.
# You can have bannercontent without a bannerurl, but not the other way around.
ui.bannerurl: "https://argoproj.github.io"
# Uncomment to make the banner not show the close buttons, thereby making the banner permanent.
# Because it is permanent, only one line of text is available to not take up too much real estate in the UI,
# so it is recommended that the length of the bannercontent text is kept reasonably short. Note that you can
# have either a permanent banner or a regular closeable banner, and NOT both. eg. A user can't dismiss a
# notification message (closeable) banner, to then immediately see a permanent banner.
# ui.bannerpermanent: "true"
# An option to specify the position of the banner, either the top or bottom of the page, or both. The valid values
# are: "top", "bottom" and "both". The default (if the option is not provided), is "top". If "both" is specified, then
# the content appears both at the top and the bottom of the page. Uncomment the following line to make the banner appear
# at the bottom of the page. Change the value as needed.
# ui.bannerposition: "bottom"
# Application reconciliation timeout is the max amount of time required to discover if a new manifests version got
# published to the repository. Reconciliation by timeout is disabled if timeout is set to 0. Three minutes by default.
# > Note: argocd-repo-server deployment must be manually restarted after changing the setting.
timeout.reconciliation: 180s
# With a large number of applications, the periodic refresh for each application can cause a spike in the refresh queue
# and can cause a spike in the repo-server component. To avoid this, you can set a jitter to the sync timeout, which will
# spread out the refreshes and give time to the repo-server to catch up. The jitter is the maximum duration that can be
# added to the sync timeout. So, if the sync timeout is 3 minutes and the jitter is 1 minute, then the actual timeout will
# be between 3 and 4 minutes. Disabled when the value is 0, defaults to 0.
timeout.reconciliation.jitter: 0
# cluster.inClusterEnabled indicates whether to allow in-cluster server address. This is enabled by default.
cluster.inClusterEnabled: "true"
# Application pod logs RBAC enforcement enables control over who can and who can't view application pod logs.
# When you enable the switch, pod logs will be visible only to admin role by default. Other roles/users will not be able to view them via cli and UI.
# When you enable the switch, viewing pod logs for other roles/users will require explicit RBAC allow policies (allow get on logs subresource).
# When you disable the switch (either add it to the configmap with a "false" value or do not add it to the configmap), no actual RBAC enforcement will take place.
server.rbac.log.enforce.enable: "false"
# exec.enabled indicates whether the UI exec feature is enabled. It is disabled by default.
exec.enabled: "false"
# exec.shells restricts which shells are allowed for `exec`, and in which order they are attempted
exec.shells: "bash,sh,powershell,cmd"
# oidc.tls.insecure.skip.verify determines whether certificate verification is skipped when verifying tokens with the
# configured OIDC provider (either external or the bundled Dex instance). Setting this to "true" will cause JWT
# token verification to pass despite the OIDC provider having an invalid certificate. Only set to "true" if you
# understand the risks.
oidc.tls.insecure.skip.verify: "false"
# Add Deep Links to ArgoCD UI
# sample project level links
project.links: |
- url: https://myaudit-system.com?project={{.metadata.name}}
title: Audit
description: system audit logs
icon.class: "fa-book"
# sample application level links
application.links: |
# pkg.go.dev/text/template is used for evaluating url templates
- url: https://mycompany.splunk.com?search={{.spec.destination.namespace}}
title: Splunk
# conditionally show link e.g. for specific project
# github.com/antonmedv/expr is used for evaluation of conditions
- url: https://mycompany.splunk.com?search={{.spec.destination.namespace}}
title: Splunk
if: spec.project == "default"
- url: https://{{.metadata.annotations.splunkhost}}?search={{.spec.destination.namespace}}
title: Splunk
if: metadata.annotations.splunkhost
# sample resource level links
resource.links: |
- url: https://mycompany.splunk.com?search={{.metadata.namespace}}
title: Splunk
if: kind == "Pod" || kind == "Deployment"
extension.config: |
extensions:
# Name defines the endpoint that will be used to register
# the extension route.
# Mandatory field.
- name: some-extension
backend:
# ConnectionTimeout is the maximum amount of time a dial to
# the extension server will wait for a connect to complete.
# Optional field. Default: 2 seconds
connectionTimeout: 2s
# KeepAlive specifies the interval between keep-alive probes
# for an active network connection between the API server and
# the extension server.
# Optional field. Default: 15 seconds
keepAlive: 15s
# IdleConnectionTimeout is the maximum amount of time an idle
# (keep-alive) connection between the API server and the extension
# server will remain idle before closing itself.
# Optional field. Default: 60 seconds
idleConnectionTimeout: 60s
# MaxIdleConnections controls the maximum number of idle (keep-alive)
# connections between the API server and the extension server.
# Optional field. Default: 30
maxIdleConnections: 30
services:
# URL is the address where the extension backend must be available.
# Mandatory field.
- url: http://httpbin.org
# Cluster if provided, will have to match the application
# destination name or the destination server to have requests
# properly forwarded to this service URL.
# Optional field if only one service is specified.
# Mandatory if multiple services are specified.
cluster:
name: some-cluster
server: https://some-cluster