chore: Update manifests after change

2025-12-04 21:29:28 +00:00
parent d008c08479
commit 2654baa2c5
2100 changed files with 365994 additions and 380674 deletions


@@ -0,0 +1,25 @@
---
# Source: argocd/charts/argo-cd/templates/argocd-application-controller/clusterrole.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: argocd-application-controller
labels:
helm.sh/chart: argo-cd-9.1.5
app.kubernetes.io/name: argocd-application-controller
app.kubernetes.io/instance: argocd
app.kubernetes.io/component: application-controller
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: "v3.2.1"
rules:
- apiGroups:
- '*'
resources:
- '*'
verbs:
- '*'
- nonResourceURLs:
- '*'
verbs:
- '*'
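Review bot: The two wildcard rules in this ClusterRole (`apiGroups`, `resources` and `verbs` all `'*'`, plus `nonResourceURLs: '*'`) make the argocd-application-controller service account equivalent to cluster-admin, and nothing in the manifest records that this is intended. The argocd-server ClusterRole later in this commit has a similar shape: `get`, `patch` and `delete` on `'*'` resources, which includes reading every Secret in the cluster from the component that serves the UI and API. If Argo CD only manages a known set of namespaces, consider turning the chart's cluster roles off (the `createClusterRoles` value, to be confirmed against chart 9.1.5) and binding namespaced Roles instead; otherwise add a comment in the values file such as `# controller is cluster-admin by design; treat the argocd namespace as a tier-0 trust boundary`. These files are rendered from Helm, so the change belongs in the values rather than in this manifest.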


@@ -0,0 +1,50 @@
---
# Source: argocd/charts/argo-cd/templates/argocd-notifications/clusterrole.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: argocd-notifications-controller
labels:
helm.sh/chart: argo-cd-9.1.5
app.kubernetes.io/name: argocd-notifications-controller
app.kubernetes.io/instance: argocd
app.kubernetes.io/component: notifications-controller
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: "v3.2.1"
rules:
- apiGroups:
- argoproj.io
resources:
- applications
- appprojects
verbs:
- get
- list
- watch
- update
- patch
- apiGroups:
- ""
resources:
- configmaps
- secrets
verbs:
- list
- watch
- apiGroups:
- ""
resourceNames:
- argocd-notifications-cm
resources:
- configmaps
verbs:
- get
- apiGroups:
- ""
resourceNames:
- argocd-notifications-secret
resources:
- secrets
verbs:
- get
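Review bot: The second rule grants `list` and `watch` on `secrets` in the core group with no `resourceNames`, and the role is bound cluster-wide by the argocd-notifications-controller ClusterRoleBinding in this commit, so the controller can read the contents of every Secret in every namespace (a `list` response carries the full objects). That makes the narrowly scoped `get` on `argocd-notifications-secret` at the end of the hunk redundant as a restriction. If notifications only need configuration from the `argocd` namespace, a namespaced Role with the same rules would cover it; this is rendered chart output, so check whether the chart exposes a switch for that before patching the manifest by hand.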


@@ -0,0 +1,59 @@
---
# Source: argocd/charts/argo-cd/templates/argocd-server/clusterrole.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: argocd-server
labels:
helm.sh/chart: argo-cd-9.1.5
app.kubernetes.io/name: argocd-server
app.kubernetes.io/instance: argocd
app.kubernetes.io/component: server
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: "v3.2.1"
rules:
- apiGroups:
- '*'
resources:
- '*'
verbs:
- delete # supports deletion a live object in UI
- get # supports viewing live object manifest in UI
- patch # supports `argocd app patch`
- apiGroups:
- ""
resources:
- events
verbs:
- list # supports listing events in UI
- create
- apiGroups:
- ""
resources:
- pods
- pods/log
verbs:
- get # supports viewing pod logs from UI
- apiGroups:
- argoproj.io
resources:
- applications
- applicationsets
verbs:
- get
- list
- update
- watch
- apiGroups:
- batch
resources:
- jobs
verbs:
- create
- apiGroups:
- argoproj.io
resources:
- workflows
verbs:
- create


@@ -0,0 +1,22 @@
---
# Source: argocd/charts/argo-cd/templates/argocd-application-controller/clusterrolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: argocd-application-controller
labels:
helm.sh/chart: argo-cd-9.1.5
app.kubernetes.io/name: argocd-application-controller
app.kubernetes.io/instance: argocd
app.kubernetes.io/component: application-controller
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: "v3.2.1"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: argocd-application-controller
subjects:
- kind: ServiceAccount
name: argocd-application-controller
namespace: argocd


@@ -0,0 +1,22 @@
---
# Source: argocd/charts/argo-cd/templates/argocd-notifications/clusterrolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: argocd-notifications-controller
labels:
helm.sh/chart: argo-cd-9.1.5
app.kubernetes.io/name: argocd-notifications-controller
app.kubernetes.io/instance: argocd
app.kubernetes.io/component: notifications-controller
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: "v3.2.1"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: argocd-notifications-controller
subjects:
- kind: ServiceAccount
name: argocd-notifications-controller
namespace: argocd


@@ -0,0 +1,22 @@
---
# Source: argocd/charts/argo-cd/templates/argocd-server/clusterrolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: argocd-server
labels:
helm.sh/chart: argo-cd-9.1.5
app.kubernetes.io/name: argocd-server
app.kubernetes.io/instance: argocd
app.kubernetes.io/component: server
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: "v3.2.1"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: argocd-server
subjects:
- kind: ServiceAccount
name: argocd-server
namespace: argocd


@@ -0,0 +1,133 @@
---
# Source: argocd/charts/argo-cd/templates/argocd-configs/argocd-cm.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: argocd-cm
namespace: argocd
labels:
helm.sh/chart: argo-cd-9.1.5
app.kubernetes.io/name: argocd-cm
app.kubernetes.io/instance: argocd
app.kubernetes.io/component: server
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: "v3.2.1"
data:
admin.enabled: "true"
application.instanceLabelKey: argocd.argoproj.io/instance
application.sync.impersonation.enabled: "false"
dex.config: |
connectors:
- config:
issuer: https://authentik.alexlebens.net/application/o/argocd/
clientID: $argocd-oidc-secret:client
clientSecret: $argocd-oidc-secret:secret
insecureEnableGroups: true
scopes:
- openid
- profile
- email
name: authentik
type: oidc
id: authentik
exec.enabled: "false"
resource.customizations.ignoreResourceUpdates.ConfigMap: |
jqPathExpressions:
# Ignore the cluster-autoscaler status
- '.metadata.annotations."cluster-autoscaler.kubernetes.io/last-updated"'
# Ignore the annotation of the legacy Leases election
- '.metadata.annotations."control-plane.alpha.kubernetes.io/leader"'
resource.customizations.ignoreResourceUpdates.Endpoints: |
jsonPointers:
- /metadata
- /subsets
resource.customizations.ignoreResourceUpdates.all: |
jsonPointers:
- /status
resource.customizations.ignoreResourceUpdates.apps_ReplicaSet: |
jqPathExpressions:
- '.metadata.annotations."deployment.kubernetes.io/desired-replicas"'
- '.metadata.annotations."deployment.kubernetes.io/max-replicas"'
- '.metadata.annotations."rollout.argoproj.io/desired-replicas"'
resource.customizations.ignoreResourceUpdates.argoproj.io_Application: |
jqPathExpressions:
- '.metadata.annotations."notified.notifications.argoproj.io"'
- '.metadata.annotations."argocd.argoproj.io/refresh"'
- '.metadata.annotations."argocd.argoproj.io/hydrate"'
- '.operation'
resource.customizations.ignoreResourceUpdates.argoproj.io_Rollout: |
jqPathExpressions:
- '.metadata.annotations."notified.notifications.argoproj.io"'
resource.customizations.ignoreResourceUpdates.autoscaling_HorizontalPodAutoscaler: |
jqPathExpressions:
- '.metadata.annotations."autoscaling.alpha.kubernetes.io/behavior"'
- '.metadata.annotations."autoscaling.alpha.kubernetes.io/conditions"'
- '.metadata.annotations."autoscaling.alpha.kubernetes.io/metrics"'
- '.metadata.annotations."autoscaling.alpha.kubernetes.io/current-metrics"'
resource.customizations.ignoreResourceUpdates.discovery.k8s.io_EndpointSlice: |
jsonPointers:
- /metadata
- /endpoints
- /ports
resource.exclusions: |
### Network resources created by the Kubernetes control plane and excluded to reduce the number of watched events and UI clutter
- apiGroups:
- ''
- discovery.k8s.io
kinds:
- Endpoints
- EndpointSlice
### Internal Kubernetes resources excluded reduce the number of watched events
- apiGroups:
- coordination.k8s.io
kinds:
- Lease
### Internal Kubernetes Authz/Authn resources excluded reduce the number of watched events
- apiGroups:
- authentication.k8s.io
- authorization.k8s.io
kinds:
- SelfSubjectReview
- TokenReview
- LocalSubjectAccessReview
- SelfSubjectAccessReview
- SelfSubjectRulesReview
- SubjectAccessReview
### Intermediate Certificate Request excluded reduce the number of watched events
- apiGroups:
- certificates.k8s.io
kinds:
- CertificateSigningRequest
- apiGroups:
- cert-manager.io
kinds:
- CertificateRequest
### Cilium internal resources excluded reduce the number of watched events and UI Clutter
- apiGroups:
- cilium.io
kinds:
- CiliumIdentity
- CiliumEndpoint
- CiliumEndpointSlice
### Kyverno intermediate and reporting resources excluded reduce the number of watched events and improve performance
- apiGroups:
- kyverno.io
- reports.kyverno.io
- wgpolicyk8s.io
kinds:
- PolicyReport
- ClusterPolicyReport
- EphemeralReport
- ClusterEphemeralReport
- AdmissionReport
- ClusterAdmissionReport
- BackgroundScanReport
- ClusterBackgroundScanReport
- UpdateRequest
statusbadge.enabled: "true"
statusbadge.url: https://argocd.alexlebens.net/
timeout.hard.reconciliation: 0s
timeout.reconciliation: 100s
timeout.reconciliation.jitter: 60s
url: https://argocd.alexlebens.net
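Review bot: `admin.enabled: "true"` leaves the built-in local admin account active even though `dex.config` already wires login through the authentik OIDC connector, so a password-based superuser remains beside SSO. Once the OIDC login and the `ArgoCD Admins` group mapping are confirmed working, set `admin.enabled: "false"` in the chart values. `statusbadge.enabled: "true"` also deserves a comment in the values, since the badge endpoint answers without authentication and returns health and sync state for any application name a caller supplies.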


@@ -0,0 +1,37 @@
---
# Source: argocd/charts/argo-cd/templates/argocd-configs/argocd-cmd-params-cm.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: argocd-cmd-params-cm
namespace: argocd
labels:
helm.sh/chart: argo-cd-9.1.5
app.kubernetes.io/name: argocd-cmd-params-cm
app.kubernetes.io/instance: argocd
app.kubernetes.io/component: server
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: "v3.2.1"
data:
applicationsetcontroller.enable.leader.election: "true"
applicationsetcontroller.log.format: text
applicationsetcontroller.log.level: info
commitserver.log.format: text
commitserver.log.level: info
controller.log.format: text
controller.log.level: info
dexserver.log.format: text
dexserver.log.level: info
notificationscontroller.log.format: text
notificationscontroller.log.level: info
redis.server: argocd-redis-ha-haproxy:6379
repo.server: argocd-repo-server:8081
reposerver.log.format: text
reposerver.log.level: info
server.dex.server: https://argocd-dex-server:5556
server.dex.server.strict.tls: "false"
server.insecure: "true"
server.log.format: text
server.log.level: info
server.repo.server.strict.tls: "false"
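Review bot: `server.insecure: "true"` makes argocd-server serve plain HTTP, so session tokens and the OIDC callback travel unencrypted between whatever terminates TLS and the pod; the manifest does not show where that termination happens. Together with `server.dex.server.strict.tls: "false"` and `server.repo.server.strict.tls: "false"`, the server also does not verify the certificates presented by Dex or the repo-server. If an ingress terminates TLS, say so next to the value in the chart values, e.g. `# TLS terminated at ingress; ingress-to-pod traffic is cleartext`, and consider enabling the two strict-TLS settings once the internal certificates come from a CA the server trusts.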


@@ -0,0 +1,35 @@
---
# Source: argocd/charts/argo-cd/templates/argocd-configs/argocd-cmp-cm.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: argocd-cmp-cm
namespace: argocd
labels:
helm.sh/chart: argo-cd-9.1.5
app.kubernetes.io/name: argocd-cmp-cm
app.kubernetes.io/instance: argocd
app.kubernetes.io/component: repo-server
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: "v3.2.1"
data:
cdk8s.yaml: |
apiVersion: argoproj.io/v1alpha1
kind: ConfigManagementPlugin
metadata:
name: cdk8s
spec:
discover:
fileName: '*.go'
generate:
args:
- --stdout
command:
- cdk8s
- synth
init:
args:
- import
command:
- cdk8s
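Review bot: The `discover` glob `fileName: '*.go'` matches any application source that has a Go file in its root, and the plugin then runs `cdk8s import` and `cdk8s synth` against it, which presumably executes code from that repository in the plugin's container. Only sources from trusted repositories should be able to reach this plugin; a narrower marker such as `fileName: 'cdk8s.yaml'` would keep unrelated Go repositories from being picked up automatically. The container that runs the plugin is defined outside this hunk, so its privileges and mounted credentials cannot be checked here.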


@@ -0,0 +1,14 @@
---
# Source: argocd/charts/argo-cd/templates/argocd-configs/argocd-gpg-keys-cm.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: argocd-gpg-keys-cm
namespace: argocd
labels:
helm.sh/chart: argo-cd-9.1.5
app.kubernetes.io/name: argocd-gpg-keys-cm
app.kubernetes.io/instance: argocd
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: "v3.2.1"


@@ -0,0 +1,183 @@
---
# Source: argocd/charts/argo-cd/templates/argocd-configs/argocd-notifications-cm.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: argocd-notifications-cm
namespace: argocd
labels:
helm.sh/chart: argo-cd-9.1.5
app.kubernetes.io/name: argocd-notifications-controller
app.kubernetes.io/instance: argocd
app.kubernetes.io/component: notifications-controller
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: "v3.2.1"
data:
context: |
argocdUrl: https://argocd.example.com
argocdUrl: https://argocd.alexlebens.net
service.webhook.ntfy: |
url: http://ntfy.ntfy/
headers:
- name: Authorization
value: Bearer $ntfy-token
subscriptions: |
- recipients:
- ntfy
triggers:
- on-created
- on-deleted
- on-deployed
- on-health-degraded
- on-sync-failed
- on-sync-running
- on-sync-status-unknown
- on-sync-succeeded
template.app-created: |
webhook:
ntfy:
method: POST
body: |
{
"topic": "argocd",
"message": "{{.app.metadata.name}} has been created.",
"title": "Created: {{.app.metadata.name}}",
"tags": ["building_construction"],
"priority": 4,
"click": "{{.context.argocdUrl}}/applications/argocd/{{.app.metadata.name}}"
}
template.app-deleted: |
webhook:
ntfy:
method: POST
body: |
{
"topic": "argocd",
"message": "{{.app.metadata.name}} has been deleted",
"title": "Deleted: {{.app.metadata.name}}",
"tags": ["warning"],
"priority": 4,
"click": "{{.context.argocdUrl}}"
}
template.app-deployed: |
webhook:
ntfy:
method: POST
body: |
{
"topic": "argocd",
"message": "{{.app.metadata.name}} is now running new version of deployments manifests",
"title": "Deployed: {{.app.metadata.name}}",
"tags": ["+1"],
"priority": 3,
"click": "{{.context.argocdUrl}}/applications/argocd/{{.app.metadata.name}}"
}
template.app-health-degraded: |
webhook:
ntfy:
method: POST
body: |
{
"topic": "argocd",
"message": "{{.app.metadata.name}} health has degraded",
"title": "Degraded: {{.app.metadata.name}}",
"tags": ["rotating_light"],
"priority": 4,
"click": "{{.context.argocdUrl}}/applications/argocd/{{.app.metadata.name}}"
}
template.app-sync-failed: |
webhook:
ntfy:
method: POST
body: |
{
"topic": "argocd",
"message": "{{.app.metadata.name}} sync has failed at {{.app.status.operationState.finishedAt}} with the following error: {{.app.status.operationState.message}}",
"title": "Sync Failed: {{.app.metadata.name}}",
"tags": ["rotating_light"],
"priority": 4,
"click": "{{.context.argocdUrl}}/applications/{{.app.metadata.name}}?operation=true"
}
template.app-sync-running: |
webhook:
ntfy:
method: POST
body: |
{
"topic": "argocd",
"message": "{{.app.metadata.name}} sync has started at {{.app.status.operationState.startedAt}}",
"title": "Sync Running: {{.app.metadata.name}}",
"tags": ["runner"],
"priority": 3,
"click": "{{.context.argocdUrl}}/applications/{{.app.metadata.name}}?operation=true"
}
template.app-sync-status-unknown: |
webhook:
ntfy:
method: POST
body: |
{
"topic": "argocd",
"message": "{{.app.metadata.name}} sync status is unknown",
"title": "Sync Unknown: {{.app.metadata.name}}",
"tags": ["question"],
"priority": 3,
"click": "{{.context.argocdUrl}}/applications/{{.app.metadata.name}}"
}
template.app-sync-succeeded: |
webhook:
ntfy:
method: POST
body: |
{
"topic": "argocd",
"message": "{{.app.metadata.name}} has been successfully synced at {{.app.status.operationState.finishedAt}}",
"title": "Sync Succeeded: {{.app.metadata.name}}",
"tags": ["+1"],
"priority": 3,
"click": "{{.context.argocdUrl}}/applications/{{.app.metadata.name}}?operation=true"
}
trigger.on-created: |
- description: Application {{.app.metadata.name}} has been created.
oncePer: app.metadata.name
send:
- app-created
when: "true"
trigger.on-deleted: |
- description: Application {{.app.metadata.name}} has been deleted.
oncePer: app.metadata.name
send:
- app-deleted
when: app.metadata.deletionTimestamp != nil
trigger.on-deployed: |
- description: Application is synced and healthy. Triggered once per commit.
oncePer: app.status.operationState.syncResult.revision
send:
- app-deployed
when: app.status.operationState.phase in ['Succeeded'] and app.status.health.status == 'Healthy'
trigger.on-health-degraded: |
- description: Application has degraded
send:
- app-health-degraded
when: app.status.health.status == 'Degraded' and time.Now().Sub(time.Parse(app.status.health.lastTransitionTime).Minutes() >= 15
trigger.on-sync-failed: |
- description: Application syncing has failed
send:
- app-sync-failed
when: app.status.operationState.phase in ['Error', 'Failed']
trigger.on-sync-running: |
- description: Application is being synced
send:
- app-sync-running
when: app.status.operationState.phase in ['Running']
trigger.on-sync-status-unknown: |
- description: Application status is 'Unknown'
send:
- app-sync-status-unknown
when: app.status.sync.status == 'Unknown'
trigger.on-sync-succeeded: |
- description: Application syncing has succeeded
send:
- app-sync-succeeded
when: app.status.operationState.phase in ['Succeeded']
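Review bot: The `when` expression of `trigger.on-health-degraded` has an unbalanced parenthesis: `time.Now().Sub(time.Parse(app.status.health.lastTransitionTime).Minutes() >= 15` never closes the `Sub(` call, so the trigger will most likely fail to compile and degraded-health alerts will not be sent; it should read `time.Now().Sub(time.Parse(app.status.health.lastTransitionTime)).Minutes() >= 15`. The `context` block also defines `argocdUrl` twice (`https://argocd.example.com`, then `https://argocd.alexlebens.net`); duplicate keys are invalid YAML and which one wins depends on the parser, so drop the example.com line in the values. Separately, `service.webhook.ntfy` sends `Authorization: Bearer $ntfy-token` to `http://ntfy.ntfy/` over plain HTTP, which exposes the token to anything that can observe in-cluster traffic.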


@@ -0,0 +1,21 @@
---
# Source: argocd/charts/argo-cd/templates/argocd-configs/argocd-rbac-cm.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: argocd-rbac-cm
namespace: argocd
labels:
helm.sh/chart: argo-cd-9.1.5
app.kubernetes.io/name: argocd-rbac-cm
app.kubernetes.io/instance: argocd
app.kubernetes.io/component: server
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: "v3.2.1"
data:
policy.csv: |
g, ArgoCD Admins, role:admin
policy.default: ""
policy.matchMode: glob
scopes: '[groups]'


@@ -0,0 +1,743 @@
---
# Source: argocd/charts/argo-cd/charts/redis-ha/templates/redis-ha-configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: argocd-redis-ha-configmap
namespace: "argocd"
labels:
heritage: Helm
release: argocd
chart: redis-ha-4.34.11
app: argocd-redis-ha
data:
redis.conf: |
dir "/data"
port 6379
rename-command FLUSHDB ""
rename-command FLUSHALL ""
maxmemory 0
maxmemory-policy volatile-lru
min-replicas-max-lag 5
min-replicas-to-write 1
rdbchecksum yes
rdbcompression yes
repl-diskless-sync yes
save ""
sentinel.conf: |
dir "/data"
port 26379
sentinel down-after-milliseconds argocd 10000
sentinel failover-timeout argocd 180000
maxclients 10000
sentinel parallel-syncs argocd 5
init.sh: |
echo "$(date) Start..."
HOSTNAME="$(hostname)"
INDEX="${HOSTNAME##*-}"
SENTINEL_PORT=26379
ANNOUNCE_IP=''
MASTER=''
MASTER_GROUP="argocd"
QUORUM="2"
REDIS_CONF=/data/conf/redis.conf
REDIS_PORT=6379
REDIS_TLS_PORT=
SENTINEL_CONF=/data/conf/sentinel.conf
SENTINEL_TLS_PORT=
SERVICE=argocd-redis-ha
SENTINEL_TLS_REPLICATION_ENABLED=false
REDIS_TLS_REPLICATION_ENABLED=false
set -eu
sentinel_get_master() {
set +e
if [ "$SENTINEL_PORT" -eq 0 ]; then
redis-cli -h "${SERVICE}" -p "${SENTINEL_TLS_PORT}" --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key sentinel get-master-addr-by-name "${MASTER_GROUP}" |\
grep -E '((^\s*((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]))\s*$)|(^\s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?s*$))'
else
redis-cli -h "${SERVICE}" -p "${SENTINEL_PORT}" sentinel get-master-addr-by-name "${MASTER_GROUP}" |\
grep -E '((^\s*((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]))\s*$)|(^\s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?s*$))'
fi
set -e
}
sentinel_get_master_retry() {
master=''
retry=${1}
sleep=3
for i in $(seq 1 "${retry}"); do
master=$(sentinel_get_master)
if [ -n "${master}" ]; then
break
fi
sleep $((sleep + i))
done
echo "${master}"
}
identify_master() {
echo "Identifying redis master (get-master-addr-by-name).."
echo " using sentinel (argocd-redis-ha), sentinel group name (argocd)"
MASTER="$(sentinel_get_master_retry 3)"
if [ -n "${MASTER}" ]; then
echo " $(date) Found redis master (${MASTER})"
else
echo " $(date) Did not find redis master (${MASTER})"
fi
}
sentinel_update() {
echo "Updating sentinel config.."
echo " evaluating sentinel id (\${SENTINEL_ID_${INDEX}})"
eval MY_SENTINEL_ID="\$SENTINEL_ID_${INDEX}"
echo " sentinel id (${MY_SENTINEL_ID}), sentinel grp (${MASTER_GROUP}), quorum (${QUORUM})"
sed -i "1s/^/sentinel myid ${MY_SENTINEL_ID}\\n/" "${SENTINEL_CONF}"
if [ "$SENTINEL_TLS_REPLICATION_ENABLED" = true ]; then
echo " redis master (${1}:${REDIS_TLS_PORT})"
sed -i "2s/^/sentinel monitor ${MASTER_GROUP} ${1} ${REDIS_TLS_PORT} ${QUORUM} \\n/" "${SENTINEL_CONF}"
else
echo " redis master (${1}:${REDIS_PORT})"
sed -i "2s/^/sentinel monitor ${MASTER_GROUP} ${1} ${REDIS_PORT} ${QUORUM} \\n/" "${SENTINEL_CONF}"
fi
echo "sentinel announce-ip ${ANNOUNCE_IP}" >> ${SENTINEL_CONF}
if [ "$SENTINEL_PORT" -eq 0 ]; then
echo " announce (${ANNOUNCE_IP}:${SENTINEL_TLS_PORT})"
echo "sentinel announce-port ${SENTINEL_TLS_PORT}" >> ${SENTINEL_CONF}
else
echo " announce (${ANNOUNCE_IP}:${SENTINEL_PORT})"
echo "sentinel announce-port ${SENTINEL_PORT}" >> ${SENTINEL_CONF}
fi
}
redis_update() {
echo "Updating redis config.."
if [ "$REDIS_TLS_REPLICATION_ENABLED" = true ]; then
echo " we are slave of redis master (${1}:${REDIS_TLS_PORT})"
echo "slaveof ${1} ${REDIS_TLS_PORT}" >> "${REDIS_CONF}"
echo "slave-announce-port ${REDIS_TLS_PORT}" >> ${REDIS_CONF}
else
echo " we are slave of redis master (${1}:${REDIS_PORT})"
echo "slaveof ${1} ${REDIS_PORT}" >> "${REDIS_CONF}"
echo "slave-announce-port ${REDIS_PORT}" >> ${REDIS_CONF}
fi
echo "slave-announce-ip ${ANNOUNCE_IP}" >> ${REDIS_CONF}
}
copy_config() {
echo "Copying default redis config.."
echo " to '${REDIS_CONF}'"
cp /readonly-config/redis.conf "${REDIS_CONF}"
echo "Copying default sentinel config.."
echo " to '${SENTINEL_CONF}'"
cp /readonly-config/sentinel.conf "${SENTINEL_CONF}"
}
setup_defaults() {
echo "Setting up defaults.."
echo " using statefulset index (${INDEX})"
if [ "${INDEX}" = "0" ]; then
echo "Setting this pod as master for redis and sentinel.."
echo " using announce (${ANNOUNCE_IP})"
redis_update "${ANNOUNCE_IP}"
sentinel_update "${ANNOUNCE_IP}"
echo " make sure ${ANNOUNCE_IP} is not a slave (slaveof no one)"
sed -i "s/^.*slaveof.*//" "${REDIS_CONF}"
else
echo "Getting redis master ip.."
echo " blindly assuming (${SERVICE}-announce-0) or (${SERVICE}-server-0) are master"
DEFAULT_MASTER="$(getent_hosts 0 | awk '{ print $1 }')"
if [ -z "${DEFAULT_MASTER}" ]; then
echo "Error: Unable to resolve redis master (getent hosts)."
exit 1
fi
echo " identified redis (may be redis master) ip (${DEFAULT_MASTER})"
echo "Setting default slave config for redis and sentinel.."
echo " using master ip (${DEFAULT_MASTER})"
redis_update "${DEFAULT_MASTER}"
sentinel_update "${DEFAULT_MASTER}"
fi
}
redis_ping() {
set +e
if [ "$REDIS_PORT" -eq 0 ]; then
redis-cli -h "${MASTER}" -p "${REDIS_TLS_PORT}" --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key ping
else
redis-cli -h "${MASTER}" -p "${REDIS_PORT}" ping
fi
set -e
}
redis_ping_retry() {
ping=''
retry=${1}
sleep=3
for i in $(seq 1 "${retry}"); do
if [ "$(redis_ping)" = "PONG" ]; then
ping='PONG'
break
fi
sleep $((sleep + i))
MASTER=$(sentinel_get_master)
done
echo "${ping}"
}
find_master() {
echo "Verifying redis master.."
if [ "$REDIS_PORT" -eq 0 ]; then
echo " ping (${MASTER}:${REDIS_TLS_PORT})"
else
echo " ping (${MASTER}:${REDIS_PORT})"
fi
if [ "$(redis_ping_retry 3)" != "PONG" ]; then
echo " $(date) Can't ping redis master (${MASTER})"
echo "Attempting to force failover (sentinel failover).."
if [ "$SENTINEL_PORT" -eq 0 ]; then
echo " on sentinel (${SERVICE}:${SENTINEL_TLS_PORT}), sentinel grp (${MASTER_GROUP})"
if redis-cli -h "${SERVICE}" -p "${SENTINEL_TLS_PORT}" --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key sentinel failover "${MASTER_GROUP}" | grep -q 'NOGOODSLAVE' ; then
echo " $(date) Failover returned with 'NOGOODSLAVE'"
echo "Setting defaults for this pod.."
setup_defaults
return 0
fi
else
echo " on sentinel (${SERVICE}:${SENTINEL_PORT}), sentinel grp (${MASTER_GROUP})"
if redis-cli -h "${SERVICE}" -p "${SENTINEL_PORT}" sentinel failover "${MASTER_GROUP}" | grep -q 'NOGOODSLAVE' ; then
echo " $(date) Failover returned with 'NOGOODSLAVE'"
echo "Setting defaults for this pod.."
setup_defaults
return 0
fi
fi
echo "Hold on for 10sec"
sleep 10
echo "We should get redis master's ip now. Asking (get-master-addr-by-name).."
if [ "$SENTINEL_PORT" -eq 0 ]; then
echo " sentinel (${SERVICE}:${SENTINEL_TLS_PORT}), sentinel grp (${MASTER_GROUP})"
else
echo " sentinel (${SERVICE}:${SENTINEL_PORT}), sentinel grp (${MASTER_GROUP})"
fi
MASTER="$(sentinel_get_master)"
if [ "${MASTER}" ]; then
echo " $(date) Found redis master (${MASTER})"
echo "Updating redis and sentinel config.."
sentinel_update "${MASTER}"
redis_update "${MASTER}"
else
echo "$(date) Error: Could not failover, exiting..."
exit 1
fi
else
echo " $(date) Found reachable redis master (${MASTER})"
echo "Updating redis and sentinel config.."
sentinel_update "${MASTER}"
redis_update "${MASTER}"
fi
}
redis_ro_update() {
echo "Updating read-only redis config.."
echo " redis.conf set 'replica-priority 0'"
echo "replica-priority 0" >> ${REDIS_CONF}
}
getent_hosts() {
index=${1:-${INDEX}}
service="${SERVICE}-announce-${index}"
host=$(getent hosts "${service}")
echo "${host}"
}
identify_announce_ip() {
echo "Identify announce ip for this pod.."
echo " using (${SERVICE}-announce-${INDEX}) or (${SERVICE}-server-${INDEX})"
ANNOUNCE_IP=$(getent_hosts | awk '{ print $1 }')
echo " identified announce (${ANNOUNCE_IP})"
}
mkdir -p /data/conf/
echo "Initializing config.."
copy_config
# where is redis master
identify_master
identify_announce_ip
if [ -z "${ANNOUNCE_IP}" ]; then
"Error: Could not resolve the announce ip for this pod"
exit 1
elif [ "${MASTER}" ]; then
find_master
else
setup_defaults
fi
if [ "${AUTH:-}" ]; then
echo "Setting redis auth values.."
ESCAPED_AUTH=$(echo "${AUTH}" | sed -e 's/[\/&]/\\&/g');
sed -i "s/replace-default-auth/${ESCAPED_AUTH}/" "${REDIS_CONF}" "${SENTINEL_CONF}"
fi
if [ "${SENTINELAUTH:-}" ]; then
echo "Setting sentinel auth values"
ESCAPED_AUTH_SENTINEL=$(echo "$SENTINELAUTH" | sed -e 's/[\/&]/\\&/g');
sed -i "s/replace-default-sentinel-auth/${ESCAPED_AUTH_SENTINEL}/" "$SENTINEL_CONF"
fi
echo "$(date) Ready..."
fix-split-brain.sh: |
HOSTNAME="$(hostname)"
INDEX="${HOSTNAME##*-}"
SENTINEL_PORT=26379
ANNOUNCE_IP=''
MASTER=''
MASTER_GROUP="argocd"
QUORUM="2"
REDIS_CONF=/data/conf/redis.conf
REDIS_PORT=6379
REDIS_TLS_PORT=
SENTINEL_CONF=/data/conf/sentinel.conf
SENTINEL_TLS_PORT=
SERVICE=argocd-redis-ha
SENTINEL_TLS_REPLICATION_ENABLED=false
REDIS_TLS_REPLICATION_ENABLED=false
ROLE=''
REDIS_MASTER=''
set -eu
sentinel_get_master() {
set +e
if [ "$SENTINEL_PORT" -eq 0 ]; then
redis-cli -h "${SERVICE}" -p "${SENTINEL_TLS_PORT}" --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key sentinel get-master-addr-by-name "${MASTER_GROUP}" |\
grep -E '((^\s*((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]))\s*$)|(^\s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?s*$))'
else
redis-cli -h "${SERVICE}" -p "${SENTINEL_PORT}" sentinel get-master-addr-by-name "${MASTER_GROUP}" |\
grep -E '((^\s*((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]))\s*$)|(^\s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?s*$))'
fi
set -e
}
sentinel_get_master_retry() {
master=''
retry=${1}
sleep=3
for i in $(seq 1 "${retry}"); do
master=$(sentinel_get_master)
if [ -n "${master}" ]; then
break
fi
sleep $((sleep + i))
done
echo "${master}"
}
identify_master() {
echo "Identifying redis master (get-master-addr-by-name).."
echo " using sentinel (argocd-redis-ha), sentinel group name (argocd)"
MASTER="$(sentinel_get_master_retry 3)"
if [ -n "${MASTER}" ]; then
echo " $(date) Found redis master (${MASTER})"
else
echo " $(date) Did not find redis master (${MASTER})"
fi
}
sentinel_update() {
echo "Updating sentinel config.."
echo " evaluating sentinel id (\${SENTINEL_ID_${INDEX}})"
eval MY_SENTINEL_ID="\$SENTINEL_ID_${INDEX}"
echo " sentinel id (${MY_SENTINEL_ID}), sentinel grp (${MASTER_GROUP}), quorum (${QUORUM})"
sed -i "1s/^/sentinel myid ${MY_SENTINEL_ID}\\n/" "${SENTINEL_CONF}"
if [ "$SENTINEL_TLS_REPLICATION_ENABLED" = true ]; then
echo " redis master (${1}:${REDIS_TLS_PORT})"
sed -i "2s/^/sentinel monitor ${MASTER_GROUP} ${1} ${REDIS_TLS_PORT} ${QUORUM} \\n/" "${SENTINEL_CONF}"
else
echo " redis master (${1}:${REDIS_PORT})"
sed -i "2s/^/sentinel monitor ${MASTER_GROUP} ${1} ${REDIS_PORT} ${QUORUM} \\n/" "${SENTINEL_CONF}"
fi
echo "sentinel announce-ip ${ANNOUNCE_IP}" >> ${SENTINEL_CONF}
if [ "$SENTINEL_PORT" -eq 0 ]; then
echo " announce (${ANNOUNCE_IP}:${SENTINEL_TLS_PORT})"
echo "sentinel announce-port ${SENTINEL_TLS_PORT}" >> ${SENTINEL_CONF}
else
echo " announce (${ANNOUNCE_IP}:${SENTINEL_PORT})"
echo "sentinel announce-port ${SENTINEL_PORT}" >> ${SENTINEL_CONF}
fi
}
redis_update() {
echo "Updating redis config.."
if [ "$REDIS_TLS_REPLICATION_ENABLED" = true ]; then
echo " we are slave of redis master (${1}:${REDIS_TLS_PORT})"
echo "slaveof ${1} ${REDIS_TLS_PORT}" >> "${REDIS_CONF}"
echo "slave-announce-port ${REDIS_TLS_PORT}" >> ${REDIS_CONF}
else
echo " we are slave of redis master (${1}:${REDIS_PORT})"
echo "slaveof ${1} ${REDIS_PORT}" >> "${REDIS_CONF}"
echo "slave-announce-port ${REDIS_PORT}" >> ${REDIS_CONF}
fi
echo "slave-announce-ip ${ANNOUNCE_IP}" >> ${REDIS_CONF}
}
copy_config() {
echo "Copying default redis config.."
echo " to '${REDIS_CONF}'"
cp /readonly-config/redis.conf "${REDIS_CONF}"
echo "Copying default sentinel config.."
echo " to '${SENTINEL_CONF}'"
cp /readonly-config/sentinel.conf "${SENTINEL_CONF}"
}
setup_defaults() {
echo "Setting up defaults.."
echo " using statefulset index (${INDEX})"
if [ "${INDEX}" = "0" ]; then
echo "Setting this pod as master for redis and sentinel.."
echo " using announce (${ANNOUNCE_IP})"
redis_update "${ANNOUNCE_IP}"
sentinel_update "${ANNOUNCE_IP}"
echo " make sure ${ANNOUNCE_IP} is not a slave (slaveof no one)"
sed -i "s/^.*slaveof.*//" "${REDIS_CONF}"
else
echo "Getting redis master ip.."
echo " blindly assuming (${SERVICE}-announce-0) or (${SERVICE}-server-0) are master"
DEFAULT_MASTER="$(getent_hosts 0 | awk '{ print $1 }')"
if [ -z "${DEFAULT_MASTER}" ]; then
echo "Error: Unable to resolve redis master (getent hosts)."
exit 1
fi
echo " identified redis (may be redis master) ip (${DEFAULT_MASTER})"
echo "Setting default slave config for redis and sentinel.."
echo " using master ip (${DEFAULT_MASTER})"
redis_update "${DEFAULT_MASTER}"
sentinel_update "${DEFAULT_MASTER}"
fi
}
redis_ping() {
set +e
if [ "$REDIS_PORT" -eq 0 ]; then
redis-cli -h "${MASTER}" -p "${REDIS_TLS_PORT}" --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key ping
else
redis-cli -h "${MASTER}" -p "${REDIS_PORT}" ping
fi
set -e
}
redis_ping_retry() {
ping=''
retry=${1}
sleep=3
for i in $(seq 1 "${retry}"); do
if [ "$(redis_ping)" = "PONG" ]; then
ping='PONG'
break
fi
sleep $((sleep + i))
MASTER=$(sentinel_get_master)
done
echo "${ping}"
}
find_master() {
echo "Verifying redis master.."
if [ "$REDIS_PORT" -eq 0 ]; then
echo " ping (${MASTER}:${REDIS_TLS_PORT})"
else
echo " ping (${MASTER}:${REDIS_PORT})"
fi
if [ "$(redis_ping_retry 3)" != "PONG" ]; then
echo " $(date) Can't ping redis master (${MASTER})"
echo "Attempting to force failover (sentinel failover).."
if [ "$SENTINEL_PORT" -eq 0 ]; then
echo " on sentinel (${SERVICE}:${SENTINEL_TLS_PORT}), sentinel grp (${MASTER_GROUP})"
if redis-cli -h "${SERVICE}" -p "${SENTINEL_TLS_PORT}" --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key sentinel failover "${MASTER_GROUP}" | grep -q 'NOGOODSLAVE' ; then
echo " $(date) Failover returned with 'NOGOODSLAVE'"
echo "Setting defaults for this pod.."
setup_defaults
return 0
fi
else
echo " on sentinel (${SERVICE}:${SENTINEL_PORT}), sentinel grp (${MASTER_GROUP})"
if redis-cli -h "${SERVICE}" -p "${SENTINEL_PORT}" sentinel failover "${MASTER_GROUP}" | grep -q 'NOGOODSLAVE' ; then
echo " $(date) Failover returned with 'NOGOODSLAVE'"
echo "Setting defaults for this pod.."
setup_defaults
return 0
fi
fi
echo "Hold on for 10sec"
sleep 10
echo "We should get redis master's ip now. Asking (get-master-addr-by-name).."
if [ "$SENTINEL_PORT" -eq 0 ]; then
echo " sentinel (${SERVICE}:${SENTINEL_TLS_PORT}), sentinel grp (${MASTER_GROUP})"
else
echo " sentinel (${SERVICE}:${SENTINEL_PORT}), sentinel grp (${MASTER_GROUP})"
fi
MASTER="$(sentinel_get_master)"
if [ "${MASTER}" ]; then
echo " $(date) Found redis master (${MASTER})"
echo "Updating redis and sentinel config.."
sentinel_update "${MASTER}"
redis_update "${MASTER}"
else
echo "$(date) Error: Could not failover, exiting..."
exit 1
fi
else
echo " $(date) Found reachable redis master (${MASTER})"
echo "Updating redis and sentinel config.."
sentinel_update "${MASTER}"
redis_update "${MASTER}"
fi
}
redis_ro_update() {
echo "Updating read-only redis config.."
echo " redis.conf set 'replica-priority 0'"
echo "replica-priority 0" >> ${REDIS_CONF}
}
getent_hosts() {
index=${1:-${INDEX}}
service="${SERVICE}-announce-${index}"
host=$(getent hosts "${service}")
echo "${host}"
}
identify_announce_ip() {
echo "Identify announce ip for this pod.."
echo " using (${SERVICE}-announce-${INDEX}) or (${SERVICE}-server-${INDEX})"
ANNOUNCE_IP=$(getent_hosts | awk '{ print $1 }')
echo " identified announce (${ANNOUNCE_IP})"
}
redis_role() {
set +e
if [ "$REDIS_PORT" -eq 0 ]; then
ROLE=$(redis-cli -p "${REDIS_TLS_PORT}" --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key info | grep role | sed 's/role://' | sed 's/\r//')
else
ROLE=$(redis-cli -p "${REDIS_PORT}" info | grep role | sed 's/role://' | sed 's/\r//')
fi
set -e
}
identify_redis_master() {
set +e
if [ "$REDIS_PORT" -eq 0 ]; then
REDIS_MASTER=$(redis-cli -p "${REDIS_TLS_PORT}" --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key info | grep master_host | sed 's/master_host://' | sed 's/\r//')
else
REDIS_MASTER=$(redis-cli -p "${REDIS_PORT}" info | grep master_host | sed 's/master_host://' | sed 's/\r//')
fi
set -e
}
reinit() {
set +e
sh /readonly-config/init.sh
if [ "$REDIS_PORT" -eq 0 ]; then
echo "shutdown" | redis-cli -p "${REDIS_TLS_PORT}" --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key
else
echo "shutdown" | redis-cli -p "${REDIS_PORT}"
fi
set -e
}
identify_announce_ip
while [ -z "${ANNOUNCE_IP}" ]; do
echo "Error: Could not resolve the announce ip for this pod."
sleep 30
identify_announce_ip
done
trap "exit 0" TERM
while true; do
sleep 60
# where is redis master
identify_master
if [ "$MASTER" = "$ANNOUNCE_IP" ]; then
redis_role
if [ "$ROLE" != "master" ]; then
echo "waiting for redis to become master"
sleep 10
identify_master
redis_role
echo "Redis role is $ROLE, expected role is master. No need to reinitialize."
if [ "$ROLE" != "master" ]; then
echo "Redis role is $ROLE, expected role is master, reinitializing"
reinit
fi
fi
elif [ "${MASTER}" ]; then
identify_redis_master
if [ "$REDIS_MASTER" != "$MASTER" ]; then
echo "Redis master and local master are not the same. waiting."
sleep 10
identify_master
identify_redis_master
echo "Redis master is ${MASTER}, expected master is ${REDIS_MASTER}. No need to reinitialize."
if [ "${REDIS_MASTER}" != "${MASTER}" ]; then
echo "Redis master is ${MASTER}, expected master is ${REDIS_MASTER}, reinitializing"
reinit
fi
fi
fi
done
haproxy.cfg: |
defaults REDIS
mode tcp
timeout connect 4s
timeout server 330s
timeout client 330s
timeout check 2s
listen health_check_http_url
bind [::]:8888 v4v6
mode http
monitor-uri /healthz
option dontlognull
# Check Sentinel and whether they are nominated master
backend check_if_redis_is_master_0
mode tcp
option tcp-check
tcp-check connect
tcp-check send PING\r\n
tcp-check expect string +PONG
tcp-check send SENTINEL\ get-master-addr-by-name\ argocd\r\n
tcp-check expect string REPLACE_ANNOUNCE0
tcp-check send QUIT\r\n
server R0 argocd-redis-ha-announce-0:26379 check inter 1s
server R1 argocd-redis-ha-announce-1:26379 check inter 1s
server R2 argocd-redis-ha-announce-2:26379 check inter 1s
# Check Sentinel and whether they are nominated master
backend check_if_redis_is_master_1
mode tcp
option tcp-check
tcp-check connect
tcp-check send PING\r\n
tcp-check expect string +PONG
tcp-check send SENTINEL\ get-master-addr-by-name\ argocd\r\n
tcp-check expect string REPLACE_ANNOUNCE1
tcp-check send QUIT\r\n
server R0 argocd-redis-ha-announce-0:26379 check inter 1s
server R1 argocd-redis-ha-announce-1:26379 check inter 1s
server R2 argocd-redis-ha-announce-2:26379 check inter 1s
# Check Sentinel and whether they are nominated master
backend check_if_redis_is_master_2
mode tcp
option tcp-check
tcp-check connect
tcp-check send PING\r\n
tcp-check expect string +PONG
tcp-check send SENTINEL\ get-master-addr-by-name\ argocd\r\n
tcp-check expect string REPLACE_ANNOUNCE2
tcp-check send QUIT\r\n
server R0 argocd-redis-ha-announce-0:26379 check inter 1s
server R1 argocd-redis-ha-announce-1:26379 check inter 1s
server R2 argocd-redis-ha-announce-2:26379 check inter 1s
# decide redis backend to use
#master
frontend ft_redis_master
bind [::]:6379 v4v6
use_backend bk_redis_master
# Check all redis servers to see if they think they are master
backend bk_redis_master
mode tcp
option tcp-check
tcp-check connect
tcp-check send PING\r\n
tcp-check expect string +PONG
tcp-check send info\ replication\r\n
tcp-check expect string role:master
tcp-check send QUIT\r\n
tcp-check expect string +OK
use-server R0 if { srv_is_up(R0) } { nbsrv(check_if_redis_is_master_0) ge 2 }
server R0 argocd-redis-ha-announce-0:6379 check inter 1s fall 1 rise 1
use-server R1 if { srv_is_up(R1) } { nbsrv(check_if_redis_is_master_1) ge 2 }
server R1 argocd-redis-ha-announce-1:6379 check inter 1s fall 1 rise 1
use-server R2 if { srv_is_up(R2) } { nbsrv(check_if_redis_is_master_2) ge 2 }
server R2 argocd-redis-ha-announce-2:6379 check inter 1s fall 1 rise 1
frontend stats
mode http
bind [::]:9101 v4v6
http-request use-service prometheus-exporter if { path /metrics }
stats enable
stats uri /stats
stats refresh 10s
haproxy_init.sh: |
HAPROXY_CONF=/data/haproxy.cfg
cp /readonly/haproxy.cfg "$HAPROXY_CONF"
for loop in $(seq 1 10); do
getent hosts argocd-redis-ha-announce-0 && break
echo "Waiting for service argocd-redis-ha-announce-0 to be ready ($loop) ..." && sleep 1
done
ANNOUNCE_IP0=$(getent hosts "argocd-redis-ha-announce-0" | awk '{ print $1 }')
if [ -z "$ANNOUNCE_IP0" ]; then
echo "Could not resolve the announce ip for argocd-redis-ha-announce-0"
exit 1
fi
sed -i "s/REPLACE_ANNOUNCE0/$ANNOUNCE_IP0/" "$HAPROXY_CONF"
for loop in $(seq 1 10); do
getent hosts argocd-redis-ha-announce-1 && break
echo "Waiting for service argocd-redis-ha-announce-1 to be ready ($loop) ..." && sleep 1
done
ANNOUNCE_IP1=$(getent hosts "argocd-redis-ha-announce-1" | awk '{ print $1 }')
if [ -z "$ANNOUNCE_IP1" ]; then
echo "Could not resolve the announce ip for argocd-redis-ha-announce-1"
exit 1
fi
sed -i "s/REPLACE_ANNOUNCE1/$ANNOUNCE_IP1/" "$HAPROXY_CONF"
for loop in $(seq 1 10); do
getent hosts argocd-redis-ha-announce-2 && break
echo "Waiting for service argocd-redis-ha-announce-2 to be ready ($loop) ..." && sleep 1
done
ANNOUNCE_IP2=$(getent hosts "argocd-redis-ha-announce-2" | awk '{ print $1 }')
if [ -z "$ANNOUNCE_IP2" ]; then
echo "Could not resolve the announce ip for argocd-redis-ha-announce-2"
exit 1
fi
sed -i "s/REPLACE_ANNOUNCE2/$ANNOUNCE_IP2/" "$HAPROXY_CONF"
trigger-failover-if-master.sh: |
get_redis_role() {
is_master=$(
redis-cli \
-h localhost \
-p 6379 \
info | grep -c 'role:master' || true
)
}
get_redis_role
if [[ "$is_master" -eq 1 ]]; then
echo "This node is currently master, we trigger a failover."
response=$(
redis-cli \
-h localhost \
-p 26379 \
SENTINEL failover argocd
)
if [[ "$response" != "OK" ]] ; then
echo "$response"
exit 1
fi
timeout=30
while [[ "$is_master" -eq 1 && $timeout -gt 0 ]]; do
sleep 1
get_redis_role
timeout=$((timeout - 1))
done
echo "Failover successful"
fi


@@ -0,0 +1,72 @@
---
# Source: argocd/charts/argo-cd/charts/redis-ha/templates/redis-ha-health-configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: argocd-redis-ha-health-configmap
namespace: "argocd"
labels:
heritage: Helm
release: argocd
chart: redis-ha-4.34.11
app: argocd-redis-ha
data:
redis_liveness.sh: |
response=$(
redis-cli \
-h localhost \
-p 6379 \
ping
)
echo "response=$response"
case $response in
PONG|LOADING*) ;;
*) exit 1 ;;
esac
exit 0
redis_readiness.sh: |
response=$(
redis-cli \
-h localhost \
-p 6379 \
ping
)
if [ "$response" != "PONG" ] ; then
echo "ping=$response"
exit 1
fi
response=$(
redis-cli \
-h localhost \
-p 6379 \
role
)
role=$( echo "$response" | sed "1!d" )
if [ "$role" = "master" ]; then
echo "role=$role"
exit 0
elif [ "$role" = "slave" ]; then
repl=$( echo "$response" | sed "4!d" )
echo "role=$role; repl=$repl"
if [ "$repl" = "connected" ]; then
exit 0
else
exit 1
fi
else
echo "role=$role"
exit 1
fi
sentinel_liveness.sh: |
response=$(
redis-cli \
-h localhost \
-p 26379 \
ping
)
if [ "$response" != "PONG" ]; then
echo "$response"
exit 1
fi
echo "response=$response"
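Review bot: All three probe scripts call `redis-cli -h localhost` with no credential and no `--tls` options, which only succeeds if Redis (6379) and Sentinel (26379) accept unauthenticated plaintext connections. The server configuration is not in this file, so this is an inference to confirm against the rendered redis.conf and sentinel.conf. If authentication is off, any workload that can reach those ports can read or alter the Argo CD cache. Enable Redis auth in the chart values so the rendered probes carry the credential, preferably through the `REDISCLI_AUTH` environment variable rather than `-a` on the command line, and restrict ingress to the Redis pods with a NetworkPolicy.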


@@ -0,0 +1,30 @@
---
# Source: argocd/charts/argo-cd/templates/argocd-configs/argocd-ssh-known-hosts-cm.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: argocd-ssh-known-hosts-cm
namespace: argocd
labels:
helm.sh/chart: argo-cd-9.1.5
app.kubernetes.io/name: argocd-ssh-known-hosts-cm
app.kubernetes.io/instance: argocd
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: "v3.2.1"
data:
ssh_known_hosts: |
[ssh.github.com]:443 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=
[ssh.github.com]:443 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl
[ssh.github.com]:443 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCj7ndNxQowgcQnjshcLrqPEiiphnt+VTTvDP6mHBL9j1aNUkY4Ue1gvwnGLVlOhGeYrnZaMgRK6+PKCUXaDbC7qtbW8gIkhL7aGCsOr/C56SJMy/BCZfxd1nWzAOxSDPgVsmerOBYfNqltV9/hWCqBywINIR+5dIg6JTJ72pcEpEjcYgXkE2YEFXV1JHnsKgbLWNlhScqb2UmyRkQyytRLtL+38TGxkxCflmO+5Z8CSSNY7GidjMIZ7Q4zMjA2n1nGrlTDkzwDCsw+wqFPGQA179cnfGWOWRVruj16z6XyvxvjJwbz0wQZ75XK5tKSb7FNyeIEs4TT4jk+S4dhPeAUC5y+bDYirYgM4GC7uEnztnZyaVWQ7B381AK4Qdrwt51ZqExKbQpTUNn+EjqoTwvqNj4kqx5QUCI0ThS/YkOxJCXmPUWZbhjpCg56i+2aB6CmK2JGhn57K5mj0MNdBXA4/WnwH6XoPWJzK5Nyu2zB3nAZp+S5hpQs+p1vN1/wsjk=
bitbucket.org ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPIQmuzMBuKdWeF4+a2sjSSpBK0iqitSQ+5BM9KhpexuGt20JpTVM7u5BDZngncgrqDMbWdxMWWOGtZ9UgbqgZE=
bitbucket.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIazEu89wgQZ4bqs3d63QSMzYVa0MuJ2e2gKTKqu+UUO
bitbucket.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDQeJzhupRu0u0cdegZIa8e86EG2qOCsIsD1Xw0xSeiPDlCr7kq97NLmMbpKTX6Esc30NuoqEEHCuc7yWtwp8dI76EEEB1VqY9QJq6vk+aySyboD5QF61I/1WeTwu+deCbgKMGbUijeXhtfbxSxm6JwGrXrhBdofTsbKRUsrN1WoNgUa8uqN1Vx6WAJw1JHPhglEGGHea6QICwJOAr/6mrui/oB7pkaWKHj3z7d1IC4KWLtY47elvjbaTlkN04Kc/5LFEirorGYVbt15kAUlqGM65pk6ZBxtaO3+30LVlORZkxOh+LKL/BvbZ/iRNhItLqNyieoQj/uh/7Iv4uyH/cV/0b4WDSd3DptigWq84lJubb9t/DnZlrJazxyDCulTmKdOR7vs9gMTo+uoIrPSb8ScTtvw65+odKAlBj59dhnVp9zd7QUojOpXlL62Aw56U4oO+FALuevvMjiWeavKhJqlR7i5n9srYcrNV7ttmDw7kf/97P5zauIhxcjX+xHv4M=
github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=
github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl
github.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCj7ndNxQowgcQnjshcLrqPEiiphnt+VTTvDP6mHBL9j1aNUkY4Ue1gvwnGLVlOhGeYrnZaMgRK6+PKCUXaDbC7qtbW8gIkhL7aGCsOr/C56SJMy/BCZfxd1nWzAOxSDPgVsmerOBYfNqltV9/hWCqBywINIR+5dIg6JTJ72pcEpEjcYgXkE2YEFXV1JHnsKgbLWNlhScqb2UmyRkQyytRLtL+38TGxkxCflmO+5Z8CSSNY7GidjMIZ7Q4zMjA2n1nGrlTDkzwDCsw+wqFPGQA179cnfGWOWRVruj16z6XyvxvjJwbz0wQZ75XK5tKSb7FNyeIEs4TT4jk+S4dhPeAUC5y+bDYirYgM4GC7uEnztnZyaVWQ7B381AK4Qdrwt51ZqExKbQpTUNn+EjqoTwvqNj4kqx5QUCI0ThS/YkOxJCXmPUWZbhjpCg56i+2aB6CmK2JGhn57K5mj0MNdBXA4/WnwH6XoPWJzK5Nyu2zB3nAZp+S5hpQs+p1vN1/wsjk=
gitlab.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFSMqzJeV9rUzU4kWitGjeR4PWSa29SPqJ1fVkhtj3Hw9xjLVXVYrU9QlYWrOLXBpQ6KWjbjTDTdDkoohFzgbEY=
gitlab.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf
gitlab.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsj2bNKTBSpIYDEGk9KxsGh3mySTRgMtXL583qmBpzeQ+jqCMRgBqB98u3z++J1sKlXHWfM9dyhSevkMwSbhoR8XIq/U0tCNyokEi/ueaBMCvbcTHhO7FcwzY92WK4Yt0aGROY5qX2UKSeOvuP4D6TPqKF1onrSzH9bx9XUf2lEdWT/ia1NEKjunUqu1xOB/StKDHMoX4/OKyIzuS0q/T1zOATthvasJFoPrAjkohTyaDUz2LN5JoH839hViyEG82yB+MjcFV5MU3N1l1QL3cVUCh93xSaua1N85qivl+siMkPGbO5xR/En4iEY6K2XPASUEMaieWVNTRCtJ4S8H+9
ssh.dev.azure.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7Hr1oTWqNqOlzGJOfGJ4NakVyIzf1rXYd4d7wo6jBlkLvCA4odBlL0mDUyZ0/QUfTTqeu+tm22gOsv+VrVTMk6vwRU75gY/y9ut5Mb3bR5BV58dKXyq9A9UeB5Cakehn5Zgm6x1mKoVyf+FFn26iYqXJRgzIZZcZ5V6hrE0Qg39kZm4az48o0AUbf6Sp4SLdvnuMa2sVNwHBboS7EJkm57XQPVU3/QpyNLHbWDdzwtrlS+ez30S3AdYhLKEOxAG8weOnyrtLJAUen9mTkol8oII1edf7mWWbWVf0nBmly21+nZcmCTISQBtdcyPaEno7fFQMDD26/s0lfKob4Kw8H
vs-ssh.visualstudio.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7Hr1oTWqNqOlzGJOfGJ4NakVyIzf1rXYd4d7wo6jBlkLvCA4odBlL0mDUyZ0/QUfTTqeu+tm22gOsv+VrVTMk6vwRU75gY/y9ut5Mb3bR5BV58dKXyq9A9UeB5Cakehn5Zgm6x1mKoVyf+FFn26iYqXJRgzIZZcZ5V6hrE0Qg39kZm4az48o0AUbf6Sp4SLdvnuMa2sVNwHBboS7EJkm57XQPVU3/QpyNLHbWDdzwtrlS+ez30S3AdYhLKEOxAG8weOnyrtLJAUen9mTkol8oII1edf7mWWbWVf0nBmly21+nZcmCTISQBtdcyPaEno7fFQMDD26/s0lfKob4Kw8H


@@ -0,0 +1,14 @@
---
# Source: argocd/charts/argo-cd/templates/argocd-configs/argocd-tls-certs-cm.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: argocd-tls-certs-cm
namespace: argocd
labels:
helm.sh/chart: argo-cd-9.1.5
app.kubernetes.io/name: argocd-tls-certs-cm
app.kubernetes.io/instance: argocd
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: "v3.2.1"


@@ -0,0 +1,323 @@
---
# Source: argocd/charts/argo-cd/templates/crds/crd-project.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
"helm.sh/resource-policy": keep
labels:
app.kubernetes.io/name: appprojects.argoproj.io
app.kubernetes.io/part-of: argocd
name: appprojects.argoproj.io
spec:
group: argoproj.io
names:
kind: AppProject
listKind: AppProjectList
plural: appprojects
shortNames:
- appproj
- appprojs
singular: appproject
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: |-
AppProject provides a logical grouping of applications, providing controls for:
* where the apps may deploy to (cluster whitelist)
* what may be deployed (repository whitelist, resource whitelist/blacklist)
* who can access these applications (roles, OIDC group claims bindings)
* and what they can do (RBAC policies)
* automation access to these roles (JWT tokens)
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: AppProjectSpec is the specification of an AppProject
properties:
clusterResourceBlacklist:
description: ClusterResourceBlacklist contains list of blacklisted cluster level resources
items:
description: |-
GroupKind specifies a Group and a Kind, but does not force a version. This is useful for identifying
concepts during lookup stages without having partially valid types
properties:
group:
type: string
kind:
type: string
required:
- group
- kind
type: object
type: array
clusterResourceWhitelist:
description: ClusterResourceWhitelist contains list of whitelisted cluster level resources
items:
description: |-
GroupKind specifies a Group and a Kind, but does not force a version. This is useful for identifying
concepts during lookup stages without having partially valid types
properties:
group:
type: string
kind:
type: string
required:
- group
- kind
type: object
type: array
description:
description: Description contains optional project description
maxLength: 255
type: string
destinationServiceAccounts:
description: DestinationServiceAccounts holds information about the service accounts to be impersonated for the application sync operation for each destination.
items:
description: ApplicationDestinationServiceAccount holds information about the service account to be impersonated for the application sync operation.
properties:
defaultServiceAccount:
description: DefaultServiceAccount to be used for impersonation during the sync operation
type: string
namespace:
description: Namespace specifies the target namespace for the application's resources.
type: string
server:
description: Server specifies the URL of the target cluster's Kubernetes control plane API.
type: string
required:
- defaultServiceAccount
- server
type: object
type: array
destinations:
description: Destinations contains list of destinations available for deployment
items:
description: ApplicationDestination holds information about the application's destination
properties:
name:
description: Name is an alternate way of specifying the target cluster by its symbolic name. This must be set if Server is not set.
type: string
namespace:
description: |-
Namespace specifies the target namespace for the application's resources.
The namespace will only be set for namespace-scoped resources that have not set a value for .metadata.namespace
type: string
server:
description: Server specifies the URL of the target cluster's Kubernetes control plane API. This must be set if Name is not set.
type: string
type: object
type: array
namespaceResourceBlacklist:
description: NamespaceResourceBlacklist contains list of blacklisted namespace level resources
items:
description: |-
GroupKind specifies a Group and a Kind, but does not force a version. This is useful for identifying
concepts during lookup stages without having partially valid types
properties:
group:
type: string
kind:
type: string
required:
- group
- kind
type: object
type: array
namespaceResourceWhitelist:
description: NamespaceResourceWhitelist contains list of whitelisted namespace level resources
items:
description: |-
GroupKind specifies a Group and a Kind, but does not force a version. This is useful for identifying
concepts during lookup stages without having partially valid types
properties:
group:
type: string
kind:
type: string
required:
- group
- kind
type: object
type: array
orphanedResources:
description: OrphanedResources specifies if controller should monitor orphaned resources of apps in this project
properties:
ignore:
description: Ignore contains a list of resources that are to be excluded from orphaned resources monitoring
items:
description: OrphanedResourceKey is a reference to a resource to be ignored from
properties:
group:
type: string
kind:
type: string
name:
type: string
type: object
type: array
warn:
description: Warn indicates if warning condition should be created for apps which have orphaned resources
type: boolean
type: object
permitOnlyProjectScopedClusters:
description: PermitOnlyProjectScopedClusters determines whether destinations can only reference clusters which are project-scoped
type: boolean
roles:
description: Roles are user defined RBAC roles associated with this project
items:
description: ProjectRole represents a role that has access to a project
properties:
description:
description: Description is a description of the role
type: string
groups:
description: Groups are a list of OIDC group claims bound to this role
items:
type: string
type: array
jwtTokens:
description: JWTTokens are a list of generated JWT tokens bound to this role
items:
description: JWTToken holds the issuedAt and expiresAt values of a token
properties:
exp:
format: int64
type: integer
iat:
format: int64
type: integer
id:
type: string
required:
- iat
type: object
type: array
name:
description: Name is a name for this role
type: string
policies:
description: Policies Stores a list of casbin formatted strings that define access policies for the role in the project
items:
type: string
type: array
required:
- name
type: object
type: array
signatureKeys:
description: SignatureKeys contains a list of PGP key IDs that commits in Git must be signed with in order to be allowed for sync
items:
description: SignatureKey is the specification of a key required to verify commit signatures with
properties:
keyID:
description: The ID of the key in hexadecimal notation
type: string
required:
- keyID
type: object
type: array
sourceNamespaces:
description: SourceNamespaces defines the namespaces application resources are allowed to be created in
items:
type: string
type: array
sourceRepos:
description: SourceRepos contains list of repository URLs which can be used for deployment
items:
type: string
type: array
syncWindows:
description: SyncWindows controls when syncs can be run for apps in this project
items:
description: SyncWindow contains the kind, time, duration and attributes that are used to assign the syncWindows to apps
properties:
andOperator:
description: UseAndOperator use AND operator for matching applications, namespaces and clusters instead of the default OR operator
type: boolean
applications:
description: Applications contains a list of applications that the window will apply to
items:
type: string
type: array
clusters:
description: Clusters contains a list of clusters that the window will apply to
items:
type: string
type: array
description:
description: Description of the sync that will be applied to the schedule, can be used to add any information such as a ticket number for example
type: string
duration:
description: Duration is the amount of time the sync window will be open
type: string
kind:
description: Kind defines if the window allows or blocks syncs
type: string
manualSync:
description: ManualSync enables manual syncs when they would otherwise be blocked
type: boolean
namespaces:
description: Namespaces contains a list of namespaces that the window will apply to
items:
type: string
type: array
schedule:
description: Schedule is the time the window will begin, specified in cron format
type: string
timeZone:
description: TimeZone of the sync that will be applied to the schedule
type: string
type: object
type: array
type: object
status:
description: AppProjectStatus contains status information for AppProject CRs
properties:
jwtTokensByRole:
additionalProperties:
description: JWTTokens represents a list of JWT tokens
properties:
items:
items:
description: JWTToken holds the issuedAt and expiresAt values of a token
properties:
exp:
format: int64
type: integer
iat:
format: int64
type: integer
id:
type: string
required:
- iat
type: object
type: array
type: object
description: JWTTokensByRole contains a list of JWT tokens issued for a given role
type: object
type: object
required:
- metadata
- spec
type: object
served: true
storage: true


@@ -0,0 +1,309 @@
---
# Source: argocd/charts/argo-cd/templates/argocd-applicationset/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: argocd-applicationset-controller
namespace: argocd
labels:
helm.sh/chart: argo-cd-9.1.5
app.kubernetes.io/name: argocd-applicationset-controller
app.kubernetes.io/instance: argocd
app.kubernetes.io/component: applicationset-controller
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: "v3.2.1"
spec:
replicas: 2
revisionHistoryLimit: 3
selector:
matchLabels:
app.kubernetes.io/name: argocd-applicationset-controller
app.kubernetes.io/instance: argocd
template:
metadata:
annotations:
checksum/cmd-params: bf2519278596ec7cee3e61f230a7b6ebbdcc8a5166fe036da04fccfdfa4ac1d1
labels:
helm.sh/chart: argo-cd-9.1.5
app.kubernetes.io/name: argocd-applicationset-controller
app.kubernetes.io/instance: argocd
app.kubernetes.io/component: applicationset-controller
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: "v3.2.1"
spec:
terminationGracePeriodSeconds: 30
serviceAccountName: argocd-applicationset-controller
automountServiceAccountToken: true
containers:
- name: applicationset-controller
image: quay.io/argoproj/argocd:v3.2.1
imagePullPolicy: IfNotPresent
args:
- /usr/local/bin/argocd-applicationset-controller
- --metrics-addr=:8080
- --probe-addr=:8081
- --webhook-addr=:7000
env:
- name: NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: ARGOCD_APPLICATIONSET_CONTROLLER_GLOBAL_PRESERVED_ANNOTATIONS
valueFrom:
configMapKeyRef:
key: applicationsetcontroller.global.preserved.annotations
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_APPLICATIONSET_CONTROLLER_GLOBAL_PRESERVED_LABELS
valueFrom:
configMapKeyRef:
key: applicationsetcontroller.global.preserved.labels
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_LEADER_ELECTION
valueFrom:
configMapKeyRef:
key: applicationsetcontroller.enable.leader.election
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_APPLICATIONSET_CONTROLLER_REPO_SERVER
valueFrom:
configMapKeyRef:
key: repo.server
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_APPLICATIONSET_CONTROLLER_POLICY
valueFrom:
configMapKeyRef:
key: applicationsetcontroller.policy
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_POLICY_OVERRIDE
valueFrom:
configMapKeyRef:
key: applicationsetcontroller.enable.policy.override
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_APPLICATIONSET_CONTROLLER_DEBUG
valueFrom:
configMapKeyRef:
key: applicationsetcontroller.debug
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_APPLICATIONSET_CONTROLLER_LOGFORMAT
valueFrom:
configMapKeyRef:
key: applicationsetcontroller.log.format
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_APPLICATIONSET_CONTROLLER_LOGLEVEL
valueFrom:
configMapKeyRef:
key: applicationsetcontroller.log.level
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_LOG_FORMAT_TIMESTAMP
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: log.format.timestamp
optional: true
- name: ARGOCD_APPLICATIONSET_CONTROLLER_DRY_RUN
valueFrom:
configMapKeyRef:
key: applicationsetcontroller.dryrun
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_GIT_MODULES_ENABLED
valueFrom:
configMapKeyRef:
key: applicationsetcontroller.enable.git.submodule
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_PROGRESSIVE_SYNCS
valueFrom:
configMapKeyRef:
key: applicationsetcontroller.enable.progressive.syncs
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_APPLICATIONSET_CONTROLLER_TOKENREF_STRICT_MODE
valueFrom:
configMapKeyRef:
key: applicationsetcontroller.enable.tokenref.strict.mode
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_NEW_GIT_FILE_GLOBBING
valueFrom:
configMapKeyRef:
key: applicationsetcontroller.enable.new.git.file.globbing
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_APPLICATIONSET_CONTROLLER_REPO_SERVER_PLAINTEXT
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: applicationsetcontroller.repo.server.plaintext
optional: true
- name: ARGOCD_APPLICATIONSET_CONTROLLER_REPO_SERVER_STRICT_TLS
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: applicationsetcontroller.repo.server.strict.tls
optional: true
- name: ARGOCD_APPLICATIONSET_CONTROLLER_REPO_SERVER_TIMEOUT_SECONDS
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: applicationsetcontroller.repo.server.timeout.seconds
optional: true
- name: ARGOCD_APPLICATIONSET_CONTROLLER_CONCURRENT_RECONCILIATIONS
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: applicationsetcontroller.concurrent.reconciliations.max
optional: true
- name: ARGOCD_APPLICATIONSET_CONTROLLER_NAMESPACES
valueFrom:
configMapKeyRef:
key: applicationsetcontroller.namespaces
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_APPLICATIONSET_CONTROLLER_SCM_ROOT_CA_PATH
valueFrom:
configMapKeyRef:
key: applicationsetcontroller.scm.root.ca.path
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_APPLICATIONSET_CONTROLLER_ALLOWED_SCM_PROVIDERS
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: applicationsetcontroller.allowed.scm.providers
optional: true
- name: ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_SCM_PROVIDERS
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: applicationsetcontroller.enable.scm.providers
optional: true
- name: ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_GITHUB_API_METRICS
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: applicationsetcontroller.enable.github.api.metrics
optional: true
- name: ARGOCD_APPLICATIONSET_CONTROLLER_WEBHOOK_PARALLELISM_LIMIT
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: applicationsetcontroller.webhook.parallelism.limit
optional: true
- name: ARGOCD_APPLICATIONSET_CONTROLLER_REQUEUE_AFTER
valueFrom:
configMapKeyRef:
key: applicationsetcontroller.requeue.after
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_APPLICATIONSET_CONTROLLER_MAX_RESOURCES_STATUS_COUNT
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: applicationsetcontroller.status.max.resources.count
optional: true
ports:
- name: metrics
containerPort: 8080
protocol: TCP
- name: probe
containerPort: 8081
protocol: TCP
- name: webhook
containerPort: 7000
protocol: TCP
livenessProbe:
tcpSocket:
port: probe
initialDelaySeconds: 10
periodSeconds: 10
timeoutSeconds: 1
successThreshold: 1
failureThreshold: 3
readinessProbe:
tcpSocket:
port: probe
initialDelaySeconds: 10
periodSeconds: 10
timeoutSeconds: 1
successThreshold: 1
failureThreshold: 3
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /app/config/ssh
name: ssh-known-hosts
- mountPath: /app/config/tls
name: tls-certs
- mountPath: /app/config/gpg/source
name: gpg-keys
- mountPath: /app/config/gpg/keys
name: gpg-keyring
- mountPath: /app/config/reposerver/tls
name: argocd-repo-server-tls
- mountPath: /home/argocd/params
name: argocd-cmd-params-cm
- mountPath: /tmp
name: tmp
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
labelSelector:
matchLabels:
app.kubernetes.io/name: argocd-applicationset-controller
topologyKey: kubernetes.io/hostname
nodeSelector:
kubernetes.io/os: linux
volumes:
- name: ssh-known-hosts
configMap:
name: argocd-ssh-known-hosts-cm
- name: tls-certs
configMap:
name: argocd-tls-certs-cm
- name: gpg-keys
configMap:
name: argocd-gpg-keys-cm
- name: gpg-keyring
emptyDir: {}
- name: tmp
emptyDir: {}
- name: argocd-repo-server-tls
secret:
secretName: argocd-repo-server-tls
optional: true
items:
- key: tls.crt
path: tls.crt
- key: tls.key
path: tls.key
- key: ca.crt
path: ca.crt
- name: argocd-cmd-params-cm
configMap:
optional: true
name: argocd-cmd-params-cm
items:
- key: applicationsetcontroller.profile.enabled
path: profiler.enabled
dnsPolicy: ClusterFirst
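Review bot: The container is referenced by a mutable tag, `image: quay.io/argoproj/argocd:v3.2.1`, and with `imagePullPolicy: IfNotPresent` nodes can end up running different content for the same tag if it is ever re-pushed. Pinning a digest (`image: quay.io/argoproj/argocd:v3.2.1@sha256:<digest>`, where the digest is a placeholder) makes the deployed artifact verifiable. `resources: {}` also leaves the controller with no requests or limits, so both replicas run as BestEffort pods, which are first in line for eviction and have no memory bound. Going by the `# Source:` header this file is rendered from the chart, so both changes belong in the chart values rather than in this manifest.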


@@ -0,0 +1,171 @@
---
# Source: argocd/charts/argo-cd/templates/dex/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: argocd-dex-server
namespace: argocd
labels:
helm.sh/chart: argo-cd-9.1.5
app.kubernetes.io/name: argocd-dex-server
app.kubernetes.io/instance: argocd
app.kubernetes.io/component: dex-server
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: "v3.2.1"
spec:
replicas: 1
revisionHistoryLimit: 3
selector:
matchLabels:
app.kubernetes.io/name: argocd-dex-server
app.kubernetes.io/instance: argocd
template:
metadata:
annotations:
checksum/cmd-params: bf2519278596ec7cee3e61f230a7b6ebbdcc8a5166fe036da04fccfdfa4ac1d1
checksum/cm: b85950385c4567f0f6332e53f51df2bbe58a65f5771ac318c863d1b4e831ff9b
labels:
helm.sh/chart: argo-cd-9.1.5
app.kubernetes.io/name: argocd-dex-server
app.kubernetes.io/instance: argocd
app.kubernetes.io/component: dex-server
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: "v3.2.1"
spec:
terminationGracePeriodSeconds: 30
serviceAccountName: argocd-dex-server
automountServiceAccountToken: true
containers:
- name: dex-server
image: ghcr.io/dexidp/dex:v2.44.0
imagePullPolicy: IfNotPresent
command:
- /shared/argocd-dex
args:
- rundex
env:
- name: ARGOCD_DEX_SERVER_LOGFORMAT
valueFrom:
configMapKeyRef:
key: dexserver.log.format
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_DEX_SERVER_LOGLEVEL
valueFrom:
configMapKeyRef:
key: dexserver.log.level
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_LOG_FORMAT_TIMESTAMP
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: log.format.timestamp
optional: true
- name: ARGOCD_DEX_SERVER_DISABLE_TLS
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: dexserver.disable.tls
optional: true
ports:
- name: http
containerPort: 5556
protocol: TCP
- name: grpc
containerPort: 5557
protocol: TCP
- name: metrics
containerPort: 5558
protocol: TCP
livenessProbe:
httpGet:
path: /healthz/live
port: metrics
scheme: HTTP
initialDelaySeconds: 10
periodSeconds: 10
timeoutSeconds: 1
successThreshold: 1
failureThreshold: 3
readinessProbe:
httpGet:
path: /healthz/ready
port: metrics
scheme: HTTP
initialDelaySeconds: 10
periodSeconds: 10
timeoutSeconds: 1
successThreshold: 1
failureThreshold: 3
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
volumeMounts:
- name: static-files
mountPath: /shared
- name: dexconfig
mountPath: /tmp
- name: argocd-dex-server-tls
mountPath: /tls
initContainers:
- name: copyutil
image: quay.io/argoproj/argocd:v3.2.1
imagePullPolicy: IfNotPresent
command:
- /bin/cp
- -n
- /usr/local/bin/argocd
- /shared/argocd-dex
volumeMounts:
- mountPath: /shared
name: static-files
- mountPath: /tmp
name: dexconfig
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
labelSelector:
matchLabels:
app.kubernetes.io/name: argocd-dex-server
topologyKey: kubernetes.io/hostname
nodeSelector:
kubernetes.io/os: linux
volumes:
- name: static-files
emptyDir: {}
- name: dexconfig
emptyDir: {}
- name: argocd-dex-server-tls
secret:
secretName: argocd-dex-server-tls
optional: true
items:
- key: tls.crt
path: tls.crt
- key: tls.key
path: tls.key
- key: ca.crt
path: ca.crt
dnsPolicy: ClusterFirst
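Review bot: Both images in this Deployment are referenced by tag only, `ghcr.io/dexidp/dex:v2.44.0` on the `dex-server` container and `quay.io/argoproj/argocd:v3.2.1` on the `copyutil` init container, so the rendered manifest does not record exactly which image content runs. With `imagePullPolicy: IfNotPresent`, a re-pushed tag could leave nodes running different builds of the identity component. Consider pinning by digest in the chart values, e.g. `image: ghcr.io/dexidp/dex:v2.44.0@sha256:<digest of the verified image>` (placeholder). The same applies to the tag-only images in the notifications, redis-ha-haproxy, repo-server and argocd-server Deployments in this commit.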


@@ -0,0 +1,150 @@
---
# Source: argocd/charts/argo-cd/templates/argocd-notifications/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: argocd-notifications-controller
namespace: argocd
labels:
helm.sh/chart: argo-cd-9.1.5
app.kubernetes.io/name: argocd-notifications-controller
app.kubernetes.io/instance: argocd
app.kubernetes.io/component: notifications-controller
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: "v3.2.1"
spec:
replicas: 1
revisionHistoryLimit: 3
strategy:
type: Recreate
selector:
matchLabels:
app.kubernetes.io/name: argocd-notifications-controller
app.kubernetes.io/instance: argocd
template:
metadata:
annotations:
checksum/cmd-params: bf2519278596ec7cee3e61f230a7b6ebbdcc8a5166fe036da04fccfdfa4ac1d1
labels:
helm.sh/chart: argo-cd-9.1.5
app.kubernetes.io/name: argocd-notifications-controller
app.kubernetes.io/instance: argocd
app.kubernetes.io/component: notifications-controller
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: "v3.2.1"
spec:
terminationGracePeriodSeconds: 30
serviceAccountName: argocd-notifications-controller
automountServiceAccountToken: true
containers:
- name: notifications-controller
image: quay.io/argoproj/argocd:v3.2.1
imagePullPolicy: IfNotPresent
args:
- /usr/local/bin/argocd-notifications
- --metrics-port=9001
- --namespace=argocd
- --argocd-repo-server=argocd-repo-server:8081
- --secret-name=argocd-notifications-secret
env:
- name: ARGOCD_NOTIFICATIONS_CONTROLLER_LOGLEVEL
valueFrom:
configMapKeyRef:
key: notificationscontroller.log.level
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_NOTIFICATIONS_CONTROLLER_LOGFORMAT
valueFrom:
configMapKeyRef:
key: notificationscontroller.log.format
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_LOG_FORMAT_TIMESTAMP
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: log.format.timestamp
optional: true
- name: ARGOCD_APPLICATION_NAMESPACES
valueFrom:
configMapKeyRef:
key: application.namespaces
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_NOTIFICATION_CONTROLLER_SELF_SERVICE_NOTIFICATION_ENABLED
valueFrom:
configMapKeyRef:
key: notificationscontroller.selfservice.enabled
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_NOTIFICATION_CONTROLLER_REPO_SERVER_PLAINTEXT
valueFrom:
configMapKeyRef:
key: notificationscontroller.repo.server.plaintext
name: argocd-cmd-params-cm
optional: true
ports:
- name: metrics
containerPort: 9001
protocol: TCP
livenessProbe:
tcpSocket:
port: metrics
initialDelaySeconds: 10
periodSeconds: 10
timeoutSeconds: 1
successThreshold: 1
failureThreshold: 3
readinessProbe:
tcpSocket:
port: metrics
initialDelaySeconds: 10
periodSeconds: 10
timeoutSeconds: 1
successThreshold: 1
failureThreshold: 3
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
workingDir: /app
volumeMounts:
- name: tls-certs
mountPath: /app/config/tls
- name: argocd-repo-server-tls
mountPath: /app/config/reposerver/tls
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
labelSelector:
matchLabels:
app.kubernetes.io/name: argocd-notifications-controller
topologyKey: kubernetes.io/hostname
nodeSelector:
kubernetes.io/os: linux
volumes:
- name: tls-certs
configMap:
name: argocd-tls-certs-cm
- name: argocd-repo-server-tls
secret:
secretName: argocd-repo-server-tls
optional: true
items:
- key: tls.crt
path: tls.crt
- key: tls.key
path: tls.key
- key: ca.crt
path: ca.crt
dnsPolicy: ClusterFirst
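Review bot: The `argocd-repo-server-tls` volume projects `tls.key` into the notifications controller, which by its `--argocd-repo-server=argocd-repo-server:8081` argument looks like only a client of the repo server. If that is right, the pod needs `ca.crt` (and possibly `tls.crt`) to verify the server but not the server's private key; a compromise of this pod would otherwise also expose the key used for repo-server TLS. The argocd-server Deployment in this commit already projects only `tls.crt` and `ca.crt` for its Dex TLS volume, so dropping the `- key: tls.key` / `path: tls.key` item here would follow the same pattern. This manifest is rendered from the upstream chart, so the change may need to be raised there or applied as an overlay.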


@@ -0,0 +1,126 @@
---
# Source: argocd/charts/argo-cd/charts/redis-ha/templates/redis-haproxy-deployment.yaml
kind: Deployment
apiVersion: apps/v1
metadata:
name: argocd-redis-ha-haproxy
namespace: "argocd"
labels:
app: redis-ha
heritage: "Helm"
release: "argocd"
chart: redis-ha-4.34.11
component: haproxy
spec:
strategy:
type: RollingUpdate
revisionHistoryLimit: 1
replicas: 3
selector:
matchLabels:
app: redis-ha-haproxy
release: argocd
component: haproxy
template:
metadata:
name: argocd-redis-ha-haproxy
labels:
app: redis-ha-haproxy
release: argocd
component: haproxy
app.kubernetes.io/name: argocd-redis-ha-haproxy
annotations:
prometheus.io/port: "9101"
prometheus.io/scrape: "true"
prometheus.io/path: "/metrics"
checksum/config: 41729c8b600983b574147eb778eb317992f0a620e163e58b070b159548c3f8e6
spec:
# Needed when using unmodified rbac-setup.yml
serviceAccountName: argocd-redis-ha-haproxy
securityContext:
fsGroup: 99
runAsNonRoot: true
runAsUser: 99
automountServiceAccountToken: true
nodeSelector: {}
tolerations: []
affinity:
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchLabels:
app: redis-ha-haproxy
release: argocd
component: haproxy
topologyKey: kubernetes.io/hostname
initContainers:
- name: config-init
image: ecr-public.aws.com/docker/library/haproxy:3.0.8-alpine
imagePullPolicy: IfNotPresent
resources: {}
command:
- sh
args:
- /readonly/haproxy_init.sh
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
volumeMounts:
- name: config-volume
mountPath: /readonly
readOnly: true
- name: data
mountPath: /data
containers:
- name: haproxy
image: ecr-public.aws.com/docker/library/haproxy:3.0.8-alpine
imagePullPolicy: IfNotPresent
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
livenessProbe:
httpGet:
path: /healthz
port: probe
initialDelaySeconds: 5
periodSeconds: 3
readinessProbe:
httpGet:
path: /healthz
port: probe
initialDelaySeconds: 5
periodSeconds: 3
ports:
- name: probe
containerPort: 8888
- name: redis
containerPort: 6379
- name: metrics-port
containerPort: 9101
resources: {}
volumeMounts:
- name: data
mountPath: /usr/local/etc/haproxy
- name: shared-socket
mountPath: /run/haproxy
lifecycle: {}
volumes:
- name: config-volume
configMap:
name: argocd-redis-ha-configmap
- name: shared-socket
emptyDir: {}
- name: data
emptyDir: {}
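Review bot: `automountServiceAccountToken: true` in the pod spec gives both the `config-init` and `haproxy` containers a Kubernetes API token, but nothing visible in this Deployment uses the API. The init container runs `/readonly/haproxy_init.sh` from a ConfigMap and the main container only exposes ports 8888, 6379 and 9101. Unless that script calls the API server (its content is not shown here), set `automountServiceAccountToken: false` so that a compromise of the proxy in front of Redis does not also yield a cluster credential.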


@@ -0,0 +1,448 @@
---
# Source: argocd/charts/argo-cd/templates/argocd-repo-server/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: argocd-repo-server
namespace: argocd
labels:
helm.sh/chart: argo-cd-9.1.5
app.kubernetes.io/name: argocd-repo-server
app.kubernetes.io/instance: argocd
app.kubernetes.io/component: repo-server
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: "v3.2.1"
spec:
replicas: 2
revisionHistoryLimit: 3
selector:
matchLabels:
app.kubernetes.io/name: argocd-repo-server
app.kubernetes.io/instance: argocd
template:
metadata:
annotations:
checksum/cmd-params: bf2519278596ec7cee3e61f230a7b6ebbdcc8a5166fe036da04fccfdfa4ac1d1
checksum/cm: b85950385c4567f0f6332e53f51df2bbe58a65f5771ac318c863d1b4e831ff9b
checksum/cmp-cm: 889b23506729520737104bb8fb0d94e269ba3ec96a1a0e9ffe5c7bdf1025801c
labels:
helm.sh/chart: argo-cd-9.1.5
app.kubernetes.io/name: argocd-repo-server
app.kubernetes.io/instance: argocd
app.kubernetes.io/component: repo-server
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: "v3.2.1"
spec:
terminationGracePeriodSeconds: 30
serviceAccountName: argocd-repo-server
automountServiceAccountToken: true
containers:
- name: repo-server
image: quay.io/argoproj/argocd:v3.2.1
imagePullPolicy: IfNotPresent
args:
- /usr/local/bin/argocd-repo-server
- --port=8081
- --metrics-port=8084
env:
- name: ARGOCD_REPO_SERVER_NAME
value: argocd-repo-server
- name: ARGOCD_RECONCILIATION_TIMEOUT
valueFrom:
configMapKeyRef:
name: argocd-cm
key: timeout.reconciliation
optional: true
- name: ARGOCD_REPO_SERVER_LOGFORMAT
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: reposerver.log.format
optional: true
- name: ARGOCD_REPO_SERVER_LOGLEVEL
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: reposerver.log.level
optional: true
- name: ARGOCD_LOG_FORMAT_TIMESTAMP
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: log.format.timestamp
optional: true
- name: ARGOCD_REPO_SERVER_PARALLELISM_LIMIT
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: reposerver.parallelism.limit
optional: true
- name: ARGOCD_REPO_SERVER_LISTEN_ADDRESS
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: reposerver.listen.address
optional: true
- name: ARGOCD_REPO_SERVER_LISTEN_METRICS_ADDRESS
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: reposerver.metrics.listen.address
optional: true
- name: ARGOCD_REPO_SERVER_DISABLE_TLS
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: reposerver.disable.tls
optional: true
- name: ARGOCD_TLS_MIN_VERSION
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: reposerver.tls.minversion
optional: true
- name: ARGOCD_TLS_MAX_VERSION
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: reposerver.tls.maxversion
optional: true
- name: ARGOCD_TLS_CIPHERS
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: reposerver.tls.ciphers
optional: true
- name: ARGOCD_REPO_CACHE_EXPIRATION
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: reposerver.repo.cache.expiration
optional: true
- name: REDIS_SERVER
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: redis.server
optional: true
- name: REDIS_COMPRESSION
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: redis.compression
optional: true
- name: REDISDB
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: redis.db
optional: true
- name: REDIS_USERNAME
valueFrom:
secretKeyRef:
name: "argocd-redis"
key: redis-username
optional: true
- name: REDIS_PASSWORD
valueFrom:
secretKeyRef:
name: "argocd-redis" # hard-coded in Job command and embedded Redis deployments (standalone and redis-ha)
key: auth
optional: false # Secret is not optional in this case !
- name: REDIS_SENTINEL_USERNAME
valueFrom:
secretKeyRef:
name: argocd-redis-ha-haproxy
key: redis-sentinel-username
optional: true
- name: REDIS_SENTINEL_PASSWORD
valueFrom:
secretKeyRef:
name: argocd-redis-ha-haproxy
key: redis-sentinel-password
optional: true
- name: ARGOCD_DEFAULT_CACHE_EXPIRATION
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: reposerver.default.cache.expiration
optional: true
- name: ARGOCD_REPO_SERVER_OTLP_ADDRESS
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: otlp.address
optional: true
- name: ARGOCD_REPO_SERVER_OTLP_INSECURE
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: otlp.insecure
optional: true
- name: ARGOCD_REPO_SERVER_OTLP_HEADERS
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: otlp.headers
optional: true
- name: ARGOCD_REPO_SERVER_OTLP_ATTRS
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: otlp.attrs
optional: true
- name: ARGOCD_REPO_SERVER_MAX_COMBINED_DIRECTORY_MANIFESTS_SIZE
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: reposerver.max.combined.directory.manifests.size
optional: true
- name: ARGOCD_REPO_SERVER_PLUGIN_TAR_EXCLUSIONS
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: reposerver.plugin.tar.exclusions
optional: true
- name: ARGOCD_REPO_SERVER_PLUGIN_USE_MANIFEST_GENERATE_PATHS
valueFrom:
configMapKeyRef:
key: reposerver.plugin.use.manifest.generate.paths
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_ALLOW_OUT_OF_BOUNDS_SYMLINKS
valueFrom:
configMapKeyRef:
key: reposerver.allow.oob.symlinks
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_STREAMED_MANIFEST_MAX_TAR_SIZE
valueFrom:
configMapKeyRef:
key: reposerver.streamed.manifest.max.tar.size
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_STREAMED_MANIFEST_MAX_EXTRACTED_SIZE
valueFrom:
configMapKeyRef:
key: reposerver.streamed.manifest.max.extracted.size
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_HELM_MANIFEST_MAX_EXTRACTED_SIZE
valueFrom:
configMapKeyRef:
key: reposerver.helm.manifest.max.extracted.size
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_DISABLE_HELM_MANIFEST_MAX_EXTRACTED_SIZE
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: reposerver.disable.helm.manifest.max.extracted.size
optional: true
- name: ARGOCD_GIT_MODULES_ENABLED
valueFrom:
configMapKeyRef:
key: reposerver.enable.git.submodule
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_GIT_LS_REMOTE_PARALLELISM_LIMIT
valueFrom:
configMapKeyRef:
key: reposerver.git.lsremote.parallelism.limit
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_GIT_REQUEST_TIMEOUT
valueFrom:
configMapKeyRef:
key: reposerver.git.request.timeout
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_OCI_MANIFEST_MAX_EXTRACTED_SIZE
valueFrom:
configMapKeyRef:
key: reposerver.oci.manifest.max.extracted.size
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_DISABLE_OCI_MANIFEST_MAX_EXTRACTED_SIZE
valueFrom:
configMapKeyRef:
key: reposerver.disable.oci.manifest.max.extracted.size
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_OCI_LAYER_MEDIA_TYPES
valueFrom:
configMapKeyRef:
key: reposerver.oci.layer.media.types
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REVISION_CACHE_LOCK_TIMEOUT
valueFrom:
configMapKeyRef:
key: reposerver.revision.cache.lock.timeout
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_ENABLE_BUILTIN_GIT_CONFIG
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: reposerver.enable.builtin.git.config
optional: true
- name: ARGOCD_GRPC_MAX_SIZE_MB
valueFrom:
configMapKeyRef:
key: reposerver.grpc.max.size
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_INCLUDE_HIDDEN_DIRECTORIES
valueFrom:
configMapKeyRef:
key: reposerver.include.hidden.directories
name: argocd-cmd-params-cm
optional: true
- name: HELM_CACHE_HOME
value: /helm-working-dir
- name: HELM_CONFIG_HOME
value: /helm-working-dir
- name: HELM_DATA_HOME
value: /helm-working-dir
volumeMounts:
- mountPath: /app/config/ssh
name: ssh-known-hosts
- mountPath: /app/config/tls
name: tls-certs
- mountPath: /app/config/gpg/source
name: gpg-keys
- mountPath: /app/config/gpg/keys
name: gpg-keyring
- mountPath: /app/config/reposerver/tls
name: argocd-repo-server-tls
- mountPath: /helm-working-dir
name: helm-working-dir
- mountPath: /home/argocd/cmp-server/plugins
name: plugins
- mountPath: /tmp
name: tmp
ports:
- name: repo-server
containerPort: 8081
protocol: TCP
- name: metrics
containerPort: 8084
protocol: TCP
livenessProbe:
httpGet:
path: /healthz?full=true
port: metrics
initialDelaySeconds: 10
periodSeconds: 10
timeoutSeconds: 1
successThreshold: 1
failureThreshold: 3
readinessProbe:
httpGet:
path: /healthz
port: metrics
initialDelaySeconds: 10
periodSeconds: 10
timeoutSeconds: 1
successThreshold: 1
failureThreshold: 3
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
- command:
- /var/run/argocd/argocd-cmp-server
image: ghcr.io/akuity/cdk8s-cmp-typescript:1.0
name: cmp-cdk8s
securityContext:
runAsNonRoot: true
runAsUser: 999
volumeMounts:
- mountPath: /var/run/argocd
name: var-files
- mountPath: /home/argocd/cmp-server/plugins
name: plugins
- mountPath: /home/argocd/cmp-server/config/plugin.yaml
name: argocd-cmp-cm
subPath: cdk8s.yaml
- mountPath: /tmp
name: cmp-tmp
initContainers:
- command:
- /bin/cp
- -n
- /usr/local/bin/argocd
- /var/run/argocd/argocd-cmp-server
image: quay.io/argoproj/argocd:v3.2.1
imagePullPolicy: IfNotPresent
name: copyutil
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /var/run/argocd
name: var-files
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
labelSelector:
matchLabels:
app.kubernetes.io/name: argocd-repo-server
topologyKey: kubernetes.io/hostname
nodeSelector:
kubernetes.io/os: linux
volumes:
- configMap:
name: argocd-cmp-cm
name: argocd-cmp-cm
- emptyDir: {}
name: cmp-tmp
- name: helm-working-dir
emptyDir: {}
- name: plugins
emptyDir: {}
- name: var-files
emptyDir: {}
- name: tmp
emptyDir: {}
- name: ssh-known-hosts
configMap:
name: argocd-ssh-known-hosts-cm
- name: tls-certs
configMap:
name: argocd-tls-certs-cm
- name: gpg-keys
configMap:
name: argocd-gpg-keys-cm
- name: gpg-keyring
emptyDir: {}
- name: argocd-repo-server-tls
secret:
secretName: argocd-repo-server-tls
optional: true
items:
- key: tls.crt
path: tls.crt
- key: tls.key
path: tls.key
- key: ca.crt
path: ca.crt
dnsPolicy: ClusterFirst
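Review bot: The `cmp-cdk8s` sidecar is the one container in this pod that lacks the hardening applied to the others: its `securityContext` sets only `runAsNonRoot` and `runAsUser: 999`, with no `allowPrivilegeEscalation: false`, no dropped capabilities and no seccomp profile. A config management plugin generates manifests from repository content, so this is the container most exposed to untrusted input, and with `automountServiceAccountToken: true` at pod level it also receives the repo-server service account token. I would bring it in line with `repo-server` and `copyutil` as shown below, presumably via the chart values that define this extra container. `readOnlyRootFilesystem: true` is worth adding too once it is confirmed that the plugin only writes under its `/tmp` mount. The `:1.0` image also has no `imagePullPolicy` set.

```yaml
  name: cmp-cdk8s
  securityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - ALL
    seccompProfile:
      type: RuntimeDefault
    # … unchanged: runAsNonRoot, runAsUser …
```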


@@ -0,0 +1,491 @@
---
# Source: argocd/charts/argo-cd/templates/argocd-server/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: argocd-server
namespace: argocd
labels:
helm.sh/chart: argo-cd-9.1.5
app.kubernetes.io/name: argocd-server
app.kubernetes.io/instance: argocd
app.kubernetes.io/component: server
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: "v3.2.1"
spec:
replicas: 2
revisionHistoryLimit: 3
selector:
matchLabels:
app.kubernetes.io/name: argocd-server
app.kubernetes.io/instance: argocd
template:
metadata:
annotations:
checksum/cmd-params: bf2519278596ec7cee3e61f230a7b6ebbdcc8a5166fe036da04fccfdfa4ac1d1
checksum/cm: b85950385c4567f0f6332e53f51df2bbe58a65f5771ac318c863d1b4e831ff9b
labels:
helm.sh/chart: argo-cd-9.1.5
app.kubernetes.io/name: argocd-server
app.kubernetes.io/instance: argocd
app.kubernetes.io/component: server
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: "v3.2.1"
spec:
terminationGracePeriodSeconds: 30
serviceAccountName: argocd-server
automountServiceAccountToken: true
containers:
- name: server
image: quay.io/argoproj/argocd:v3.2.1
imagePullPolicy: IfNotPresent
args:
- /usr/local/bin/argocd-server
- --port=8080
- --metrics-port=8083
env:
- name: ARGOCD_SERVER_NAME
value: argocd-server
- name: ARGOCD_SERVER_INSECURE
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: server.insecure
optional: true
- name: ARGOCD_SERVER_BASEHREF
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: server.basehref
optional: true
- name: ARGOCD_SERVER_ROOTPATH
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: server.rootpath
optional: true
- name: ARGOCD_SERVER_LOGFORMAT
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: server.log.format
optional: true
- name: ARGOCD_SERVER_LOG_LEVEL
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: server.log.level
optional: true
- name: ARGOCD_SERVER_REPO_SERVER
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: repo.server
optional: true
- name: ARGOCD_SERVER_DEX_SERVER
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: server.dex.server
optional: true
- name: ARGOCD_SERVER_DISABLE_AUTH
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: server.disable.auth
optional: true
- name: ARGOCD_SERVER_ENABLE_GZIP
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: server.enable.gzip
optional: true
- name: ARGOCD_SERVER_REPO_SERVER_TIMEOUT_SECONDS
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: server.repo.server.timeout.seconds
optional: true
- name: ARGOCD_SERVER_X_FRAME_OPTIONS
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: server.x.frame.options
optional: true
- name: ARGOCD_SERVER_CONTENT_SECURITY_POLICY
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: server.content.security.policy
optional: true
- name: ARGOCD_SERVER_REPO_SERVER_PLAINTEXT
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: server.repo.server.plaintext
optional: true
- name: ARGOCD_SERVER_REPO_SERVER_STRICT_TLS
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: server.repo.server.strict.tls
optional: true
- name: ARGOCD_SERVER_DEX_SERVER_PLAINTEXT
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: server.dex.server.plaintext
optional: true
- name: ARGOCD_SERVER_DEX_SERVER_STRICT_TLS
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: server.dex.server.strict.tls
optional: true
- name: ARGOCD_TLS_MIN_VERSION
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: server.tls.minversion
optional: true
- name: ARGOCD_TLS_MAX_VERSION
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: server.tls.maxversion
optional: true
- name: ARGOCD_TLS_CIPHERS
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: server.tls.ciphers
optional: true
- name: ARGOCD_SERVER_CONNECTION_STATUS_CACHE_EXPIRATION
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: server.connection.status.cache.expiration
optional: true
- name: ARGOCD_SERVER_OIDC_CACHE_EXPIRATION
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: server.oidc.cache.expiration
optional: true
- name: ARGOCD_SERVER_STATIC_ASSETS
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: server.staticassets
optional: true
- name: ARGOCD_APP_STATE_CACHE_EXPIRATION
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: server.app.state.cache.expiration
optional: true
- name: REDIS_SERVER
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: redis.server
optional: true
- name: REDIS_COMPRESSION
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: redis.compression
optional: true
- name: REDISDB
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: redis.db
optional: true
- name: REDIS_USERNAME
valueFrom:
secretKeyRef:
name: "argocd-redis"
key: redis-username
optional: true
- name: REDIS_PASSWORD
valueFrom:
secretKeyRef:
name: "argocd-redis" # hard-coded in Job command and embedded Redis deployments (standalone and redis-ha)
key: auth
optional: false # Secret is not optional in this case !
- name: REDIS_SENTINEL_USERNAME
valueFrom:
secretKeyRef:
name: argocd-redis-ha-haproxy
key: redis-sentinel-username
optional: true
- name: REDIS_SENTINEL_PASSWORD
valueFrom:
secretKeyRef:
name: argocd-redis-ha-haproxy
key: redis-sentinel-password
optional: true
- name: ARGOCD_DEFAULT_CACHE_EXPIRATION
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: server.default.cache.expiration
optional: true
- name: ARGOCD_MAX_COOKIE_NUMBER
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: server.http.cookie.maxnumber
optional: true
- name: ARGOCD_SERVER_LISTEN_ADDRESS
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: server.listen.address
optional: true
- name: ARGOCD_SERVER_METRICS_LISTEN_ADDRESS
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: server.metrics.listen.address
optional: true
- name: ARGOCD_SERVER_OTLP_ADDRESS
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: otlp.address
optional: true
- name: ARGOCD_SERVER_OTLP_INSECURE
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: otlp.insecure
optional: true
- name: ARGOCD_SERVER_OTLP_HEADERS
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: otlp.headers
optional: true
- name: ARGOCD_SERVER_OTLP_ATTRS
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: otlp.attrs
optional: true
- name: ARGOCD_APPLICATION_NAMESPACES
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: application.namespaces
optional: true
- name: ARGOCD_SERVER_ENABLE_PROXY_EXTENSION
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: server.enable.proxy.extension
optional: true
- name: ARGOCD_K8SCLIENT_RETRY_MAX
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: server.k8sclient.retry.max
optional: true
- name: ARGOCD_K8SCLIENT_RETRY_BASE_BACKOFF
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: server.k8sclient.retry.base.backoff
optional: true
- name: ARGOCD_API_CONTENT_TYPES
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: server.api.content.types
optional: true
- name: ARGOCD_SERVER_WEBHOOK_PARALLELISM_LIMIT
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: server.webhook.parallelism.limit
optional: true
- name: ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_NEW_GIT_FILE_GLOBBING
valueFrom:
configMapKeyRef:
key: applicationsetcontroller.enable.new.git.file.globbing
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_APPLICATIONSET_CONTROLLER_SCM_ROOT_CA_PATH
valueFrom:
configMapKeyRef:
key: applicationsetcontroller.scm.root.ca.path
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_APPLICATIONSET_CONTROLLER_ALLOWED_SCM_PROVIDERS
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: applicationsetcontroller.allowed.scm.providers
optional: true
- name: ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_SCM_PROVIDERS
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: applicationsetcontroller.enable.scm.providers
optional: true
- name: ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_GITHUB_API_METRICS
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: applicationsetcontroller.enable.github.api.metrics
optional: true
- name: ARGOCD_HYDRATOR_ENABLED
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: hydrator.enabled
optional: true
- name: ARGOCD_SYNC_WITH_REPLACE_ALLOWED
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: server.sync.replace.allowed
optional: true
volumeMounts:
- mountPath: /app/config/ssh
name: ssh-known-hosts
- mountPath: /app/config/tls
name: tls-certs
- mountPath: /app/config/server/tls
name: argocd-repo-server-tls
- mountPath: /app/config/dex/tls
name: argocd-dex-server-tls
- mountPath: /home/argocd
name: plugins-home
- mountPath: /shared/app/custom
name: styles
- mountPath: /tmp
name: tmp
- name: argocd-cmd-params-cm
mountPath: /home/argocd/params
- mountPath: /tmp/extensions
name: extensions
ports:
- name: server
containerPort: 8080
protocol: TCP
- name: metrics
containerPort: 8083
protocol: TCP
livenessProbe:
httpGet:
path: /healthz?full=true
port: server
initialDelaySeconds: 10
periodSeconds: 10
timeoutSeconds: 1
successThreshold: 1
failureThreshold: 3
readinessProbe:
httpGet:
path: /healthz
port: server
initialDelaySeconds: 10
periodSeconds: 10
timeoutSeconds: 1
successThreshold: 1
failureThreshold: 3
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
initContainers:
- name: extension-trivy
image: quay.io/argoprojlabs/argocd-extension-installer:v0.0.8
imagePullPolicy: IfNotPresent
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
volumeMounts:
- name: extensions
mountPath: /tmp/extensions/
- name: tmp
mountPath: /tmp
env:
- name: EXTENSION_URL
value: https://github.com/mziyabo/argocd-trivy-extension/releases/download/v0.2.0/extension-trivy.tar
- name: EXTENSION_CHECKSUM_URL
value: https://github.com/mziyabo/argocd-trivy-extension/releases/download/v0.2.0/extension-trivy_checksums.txt
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
labelSelector:
matchLabels:
app.kubernetes.io/name: argocd-server
topologyKey: kubernetes.io/hostname
nodeSelector:
kubernetes.io/os: linux
volumes:
- name: extensions
emptyDir: {}
- name: plugins-home
emptyDir: {}
- name: tmp
emptyDir: {}
- name: ssh-known-hosts
configMap:
name: argocd-ssh-known-hosts-cm
- name: tls-certs
configMap:
name: argocd-tls-certs-cm
- name: styles
configMap:
name: argocd-styles-cm
optional: true
- name: argocd-repo-server-tls
secret:
secretName: argocd-repo-server-tls
optional: true
items:
- key: tls.crt
path: tls.crt
- key: tls.key
path: tls.key
- key: ca.crt
path: ca.crt
- name: argocd-dex-server-tls
secret:
secretName: argocd-dex-server-tls
optional: true
items:
- key: tls.crt
path: tls.crt
- key: ca.crt
path: ca.crt
- name: argocd-cmd-params-cm
configMap:
optional: true
name: argocd-cmd-params-cm
items:
- key: server.profile.enabled
path: profiler.enabled
dnsPolicy: ClusterFirst
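Review bot: The `extension-trivy` init container fetches `extension-trivy.tar` from a third-party GitHub release each time a pod starts, and `EXTENSION_CHECKSUM_URL` points to the same release. A checksum fetched from the same origin as the artifact detects corruption but not a replaced release asset. The unpacked files land in the `extensions` volume that the `server` container mounts at `/tmp/extensions`, presumably to serve them to UI users. Consider mirroring the tarball and its checksum file to a location you control and pointing both variables there, e.g. `value: https://<internal-mirror>/extension-trivy.tar` (placeholder), or baking the extension into an image. As written, pod startup also depends on github.com being reachable.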


@@ -0,0 +1,59 @@
---
# Source: argocd/templates/external-secret.yaml
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: argocd-notifications-secret
namespace: argocd
labels:
app.kubernetes.io/name: argocd-notifications-secret
app.kubernetes.io/instance: argocd
app.kubernetes.io/part-of: argocd
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: ntfy-token
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /ntfy/user/cl01tl
metadataPolicy: None
property: token
# ---
# apiVersion: external-secrets.io/v1
# kind: ExternalSecret
# metadata:
# name: argocd-gitea-repo-infrastructure-secret
# namespace: argocd
# labels:
# app.kubernetes.io/name: argocd-gitea-repo-infrastructure-secret
# app.kubernetes.io/instance: argocd
# app.kubernetes.io/part-of: argocd
# spec:
# secretStoreRef:
# kind: ClusterSecretStore
# name: vault
# data:
# - secretKey: type
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/argocd/credentials/repo/infrastructure
# metadataPolicy: None
# property: type
# - secretKey: url
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/argocd/credentials/repo/infrastructure
# metadataPolicy: None
# property: url
# - secretKey: sshPrivateKey
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/argocd/credentials/repo/infrastructure
# metadataPolicy: None
# property: sshPrivateKey
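Review bot: The commented-out `argocd-gitea-repo-infrastructure-secret` ExternalSecret that follows the live resource is dead configuration, yet it still ships in the rendered manifest. It also reads as if a repository SSH credential were being synced from Vault, although nothing in this file creates that Secret. If the credential is now provisioned another way, delete the block from `argocd/templates/external-secret.yaml`. If it is only parked, replace it with a one-line comment such as `# repo credential for the infrastructure repo is managed outside this chart`.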


@@ -0,0 +1,30 @@
---
# Source: argocd/templates/external-secret.yaml
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: argocd-oidc-secret
namespace: argocd
labels:
app.kubernetes.io/name: argocd-oidc-secret
app.kubernetes.io/instance: argocd
app.kubernetes.io/part-of: argocd
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: secret
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /authentik/oidc/argocd
metadataPolicy: None
property: secret
- secretKey: client
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /authentik/oidc/argocd
metadataPolicy: None
property: client


@@ -0,0 +1,30 @@
---
# Source: argocd/templates/http-route.yaml
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: http-route-argocd
namespace: argocd
labels:
app.kubernetes.io/name: http-route-argocd
app.kubernetes.io/instance: argocd
app.kubernetes.io/part-of: argocd
spec:
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: traefik-gateway
namespace: traefik
hostnames:
- argocd.alexlebens.net
rules:
- matches:
- path:
type: PathPrefix
value: /
backendRefs:
- group: ''
kind: Service
name: argocd-server
port: 80
weight: 100
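Review bot: The `parentRefs` entry names `traefik-gateway` without a `sectionName`, so this route attaches to every listener on that Gateway that admits it. If the Gateway also exposes a plain-HTTP listener (its definition is not part of this section), the Argo CD login and API for `argocd.alexlebens.net` would be served without TLS. Pinning the route with `sectionName: <HTTPS_LISTENER_NAME>` (placeholder) under the parentRef prevents that. The backend is `argocd-server` port 80, so the hop from the gateway to the pod also looks unencrypted and presumably relies on the server running in insecure mode. It is worth confirming that this is intended and that only the gateway can reach the pod.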


@@ -0,0 +1,62 @@
---
# Source: argocd/charts/argo-cd/templates/redis-secret-init/job.yaml
apiVersion: batch/v1
kind: Job
metadata:
name: argocd-redis-secret-init
namespace: "argocd"
annotations:
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-delete-policy": before-hook-creation
labels:
helm.sh/chart: argo-cd-9.1.5
app.kubernetes.io/name: argocd-redis-secret-init
app.kubernetes.io/instance: argocd
app.kubernetes.io/component: redis-secret-init
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: "v3.2.1"
spec:
ttlSecondsAfterFinished: 60
template:
metadata:
labels:
helm.sh/chart: argo-cd-9.1.5
app.kubernetes.io/name: argocd-redis-secret-init
app.kubernetes.io/instance: argocd
app.kubernetes.io/component: redis-secret-init
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: "v3.2.1"
spec:
containers:
- command:
- argocd
- admin
- redis-initial-password
image: quay.io/argoproj/argocd:v3.2.1
imagePullPolicy: IfNotPresent
name: secret-init
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
restartPolicy: OnFailure
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
labelSelector:
matchLabels:
app.kubernetes.io/name: argocd-redis-secret-init
topologyKey: kubernetes.io/hostname
nodeSelector:
kubernetes.io/os: linux
serviceAccountName: argocd-redis-secret-init
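Review bot: The `secret-init` container is referenced by tag only (`quay.io/argoproj/argocd:v3.2.1`) with `imagePullPolicy: IfNotPresent`, so what runs is whatever the registry or a node's cache currently holds for that tag. This Job runs under a ServiceAccount that may create Secrets in the namespace (see the `argocd-redis-secret-init` Role in this commit), which makes an immutable reference worthwhile: `image: quay.io/argoproj/argocd:v3.2.1@sha256:<DIGEST>` (placeholder digest). The same applies to `koalaman/shellcheck:v0.10.0` and `ecr-public.aws.com/docker/library/redis:8.2.2-alpine` in the two test Pods, and to the application-controller StatefulSet image. Because these files are rendered from the chart, the pin belongs in the chart values rather than here.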


@@ -0,0 +1,43 @@
---
# Source: argocd/charts/argo-cd/charts/redis-ha/templates/tests/test-redis-ha-configmap.yaml
apiVersion: v1
kind: Pod
metadata:
name: argocd-redis-ha-configmap-test
namespace: "argocd"
labels:
app: redis-ha
heritage: "Helm"
release: "argocd"
chart: redis-ha-4.34.11
annotations:
"helm.sh/hook": test-success
spec:
nodeSelector: {}
tolerations: []
containers:
- name: check-init
image: koalaman/shellcheck:v0.10.0
args:
- --shell=sh
- /readonly-config/init.sh
volumeMounts:
- name: config
mountPath: /readonly-config
readOnly: true
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
restartPolicy: Never
volumes:
- name: config
configMap:
name: argocd-redis-ha-configmap
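Review bot: The Pod spec sets neither `serviceAccountName` nor `automountServiceAccountToken`, so this Pod runs under the namespace's `default` ServiceAccount. Unless that account disables automounting, an API token is mounted into a container that only runs shellcheck against a read-only ConfigMap file. Adding `automountServiceAccountToken: false` under `spec` removes a credential the Pod has no use for; the `argocd-redis-ha-service-test` Pod in the next section has the same gap. Both are `helm.sh/hook: test-success` resources, so whether they are ever created depends on how these rendered manifests are applied. That is worth confirming, because a tool that ignores the hook annotation would create them as ordinary Pods.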


@@ -0,0 +1,36 @@
---
# Source: argocd/charts/argo-cd/charts/redis-ha/templates/tests/test-redis-ha-pod.yaml
apiVersion: v1
kind: Pod
metadata:
name: argocd-redis-ha-service-test
namespace: "argocd"
labels:
app: redis-ha
heritage: "Helm"
release: "argocd"
chart: redis-ha-4.34.11
annotations:
"helm.sh/hook": test-success
spec:
nodeSelector: {}
tolerations: []
containers:
- name: "argocd-service-test"
image: ecr-public.aws.com/docker/library/redis:8.2.2-alpine
command:
- sh
- -c
- redis-cli -h argocd-redis-ha-haproxy -p 6379 info server
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
restartPolicy: Never


@@ -0,0 +1,54 @@
---
# Source: argocd/charts/argo-cd/templates/argocd-application-controller/role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: argocd-application-controller
namespace: argocd
labels:
helm.sh/chart: argo-cd-9.1.5
app.kubernetes.io/name: argocd-application-controller
app.kubernetes.io/instance: argocd
app.kubernetes.io/component: application-controller
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: "v3.2.1"
rules:
- apiGroups:
- ""
resources:
- secrets
- configmaps
verbs:
- get
- list
- watch
- apiGroups:
- argoproj.io
resources:
- applications
- applicationsets
- appprojects
verbs:
- create
- get
- list
- watch
- update
- patch
- delete
- apiGroups:
- ""
resources:
- events
verbs:
- create
- list
- apiGroups:
- apps
resources:
- deployments
verbs:
- get
- list
- watch


@@ -0,0 +1,104 @@
---
# Source: argocd/charts/argo-cd/templates/argocd-applicationset/role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: argocd-applicationset-controller
namespace: argocd
labels:
helm.sh/chart: argo-cd-9.1.5
app.kubernetes.io/name: argocd-applicationset-controller
app.kubernetes.io/instance: argocd
app.kubernetes.io/component: applicationset-controller
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: "v3.2.1"
rules:
- apiGroups:
- argoproj.io
resources:
- applications
- applicationsets
- applicationsets/finalizers
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- argoproj.io
resources:
- applicationsets/status
verbs:
- get
- patch
- update
- apiGroups:
- argoproj.io
resources:
- appprojects
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- events
verbs:
- create
- get
- list
- patch
- watch
- apiGroups:
- ""
resources:
- configmaps
verbs:
- create
- update
- delete
- get
- list
- patch
- watch
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- list
- watch
- apiGroups:
- apps
- extensions
resources:
- deployments
verbs:
- get
- list
- watch
# argocd-applicationset-controller leader election rules
# Create with resourceNames fails, so use a separate rule for the lease creation
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- create
- apiGroups:
- coordination.k8s.io
resources:
- leases
resourceNames:
# Defined in `cmd/argocd-applicationset-controller/commands/applicationset_controller.go`
- 58ac56fa.applicationsets.argoproj.io
verbs:
- get
- update
- create
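Review bot: The last rule lists `create` together with `resourceNames`, although the comment above the leader-election rules says create with resourceNames fails and a separate unnamed `create` rule on `leases` exists for that reason. The `create` verb in the named rule therefore grants nothing, and it makes lease creation look name-restricted when the effective permission is creating any Lease in the namespace. Dropping the verb, or adding `# create is granted by the previous rule; resourceNames cannot restrict it`, would make the actual grant clear. The file is rendered from the upstream chart, so the change belongs there.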


@@ -0,0 +1,25 @@
---
# Source: argocd/charts/argo-cd/templates/dex/role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: argocd-dex-server
namespace: argocd
labels:
helm.sh/chart: argo-cd-9.1.5
app.kubernetes.io/name: argocd-dex-server
app.kubernetes.io/instance: argocd
app.kubernetes.io/component: dex-server
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: "v3.2.1"
rules:
- apiGroups:
- ""
resources:
- secrets
- configmaps
verbs:
- get
- list
- watch
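Review bot: This Role lets the `argocd-dex-server` ServiceAccount `get`, `list` and `watch` every Secret in the `argocd` namespace. Per the ExternalSecrets in this commit, that includes `argocd-oidc-secret` and `argocd-notifications-secret`. If SSO is configured directly against the external OIDC provider rather than through a Dex connector (the Argo CD config is not visible here), Dex can be disabled in the chart values. Doing so removes this Role, its ServiceAccount and the Service on ports 5556–5558. If Dex is in use, a comment in the values file recording why is enough.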


@@ -0,0 +1,51 @@
---
# Source: argocd/charts/argo-cd/templates/argocd-notifications/role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: argocd-notifications-controller
namespace: argocd
labels:
helm.sh/chart: argo-cd-9.1.5
app.kubernetes.io/name: argocd-notifications-controller
app.kubernetes.io/instance: argocd
app.kubernetes.io/component: notifications-controller
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: "v3.2.1"
rules:
- apiGroups:
- argoproj.io
resources:
- applications
- appprojects
verbs:
- get
- list
- watch
- update
- patch
- apiGroups:
- ""
resources:
- configmaps
- secrets
verbs:
- list
- watch
- apiGroups:
- ""
resourceNames:
- argocd-notifications-cm
resources:
- configmaps
verbs:
- get
- apiGroups:
- ""
resourceNames:
- argocd-notifications-secret
resources:
- secrets
verbs:
- get
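Review bot: The second rule grants `list` and `watch` on all `secrets` and `configmaps` in the namespace, and a list response carries the full Secret data. The `resourceNames`-scoped `get` rules for `argocd-notifications-cm` and `argocd-notifications-secret` therefore do not narrow what this ServiceAccount can read. For access review, treat the notifications controller as able to read every Secret in `argocd`, including the OIDC client secret synced in this commit. A comment on the rule, `# list/watch returns full objects; the resourceNames rules below do not limit secret reads`, would stop the later rules from being read as a restriction. The rules come from the upstream chart.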


@@ -0,0 +1,20 @@
---
# Source: argocd/charts/argo-cd/charts/redis-ha/templates/redis-haproxy-role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: argocd-redis-ha-haproxy
namespace: "argocd"
labels:
app: redis-ha
heritage: "Helm"
release: "argocd"
chart: redis-ha-4.34.11
component: haproxy
rules:
- apiGroups:
- ""
resources:
- endpoints
verbs:
- get


@@ -0,0 +1,19 @@
---
# Source: argocd/charts/argo-cd/charts/redis-ha/templates/redis-ha-role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: argocd-redis-ha
namespace: "argocd"
labels:
app: redis-ha
heritage: "Helm"
release: "argocd"
chart: redis-ha-4.34.11
rules:
- apiGroups:
- ""
resources:
- endpoints
verbs:
- get


@@ -0,0 +1,33 @@
---
# Source: argocd/charts/argo-cd/templates/redis-secret-init/role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
annotations:
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-delete-policy": before-hook-creation
labels:
helm.sh/chart: argo-cd-9.1.5
app.kubernetes.io/name: argocd-redis-secret-init
app.kubernetes.io/instance: argocd
app.kubernetes.io/component: redis-secret-init
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: "v3.2.1"
name: argocd-redis-secret-init
namespace: "argocd"
rules:
- apiGroups:
- ""
resources:
- secrets
resourceNames:
- argocd-redis
verbs:
- get
- apiGroups:
- ""
resources:
- secrets
verbs:
- create


@@ -0,0 +1,16 @@
---
# Source: argocd/charts/argo-cd/templates/argocd-repo-server/role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: argocd-repo-server
namespace: argocd
labels:
helm.sh/chart: argo-cd-9.1.5
app.kubernetes.io/name: argocd-repo-server
app.kubernetes.io/instance: argocd
app.kubernetes.io/component: repo-server
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: "v3.2.1"
rules:


@@ -0,0 +1,50 @@
---
# Source: argocd/charts/argo-cd/templates/argocd-server/role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: argocd-server
namespace: argocd
labels:
helm.sh/chart: argo-cd-9.1.5
app.kubernetes.io/name: argocd-server
app.kubernetes.io/instance: argocd
app.kubernetes.io/component: server
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: "v3.2.1"
rules:
- apiGroups:
- ""
resources:
- secrets
- configmaps
verbs:
- create
- get
- list
- watch
- update
- patch
- delete
- apiGroups:
- argoproj.io
resources:
- applications
- applicationsets
- appprojects
verbs:
- create
- get
- list
- watch
- update
- delete
- patch
- apiGroups:
- ""
resources:
- events
verbs:
- create
- list


@@ -0,0 +1,23 @@
---
# Source: argocd/charts/argo-cd/templates/argocd-application-controller/rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: argocd-application-controller
namespace: argocd
labels:
helm.sh/chart: argo-cd-9.1.5
app.kubernetes.io/name: argocd-application-controller
app.kubernetes.io/instance: argocd
app.kubernetes.io/component: application-controller
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: "v3.2.1"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: argocd-application-controller
subjects:
- kind: ServiceAccount
name: argocd-application-controller
namespace: argocd


@@ -0,0 +1,23 @@
---
# Source: argocd/charts/argo-cd/templates/argocd-applicationset/rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: argocd-applicationset-controller
namespace: argocd
labels:
helm.sh/chart: argo-cd-9.1.5
app.kubernetes.io/name: argocd-applicationset-controller
app.kubernetes.io/instance: argocd
app.kubernetes.io/component: applicationset-controller
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: "v3.2.1"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: argocd-applicationset-controller
subjects:
- kind: ServiceAccount
name: argocd-applicationset-controller
namespace: argocd


@@ -0,0 +1,23 @@
---
# Source: argocd/charts/argo-cd/templates/dex/rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: argocd-dex-server
namespace: argocd
labels:
helm.sh/chart: argo-cd-9.1.5
app.kubernetes.io/name: argocd-dex-server
app.kubernetes.io/instance: argocd
app.kubernetes.io/component: dex-server
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: "v3.2.1"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: argocd-dex-server
subjects:
- kind: ServiceAccount
name: argocd-dex-server
namespace: argocd


@@ -0,0 +1,23 @@
---
# Source: argocd/charts/argo-cd/templates/argocd-notifications/rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: argocd-notifications-controller
namespace: argocd
labels:
helm.sh/chart: argo-cd-9.1.5
app.kubernetes.io/name: argocd-notifications-controller
app.kubernetes.io/instance: argocd
app.kubernetes.io/component: notifications-controller
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: "v3.2.1"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: argocd-notifications-controller
subjects:
- kind: ServiceAccount
name: argocd-notifications-controller
namespace: argocd


@@ -0,0 +1,20 @@
---
# Source: argocd/charts/argo-cd/charts/redis-ha/templates/redis-haproxy-rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: argocd-redis-ha-haproxy
namespace: "argocd"
labels:
app: redis-ha
heritage: "Helm"
release: "argocd"
chart: redis-ha-4.34.11
component: haproxy
subjects:
- kind: ServiceAccount
name: argocd-redis-ha-haproxy
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: argocd-redis-ha-haproxy


@@ -0,0 +1,19 @@
---
# Source: argocd/charts/argo-cd/charts/redis-ha/templates/redis-ha-rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: argocd-redis-ha
namespace: "argocd"
labels:
app: redis-ha
heritage: "Helm"
release: "argocd"
chart: redis-ha-4.34.11
subjects:
- kind: ServiceAccount
name: argocd-redis-ha
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: argocd-redis-ha


@@ -0,0 +1,25 @@
---
# Source: argocd/charts/argo-cd/templates/redis-secret-init/rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
annotations:
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-delete-policy": before-hook-creation
labels:
helm.sh/chart: argo-cd-9.1.5
app.kubernetes.io/name: argocd-redis-secret-init
app.kubernetes.io/instance: argocd
app.kubernetes.io/component: redis-secret-init
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: "v3.2.1"
name: argocd-redis-secret-init
namespace: "argocd"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: argocd-redis-secret-init
subjects:
- kind: ServiceAccount
name: argocd-redis-secret-init


@@ -0,0 +1,23 @@
---
# Source: argocd/charts/argo-cd/templates/argocd-repo-server/rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: argocd-repo-server
namespace: argocd
labels:
helm.sh/chart: argo-cd-9.1.5
app.kubernetes.io/name: argocd-repo-server
app.kubernetes.io/instance: argocd
app.kubernetes.io/component: repo-server
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: "v3.2.1"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: argocd-repo-server
subjects:
- kind: ServiceAccount
name: argocd-repo-server
namespace: argocd


@@ -0,0 +1,23 @@
---
# Source: argocd/charts/argo-cd/templates/argocd-server/rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: argocd-server
namespace: argocd
labels:
helm.sh/chart: argo-cd-9.1.5
app.kubernetes.io/name: argocd-server
app.kubernetes.io/instance: argocd
app.kubernetes.io/component: server
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: "v3.2.1"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: argocd-server
subjects:
- kind: ServiceAccount
name: argocd-server
namespace: argocd


@@ -0,0 +1,16 @@
---
# Source: argocd/charts/argo-cd/templates/argocd-configs/argocd-secret.yaml
apiVersion: v1
kind: Secret
metadata:
name: argocd-secret
namespace: argocd
labels:
helm.sh/chart: argo-cd-9.1.5
app.kubernetes.io/name: argocd-secret
app.kubernetes.io/instance: argocd
app.kubernetes.io/component: server
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: "v3.2.1"
type: Opaque


@@ -0,0 +1,25 @@
---
# Source: argocd/charts/argo-cd/templates/argocd-application-controller/metrics.yaml
apiVersion: v1
kind: Service
metadata:
name: argocd-application-controller-metrics
namespace: argocd
labels:
helm.sh/chart: argo-cd-9.1.5
app.kubernetes.io/name: argocd-metrics
app.kubernetes.io/instance: argocd
app.kubernetes.io/component: application-controller
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: "v3.2.1"
spec:
type: ClusterIP
ports:
- name: http-metrics
protocol: TCP
port: 8082
targetPort: metrics
selector:
app.kubernetes.io/name: argocd-application-controller
app.kubernetes.io/instance: argocd


@@ -0,0 +1,25 @@
---
# Source: argocd/charts/argo-cd/templates/argocd-applicationset/metrics.yaml
apiVersion: v1
kind: Service
metadata:
name: argocd-applicationset-controller-metrics
namespace: argocd
labels:
helm.sh/chart: argo-cd-9.1.5
app.kubernetes.io/name: argocd-metrics
app.kubernetes.io/instance: argocd
app.kubernetes.io/component: applicationset-controller
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: "v3.2.1"
spec:
type: ClusterIP
ports:
- name: http-metrics
protocol: TCP
port: 8080
targetPort: metrics
selector:
app.kubernetes.io/name: argocd-applicationset-controller
app.kubernetes.io/instance: argocd


@@ -0,0 +1,24 @@
---
# Source: argocd/charts/argo-cd/templates/argocd-applicationset/service.yaml
apiVersion: v1
kind: Service
metadata:
name: argocd-applicationset-controller
namespace: argocd
labels:
helm.sh/chart: argo-cd-9.1.5
app.kubernetes.io/name: argocd-applicationset-controller
app.kubernetes.io/instance: argocd
app.kubernetes.io/component: applicationset-controller
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: "v3.2.1"
spec:
type: ClusterIP
ports:
- name: http-webhook
port: 7000
targetPort: webhook
selector:
app.kubernetes.io/name: argocd-applicationset-controller
app.kubernetes.io/instance: argocd


@@ -0,0 +1,32 @@
---
# Source: argocd/charts/argo-cd/templates/dex/service.yaml
apiVersion: v1
kind: Service
metadata:
name: argocd-dex-server
namespace: argocd
labels:
helm.sh/chart: argo-cd-9.1.5
app.kubernetes.io/name: argocd-dex-server
app.kubernetes.io/instance: argocd
app.kubernetes.io/component: dex-server
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: "v3.2.1"
spec:
ports:
- name: http
protocol: TCP
port: 5556
targetPort: http
- name: grpc
protocol: TCP
port: 5557
targetPort: grpc
- name: http-metrics
protocol: TCP
port: 5558
targetPort: metrics
selector:
app.kubernetes.io/name: argocd-dex-server
app.kubernetes.io/instance: argocd


@@ -0,0 +1,25 @@
---
# Source: argocd/charts/argo-cd/templates/argocd-notifications/metrics.yaml
apiVersion: v1
kind: Service
metadata:
name: argocd-notifications-controller-metrics
namespace: argocd
labels:
helm.sh/chart: argo-cd-9.1.5
app.kubernetes.io/name: argocd-metrics
app.kubernetes.io/instance: argocd
app.kubernetes.io/component: notifications-controller
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: "v3.2.1"
spec:
type: ClusterIP
selector:
app.kubernetes.io/name: argocd-notifications-controller
app.kubernetes.io/instance: argocd
ports:
- name: http-metrics
protocol: TCP
port: 9001
targetPort: metrics


@@ -0,0 +1,29 @@
---
# Source: argocd/charts/argo-cd/charts/redis-ha/templates/redis-ha-announce-service.yaml
apiVersion: v1
kind: Service
metadata:
name: argocd-redis-ha-announce-0
namespace: "argocd"
labels:
app: redis-ha
heritage: "Helm"
release: "argocd"
chart: redis-ha-4.34.11
annotations:
spec:
publishNotReadyAddresses: true
type: ClusterIP
ports:
- name: tcp-server
port: 6379
protocol: TCP
targetPort: redis
- name: tcp-sentinel
port: 26379
protocol: TCP
targetPort: sentinel
selector:
release: argocd
app: redis-ha
"statefulset.kubernetes.io/pod-name": argocd-redis-ha-server-0


@@ -0,0 +1,29 @@
---
# Source: argocd/charts/argo-cd/charts/redis-ha/templates/redis-ha-announce-service.yaml
apiVersion: v1
kind: Service
metadata:
name: argocd-redis-ha-announce-1
namespace: "argocd"
labels:
app: redis-ha
heritage: "Helm"
release: "argocd"
chart: redis-ha-4.34.11
annotations:
spec:
publishNotReadyAddresses: true
type: ClusterIP
ports:
- name: tcp-server
port: 6379
protocol: TCP
targetPort: redis
- name: tcp-sentinel
port: 26379
protocol: TCP
targetPort: sentinel
selector:
release: argocd
app: redis-ha
"statefulset.kubernetes.io/pod-name": argocd-redis-ha-server-1


@@ -0,0 +1,29 @@
---
# Source: argocd/charts/argo-cd/charts/redis-ha/templates/redis-ha-announce-service.yaml
apiVersion: v1
kind: Service
metadata:
name: argocd-redis-ha-announce-2
namespace: "argocd"
labels:
app: redis-ha
heritage: "Helm"
release: "argocd"
chart: redis-ha-4.34.11
annotations:
spec:
publishNotReadyAddresses: true
type: ClusterIP
ports:
- name: tcp-server
port: 6379
protocol: TCP
targetPort: redis
- name: tcp-sentinel
port: 26379
protocol: TCP
targetPort: sentinel
selector:
release: argocd
app: redis-ha
"statefulset.kubernetes.io/pod-name": argocd-redis-ha-server-2


@@ -0,0 +1,28 @@
---
# Source: argocd/charts/argo-cd/charts/redis-ha/templates/redis-haproxy-service.yaml
apiVersion: v1
kind: Service
metadata:
name: argocd-redis-ha-haproxy
namespace: "argocd"
labels:
app: redis-ha
heritage: "Helm"
release: "argocd"
chart: redis-ha-4.34.11
component: haproxy
annotations:
spec:
type: ClusterIP
ports:
- name: tcp-haproxy
port: 6379
protocol: TCP
targetPort: redis
- name: http-exporter-port
port: 9101
protocol: TCP
targetPort: metrics-port
selector:
release: argocd
app: redis-ha-haproxy


@@ -0,0 +1,28 @@
---
# Source: argocd/charts/argo-cd/charts/redis-ha/templates/redis-ha-service.yaml
apiVersion: v1
kind: Service
metadata:
name: argocd-redis-ha
namespace: "argocd"
labels:
app: redis-ha
heritage: "Helm"
release: "argocd"
chart: redis-ha-4.34.11
annotations:
spec:
type: ClusterIP
clusterIP: None
ports:
- name: tcp-server
port: 6379
protocol: TCP
targetPort: redis
- name: tcp-sentinel
port: 26379
protocol: TCP
targetPort: sentinel
selector:
release: argocd
app: redis-ha


@@ -0,0 +1,25 @@
---
# Source: argocd/charts/argo-cd/templates/argocd-repo-server/metrics.yaml
apiVersion: v1
kind: Service
metadata:
name: argocd-repo-server-metrics
namespace: argocd
labels:
helm.sh/chart: argo-cd-9.1.5
app.kubernetes.io/name: argocd-repo-server-metrics
app.kubernetes.io/instance: argocd
app.kubernetes.io/component: repo-server
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: "v3.2.1"
spec:
type: ClusterIP
ports:
- name: http-metrics
protocol: TCP
port: 8084
targetPort: metrics
selector:
app.kubernetes.io/name: argocd-repo-server
app.kubernetes.io/instance: argocd


@@ -0,0 +1,24 @@
---
# Source: argocd/charts/argo-cd/templates/argocd-repo-server/service.yaml
apiVersion: v1
kind: Service
metadata:
labels:
helm.sh/chart: argo-cd-9.1.5
app.kubernetes.io/name: argocd-repo-server
app.kubernetes.io/instance: argocd
app.kubernetes.io/component: repo-server
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: "v3.2.1"
name: argocd-repo-server
namespace: argocd
spec:
ports:
- name: tcp-repo-server
protocol: TCP
port: 8081
targetPort: repo-server
selector:
app.kubernetes.io/name: argocd-repo-server
app.kubernetes.io/instance: argocd


@@ -0,0 +1,25 @@
---
# Source: argocd/charts/argo-cd/templates/argocd-server/metrics.yaml
apiVersion: v1
kind: Service
metadata:
name: argocd-server-metrics
namespace: argocd
labels:
helm.sh/chart: argo-cd-9.1.5
app.kubernetes.io/name: argocd-server-metrics
app.kubernetes.io/instance: argocd
app.kubernetes.io/component: server
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: "v3.2.1"
spec:
type: ClusterIP
ports:
- name: http-metrics
protocol: TCP
port: 8083
targetPort: metrics
selector:
app.kubernetes.io/name: argocd-server
app.kubernetes.io/instance: argocd


@@ -0,0 +1,30 @@
---
# Source: argocd/charts/argo-cd/templates/argocd-server/service.yaml
apiVersion: v1
kind: Service
metadata:
name: argocd-server
namespace: argocd
labels:
helm.sh/chart: argo-cd-9.1.5
app.kubernetes.io/name: argocd-server
app.kubernetes.io/instance: argocd
app.kubernetes.io/component: server
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: "v3.2.1"
spec:
type: ClusterIP
sessionAffinity: None
ports:
- name: http
protocol: TCP
port: 80
targetPort: 8080
- name: https
protocol: TCP
port: 443
targetPort: 8080
selector:
app.kubernetes.io/name: argocd-server
app.kubernetes.io/instance: argocd


@@ -0,0 +1,16 @@
---
# Source: argocd/charts/argo-cd/templates/argocd-application-controller/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
automountServiceAccountToken: true
metadata:
name: argocd-application-controller
namespace: argocd
labels:
helm.sh/chart: argo-cd-9.1.5
app.kubernetes.io/name: argocd-application-controller
app.kubernetes.io/instance: argocd
app.kubernetes.io/component: application-controller
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: "v3.2.1"


@@ -0,0 +1,16 @@
---
# Source: argocd/charts/argo-cd/templates/argocd-applicationset/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
automountServiceAccountToken: true
metadata:
name: argocd-applicationset-controller
namespace: argocd
labels:
helm.sh/chart: argo-cd-9.1.5
app.kubernetes.io/name: argocd-applicationset-controller
app.kubernetes.io/instance: argocd
app.kubernetes.io/component: applicationset-controller
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: "v3.2.1"


@@ -0,0 +1,16 @@
---
# Source: argocd/charts/argo-cd/templates/dex/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
automountServiceAccountToken: true
metadata:
name: argocd-dex-server
namespace: argocd
labels:
helm.sh/chart: argo-cd-9.1.5
app.kubernetes.io/name: argocd-dex-server
app.kubernetes.io/instance: argocd
app.kubernetes.io/component: dex-server
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: "v3.2.1"


@@ -0,0 +1,16 @@
---
# Source: argocd/charts/argo-cd/templates/argocd-notifications/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
automountServiceAccountToken: true
metadata:
name: argocd-notifications-controller
namespace: argocd
labels:
helm.sh/chart: argo-cd-9.1.5
app.kubernetes.io/name: argocd-notifications-controller
app.kubernetes.io/instance: argocd
app.kubernetes.io/component: notifications-controller
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: "v3.2.1"


@@ -0,0 +1,12 @@
---
# Source: argocd/charts/argo-cd/charts/redis-ha/templates/redis-haproxy-serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: argocd-redis-ha-haproxy
namespace: "argocd"
labels:
heritage: Helm
release: argocd
chart: redis-ha-4.34.11
app: argocd-redis-ha


@@ -0,0 +1,12 @@
---
# Source: argocd/charts/argo-cd/charts/redis-ha/templates/redis-ha-serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: argocd-redis-ha
namespace: "argocd"
labels:
heritage: Helm
release: argocd
chart: redis-ha-4.34.11
app: argocd-redis-ha


@@ -0,0 +1,19 @@
---
# Source: argocd/charts/argo-cd/templates/redis-secret-init/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
automountServiceAccountToken: true
metadata:
name: argocd-redis-secret-init
namespace: "argocd"
annotations:
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-delete-policy": before-hook-creation
labels:
helm.sh/chart: argo-cd-9.1.5
app.kubernetes.io/name: argocd-redis-secret-init
app.kubernetes.io/instance: argocd
app.kubernetes.io/component: redis-secret-init
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: "v3.2.1"


@@ -0,0 +1,16 @@
---
# Source: argocd/charts/argo-cd/templates/argocd-repo-server/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
automountServiceAccountToken: true
metadata:
name: argocd-repo-server
namespace: argocd
labels:
helm.sh/chart: argo-cd-9.1.5
app.kubernetes.io/name: argocd-repo-server
app.kubernetes.io/instance: argocd
app.kubernetes.io/component: repo-server
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: "v3.2.1"
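Review bot: `automountServiceAccountToken: true` mounts an API token into repo-server pods, although the `argocd-repo-server` Role in this commit renders with an empty `rules:`. repo-server is the component that runs manifest-generation tooling over repository content, so a token it has no use for is better left unmounted: `automountServiceAccountToken: false`. The Deployment's pod spec, which is outside this section, can override the ServiceAccount setting, so set the same value there through the chart values and re-render.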


@@ -0,0 +1,16 @@
---
# Source: argocd/charts/argo-cd/templates/argocd-server/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
automountServiceAccountToken: true
metadata:
name: argocd-server
namespace: argocd
labels:
helm.sh/chart: argo-cd-9.1.5
app.kubernetes.io/name: argocd-server
app.kubernetes.io/instance: argocd
app.kubernetes.io/component: server
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: "v3.2.1"


@@ -0,0 +1,398 @@
---
# Source: argocd/charts/argo-cd/templates/argocd-application-controller/statefulset.yaml
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: argocd-application-controller
namespace: argocd
labels:
helm.sh/chart: argo-cd-9.1.5
app.kubernetes.io/name: argocd-application-controller
app.kubernetes.io/instance: argocd
app.kubernetes.io/component: application-controller
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: "v3.2.1"
spec:
replicas: 1
revisionHistoryLimit: 5
serviceName: argocd-application-controller
selector:
matchLabels:
app.kubernetes.io/name: argocd-application-controller
app.kubernetes.io/instance: argocd
template:
metadata:
annotations:
checksum/cmd-params: bf2519278596ec7cee3e61f230a7b6ebbdcc8a5166fe036da04fccfdfa4ac1d1
checksum/cm: b85950385c4567f0f6332e53f51df2bbe58a65f5771ac318c863d1b4e831ff9b
labels:
helm.sh/chart: argo-cd-9.1.5
app.kubernetes.io/name: argocd-application-controller
app.kubernetes.io/instance: argocd
app.kubernetes.io/component: application-controller
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: "v3.2.1"
spec:
terminationGracePeriodSeconds: 30
serviceAccountName: argocd-application-controller
automountServiceAccountToken: true
containers:
- args:
- /usr/local/bin/argocd-application-controller
- --metrics-port=8082
image: quay.io/argoproj/argocd:v3.2.1
imagePullPolicy: IfNotPresent
name: application-controller
env:
- name: ARGOCD_CONTROLLER_REPLICAS
value: "1"
- name: ARGOCD_APPLICATION_CONTROLLER_NAME
value: argocd-application-controller
- name: ARGOCD_RECONCILIATION_TIMEOUT
valueFrom:
configMapKeyRef:
name: argocd-cm
key: timeout.reconciliation
optional: true
- name: ARGOCD_HARD_RECONCILIATION_TIMEOUT
valueFrom:
configMapKeyRef:
name: argocd-cm
key: timeout.hard.reconciliation
optional: true
- name: ARGOCD_RECONCILIATION_JITTER
valueFrom:
configMapKeyRef:
key: timeout.reconciliation.jitter
name: argocd-cm
optional: true
- name: ARGOCD_REPO_ERROR_GRACE_PERIOD_SECONDS
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.repo.error.grace.period.seconds
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: repo.server
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER_TIMEOUT_SECONDS
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.repo.server.timeout.seconds
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_STATUS_PROCESSORS
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.status.processors
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_OPERATION_PROCESSORS
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.operation.processors
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_LOGFORMAT
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.log.format
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_LOGLEVEL
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.log.level
optional: true
- name: ARGOCD_LOG_FORMAT_TIMESTAMP
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: log.format.timestamp
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_METRICS_CACHE_EXPIRATION
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.metrics.cache.expiration
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_SELF_HEAL_TIMEOUT_SECONDS
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.self.heal.timeout.seconds
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_SELF_HEAL_BACKOFF_TIMEOUT_SECONDS
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.self.heal.backoff.timeout.seconds
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_SELF_HEAL_BACKOFF_FACTOR
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.self.heal.backoff.factor
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_SELF_HEAL_BACKOFF_CAP_SECONDS
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.self.heal.backoff.cap.seconds
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_SELF_HEAL_BACKOFF_COOLDOWN_SECONDS
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.self.heal.backoff.cooldown.seconds
optional: true
- name: ARGOCD_SYNC_WAVE_DELAY
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.sync.wave.delay.seconds
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_SYNC_TIMEOUT
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.sync.timeout.seconds
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER_PLAINTEXT
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.repo.server.plaintext
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER_STRICT_TLS
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.repo.server.strict.tls
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_PERSIST_RESOURCE_HEALTH
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.resource.health.persist
optional: true
- name: ARGOCD_APP_STATE_CACHE_EXPIRATION
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.app.state.cache.expiration
optional: true
- name: REDIS_SERVER
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: redis.server
optional: true
- name: REDIS_COMPRESSION
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: redis.compression
optional: true
- name: REDISDB
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: redis.db
optional: true
- name: REDIS_USERNAME
valueFrom:
secretKeyRef:
name: "argocd-redis"
key: redis-username
optional: true
- name: REDIS_PASSWORD
valueFrom:
secretKeyRef:
name: "argocd-redis" # hard-coded in Job command and embedded Redis deployments (standalone and redis-ha)
key: auth
optional: false # Secret is not optional in this case !
- name: REDIS_SENTINEL_USERNAME
valueFrom:
secretKeyRef:
name: argocd-redis-ha-haproxy
key: redis-sentinel-username
optional: true
- name: REDIS_SENTINEL_PASSWORD
valueFrom:
secretKeyRef:
name: argocd-redis-ha-haproxy
key: redis-sentinel-password
optional: true
- name: ARGOCD_DEFAULT_CACHE_EXPIRATION
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.default.cache.expiration
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_OTLP_ADDRESS
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: otlp.address
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_OTLP_INSECURE
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: otlp.insecure
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_OTLP_HEADERS
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: otlp.headers
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_OTLP_ATTRS
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: otlp.attrs
optional: true
- name: ARGOCD_APPLICATION_NAMESPACES
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: application.namespaces
optional: true
- name: ARGOCD_CONTROLLER_SHARDING_ALGORITHM
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.sharding.algorithm
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_KUBECTL_PARALLELISM_LIMIT
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.kubectl.parallelism.limit
optional: true
- name: ARGOCD_K8SCLIENT_RETRY_MAX
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.k8sclient.retry.max
optional: true
- name: ARGOCD_K8SCLIENT_RETRY_BASE_BACKOFF
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.k8sclient.retry.base.backoff
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_SERVER_SIDE_DIFF
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.diff.server.side
optional: true
- name: ARGOCD_IGNORE_NORMALIZER_JQ_TIMEOUT
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.ignore.normalizer.jq.timeout
optional: true
- name: ARGOCD_HYDRATOR_ENABLED
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: hydrator.enabled
optional: true
- name: ARGOCD_CLUSTER_CACHE_BATCH_EVENTS_PROCESSING
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.cluster.cache.batch.events.processing
optional: true
- name: ARGOCD_CLUSTER_CACHE_EVENTS_PROCESSING_INTERVAL
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.cluster.cache.events.processing.interval
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_COMMIT_SERVER
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: commit.server
optional: true
- name: KUBECACHEDIR
value: /tmp/kubecache
ports:
- name: metrics
containerPort: 8082
protocol: TCP
readinessProbe:
httpGet:
path: /healthz
port: metrics
initialDelaySeconds: 10
periodSeconds: 10
timeoutSeconds: 1
successThreshold: 1
failureThreshold: 3
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
workingDir: /home/argocd
volumeMounts:
- mountPath: /app/config/controller/tls
name: argocd-repo-server-tls
- mountPath: /home/argocd
name: argocd-home
- name: argocd-cmd-params-cm
mountPath: /home/argocd/params
- name: argocd-application-controller-tmp
mountPath: /tmp
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
labelSelector:
matchLabels:
app.kubernetes.io/name: argocd-application-controller
topologyKey: kubernetes.io/hostname
nodeSelector:
kubernetes.io/os: linux
volumes:
- name: argocd-home
emptyDir: {}
- name: argocd-application-controller-tmp
emptyDir: {}
- name: argocd-repo-server-tls
secret:
secretName: argocd-repo-server-tls
optional: true
items:
- key: tls.crt
path: tls.crt
- key: tls.key
path: tls.key
- key: ca.crt
path: ca.crt
- name: argocd-cmd-params-cm
configMap:
optional: true
name: argocd-cmd-params-cm
items:
- key: controller.profile.enabled
path: profiler.enabled
dnsPolicy: ClusterFirst
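Review bot: `image: quay.io/argoproj/argocd:v3.2.1` in the `application-controller` container is resolved by tag, while the pod spec sets `automountServiceAccountToken: true`, so whatever the tag points to at pull time runs with the controller's service account credentials. Pin the reference by digest, e.g. `image: quay.io/argoproj/argocd:v3.2.1@sha256:<digest-of-verified-image>` (placeholder; take the value from the release you verified). The four `redis:8.2.2-alpine` references in the redis-ha StatefulSet section are tag-only as well. Since the manifest is rendered from the chart, the digest presumably has to be set through the chart's image values.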


@@ -0,0 +1,251 @@
---
# Source: argocd/charts/argo-cd/charts/redis-ha/templates/redis-ha-statefulset.yaml
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: argocd-redis-ha-server
namespace: "argocd"
labels:
argocd-redis-ha: replica
app: redis-ha
heritage: "Helm"
release: "argocd"
chart: redis-ha-4.34.11
annotations: {}
spec:
selector:
matchLabels:
release: argocd
app: redis-ha
serviceName: argocd-redis-ha
replicas: 3
podManagementPolicy: OrderedReady
updateStrategy:
type: RollingUpdate
template:
metadata:
annotations:
checksum/init-config: ba53465a7f9221d17ea160133c99baec040e67b7b15fb4743adc8eca497cdf89
labels:
release: argocd
app: redis-ha
argocd-redis-ha: replica
spec:
terminationGracePeriodSeconds: 60
affinity:
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchLabels:
app: redis-ha
release: argocd
argocd-redis-ha: replica
topologyKey: kubernetes.io/hostname
securityContext:
fsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
serviceAccountName: argocd-redis-ha
automountServiceAccountToken: false
initContainers:
- name: config-init
image: ecr-public.aws.com/docker/library/redis:8.2.2-alpine
imagePullPolicy: IfNotPresent
resources: {}
command:
- sh
args:
- /readonly-config/init.sh
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
env:
- name: SENTINEL_ID_0
value: 3c0d9c0320bb34888c2df5757c718ce6ca992ce6
- name: SENTINEL_ID_1
value: 40000915ab58c3fa8fd888fb8b24711944e6cbb4
- name: SENTINEL_ID_2
value: 2bbec7894d954a8af3bb54d13eaec53cb024e2ca
volumeMounts:
- name: config
mountPath: /readonly-config
readOnly: true
- name: data
mountPath: /data
containers:
- name: redis
image: ecr-public.aws.com/docker/library/redis:8.2.2-alpine
imagePullPolicy: IfNotPresent
command:
- redis-server
args:
- /data/conf/redis.conf
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
livenessProbe:
initialDelaySeconds: 30
periodSeconds: 15
timeoutSeconds: 15
successThreshold: 1
failureThreshold: 5
exec:
command:
- sh
- -c
- /health/redis_liveness.sh
readinessProbe:
initialDelaySeconds: 30
periodSeconds: 15
timeoutSeconds: 15
successThreshold: 1
failureThreshold: 5
exec:
command:
- sh
- -c
- /health/redis_readiness.sh
startupProbe:
initialDelaySeconds: 30
periodSeconds: 15
timeoutSeconds: 15
successThreshold: 1
failureThreshold: 5
exec:
command:
- sh
- -c
- /health/redis_readiness.sh
resources: {}
ports:
- name: redis
containerPort: 6379
volumeMounts:
- name: config
mountPath: /readonly-config
readOnly: true
- mountPath: /data
name: data
- mountPath: /health
name: health
lifecycle:
preStop:
exec:
command:
- /bin/sh
- /readonly-config/trigger-failover-if-master.sh
- name: sentinel
image: ecr-public.aws.com/docker/library/redis:8.2.2-alpine
imagePullPolicy: IfNotPresent
command:
- redis-sentinel
args:
- /data/conf/sentinel.conf
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
livenessProbe:
initialDelaySeconds: 30
periodSeconds: 15
timeoutSeconds: 15
successThreshold: 1
failureThreshold: 5
exec:
command:
- sh
- -c
- /health/sentinel_liveness.sh
readinessProbe:
initialDelaySeconds: 30
periodSeconds: 15
timeoutSeconds: 15
successThreshold: 3
failureThreshold: 5
exec:
command:
- sh
- -c
- /health/sentinel_liveness.sh
startupProbe:
initialDelaySeconds: 5
periodSeconds: 10
timeoutSeconds: 15
successThreshold: 1
failureThreshold: 3
exec:
command:
- sh
- -c
- /health/sentinel_liveness.sh
resources: {}
ports:
- name: sentinel
containerPort: 26379
volumeMounts:
- mountPath: /data
name: data
- mountPath: /health
name: health
lifecycle: {}
- name: split-brain-fix
image: ecr-public.aws.com/docker/library/redis:8.2.2-alpine
imagePullPolicy: IfNotPresent
command:
- sh
args:
- /readonly-config/fix-split-brain.sh
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
env:
- name: SENTINEL_ID_0
value: 3c0d9c0320bb34888c2df5757c718ce6ca992ce6
- name: SENTINEL_ID_1
value: 40000915ab58c3fa8fd888fb8b24711944e6cbb4
- name: SENTINEL_ID_2
value: 2bbec7894d954a8af3bb54d13eaec53cb024e2ca
resources: {}
volumeMounts:
- name: config
mountPath: /readonly-config
readOnly: true
- mountPath: /data
name: data
volumes:
- name: config
configMap:
name: argocd-redis-ha-configmap
- name: health
configMap:
name: argocd-redis-ha-health-configmap
defaultMode: 0755
- name: data
emptyDir: {}
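Review bot: All four containers here (`config-init`, `redis`, `sentinel`, `split-brain-fix`) render `resources: {}` and the `data` volume is a bare `emptyDir: {}`, so Redis memory and on-node disk use are bounded only by the node. Pods without requests are the first candidates for eviction under node pressure, and the required `podAntiAffinity` on `kubernetes.io/hostname` limits where a replacement can be scheduled. Set requests and a memory limit per container and cap the volume, e.g. `emptyDir: {sizeLimit: <size>}` with a size chosen for this cluster. The `application-controller` container in the previous section has the same `resources: {}`. Separately, `defaultMode: 0755` relies on YAML 1.1 octal parsing; `defaultMode: 493` is the unambiguous form.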
