init

clusters/cl01tl/deployment/argocd/Chart.yaml

@@ -0,0 +1,12 @@
+apiVersion: v2
+name: argocd
+version: 0.1.0
+home: https://outline.alexlebens.net/doc/argo-cd-qLEdrgdwOD
+sources:
+  - https://github.com/argoproj/argo-cd
+  - https://github.com/argoproj/argo-helm/tree/main/charts/argo-cd
+dependencies:
+  - name: argo-cd
+    version: 6.9.3
+    repository: https://argoproj.github.io/argo-helm
+appVersion: v2.10.8

clusters/cl01tl/deployment/argocd/templates/external-secret.yaml

@@ -0,0 +1,110 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: argocd-oidc-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: "{{ .Release.Name }}-server"
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: server
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: secret
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /authentik/oidc/argocd
+        metadataPolicy: None
+        property: secret
+    - secretKey: client
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /authentik/oidc/argocd
+        metadataPolicy: None
+        property: client
+
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: argocd-cluster-cl02do-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: "{{ .Release.Name }}-server"
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: server
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+    argocd.argoproj.io/secret-type: cluster
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: name
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /argocd/credentials/cluster/cl02do
+        metadataPolicy: None
+        property: name
+    - secretKey: server
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /argocd/credentials/cluster/cl02do
+        metadataPolicy: None
+        property: server
+    - secretKey: config
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /argocd/credentials/cluster/cl02do
+        metadataPolicy: None
+        property: config
+
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: argocd-repo-alexlebens-dev-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: "{{ .Release.Name }}-server"
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: server
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+    argocd.argoproj.io/secret-type: repository
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: type
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /argocd/credentials/repo/alexlebens-dev
+        metadataPolicy: None
+        property: type
+    - secretKey: url
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /argocd/credentials/repo/alexlebens-dev
+        metadataPolicy: None
+        property: url
+    - secretKey: sshPrivateKey
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /argocd/credentials/repo/alexlebens-dev
+        metadataPolicy: None
+        property: sshPrivateKey

clusters/cl01tl/deployment/argocd/values.yaml

@@ -0,0 +1,66 @@
+argo-cd:
+  crds:
+    install: true
+  configs:
+    cm:
+      admin.enabled: true
+      url: https://argocd.alexlebens.net
+      statusbadge.enabled: true
+      dex.config: |
+        connectors:
+        - config:
+            issuer: https://authentik.alexlebens.net/application/o/argocd/
+            clientID: $argocd-oidc-secret:client
+            clientSecret: $argocd-oidc-secret:secret
+            insecureEnableGroups: true
+            scopes:
+              - openid
+              - profile
+              - email
+              - groups
+          name: authentik
+          type: oidc
+          id: authentik
+    rbac:
+      policy.csv: |
+        g, ArgoCD Admins, role:admin
+    params:
+      server.insecure: true
+  server:
+    replicas: 2
+    ingress:
+      enabled: true
+      controller: generic
+      ingressClassName: traefik
+      annotations:
+        traefik.ingress.kubernetes.io/router.entrypoints: websecure
+        traefik.ingress.kubernetes.io/router.tls: "true"
+        cert-manager.io/cluster-issuer: letsencrypt-issuer
+      hostname: argocd.alexlebens.net
+      tls: true
+    metrics:
+      enabled: true
+      serviceMonitor:
+        enabled: true
+  dex:
+    enabled: true
+  redis-ha:
+    enabled: true
+  controller:
+    replicas: 1
+    metrics:
+      enabled: true
+      serviceMonitor:
+        enabled: true
+  repoServer:
+    replicas: 2
+    metrics:
+      enabled: true
+      serviceMonitor:
+        enabled: true
+  applicationSet:
+    replicas: 2
+    metrics:
+      enabled: true
+      serviceMonitor:
+        enabled: true