alexlebens/infrastructure
1
0
Fork 0
Code Issues 1 Pull Requests 14 Actions Activity

migrate argocd
All checks were successful
lint-test-helm / helm-lint (push) Successful in 14s
Details
render-manifests / render-manifests (push) Successful in 19s
Details
renovate / renovate (push) Successful in 1m16s
Details

Browse Source
This commit is contained in:
Alex Lebens
2025-12-02 22:41:58 -06:00
parent 78cb9efe8f
commit 6e6917a00b
8 changed files with 6 additions and 91 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
clusters/cl01tl/helm/argocd/Chart.lock Normal file
View File

@@ -0,0 +1,6 @@
dependencies:
- name: argo-cd
repository: https://argoproj.github.io/argo-helm
version: 9.1.5
digest: sha256:07f7f6d369af426cdd213ddbc58373a4e5b4f54724efd4612662d7da0315232d
generated: "2025-12-02T21:27:41.876154-06:00"

21
clusters/cl01tl/helm/argocd/Chart.yaml Normal file
View File

@@ -0,0 +1,21 @@
apiVersion: v2
name: argocd
version: 1.0.0
description: Argo CD
keywords:
- argo-cd
- delivery
- deployment
- gitops
home: https://wiki.alexlebens.dev/s/8a75cf26-b9df-437e-9cc5-2ef47e871a5f
sources:
- https://github.com/argoproj/argo-cd
- https://github.com/argoproj/argo-helm/tree/main/charts/argo-cd
maintainers:
- name: alexlebens
dependencies:
- name: argo-cd
version: 9.1.5
repository: https://argoproj.github.io/argo-helm
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/argo-cd.png
appVersion: 3.0.0

88
clusters/cl01tl/helm/argocd/templates/external-secret.yaml Normal file
View File

@@ -0,0 +1,88 @@
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: argocd-oidc-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: argocd-oidc-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: secret
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /authentik/oidc/argocd
metadataPolicy: None
property: secret
- secretKey: client
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /authentik/oidc/argocd
metadataPolicy: None
property: client
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: argocd-notifications-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: argocd-notifications-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: ntfy-token
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /ntfy/user/cl01tl
metadataPolicy: None
property: token
# ---
# apiVersion: external-secrets.io/v1
# kind: ExternalSecret
# metadata:
# name: argocd-gitea-repo-infrastructure-secret
# namespace: {{ .Release.Namespace }}
# labels:
# app.kubernetes.io/name: argocd-gitea-repo-infrastructure-secret
# app.kubernetes.io/instance: {{ .Release.Name }}
# app.kubernetes.io/part-of: {{ .Release.Name }}
# spec:
# secretStoreRef:
# kind: ClusterSecretStore
# name: vault
# data:
# - secretKey: type
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/argocd/credentials/repo/infrastructure
# metadataPolicy: None
# property: type
# - secretKey: url
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/argocd/credentials/repo/infrastructure
# metadataPolicy: None
# property: url
# - secretKey: sshPrivateKey
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/argocd/credentials/repo/infrastructure
# metadataPolicy: None
# property: sshPrivateKey

28
clusters/cl01tl/helm/argocd/templates/http-route.yaml Normal file
View File

@@ -0,0 +1,28 @@
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: http-route-argocd
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: http-route-argocd
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: traefik-gateway
namespace: traefik
hostnames:
- argocd.alexlebens.net
rules:
- matches:
- path:
type: PathPrefix
value: /
backendRefs:
- group: ''
kind: Service
name: argocd-server
port: 80
weight: 100

302
clusters/cl01tl/helm/argocd/values.yaml Normal file
View File

@@ -0,0 +1,302 @@
argo-cd:
crds:
install: true
configs:
cm:
admin.enabled: true
timeout.reconciliation: 100s
timeout.reconciliation.jitter: 60s
url: https://argocd.alexlebens.net
statusbadge.url: https://argocd.alexlebens.net/
statusbadge.enabled: true
dex.config: |
connectors:
- config:
issuer: https://authentik.alexlebens.net/application/o/argocd/
clientID: $argocd-oidc-secret:client
clientSecret: $argocd-oidc-secret:secret
insecureEnableGroups: true
scopes:
- openid
- profile
- email
name: authentik
type: oidc
id: authentik
params:
server.insecure: true
rbac:
policy.csv: |
g, ArgoCD Admins, role:admin
cmp:
create: true
plugins:
cdk8s:
init:
command: [cdk8s]
args: [import]
generate:
command: [cdk8s, synth]
args: [--stdout]
discover:
fileName: "*.go"
controller:
replicas: 1
metrics:
enabled: true
serviceMonitor:
enabled: true
dex:
enabled: true
metrics:
enabled: true
serviceMonitor:
enabled: true
livenessProbe:
enabled: true
readinessProbe:
enabled: true
redis-ha:
enabled: true
auth: false
redisSecretInit:
enabled: true
server:
replicas: 2
extensions:
enabled: true
extensionList:
- name: extension-trivy
env:
- name: EXTENSION_URL
value: https://github.com/mziyabo/argocd-trivy-extension/releases/download/v0.2.0/extension-trivy.tar
- name: EXTENSION_CHECKSUM_URL
value: https://github.com/mziyabo/argocd-trivy-extension/releases/download/v0.2.0/extension-trivy_checksums.txt
metrics:
enabled: true
serviceMonitor:
enabled: true
ingress:
enabled: false
repoServer:
replicas: 2
extraContainers:
- name: cmp-cdk8s
command:
- /var/run/argocd/argocd-cmp-server
image: ghcr.io/akuity/cdk8s-cmp-typescript:1.0
securityContext:
runAsNonRoot: true
runAsUser: 999
volumeMounts:
- mountPath: /var/run/argocd
name: var-files
- mountPath: /home/argocd/cmp-server/plugins
name: plugins
- mountPath: /home/argocd/cmp-server/config/plugin.yaml
subPath: cdk8s.yaml
name: argocd-cmp-cm
- mountPath: /tmp
name: cmp-tmp
volumes:
- name: argocd-cmp-cm
configMap:
name: argocd-cmp-cm
- name: cmp-tmp
emptyDir: {}
metrics:
enabled: true
serviceMonitor:
enabled: true
applicationSet:
replicas: 2
metrics:
enabled: true
serviceMonitor:
enabled: true
livenessProbe:
enabled: true
readinessProbe:
enabled: true
notifications:
enabled: true
context:
argocdUrl: https://argocd.alexlebens.net
secret:
create: false
name: argocd-notifications-secret
metrics:
enabled: true
serviceMonitor:
enabled: true
notifiers:
service.webhook.ntfy: |
url: http://ntfy.ntfy/
headers:
- name: Authorization
value: Bearer $ntfy-token
livenessProbe:
enabled: true
readinessProbe:
enabled: true
subscriptions:
- recipients:
- ntfy
triggers:
- on-created
- on-deleted
- on-deployed
- on-health-degraded
- on-sync-failed
- on-sync-running
- on-sync-status-unknown
- on-sync-succeeded
templates:
template.app-created: |
webhook:
ntfy:
method: POST
body: |
{
"topic": "argocd",
"message": "{{.app.metadata.name}} has been created.",
"title": "Created: {{.app.metadata.name}}",
"tags": ["building_construction"],
"priority": 4,
"click": "{{.context.argocdUrl}}/applications/argocd/{{.app.metadata.name}}"
}
template.app-deleted: |
webhook:
ntfy:
method: POST
body: |
{
"topic": "argocd",
"message": "{{.app.metadata.name}} has been deleted",
"title": "Deleted: {{.app.metadata.name}}",
"tags": ["warning"],
"priority": 4,
"click": "{{.context.argocdUrl}}"
}
template.app-deployed: |
webhook:
ntfy:
method: POST
body: |
{
"topic": "argocd",
"message": "{{.app.metadata.name}} is now running new version of deployments manifests",
"title": "Deployed: {{.app.metadata.name}}",
"tags": ["+1"],
"priority": 3,
"click": "{{.context.argocdUrl}}/applications/argocd/{{.app.metadata.name}}"
}
template.app-health-degraded: |
webhook:
ntfy:
method: POST
body: |
{
"topic": "argocd",
"message": "{{.app.metadata.name}} health has degraded",
"title": "Degraded: {{.app.metadata.name}}",
"tags": ["rotating_light"],
"priority": 4,
"click": "{{.context.argocdUrl}}/applications/argocd/{{.app.metadata.name}}"
}
template.app-sync-failed: |
webhook:
ntfy:
method: POST
body: |
{
"topic": "argocd",
"message": "{{.app.metadata.name}} sync has failed at {{.app.status.operationState.finishedAt}} with the following error: {{.app.status.operationState.message}}",
"title": "Sync Failed: {{.app.metadata.name}}",
"tags": ["rotating_light"],
"priority": 4,
"click": "{{.context.argocdUrl}}/applications/{{.app.metadata.name}}?operation=true"
}
template.app-sync-running: |
webhook:
ntfy:
method: POST
body: |
{
"topic": "argocd",
"message": "{{.app.metadata.name}} sync has started at {{.app.status.operationState.startedAt}}",
"title": "Sync Running: {{.app.metadata.name}}",
"tags": ["runner"],
"priority": 3,
"click": "{{.context.argocdUrl}}/applications/{{.app.metadata.name}}?operation=true"
}
template.app-sync-status-unknown: |
webhook:
ntfy:
method: POST
body: |
{
"topic": "argocd",
"message": "{{.app.metadata.name}} sync status is unknown",
"title": "Sync Unknown: {{.app.metadata.name}}",
"tags": ["question"],
"priority": 3,
"click": "{{.context.argocdUrl}}/applications/{{.app.metadata.name}}"
}
template.app-sync-succeeded: |
webhook:
ntfy:
method: POST
body: |
{
"topic": "argocd",
"message": "{{.app.metadata.name}} has been successfully synced at {{.app.status.operationState.finishedAt}}",
"title": "Sync Succeeded: {{.app.metadata.name}}",
"tags": ["+1"],
"priority": 3,
"click": "{{.context.argocdUrl}}/applications/{{.app.metadata.name}}?operation=true"
}
triggers:
trigger.on-created: |
- description: Application {{.app.metadata.name}} has been created.
oncePer: app.metadata.name
send:
- app-created
when: "true"
trigger.on-deleted: |
- description: Application {{.app.metadata.name}} has been deleted.
oncePer: app.metadata.name
send:
- app-deleted
when: app.metadata.deletionTimestamp != nil
trigger.on-deployed: |
- description: Application is synced and healthy. Triggered once per commit.
oncePer: app.status.operationState.syncResult.revision
send:
- app-deployed
when: app.status.operationState.phase in ['Succeeded'] and app.status.health.status == 'Healthy'
trigger.on-health-degraded: |
- description: Application has degraded
send:
- app-health-degraded
when: app.status.health.status == 'Degraded' and time.Now().Sub(time.Parse(app.status.health.lastTransitionTime).Minutes() >= 15
trigger.on-sync-failed: |
- description: Application syncing has failed
send:
- app-sync-failed
when: app.status.operationState.phase in ['Error', 'Failed']
trigger.on-sync-running: |
- description: Application is being synced
send:
- app-sync-running
when: app.status.operationState.phase in ['Running']
trigger.on-sync-status-unknown: |
- description: Application status is 'Unknown'
send:
- app-sync-status-unknown
when: app.status.sync.status == 'Unknown'
trigger.on-sync-succeeded: |
- description: Application syncing has succeeded
send:
- app-sync-succeeded
when: app.status.operationState.phase in ['Succeeded']