infrastructure/clusters/cl01tl/manifests/argocd/Deployment-argocd-repo-server.yml

---
# Source: argocd/charts/argo-cd/templates/argocd-repo-server/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: argocd-repo-server
  namespace: argocd
  labels:
    helm.sh/chart: argo-cd-9.1.5
    app.kubernetes.io/name: argocd-repo-server
    app.kubernetes.io/instance: argocd
    app.kubernetes.io/component: repo-server
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/part-of: argocd
    app.kubernetes.io/version: "v3.2.1"
spec:
  replicas: 2
  revisionHistoryLimit: 3
  selector:
    matchLabels:
      app.kubernetes.io/name: argocd-repo-server
      app.kubernetes.io/instance: argocd
  template:
    metadata:
      annotations:
        checksum/cmd-params: bf2519278596ec7cee3e61f230a7b6ebbdcc8a5166fe036da04fccfdfa4ac1d1
        checksum/cm: b85950385c4567f0f6332e53f51df2bbe58a65f5771ac318c863d1b4e831ff9b
        checksum/cmp-cm: 889b23506729520737104bb8fb0d94e269ba3ec96a1a0e9ffe5c7bdf1025801c
      labels:
        helm.sh/chart: argo-cd-9.1.5
        app.kubernetes.io/name: argocd-repo-server
        app.kubernetes.io/instance: argocd
        app.kubernetes.io/component: repo-server
        app.kubernetes.io/managed-by: Helm
        app.kubernetes.io/part-of: argocd
        app.kubernetes.io/version: "v3.2.1"
    spec:
      terminationGracePeriodSeconds: 30
      serviceAccountName: argocd-repo-server
      automountServiceAccountToken: true
      containers:
        - name: repo-server
          image: quay.io/argoproj/argocd:v3.2.1
          imagePullPolicy: IfNotPresent
          args:
            - /usr/local/bin/argocd-repo-server
            - --port=8081
            - --metrics-port=8084
          env:
            - name: ARGOCD_REPO_SERVER_NAME
              value: argocd-repo-server
            - name: ARGOCD_RECONCILIATION_TIMEOUT
              valueFrom:
                configMapKeyRef:
                  name: argocd-cm
                  key: timeout.reconciliation
                  optional: true
            - name: ARGOCD_REPO_SERVER_LOGFORMAT
              valueFrom:
                configMapKeyRef:
                  name: argocd-cmd-params-cm
                  key: reposerver.log.format
                  optional: true
            - name: ARGOCD_REPO_SERVER_LOGLEVEL
              valueFrom:
                configMapKeyRef:
                  name: argocd-cmd-params-cm
                  key: reposerver.log.level
                  optional: true
            - name: ARGOCD_LOG_FORMAT_TIMESTAMP
              valueFrom:
                configMapKeyRef:
                  name: argocd-cmd-params-cm
                  key: log.format.timestamp
                  optional: true
            - name: ARGOCD_REPO_SERVER_PARALLELISM_LIMIT
              valueFrom:
                configMapKeyRef:
                  name: argocd-cmd-params-cm
                  key: reposerver.parallelism.limit
                  optional: true
            - name: ARGOCD_REPO_SERVER_LISTEN_ADDRESS
              valueFrom:
                configMapKeyRef:
                  name: argocd-cmd-params-cm
                  key: reposerver.listen.address
                  optional: true
            - name: ARGOCD_REPO_SERVER_LISTEN_METRICS_ADDRESS
              valueFrom:
                configMapKeyRef:
                  name: argocd-cmd-params-cm
                  key: reposerver.metrics.listen.address
                  optional: true
            - name: ARGOCD_REPO_SERVER_DISABLE_TLS
              valueFrom:
                configMapKeyRef:
                  name: argocd-cmd-params-cm
                  key: reposerver.disable.tls
                  optional: true
            - name: ARGOCD_TLS_MIN_VERSION
              valueFrom:
                configMapKeyRef:
                  name: argocd-cmd-params-cm
                  key: reposerver.tls.minversion
                  optional: true
            - name: ARGOCD_TLS_MAX_VERSION
              valueFrom:
                configMapKeyRef:
                  name: argocd-cmd-params-cm
                  key: reposerver.tls.maxversion
                  optional: true
            - name: ARGOCD_TLS_CIPHERS
              valueFrom:
                configMapKeyRef:
                  name: argocd-cmd-params-cm
                  key: reposerver.tls.ciphers
                  optional: true
            - name: ARGOCD_REPO_CACHE_EXPIRATION
              valueFrom:
                configMapKeyRef:
                  name: argocd-cmd-params-cm
                  key: reposerver.repo.cache.expiration
                  optional: true
            - name: REDIS_SERVER
              valueFrom:
                configMapKeyRef:
                  name: argocd-cmd-params-cm
                  key: redis.server
                  optional: true
            - name: REDIS_COMPRESSION
              valueFrom:
                configMapKeyRef:
                  name: argocd-cmd-params-cm
                  key: redis.compression
                  optional: true
            - name: REDISDB
              valueFrom:
                configMapKeyRef:
                  name: argocd-cmd-params-cm
                  key: redis.db
                  optional: true
            - name: REDIS_USERNAME
              valueFrom:
                secretKeyRef:
                  name: "argocd-redis"
                  key: redis-username
                  optional: true
            - name: REDIS_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: "argocd-redis" # hard-coded in Job command and embedded Redis deployments (standalone and redis-ha)
                  key: auth
                  optional: false # Secret is not optional in this case !
            - name: REDIS_SENTINEL_USERNAME
              valueFrom:
                secretKeyRef:
                  name: argocd-redis-ha-haproxy
                  key: redis-sentinel-username
                  optional: true
            - name: REDIS_SENTINEL_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: argocd-redis-ha-haproxy
                  key: redis-sentinel-password
                  optional: true
            - name: ARGOCD_DEFAULT_CACHE_EXPIRATION
              valueFrom:
                configMapKeyRef:
                  name: argocd-cmd-params-cm
                  key: reposerver.default.cache.expiration
                  optional: true
            - name: ARGOCD_REPO_SERVER_OTLP_ADDRESS
              valueFrom:
                configMapKeyRef:
                  name: argocd-cmd-params-cm
                  key: otlp.address
                  optional: true
            - name: ARGOCD_REPO_SERVER_OTLP_INSECURE
              valueFrom:
                configMapKeyRef:
                  name: argocd-cmd-params-cm
                  key: otlp.insecure
                  optional: true
            - name: ARGOCD_REPO_SERVER_OTLP_HEADERS
              valueFrom:
                configMapKeyRef:
                  name: argocd-cmd-params-cm
                  key: otlp.headers
                  optional: true
            - name: ARGOCD_REPO_SERVER_OTLP_ATTRS
              valueFrom:
                configMapKeyRef:
                  name: argocd-cmd-params-cm
                  key: otlp.attrs
                  optional: true
            - name: ARGOCD_REPO_SERVER_MAX_COMBINED_DIRECTORY_MANIFESTS_SIZE
              valueFrom:
                configMapKeyRef:
                  name: argocd-cmd-params-cm
                  key: reposerver.max.combined.directory.manifests.size
                  optional: true
            - name: ARGOCD_REPO_SERVER_PLUGIN_TAR_EXCLUSIONS
              valueFrom:
                configMapKeyRef:
                  name: argocd-cmd-params-cm
                  key: reposerver.plugin.tar.exclusions
                  optional: true
            - name: ARGOCD_REPO_SERVER_PLUGIN_USE_MANIFEST_GENERATE_PATHS
              valueFrom:
                configMapKeyRef:
                  key: reposerver.plugin.use.manifest.generate.paths
                  name: argocd-cmd-params-cm
                  optional: true
            - name: ARGOCD_REPO_SERVER_ALLOW_OUT_OF_BOUNDS_SYMLINKS
              valueFrom:
                configMapKeyRef:
                  key: reposerver.allow.oob.symlinks
                  name: argocd-cmd-params-cm
                  optional: true
            - name: ARGOCD_REPO_SERVER_STREAMED_MANIFEST_MAX_TAR_SIZE
              valueFrom:
                configMapKeyRef:
                  key: reposerver.streamed.manifest.max.tar.size
                  name: argocd-cmd-params-cm
                  optional: true
            - name: ARGOCD_REPO_SERVER_STREAMED_MANIFEST_MAX_EXTRACTED_SIZE
              valueFrom:
                configMapKeyRef:
                  key: reposerver.streamed.manifest.max.extracted.size
                  name: argocd-cmd-params-cm
                  optional: true
            - name: ARGOCD_REPO_SERVER_HELM_MANIFEST_MAX_EXTRACTED_SIZE
              valueFrom:
                configMapKeyRef:
                  key: reposerver.helm.manifest.max.extracted.size
                  name: argocd-cmd-params-cm
                  optional: true
            - name: ARGOCD_REPO_SERVER_DISABLE_HELM_MANIFEST_MAX_EXTRACTED_SIZE
              valueFrom:
                configMapKeyRef:
                  name: argocd-cmd-params-cm
                  key: reposerver.disable.helm.manifest.max.extracted.size
                  optional: true
            - name: ARGOCD_GIT_MODULES_ENABLED
              valueFrom:
                configMapKeyRef:
                  key: reposerver.enable.git.submodule
                  name: argocd-cmd-params-cm
                  optional: true
            - name: ARGOCD_GIT_LS_REMOTE_PARALLELISM_LIMIT
              valueFrom:
                configMapKeyRef:
                  key: reposerver.git.lsremote.parallelism.limit
                  name: argocd-cmd-params-cm
                  optional: true
            - name: ARGOCD_GIT_REQUEST_TIMEOUT
              valueFrom:
                configMapKeyRef:
                  key: reposerver.git.request.timeout
                  name: argocd-cmd-params-cm
                  optional: true
            - name: ARGOCD_REPO_SERVER_OCI_MANIFEST_MAX_EXTRACTED_SIZE
              valueFrom:
                configMapKeyRef:
                  key: reposerver.oci.manifest.max.extracted.size
                  name: argocd-cmd-params-cm
                  optional: true
            - name: ARGOCD_REPO_SERVER_DISABLE_OCI_MANIFEST_MAX_EXTRACTED_SIZE
              valueFrom:
                configMapKeyRef:
                  key: reposerver.disable.oci.manifest.max.extracted.size
                  name: argocd-cmd-params-cm
                  optional: true
            - name: ARGOCD_REPO_SERVER_OCI_LAYER_MEDIA_TYPES
              valueFrom:
                configMapKeyRef:
                  key: reposerver.oci.layer.media.types
                  name: argocd-cmd-params-cm
                  optional: true
            - name: ARGOCD_REVISION_CACHE_LOCK_TIMEOUT
              valueFrom:
                configMapKeyRef:
                  key: reposerver.revision.cache.lock.timeout
                  name: argocd-cmd-params-cm
                  optional: true
            - name: ARGOCD_REPO_SERVER_ENABLE_BUILTIN_GIT_CONFIG
              valueFrom:
                configMapKeyRef:
                  name: argocd-cmd-params-cm
                  key: reposerver.enable.builtin.git.config
                  optional: true
            - name: ARGOCD_GRPC_MAX_SIZE_MB
              valueFrom:
                configMapKeyRef:
                  key: reposerver.grpc.max.size
                  name: argocd-cmd-params-cm
                  optional: true
            - name: ARGOCD_REPO_SERVER_INCLUDE_HIDDEN_DIRECTORIES
              valueFrom:
                configMapKeyRef:
                  key: reposerver.include.hidden.directories
                  name: argocd-cmd-params-cm
                  optional: true
            - name: HELM_CACHE_HOME
              value: /helm-working-dir
            - name: HELM_CONFIG_HOME
              value: /helm-working-dir
            - name: HELM_DATA_HOME
              value: /helm-working-dir
          volumeMounts:
            - mountPath: /app/config/ssh
              name: ssh-known-hosts
            - mountPath: /app/config/tls
              name: tls-certs
            - mountPath: /app/config/gpg/source
              name: gpg-keys
            - mountPath: /app/config/gpg/keys
              name: gpg-keyring
            - mountPath: /app/config/reposerver/tls
              name: argocd-repo-server-tls
            - mountPath: /helm-working-dir
              name: helm-working-dir
            - mountPath: /home/argocd/cmp-server/plugins
              name: plugins
            - mountPath: /tmp
              name: tmp
          ports:
            - name: repo-server
              containerPort: 8081
              protocol: TCP
            - name: metrics
              containerPort: 8084
              protocol: TCP
          livenessProbe:
            httpGet:
              path: /healthz?full=true
              port: metrics
            initialDelaySeconds: 10
            periodSeconds: 10
            timeoutSeconds: 1
            successThreshold: 1
            failureThreshold: 3
          readinessProbe:
            httpGet:
              path: /healthz
              port: metrics
            initialDelaySeconds: 10
            periodSeconds: 10
            timeoutSeconds: 1
            successThreshold: 1
            failureThreshold: 3
          resources: {}
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            seccompProfile:
              type: RuntimeDefault
        - command:
            - /var/run/argocd/argocd-cmp-server
          image: ghcr.io/akuity/cdk8s-cmp-typescript:1.0
          name: cmp-cdk8s
          securityContext:
            runAsNonRoot: true
            runAsUser: 999
          volumeMounts:
            - mountPath: /var/run/argocd
              name: var-files
            - mountPath: /home/argocd/cmp-server/plugins
              name: plugins
            - mountPath: /home/argocd/cmp-server/config/plugin.yaml
              name: argocd-cmp-cm
              subPath: cdk8s.yaml
            - mountPath: /tmp
              name: cmp-tmp
      initContainers:
        - command:
            - /bin/cp
            - -n
            - /usr/local/bin/argocd
            - /var/run/argocd/argocd-cmp-server
          image: quay.io/argoproj/argocd:v3.2.1
          imagePullPolicy: IfNotPresent
          name: copyutil
          resources: {}
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            seccompProfile:
              type: RuntimeDefault
          volumeMounts:
            - mountPath: /var/run/argocd
              name: var-files
      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 100
              podAffinityTerm:
                labelSelector:
                  matchLabels:
                    app.kubernetes.io/name: argocd-repo-server
                topologyKey: kubernetes.io/hostname
      nodeSelector:
        kubernetes.io/os: linux
      volumes:
        - configMap:
            name: argocd-cmp-cm
          name: argocd-cmp-cm
        - emptyDir: {}
          name: cmp-tmp
        - name: helm-working-dir
          emptyDir: {}
        - name: plugins
          emptyDir: {}
        - name: var-files
          emptyDir: {}
        - name: tmp
          emptyDir: {}
        - name: ssh-known-hosts
          configMap:
            name: argocd-ssh-known-hosts-cm
        - name: tls-certs
          configMap:
            name: argocd-tls-certs-cm
        - name: gpg-keys
          configMap:
            name: argocd-gpg-keys-cm
        - name: gpg-keyring
          emptyDir: {}
        - name: argocd-repo-server-tls
          secret:
            secretName: argocd-repo-server-tls
            optional: true
            items:
              - key: tls.crt
                path: tls.crt
              - key: tls.key
                path: tls.key
              - key: ca.crt
                path: ca.crt
      dnsPolicy: ClusterFirst