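configs:
  secret:
    createSecret: true
    # Local admin password (bcrypt hash). Inert while cm.admin.enabled is
    # "false", but the hash is committed to git and can be brute-forced
    # offline. Rotate it whenever the break-glass account is used, or feed it
    # in at install time (--set / external secret) instead of keeping it here.
    argocdServerAdminPassword: "$2b$12$Tmb1jH7ADvwWoUoNPXXsfOf6JqEluqhq8mL06a8DGT2AP1GzbNsCm"
    # oidc.clientSecret managed by argocd-oidc-sync CronJob
    # (reads from argocd-oidc-credentials, patches argocd-secret)
    # NOTE(review): createSecret is true, so Helm owns argocd-secret — confirm
    # that an upgrade/sync of this chart does not drop the key the CronJob patches in.
  ssh:
    # Pinned host key for the Git server: only this key is trusted for SSH
    # repo access. Update deliberately when the server key is rotated.
    knownHosts: |
      [git.forteapps.net]:2222 ssh-rsa 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
  cm:
    application.resourceTrackingMethod: annotation
    timeout.reconciliation: 60s
    # Admin login disabled — SSO only. Break-glass: kubectl patch cm argocd-cm -n argocd -p '{"data":{"admin.enabled":"true"}}'
    # The break-glass account bypasses SSO and the group-based RBAC below;
    # revert the patch and rotate secret.argocdServerAdminPassword after use.
    admin.enabled: "false"
    url: https://argocd.forteapps.net
    oidc.config: |
      name: Forte SSO
      issuer: https://id.forteapps.net/realms/forte
      clientID: argocd
      clientSecret: $oidc.clientSecret
      requestedScopes: ["openid", "email", "profile"]
  rbac:
    # Base RBAC — org-wide roles shared across all clusters.
    # Per-cluster policies go in infra/values/<cluster>/argocd-values.yaml
    # as configs.rbac.policy.<cluster>.csv (ArgoCD concatenates all policy.*.csv keys)
    #
    # Group names in the `g` lines must match the values of the `groups`
    # claim exactly (see scopes below) — a mismatch silently yields no access.
    policy.csv: |
      # Platform administrators — full control
      g, ArgoCD Admins, role:admin

      # Read-only viewers — see all, change nothing
      g, ArgoCD Viewers, role:readonly

      # --- Per-team roles (scoped to default project app names) ---
      # Roles grant get + sync only; no delete/override, so a compromised team
      # account cannot remove apps or push ad-hoc manifests.
      # Observability team — manage monitoring stack
      p, role:observability, applications, get, default/prometheus, allow
      p, role:observability, applications, get, default/loki, allow
      p, role:observability, applications, get, default/fluent-bit, allow
      p, role:observability, applications, get, default/tempo, allow
      p, role:observability, applications, get, default/grafana, allow
      p, role:observability, applications, get, default/grafana-dashboards, allow
      p, role:observability, applications, get, default/opencost, allow
      p, role:observability, applications, sync, default/prometheus, allow
      p, role:observability, applications, sync, default/loki, allow
      p, role:observability, applications, sync, default/fluent-bit, allow
      p, role:observability, applications, sync, default/tempo, allow
      p, role:observability, applications, sync, default/grafana, allow
      p, role:observability, applications, sync, default/grafana-dashboards, allow
      p, role:observability, applications, sync, default/opencost, allow
      # NOTE(review): log access here is project-wide (every app in `default`,
      # including enterprise-apps), wider than the app list above. Logs can
      # carry credentials and PII — confirm this breadth is intended.
      p, role:observability, logs, get, default/*, allow
      g, Observability Team, role:observability

      # Dev tools team — manage gitea, renovate, karpor
      p, role:devtools, applications, get, default/gitea, allow
      p, role:devtools, applications, get, default/gitea-actions, allow
      p, role:devtools, applications, get, default/renovate, allow
      p, role:devtools, applications, get, default/karpor, allow
      p, role:devtools, applications, sync, default/gitea, allow
      p, role:devtools, applications, sync, default/gitea-actions, allow
      p, role:devtools, applications, sync, default/renovate, allow
      p, role:devtools, applications, sync, default/karpor, allow
      # Log access limited to the team's own apps (was default/*), matching
      # how app-dev is scoped below.
      p, role:devtools, logs, get, default/gitea, allow
      p, role:devtools, logs, get, default/gitea-actions, allow
      p, role:devtools, logs, get, default/renovate, allow
      p, role:devtools, logs, get, default/karpor, allow
      g, Dev Tools Team, role:devtools

      # App developers — manage enterprise apps only
      p, role:app-dev, applications, get, default/enterprise-apps, allow
      p, role:app-dev, applications, sync, default/enterprise-apps, allow
      p, role:app-dev, applications, action, default/enterprise-apps, allow
      p, role:app-dev, logs, get, default/enterprise-apps, allow
      g, App Developers, role:app-dev

    # Deny users not in any declared KC group
    policy.default: ""
    # RBAC reads group membership from the `groups` claim. That claim is not
    # in oidc.config.requestedScopes above — this only works if the IdP puts
    # it in a default scope; if it lives on a dedicated client scope, add
    # that scope to requestedScopes. Confirm against the realm's client config.
    scopes: '[groups]'
  params:
    # TLS is terminated at the Traefik ingress (server.ingress.tls); the
    # in-cluster hop ingress -> argocd-server is plaintext. Quoted so the
    # ConfigMap value is the string "true", consistent with its sibling.
    "server.insecure": "true"
    # Submodules are fetched from URLs controlled by the repo being synced;
    # keep disabled unless a repo genuinely needs them.
    "reposerver.enable.git.submodule": "false"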
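server:
  ingress:
    enabled: true
    ingressClassName: traefik
    annotations:
      cert-manager.io/cluster-issuer: letsencrypt-prod
    # Edge TLS via cert-manager; argocd-server itself runs plaintext (see below).
    tls: true
  # Same effect as configs.params "server.insecure": argocd-server serves HTTP
  # because Traefik terminates TLS. Keeping one of the two is enough; if this
  # flag is dropped, the params entry must stay.
  extraArgs:
    - --insecure
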
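notifications:
  # Don't create secret via Helm - using SealedSecret instead
  # (the $slack-webhook-url reference under notifiers is expected to be
  # resolved from that secret)
  secret:
    create: false

  # Define notification templates
  # NOTE(review): app fields are interpolated into the JSON body unescaped.
  # A quote, backslash or newline in operationState.message (e.g. a git or
  # kubectl error) breaks the JSON and the failed/degraded alert is dropped
  # exactly when it matters; consider escaping that field (the template
  # engine's js/toJson-style helpers) before relying on those alerts.
  # Messages and image refs are also posted to Slack — avoid secrets in
  # app names and sync error output.
  templates:
    template.app-syncing: |
      webhook:
        slack:
          method: POST
          body: |
            {
              "payload": "🖥️ {{ .context.clusterName }}: 🔄 *{{ .app.metadata.name }}* is syncing...\n📦 Revision: {{ .app.status.sync.revision | default `n/a` | substr 0 7 }}"
            }
    template.app-sync-succeeded: |
      webhook:
        slack:
          method: POST
          body: |
            {
              "payload": "🖥️ {{ .context.clusterName }}: ✅ *{{ .app.metadata.name }}* sync succeeded\n📦 Revision: {{ .app.status.sync.revision | default `n/a` | substr 0 7 }}{{ range .app.status.summary.images }}\n🏷️ Image: {{ . }}{{ end }}"
            }
    template.app-sync-failed: |
      webhook:
        slack:
          method: POST
          body: |
            {
              "payload": "🖥️ {{ .context.clusterName }}: ❌ *{{ .app.metadata.name }}* sync failed\n📦 Revision: {{ .app.status.sync.revision | default `n/a` | substr 0 7 }}\n⚠️ Message: {{ .app.status.operationState.message }}"
            }
    template.app-degraded: |
      webhook:
        slack:
          method: POST
          body: |
            {
              "payload": "🖥️ {{ .context.clusterName }}: ⚠️ *{{ .app.metadata.name }}* is degraded\n🏥 Health: {{ .app.status.health.status }}\n📦 Revision: {{ .app.status.sync.revision | default `n/a` | substr 0 7 }}{{ range .app.status.summary.images }}\n🏷️ Image: {{ . }}{{ end }}"
            }

  # Define notification triggers
  triggers:
    trigger.on-sync-running: |
      - when: app.status.operationState.phase in ['Running']
        send: [app-syncing]
    # Success requires a Healthy app, not just a completed sync operation.
    trigger.on-sync-succeeded: |
      - when: app.status.operationState.phase in ['Succeeded'] and app.status.health.status == 'Healthy'
        send: [app-sync-succeeded]
    trigger.on-sync-failed: |
      - when: app.status.operationState.phase in ['Failed']
        send: [app-sync-failed]
    trigger.on-degraded: |
      - when: app.status.health.status == 'Degraded'
        send: [app-degraded]

  # Define notification services (webhook for Slack)
  notifiers:
    service.webhook.slack: |
      url: $slack-webhook-url
      headers:
        - name: Content-Type
          value: application/json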