diff --git a/helm-charts/proxy-k8s-argo-cd/Chart.yaml b/helm-charts/proxy-k8s-argo-cd-bootstrapping/Chart.yaml similarity index 77% rename from helm-charts/proxy-k8s-argo-cd/Chart.yaml rename to helm-charts/proxy-k8s-argo-cd-bootstrapping/Chart.yaml index 59ad895f5..589299a7b 100644 --- a/helm-charts/proxy-k8s-argo-cd/Chart.yaml +++ b/helm-charts/proxy-k8s-argo-cd-bootstrapping/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 -name: proxy-k8s-argo-cd -version: 1.0.7 +name: proxy-k8s-argo-cd-bootstrapping +version: 0.1.0 dependencies: - name: argo-cd version: 4.2.0 diff --git a/helm-charts/proxy-k8s-argo-cd/values.yaml b/helm-charts/proxy-k8s-argo-cd-bootstrapping/values.yaml similarity index 75% rename from helm-charts/proxy-k8s-argo-cd/values.yaml rename to helm-charts/proxy-k8s-argo-cd-bootstrapping/values.yaml index 50f8318b5..442c3b96e 100644 --- a/helm-charts/proxy-k8s-argo-cd/values.yaml +++ b/helm-charts/proxy-k8s-argo-cd-bootstrapping/values.yaml @@ -1,4 +1,4 @@ -# values for argocd. See +# Values for argocd. See # https://github.com/argoproj/argo-helm/blob/3a2858aa98f607b495d34db0da2a7a3ecad3eaa0/charts/argo-cd/values.yaml # for default values. # argo-cd is aliased to argocd @@ -6,9 +6,9 @@ argocd: # config of server # https://github.com/argoproj/argo-helm/blob/3a2858aa98f607b495d34db0da2a7a3ecad3eaa0/charts/argo-cd/values.yaml#L781 server: - ## We will be using the App of Apps pattern (https://argo-cd.readthedocs.io/en/stable/operator-manual/cluster-bootstrapping/) - ## to manage a group of applications in our cluster. - ## This is the only application in this deployment. + ## We will only configure ArgoCD itself here, and expect definition at + ## proxy-kubernetes/argocd-apps of https://github.com/GiganticMinecraft/seichi_infra + ## to further configure the ArgoCD application (via App of Apps pattern) additionalApplications: - name: argocd namespace: argocd 
@@ -21,8 +21,10 @@ argocd: source: path: proxy-kubernetes/argocd-apps repoURL: https://github.com/GiganticMinecraft/seichi_infra - targetRevision: HEAD - + targetRevision: main + syncPolicy: + automated: + prune: true additionalProjects: - name: argocd namespace: argocd diff --git a/proxy-kubernetes/argocd-apps/argo-cd.yaml b/proxy-kubernetes/argocd-apps/argo-cd.yaml index 285ce1eca..2a3f329fe 100644 --- a/proxy-kubernetes/argocd-apps/argo-cd.yaml +++ b/proxy-kubernetes/argocd-apps/argo-cd.yaml 
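Review bot: The root `argocd` Application gets `syncPolicy.automated.prune: true` here, but the copy of the same Application that this commit inlines under `additionalApplications` in proxy-kubernetes/argocd-apps/argo-cd.yaml (the `@@ -6,58 +6,87 @@` hunk) has no `syncPolicy`, so the two definitions disagree. Once Argo CD renders the chart from argo-cd.yaml, the root Application would presumably be rewritten without automated sync, so the effective policy depends on which definition was applied last. Either add `syncPolicy:` / `automated:` / `prune: true` to the inline values as well, or drop it here. Because the source is the branch ref `main`, a comment above `syncPolicy` such as `# every merge to main under proxy-kubernetes/argocd-apps is synced and pruned automatically` would make clear that review on that branch is what gates cluster changes. The `additionalProjects` block that follows continues outside this hunk.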
@@ -6,58 +6,87 @@ metadata: spec: project: default source: - chart: proxy-k8s-argo-cd - repoURL: https://giganticminecraft.github.io/seichi_infra - targetRevision: 1.0.7 + # proxy-k8s-argo-cd-bootstrapping はブートストラッピングにのみ用いるchartなので、 + # proxy-k8s-argo-cd-bootstrapping は利用せずに直接ArgoCDのチャートを使う + # (注:むしろ、proxy-k8s-argo-cd-bootstrapping の特定リビジョンを使うと永遠にreconcilationが走ってしまう) + chart: argo-cd + repoURL: https://argoproj.github.io/argo-helm + targetRevision: 4.2.0 helm: - releaseName: proxy-k8s-argo-cd + releaseName: argo-cd values: | - # argo-cd is a dependency chart so we must override values like this - # https://helm.sh/docs/chart_template_guide/subcharts_and_globals/ - argocd: - server: - configEnabled: true - # -- [General Argo CD configuration] - # @default -- See [values.yaml] - config: - # Argo CD instance label key - application.instanceLabelKey: argocd.argoproj.io/instance - kustomize.buildOptions: --load-restrictor LoadRestrictionsNone - kustomize.buildOptions.v4.4.0: --output /tmp - ## Following settings are required when configuring SSO - # Argo CD's externally facing base URL (optional). - url: https://argocd.bungee-proxy-public.seichi.click - dex.config: | - connectors: - - type: github - id: github - name: GitHub - config: - clientID: 6d77699f96a51159ce39 - clientSecret: $argocd-github-client-secret:dex.github.clientSecret - orgs: - - name: GiganticMinecraft + # config of server + # https://github.com/argoproj/argo-helm/blob/3a2858aa98f607b495d34db0da2a7a3ecad3eaa0/charts/argo-cd/values.yaml#L781 + server: + configEnabled: true + # -- [General Argo CD configuration] + # @default -- See [values.yaml] + config: + # Argo CD instance label key + application.instanceLabelKey: argocd.argoproj.io/instance + kustomize.buildOptions: --load-restrictor LoadRestrictionsNone + kustomize.buildOptions.v4.4.0: --output /tmp + ## Following settings are required when configuring SSO + # Argo CD's externally facing base URL (optional). 
+ url: https://argocd.bungee-proxy-public.seichi.click + dex.config: | + connectors: + - type: github + id: github + name: GitHub + config: + clientID: 6d77699f96a51159ce39 + clientSecret: $argocd-github-client-secret:dex.github.clientSecret + orgs: + - name: GiganticMinecraft + + rbacConfig: + # policy.csv is an file containing user-defined RBAC policies and role definitions (optional). + # Policy rules are in the form: + # p, subject, resource, action, object, effect + # Role definitions and bindings are in the form: + # g, subject, inherited-subject + # See https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/rbac.md for additional information. + policy.csv: | + g, GiganticMinecraft:admin-team, role:admin + g, GiganticMinecraft:infra-collaborator, role:admin + # policy.default is the name of the default role which Argo CD will falls back to, when + # authorizing API requests (optional). If omitted or empty, users may be still be able to login, + # but will see no apps, projects, etc... + policy.default: role:readonly + + additionalApplications: + - name: argocd + namespace: argocd + finalizers: + - resources-finalizer.argocd.argoproj.io + destination: + namespace: argocd + server: https://kubernetes.default.svc + project: argocd + source: + path: proxy-kubernetes/argocd-apps + repoURL: https://github.com/GiganticMinecraft/seichi_infra + targetRevision: main + + additionalProjects: + - name: argocd + namespace: argocd + description: The Top-Level Project + sourceRepos: + - '*' + destinations: + - namespace: argocd + server: https://kubernetes.default.svc + clusterResourceWhitelist: + - group: '*' + kind: '*' + orphanedResources: + warn: true - rbacConfig: - # policy.csv is an file containing user-defined RBAC policies and role definitions (optional). 
- # Policy rules are in the form: - # p, subject, resource, action, object, effect - # Role definitions and bindings are in the form: - # g, subject, inherited-subject - # See https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/rbac.md for additional information. - policy.csv: | - g, GiganticMinecraft:admin-team, role:admin - g, GiganticMinecraft:infra-collaborator, role:admin - # policy.default is the name of the default role which Argo CD will falls back to, when - # authorizing API requests (optional). If omitted or empty, users may be still be able to login, - # but will see no apps, projects, etc... - policy.default: role:readonly destination: server: https://kubernetes.default.svc namespace: argocd - syncPolicy: - automated: - prune: true --- apiVersion: bitnami.com/v1alpha1 kind: SealedSecret
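Review bot: The `additionalProjects` entry added to the inline values gives the `argocd` project `sourceRepos: '*'` and a `clusterResourceWhitelist` of group `'*'` / kind `'*'`, which is wider than the one Application visible in this hunk needs, since it reads only from `https://github.com/GiganticMinecraft/seichi_infra`. The `destinations` entry confines namespaced objects to `argocd`, but with these wildcards any Application assigned to the project may pull manifests from any repository and create cluster-scoped objects such as ClusterRoleBindings. If no other Application depends on the wildcards (not visible here), replace `- '*'` under `sourceRepos` with `- https://github.com/GiganticMinecraft/seichi_infra` and list only the cluster-scoped kinds that are actually deployed. The hunk also removes `syncPolicy.automated` from this Application, whose `metadata` starts above the hunk, so changes to Argo CD itself now need a manual sync; a one-line comment saying that is intended would help the next reader.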