From c1a4980a2d175b77c002127b221e0a1ee4d64db2 Mon Sep 17 00:00:00 2001 From: DeveloperDurp Date: Wed, 4 Jan 2023 22:07:07 +0000 Subject: [PATCH] update argocd --- .../roles/k3s/argocd/templates/argocd.yaml | 1651 ++++++++++------- 1 file changed, 996 insertions(+), 655 deletions(-) diff --git a/ansible/roles/k3s/argocd/templates/argocd.yaml b/ansible/roles/k3s/argocd/templates/argocd.yaml index af71a6c..6e6fd22 100644 --- a/ansible/roles/k3s/argocd/templates/argocd.yaml +++ b/ansible/roles/k3s/argocd/templates/argocd.yaml @@ -4,34 +4,7 @@ metadata: name: argocd --- - -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: argocd-ingress - annotations: - kubernetes.io/ingress.class: nginx - cert-manager.io/cluster-issuer: letsencrypt-production - nginx.ingress.kubernetes.io/whitelist-source-range: "192.168.0.0/16" - nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" -spec: - rules: - - host: argocd.internal.durp.info - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: argocd-server - port: - number: 443 - tls: - - hosts: - - argocd.internal.durp.info - secretName: argocd-tls ---- - +# This is an auto-generated file. DO NOT EDIT apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: 
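Review bot: The Ingress deleted at the top of this hunk carried the only network restriction visible for argocd-server (`nginx.ingress.kubernetes.io/whitelist-source-range: "192.168.0.0/16"`) along with its TLS secret, and the diffstat lists no other changed file, so nothing in this commit replaces it. If the Ingress is recreated outside this template, the source-range annotation and `backend-protocol: "HTTPS"` should be carried over with it. The new header would also benefit from provenance, for example `# Vendored from the upstream Argo CD install manifest (apparently v2.5.4, going by the image tags); local resources live in <separate-template>`, because "DO NOT EDIT" alone does not say what the file is regenerated from.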
@@ -316,35 +289,9 @@ spec: type: string version: description: Version is the Helm version to use for templating - (either "2" or "3") + ("3") type: string type: object - ksonnet: - description: Ksonnet holds ksonnet specific options - properties: - environment: - description: Environment is a ksonnet application environment - name - type: string - parameters: - description: Parameters are a list of ksonnet component - parameter override values - items: - description: KsonnetParameter is a ksonnet component - parameter - properties: - component: - type: string - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object kustomize: description: Kustomize holds kustomize specific options properties: @@ -395,8 +342,8 @@ spec: and is only valid for applications sourced from Git. type: string plugin: - description: ConfigManagementPlugin holds config management - plugin specific options + description: Plugin holds config management plugin specific + options properties: env: description: Env is a list of environment variable entries @@ -689,34 +636,9 @@ spec: type: string version: description: Version is the Helm version to use for templating - (either "2" or "3") + ("3") type: string type: object - ksonnet: - description: Ksonnet holds ksonnet specific options - properties: - environment: - description: Environment is a ksonnet application environment - name - type: string - parameters: - description: Parameters are a list of ksonnet component parameter - override values - items: - description: KsonnetParameter is a ksonnet component parameter - properties: - component: - type: string - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object kustomize: description: Kustomize holds kustomize specific options properties: 
@@ -766,8 +688,7 @@ spec: and is only valid for applications sourced from Git. type: string plugin: - description: ConfigManagementPlugin holds config management plugin - specific options + description: Plugin holds config management plugin specific options properties: env: description: Env is a list of environment variable entries @@ -1068,35 +989,9 @@ spec: type: string version: description: Version is the Helm version to use for - templating (either "2" or "3") + templating ("3") type: string type: object - ksonnet: - description: Ksonnet holds ksonnet specific options - properties: - environment: - description: Environment is a ksonnet application environment - name - type: string - parameters: - description: Parameters are a list of ksonnet component - parameter override values - items: - description: KsonnetParameter is a ksonnet component - parameter - properties: - component: - type: string - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object kustomize: description: Kustomize holds kustomize specific options properties: @@ -1148,8 +1043,8 @@ spec: and is only valid for applications sourced from Git. type: string plugin: - description: ConfigManagementPlugin holds config management - plugin specific options + description: Plugin holds config management plugin specific + options properties: env: description: Env is a list of environment variable entries 
@@ -1465,35 +1360,9 @@ spec: type: string version: description: Version is the Helm version to use - for templating (either "2" or "3") + for templating ("3") type: string type: object - ksonnet: - description: Ksonnet holds ksonnet specific options - properties: - environment: - description: Environment is a ksonnet application - environment name - type: string - parameters: - description: Parameters are a list of ksonnet - component parameter override values - items: - description: KsonnetParameter is a ksonnet component - parameter - properties: - component: - type: string - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object kustomize: description: Kustomize holds kustomize specific options properties: @@ -1546,8 +1415,8 @@ spec: from Git. type: string plugin: - description: ConfigManagementPlugin holds config management - plugin specific options + description: Plugin holds config management plugin + specific options properties: env: description: Env is a list of environment variable @@ -1836,35 +1705,9 @@ spec: type: string version: description: Version is the Helm version to use for - templating (either "2" or "3") + templating ("3") type: string type: object - ksonnet: - description: Ksonnet holds ksonnet specific options - properties: - environment: - description: Environment is a ksonnet application - environment name - type: string - parameters: - description: Parameters are a list of ksonnet component - parameter override values - items: - description: KsonnetParameter is a ksonnet component - parameter - properties: - component: - type: string - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object kustomize: description: Kustomize holds kustomize specific options properties: 
@@ -1916,8 +1759,8 @@ spec: and is only valid for applications sourced from Git. type: string plugin: - description: ConfigManagementPlugin holds config management - plugin specific options + description: Plugin holds config management plugin specific + options properties: env: description: Env is a list of environment variable @@ -1968,6 +1811,10 @@ spec: reconciled using the latest git version format: date-time type: string + resourceHealthSource: + description: 'ResourceHealthSource indicates where the resource health + status is stored: inline if not set or appTree' + type: string resources: description: Resources is a list of Kubernetes resources managed by this application @@ -2004,6 +1851,9 @@ spec: description: SyncStatusCode is a type which represents possible comparison results type: string + syncWave: + format: int64 + type: integer version: type: string type: object @@ -2196,35 +2046,9 @@ spec: type: string version: description: Version is the Helm version to use for - templating (either "2" or "3") + templating ("3") type: string type: object - ksonnet: - description: Ksonnet holds ksonnet specific options - properties: - environment: - description: Environment is a ksonnet application - environment name - type: string - parameters: - description: Parameters are a list of ksonnet component - parameter override values - items: - description: KsonnetParameter is a ksonnet component - parameter - properties: - component: - type: string - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object kustomize: description: Kustomize holds kustomize specific options properties: 
@@ -2276,8 +2100,8 @@ spec: and is only valid for applications sourced from Git. type: string plugin: - description: ConfigManagementPlugin holds config management - plugin specific options + description: Plugin holds config management plugin specific + options properties: env: description: Env is a list of environment variable @@ -2341,9 +2165,9 @@ spec: apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.3.0 - creationTimestamp: null + labels: + app.kubernetes.io/name: applicationsets.argoproj.io + app.kubernetes.io/part-of: argocd name: applicationsets.argoproj.io spec: group: argoproj.io @@ -2567,25 +2391,6 @@ spec: version: type: string type: object - ksonnet: - properties: - environment: - type: string - parameters: - items: - properties: - component: - type: string - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object kustomize: properties: commonAnnotations: @@ -2873,25 +2678,6 @@ spec: version: type: string type: object - ksonnet: - properties: - environment: - type: string - parameters: - items: - properties: - component: - type: string - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object kustomize: properties: commonAnnotations: @@ -3181,25 +2967,6 @@ spec: version: type: string type: object - ksonnet: - properties: - environment: - type: string - parameters: - items: - properties: - component: - type: string - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object kustomize: properties: commonAnnotations: 
@@ -3465,25 +3232,6 @@ spec: version: type: string type: object - ksonnet: - properties: - environment: - type: string - parameters: - items: - properties: - component: - type: string - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object kustomize: properties: commonAnnotations: @@ -3779,25 +3527,6 @@ spec: version: type: string type: object - ksonnet: - properties: - environment: - type: string - parameters: - items: - properties: - component: - type: string - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object kustomize: properties: commonAnnotations: @@ -4085,25 +3814,6 @@ spec: version: type: string type: object - ksonnet: - properties: - environment: - type: string - parameters: - items: - properties: - component: - type: string - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object kustomize: properties: commonAnnotations: @@ -4393,25 +4103,6 @@ spec: version: type: string type: object - ksonnet: - properties: - environment: - type: string - parameters: - items: - properties: - component: - type: string - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object kustomize: properties: commonAnnotations: @@ -4677,25 +4368,6 @@ spec: version: type: string type: object - ksonnet: - properties: - environment: - type: string - parameters: - items: - properties: - component: - type: string - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object kustomize: properties: commonAnnotations: 
@@ -4797,10 +4469,75 @@ spec: x-kubernetes-preserve-unknown-fields: true pullRequest: properties: + bitbucketServer: + properties: + api: + type: string + basicAuth: + properties: + passwordRef: + properties: + key: + type: string + secretName: + type: string + required: + - key + - secretName + type: object + username: + type: string + required: + - passwordRef + - username + type: object + project: + type: string + repo: + type: string + required: + - api + - project + - repo + type: object + filters: + items: + properties: + branchMatch: + type: string + type: object + type: array + gitea: + properties: + api: + type: string + insecure: + type: boolean + owner: + type: string + repo: + type: string + tokenRef: + properties: + key: + type: string + secretName: + type: string + required: + - key + - secretName + type: object + required: + - api + - owner + - repo + type: object github: properties: api: type: string + appSecretName: + type: string labels: items: type: string @@ -4823,6 +4560,31 @@ spec: - owner - repo type: object + gitlab: + properties: + api: + type: string + labels: + items: + type: string + type: array + project: + type: string + pullRequestState: + type: string + tokenRef: + properties: + key: + type: string + secretName: + type: string + required: + - key + - secretName + type: object + required: + - project + type: object requeueAfterSeconds: format: int64 type: integer @@ -4989,25 +4751,6 @@ spec: version: type: string type: object - ksonnet: - properties: - environment: - type: string - parameters: - items: - properties: - component: - type: string - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object kustomize: properties: commonAnnotations: 
@@ -5103,6 +4846,84 @@ spec: type: object scmProvider: properties: + azureDevOps: + properties: + accessTokenRef: + properties: + key: + type: string + secretName: + type: string + required: + - key + - secretName + type: object + allBranches: + type: boolean + api: + type: string + organization: + type: string + teamProject: + type: string + required: + - accessTokenRef + - organization + - teamProject + type: object + bitbucket: + properties: + allBranches: + type: boolean + appPasswordRef: + properties: + key: + type: string + secretName: + type: string + required: + - key + - secretName + type: object + owner: + type: string + user: + type: string + required: + - appPasswordRef + - owner + - user + type: object + bitbucketServer: + properties: + allBranches: + type: boolean + api: + type: string + basicAuth: + properties: + passwordRef: + properties: + key: + type: string + secretName: + type: string + required: + - key + - secretName + type: object + username: + type: string + required: + - passwordRef + - username + type: object + project: + type: string + required: + - api + - project + type: object cloneProtocol: type: string filters: @@ -5112,6 +4933,10 @@ spec: type: string labelMatch: type: string + pathsDoNotExist: + items: + type: string + type: array pathsExist: items: type: string @@ -5120,12 +4945,38 @@ spec: type: string type: object type: array + gitea: + properties: + allBranches: + type: boolean + api: + type: string + insecure: + type: boolean + owner: + type: string + tokenRef: + properties: + key: + type: string + secretName: + type: string + required: + - key + - secretName + type: object + required: + - api + - owner + type: object github: properties: allBranches: type: boolean api: type: string + appSecretName: + type: string organization: type: string tokenRef: 
@@ -5330,25 +5181,6 @@ spec: version: type: string type: object - ksonnet: - properties: - environment: - type: string - parameters: - items: - properties: - component: - type: string - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object kustomize: properties: commonAnnotations: @@ -5442,6 +5274,29 @@ spec: - spec type: object type: object + selector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object type: object type: array template: @@ -5607,25 +5462,6 @@ spec: version: type: string type: object - ksonnet: - properties: - environment: - type: string - parameters: - items: - properties: - component: - type: string - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object kustomize: properties: commonAnnotations: @@ -5921,25 +5757,6 @@ spec: version: type: string type: object - ksonnet: - properties: - environment: - type: string - parameters: - items: - properties: - component: - type: string - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object kustomize: properties: commonAnnotations: @@ -6227,25 +6044,6 @@ spec: version: type: string type: object - ksonnet: - properties: - environment: - type: string - parameters: - items: - properties: - component: - type: string - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object kustomize: properties: commonAnnotations: 
@@ -6535,25 +6333,6 @@ spec: version: type: string type: object - ksonnet: - properties: - environment: - type: string - parameters: - items: - properties: - component: - type: string - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object kustomize: properties: commonAnnotations: @@ -6819,25 +6598,6 @@ spec: version: type: string type: object - ksonnet: - properties: - environment: - type: string - parameters: - items: - properties: - component: - type: string - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object kustomize: properties: commonAnnotations: @@ -6939,10 +6699,75 @@ spec: x-kubernetes-preserve-unknown-fields: true pullRequest: properties: + bitbucketServer: + properties: + api: + type: string + basicAuth: + properties: + passwordRef: + properties: + key: + type: string + secretName: + type: string + required: + - key + - secretName + type: object + username: + type: string + required: + - passwordRef + - username + type: object + project: + type: string + repo: + type: string + required: + - api + - project + - repo + type: object + filters: + items: + properties: + branchMatch: + type: string + type: object + type: array + gitea: + properties: + api: + type: string + insecure: + type: boolean + owner: + type: string + repo: + type: string + tokenRef: + properties: + key: + type: string + secretName: + type: string + required: + - key + - secretName + type: object + required: + - api + - owner + - repo + type: object github: properties: api: type: string + appSecretName: + type: string labels: items: type: string 
@@ -6965,6 +6790,31 @@ spec: - owner - repo type: object + gitlab: + properties: + api: + type: string + labels: + items: + type: string + type: array + project: + type: string + pullRequestState: + type: string + tokenRef: + properties: + key: + type: string + secretName: + type: string + required: + - key + - secretName + type: object + required: + - project + type: object requeueAfterSeconds: format: int64 type: integer @@ -7131,25 +6981,6 @@ spec: version: type: string type: object - ksonnet: - properties: - environment: - type: string - parameters: - items: - properties: - component: - type: string - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object kustomize: properties: commonAnnotations: @@ -7245,6 +7076,84 @@ spec: type: object scmProvider: properties: + azureDevOps: + properties: + accessTokenRef: + properties: + key: + type: string + secretName: + type: string + required: + - key + - secretName + type: object + allBranches: + type: boolean + api: + type: string + organization: + type: string + teamProject: + type: string + required: + - accessTokenRef + - organization + - teamProject + type: object + bitbucket: + properties: + allBranches: + type: boolean + appPasswordRef: + properties: + key: + type: string + secretName: + type: string + required: + - key + - secretName + type: object + owner: + type: string + user: + type: string + required: + - appPasswordRef + - owner + - user + type: object + bitbucketServer: + properties: + allBranches: + type: boolean + api: + type: string + basicAuth: + properties: + passwordRef: + properties: + key: + type: string + secretName: + type: string + required: + - key + - secretName + type: object + username: + type: string + required: + - passwordRef + - username + type: object + project: + type: string + required: + - api + - project + type: object cloneProtocol: type: string filters: 
@@ -7254,6 +7163,10 @@ spec: type: string labelMatch: type: string + pathsDoNotExist: + items: + type: string + type: array pathsExist: items: type: string @@ -7262,12 +7175,38 @@ spec: type: string type: object type: array + gitea: + properties: + allBranches: + type: boolean + api: + type: string + insecure: + type: boolean + owner: + type: string + tokenRef: + properties: + key: + type: string + secretName: + type: string + required: + - key + - secretName + type: object + required: + - api + - owner + type: object github: properties: allBranches: type: boolean api: type: string + appSecretName: + type: string organization: type: string tokenRef: @@ -7472,25 +7411,6 @@ spec: version: type: string type: object - ksonnet: - properties: - environment: - type: string - parameters: - items: - properties: - component: - type: string - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object kustomize: properties: commonAnnotations: @@ -7584,6 +7504,29 @@ spec: - spec type: object type: object + selector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object type: object type: array mergeKeys: @@ -7753,25 +7696,6 @@ spec: version: type: string type: object - ksonnet: - properties: - environment: - type: string - parameters: - items: - properties: - component: - type: string - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object kustomize: properties: commonAnnotations: 
@@ -7870,10 +7794,75 @@ spec: type: object pullRequest: properties: + bitbucketServer: + properties: + api: + type: string + basicAuth: + properties: + passwordRef: + properties: + key: + type: string + secretName: + type: string + required: + - key + - secretName + type: object + username: + type: string + required: + - passwordRef + - username + type: object + project: + type: string + repo: + type: string + required: + - api + - project + - repo + type: object + filters: + items: + properties: + branchMatch: + type: string + type: object + type: array + gitea: + properties: + api: + type: string + insecure: + type: boolean + owner: + type: string + repo: + type: string + tokenRef: + properties: + key: + type: string + secretName: + type: string + required: + - key + - secretName + type: object + required: + - api + - owner + - repo + type: object github: properties: api: type: string + appSecretName: + type: string labels: items: type: string @@ -7896,6 +7885,31 @@ spec: - owner - repo type: object + gitlab: + properties: + api: + type: string + labels: + items: + type: string + type: array + project: + type: string + pullRequestState: + type: string + tokenRef: + properties: + key: + type: string + secretName: + type: string + required: + - key + - secretName + type: object + required: + - project + type: object requeueAfterSeconds: format: int64 type: integer @@ -8062,25 +8076,6 @@ spec: version: type: string type: object - ksonnet: - properties: - environment: - type: string - parameters: - items: - properties: - component: - type: string - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object kustomize: properties: commonAnnotations: 
@@ -8176,6 +8171,84 @@ spec: type: object scmProvider: properties: + azureDevOps: + properties: + accessTokenRef: + properties: + key: + type: string + secretName: + type: string + required: + - key + - secretName + type: object + allBranches: + type: boolean + api: + type: string + organization: + type: string + teamProject: + type: string + required: + - accessTokenRef + - organization + - teamProject + type: object + bitbucket: + properties: + allBranches: + type: boolean + appPasswordRef: + properties: + key: + type: string + secretName: + type: string + required: + - key + - secretName + type: object + owner: + type: string + user: + type: string + required: + - appPasswordRef + - owner + - user + type: object + bitbucketServer: + properties: + allBranches: + type: boolean + api: + type: string + basicAuth: + properties: + passwordRef: + properties: + key: + type: string + secretName: + type: string + required: + - key + - secretName + type: object + username: + type: string + required: + - passwordRef + - username + type: object + project: + type: string + required: + - api + - project + type: object cloneProtocol: type: string filters: @@ -8185,6 +8258,10 @@ spec: type: string labelMatch: type: string + pathsDoNotExist: + items: + type: string + type: array pathsExist: items: type: string @@ -8193,12 +8270,38 @@ spec: type: string type: object type: array + gitea: + properties: + allBranches: + type: boolean + api: + type: string + insecure: + type: boolean + owner: + type: string + tokenRef: + properties: + key: + type: string + secretName: + type: string + required: + - key + - secretName + type: object + required: + - api + - owner + type: object github: properties: allBranches: type: boolean api: type: string + appSecretName: + type: string organization: type: string tokenRef: 
@@ -8403,25 +8506,6 @@ spec: version: type: string type: object - ksonnet: - properties: - environment: - type: string - parameters: - items: - properties: - component: - type: string - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object kustomize: properties: commonAnnotations: @@ -8515,8 +8599,33 @@ spec: - spec type: object type: object + selector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object type: object type: array + goTemplate: + type: boolean syncPolicy: properties: preserveResourcesOnDeletion: @@ -8685,25 +8794,6 @@ spec: version: type: string type: object - ksonnet: - properties: - environment: - type: string - parameters: - items: - properties: - component: - type: string - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object kustomize: properties: commonAnnotations: @@ -8832,12 +8922,6 @@ spec: storage: true subresources: status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition @@ -9000,6 +9084,10 @@ spec: for apps which have orphaned resources type: boolean type: object + permitOnlyProjectScopedClusters: + description: PermitOnlyProjectScopedClusters determines whether destinations + can only reference clusters which are project-scoped + type: boolean roles: description: Roles are user defined RBAC roles associated with this project 
@@ -9062,6 +9150,12 @@ spec: - keyID type: object type: array + sourceNamespaces: + description: SourceNamespaces defines the namespaces application resources + are allowed to be created in + items: + type: string + type: array sourceRepos: description: SourceRepos contains list of repository URLs which can be used for deployment @@ -9182,6 +9276,10 @@ metadata: apiVersion: v1 kind: ServiceAccount metadata: + labels: + app.kubernetes.io/component: notifications-controller + app.kubernetes.io/name: argocd-notifications-controller + app.kubernetes.io/part-of: argocd name: argocd-notifications-controller --- apiVersion: v1 @@ -9195,6 +9293,15 @@ metadata: --- apiVersion: v1 kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/component: repo-server + app.kubernetes.io/name: argocd-repo-server + app.kubernetes.io/part-of: argocd + name: argocd-repo-server +--- +apiVersion: v1 +kind: ServiceAccount metadata: labels: app.kubernetes.io/component: server @@ -9254,7 +9361,6 @@ rules: - argoproj.io resources: - applications - - appprojects - applicationsets - applicationsets/finalizers verbs: @@ -9265,6 +9371,12 @@ rules: - patch - update - watch +- apiGroups: + - argoproj.io + resources: + - appprojects + verbs: + - get - apiGroups: - argoproj.io resources: @@ -9389,6 +9501,7 @@ rules: resources: - applications - appprojects + - applicationsets verbs: - create - get @@ -9455,6 +9568,14 @@ rules: - pods/log verbs: - get +- apiGroups: + - argoproj.io + resources: + - applications + verbs: + - get + - list + - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding @@ -9609,7 +9730,6 @@ metadata: apiVersion: v1 kind: ConfigMap metadata: - creationTimestamp: null name: argocd-notifications-cm --- apiVersion: v1 @@ -9640,7 +9760,6 @@ metadata: name: argocd-ssh-known-hosts-cm --- apiVersion: v1 -data: null kind: ConfigMap metadata: labels: 
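Review bot: Adding `applicationsets` to the rule at `@@ -9389` puts it under the same write verbs as `applications` and `appprojects` (`create` is visible; the verb list and the Role's name continue outside the hunk). An ApplicationSet templates Applications, so write access to it is indirectly write access to whatever the generated Applications may deploy. Since the Kubernetes rule is part of the generated manifest, the practical control is Argo CD's own policy; I would record that next to the rule or in the role's docs, e.g. `# applicationsets: write access generates Applications; limit who can reach it in argocd-rbac-cm`.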
@@ -9677,6 +9796,10 @@ spec: port: 7000 protocol: TCP targetPort: webhook + - name: metrics + port: 8080 + protocol: TCP + targetPort: metrics selector: app.kubernetes.io/name: argocd-applicationset-controller --- @@ -9832,18 +9955,29 @@ spec: containers: - command: - entrypoint.sh - - applicationset-controller + - argocd-applicationset-controller env: - name: NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - image: quay.io/argoproj/argocd-applicationset:v0.4.1 + image: quay.io/argoproj/argocd:v2.5.4 imagePullPolicy: Always name: argocd-applicationset-controller ports: - containerPort: 7000 name: webhook + - containerPort: 8080 + name: metrics + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /app/config/ssh name: ssh-known-hosts @@ -9853,6 +9987,8 @@ spec: name: gpg-keys - mountPath: /app/config/gpg/keys name: gpg-keyring + - mountPath: /tmp + name: tmp serviceAccountName: argocd-applicationset-controller volumes: - configMap: @@ -9866,6 +10002,8 @@ spec: name: gpg-keys - emptyDir: {} name: gpg-keyring + - emptyDir: {} + name: tmp --- apiVersion: apps/v1 kind: Deployment @@ -9897,7 +10035,14 @@ spec: - command: - /shared/argocd-dex - rundex - image: ghcr.io/dexidp/dex:v2.30.2 + env: + - name: ARGOCD_DEX_SERVER_DISABLE_TLS + valueFrom: + configMapKeyRef: + key: dexserver.disable.tls + name: argocd-cmd-params-cm + optional: true + image: ghcr.io/dexidp/dex:v2.35.3 imagePullPolicy: Always name: dex ports: 
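Review bot: `image: quay.io/argoproj/argocd:v2.5.4` at `@@ -9832` is referenced by tag while `imagePullPolicy: Always` stays set, so each pod restart pulls whatever the tag resolves to at that moment. Pinning by digest, `image: quay.io/argoproj/argocd:v2.5.4@sha256:<digest-of-v2.5.4>` (placeholder; take the value from the release you verified), makes the deployed image reproducible and auditable. The same applies to the dex image at `@@ -9897`, the copyutil and notifications images at `@@ -9906` and `@@ -9952`, `redis:7.0.5-alpine` at `@@ -10021` and the repo-server image at `@@ -10143`.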
@@ -9906,22 +10051,38 @@ spec: - containerPort: 5558 securityContext: allowPrivilegeEscalation: false + capabilities: + drop: + - ALL readOnlyRootFilesystem: true runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /shared name: static-files - mountPath: /tmp name: dexconfig + - mountPath: /tls + name: argocd-dex-server-tls initContainers: - command: - cp - -n - /usr/local/bin/argocd - /shared/argocd-dex - image: quay.io/argoproj/argocd:v2.3.3 + image: quay.io/argoproj/argocd:v2.5.4 imagePullPolicy: Always name: copyutil + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /shared name: static-files @@ -9933,6 +10094,17 @@ spec: name: static-files - emptyDir: {} name: dexconfig + - name: argocd-dex-server-tls + secret: + items: + - key: tls.crt + path: tls.crt + - key: tls.key + path: tls.key + - key: ca.crt + path: ca.crt + optional: true + secretName: argocd-dex-server-tls --- apiVersion: apps/v1 kind: Deployment @@ -9952,12 +10124,18 @@ spec: containers: - command: - argocd-notifications - image: quay.io/argoproj/argocd:v2.3.3 + image: quay.io/argoproj/argocd:v2.5.4 imagePullPolicy: Always livenessProbe: tcpSocket: port: 9001 name: argocd-notifications-controller + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true volumeMounts: - mountPath: /app/config/tls name: tls-certs @@ -9966,6 +10144,8 @@ spec: workingDir: /app securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: argocd-notifications-controller volumes: - configMap: 
@@ -10021,14 +10201,21 @@ spec: - "" - --appendonly - "no" - image: redis:6.2.6-alpine + image: redis:7.0.5-alpine imagePullPolicy: Always name: redis ports: - containerPort: 6379 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL securityContext: runAsNonRoot: true runAsUser: 999 + seccompProfile: + type: RuntimeDefault serviceAccountName: argocd-redis --- apiVersion: apps/v1 @@ -10066,10 +10253,9 @@ spec: automountServiceAccountToken: false containers: - command: - - entrypoint.sh - - argocd-repo-server - - --redis - - argocd-redis:6379 + - sh + - -c + - entrypoint.sh argocd-repo-server --redis argocd-redis:6379 env: - name: ARGOCD_RECONCILIATION_TIMEOUT valueFrom: @@ -10131,6 +10317,12 @@ spec: key: redis.server name: argocd-cmd-params-cm optional: true + - name: REDIS_COMPRESSION + valueFrom: + configMapKeyRef: + key: redis.compression + name: argocd-cmd-params-cm + optional: true - name: REDISDB valueFrom: configMapKeyRef: 
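Review bot: The container-level `securityContext` added for `redis` in the `@@ -10021,14 +10201,21 @@` hunk sets `allowPrivilegeEscalation: false` and drops `ALL` capabilities but, unlike the other containers hardened in this commit, has no `readOnlyRootFilesystem: true`. The visible args (`""` and `--appendonly "no"`) suggest persistence is switched off, so a read-only root filesystem looks feasible, but that needs a start-up test with the new `redis:7.0.5-alpine` image. The proposed line under the container's `securityContext` is `readOnlyRootFilesystem: true`. The args list begins before this hunk, so the full command line is not visible here.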
@@ -10143,13 +10335,49 @@ spec: key: reposerver.default.cache.expiration name: argocd-cmd-params-cm optional: true + - name: ARGOCD_REPO_SERVER_OTLP_ADDRESS + valueFrom: + configMapKeyRef: + key: otlp.address + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_REPO_SERVER_MAX_COMBINED_DIRECTORY_MANIFESTS_SIZE + valueFrom: + configMapKeyRef: + key: reposerver.max.combined.directory.manifests.size + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_REPO_SERVER_PLUGIN_TAR_EXCLUSIONS + valueFrom: + configMapKeyRef: + key: reposerver.plugin.tar.exclusions + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_REPO_SERVER_ALLOW_OUT_OF_BOUNDS_SYMLINKS + valueFrom: + configMapKeyRef: + key: reposerver.allow.oob.symlinks + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_REPO_SERVER_STREAMED_MANIFEST_MAX_TAR_SIZE + valueFrom: + configMapKeyRef: + key: reposerver.streamed.manifest.max.tar.size + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_REPO_SERVER_STREAMED_MANIFEST_MAX_EXTRACTED_SIZE + valueFrom: + configMapKeyRef: + key: reposerver.streamed.manifest.max.extracted.size + name: argocd-cmd-params-cm + optional: true - name: HELM_CACHE_HOME value: /helm-working-dir - name: HELM_CONFIG_HOME value: /helm-working-dir - name: HELM_DATA_HOME value: /helm-working-dir - image: quay.io/argoproj/argocd:v2.3.3 + image: quay.io/argoproj/argocd:v2.5.4 imagePullPolicy: Always livenessProbe: failureThreshold: 3 @@ -10172,9 +10400,11 @@ spec: allowPrivilegeEscalation: false capabilities: drop: - - all + - ALL readOnlyRootFilesystem: true runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /app/config/ssh name: ssh-known-hosts 
@@ -10198,11 +10428,21 @@ spec: - -n - /usr/local/bin/argocd - /var/run/argocd/argocd-cmp-server - image: quay.io/argoproj/argocd:v2.3.3 + image: quay.io/argoproj/argocd:v2.5.4 name: copyutil + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /var/run/argocd name: var-files + serviceAccountName: argocd-repo-server volumes: - configMap: name: argocd-ssh-known-hosts-cm @@ -10295,7 +10535,7 @@ spec: key: server.log.format name: argocd-cmd-params-cm optional: true - - name: ARGOCD_REPO_SERVER_LOGLEVEL + - name: ARGOCD_SERVER_LOG_LEVEL valueFrom: configMapKeyRef: key: server.log.level @@ -10337,6 +10577,12 @@ spec: key: server.x.frame.options name: argocd-cmd-params-cm optional: true + - name: ARGOCD_SERVER_CONTENT_SECURITY_POLICY + valueFrom: + configMapKeyRef: + key: server.content.security.policy + name: argocd-cmd-params-cm + optional: true - name: ARGOCD_SERVER_REPO_SERVER_PLAINTEXT valueFrom: configMapKeyRef: @@ -10349,6 +10595,18 @@ spec: key: server.repo.server.strict.tls name: argocd-cmd-params-cm optional: true + - name: ARGOCD_SERVER_DEX_SERVER_PLAINTEXT + valueFrom: + configMapKeyRef: + key: server.dex.server.plaintext + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_SERVER_DEX_SERVER_STRICT_TLS + valueFrom: + configMapKeyRef: + key: server.dex.server.strict.tls + name: argocd-cmd-params-cm + optional: true - name: ARGOCD_TLS_MIN_VERSION valueFrom: configMapKeyRef: @@ -10403,6 +10661,12 @@ spec: key: redis.server name: argocd-cmd-params-cm optional: true + - name: REDIS_COMPRESSION + valueFrom: + configMapKeyRef: + key: redis.compression + name: argocd-cmd-params-cm + optional: true - name: REDISDB valueFrom: configMapKeyRef: 
@@ -10421,7 +10685,19 @@ spec: key: server.http.cookie.maxnumber name: argocd-cmd-params-cm optional: true - image: quay.io/argoproj/argocd:v2.3.3 + - name: ARGOCD_SERVER_OTLP_ADDRESS + valueFrom: + configMapKeyRef: + key: otlp.address + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_APPLICATION_NAMESPACES + valueFrom: + configMapKeyRef: + key: application.namespaces + name: argocd-cmd-params-cm + optional: true + image: quay.io/argoproj/argocd:v2.5.4 imagePullPolicy: Always livenessProbe: httpGet: @@ -10443,9 +10719,11 @@ spec: allowPrivilegeEscalation: false capabilities: drop: - - all + - ALL readOnlyRootFilesystem: true runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /app/config/ssh name: ssh-known-hosts @@ -10453,6 +10731,8 @@ spec: name: tls-certs - mountPath: /app/config/server/tls name: argocd-repo-server-tls + - mountPath: /app/config/dex/tls + name: argocd-dex-server-tls - mountPath: /home/argocd name: plugins-home - mountPath: /tmp @@ -10463,8 +10743,6 @@ spec: name: plugins-home - emptyDir: {} name: tmp - - emptyDir: {} - name: static-files - configMap: name: argocd-ssh-known-hosts-cm name: ssh-known-hosts @@ -10482,6 +10760,15 @@ spec: path: ca.crt optional: true secretName: argocd-repo-server-tls + - name: argocd-dex-server-tls + secret: + items: + - key: tls.crt + path: tls.crt + - key: ca.crt + path: ca.crt + optional: true + secretName: argocd-dex-server-tls --- apiVersion: apps/v1 kind: StatefulSet @@ -10521,12 +10808,20 @@ spec: - command: - argocd-application-controller env: + - name: ARGOCD_CONTROLLER_REPLICAS + value: "1" - name: ARGOCD_RECONCILIATION_TIMEOUT valueFrom: configMapKeyRef: key: timeout.reconciliation name: argocd-cm optional: true + - name: ARGOCD_HARD_RECONCILIATION_TIMEOUT + valueFrom: + configMapKeyRef: + key: timeout.hard.reconciliation + name: argocd-cm + optional: true - name: ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER valueFrom: configMapKeyRef: 
@@ -10587,6 +10882,12 @@ spec: key: controller.repo.server.strict.tls name: argocd-cmd-params-cm optional: true + - name: ARGOCD_APPLICATION_CONTROLLER_PERSIST_RESOURCE_HEALTH + valueFrom: + configMapKeyRef: + key: controller.resource.health.persist + name: argocd-cmd-params-cm + optional: true - name: ARGOCD_APP_STATE_CACHE_EXPIRATION valueFrom: configMapKeyRef: @@ -10599,6 +10900,12 @@ spec: key: redis.server name: argocd-cmd-params-cm optional: true + - name: REDIS_COMPRESSION + valueFrom: + configMapKeyRef: + key: redis.compression + name: argocd-cmd-params-cm + optional: true - name: REDISDB valueFrom: configMapKeyRef: @@ -10611,14 +10918,20 @@ spec: key: controller.default.cache.expiration name: argocd-cmd-params-cm optional: true - image: quay.io/argoproj/argocd:v2.3.3 + - name: ARGOCD_APPLICATION_CONTROLLER_OTLP_ADDRESS + valueFrom: + configMapKeyRef: + key: otlp.address + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_APPLICATION_NAMESPACES + valueFrom: + configMapKeyRef: + key: application.namespaces + name: argocd-cmd-params-cm + optional: true + image: quay.io/argoproj/argocd:v2.5.4 imagePullPolicy: Always - livenessProbe: - httpGet: - path: /healthz - port: 8082 - initialDelaySeconds: 5 - periodSeconds: 10 name: argocd-application-controller ports: - containerPort: 8082 @@ -10632,9 +10945,11 @@ spec: allowPrivilegeEscalation: false capabilities: drop: - - all + - ALL readOnlyRootFilesystem: true runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /app/config/controller/tls name: argocd-repo-server-tls 
@@ -10675,6 +10990,25 @@ spec: --- apiVersion: networking.k8s.io/v1 kind: NetworkPolicy +metadata: + name: argocd-applicationset-controller-network-policy +spec: + ingress: + - from: + - namespaceSelector: {} + ports: + - port: 7000 + protocol: TCP + - port: 8080 + protocol: TCP + podSelector: + matchLabels: + app.kubernetes.io/name: argocd-applicationset-controller + policyTypes: + - Ingress +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy metadata: name: argocd-dex-server-network-policy spec: @@ -10701,9 +11035,32 @@ spec: --- apiVersion: networking.k8s.io/v1 kind: NetworkPolicy +metadata: + name: argocd-notifications-controller-network-policy +spec: + ingress: + - from: + - namespaceSelector: {} + ports: + - port: 9001 + protocol: TCP + podSelector: + matchLabels: + app.kubernetes.io/name: argocd-notifications-controller + policyTypes: + - Ingress +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy metadata: name: argocd-redis-network-policy spec: + egress: + - ports: + - port: 53 + protocol: UDP + - port: 53 + protocol: TCP ingress: - from: - podSelector: @@ -10723,6 +11080,7 @@ spec: app.kubernetes.io/name: argocd-redis policyTypes: - Ingress + - Egress --- apiVersion: networking.k8s.io/v1 kind: NetworkPolicy @@ -10765,20 +11123,3 @@ spec: app.kubernetes.io/name: argocd-server policyTypes: - Ingress - ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: argocd-cm2 - namespace: argocd - labels: - app.kubernetes.io/name: argocd-cm - app.kubernetes.io/part-of: argocd -data: - resource.customizations: | - extensions/Ingress: - health.lua: | - hs = {} - hs.status = "Healthy" - return hs
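Review bot: Both added policies use `namespaceSelector: {}` as the only ingress peer, which matches every namespace: `argocd-applicationset-controller-network-policy` in the `@@ -10675,6 +10990,25 @@` hunk and `argocd-notifications-controller-network-policy` in the next one. Any pod in the cluster can therefore reach ports 7000 and 8080 on the applicationset controller and 9001 on the notifications controller. If port 8080 (named `metrics` elsewhere in this commit) is only meant for a scraper, it could move to its own rule with a narrower peer such as `- namespaceSelector: {matchLabels: {kubernetes.io/metadata.name: <monitoring-namespace>}}` (placeholder namespace), leaving 7000 reachable only from the path that delivers webhooks. Whether these policies are enforced at all depends on the cluster's network policy controller, which this diff does not show.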