diff --git a/charts/argo-cd/templates/argocd-dex-server-deployment.yaml b/charts/argo-cd/templates/argocd-dex-server-deployment.yaml
new file mode 100644
index 00000000..8d7bc1c1
--- /dev/null
+++ b/charts/argo-cd/templates/argocd-dex-server-deployment.yaml
@@ -0,0 +1,48 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: argocd-dex-server
+ labels:
+ app.kubernetes.io/name: {{ include "argo-cd.name" . }}-dex-server
+ helm.sh/chart: {{ include "argo-cd.chart" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/part-of: {{ include "argo-cd.name" . }}
+ app.kubernetes.io/component: dex-server
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: {{ include "argo-cd.name" . }}-dex-server
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: {{ include "argo-cd.name" . }}-dex-server
+ helm.sh/chart: {{ include "argo-cd.chart" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/part-of: {{ include "argo-cd.name" . }}
+ app.kubernetes.io/component: dex-server
+ spec:
+ serviceAccountName: argocd-dex-server
+ initContainers:
+ - name: copyutil
+ image: {{ .Values.dexServer.initImage.repository }}:{{ .Values.dexServer.initImage.tag }}
+ imagePullPolicy: {{ .Values.dexServer.initImage.pullPolicy }}
+ command: [cp, /usr/local/bin/argocd-util, /shared]
+ volumeMounts:
+ - mountPath: /shared
+ name: static-files
+ containers:
+ - name: dex
+ image: {{ .Values.dexServer.image.repository }}:{{ .Values.dexServer.image.tag }}
+ imagePullPolicy: {{ .Values.dexServer.image.pullPolicy }}
+ command: [/shared/argocd-util, rundex]
+ ports:
+ - containerPort: {{ .Values.dexServer.containerPortHttp }}
+ - containerPort: {{ .Values.dexServer.containerPortGrpc }}
+ volumeMounts:
+ - mountPath: /shared
+ name: static-files
+ volumes:
+ - emptyDir: {}
+ name: static-files
\ No newline at end of file
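Review bot: The dex pod is rendered with no container `securityContext` and no `resources`, and the `static-files` emptyDir that receives the copied `argocd-util` binary is mounted read-write in the very container that executes it (`command: [/shared/argocd-util, rundex]`). Mounting it `readOnly: true` in the `dex` container and dropping privileges keeps the executed binary immutable at runtime and limits what a compromised dex process can do; I have not confirmed whether `rundex` writes anything under `/shared`, so verify that before adding the read-only flag. The original indentation is not recoverable from this rendering, so the excerpt below uses conventional two-space nesting.
```yaml
      containers:
      - name: dex
        # … unchanged: image, imagePullPolicy, command, ports …
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
              - ALL
        volumeMounts:
        - mountPath: /shared
          name: static-files
          readOnly: true
```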
diff --git a/charts/argo-cd/templates/argocd-dex-server-role.yaml b/charts/argo-cd/templates/argocd-dex-server-role.yaml
new file mode 100644
index 00000000..16076248
--- /dev/null
+++ b/charts/argo-cd/templates/argocd-dex-server-role.yaml
@@ -0,0 +1,21 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: argocd-dex-server
+ labels:
+ app.kubernetes.io/name: {{ include "argo-cd.name" . }}-dex-server
+ helm.sh/chart: {{ include "argo-cd.chart" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/part-of: {{ include "argo-cd.name" . }}
+ app.kubernetes.io/component: dex-server
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - secrets
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
\ No newline at end of file
diff --git a/charts/argo-cd/templates/argocd-dex-server-rolebinding.yaml b/charts/argo-cd/templates/argocd-dex-server-rolebinding.yaml
new file mode 100644
index 00000000..1db56ffe
--- /dev/null
+++ b/charts/argo-cd/templates/argocd-dex-server-rolebinding.yaml
@@ -0,0 +1,18 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: argocd-dex-server
+ labels:
+ app.kubernetes.io/name: {{ include "argo-cd.name" . }}-dex-server
+ helm.sh/chart: {{ include "argo-cd.chart" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/part-of: {{ include "argo-cd.name" . }}
+ app.kubernetes.io/component: dex-server
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: argocd-dex-server
+subjects:
+- kind: ServiceAccount
+ name: argocd-dex-server
\ No newline at end of file
diff --git a/charts/argo-cd/templates/argocd-dex-server-sa.yaml b/charts/argo-cd/templates/argocd-dex-server-sa.yaml
new file mode 100644
index 00000000..9fa6a3bd
--- /dev/null
+++ b/charts/argo-cd/templates/argocd-dex-server-sa.yaml
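Review bot: The Role grants `get`, `list` and `watch` on every `secrets` and `configmaps` object in the release namespace, which reaches repository credentials and any other secret co-located with Argo CD, not only what dex itself needs. `list` and `watch` cannot be narrowed with `resourceNames`, so if the wide grant is required for `argocd-util rundex` to find its configuration (presumably the Argo CD config map and secret, which I cannot confirm from this diff), state that above `rules:` with `# dex discovers its config via list/watch, which RBAC cannot scope by resourceNames; keep Argo CD in a dedicated namespace`. Otherwise, restrict the rule to `get` on named objects.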
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: argocd-dex-server
+ labels:
+ app.kubernetes.io/name: {{ include "argo-cd.name" . }}-dex-server
+ helm.sh/chart: {{ include "argo-cd.chart" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/part-of: {{ include "argo-cd.name" . }}
+ app.kubernetes.io/component: dex-server
\ No newline at end of file
diff --git a/charts/argo-cd/templates/argocd-dex-server-service.yaml b/charts/argo-cd/templates/argocd-dex-server-service.yaml
new file mode 100644
index 00000000..87402f40
--- /dev/null
+++ b/charts/argo-cd/templates/argocd-dex-server-service.yaml
@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: argocd-dex-server
+ labels:
+ app.kubernetes.io/name: {{ include "argo-cd.name" . }}-dex-server
+ helm.sh/chart: {{ include "argo-cd.chart" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/part-of: {{ include "argo-cd.name" . }}
+ app.kubernetes.io/component: dex-server
+spec:
+ ports:
+ - name: http
+ protocol: TCP
+ port: {{ .Values.dexServer.servicePortHttp }}
+ targetPort: {{ .Values.dexServer.containerPortHttp }}
+ - name: grpc
+ protocol: TCP
+ port: {{ .Values.dexServer.servicePortGrpc }}
+ targetPort: {{ .Values.dexServer.containerPortGrpc }}
+ selector:
+ app.kubernetes.io/name: {{ include "argo-cd.name" . }}-dex-server
\ No newline at end of file
diff --git a/charts/argo-cd/values.yaml b/charts/argo-cd/values.yaml
index 4a99e294..81d3f7e7 100644
--- a/charts/argo-cd/values.yaml
+++ b/charts/argo-cd/values.yaml
@@ -29,6 +29,20 @@ repoServer:
 tag: v0.11.0
 pullPolicy: Always
+dexServer:
+ containerPortHttp: 5556
+ containerPortGrpc: 5557
+ servicePortHttp: 5556
+ servicePortGrpc: 5557
+ image:
+ repository: quay.io/dexidp/dex
+ tag: v2.12.0
+ pullPolicy: Always
+ initImage:
+ repository: argoproj/argocd
+ tag: v0.11.0
+ pullPolicy: Always
+
+ # Standard Argo CD installation with cluster-admin access.
+ # Set this true if you plan to use Argo CD to deploy applications in the same cluster that
+ # Argo CD runs in (i.e. kubernetes.svc.default).
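Review bot: `dexServer.initImage.tag` restates `v0.11.0` independently of the `repoServer` tag visible in the hunk's context lines, so the `argocd-util` binary copied into the dex pod can silently drift from the rest of the Argo CD install when only one of them is bumped. Consider deriving both from one shared value, or at least document the coupling above `initImage:` with `# Must track the Argo CD version used by the other components; argocd-util is copied from this image.` The hunk header announces six context lines but only the two `repoServer` lines are recoverable from this rendering, so I could not verify where the trailing comment block sits.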
@@ -39,42 +53,42 @@ clusterAdminAccess:
 config:
 helmRepositories:
- - name: privateRepo
- url: http://chartmuseum.privatecloud.com
- usernameSecret:
- name: private-chartmuseum
- key: username
- passwordSecret:
- name: private-chartmuseum
- key: password
- - name: incubator
- url: https://kubernetes-charts-incubator.storage.googleapis.com/
+ # - name: privateRepo
+ # url: http://chartmuseum.privatecloud.com
+ # usernameSecret:
+ # name: private-chartmuseum
+ # key: username
+ # passwordSecret:
+ # name: private-chartmuseum
+ # key: password
+ # - name: incubator
+ # url: https://kubernetes-charts-incubator.storage.googleapis.com/
 repositories:
- - url: git@gitlab.com:usersprivategroup/users-gitops-config.git
- sshPrivateKeySecret:
- key: privateKey
- name: argocd-dev-key
- - url: git@gitlab.com:accountingprivategroup/accounting-gitops-config.git
- sshPrivateKeySecret:
- key: privateKey
- name: argocd-dev-key
+ # - url: git@gitlab.com:usersprivategroup/users-gitops-config.git
+ # sshPrivateKeySecret:
+ # key: privateKey
+ # name: argocd-dev-key
+ # - url: git@gitlab.com:accountingprivategroup/accounting-gitops-config.git
+ # sshPrivateKeySecret:
+ # key: privateKey
+ # name: argocd-dev-key
 dexConfig:
 # # Argo CD's externally facing base URL. Required for configuring SSO
 # # url: https://argo-cd-demo.argoproj.io
 # # # A dex connector configuration.
See documentation on how to configure SSO:
 # # https://github.com/argoproj/argo-cd/blob/master/docs/sso.md#2-configure-argocd-for-sso
- connectors:
- # GitHub example
- - type: github
- id: github
- name: GitHub
- config:
- clientID: aabbccddeeff00112233
- clientSecret: $dex.github.clientSecret
- orgs:
- - name: your-github-org
- teams:
+ # connectors:
+ # # GitHub example
+ # - type: github
+ # id: github
+ # name: GitHub
+ # config:
+ # clientID: aabbccddeeff00112233
+ # clientSecret: $dex.github.clientSecret
+ # orgs:
+ # - name: your-github-org
+ # teams:
 # The following keys hold the shared secret for authenticating GitHub/GitLab/BitBucket webhook
 # events. To enable webhooks, configure one or more of the following keys with the shared git
 # provider webhook secret. The payload URL configured in the git provider should use the
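Review bot: Commenting out the entire body under `helmRepositories:`, `repositories:` and `dexConfig:` leaves each key with a bare empty value, which YAML reads as `null` rather than as an empty list or mapping; whichever template consumes `.Values.config` then sees nil, which `toYaml` renders as the literal `null` and `range` treats as nothing, so the rendered ConfigMap depends on that template, which is outside this diff. Writing `helmRepositories: []`, `repositories: []` and `dexConfig: {}` explicitly, with the commented examples kept beneath them, makes the intended empty default unambiguous. The same bare-value issue applies to `policyCsv: #|` and `policyDefault: #role:readonly` in the next hunk.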
@@ -91,24 +105,13 @@ rbac:
 # p, my-org:team-alpha, applications, sync, my-project/*, allow
 # # Make all members of "my-org:team-beta" admins
 # g, my-org:team-beta, role:admin
- policyCsv: |
- p, role:org-admin, applications, *, */*, allow
- p, role:org-admin, clusters, get, *, allow
- p, role:org-admin, repositories, get, *, allow
- p, role:org-admin, repositories, create, *, allow
- p, role:org-admin, repositories, update, *, allow
- p, role:org-admin, repositories, delete, *, allow
- g, your-github-org:your-team, role:org-admin
+ policyCsv: #|
+ # p, role:org-admin, applications, *, */*, allow
+ # p, role:org-admin, clusters, get, *, allow
+ # p, role:org-admin, repositories, get, *, allow
+ # p, role:org-admin, repositories, create, *, allow
+ # p, role:org-admin, repositories, update, *, allow
+ # p, role:org-admin, repositories, delete, *, allow
+ # g, your-github-org:your-team, role:org-admin
 # The default role Argo CD will fall back to, when authorizing API requests
- policyDefault: role:readonly
-resources: {}
- # We usually recommend not to specify default resources and to leave this as a conscious
- # choice for the user. This also increases chances charts run on environments with little
- # resources, such as Minikube. If you do want to specify resources, uncomment the following
- # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
- # limits:
- # cpu: 100m
- # memory: 128Mi
- # requests:
- # cpu: 100m
- # memory: 128Mi
+ policyDefault: #role:readonly
\ No newline at end of file
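Review bot: `policyDefault: #role:readonly` turns the chart's explicit authorization fallback into a null value, so the chart no longer states which role requests not matched by `policyCsv` receive; the effective default now depends on how the RBAC ConfigMap template renders nil and on Argo CD's own built-in default for that setting, neither of which is visible in this diff. Because this is the access-control fallback, keep it explicit: `policyDefault: role:readonly` if that remains the intended default, or `policyDefault: ""` with a comment stating that an empty value defers to Argo CD's built-in behaviour, rather than a commented-out value beside an empty key. The comment line above it still promises a fallback role, which no longer matches what the value provides.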