feat(operator): Add ArgoCD Operator initial pass

Signed-off-by: sylus <sylus1984@gmail.com>
This commit is contained in:
sylus 2021-10-07 10:11:30 -04:00
parent 1ceb47ff76
commit bb5aa01a0e
31 changed files with 5914 additions and 0 deletions


@ -0,0 +1,22 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/


@ -0,0 +1,20 @@
apiVersion: v2
description: A Helm chart for ArgoCD Operator
name: argocd-operator
version: 0.0.6
appVersion: v0.0.15
type: application
keywords:
- argocd
- cd
- gitops
home: https://argocd-operator.readthedocs.io/
icon: https://raw.githubusercontent.com/argoproj-labs/argocd-operator/master/deploy/argo-cd/icon.png
sources:
- https://github.com/argoproj-labs/argocd-operator
maintainers:
- name: sylus
email: william.hearn@canada.ca
- name: zachomedia
email: zachary.seguin@canada.ca
engine: gotpl
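Review bot: `appVersion: v0.0.15` does not match the operator image tag `v0.0.16` that values.yaml sets at `operator.image.tag`, and the Deployment template uses the tag directly without falling back to `.Chart.AppVersion`, so the two values will keep drifting apart; pick one source of truth, e.g. `appVersion: v0.0.16` here and `image: "{{ .Values.operator.image.repository }}:{{ .Values.operator.image.tag | default .Chart.AppVersion }}"` in the Deployment. `engine: gotpl` is a Helm 2 field that an `apiVersion: v2` chart does not use and can be dropped.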


@ -0,0 +1,10 @@
# ArgoCD Operator
A Kubernetes operator for managing Argo CD clusters.
For more detailed documentation please visit [here](https://argocd-operator.readthedocs.io/)
Introduction
------------
This chart bootstraps the ArgoCD Operator on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.




@ -0,0 +1,257 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
labels:
app.kubernetes.io/name: appprojects.argoproj.io
app.kubernetes.io/part-of: argocd
name: appprojects.argoproj.io
spec:
group: argoproj.io
names:
kind: AppProject
listKind: AppProjectList
plural: appprojects
shortNames:
- appproj
- appprojs
singular: appproject
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: 'AppProject provides a logical grouping of applications, providing controls for: * where the apps may deploy to (cluster whitelist) * what may be deployed (repository whitelist, resource whitelist/blacklist) * who can access these applications (roles, OIDC group claims bindings) * and what they can do (RBAC policies) * automation access to these roles (JWT tokens)'
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: AppProjectSpec is the specification of an AppProject
properties:
clusterResourceBlacklist:
description: ClusterResourceBlacklist contains list of blacklisted cluster level resources
items:
description: GroupKind specifies a Group and a Kind, but does not force a version. This is useful for identifying concepts during lookup stages without having partially valid types
properties:
group:
type: string
kind:
type: string
required:
- group
- kind
type: object
type: array
clusterResourceWhitelist:
description: ClusterResourceWhitelist contains list of whitelisted cluster level resources
items:
description: GroupKind specifies a Group and a Kind, but does not force a version. This is useful for identifying concepts during lookup stages without having partially valid types
properties:
group:
type: string
kind:
type: string
required:
- group
- kind
type: object
type: array
description:
description: Description contains optional project description
type: string
destinations:
description: Destinations contains list of destinations available for deployment
items:
description: ApplicationDestination holds information about the application's destination
properties:
name:
description: Name is an alternate way of specifying the target cluster by its symbolic name
type: string
namespace:
description: Namespace specifies the target namespace for the application's resources. The namespace will only be set for namespace-scoped resources that have not set a value for .metadata.namespace
type: string
server:
description: Server specifies the URL of the target cluster and must be set to the Kubernetes control plane API
type: string
type: object
type: array
namespaceResourceBlacklist:
description: NamespaceResourceBlacklist contains list of blacklisted namespace level resources
items:
description: GroupKind specifies a Group and a Kind, but does not force a version. This is useful for identifying concepts during lookup stages without having partially valid types
properties:
group:
type: string
kind:
type: string
required:
- group
- kind
type: object
type: array
namespaceResourceWhitelist:
description: NamespaceResourceWhitelist contains list of whitelisted namespace level resources
items:
description: GroupKind specifies a Group and a Kind, but does not force a version. This is useful for identifying concepts during lookup stages without having partially valid types
properties:
group:
type: string
kind:
type: string
required:
- group
- kind
type: object
type: array
orphanedResources:
description: OrphanedResources specifies if controller should monitor orphaned resources of apps in this project
properties:
ignore:
description: Ignore contains a list of resources that are to be excluded from orphaned resources monitoring
items:
description: OrphanedResourceKey is a reference to a resource to be ignored from
properties:
group:
type: string
kind:
type: string
name:
type: string
type: object
type: array
warn:
description: Warn indicates if warning condition should be created for apps which have orphaned resources
type: boolean
type: object
roles:
description: Roles are user defined RBAC roles associated with this project
items:
description: ProjectRole represents a role that has access to a project
properties:
description:
description: Description is a description of the role
type: string
groups:
description: Groups are a list of OIDC group claims bound to this role
items:
type: string
type: array
jwtTokens:
description: JWTTokens are a list of generated JWT tokens bound to this role
items:
description: JWTToken holds the issuedAt and expiresAt values of a token
properties:
exp:
format: int64
type: integer
iat:
format: int64
type: integer
id:
type: string
required:
- iat
type: object
type: array
name:
description: Name is a name for this role
type: string
policies:
description: Policies Stores a list of casbin formated strings that define access policies for the role in the project
items:
type: string
type: array
required:
- name
type: object
type: array
signatureKeys:
description: SignatureKeys contains a list of PGP key IDs that commits in Git must be signed with in order to be allowed for sync
items:
description: SignatureKey is the specification of a key required to verify commit signatures with
properties:
keyID:
description: The ID of the key in hexadecimal notation
type: string
required:
- keyID
type: object
type: array
sourceRepos:
description: SourceRepos contains list of repository URLs which can be used for deployment
items:
type: string
type: array
syncWindows:
description: SyncWindows controls when syncs can be run for apps in this project
items:
description: SyncWindow contains the kind, time, duration and attributes that are used to assign the syncWindows to apps
properties:
applications:
description: Applications contains a list of applications that the window will apply to
items:
type: string
type: array
clusters:
description: Clusters contains a list of clusters that the window will apply to
items:
type: string
type: array
duration:
description: Duration is the amount of time the sync window will be open
type: string
kind:
description: Kind defines if the window allows or blocks syncs
type: string
manualSync:
description: ManualSync enables manual syncs when they would otherwise be blocked
type: boolean
namespaces:
description: Namespaces contains a list of namespaces that the window will apply to
items:
type: string
type: array
schedule:
description: Schedule is the time the window will begin, specified in cron format
type: string
type: object
type: array
type: object
status:
description: AppProjectStatus contains status information for AppProject CRs
properties:
jwtTokensByRole:
additionalProperties:
description: JWTTokens represents a list of JWT tokens
properties:
items:
items:
description: JWTToken holds the issuedAt and expiresAt values of a token
properties:
exp:
format: int64
type: integer
iat:
format: int64
type: integer
id:
type: string
required:
- iat
type: object
type: array
type: object
description: JWTTokensByRole contains a list of JWT tokens issued for a given role
type: object
type: object
required:
- metadata
- spec
type: object
served: true
storage: true


@ -0,0 +1,219 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.6.1
creationTimestamp: null
name: argocdexports.argoproj.io
spec:
group: argoproj.io
names:
kind: ArgoCDExport
listKind: ArgoCDExportList
plural: argocdexports
singular: argocdexport
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: ArgoCDExport is the Schema for the argocdexports API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: ArgoCDExportSpec defines the desired state of ArgoCDExport
properties:
argocd:
description: Argocd is the name of the ArgoCD instance to export.
type: string
image:
description: Image is the container image to use for the export Job.
type: string
schedule:
description: Schedule in Cron format, see https://en.wikipedia.org/wiki/Cron.
type: string
storage:
description: Storage defines the storage configuration options.
properties:
backend:
description: Backend defines the storage backend to use, must
be "local" (the default), "aws", "azure" or "gcp".
type: string
pvc:
description: PVC is the desired characteristics for a PersistentVolumeClaim.
properties:
accessModes:
description: 'AccessModes contains the desired access modes
the volume should have. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1'
items:
type: string
type: array
dataSource:
description: 'This field can be used to specify either: *
An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot)
* An existing PVC (PersistentVolumeClaim) * An existing
custom resource that implements data population (Alpha)
In order to use custom resource types that implement data
population, the AnyVolumeDataSource feature gate must be
enabled. If the provisioner or an external controller can
support the specified data source, it will create a new
volume based on the contents of the specified data source.'
properties:
apiGroup:
description: APIGroup is the group for the resource being
referenced. If APIGroup is not specified, the specified
Kind must be in the core API group. For any other third-party
types, APIGroup is required.
type: string
kind:
description: Kind is the type of resource being referenced
type: string
name:
description: Name is the name of resource being referenced
type: string
required:
- kind
- name
type: object
resources:
description: 'Resources represents the minimum resources the
volume should have. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources'
properties:
limits:
additionalProperties:
anyOf:
- type: integer
- type: string
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
description: 'Limits describes the maximum amount of compute
resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
type: object
requests:
additionalProperties:
anyOf:
- type: integer
- type: string
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
description: 'Requests describes the minimum amount of
compute resources required. If Requests is omitted for
a container, it defaults to Limits if that is explicitly
specified, otherwise to an implementation-defined value.
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
type: object
type: object
selector:
description: A label query over volumes to consider for binding.
properties:
matchExpressions:
description: matchExpressions is a list of label selector
requirements. The requirements are ANDed.
items:
description: A label selector requirement is a selector
that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the selector
applies to.
type: string
operator:
description: operator represents a key's relationship
to a set of values. Valid operators are In, NotIn,
Exists and DoesNotExist.
type: string
values:
description: values is an array of string values.
If the operator is In or NotIn, the values array
must be non-empty. If the operator is Exists or
DoesNotExist, the values array must be empty.
This array is replaced during a strategic merge
patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs.
A single {key,value} in the matchLabels map is equivalent
to an element of matchExpressions, whose key field is
"key", the operator is "In", and the values array contains
only "value". The requirements are ANDed.
type: object
type: object
storageClassName:
description: 'Name of the StorageClass required by the claim.
More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1'
type: string
volumeMode:
description: volumeMode defines what type of volume is required
by the claim. Value of Filesystem is implied when not included
in claim spec.
type: string
volumeName:
description: VolumeName is the binding reference to the PersistentVolume
backing this claim.
type: string
type: object
secretName:
description: SecretName is the name of a Secret with encryption
key, credentials, etc.
type: string
type: object
version:
description: Version is the tag/digest to use for the export Job container
image.
type: string
required:
- argocd
type: object
status:
description: ArgoCDExportStatus defines the observed state of ArgoCDExport
properties:
phase:
description: 'Phase is a simple, high-level summary of where the ArgoCDExport
is in its lifecycle. There are five possible phase values: Pending:
The ArgoCDExport has been accepted by the Kubernetes system, but
one or more of the required resources have not been created. Running:
All of the containers for the ArgoCDExport are still running, or
in the process of starting or restarting. Succeeded: All containers
for the ArgoCDExport have terminated in success, and will not be
restarted. Failed: At least one container has terminated in failure,
either exited with non-zero status or was terminated by the system.
Unknown: For some reason the state of the ArgoCDExport could not
be obtained.'
type: string
required:
- phase
type: object
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []



@ -0,0 +1,5 @@
**********************
** CONGRATULATIONS! **
**********************
The ArgoCD Operator and associated Argo Projects have been installed.


@ -0,0 +1,58 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "argocd-operator.name" -}}
{{- default .Chart.Name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "argocd-operator.fullname" -}}
{{- $name := default .Chart.Name -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "argocd-operator.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Common labels for operator
*/}}
{{- define "argocd-operator.labels" -}}
helm.sh/chart: {{ include "argocd-operator.chart" . }}
{{ include "argocd-operator.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end -}}
{{/*
Selector labels Operator
*/}}
{{- define "argocd-operator.selectorLabels" -}}
app.kubernetes.io/name: {{ include "argocd-operator.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end -}}
{{/*
ArgoCD Vault plugin validation
*/}}
{{- if .Values.vault.enabled }}
{{- if ne .Values.vault.auth.type "k8s" }}
{{- fail "This chart currently only supports k8s auth for the argocd-vault-plugin" }}
{{- end }}
{{- end }}
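Review bot: The vault validation at the bottom of this file will most likely never run: Helm parses files whose names begin with `_` so their `define` blocks are available, but does not render them, so a top-level `fail` here is never executed (worth confirming with `helm template --set vault.enabled=true --set vault.auth.type=foo`). Either move the check into a template that is rendered, for instance the top of the vault Secret template, or wrap it in a named template (`{{- define "argocd-operator.validateVault" -}}`) and `include` it from a rendered file. Separately, `argocd-operator.name` and `argocd-operator.fullname` call `default .Chart.Name` with a single argument, so there is no way to override the chart name; the usual form is `default .Chart.Name .Values.nameOverride`, and note that `fullname` is not actually used by any manifest in this commit.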


@ -0,0 +1,24 @@
# permissions for end users to edit argocds.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: argocd-editor-role
rules:
- apiGroups:
- argoproj.io
resources:
- argocds
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- argoproj.io
resources:
- argocds/status
verbs:
- get
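Review bot: Every cluster-scoped object in this chart uses a fixed name (`argocd-editor-role` here, and likewise `argocd-viewer-role`, `argocdexport-editor-role`, `argocdexport-viewer-role`, `metrics-reader`, `proxy-role`, `proxy-rolebinding`, `manager-role` and `manager-rolebinding`), so a second release of the chart on the same cluster fails with ownership conflicts on these resources. Prefix the names with the release, e.g. `name: {{ include "argocd-operator.fullname" . }}-editor-role`, and update the matching `roleRef`/`subjects` entries. These roles also carry none of the chart's common labels, unlike the Deployment and ServiceAccount; `labels: {{- include "argocd-operator.labels" . | nindent 4 }}` would keep them consistent and selectable.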


@ -0,0 +1,20 @@
# permissions for end users to view argocds.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: argocd-viewer-role
rules:
- apiGroups:
- argoproj.io
resources:
- argocds
verbs:
- get
- list
- watch
- apiGroups:
- argoproj.io
resources:
- argocds/status
verbs:
- get


@ -0,0 +1,24 @@
# permissions for end users to edit argocdexports.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: argocdexport-editor-role
rules:
- apiGroups:
- argoproj.io
resources:
- argocdexports
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- argoproj.io
resources:
- argocdexports/status
verbs:
- get


@ -0,0 +1,20 @@
# permissions for end users to view argocdexports.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: argocdexport-viewer-role
rules:
- apiGroups:
- argoproj.io
resources:
- argocdexports
verbs:
- get
- list
- watch
- apiGroups:
- argoproj.io
resources:
- argocdexports/status
verbs:
- get


@ -0,0 +1,9 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: metrics-reader
rules:
- nonResourceURLs:
- "/metrics"
verbs:
- get


@ -0,0 +1,17 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: proxy-role
rules:
- apiGroups:
- authentication.k8s.io
resources:
- tokenreviews
verbs:
- create
- apiGroups:
- authorization.k8s.io
resources:
- subjectaccessreviews
verbs:
- create


@ -0,0 +1,12 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: proxy-rolebinding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: proxy-role
subjects:
- kind: ServiceAccount
name: argocd-operator
namespace: argocd-operator-system
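Review bot: The subject namespace is hard-coded to `argocd-operator-system`, but the `argocd-operator` ServiceAccount is created in `{{ .Release.Namespace }}`; installing the chart into any other namespace leaves this binding, `leader-election-rolebinding` and `manager-rolebinding` pointing at a ServiceAccount that does not exist, so the operator starts with no permissions at all. Use `namespace: {{ .Release.Namespace }}` in all three subjects. `proxy-role`, `proxy-rolebinding` and `metrics-reader` are the kube-rbac-proxy sidecar's RBAC from the kubebuilder scaffold, yet the Deployment runs only the `/manager` container, so as written they grant TokenReview/SubjectAccessReview creation to a workload that never uses them; either add the sidecar or drop these objects until it is needed.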


@ -0,0 +1,14 @@
apiVersion: v1
kind: Service
metadata:
labels:
control-plane: controller-manager
name: controller-manager-metrics-service
namespace: argocd-operator-system
spec:
ports:
- name: https
port: 8443
targetPort: https
selector:
control-plane: controller-manager
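Review bot: The selector `control-plane: controller-manager` matches no pod in this chart: the Deployment's pod template carries only the labels from `argocd-operator.selectorLabels` (`app.kubernetes.io/name` and `app.kubernetes.io/instance`), so this Service has no endpoints. Its `namespace: argocd-operator-system` is likewise fixed rather than `{{ .Release.Namespace }}`, and the `https` target port assumes a kube-rbac-proxy sidecar that the Deployment does not run. Either select with `{{- include "argocd-operator.selectorLabels" . | nindent 4 }}` and expose the port the manager actually listens on, or remove the Service until the metrics sidecar is added.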


@ -0,0 +1,37 @@
# permissions to do leader election.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: leader-election-role
rules:
- apiGroups:
- ""
resources:
- configmaps
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch


@ -0,0 +1,12 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: leader-election-rolebinding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: leader-election-role
subjects:
- kind: ServiceAccount
name: argocd-operator
namespace: argocd-operator-system


@ -0,0 +1,45 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: "argocd-operator"
namespace: {{ .Release.Namespace }}
labels:
{{- include "argocd-operator.labels" . | nindent 4 }}
spec:
replicas: {{ .Values.operator.replicaCount }}
selector:
matchLabels:
{{- include "argocd-operator.selectorLabels" . | nindent 6 }}
template:
metadata:
labels:
{{- include "argocd-operator.selectorLabels" . | nindent 8 }}
spec:
{{- with .Values.operator.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: argocd-operator
{{- with .Values.operator.securityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
containers:
- name: {{ .Chart.Name }}
image: "{{ .Values.operator.image.repository }}:{{ .Values.operator.image.tag }}"
command:
- /manager
args:
- --leader-elect
imagePullPolicy: {{ .Values.operator.image.pullPolicy }}
env:
- name: WATCH_NAMESPACE
value: {{ .Values.operator.nsToWatch }}
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: OPERATOR_NAME
value: "argocd-operator"
resources:
{{- toYaml .Values.operator.resources | nindent 12 }}
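Review bot: `operator.podAnnotations` and `operator.podLabels` are declared in values.yaml but the pod template never renders them, so users who set them get nothing; add them under `template.metadata` next to the selector labels. The `WATCH_NAMESPACE` value is emitted unquoted, so if `nsToWatch` is set to an empty string this renders `value:` as null and the Deployment is rejected; use `value: {{ .Values.operator.nsToWatch | quote }}`. The pod-level `securityContext` from values is rendered, but there is no container-level context: the kubebuilder scaffold this mirrors sets `allowPrivilegeEscalation: false`, and `readOnlyRootFilesystem: true` with all capabilities dropped is reasonable for a controller binary. Defaulting the tag with `| default .Chart.AppVersion` would also keep the image in step with `appVersion`.
```yaml
  template:
    metadata:
      {{- with .Values.operator.podAnnotations }}
      annotations:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      labels:
        {{- include "argocd-operator.selectorLabels" . | nindent 8 }}
        {{- with .Values.operator.podLabels }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
    spec:
      # … unchanged: imagePullSecrets, serviceAccountName, pod securityContext …
      containers:
        - name: {{ .Chart.Name }}
          image: "{{ .Values.operator.image.repository }}:{{ .Values.operator.image.tag | default .Chart.AppVersion }}"
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          # … unchanged: command, args, imagePullPolicy …
          env:
            - name: WATCH_NAMESPACE
              value: {{ .Values.operator.nsToWatch | quote }}
          # … unchanged: POD_NAME, OPERATOR_NAME, resources …
```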


@ -0,0 +1,23 @@
{{ range .Values.projects }}
---
apiVersion: argoproj.io/v1alpha1
kind: ArgoCD
metadata:
name: {{ .name }}
namespace: {{ .namespace }}
## Annotations for ArgoCD Project Pods
annotations:
{{- with .podAnnotations }}
{{- . | toYaml | nindent 4 }}
{{- end }}
## Optionally pass labels to be applied to the statefulset pods
labels:
app: argocd
{{- with .podLabels }}
{{- . | toYaml | nindent 4 }}
{{- end }}
spec: {{- with .spec }}
# See https://argocd-operator.readthedocs.io/en/latest/reference/api.html/#argoproj.io/v1alpha1.ArgoCDSpec
{{ toYaml . | nindent 2 }}
{{ end }}
{{ end }}
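Review bot: Each ArgoCD resource is created in `{{ .namespace }}`, but nothing in the chart creates that namespace and the operator only reconciles the namespaces listed in `operator.nsToWatch` (values.yaml), so a project whose namespace is outside that list is accepted by the API server and then silently ignored; at minimum document this next to `projects`, or render a guard such as `{{- if not (has .namespace (splitList "," $.Values.operator.nsToWatch)) }}{{ fail (printf "project %s: namespace %s is not in operator.nsToWatch" .name .namespace) }}{{- end }}`. `spec: {{- with .spec }}` renders `spec:` with nothing under it (null, not an empty object) when a project omits `spec`; if the ArgoCD CRD, which is suppressed in this view, requires `spec`, such a project is rejected, so `spec: {{ toYaml (default (dict) .spec) | nindent 2 }}` or an explicit `required` is safer. The `# See …` comment inside the `with` block ends up in every rendered manifest, which is harmless but noisy.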


@ -0,0 +1,120 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
creationTimestamp: null
name: manager-role
rules:
- apiGroups:
- ""
resources:
- configmaps
- endpoints
- events
- namespaces
- persistentvolumeclaims
- pods
- secrets
- serviceaccounts
- services
- services/finalizers
verbs:
- '*'
- apiGroups:
- ""
resources:
- pods
- pods/log
verbs:
- get
- apiGroups:
- apps
resources:
- daemonsets
- deployments
- replicasets
- statefulsets
verbs:
- '*'
- apiGroups:
- apps
resourceNames:
- argocd-operator
resources:
- deployments/finalizers
verbs:
- update
- apiGroups:
- apps.openshift.io
resources:
- deploymentconfigs
verbs:
- '*'
- apiGroups:
- argoproj.io
resources:
- applications
- appprojects
verbs:
- '*'
- apiGroups:
- argoproj.io
resources:
- argocdexports
- argocdexports/finalizers
- argocdexports/status
verbs:
- '*'
- apiGroups:
- argoproj.io
resources:
- argocds
- argocds/finalizers
- argocds/status
verbs:
- '*'
- apiGroups:
- autoscaling
resources:
- horizontalpodautoscalers
verbs:
- '*'
- apiGroups:
- batch
resources:
- cronjobs
- jobs
verbs:
- '*'
- apiGroups:
- extensions
resources:
- ingresses
verbs:
- '*'
- apiGroups:
- monitoring.coreos.com
resources:
- prometheuses
- servicemonitors
verbs:
- '*'
- apiGroups:
- rbac.authorization.k8s.io
resources:
- '*'
verbs:
- '*'
- apiGroups:
- rbac.authorization.k8s.io
resources:
- clusterrolebindings
- clusterroles
verbs:
- '*'
- apiGroups:
- route.openshift.io
resources:
- routes
- routes/custom-host
verbs:
- '*'
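Review bot: The rule for `apiGroups: rbac.authorization.k8s.io` with `resources: '*'` and `verbs: '*'` lets the operator's ServiceAccount create and bind any Role or ClusterRole, and because `'*'` covers the `escalate` and `bind` verbs it bypasses the usual check that a subject may only grant permissions it already holds; combined with wildcard access to `secrets` and `serviceaccounts` above, this is effectively cluster-admin for anything that can influence what the operator reconciles. The narrower rule immediately after it (`clusterrolebindings`, `clusterroles`, `'*'`) suggests the wildcard one is a leftover; drop it, and ideally trim the remaining RBAC rules to the verbs the operator actually issues, granting `escalate`/`bind` only if it is known to need them. The `extensions` API group for `ingresses` is gone as of Kubernetes 1.22; add (or switch to) `networking.k8s.io`.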


@ -0,0 +1,12 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: manager-rolebinding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: manager-role
subjects:
- kind: ServiceAccount
name: argocd-operator
namespace: argocd-operator-system


@ -0,0 +1,7 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: argocd-operator
namespace: {{ .Release.Namespace }}
labels:
{{ include "argocd-operator.labels" . | nindent 4 }}


@ -0,0 +1,18 @@
{{- if .Values.vault.enabled }}
{{ range .Values.projects }}
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: role-tokenreview-binding-{{ .namespace }}
namespace: {{ .namespace }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:auth-delegator
subjects:
- kind: ServiceAccount
name: argocd-repo-server-vault
namespace: {{ .namespace }}
{{ end }}
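Review bot: `rbac.authorization.k8s.io/v1beta1` is removed as of Kubernetes 1.22, so this ClusterRoleBinding fails to apply on current clusters; use `apiVersion: rbac.authorization.k8s.io/v1`, as the RoleBinding and Role in the sibling vault templates already do. A ClusterRoleBinding is cluster-scoped, so the `namespace: {{ .namespace }}` under `metadata` is meaningless and may be rejected by some tooling; remove it. Binding `system:auth-delegator` to the repo-server's ServiceAccount hands it TokenReview and SubjectAccessReview creation; if the Vault Kubernetes auth backend is configured with its own reviewer credentials this is not needed on the client side, so it is worth confirming the Vault setup requires it before granting it in every project namespace.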
{{- end }}


@ -0,0 +1,18 @@
{{- if .Values.vault.enabled }}
{{ range .Values.projects }}
---
apiVersion: v1
kind: Secret
type: Opaque
metadata:
name: argocd-vault-secret
namespace: {{ .namespace }}
stringData:
VAULT_ADDR: {{ $.Values.vault.auth.url }}
AVP_AUTH_TYPE: {{ $.Values.vault.auth.type }}
AVP_TYPE: vault
# The kubernetes role in vault
# https://github.com/IBM/argocd-vault-plugin/blob/main/docs/config.md#full-list-of-supported-parameters
AVP_K8S_ROLE: {{ $.Values.vault.auth.rolePrefix }}{{ .namespace | replace "-" "_" }}
{{ end }}
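Review bot: The templated values under `stringData` are emitted bare; `VAULT_ADDR` is a URL and `AVP_K8S_ROLE` is built from user input, so either can start with or contain characters YAML reinterprets. Quote them: `VAULT_ADDR: {{ $.Values.vault.auth.url | quote }}`, `AVP_AUTH_TYPE: {{ $.Values.vault.auth.type | quote }}` and `AVP_K8S_ROLE: {{ printf "%s%s" $.Values.vault.auth.rolePrefix (.namespace | replace "-" "_") | quote }}`. The default `vault.auth.url` in values.yaml is plain `http://`, so the service account token the plugin presents to Vault would travel unencrypted; an `https://` default, or at least a comment in values.yaml, is worth considering.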
{{- end }}


@ -0,0 +1,18 @@
{{- if .Values.vault.enabled }}
{{ range .Values.projects }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: argocd-repo-server-vault
namespace: {{ .namespace }}
subjects:
- kind: ServiceAccount
name: argocd-repo-server-vault
namespace: {{ .namespace }}
roleRef:
kind: Role
name: secret-reader
apiGroup: rbac.authorization.k8s.io
{{ end }}
{{- end }}


@ -0,0 +1,15 @@
{{- if .Values.vault.enabled }}
{{ range .Values.projects }}
---
# This is to get the argocd-vault-secret
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: secret-reader
namespace: {{ .namespace }}
rules:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get"]
{{ end }}
{{- end }}
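Review bot: The Role grants `get` on every Secret in the project namespace, although the comment says it exists only to read `argocd-vault-secret`; add `resourceNames: ["argocd-vault-secret"]` to the rule so the repo-server cannot read other Secrets that live in that namespace (such as the Argo CD credential Secrets that are typically created alongside it). `resourceNames` does not restrict `list`/`watch`, which is fine here because only `get` is granted; keep it that way.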


@ -0,0 +1,13 @@
# This is created regardless of whether or not
# Vault is being used (so that nothing fails)
# if the service account doesn't exist.
# This is OK, since the serviceaccount doesn't
# get a RoleBinding unless Vault is enabled.
{{ range .Values.projects }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: argocd-repo-server-vault
namespace: {{ .namespace }}
{{ end }}


@ -0,0 +1,108 @@
# Default values for argocd-operator.
operator:
clusterDomain: ""
nsToWatch: "argocd-operator-system,argocd-system"
image:
repository: statcan/argocd-operator
tag: v0.0.16
pullPolicy: IfNotPresent
imagePullSecrets: []
podAnnotations: {}
podLabels: {}
replicaCount: 1
securityContext:
runAsUser: 1000
runAsGroup: 1000
runAsNonRoot: true
fsGroup: 1000
resources:
requests:
cpu: 200m
memory: 256Mi
ephemeral-storage: 500Mi
# For the argocd-vault-plugin
vault:
enabled: false
auth:
url: http://vault.default:8200
# https://github.com/IBM/argocd-vault-plugin/blob/main/docs/config.md
type: k8s
# You need to create this kubernetes role in vault
# The end role is `{prefix}{namespace}`, like `argocd_dscd_system`.
# This is to isolate Vault spaces from eachother.
# NOTE: The namespace will have "-"s replaced with "_"s
rolePrefix: argocd_
pluginConfig: &pluginConfig |
# If the argocd-vault-plugin is not enabled,
# then obviously these will not work.
- name: argocd-vault-plugin
generate:
command: ["argocd-vault-plugin"]
args: ["-s", "argocd-vault-secret", "generate", "./"]
- name: argocd-vault-plugin-helm
generate:
command: ["sh", "-c"]
args: ["helm template . > all.yaml && argocd-vault-plugin -s argocd-vault-secret generate all.yaml"]
- name: argocd-vault-plugin-kustomize
generate:
command: ["sh", "-c"]
args: ["kustomize build . > all.yaml && argocd-vault-plugin -s argocd-vault-secret generate all.yaml"]
# ## ArgoCD Projects Definition
# projects:
# # Project name
# - name: argprojo01
# namespace: "argocd-operator-system"
# podAnnotations: {}
# podLabels: {}
# spec:
# oidcConfig: |
# name: myoidc
# issuer: OIDC_FQDN
# clientID: id
# clientSecret: secret
# requestedIDTokenClaims:
# groups:
# essential: true
# requestedScopes: ["openid", "profile", "email"]
# rbac:
# defaultPolicy: 'role:readonly'
# policy: |
# g, system:cluster-admins, role:admin
# scopes: '[groups]'
# server:
# autoscale:
# enabled: true
# host: ARGOCD_FQDN
# insecure: false
# configManagementPlugins: *pluginConfig
# # Project name
# - name: argprojo02
# namespace: argocd-system
# podAnnotations: {}
# podLabels: {}
# spec:
# oidcConfig: |
# name: myoidc
# issuer: OIDC_FQDN
# clientID: id
# clientSecret: secret
# requestedIDTokenClaims:
# groups:
# essential: true
# requestedScopes: ["openid", "profile", "email"]
# rbac:
# defaultPolicy: 'role:readonly'
# policy: |
# g, system:cluster-admins, role:admin
# scopes: '[groups]'
# server:
# autoscale:
# enabled: true
# host: ARGOCD_FQDN
# insecure: false
# configManagementPlugins: *pluginConfig
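Review bot: The `&pluginConfig` anchor is only referenced from the commented-out examples, and an alias cannot be resolved from a separate user-supplied values file (`-f my-values.yaml` is a different YAML document), so `configManagementPlugins: *pluginConfig` fails to parse for anyone who copies the example into their own values; either document that the block must be pasted, or expose it as a chart value that the project template reads. The example `oidcConfig` carries `clientSecret: secret` inline, and values files are usually committed, so the example should show Argo CD's secret-reference form (for instance `clientSecret: $oidc.clientSecret`, resolved from `argocd-secret`) rather than a literal. `operator.podAnnotations` and `operator.podLabels` are declared here but not consumed by the Deployment template, and `vault.auth.url` defaults to plain `http://`.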