argo-cd: global: # -- Default domain used by all components ## Used for ingresses, certificates, SSO, notifications, etc. domain: argocd-dev.example.com configs: secret: # -- Create the argocd-secret createSecret: true cm: # required when SSO is enabled url: "https://argocd-dev.example.com" exec.enabled: true resource.exclusions: | - apiGroups: - "tekton.dev" kinds: - "PipelineRun" clusters: - "*" oidc.config: | name: Keycloak issuer: https://keycloak.example/auth/realms/shared clientID: argocd-dev clientSecret: $keycloak-client-argocd-secret:clientSecret requestedScopes: - openid - profile - email - groups params: server.insecure: true applicationsetcontroller.namespaces: krci application.namespaces: krci rbac: scopes: "[groups]" policy.csv: | # default global admins g, ArgoCDAdmins, role:admin # Default global developers g, ArgoCDReadOnly, role:readonly # Default role to run Terminal for krci Project p, role:krci-exec, exec, create, krci/*, allow # Assign role to developer group g, developer, role:krci-exec ssh: knownHosts: | # -- list of known host in format: # [host]:port key-type key # Example # [ssh.github.com]:443 ssh-rsa qgSdfOuiYhew/+afhQnvjfjhnhnqgSdfOuiYhew/+afhQnvjfjhnhn # we use Keycloak so no DEX is required dex: enabled: false redis: enabled: true server: replicas: 1 env: - name: ARGOCD_API_SERVER_REPLICAS value: '1' # -- Enable after nginx-ingress is installed ingress: enabled: false hostname: "argocd-dev.example.com" # Disabled for multitenancy env with single instance deployment # applicationSet: # extraEnv: # - name: ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_SCM_PROVIDERS # value: 'false' # Configuration for setting up resources in Keycloak to enable OIDC authentication. # Prerequisite: Ensure that the Keycloak Operator is installed and integrated with Keycloak. # Refer to the installation guide for the Keycloak Operator: # https://github.com/epam/edp-cluster-add-ons/tree/main/clusters/core/addons/keycloak-operator # # Additionally, necessary Keycloak resources such as realms, roles, and groups must be created # to support component functionality. This can be done using the provided add-ons or manually: # https://github.com/epam/edp-cluster-add-ons/tree/main/clusters/core/addons/kuberocketci-rbac oidc: enabled: false # This section enables configuration for using External Secrets Operator (ESO) as the secret manager. # Prerequisite: Ensure that ESO is installed in the cluster. # Refer to the EDP cluster add-on for ESO installation and setup: # https://github.com/epam/edp-cluster-add-ons/tree/main/clusters/core/addons/external-secrets # # Ensure that you have created the necessary roles for ESO integration. # Follow the detailed instructions here: # https://docs.kuberocketci.io/docs/operator-guide/secrets-management/external-secrets-operator-integration#aws-parameter-store-scenario-in-kuberocketci eso: # -- Install components of the ESO. enabled: false # -- Defines provider type. One of `aws` or `generic`. type: "aws" # -- Defines Secret Store name. secretStoreName: "aws-parameterstore" # -- Value name in AWS ParameterStore, AWS SecretsManager or other Secret Store. secretName: "/infra/core/addons/argocd-dev" # -- Role ARN for the ExternalSecretOperator to assume. roleArn: arn:aws:iam::012345678910:role/AWSIRSA_Shared_ExternalSecretOperatorAccess # Defines Secret Store configuration. Used when eso.type is set to "generic". generic: secretStore: # -- Defines SecretStore provider configuration. providerConfig: {} # gcpsm: # projectID: "alphabet-123"