diff --git a/argocd/argocd.yaml b/argocd/argocd.yaml
new file mode 100644
index 0000000..5a9e740
--- /dev/null
+++ b/argocd/argocd.yaml
@@ -0,0 +1,55 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: argocd
+ namespace: argocd
+ annotations:
+ # Sync early in the wave order
+ argocd.argoproj.io/sync-wave: "-10"
+spec:
+ project: default
+ sources:
+ # Source 1: ArgoCD Helm Chart
+ - repoURL: https://argoproj.github.io/argo-helm
+ chart: argo-cd
+ targetRevision: 7.7.10
+ helm:
+ valueFiles:
+ - $values/argocd/helm-values.yaml
+ # Source 2: Helm values from Git repo
+ - repoURL: https://github.com/K3S-HOME/platform.git
+ targetRevision: main
+ ref: values
+ # Source 3: Additional manifests (Ingress, Namespace)
+ - repoURL: https://github.com/K3S-HOME/platform.git
+ targetRevision: main
+ path: argocd/manifests
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: argocd
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
+ - ServerSideApply=true
+ - RespectIgnoreDifferences=true
+ retry:
+ limit: 5
+ backoff:
+ duration: 5s
+ factor: 2
+ maxDuration: 3m
+ # Ignore differences for self-managed resources
+ ignoreDifferences:
+ - group: ""
+ kind: Secret
+ name: argocd-secret
+ jsonPointers:
+ - /data
+ - group: ""
+ kind: Secret
+ name: argocd-initial-admin-secret
+ jsonPointers:
+ - /data
diff --git a/argocd/helm-values.yaml b/argocd/helm-values.yaml
new file mode 100644
index 0000000..78b2bb9
--- /dev/null
+++ b/argocd/helm-values.yaml
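Review bot: `syncPolicy.automated.prune: true` on the Application that manages Argo CD itself means a bad render of `argocd/helm-values.yaml` or of `argocd/manifests` on `main` is applied and pruned with no review gate, and the component doing the pruning is the one being pruned. As far as I recall Argo CD's default `allowEmpty: false` only refuses a sync that would delete every resource, not a partial one, so consider `prune: false` for this bootstrap Application, or a comment above `automated:` recording why pruning is acceptable here. Pinning `targetRevision: main` on sources 2 and 3 to a tag or commit, as the chart already is at `7.7.10`, would narrow the same exposure.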
@@ -0,0 +1,141 @@
+# ArgoCD Helm Chart Values
+# Chart: https://argoproj.github.io/argo-helm (argo-cd)
+# All custom settings from current cluster deployment
+
+# =============================================================================
+# GLOBAL SETTINGS
+# =============================================================================
+global:
+ # Deploy to master node
+ nodeSelector:
+ node-role.kubernetes.io/master: "true"
+
+ # Tolerate control-plane taint
+ tolerations:
+ - key: node-role.kubernetes.io/control-plane
+ operator: Exists
+ effect: NoSchedule
+
+# =============================================================================
+# CONFIGS (ConfigMaps)
+# =============================================================================
+configs:
+ # argocd-cm
+ cm:
+ # Authelia handles authentication, so allow anonymous access
+ users.anonymous.enabled: "true"
+ # Disable polling - webhook only
+ timeout.reconciliation: "0"
+ # Ignore resource status field differences
+ resource.compareoptions: |
+ ignoreResourceStatusField: all
+
+ # argocd-cmd-params-cm
+ params:
+ # Ingress handles TLS, so run in insecure mode
+ server.insecure: "true"
+ # Disable periodic app resync (webhook + self-heal only)
+ controller.self.heal.timeout.seconds: "5"
+
+ # argocd-rbac-cm
+ rbac:
+ # Anonymous users get admin role (Authelia handles authentication)
+ policy.csv: |
+ g, , role:admin
+ policy.default: role:admin
+
+# =============================================================================
+# APPLICATION CONTROLLER (StatefulSet)
+# =============================================================================
+controller:
+ # Memory optimization environment variables
+ env:
+ - name: GOMEMLIMIT
+ value: "400MiB"
+ - name: GOGC
+ value: "50"
+
+ # Disable periodic app resync
+ args:
+ appResyncPeriod: "0"
+
+ # Resource settings (from VPA recommendations)
+ resources:
+ requests:
+ cpu: 126m
+ memory: 1700Mi
+ limits:
+ memory: 2500Mi
+
+# 
=============================================================================
+# API SERVER (Deployment)
+# =============================================================================
+server:
+ # Main Ingress with Authelia middleware
+ ingress:
+ enabled: true
+ ingressClassName: traefik
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt-prod
+ traefik.ingress.kubernetes.io/router.middlewares: authelia-authelia-auth@kubernetescrd
+ hosts:
+ - argocd0213.kro.kr
+ tls:
+ - secretName: argocd-server-tls
+ hosts:
+ - argocd0213.kro.kr
+
+ # Resource settings
+ resources:
+ requests:
+ cpu: 15m
+ memory: 138Mi
+ limits:
+ memory: 207Mi
+
+# =============================================================================
+# REPO SERVER (Deployment)
+# =============================================================================
+repoServer:
+ resources:
+ requests:
+ cpu: 15m
+ memory: 640Mi
+ limits:
+ memory: 960Mi
+
+# =============================================================================
+# REDIS (Deployment)
+# =============================================================================
+redis:
+ resources:
+ requests:
+ cpu: 15m
+ memory: 100Mi
+ limits:
+ memory: 150Mi
+
+# =============================================================================
+# DEX (OIDC) - Disabled (using Authelia instead)
+# =============================================================================
+dex:
+ enabled: false
+
+# =============================================================================
+# APPLICATIONSET CONTROLLER - Disabled (not used)
+# =============================================================================
+applicationSet:
+ enabled: false
+
+# =============================================================================
+# NOTIFICATIONS CONTROLLER - Disabled (not used)
+# =============================================================================
+notifications:
+ enabled: false
+
+# 
=============================================================================
+# CRDs
+# =============================================================================
+crds:
+ install: true
+ keep: true
diff --git a/argocd/kustomization.yaml b/argocd/kustomization.yaml
index 52d3665..9097c21 100644
--- a/argocd/kustomization.yaml
+++ b/argocd/kustomization.yaml
@@ -1,8 +1,8 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- manifests/namespace.yaml
-- manifests/argocd-cm.yaml
-- manifests/argocd-rbac-cm.yaml
-- manifests/argocd-cmd-params-cm.yaml
-- manifests/ingress.yaml
+ # ArgoCD Application (self-managed via Helm chart)
+ - argocd.yaml
+ # Additional manifests (applied alongside Helm chart)
+ - manifests/namespace.yaml
+ - manifests/webhook-ingress.yaml
diff --git a/argocd/manifests/argocd-cm.yaml b/argocd/manifests/argocd-cm.yaml
deleted file mode 100644
index 95a10b6..0000000
--- a/argocd/manifests/argocd-cm.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: argocd-cm
- namespace: argocd
- labels:
- app.kubernetes.io/name: argocd-cm
- app.kubernetes.io/part-of: argocd
-data:
- # Enable anonymous access (Authelia handles authentication)
- users.anonymous.enabled: "true"
- # Reconciliation interval (default: 180s)
- # Set to 0 to disable polling - webhook only
- timeout.reconciliation: "0"
diff --git a/argocd/manifests/argocd-cmd-params-cm.yaml b/argocd/manifests/argocd-cmd-params-cm.yaml
deleted file mode 100644
index 8c442a8..0000000
--- a/argocd/manifests/argocd-cmd-params-cm.yaml
+++ /dev/null
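Review bot: `users.anonymous.enabled: "true"` under `configs.cm` together with `policy.default: role:admin` and `g, , role:admin` under `configs.rbac` makes every unauthenticated request to argocd-server a full admin, while the Authelia middleware is attached only to the Traefik Ingress in `server.ingress.annotations` — the `argocd-server` Service itself is reachable in-cluster by any workload with no credential at all, over plain HTTP given `server.insecure: "true"`. Argo CD admin is effectively cluster admin here, since the Application in `argocd.yaml` deploys to `kubernetes.default.svc` under project `default`. Unless a NetworkPolicy elsewhere admits only the Traefik pods to argocd-server, add one, or at least record the assumption above `rbac:` with `# In-cluster access to argocd-server is unauthenticated admin; relies on NetworkPolicy + Authelia at the edge`. Separately, the comment `# Disable periodic app resync (webhook + self-heal only)` in `configs.params` sits above `controller.self.heal.timeout.seconds: "5"`, which is the self-heal timeout rather than a resync setting; the resync is already disabled by `timeout.reconciliation: "0"` in `configs.cm`, so the comment should say that. `controller.args.appResyncPeriod` looks like a chart key from before the 5.x major, when the controller args moved into `configs.params`, so verify against the 7.7.10 chart values that it is still consumed — if not, that block is a silent no-op.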
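Review bot: `manifests/namespace.yaml` and `manifests/webhook-ingress.yaml` are now listed here and are also the contents of `argocd/manifests`, which the `argocd` Application in `argocd.yaml` pulls in as its third source, so whatever applies this Kustomization and the `argocd` Application both claim the same two objects. Argo CD reports that as a shared-resource warning and, with `prune: true` on the Application, a later removal from one list can be undone or pruned by the other. Either drop the two `manifests/` entries here and let the Application own them (its `CreateNamespace=true` already covers the namespace), or drop source 3 from the Application and keep them here; a comment on the surviving list naming the single owner would stop the duplication from coming back.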
@@ -1,15 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: argocd-cmd-params-cm
- namespace: argocd
- labels:
- app.kubernetes.io/name: argocd-cmd-params-cm
- app.kubernetes.io/part-of: argocd
-data:
- # Run ArgoCD server in insecure mode (let ingress handle TLS)
- server.insecure: "true"
-
- # Disable periodic app resync (rely on webhook + self-heal only)
- # Default is 180s, setting to 0 disables periodic resync
- controller.app.resync: "0"
diff --git a/argocd/manifests/argocd-rbac-cm.yaml b/argocd/manifests/argocd-rbac-cm.yaml
deleted file mode 100644
index 2c2325a..0000000
--- a/argocd/manifests/argocd-rbac-cm.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: argocd-rbac-cm
- namespace: argocd
- labels:
- app.kubernetes.io/name: argocd-rbac-cm
- app.kubernetes.io/part-of: argocd
-data:
- # Grant admin role to anonymous users (Authelia handles authentication)
- policy.csv: |
- g, , role:admin
- policy.default: role:admin
diff --git a/argocd/manifests/ingress.yaml b/argocd/manifests/ingress.yaml
deleted file mode 100644
index 67b9aae..0000000
--- a/argocd/manifests/ingress.yaml
+++ /dev/null
@@ -1,50 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: argocd-server-ingress
- namespace: argocd
- annotations:
- cert-manager.io/cluster-issuer: "letsencrypt-prod"
- traefik.ingress.kubernetes.io/router.middlewares: authelia-authelia-auth@kubernetescrd
-spec:
- ingressClassName: traefik
- tls:
- - hosts:
- - argocd0213.kro.kr
- secretName: argocd-server-tls
- rules:
- - host: argocd0213.kro.kr
- http:
- paths:
- - path: /
- pathType: Prefix
- backend:
- service:
- name: argocd-server
- port:
- number: 80
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: argocd-webhook-ingress
- namespace: argocd
- annotations:
- cert-manager.io/cluster-issuer: "letsencrypt-prod"
-spec:
- ingressClassName: traefik
- tls:
- - hosts:
- - argocd0213.kro.kr
- secretName: argocd-server-tls
- rules:
- - host: argocd0213.kro.kr
- http:
- paths:
- - path: /api/webhook
- pathType: Prefix
- backend:
- service:
- name: argocd-server
- port:
- number: 80
diff --git a/argocd/manifests/webhook-ingress.yaml b/argocd/manifests/webhook-ingress.yaml
new file mode 100644
index 0000000..38d568e
--- /dev/null
+++ b/argocd/manifests/webhook-ingress.yaml
@@ -0,0 +1,25 @@
+# Webhook Ingress - No Authelia middleware (GitHub webhook needs direct access)
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: argocd-webhook-ingress
+ namespace: argocd
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt-prod
+spec:
+ ingressClassName: traefik
+ tls:
+ - hosts:
+ - argocd0213.kro.kr
+ secretName: argocd-server-tls
+ rules:
+ - host: argocd0213.kro.kr
+ http:
+ paths:
+ - path: /api/webhook
+ pathType: Prefix
+ backend:
+ service:
+ name: argocd-server
+ port:
+ number: 80
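Review bot: The `/api/webhook` route deliberately bypasses the Authelia middleware, so Argo CD's own webhook signature check is the only control on this path, and neither this manifest nor `argocd/helm-values.yaml` in this commit configures a webhook secret (`configs.secret.githubSecret` in the chart, which lands as `webhook.github.secret` in `argocd-secret`). Without it, unauthenticated POSTs to this host are accepted and each one triggers repository refreshes, which is a cheap way to load the repo-server and the Git remote. Set the secret from an external secret source rather than in this repo and match it in the GitHub webhook settings; `pathType: Exact` would also narrow the unprotected surface from the whole `/api/webhook` prefix to the single endpoint, if the handler is only registered at that exact path, and a Traefik IPAllowList of GitHub's published hook ranges is a cheap second layer. The header comment could then read `# Webhook Ingress - bypasses Authelia; authenticated by the webhook secret in argocd-secret`.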