FEAT(argocd): enable GitOps self-management

- Add ArgoCD Application for Helm chart deployment - Add helm-values.yaml with custom settings - Configure GOMEMLIMIT=400MiB, GOGC=50 - Disable reconciliation (webhook only) - Enable anonymous access (Authelia handles auth) - Move main ingress to helm-values.yaml - Add separate webhook-ingress.yaml - Remove ConfigMap files (now in helm-values)
2026-01-09 00:44:18 +09:00
parent a2b13bb4f6
commit 0d38963837
8 changed files with 226 additions and 97 deletions
--- a/argocd/manifests/argocd-cm.yaml
+++ b/argocd/manifests/argocd-cm.yaml
@@ -1,14 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: argocd-cm
-  namespace: argocd
-  labels:
-    app.kubernetes.io/name: argocd-cm
-    app.kubernetes.io/part-of: argocd
-data:
-  # Enable anonymous access (Authelia handles authentication)
-  users.anonymous.enabled: "true"
-  # Reconciliation interval (default: 180s)
-  # Set to 0 to disable polling - webhook only
-  timeout.reconciliation: "0"
--- a/argocd/manifests/argocd-cmd-params-cm.yaml
+++ b/argocd/manifests/argocd-cmd-params-cm.yaml
@@ -1,15 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: argocd-cmd-params-cm
-  namespace: argocd
-  labels:
-    app.kubernetes.io/name: argocd-cmd-params-cm
-    app.kubernetes.io/part-of: argocd
-data:
-  # Run ArgoCD server in insecure mode (let ingress handle TLS)
-  server.insecure: "true"
-
-  # Disable periodic app resync (rely on webhook + self-heal only)
-  # Default is 180s, setting to 0 disables periodic resync
-  controller.app.resync: "0"
--- a/argocd/manifests/argocd-rbac-cm.yaml
+++ b/argocd/manifests/argocd-rbac-cm.yaml
@@ -1,13 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: argocd-rbac-cm
-  namespace: argocd
-  labels:
-    app.kubernetes.io/name: argocd-rbac-cm
-    app.kubernetes.io/part-of: argocd
-data:
-  # Grant admin role to anonymous users (Authelia handles authentication)
-  policy.csv: |
-    g, , role:admin
-  policy.default: role:admin
--- a/argocd/manifests/ingress.yaml
+++ b/argocd/manifests/ingress.yaml
@@ -1,50 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: argocd-server-ingress
-  namespace: argocd
-  annotations:
-    cert-manager.io/cluster-issuer: "letsencrypt-prod"
-    traefik.ingress.kubernetes.io/router.middlewares: authelia-authelia-auth@kubernetescrd
-spec:
-  ingressClassName: traefik
-  tls:
-  - hosts:
-    - argocd0213.kro.kr
-    secretName: argocd-server-tls
-  rules:
-  - host: argocd0213.kro.kr
-    http:
-      paths:
-      - path: /
-        pathType: Prefix
-        backend:
-          service:
-            name: argocd-server
-            port:
-              number: 80
---
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: argocd-webhook-ingress
-  namespace: argocd
-  annotations:
-    cert-manager.io/cluster-issuer: "letsencrypt-prod"
-spec:
-  ingressClassName: traefik
-  tls:
-  - hosts:
-    - argocd0213.kro.kr
-    secretName: argocd-server-tls
-  rules:
-  - host: argocd0213.kro.kr
-    http:
-      paths:
-      - path: /api/webhook
-        pathType: Prefix
-        backend:
-          service:
-            name: argocd-server
-            port:
-              number: 80
--- a/argocd/manifests/webhook-ingress.yaml
+++ b/argocd/manifests/webhook-ingress.yaml
@@ -0,0 +1,25 @@
+# Webhook Ingress - No Authelia middleware (GitHub webhook needs direct access)
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: argocd-webhook-ingress
+  namespace: argocd
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+spec:
+  ingressClassName: traefik
+  tls:
+    - hosts:
+        - argocd0213.kro.kr
+      secretName: argocd-server-tls
+  rules:
+    - host: argocd0213.kro.kr
+      http:
+        paths:
+          - path: /api/webhook
+            pathType: Prefix
+            backend:
+              service:
+                name: argocd-server
+                port:
+                  number: 80