FEAT(argocd): enable GitOps self-management

- Add ArgoCD Application for Helm chart deployment
- Add helm-values.yaml with custom settings
- Configure GOMEMLIMIT=400MiB, GOGC=50
- Disable reconciliation (webhook only)
- Enable anonymous access (Authelia handles auth)
- Move main ingress to helm-values.yaml
- Add separate webhook-ingress.yaml
- Remove ConfigMap files (now in helm-values)

argocd/argocd.yaml

@@ -0,0 +1,55 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: argocd
+  namespace: argocd
+  annotations:
+    # Sync early in the wave order
+    argocd.argoproj.io/sync-wave: "-10"
+spec:
+  project: default
+  sources:
+    # Source 1: ArgoCD Helm Chart
+    - repoURL: https://argoproj.github.io/argo-helm
+      chart: argo-cd
+      targetRevision: 7.7.10
+      helm:
+        valueFiles:
+          - $values/argocd/helm-values.yaml
+    # Source 2: Helm values from Git repo
+    - repoURL: https://github.com/K3S-HOME/platform.git
+      targetRevision: main
+      ref: values
+    # Source 3: Additional manifests (Ingress, Namespace)
+    - repoURL: https://github.com/K3S-HOME/platform.git
+      targetRevision: main
+      path: argocd/manifests
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: argocd
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
+      - ServerSideApply=true
+      - RespectIgnoreDifferences=true
+    retry:
+      limit: 5
+      backoff:
+        duration: 5s
+        factor: 2
+        maxDuration: 3m
+  # Ignore differences for self-managed resources
+  ignoreDifferences:
+    - group: ""
+      kind: Secret
+      name: argocd-secret
+      jsonPointers:
+        - /data
+    - group: ""
+      kind: Secret
+      name: argocd-initial-admin-secret
+      jsonPointers:
+        - /data

argocd/helm-values.yaml

@@ -0,0 +1,141 @@
+# ArgoCD Helm Chart Values
+# Chart: https://argoproj.github.io/argo-helm (argo-cd)
+# All custom settings from current cluster deployment
+
+# =============================================================================
+# GLOBAL SETTINGS
+# =============================================================================
+global:
+  # Deploy to master node
+  nodeSelector:
+    node-role.kubernetes.io/master: "true"
+
+  # Tolerate control-plane taint
+  tolerations:
+    - key: node-role.kubernetes.io/control-plane
+      operator: Exists
+      effect: NoSchedule
+
+# =============================================================================
+# CONFIGS (ConfigMaps)
+# =============================================================================
+configs:
+  # argocd-cm
+  cm:
+    # Authelia handles authentication, so allow anonymous access
+    users.anonymous.enabled: "true"
+    # Disable polling - webhook only
+    timeout.reconciliation: "0"
+    # Ignore resource status field differences
+    resource.compareoptions: |
+      ignoreResourceStatusField: all
+
+  # argocd-cmd-params-cm
+  params:
+    # Ingress handles TLS, so run in insecure mode
+    server.insecure: "true"
+    # Disable periodic app resync (webhook + self-heal only)
+    controller.self.heal.timeout.seconds: "5"
+
+  # argocd-rbac-cm
+  rbac:
+    # Anonymous users get admin role (Authelia handles authentication)
+    policy.csv: |
+      g, , role:admin
+    policy.default: role:admin
+
+# =============================================================================
+# APPLICATION CONTROLLER (StatefulSet)
+# =============================================================================
+controller:
+  # Memory optimization environment variables
+  env:
+    - name: GOMEMLIMIT
+      value: "400MiB"
+    - name: GOGC
+      value: "50"
+
+  # Disable periodic app resync
+  args:
+    appResyncPeriod: "0"
+
+  # Resource settings (from VPA recommendations)
+  resources:
+    requests:
+      cpu: 126m
+      memory: 1700Mi
+    limits:
+      memory: 2500Mi
+
+# =============================================================================
+# API SERVER (Deployment)
+# =============================================================================
+server:
+  # Main Ingress with Authelia middleware
+  ingress:
+    enabled: true
+    ingressClassName: traefik
+    annotations:
+      cert-manager.io/cluster-issuer: letsencrypt-prod
+      traefik.ingress.kubernetes.io/router.middlewares: authelia-authelia-auth@kubernetescrd
+    hosts:
+      - argocd0213.kro.kr
+    tls:
+      - secretName: argocd-server-tls
+        hosts:
+          - argocd0213.kro.kr
+
+  # Resource settings
+  resources:
+    requests:
+      cpu: 15m
+      memory: 138Mi
+    limits:
+      memory: 207Mi
+
+# =============================================================================
+# REPO SERVER (Deployment)
+# =============================================================================
+repoServer:
+  resources:
+    requests:
+      cpu: 15m
+      memory: 640Mi
+    limits:
+      memory: 960Mi
+
+# =============================================================================
+# REDIS (Deployment)
+# =============================================================================
+redis:
+  resources:
+    requests:
+      cpu: 15m
+      memory: 100Mi
+    limits:
+      memory: 150Mi
+
+# =============================================================================
+# DEX (OIDC) - Disabled (using Authelia instead)
+# =============================================================================
+dex:
+  enabled: false
+
+# =============================================================================
+# APPLICATIONSET CONTROLLER - Disabled (not used)
+# =============================================================================
+applicationSet:
+  enabled: false
+
+# =============================================================================
+# NOTIFICATIONS CONTROLLER - Disabled (not used)
+# =============================================================================
+notifications:
+  enabled: false
+
+# =============================================================================
+# CRDs
+# =============================================================================
+crds:
+  install: true
+  keep: true

argocd/kustomization.yaml

@@ -1,8 +1,8 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
+  # ArgoCD Application (self-managed via Helm chart)
+  - argocd.yaml
+  # Additional manifests (applied alongside Helm chart)
   - manifests/namespace.yaml
-- manifests/argocd-cm.yaml
-- manifests/argocd-rbac-cm.yaml
-- manifests/argocd-cmd-params-cm.yaml
-- manifests/ingress.yaml
+  - manifests/webhook-ingress.yaml

argocd/manifests/argocd-cm.yaml

@@ -1,14 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: argocd-cm
-  namespace: argocd
-  labels:
-    app.kubernetes.io/name: argocd-cm
-    app.kubernetes.io/part-of: argocd
-data:
-  # Enable anonymous access (Authelia handles authentication)
-  users.anonymous.enabled: "true"
-  # Reconciliation interval (default: 180s)
-  # Set to 0 to disable polling - webhook only
-  timeout.reconciliation: "0"

argocd/manifests/argocd-cmd-params-cm.yaml

@@ -1,15 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: argocd-cmd-params-cm
-  namespace: argocd
-  labels:
-    app.kubernetes.io/name: argocd-cmd-params-cm
-    app.kubernetes.io/part-of: argocd
-data:
-  # Run ArgoCD server in insecure mode (let ingress handle TLS)
-  server.insecure: "true"
-
-  # Disable periodic app resync (rely on webhook + self-heal only)
-  # Default is 180s, setting to 0 disables periodic resync
-  controller.app.resync: "0"

argocd/manifests/argocd-rbac-cm.yaml

@@ -1,13 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: argocd-rbac-cm
-  namespace: argocd
-  labels:
-    app.kubernetes.io/name: argocd-rbac-cm
-    app.kubernetes.io/part-of: argocd
-data:
-  # Grant admin role to anonymous users (Authelia handles authentication)
-  policy.csv: |
-    g, , role:admin
-  policy.default: role:admin

argocd/manifests/ingress.yaml

@@ -1,50 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: argocd-server-ingress
-  namespace: argocd
-  annotations:
-    cert-manager.io/cluster-issuer: "letsencrypt-prod"
-    traefik.ingress.kubernetes.io/router.middlewares: authelia-authelia-auth@kubernetescrd
-spec:
-  ingressClassName: traefik
-  tls:
-  - hosts:
-    - argocd0213.kro.kr
-    secretName: argocd-server-tls
-  rules:
-  - host: argocd0213.kro.kr
-    http:
-      paths:
-      - path: /
-        pathType: Prefix
-        backend:
-          service:
-            name: argocd-server
-            port:
-              number: 80
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: argocd-webhook-ingress
-  namespace: argocd
-  annotations:
-    cert-manager.io/cluster-issuer: "letsencrypt-prod"
-spec:
-  ingressClassName: traefik
-  tls:
-  - hosts:
-    - argocd0213.kro.kr
-    secretName: argocd-server-tls
-  rules:
-  - host: argocd0213.kro.kr
-    http:
-      paths:
-      - path: /api/webhook
-        pathType: Prefix
-        backend:
-          service:
-            name: argocd-server
-            port:
-              number: 80

argocd/manifests/webhook-ingress.yaml

@@ -0,0 +1,25 @@
+# Webhook Ingress - No Authelia middleware (GitHub webhook needs direct access)
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: argocd-webhook-ingress
+  namespace: argocd
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+spec:
+  ingressClassName: traefik
+  tls:
+    - hosts:
+        - argocd0213.kro.kr
+      secretName: argocd-server-tls
+  rules:
+    - host: argocd0213.kro.kr
+      http:
+        paths:
+          - path: /api/webhook
+            pathType: Prefix
+            backend:
+              service:
+                name: argocd-server
+                port:
+                  number: 80