forked from HariSekhon/Kubernetes-configs
-
Notifications
You must be signed in to change notification settings - Fork 0
/
argocd-project.yaml
182 lines (170 loc) · 6.38 KB
/
argocd-project.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
#
# Author: Hari Sekhon
# Date: 2021-06-10 18:26:29 +0100 (Thu, 10 Jun 2021)
#
# vim:ts=2:sts=2:sw=2:et
# lint: k8s
#
# https://github.com/HariSekhon/Kubernetes-configs
#
# License: see accompanying Hari Sekhon LICENSE file
#
# If you're using my code you're welcome to connect with me on LinkedIn and optionally send me feedback to help steer this or other code I publish
#
# https://www.linkedin.com/in/HariSekhon
#
# ============================================================================ #
# A r g o C D P r o j e c t
# ============================================================================ #
# https://argo-cd.readthedocs.io/en/stable/operator-manual/declarative-setup/#projects
# manages a given ArgoCD project and settings
# if using argocd-projects.yaml App-of-Projects pattern you can just drop this into the k8s/argocd/projects directory in git to add it dynamically,
# or conversely delete or rename it to a different suffix such .disabled to have it auto-removed from ArgoCD
---
apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
# XXX: Edit
name: NAME
namespace: argocd # must be the namespace where ArgoCD was installed - usually 'argocd'
# Finalizer that ensures that project is not deleted until it is not referenced by any application
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
# XXX: Edit
description: DESCRIPTION
# give UI option to show orphaned resources but don't raise annoying warnings as this is quite common
orphanedResources:
warn: false
# Allow manifests to deploy from any Git repos
sourceRepos:
- '*'
# Only permit applications to deploy to the NAMESPACE namespace in the same cluster
destinations:
# XXX: Edit
- namespace: NAMESPACE # default namespace, overridden in k8s manifests
# XXX: Edit - this is fine for in-cluster deployments, otherwise give external Master URL for deployments to other clusters
server: https://kubernetes.default.svc
- namespace: kube-system # needed for Cert Manager roles for cainjector leader election
server: https://kubernetes.default.svc # XXX: Edit
- namespace: argocd
server: https://kubernetes.default.svc # XXX: Edit
- namespace: cert-manager
server: https://kubernetes.default.svc # XXX: Edit
- namespace: circleci
server: https://kubernetes.default.svc # XXX: Edit
- namespace: github-actions
server: https://kubernetes.default.svc # XXX: Edit
- namespace: goldilocks
server: https://kubernetes.default.svc # XXX: Edit
- namespace: ingress-nginx
server: https://kubernetes.default.svc # XXX: Edit
- namespace: jenkins
server: https://kubernetes.default.svc # XXX: Edit
- namespace: keycloak
server: https://kubernetes.default.svc # XXX: Edit
- namespace: kubernetes-dashboard
server: https://kubernetes.default.svc # XXX: Edit
- namespace: polaris
server: https://kubernetes.default.svc # XXX: Edit
- namespace: prometheus
server: https://kubernetes.default.svc # XXX: Edit
- namespace: selenium
server: https://kubernetes.default.svc # XXX: Edit
# Deny all cluster-scoped resources from being created, except for Namespace
clusterResourceWhitelist:
- group: cert-manager.io
kind: ClusterIssuer
# needed for Polaris kustomization
#- group: rbac.authorization.k8s.io
# kind: ClusterRole
#- group: rbac.authorization.k8s.io
# kind: ClusterRoleBinding
- group: apiextensions.k8s.io
kind: CustomResourceDefinition # needed for Cert-Manager
- group: networking.k8s.io
kind: IngressClass
- group: ''
kind: Namespace
#- group: scheduling.k8s.io
# kind: PriorityClass
#- group: storage.k8s.io
# kind: StorageClass
#
# for kube-prometheus-stack
- group: policy
kind: PodSecurityPolicy
- group: admissionregistration.k8s.io
kind: MutatingWebhookConfiguration
- group: admissionregistration.k8s.io
kind: ValidatingWebhookConfiguration
# Allow all namespaced-scoped resources to be created, except for ResourceQuota, LimitRange, NetworkPolicy
namespaceResourceBlacklist:
- group: ''
kind: ResourceQuota
- group: ''
kind: LimitRange
- group: ''
kind: NetworkPolicy
# Deny all namespaced-scoped resources from being created, except for ones explicitly listed here
# populated by script argocd_namespace_resource_whitelist.sh from https://github.com/HariSekhon/DevOps-Bash-tools/
namespaceResourceWhitelist:
- group: ''
kind: ConfigMap
- group: batch
kind: Job
- group: batch
kind: CronJob
- group: apps
kind: DaemonSet
- group: apps
kind: Deployment
- group: autoscaling
kind: HorizontalPodAutoscaler
- group: extensions # old ingress
kind: Ingress
- group: networking.k8s.io # new ingress
kind: Ingress
- group: ''
kind: PersistentVolumeClaim
- group: policy
kind: PodDisruptionBudget
- group: rbac.authorization.k8s.io
kind: Role
- group: rbac.authorization.k8s.io
kind: RoleBinding
- group: ''
kind: Secret # XXX: if you're managing this you're doing it wrong, used SealedSecret instead
- group: bitnami.com
kind: SealedSecret
- group: ''
kind: Service
- group: ''
kind: ServiceAccount
- group: apps
kind: StatefulSet
- group: autoscaling.k8s.io
kind: VerticalPodAutoscaler
# for kube-prometheus-stack
- group: monitoring.coreos.com
kind: '*'
roles:
# A role which provides read-only access to all applications in the project
- name: read-only
description: Read-only privileges to NAME # XXX: Edit
policies:
- p, proj:my-project:read-only, applications, get, NAME/*, allow # XXX: Edit
groups:
# XXX: Edit
- my-oidc-group
# A role which provides sync privileges to only the guestbook-dev application, e.g. to provide
# sync privileges to a CI system
- name: ci-role
description: Sync privileges for guestbook-dev
policies:
# XXX: Edit
- p, proj:PROJECT:ci-role, applications, sync, NAME/APP, allow
# NOTE: JWT tokens can only be generated by the API server and the token is not persisted
# anywhere by Argo CD. It can be prematurely revoked by removing the entry from this list.
jwtTokens:
- iat: 1535390316