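---
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
  namespace: argocd
  labels:
    app.kubernetes.io/name: argocd-cm
    app.kubernetes.io/part-of: argocd
# ConfigMap.data is map[string]string: every value below must be a YAML string.
# Bare YAML booleans/integers are rejected by the API server, so they are quoted.
data:
  # Argo CD's externally facing base URL (optional). Required when configuring SSO.
  url: https://argo-cd-demo.argoproj.io

  # Enables the application status badge feature.
  # The badge endpoint is served without login so it can be embedded in READMEs, which
  # makes application names and sync/health state visible to anyone who can reach the server.
  statusbadge.enabled: "true"
  # Override the Argo CD hostname root URL for both the project and the application status badges.
  # Here is an example of the application status badge for the app `myapp` to see what is replaced:
  #   api/badge?name=myapp&revision=true
  # Provide a custom URL to override. You must include the trailing forward slash:
  statusbadge.url: "https://cd-status.apps.argoproj.io/"

  # Enables anonymous user access. Anonymous users get the default role permissions specified by
  # policy.default in argocd-rbac-cm.yaml, so keep that default role minimal (or leave this "false")
  # on any server reachable from an untrusted network.
  users.anonymous.enabled: "true"
  # Specifies the token expiration duration.
  users.session.duration: "24h"
  # Specifies the regular expression that local-account passwords must match.
  passwordPattern: "^.{8,32}$"

  # Enables Google Analytics tracking if specified.
  ga.trackingid: "UA-12345-1"
  # Unless set to 'false', user ids are hashed before being sent to Google Analytics.
  # With "false" (as here) raw user ids leave the cluster; prefer "true" unless that is intended.
  ga.anonymizeusers: "false"

  # The URL for getting chat help; this will typically be your Slack channel for support.
  help.chatUrl: "https://mycorp.slack.com/argo-cd"
  # The text for getting chat help; defaults to "Chat now!".
  help.chatText: "Chat now!"

  # The URLs to download additional Argo CD binaries (besides the Linux binary for the current platform,
  # which is included by default) for different OS architectures. If provided, additional download
  # buttons are displayed on the help page.
  help.download.linux-amd64: "path-or-url-to-download"
  help.download.linux-arm64: "path-or-url-to-download"
  help.download.linux-ppc64le: "path-or-url-to-download"
  help.download.linux-s390x: "path-or-url-to-download"
  help.download.darwin-amd64: "path-or-url-to-download"
  help.download.darwin-arm64: "path-or-url-to-download"
  help.download.windows-amd64: "path-or-url-to-download"

  # A dex connector configuration (optional). See the SSO configuration documentation:
  # https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/user-management/index.md#sso
  # https://dexidp.io/docs/connectors/
  # Values of the form $key are resolved from argocd-secret at runtime; do not inline the
  # client secret in this ConfigMap.
  dex.config: |
    connectors:
      # GitHub example
      - type: github
        id: github
        name: GitHub
        config:
          clientID: aabbccddeeff00112233
          clientSecret: $dex.github.clientSecret
          orgs:
            - name: your-github-org
              teams:
                - red-team
    # It is possible to provide custom static client for dex if you want to reuse it
    # with other services
    # staticClients:
    # - id: argo-workflow
    #   name: Argo Workflow
    #   redirectURIs:
    #   - https://argo/oauth2/callback
    #   secret: $secretReference

  # OIDC configuration as an alternative to dex (optional).
  oidc.config: |
    name: Okta
    issuer: https://dev-123456.oktapreview.com
    clientID: aaaabbbbccccddddeee
    clientSecret: $oidc.okta.clientSecret
    # Optional set of OIDC scopes to request. If omitted, defaults to: ["openid", "profile", "email", "groups"]
    requestedScopes: ["openid", "profile", "email"]
    # Optional set of OIDC claims to request on the ID token.
    requestedIDTokenClaims: {"groups": {"essential": true}}

  # Configuration to customize resource behavior (optional) can be configured via split sub-keys.
  # Keys are in the form: resource.customizations.ignoreDifferences.<group_kind>, resource.customizations.health.<group_kind>,
  # resource.customizations.actions.<group_kind>, resource.customizations.knownTypeFields.<group_kind>,
  # resource.customizations.ignoreResourceUpdates.<group_kind>.
  resource.customizations.ignoreDifferences.admissionregistration.k8s.io_MutatingWebhookConfiguration: |
    jsonPointers:
      - /webhooks/0/clientConfig/caBundle
    jqPathExpressions:
      - .webhooks[0].clientConfig.caBundle
    managedFieldsManagers:
      - kube-controller-manager

  # Configuration to define customizations ignoring differences between live and desired states for
  # all resources (GK).
  resource.customizations.ignoreDifferences.all: |
    managedFieldsManagers:
      - kube-controller-manager
    jsonPointers:
      - /spec/replicas

  # Enable resource.customizations.ignoreResourceUpdates rules. If "false", those rules are not applied, and all updates
  # to resources are applied to the cluster cache. Default is false.
  resource.ignoreResourceUpdatesEnabled: "false"

  # Configuration to define customizations ignoring differences during watched resource updates to skip application reconciles.
  resource.customizations.ignoreResourceUpdates.all: |
    jsonPointers:
      - /metadata/resourceVersion

  # Configuration to define customizations ignoring differences during watched resource updates can be configured via split sub-keys.
  resource.customizations.ignoreResourceUpdates.argoproj.io_Application: |
    jsonPointers:
      - /status

  # jsonPointers and jqPathExpressions can be specified.
  resource.customizations.ignoreResourceUpdates.autoscaling_HorizontalPodAutoscaler: |
    jqPathExpressions:
      - '.metadata.annotations."autoscaling.alpha.kubernetes.io/behavior"'
      - '.metadata.annotations."autoscaling.alpha.kubernetes.io/conditions"'
      - '.metadata.annotations."autoscaling.alpha.kubernetes.io/metrics"'
      - '.metadata.annotations."autoscaling.alpha.kubernetes.io/current-metrics"'
    jsonPointers:
      - /metadata/annotations/autoscaling.alpha.kubernetes.io~1behavior
      - /metadata/annotations/autoscaling.alpha.kubernetes.io~1conditions
      - /metadata/annotations/autoscaling.alpha.kubernetes.io~1metrics
      - /metadata/annotations/autoscaling.alpha.kubernetes.io~1current-metrics

  # Custom Lua health check for the legacy certmanager.k8s.io Certificate kind:
  # Degraded/Healthy from the Ready condition, otherwise Progressing.
  resource.customizations.health.certmanager.k8s.io-Certificate: |
    hs = {}
    if obj.status ~= nil then
      if obj.status.conditions ~= nil then
        for i, condition in ipairs(obj.status.conditions) do
          if condition.type == "Ready" and condition.status == "False" then
            hs.status = "Degraded"
            hs.message = condition.message
            return hs
          end
          if condition.type == "Ready" and condition.status == "True" then
            hs.status = "Healthy"
            hs.message = condition.message
            return hs
          end
        end
      end
    end
    hs.status = "Progressing"
    hs.message = "Waiting for certificate"
    return hs

  # Same health check for the current cert-manager.io Certificate kind.
  resource.customizations.health.cert-manager.io_Certificate: |
    hs = {}
    if obj.status ~= nil then
      if obj.status.conditions ~= nil then
        for i, condition in ipairs(obj.status.conditions) do
          if condition.type == "Ready" and condition.status == "False" then
            hs.status = "Degraded"
            hs.message = condition.message
            return hs
          end
          if condition.type == "Ready" and condition.status == "True" then
            hs.status = "Healthy"
            hs.message = condition.message
            return hs
          end
        end
      end
    end
    hs.status = "Progressing"
    hs.message = "Waiting for certificate"
    return hs

  # List of Lua scripts to introduce custom actions.
  resource.customizations.actions.apps_Deployment: |
    # Lua Script to indicate which custom actions are available on the resource
    discovery.lua: |
      actions = {}
      actions["restart"] = {}
      return actions
    definitions:
      - name: restart
        # Lua Script to modify the obj
        action.lua: |
          local os = require("os")
          if obj.spec.template.metadata == nil then
              obj.spec.template.metadata = {}
          end
          if obj.spec.template.metadata.annotations == nil then
              obj.spec.template.metadata.annotations = {}
          end
          obj.spec.template.metadata.annotations["kubectl.kubernetes.io/restartedAt"] = os.date("!%Y-%m-%dT%XZ")
          return obj

  # Configuration to completely ignore entire classes of resource group/kinds (optional).
  # Excluding high-volume resources improves performance and memory usage, and reduces load and
  # bandwidth to the Kubernetes API server.
  # These are globs, so a "*" will match all values.
  # If you omit groups/kinds/clusters then they will match all groups/kinds/clusters.
  # NOTE: events.k8s.io and metrics.k8s.io are excluded by default.
  resource.exclusions: |
    - apiGroups:
        - repositories.stash.appscode.com
      kinds:
        - Snapshot
      clusters:
        - "*.local"

  # By default all resource group/kinds are included. The resource.inclusions setting allows customizing the
  # list of included group/kinds.
  resource.inclusions: |
    - apiGroups:
        - repositories.stash.appscode.com
      kinds:
        - Snapshot
      clusters:
        - "*.local"

  # An optional comma-separated list of metadata.labels to observe in the UI.
  resource.customLabels: tier

  resource.compareoptions: |
    # if ignoreAggregatedRoles set to true then differences caused by aggregated roles in RBAC resources are ignored.
    ignoreAggregatedRoles: true
    # disables status field diffing in specified resource types
    # 'crd' - CustomResourceDefinitions (default)
    # 'all' - all resources
    # 'none' - disabled
    ignoreResourceStatusField: crd

  # Configuration to instruct the controller to only watch for resources that it has permissions to list.
  # Can be either empty, "normal" or "strict". By default, it is empty, i.e. disabled.
  resource.respectRBAC: "normal"

  # A set of settings that allow enabling or disabling the config management tool.
  # If unset, each defaults to "true". Quoted: a bare YAML boolean is not a valid ConfigMap value.
  kustomize.enabled: "true"
  jsonnet.enabled: "true"
  helm.enabled: "true"

  # Build options/parameters to use with `kustomize build` (optional).
  # `--load_restrictor none` lets a kustomization read files outside its own directory, so only set it
  # when every repository this server renders is trusted.
  kustomize.buildOptions: --load_restrictor none
  # Per-version build options and binary paths.
  kustomize.path.v3.9.1: /custom-tools/kustomize_3_9
  kustomize.buildOptions.v3.9.1: --enable_kyaml true
  # Additional Kustomize versions and corresponding binary paths (deprecated).
  kustomize.version.v3.5.1: /custom-tools/kustomize_3_5_1
  kustomize.version.v3.5.4: /custom-tools/kustomize_3_5_4

  # Comma-delimited list of additional custom remote values file schemes (http and https are allowed by default).
  # Change to an empty value if you want to disable remote values files altogether.
  helm.valuesFileSchemes: http, https

  # The metadata.label key name where Argo CD injects the app name as a tracking label (optional).
  # Tracking labels are used to determine which resources need to be deleted when pruning.
  # If omitted, Argo CD injects the app name into the label: 'app.kubernetes.io/instance'
  application.instanceLabelKey: mycompany.com/appname

  # You can change the resource tracking method Argo CD uses by changing the
  # setting application.resourceTrackingMethod to the desired method.
  # The following methods are available:
  # - label : Uses the application.instanceLabelKey label for tracking
  # - annotation : Uses an annotation with additional metadata for tracking instead of the label
  # - annotation+label : Also uses an annotation for tracking, but additionally labels the resource with the application name
  application.resourceTrackingMethod: annotation

  # Disables the built-in admin user. Admin is enabled by default.
  admin.enabled: "false"
  # Add an additional local user with apiKey and login capabilities:
  #   apiKey - allows generating API keys
  #   login  - allows logging in using the UI
  accounts.alice: apiKey, login
  # Disables the user. Users are enabled by default.
  accounts.alice.enabled: "false"

  # The location of optional user-defined CSS that is loaded at runtime.
  # Local CSS files:
  # - If the supplied path is to a file mounted on the argocd-server container, that file should be mounted
  #   within a subdirectory of the existing "/shared/app" directory (e.g. "/shared/app/custom"). Otherwise,
  #   the file will likely fail to be imported by the browser with an "incorrect MIME type" error.
  # - The path should be specified relative to the "/shared/app" directory; not as an absolute path.
  # Remote CSS files:
  # - Files may also be loaded from remote locations via fully qualified URLs. A remote stylesheet is
  #   loaded into every user's browser session, so its host becomes part of the UI's trust boundary.
  ui.cssurl: "./custom/my-styles.css"

  # An optional user-defined banner message that's displayed at the top of every UI page.
  # Every time this is updated, it will clear the user's localStorage entry telling the UI to hide the banner forever.
  ui.bannercontent: "Hello there!"
  # Optional link for the banner. If set, the entire banner text becomes a link.
  # You can have bannercontent without a bannerurl, but not the other way around.
  ui.bannerurl: "https://argoproj.github.io"
  # Uncomment to make the banner not show the close button, thereby making the banner permanent.
  # Because it is permanent, only one line of text is available so as not to take up too much real estate in the UI,
  # so it is recommended that the bannercontent text is kept reasonably short. Note that you can
  # have either a permanent banner or a regular closeable banner, and NOT both, e.g. a user can't dismiss a
  # notification message (closeable) banner and then immediately see a permanent banner.
  # ui.bannerpermanent: "true"
  # An option to specify the position of the banner: the top or bottom of the page, or both. The valid values
  # are "top", "bottom" and "both". The default (if the option is not provided) is "top". If "both" is specified, then
  # the content appears both at the top and the bottom of the page. Uncomment the following line to make the banner appear
  # at the bottom of the page. Change the value as needed.
  # ui.bannerposition: "bottom"

  # Application reconciliation timeout is the max amount of time required to discover if a new manifests version got
  # published to the repository. Reconciliation by timeout is disabled if the timeout is set to 0. Three minutes by default.
  # > Note: the argocd-repo-server deployment must be manually restarted after changing the setting.
  timeout.reconciliation: 180s
  # With a large number of applications, the periodic refresh for each application can cause a spike in the refresh queue
  # and a spike in the repo-server component. To avoid this, you can set a jitter on the sync timeout, which will
  # spread out the refreshes and give the repo-server time to catch up. The jitter is the maximum duration that can be
  # added to the sync timeout. So, if the sync timeout is 3 minutes and the jitter is 1 minute, the actual timeout will
  # be between 3 and 4 minutes. Disabled when the value is 0; defaults to 0.
  # Quoted: a bare YAML integer is not a valid ConfigMap value.
  timeout.reconciliation.jitter: "0"

  # cluster.inClusterEnabled indicates whether to allow the in-cluster server address. This is enabled by default.
  cluster.inClusterEnabled: "true"

  # Application pod logs RBAC enforcement enables control over who can and who can't view application pod logs.
  # When you enable the switch, pod logs are visible only to the admin role by default. Other roles/users will not be able to view them via the CLI or UI.
  # When you enable the switch, viewing pod logs for other roles/users requires explicit RBAC allow policies (allow get on the logs subresource).
  # When you disable the switch (either add it to the configmap with a "false" value or do not add it to the configmap), no actual RBAC enforcement takes place.
  server.rbac.log.enforce.enable: "false"

  # exec.enabled indicates whether the UI exec feature is enabled. It is disabled by default.
  # Enabling it gives an interactive shell in application pods to every identity whose RBAC policy
  # permits exec, so review argocd-rbac-cm before turning it on.
  exec.enabled: "false"
  # exec.shells restricts which shells are allowed for `exec`, and the order in which they are attempted.
  exec.shells: "bash,sh,powershell,cmd"

  # oidc.tls.insecure.skip.verify determines whether certificate verification is skipped when verifying tokens with the
  # configured OIDC provider (either external or the bundled Dex instance). Setting this to "true" will cause JWT
  # token verification to pass despite the OIDC provider having an invalid certificate. Only set to "true" if you
  # understand the risks.
  oidc.tls.insecure.skip.verify: "false"

  # Add Deep Links to the Argo CD UI.
  # Sample project-level links.
  project.links: |
    - url: https://myaudit-system.com?project={{.metadata.name}}
      title: Audit
      description: system audit logs
      icon.class: "fa-book"
  # Sample application-level links.
  # The third example takes the link host from an Application annotation, so whoever can edit that
  # annotation chooses where the link points; keep the `if:` guard and restrict who may edit Applications.
  application.links: |
    # pkg.go.dev/text/template is used for evaluating url templates
    - url: https://mycompany.splunk.com?search={{.spec.destination.namespace}}
      title: Splunk
    # conditionally show link e.g. for specific project
    # github.com/antonmedv/expr is used for evaluation of conditions
    - url: https://mycompany.splunk.com?search={{.spec.destination.namespace}}
      title: Splunk
      if: spec.project == "default"
    - url: https://{{.metadata.annotations.splunkhost}}?search={{.spec.destination.namespace}}
      title: Splunk
      if: metadata.annotations.splunkhost
  # Sample resource-level links.
  resource.links: |
    - url: https://mycompany.splunk.com?search={{.metadata.namespace}}
      title: Splunk
      if: kind == "Pod" || kind == "Deployment"

  # UI extension backends. The API server proxies requests to these services; the sample uses a
  # plaintext http:// URL, so real backends should be reached over https.
  extension.config: |
    extensions:
      # Name defines the endpoint that will be used to register
      # the extension route.
      # Mandatory field.
      - name: some-extension
        backend:
          # ConnectionTimeout is the maximum amount of time a dial to
          # the extension server will wait for a connect to complete.
          # Optional field. Default: 2 seconds
          connectionTimeout: 2s
          # KeepAlive specifies the interval between keep-alive probes
          # for an active network connection between the API server and
          # the extension server.
          # Optional field. Default: 15 seconds
          keepAlive: 15s
          # IdleConnectionTimeout is the maximum amount of time an idle
          # (keep-alive) connection between the API server and the extension
          # server will remain idle before closing itself.
          # Optional field. Default: 60 seconds
          idleConnectionTimeout: 60s
          # MaxIdleConnections controls the maximum number of idle (keep-alive)
          # connections between the API server and the extension server.
          # Optional field. Default: 30
          maxIdleConnections: 30
          services:
            # URL is the address where the extension backend must be available.
            # Mandatory field.
            - url: http://httpbin.org
              # Cluster if provided, will have to match the application
              # destination name or the destination server to have requests
              # properly forwarded to this service URL.
              # Optional field if only one service is specified.
              # Mandatory if multiple services are specified.
              cluster:
                name: some-cluster
                server: https://some-cluster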