argocd-cm.yaml example¶
An example of an argocd-cm.yaml file:
apiVersion: v1
kind: ConfigMap
metadata:
name: argocd-cm
namespace: argocd
labels:
app.kubernetes.io/name: argocd-cm
app.kubernetes.io/part-of: argocd
data:
# Argo CD's externally facing base URL (optional). Required when configuring SSO
url: https://argo-cd-demo.argoproj.io
# Additional externally facing base URLs (optional)
additionalUrls: |
- https://argo-cd-demo2.argoproj.io
# Enables application status badge feature
statusbadge.enabled: "true"
# Override the Argo CD hostname root URL for both the project and the application status badges.
# Here is an example of the application status badge for the app `myapp` to see what is replaced.
# <statusbadge.url>api/badge?name=myapp&revision=true
# Provide custom URL to override. You must include the trailing forward slash:
statusbadge.url: "https://cd-status.apps.argoproj.io/"
# Enables anonymous user access. The anonymous users get default role permissions specified argocd-rbac-cm.yaml.
users.anonymous.enabled: "true"
# Specifies token expiration duration
users.session.duration: "24h"
# Specifies regex expression for password
passwordPattern: "^.{8,32}$"
# Enables google analytics tracking is specified
ga.trackingid: "UA-12345-1"
# Unless set to 'false' then user ids are hashed before sending to google analytics
ga.anonymizeusers: "false"
# the URL for getting chat help, this will typically be your Slack channel for support
help.chatUrl: "https://mycorp.slack.com/argo-cd"
# the text for getting chat help, defaults to "Chat now!"
help.chatText: "Chat now!"
# The URLs to download additional ArgoCD binaries (besides the Linux with current platform binary included by default)
# for different OS architectures. If provided, additional download buttons will be displayed on the help page.
help.download.linux-amd64: "path-or-url-to-download"
help.download.linux-arm64: "path-or-url-to-download"
help.download.linux-ppc64le: "path-or-url-to-download"
help.download.linux-s390x: "path-or-url-to-download"
help.download.darwin-amd64: "path-or-url-to-download"
help.download.darwin-arm64: "path-or-url-to-download"
help.download.windows-amd64: "path-or-url-to-download"
# A dex connector configuration (optional). See SSO configuration documentation:
# https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/user-management/index.md#sso
# https://dexidp.io/docs/connectors/
dex.config: |
connectors:
# GitHub example
- type: github
id: github
name: GitHub
config:
clientID: aabbccddeeff00112233
clientSecret: $dex.github.clientSecret
orgs:
- name: your-github-org
teams:
- red-team
# It is possible to provide custom static client for dex if you want to reuse it
# with other services
# staticClients:
# - id: argo-workflow
# name: Argo Workflow
# redirectURIs:
# - https://argo/oauth2/callback
# secret: $secretReference
# OIDC configuration as an alternative to dex (optional).
oidc.config: |
name: Okta
issuer: https://dev-123456.oktapreview.com
clientID: aaaabbbbccccddddeee
clientSecret: $oidc.okta.clientSecret
# Optional set of OIDC scopes to request. If omitted, defaults to: ["openid", "profile", "email", "groups"]
requestedScopes: ["openid", "profile", "email"]
# Optional set of OIDC claims to request on the ID token.
requestedIDTokenClaims: {"groups": {"essential": true}}
# Configuration to customize resource behavior (optional) can be configured via splitted sub keys.
# Keys are in the form: resource.customizations.ignoreDifferences.<group_kind>, resource.customizations.health.<group_kind>
# resource.customizations.actions.<group_kind>, resource.customizations.knownTypeFields.<group-kind>
# resource.customizations.ignoreResourceUpdates.<group-kind>
resource.customizations.ignoreDifferences.admissionregistration.k8s.io_MutatingWebhookConfiguration: |
jsonPointers:
- /webhooks/0/clientConfig/caBundle
jqPathExpressions:
- .webhooks[0].clientConfig.caBundle
managedFieldsManagers:
- kube-controller-manager
# Configuration to define customizations ignoring differences between live and desired states for
# all resources (GK).
resource.customizations.ignoreDifferences.all: |
managedFieldsManagers:
- kube-controller-manager
jsonPointers:
- /spec/replicas
# Enable resource.customizations.ignoreResourceUpdates rules. If "false," those rules are not applied, and all updates
# to resources are applied to the cluster cache. Default is false.
resource.ignoreResourceUpdatesEnabled: "false"
# Configuration to define customizations ignoring differences during watched resource updates to skip application reconciles.
resource.customizations.ignoreResourceUpdates.all: |
jsonPointers:
- /metadata/resourceVersion
# Configuration to define customizations ignoring differences during watched resource updates can be configured via splitted sub key.
resource.customizations.ignoreResourceUpdates.argoproj.io_Application: |
jsonPointers:
- /status
# jsonPointers and jqPathExpressions can be specified.
resource.customizations.ignoreResourceUpdates.autoscaling_HorizontalPodAutoscaler: |
jqPathExpressions:
- '.metadata.annotations."autoscaling.alpha.kubernetes.io/behavior"'
- '.metadata.annotations."autoscaling.alpha.kubernetes.io/conditions"'
- '.metadata.annotations."autoscaling.alpha.kubernetes.io/metrics"'
- '.metadata.annotations."autoscaling.alpha.kubernetes.io/current-metrics"'
jsonPointers:
- /metadata/annotations/autoscaling.alpha.kubernetes.io~1behavior
- /metadata/annotations/autoscaling.alpha.kubernetes.io~1conditions
- /metadata/annotations/autoscaling.alpha.kubernetes.io~1metrics
- /metadata/annotations/autoscaling.alpha.kubernetes.io~1current-metrics
resource.customizations.health.certmanager.k8s.io-Certificate: |
hs = {}
if obj.status ~= nil then
if obj.status.conditions ~= nil then
for i, condition in ipairs(obj.status.conditions) do
if condition.type == "Ready" and condition.status == "False" then
hs.status = "Degraded"
hs.message = condition.message
return hs
end
if condition.type == "Ready" and condition.status == "True" then
hs.status = "Healthy"
hs.message = condition.message
return hs
end
end
end
end
hs.status = "Progressing"
hs.message = "Waiting for certificate"
return hs
resource.customizations.health.cert-manager.io_Certificate: |
hs = {}
if obj.status ~= nil then
if obj.status.conditions ~= nil then
for i, condition in ipairs(obj.status.conditions) do
if condition.type == "Ready" and condition.status == "False" then
hs.status = "Degraded"
hs.message = condition.message
return hs
end
if condition.type == "Ready" and condition.status == "True" then
hs.status = "Healthy"
hs.message = condition.message
return hs
end
end
end
end
hs.status = "Progressing"
hs.message = "Waiting for certificate"
return hs
# List of Lua Scripts to introduce custom actions
resource.customizations.actions.apps_Deployment: |
# Lua Script to indicate which custom actions are available on the resource
discovery.lua: |
actions = {}
actions["restart"] = {}
return actions
definitions:
- name: restart
# Lua Script to modify the obj
action.lua: |
local os = require("os")
if obj.spec.template.metadata == nil then
obj.spec.template.metadata = {}
end
if obj.spec.template.metadata.annotations == nil then
obj.spec.template.metadata.annotations = {}
end
obj.spec.template.metadata.annotations["kubectl.kubernetes.io/restartedAt"] = os.date("!%Y-%m-%dT%XZ")
return obj
# Configuration to completely ignore entire classes of resource group/kinds (optional).
# Excluding high-volume resources improves performance and memory usage, and reduces load and
# bandwidth to the Kubernetes API server.
# These are globs, so a "*" will match all values.
# If you omit groups/kinds/clusters then they will match all groups/kind/clusters.
# NOTE: events.k8s.io and metrics.k8s.io are excluded by default
resource.exclusions: |
- apiGroups:
- repositories.stash.appscode.com
kinds:
- Snapshot
clusters:
- "*.local"
# By default all resource group/kinds are included. The resource.inclusions setting allows customizing
# list of included group/kinds.
resource.inclusions: |
- apiGroups:
- repositories.stash.appscode.com
kinds:
- Snapshot
clusters:
- "*.local"
# An optional comma-separated list of metadata.labels to observe in the UI.
resource.customLabels: tier
# An optional comma-separated list of metadata.labels keys to add to Kubernetes events generated for Applications.
# The keys are compared against the Application and its AppProject. If matched,
# the corresponding labels are added to the generated event.
# In case of a conflict between labels on the Application and AppProject,
# the Application label values are prioritized and added to the event. Supports wildcards.
resource.includeEventLabelKeys: team,env*
# An optional comma-separated list of metadata.labels keys to exclude from Kubernetes events generated for Applications. Supports wildcards.
resource.excludeEventLabelKeys: environment,bu
resource.compareoptions: |
# if ignoreAggregatedRoles set to true then differences caused by aggregated roles in RBAC resources are ignored.
ignoreAggregatedRoles: true
# disables status field diffing in specified resource types
# 'crd' - CustomResourceDefinitions (default)
# 'all' - all resources
# 'none' - disabled
ignoreResourceStatusField: crd
# configuration to instruct controller to only watch for resources that it has permissions to list
# can be either empty, "normal" or "strict". By default, it is empty i.e. disabled.
resource.respectRBAC: "normal"
# A set of settings that allow enabling or disabling the config management tool.
# If unset, each defaults to "true".
kustomize.enabled: "true"
jsonnet.enabled: "true"
helm.enabled: "true"
# Build options/parameters to use with `kustomize build` (optional)
kustomize.buildOptions: --load_restrictor none
# Per-version build options and binary paths
kustomize.path.v3.9.1: /custom-tools/kustomize_3_9
kustomize.buildOptions.v3.9.1: --enable_kyaml true
# Additional Kustomize versions and corresponding binary paths (deprecated)
kustomize.version.v3.5.1: /custom-tools/kustomize_3_5_1
kustomize.version.v3.5.4: /custom-tools/kustomize_3_5_4
# Comma delimited list of additional custom remote values file schemes (http are https are allowed by default).
# Change to empty value if you want to disable remote values files altogether.
helm.valuesFileSchemes: http, https
# The metadata.label key name where Argo CD injects the app name as a tracking label (optional).
# Tracking labels are used to determine which resources need to be deleted when pruning.
# If omitted, Argo CD injects the app name into the label: 'app.kubernetes.io/instance'
application.instanceLabelKey: mycompany.com/appname
# You can change the resource tracking method Argo CD uses by changing the
# setting application.resourceTrackingMethod to the desired method.
# The following methods are available:
# - label : Uses the application.instanceLabelKey label for tracking
# - annotation : Uses an annotation with additional metadata for tracking instead of the label
# - annotation+label : Also uses an annotation for tracking, but additionally labels the resource with the application name
application.resourceTrackingMethod: annotation
# Optional installation id. Allows to have multiple installations of Argo CD in the same cluster.
installationID: "my-unique-id"
# disables admin user. Admin is enabled by default
admin.enabled: "false"
# add an additional local user with apiKey and login capabilities
# apiKey - allows generating API keys
# login - allows to login using UI
accounts.alice: apiKey, login
# disables user. User is enabled by default
accounts.alice.enabled: "false"
# The location of optional user-defined CSS that is loaded at runtime.
# Local CSS Files:
# - If the supplied path is to a file mounted on the argocd-server container, that file should be mounted
# within a subdirectory of the existing "/shared/app" directory (e.g. "/shared/app/custom"). Otherwise,
# the file will likely fail to be imported by the browser with an "incorrect MIME type" error.
# - The path should be specified relative to the "/shared/app" directory; not as an absolute path.
# Remote CSS Files:
# - Files may also be loaded from remote locations via fully qualified URLs.
ui.cssurl: "./custom/my-styles.css"
# An optional user-defined banner message that's displayed at the top of every UI page.
# Every time this is updated, it will clear a user's localStorage telling the UI to hide the banner forever.
ui.bannercontent: "Hello there!"
# Optional link for banner. If set, the entire banner text will become a link.
# You can have bannercontent without a bannerurl, but not the other way around.
ui.bannerurl: "https://argoproj.github.io"
# Uncomment to make the banner not show the close buttons, thereby making the banner permanent.
# Because it is permanent, only one line of text is available to not take up too much real estate in the UI,
# so it is recommended that the length of the bannercontent text is kept reasonably short. Note that you can
# have either a permanent banner or a regular closeable banner, and NOT both. eg. A user can't dismiss a
# notification message (closeable) banner, to then immediately see a permanent banner.
# ui.bannerpermanent: "true"
# An option to specify the position of the banner, either the top or bottom of the page, or both. The valid values
# are: "top", "bottom" and "both". The default (if the option is not provided), is "top". If "both" is specified, then
# the content appears both at the top and the bottom of the page. Uncomment the following line to make the banner appear
# at the bottom of the page. Change the value as needed.
# ui.bannerposition: "bottom"
# Application reconciliation timeout is the max amount of time required to discover if a new manifests version got
# published to the repository. Reconciliation by timeout is disabled if timeout is set to 0. Three minutes by default.
# > Note: argocd-repo-server deployment must be manually restarted after changing the setting.
timeout.reconciliation: 180s
# With a large number of applications, the periodic refresh for each application can cause a spike in the refresh queue
# and can cause a spike in the repo-server component. To avoid this, you can set a jitter to the sync timeout, which will
# spread out the refreshes and give time to the repo-server to catch up. The jitter is the maximum duration that can be
# added to the sync timeout. So, if the sync timeout is 3 minutes and the jitter is 1 minute, then the actual timeout will
# be between 3 and 4 minutes. Disabled when the value is 0, defaults to 0.
timeout.reconciliation.jitter: "0"
# cluster.inClusterEnabled indicates whether to allow in-cluster server address. This is enabled by default.
cluster.inClusterEnabled: "true"
# The maximum number of pod logs to render in UI. If the application has more than this number of pods, the logs will not be rendered.
# This is to prevent the UI from becoming unresponsive when rendering a large number of logs. Default is 10.
server.maxPodLogsToRender: "10"
# Application pod logs RBAC enforcement enables control over who can and who can't view application pod logs.
# When you enable the switch, pod logs will be visible only to admin role by default. Other roles/users will not be able to view them via cli and UI.
# When you enable the switch, viewing pod logs for other roles/users will require explicit RBAC allow policies (allow get on logs subresource).
# When you disable the switch (either add it to the configmap with a "false" value or do not add it to the configmap), no actual RBAC enforcement will take place.
server.rbac.log.enforce.enable: "false"
# exec.enabled indicates whether the UI exec feature is enabled. It is disabled by default.
exec.enabled: "false"
# exec.shells restricts which shells are allowed for `exec`, and in which order they are attempted
exec.shells: "bash,sh,powershell,cmd"
# oidc.tls.insecure.skip.verify determines whether certificate verification is skipped when verifying tokens with the
# configured OIDC provider (either external or the bundled Dex instance). Setting this to "true" will cause JWT
# token verification to pass despite the OIDC provider having an invalid certificate. Only set to "true" if you
# understand the risks.
oidc.tls.insecure.skip.verify: "false"
# Add Deep Links to ArgoCD UI
# sample project level links
project.links: |
- url: https://myaudit-system.com?project={{.metadata.name}}
title: Audit
description: system audit logs
icon.class: "fa-book"
# sample application level links
application.links: |
# pkg.go.dev/text/template is used for evaluating url templates
- url: https://mycompany.splunk.com?search={{.spec.destination.namespace}}
title: Splunk
# conditionally show link e.g. for specific project
# github.com/expr-lang/expr is used for evaluation of conditions
- url: https://mycompany.splunk.com?search={{.spec.destination.namespace}}
title: Splunk
if: spec.project == "default"
- url: https://{{.metadata.annotations.splunkhost}}?search={{.spec.destination.namespace}}
title: Splunk
if: metadata.annotations.splunkhost
# sample resource level links
resource.links: |
- url: https://mycompany.splunk.com?search={{.metadata.namespace}}
title: Splunk
if: kind == "Pod" || kind == "Deployment"
extension.config: |
extensions:
# Name defines the endpoint that will be used to register
# the extension route.
# Mandatory field.
- name: some-extension
backend:
# ConnectionTimeout is the maximum amount of time a dial to
# the extension server will wait for a connect to complete.
# Optional field. Default: 2 seconds
connectionTimeout: 2s
# KeepAlive specifies the interval between keep-alive probes
# for an active network connection between the API server and
# the extension server.
# Optional field. Default: 15 seconds
keepAlive: 15s
# IdleConnectionTimeout is the maximum amount of time an idle
# (keep-alive) connection between the API server and the extension
# server will remain idle before closing itself.
# Optional field. Default: 60 seconds
idleConnectionTimeout: 60s
# MaxIdleConnections controls the maximum number of idle (keep-alive)
# connections between the API server and the extension server.
# Optional field. Default: 30
maxIdleConnections: 30
services:
# URL is the address where the extension backend must be available.
# Mandatory field.
- url: http://httpbin.org
# Cluster if provided, will have to match the application
# destination name or the destination server to have requests
# properly forwarded to this service URL.
# Optional field if only one service is specified.
# Mandatory if multiple services are specified.
cluster:
name: some-cluster
server: https://some-cluster
# The maximum size of the payload that can be sent to the webhook server.
webhook.maxPayloadSizeMB: "1024"
# application.sync.impersonation.enabled enables application sync to use a custom service account, via impersonation. This allows decoupling sync from control-plane service account.
application.sync.impersonation.enabled: "false"