upgrade argocd for ssa

Tobias Brunner 2022-10-07 17:31:05 +02:00
parent 647189409b
commit fab7d8492b


@ -1806,6 +1806,10 @@ spec:
reconciled using the latest git version
format: date-time
type: string
resourceHealthSource:
description: 'ResourceHealthSource indicates where the resource health
status is stored: inline if not set or appTree'
type: string
resources:
description: Resources is a list of Kubernetes resources managed by
this application
@ -4523,6 +4527,8 @@ spec:
properties:
api:
type: string
appSecretName:
type: string
labels:
items:
type: string
@ -4545,6 +4551,31 @@ spec:
- owner
- repo
type: object
gitlab:
properties:
api:
type: string
labels:
items:
type: string
type: array
project:
type: string
pullRequestState:
type: string
tokenRef:
properties:
key:
type: string
secretName:
type: string
required:
- key
- secretName
type: object
required:
- project
type: object
requeueAfterSeconds:
format: int64
type: integer
@ -4806,6 +4837,31 @@ spec:
type: object
scmProvider:
properties:
azureDevOps:
properties:
accessTokenRef:
properties:
key:
type: string
secretName:
type: string
required:
- key
- secretName
type: object
allBranches:
type: boolean
api:
type: string
organization:
type: string
teamProject:
type: string
required:
- accessTokenRef
- organization
- teamProject
type: object
bitbucket:
properties:
allBranches:
@ -4910,6 +4966,8 @@ spec:
type: boolean
api:
type: string
appSecretName:
type: string
organization:
type: string
tokenRef:
@ -5207,6 +5265,29 @@ spec:
- spec
type: object
type: object
selector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
type: object
type: object
type: object
type: array
template:
@ -6676,6 +6757,8 @@ spec:
properties:
api:
type: string
appSecretName:
type: string
labels:
items:
type: string
@ -6698,6 +6781,31 @@ spec:
- owner
- repo
type: object
gitlab:
properties:
api:
type: string
labels:
items:
type: string
type: array
project:
type: string
pullRequestState:
type: string
tokenRef:
properties:
key:
type: string
secretName:
type: string
required:
- key
- secretName
type: object
required:
- project
type: object
requeueAfterSeconds:
format: int64
type: integer
@ -6959,6 +7067,31 @@ spec:
type: object
scmProvider:
properties:
azureDevOps:
properties:
accessTokenRef:
properties:
key:
type: string
secretName:
type: string
required:
- key
- secretName
type: object
allBranches:
type: boolean
api:
type: string
organization:
type: string
teamProject:
type: string
required:
- accessTokenRef
- organization
- teamProject
type: object
bitbucket:
properties:
allBranches:
@ -7063,6 +7196,8 @@ spec:
type: boolean
api:
type: string
appSecretName:
type: string
organization:
type: string
tokenRef:
@ -7360,6 +7495,29 @@ spec:
- spec
type: object
type: object
selector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
type: object
type: object
type: object
type: array
mergeKeys:
@ -7694,6 +7852,8 @@ spec:
properties:
api:
type: string
appSecretName:
type: string
labels:
items:
type: string
@ -7716,6 +7876,31 @@ spec:
- owner
- repo
type: object
gitlab:
properties:
api:
type: string
labels:
items:
type: string
type: array
project:
type: string
pullRequestState:
type: string
tokenRef:
properties:
key:
type: string
secretName:
type: string
required:
- key
- secretName
type: object
required:
- project
type: object
requeueAfterSeconds:
format: int64
type: integer
@ -7977,6 +8162,31 @@ spec:
type: object
scmProvider:
properties:
azureDevOps:
properties:
accessTokenRef:
properties:
key:
type: string
secretName:
type: string
required:
- key
- secretName
type: object
allBranches:
type: boolean
api:
type: string
organization:
type: string
teamProject:
type: string
required:
- accessTokenRef
- organization
- teamProject
type: object
bitbucket:
properties:
allBranches:
@ -8081,6 +8291,8 @@ spec:
type: boolean
api:
type: string
appSecretName:
type: string
organization:
type: string
tokenRef:
@ -8378,8 +8590,33 @@ spec:
- spec
type: object
type: object
selector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
type: object
type: object
type: object
type: array
goTemplate:
type: boolean
syncPolicy:
properties:
preserveResourcesOnDeletion:
@ -8838,6 +9075,10 @@ spec:
for apps which have orphaned resources
type: boolean
type: object
permitOnlyProjectScopedClusters:
description: PermitOnlyProjectScopedClusters determines whether destinations
can only reference clusters which are project-scoped
type: boolean
roles:
description: Roles are user defined RBAC roles associated with this
project
@ -8900,6 +9141,12 @@ spec:
- keyID
type: object
type: array
sourceNamespaces:
description: SourceNamespaces defines the namespaces application resources
are allowed to be created in
items:
type: string
type: array
sourceRepos:
description: SourceRepos contains list of repository URLs which can
be used for deployment
@ -9020,6 +9267,10 @@ metadata:
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/component: notifications-controller
app.kubernetes.io/name: argocd-notifications-controller
app.kubernetes.io/part-of: argocd
name: argocd-notifications-controller
---
apiVersion: v1
@ -9241,6 +9492,7 @@ rules:
resources:
- applications
- appprojects
- applicationsets
verbs:
- create
- get
@ -9307,6 +9559,14 @@ rules:
- pods/log
verbs:
- get
- apiGroups:
- argoproj.io
resources:
- applications
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
@ -9692,7 +9952,7 @@ spec:
valueFrom:
fieldRef:
fieldPath: metadata.namespace
image: quay.io/argoproj/argocd:v2.4.12
image: quay.io/argoproj/argocd:v2.5.0-rc1
imagePullPolicy: Always
name: argocd-applicationset-controller
ports:
@ -9707,6 +9967,8 @@ spec:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /app/config/ssh
name: ssh-known-hosts
@ -9764,7 +10026,14 @@ spec:
- command:
- /shared/argocd-dex
- rundex
image: ghcr.io/dexidp/dex:v2.32.0
env:
- name: ARGOCD_DEX_SERVER_DISABLE_TLS
valueFrom:
configMapKeyRef:
key: dexserver.disable.tls
name: argocd-cmd-params-cm
optional: true
image: ghcr.io/dexidp/dex:v2.35.1-distroless
imagePullPolicy: Always
name: dex
ports:
@ -9778,18 +10047,22 @@ spec:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /shared
name: static-files
- mountPath: /tmp
name: dexconfig
- mountPath: /tls
name: argocd-dex-server-tls
initContainers:
- command:
- cp
- -n
- /usr/local/bin/argocd
- /shared/argocd-dex
image: quay.io/argoproj/argocd:v2.4.12
image: quay.io/argoproj/argocd:v2.5.0-rc1
imagePullPolicy: Always
name: copyutil
securityContext:
@ -9799,6 +10072,8 @@ spec:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /shared
name: static-files
@ -9810,6 +10085,17 @@ spec:
name: static-files
- emptyDir: {}
name: dexconfig
- name: argocd-dex-server-tls
secret:
items:
- key: tls.crt
path: tls.crt
- key: tls.key
path: tls.key
- key: ca.crt
path: ca.crt
optional: true
secretName: argocd-dex-server-tls
---
apiVersion: apps/v1
kind: Deployment
@ -9829,7 +10115,7 @@ spec:
containers:
- command:
- argocd-notifications
image: quay.io/argoproj/argocd:v2.4.12
image: quay.io/argoproj/argocd:v2.5.0-rc1
imagePullPolicy: Always
livenessProbe:
tcpSocket:
@ -9849,6 +10135,8 @@ spec:
workingDir: /app
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
serviceAccountName: argocd-notifications-controller
volumes:
- configMap:
@ -9904,7 +10192,7 @@ spec:
- ""
- --appendonly
- "no"
image: redis:7.0.4-alpine
image: redis:7.0.5-alpine
imagePullPolicy: Always
name: redis
ports:
@ -9913,10 +10201,12 @@ spec:
allowPrivilegeEscalation: false
capabilities:
drop:
- all
- ALL
securityContext:
runAsNonRoot: true
runAsUser: 999
seccompProfile:
type: RuntimeDefault
serviceAccountName: argocd-redis
---
apiVersion: apps/v1
@ -10018,6 +10308,12 @@ spec:
key: redis.server
name: argocd-cmd-params-cm
optional: true
- name: REDIS_COMPRESSION
valueFrom:
configMapKeyRef:
key: redis.compression
name: argocd-cmd-params-cm
optional: true
- name: REDISDB
valueFrom:
configMapKeyRef:
@ -10048,13 +10344,31 @@ spec:
key: reposerver.plugin.tar.exclusions
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_ALLOW_OUT_OF_BOUNDS_SYMLINKS
valueFrom:
configMapKeyRef:
key: reposerver.allow.oob.symlinks
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_STREAMED_MANIFEST_MAX_TAR_SIZE
valueFrom:
configMapKeyRef:
key: reposerver.streamed.manifest.max.tar.size
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_STREAMED_MANIFEST_MAX_EXTRACTED_SIZE
valueFrom:
configMapKeyRef:
key: reposerver.streamed.manifest.max.extracted.size
name: argocd-cmd-params-cm
optional: true
- name: HELM_CACHE_HOME
value: /helm-working-dir
- name: HELM_CONFIG_HOME
value: /helm-working-dir
- name: HELM_DATA_HOME
value: /helm-working-dir
image: quay.io/argoproj/argocd:v2.4.12
image: quay.io/argoproj/argocd:v2.5.0-rc1
imagePullPolicy: Always
livenessProbe:
failureThreshold: 3
@ -10077,9 +10391,11 @@ spec:
allowPrivilegeEscalation: false
capabilities:
drop:
- all
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /app/config/ssh
name: ssh-known-hosts
@ -10103,15 +10419,17 @@ spec:
- -n
- /usr/local/bin/argocd
- /var/run/argocd/argocd-cmp-server
image: quay.io/argoproj/argocd:v2.4.12
image: quay.io/argoproj/argocd:v2.5.0-rc1
name: copyutil
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- all
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /var/run/argocd
name: var-files
@ -10208,7 +10526,7 @@ spec:
key: server.log.format
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_LOGLEVEL
- name: ARGOCD_SERVER_LOG_LEVEL
valueFrom:
configMapKeyRef:
key: server.log.level
@ -10268,6 +10586,18 @@ spec:
key: server.repo.server.strict.tls
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_SERVER_DEX_SERVER_PLAINTEXT
valueFrom:
configMapKeyRef:
key: server.dex.server.plaintext
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_SERVER_DEX_SERVER_STRICT_TLS
valueFrom:
configMapKeyRef:
key: server.dex.server.strict.tls
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_TLS_MIN_VERSION
valueFrom:
configMapKeyRef:
@ -10322,6 +10652,12 @@ spec:
key: redis.server
name: argocd-cmd-params-cm
optional: true
- name: REDIS_COMPRESSION
valueFrom:
configMapKeyRef:
key: redis.compression
name: argocd-cmd-params-cm
optional: true
- name: REDISDB
valueFrom:
configMapKeyRef:
@ -10346,7 +10682,13 @@ spec:
key: otlp.address
name: argocd-cmd-params-cm
optional: true
image: quay.io/argoproj/argocd:v2.4.12
- name: ARGOCD_APPLICATION_NAMESPACES
valueFrom:
configMapKeyRef:
key: application.namespaces
name: argocd-cmd-params-cm
optional: true
image: quay.io/argoproj/argocd:v2.5.0-rc1
imagePullPolicy: Always
livenessProbe:
httpGet:
@ -10368,9 +10710,11 @@ spec:
allowPrivilegeEscalation: false
capabilities:
drop:
- all
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /app/config/ssh
name: ssh-known-hosts
@ -10378,6 +10722,8 @@ spec:
name: tls-certs
- mountPath: /app/config/server/tls
name: argocd-repo-server-tls
- mountPath: /app/config/dex/tls
name: argocd-dex-server-tls
- mountPath: /home/argocd
name: plugins-home
- mountPath: /tmp
@ -10405,6 +10751,15 @@ spec:
path: ca.crt
optional: true
secretName: argocd-repo-server-tls
- name: argocd-dex-server-tls
secret:
items:
- key: tls.crt
path: tls.crt
- key: ca.crt
path: ca.crt
optional: true
secretName: argocd-dex-server-tls
---
apiVersion: apps/v1
kind: StatefulSet
@ -10518,6 +10873,12 @@ spec:
key: controller.repo.server.strict.tls
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_PERSIST_RESOURCE_HEALTH
valueFrom:
configMapKeyRef:
key: controller.resource.health.persist
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_APP_STATE_CACHE_EXPIRATION
valueFrom:
configMapKeyRef:
@ -10530,6 +10891,12 @@ spec:
key: redis.server
name: argocd-cmd-params-cm
optional: true
- name: REDIS_COMPRESSION
valueFrom:
configMapKeyRef:
key: redis.compression
name: argocd-cmd-params-cm
optional: true
- name: REDISDB
valueFrom:
configMapKeyRef:
@ -10548,14 +10915,14 @@ spec:
key: otlp.address
name: argocd-cmd-params-cm
optional: true
image: quay.io/argoproj/argocd:v2.4.12
- name: ARGOCD_APPLICATION_NAMESPACES
valueFrom:
configMapKeyRef:
key: application.namespaces
name: argocd-cmd-params-cm
optional: true
image: quay.io/argoproj/argocd:v2.5.0-rc1
imagePullPolicy: Always
livenessProbe:
httpGet:
path: /healthz
port: 8082
initialDelaySeconds: 5
periodSeconds: 10
name: argocd-application-controller
ports:
- containerPort: 8082
@ -10569,9 +10936,11 @@ spec:
allowPrivilegeEscalation: false
capabilities:
drop:
- all
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /app/config/controller/tls
name: argocd-repo-server-tls
@ -10612,6 +10981,25 @@ spec:
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: argocd-applicationset-controller-network-policy
spec:
ingress:
- from:
- namespaceSelector: {}
ports:
- port: 7000
protocol: TCP
- port: 8080
protocol: TCP
podSelector:
matchLabels:
app.kubernetes.io/name: argocd-applicationset-controller
policyTypes:
- Ingress
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: argocd-dex-server-network-policy
spec:
@ -10638,9 +11026,34 @@ spec:
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: argocd-notifications-controller-network-policy
spec:
ingress:
- from:
- namespaceSelector: {}
ports:
- port: 9001
protocol: TCP
podSelector:
matchLabels:
app.kubernetes.io/name: argocd-notifications-controller
policyTypes:
- Ingress
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: argocd-redis-network-policy
spec:
egress:
- ports:
- port: 53
protocol: UDP
- port: 53
protocol: TCP
to:
- namespaceSelector: {}
ingress:
- from:
- podSelector:
@ -10660,6 +11073,7 @@ spec:
app.kubernetes.io/name: argocd-redis
policyTypes:
- Ingress
- Egress
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
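Review bot: All seven bumped `image: quay.io/argoproj/argocd:v2.5.0-rc1` lines, along with `ghcr.io/dexidp/dex:v2.35.1-distroless` and `redis:7.0.5-alpine`, reference a mutable tag, and most of them sit directly above `imagePullPolicy: Always`, so every pod restart runs whatever the registry serves for that tag at that moment. For a deployment controller, and a release candidate at that, I would pin each image by digest, e.g. `image: quay.io/argoproj/argocd:v2.5.0-rc1@sha256:<digest-you-verified>` (placeholder; the page shows no digest). If this manifest is copied from upstream, which the page does not say, the pin probably belongs in an overlay rather than in this file, and the move to the final 2.5 release should be tracked. The container specs start and end outside the hunks shown, so this rests only on the visible lines.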