Parameters

The parent key for all of the following parameters is argocd.

`namespace`

type	string
default	`syn`

The namespace in which to deploy this component.

The component deploys a configmap called cluster-info in this namespace. The configmap contains some Project Syn metadata associated with the cluster. All authenticated users (group system:authenticated) can read this configmap.

`distribution`

type	string
default	${facts:distribution}

The Kubernetes distribution of the cluster.

`network_policies`

This parameter configures network policies for ArgoCD.

`network_policies.enabled`

type	boolean
default	true

Whether to enable NetworkPolicies that isolate ArgoCD from the rest of the cluster.

`network_policies.allow_from_namespaces`

type	List(string)
default	`[]

Additional namespaces which should be able to access ArgoCD.

`monitoring`

This section configures monitoring for ArgoCD.

`monitoring.enabled`

type	bool
default	`true`

If monitoring should be enabled for this component. Requires the Prometheus Operator to be installed.

`monitoring.dashboards`

type	bool
default	`true`

If dashboards should be enabled for this component. Requires the Grafana Operator to be installed.

`monitoring.prometheus_rule_labels`

type	dict
default	`{"prometheus":"platform"}`

Labels to set on the alert rule configuration. Can be used to ensure prometheus-operator picks up the PrometheusRule object by setting appropriate labels.

`resync_time`

type	string
default	`3m0s`

Resync interval. Lower values mean quicker sync but higher CPU usage and more Git traffic.

`log_format`

type	object
default	`default: text`

This parameter exposes the log format for the ArgoCD components. By default, all components are configured to use the log format given for key default. The log format can be customized for individual components by providing the desired log format in keys server, application_controller or repo_server.

`log_level`

type	object
default	`default: info`

This parameter exposes the log level for the ArgoCD components. By default, all components are configured with the log level given in key default. The log level can be customized for individual components by providing the desired level in keys server, application_controller or repo_server

`override`

type	dictionary
default	`{}`

Override specs of the ProjectSyn ArgoCD instance.

`http_credentials_secret_name`

type	string
default	`catalog-https-credentials`

The name of the externally managed secret which holds the username and password for fetching the catalog repo over HTTPS in fields username and password.

This parameter is only used when the cluster’s catalog repo URL starts with https://.

Users must ensure that this secret is in place before this component is synced.

`images`

type	dictionary

Dictionary containing the container images used by this component. Each entry follows the Commodore component best practices for specifying container images.

`instances`

type	dictionary
default	`{}`

This section allows the definition of arbitrary ArgoCD instances, and associated AppProject resources. The keys of this parameter are parsed as namespaced names (<namespace>/<name>) and used as namespaces and names of the created resources.

Namespace management

Each ArgoCD instance must be deployed to its own namespace
You MUST create the target namespace manually before deploying ArgoCD using this component

Due to how Argo CD works, namespaces holding Argo CD instances cannot be created by other Argo CD instances.

Example

parameters:
  argocd:
    instances:
      some-namespace/some-argocd:
        config:
          spec:
            sso:
              provider: dex
              dex:
                openShiftOAuth: true
          ...
        projects:
          some-project:
            spec:
              clusterResourceWhitelist: []
              destinations:
                - namespace: corp-*
                  server: https://kubernetes.default.svc

`instances.<namespace>/<name>.config`

type	dictionary
default	`spec: applicationInstanceLabelKey: <name>.<namespace>/instance`

Plain configuration that will be merged verbatim into the created ArgoCD resource.

See the ArgoCD reference of the Argo CD Operator for available fields.

To avoid common issues, some defaults are configured. They can be overwritten via the inventory.

`instances.<namespace>/<name>.projects`

type	dictionary
default	`{}`

Arbitrary AppProject instances to be deployed on the cluster.

The keys of this parameter are used as the generated resource’s metadata.name, while the parent `ArgoCD’s namespace will be inherited.

See the AppProject reference of Argo CD for available fields.

`instances.<namespace>/<name>.projectDefaults`

type	dictionary
default	`{}`

Default values that will be applied for all AppProjects created for this instance.

`resources`

type	dictionary
defaults	See `class/defaults.yml`

Dictionary containing the resource requests and limits for the different components. Keys correspond to different pods/containers:

application_controller
redis
repo_server
repo_server_vault_agent - for the vault_agent container in the repo-server pod
server

Users can remove configured requests and limits by setting any keys or subkeys in the dictionary to null.

`ssh_known_hosts`

type	string
default	See `class/defaults.yml`

SSH known hosts for Git servers.

`resource_exclusions`

type	dictionary(list\|dictionary)
default	`cilium: - apiGroups: - cilium.io kinds: - CiliumIdentity clusters: - "*"`
example	`custom: - apiGroups: - custom.io kinds: - ClusterWrecker clusters: - "*" backup: null`

A dictionary of resource exclusions for the ArgoCD instance. Those resources will not be managed by ArgoCD.

The keys are the names of the exclusion groups. Keys are not used, they are exclusively for hierarchical structuring.

The values are lists of resource definitions that should be excluded from the ArgoCD instance. Those lists get concatenated.

Check ArgoCD documentation for more information.

`operator`

type	dict
defaults	See `class/defaults.yml`

Configuration for the ArgoCD operator which is deployed as part of this component.

`operator.namespace`

type	string
default	`syn-argocd-operator`

The namespace in which to deploy the argocd operator

`operator.cluster_scope_namespaces`

type	array
default	`["${argocd:namespace}"]`

List of namespaces in which argocd is allowed to be installed at the cluster scope.

`operator.controller_cluster_role_selectors`

type	dictionary
default	`{}`

The component has optional support to configure the operator’s custom roles feature. When this parameter contains one or more entries, the component deploys a cluster role which uses the value of each parameter entry as an entry for aggregationRule.clusterRoleSelectors. The cluster role is named syn:argocd-application-controller:custom. Additionally, the component configures environment variable CONTROLLER_CUSTOM_ROLE=syn:argocd-application-controller:custom on the operator container when the parameter isn’t empty.

When the aggregating cluster role is deployed, the component also deploys a cluster role called syn:argocd-application-controller:required which is aggregated to the syn:argocd-application-controller:custom role.

The syn:argocd-application-controller:required role grants the ArgoCD application controller a number of permissions that are required for it to work. See the definition of the role in component/rbac.jsonnet for the rules that are required.

We recommend setting resource.respectRBAC=strict via spec.extraConfig on namespace-scoped ArgoCD instances if you want to use custom roles.

If you don’t set resource.respectRBAC, you’ll need to create a cluster role which grants the application controller read access to all resources in the cluster in order to ensure that the application controller can create the K8s API cache.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: argocd-application-controller-api-cache
  labels:
    syn.tools/aggregate-to-argocd-application-controller: "true" (1)
rules:
- apiGroups: ['*']
  resources: ['*']
  verbs: ['get', 'list', 'watch']

1	The example assumes that you’ve configured `syn.tools/aggregate-to-argocd-application-controller="true"` as the label selector for the application controller aggregating cluster role.

ArgoCD may fail to update the argocd-operator deployment if you remove this config parameter after having used it. If you get an error like the one shown below, you need to edit the argocd-operator deployment by hand to remove the CONTROLLER_CLUSTER_ROLE environment variable after you remove this config parameter.

Failed to compare desired state to live state: failed to calculate diff: error calculating server side diff: serverSideDiff error: error removing non config mutations for resource Deployment/syn-argocd-operator-controller-manager: error reverting webhook removed fields in predicted live resource: .spec.template.spec.containers: element 0: associative list with keys has an element that omits key field "name" (and doesn't have default value)

`operator.server_cluster_role_selectors`

type	dictionary
default	`{}`

The component has optional support to configure the operator’s custom roles feature. When this parameter contains one or more entries, the component deploys a cluster role which uses the value of each parameter entry as an entry for aggregationRule.clusterRoleSelectors. The cluster role is named syn:argocd-server:custom. Additionally, the component configures environment variable SERVER_CUSTOM_ROLE=syn:argocd-server:custom on the operator container when the parameter isn’t empty.

When the aggregating cluster role is deployed, the component also deploys a cluster role called syn:argocd-server:required which is aggregated to the syn:argocd-server:custom role.

The syn:argocd-server:required role grants the ArgoCD server a number of permissions that are required for it to work. See the definition of the role in component/rbac.jsonnet for the rules that are required.

ArgoCD may fail to update the argocd-operator deployment if you remove this config parameter after having used it. If you get an error like the one shown below, you need to edit the argocd-operator deployment by hand to remove the SERVER_CLUSTER_ROLE environment variable after you remove this config parameter.

Failed to compare desired state to live state: failed to calculate diff: error calculating server side diff: serverSideDiff error: error removing non config mutations for resource Deployment/syn-argocd-operator-controller-manager: error reverting webhook removed fields in predicted live resource: .spec.template.spec.containers: element 0: associative list with keys has an element that omits key field "name" (and doesn't have default value)

`operator.env`

type	dictionary
default	`{}`

Entries in this dictionary are configured as environment variables for the argocd operator container.

The environment variable ARGOCD_CLUSTER_CONFIG_NAMESPACES can’t be set through this parameter.

This variable is configured through component parameter operator.cluster_scope_namespaces.

When parameter operator.controller_cluster_role_match_labels isn’t empty, setting CONTROLLER_CUSTOM_ROLE through this parameter has no effect.

When parameter operator.server_cluster_role_match_labels isn’t empty, setting SERVER_CUSTOM_ROLE through this parameter has no effect.

ArgoCD may fail to update the argocd-operator deployment after you remove an entry from this config parameter. If you get an error like the one shown below, you need to edit the argocd-operator deployment by hand and delete the environment variable(s) which you’ve removed from this parameter.

Failed to compare desired state to live state: failed to calculate diff: error calculating server side diff: serverSideDiff error: error removing non config mutations for resource Deployment/syn-argocd-operator-controller-manager: error reverting webhook removed fields in predicted live resource: .spec.template.spec.containers: element 0: associative list with keys has an element that omits key field "name" (and doesn't have default value)

`operator.migrate`

type	string
default	`false`

Whether to migrate from v5 or earlier. If you are upgrading from v5, set this to true on the first catalog compilation.

`operator.images`

type	dictionary
defaults	See `class/defaults.yml`

Dictionary containing the container images used by the operator

`operator.manifests_version`

type	string
default	`${argocd:images:argocd_operator:tag}`

Version of the kubernetes manifests for the operator

`operator.kustomization_url`

type	string
default	`github.com/argoproj-labs/argocd-operator//config/default/`

URL of the kustomization to deploy the operator

`operator.kustomize_input`

type	dictionary
defaults	See `class/defaults.yml`

Kustomize inputs supplied to the argocd operator kustomization

Example

parameters:
  argocd:
    resync_seconds: 3
    ssh_known_hosts: |
      git.example.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO9EkPcVdsz/oVTI2VJkBlq8Mv/dg3rhcbgzAEKyiwUG
    monitoring:
      dashboards: true