centralized Repos via Operator, RBACs, Projects and Applications for Argocd

Author: nihussmann

.gitignore

@@ -2,6 +2,11 @@
 .run
 *.iml
 target
+
+#includes just the .sh files in local
+.scripts/local/**
+!scripts/local/**/*.sh
+
 # do not check in the workspace
 workspace/
 
@@ -18,4 +23,4 @@ terraform/account.json
 
 gitops-playground.jar
 jenkins-plugins
-/charts/
+/charts/

argocd/argocd/applications/argocd.ftl.yaml

@@ -29,4 +29,4 @@ spec:
   syncPolicy:
     automated:
       prune: false # is set to false to prevent argo from deleting itself
-      selfHeal: true
+      selfHeal: true

argocd/argocd/applications/bootstrap.ftl.yaml

@@ -21,4 +21,4 @@ spec:
   syncPolicy:
     automated:
       prune: false # is set to false to prevent projects to be deleted by accident
-      selfHeal: true
+      selfHeal: true

argocd/argocd/applications/cluster-resources.ftl.yaml

@@ -20,4 +20,4 @@ spec:
   syncPolicy:
     automated:
       prune: false # is set to false to prevent projects to be deleted by accident
-      selfHeal: true
+      selfHeal: true

argocd/argocd/applications/projects.ftl.yaml

@@ -20,4 +20,4 @@ spec:
   syncPolicy:
     automated:
       prune: false # is set to false to prevent projects to be deleted by accident
-      selfHeal: true
+      selfHeal: true

argocd/argocd/multiTenant/central/applications/argocd.ftl.yaml

@@ -0,0 +1,32 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: ${namePrefix}argocd
+  namespace: argocd
+  annotations:
+    # Only app with the sync-status-unknown alert, so that we only get one alert when SCM is not reachable.
+    # Otherwise, there would be a spam wave by every application everytime the SCM is not reachable.
+<#if mail.active?? && mail.active>
+    notifications.argoproj.io/subscribe.on-sync-status-unknown.email: ${argocd.emailToAdmin}
+</#if>
+# finalizer disabled, because otherwise everything under this Application would be deleted as well, if this Application is deleted by accident
+#  finalizers:
+#    - resources-finalizer.argocd.argoproj.io
+spec:
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: ${namePrefix}argocd
+  project: ${tenantName}
+  source:
+    path: ${argocd.isOperator?string("operator/", "argocd/")}
+    repoURL: ${scmm.centralScmmUrl}/repo/${namePrefix}argocd/argocd
+    targetRevision: main
+    # needed to sync the operator/rbac folder
+    <#if argocd.isOperator??>
+    directory:
+      recurse: true
+    </#if>
+  syncPolicy:
+    automated:
+      prune: false # is set to false to prevent argo from deleting itself
+      selfHeal: true

argocd/argocd/multiTenant/central/applications/bootstrap.ftl.yaml

@@ -0,0 +1,24 @@
+# This is the root Applications, which manages all other applications with the app-of-apps-pattern.
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: ${namePrefix}bootstrap
+  namespace: argocd
+# finalizer disabled, because otherwise everything under this Application would be deleted as well, if this Application is deleted by accident
+#  finalizers:
+#    - resources-finalizer.argocd.argoproj.io
+spec:
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: ${namePrefix}argocd
+  project: ${tenantName}
+  source:
+    path: multiTenant/central/applications/
+    repoURL: ${scmm.centralScmmUrl}/repo/${namePrefix}argocd/argocd
+    targetRevision: main
+    directory:
+      recurse: true
+  syncPolicy:
+    automated:
+      prune: false # is set to false to prevent projects to be deleted by accident
+      selfHeal: true

argocd/argocd/multiTenant/central/applications/cluster-resources.ftl.yaml

@@ -0,0 +1,23 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: ${namePrefix}cluster-resources
+  namespace: argocd
+# finalizer disabled, because otherwise everything under this Application would be deleted as well, if this Application is deleted by accident
+#  finalizers:
+#    - resources-finalizer.argocd.argoproj.io
+spec:
+  destination:
+    namespace: ${namePrefix}argocd
+    server: https://kubernetes.default.svc
+  project: ${tenantName}
+  source:
+    path: argocd/
+    repoURL: ${scmm.centralScmmUrl}/repo/${namePrefix}argocd/cluster-resources
+    targetRevision: main
+    directory:
+      recurse: true
+  syncPolicy:
+    automated:
+      prune: false # is set to false to prevent projects to be deleted by accident
+      selfHeal: true

argocd/argocd/multiTenant/central/applications/projects.ftl.yaml

@@ -0,0 +1,23 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: ${namePrefix}projects
+  namespace: argocd
+# finalizer disabled, because otherwise everything under this Application would be deleted as well, if this Application is deleted by accident
+#  finalizers:
+#    - resources-finalizer.argocd.argoproj.io
+spec:
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: ${namePrefix}argocd
+  project: ${tenantName}
+  source:
+    path: multiTenant/central/projects/
+    repoURL: ${scmm.centralScmmUrl}/repo/${namePrefix}argocd/argocd
+    targetRevision: main
+    directory:
+      recurse: true
+  syncPolicy:
+    automated:
+      prune: false # is set to false to prevent projects to be deleted by accident
+      selfHeal: true

argocd/argocd/multiTenant/central/projects/tenant.ftl.yaml

@@ -0,0 +1,40 @@
+apiVersion: argoproj.io/v1alpha1
+kind: AppProject
+metadata:
+  name: ${tenantName}
+  namespace: argocd
+spec:
+  description: Contains Cluster Ressources for MultiTentant Mode
+  destinations:
+    - namespace: '*'
+      server: https://kubernetes.default.svc
+  sourceRepos:
+    - ${scmm.centralScmmUrl}/repo/${namePrefix}argocd/argocd
+    - ${scmm.centralScmmUrl}/repo/${namePrefix}argocd/cluster-resources
+<#if mirrorRepos>
+    - ${scmm.repoUrl}3rd-party-dependencies/kube-prometheus-stack<#if scmm.provider == "gitlab">.git</#if>
+    - ${scmm.repoUrl}3rd-party-dependencies/mailhog<#if scmm.provider == "gitlab">.git</#if>
+    - ${scmm.repoUrl}3rd-party-dependencies/ingress-nginx<#if scmm.provider == "gitlab">.git</#if>
+    - ${scmm.repoUrl}3rd-party-dependencies/external-secrets<#if scmm.provider == "gitlab">.git</#if>
+    - ${scmm.repoUrl}3rd-party-dependencies/vault<#if scmm.provider == "gitlab">.git</#if>
+    - ${scmm.repoUrl}3rd-party-dependencies/cert-manager<#if scmm.provider == "gitlab">.git</#if>
+<#else>
+    - https://prometheus-community.github.io/helm-charts
+    - https://codecentric.github.io/helm-charts
+    - https://kubernetes.github.io/ingress-nginx
+    - https://helm.releases.hashicorp.com
+    - https://charts.external-secrets.io
+    - https://charts.jetstack.io
+</#if>
+
+  # allow to only see application resources from the specified namespace
+  sourceNamespaces:
+    - '*'
+
+  # Allow all namespaced-scoped resources to be created
+  namespaceResourceWhitelist:
+    - group: '*'
+      kind: '*'
+
+  # Deny all cluster-scoped resources from being created. Least privilege.
+  clusterResourceWhitelist: