Add ArgoCD Helm chart and configuration files for deployment

Add gateway-api application and update Traefik configuration; disable old ingress
2025-11-08 14:55:57 +01:00 · 2025-11-08 14:51:38 +01:00
12 changed files with 166 additions and 69 deletions
--- a/apps/argocd/Chart.yaml
+++ b/apps/argocd/Chart.yaml
@ -0,0 +1,7 @@
+apiVersion: v2
+name: argocd
+version: 1.0.0
+dependencies:
+  - name: argo-cd
+    version: 9.1.0
+    repository: https://argoproj.github.io/argo-helm
--- a/apps/argocd/application.yaml
+++ b/apps/argocd/application.yaml
@ -0,0 +1,41 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: argocd
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: "-1"  # Sync before other apps
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  source:
+    repoURL: https://git.mvzijl.nl/marco/veda.git
+    targetRevision: applicationset-rewrite
+    path: apps/argocd
+    helm:
+      releaseName: argocd
+      valueFiles:
+        - values.yaml
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: argocd
+  syncPolicy:
+    automated:
+      prune: false  # Be careful with pruning ArgoCD itself
+      selfHeal: true  # Auto-fix configuration drift
+    syncOptions:
+      - CreateNamespace=true
+      - PruneLast=true
+      - PrunePropagationPolicy=foreground
+  ignoreDifferences:
+    # Ignore certain fields that change frequently
+    - group: apps
+      kind: Deployment
+      jsonPointers:
+        - /spec/replicas  # If using HPA
+    - group: ""
+      kind: Secret
+      name: argocd-initial-admin-secret
+      jsonPointers:
+        - /data  # Don't sync the initial password secret
--- a/apps/argocd/templates/httproute.yaml
+++ b/apps/argocd/templates/httproute.yaml
@ -0,0 +1,20 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: argocd-server
+  namespace: {{ .Release.Namespace }}
+spec:
+  parentRefs:
+    - name: traefik-gateway
+      namespace: traefik
+      sectionName: web
+  hostnames:
+    - {{ index .Values "argo-cd" "global" "domain" | quote }}
+  rules:
+    - matches:
+        - path:
+            type: PathPrefix
+            value: /
+      backendRefs:
+        - name: argocd-server
+          port: 80
--- a/apps/argocd/values.yaml
+++ b/apps/argocd/values.yaml
@ -0,0 +1,7 @@
+argo-cd:
+  global:
+    domain: argocd.noxxos.nl
+
+  server:
+    ingress:
+      enabled: false
--- a/apps/gateway-api/application.yaml
+++ b/apps/gateway-api/application.yaml
@ -0,0 +1,25 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: gateway-api
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: "0"
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  source:
+    repoURL: https://github.com/kubernetes-sigs/gateway-api
+    targetRevision: v1.4.0
+    path: config/crd/standard
+  destination:
+    server: https://kubernetes.default.svc
+  syncPolicy:
+    automated:
+      prune: false
+      selfHeal: false
+    syncOptions:
+      - CreateNamespace=true
+      - Replace=true
+      - ServerSideApply=true
--- a/apps/traefik/application.yaml
+++ b/apps/traefik/application.yaml
@ -28,3 +28,4 @@ spec:
      - CreateNamespace=true
      - PruneLast=true
      - PrunePropagationPolicy=foreground
+      - Replace=true
--- a/apps/traefik/templates/dashboard-httproute.yaml
+++ b/apps/traefik/templates/dashboard-httproute.yaml
--- a/apps/traefik/templates/gateway.yaml
+++ b/apps/traefik/templates/gateway.yaml
--- a/apps/traefik/templates/reference-grant.yaml
+++ b/apps/traefik/templates/reference-grant.yaml
--- a/apps/traefik/values.yaml
+++ b/apps/traefik/values.yaml
@ -1,60 +1,30 @@
+
+
 traefik:
-  # Service configuration
+
+  global:
+    checkNewVersion: false
+
+  installCRDs: true
+
  service:
    type: LoadBalancer
    annotations:
      io.cilium/lb-ipam-ips: "192.168.0.2"

-  # Ports configuration
  ports:
-    web:
-      port: 80
-      exposedPort: 80
-      protocol: TCP
    websecure:
-      port: 443
-      exposedPort: 443
-      protocol: TCP
-      tls:
-        enabled: true
-    metrics:
-      port: 9100
-      expose:
-        default: false
-      protocol: TCP
+      asDefault: true

-  # Enable dashboard
-  ingressRoute:
-    dashboard:
-      enabled: true
-      matchRule: Host(`traefik.noxxos.nl`)
-      entryPoints:
-        - websecure
-  
-  # Global arguments
-  globalArguments:
-    - "--global.checknewversion=false"
-    - "--global.sendanonymoususage=false"
-  
-  # Additional arguments
-  additionalArguments:
-    - "--api.dashboard=true"
-    - "--log.level=INFO"
-    - "--accesslog=true"
-    - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
-    - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
-  
-  # Providers
  providers:
    kubernetesCRD:
      enabled: true
      allowCrossNamespace: true
    kubernetesIngress:
-      enabled: true
-      publishedService:
+      enabled: false
+    kubernetesGateway:
      enabled: true

-  # Resource limits
  resources:
    requests:
      cpu: "100m"
@ -63,26 +33,35 @@ traefik:
      cpu: "500m"
      memory: "512Mi"

-  # Replicas
  deployment:
    replicas: 2

-  # Metrics (Prometheus)
  metrics:
    prometheus:
      enabled: true
-      addEntryPointsLabels: true
-      addServicesLabels: true

-  # Security
-  securityContext:
-    capabilities:
-      drop: [ALL]
-      add: [NET_BIND_SERVICE]
-    readOnlyRootFilesystem: true
-    runAsGroup: 65532
-    runAsNonRoot: true
-    runAsUser: 65532
+  gateway:
+    listeners:
+      web:
+        namespacePolicy:
+          from: All

-  podSecurityContext:
-    fsGroup: 65532
+  extraObjects:
+    - apiVersion: gateway.networking.k8s.io/v1
+      kind: HTTPRoute
+      metadata:
+        name: traefik-dashboard
+        namespace: traefik
+      spec:
+        parentRefs:
+          - name: traefik-gateway
+        hostnames:
+          - "traefik.noxxos.nl"
+        rules:
+          - matches:
+              - path: { type: PathPrefix, value: /dashboard }
+              - path: { type: PathPrefix, value: /api }
+            backendRefs:
+              - group: traefik.io
+                kind: TraefikService
+                name: api@internal
--- a/platform/components/02-argocd/post-install/httproute.yaml
+++ b/platform/components/02-argocd/post-install/httproute.yaml
@ -0,0 +1,20 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: argocd-server
+  namespace: argocd
+spec:
+  parentRefs:
+    - name: traefik-gateway
+      namespace: traefik
+      sectionName: websecure
+  hostnames:
+    - "argocd.noxxos.nl"
+  rules:
+    - matches:
+        - path:
+            type: PathPrefix
+            value: /
+      backendRefs:
+        - name: argocd-server
+          port: 80
--- a/platform/components/02-argocd/values.yaml
+++ b/platform/components/02-argocd/values.yaml
@ -3,7 +3,4 @@ global:

 server:
  ingress:
-    enabled: true
-    ingressClassName: traefik
-    annotations:
-      traefik.ingress.kubernetes.io/router.entrypoints: websecure
+    enabled: false
Author	SHA1	Message	Date
Marco van Zijl	a6dd91a88c	Add ArgoCD Helm chart and configuration files for deployment	2025-11-08 14:55:57 +01:00
Marco van Zijl	8c8a56b9f6	Add gateway-api application and update Traefik configuration; disable old ingress	2025-11-08 14:51:38 +01:00