devops/infra/modules/argocd/values.yaml.tftpl

redis:
  enabled: false

redisWait:
  enabled: false

externalRedis:
  host: ${ redis_service_uri }
  password: ${ redis_password }
  database: ${ redis_index }

dex:
  enabled: true

controller:
  extraArgs:
    - --redis=${ redis_service_uri }:6379
    - --redisdb=${ redis_index }
  extraEnvVars:
    - name: REDIS_USERNAME
      value: ""
    - name: REDIS_PASSWORD
      value: ${ redis_password }

repoServer:
  extraArgs:
    - --redis=${ redis_service_uri }:6379
    - --redisdb=${ redis_index }
  extraEnvVars:
    - name: REDIS_USERNAME
      value: ""
    - name: REDIS_PASSWORD
      value: ${ redis_password }

server:
  extraArgs:
    - --redis=${ redis_service_uri }:6379
    - --redisdb=${ redis_index }
  extraEnvVars:
    - name: REDIS_USERNAME
      value: ""
    - name: REDIS_PASSWORD
      value: ${ redis_password }

  url: https://${ service_uri }
  insecure: true
  ingress:
    enabled: true
    ingressClassName: ${ingress_class}
    hostname: ${ service_uri }
    annotations:
      kubernetes.io/ingress.class: ${ingress_class}
      cert-manager.io/cluster-issuer: letsencrypt
      %{ if ingress_class == "traefik" }
      %{ if tls }
      traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
      traefik.ingress.kubernetes.io/router.middlewares: default-redirect-to-https@kubernetescrd,default-preserve-host-headers@kubernetescrd
      %{ else }
      traefik.ingress.kubernetes.io/router.entrypoints: web
      traefik.ingress.kubernetes.io/router.middlewares: default-preserve-host-headers@kubernetescrd
      %{ endif }
      %{ else }
      nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
      nginx.ingress.kubernetes.io/ssl-passthrough: "true"
      %{ endif }
    %{ if tls }
    extraTls:
      - hosts:
          - ${ service_uri }
        secretName: argocd-tls
    %{ endif }

  config:
    rbac: |
      scopes: '[groups]'
      "policy.csv": |
        g, admin, role:admin
        g, user, role:readonly
      "policy.default": ''
    %{ if oauth_uri != null }
    dex.config: |
      connectors:
        - type: oidc
          id: oidc
          name: OIDC
          config:
            issuer: "${ oauth_issuer }"
            clientID: "${ oauth_client_id }"
            clientSecret: "${ oauth_client_secret }"
            insecureSkipEmailVerified: true
            insecureEnableGroups: true
            scopes:
              - profile
              - email
              - openid
              - groups
            logoutURL: "${ oauth_redirect_uri }"
            getUserInfo: true
            claimMapping:
              name: fullName
              groups: "urn:zitadel:iam:org:project:roles" 
              preferred_username: email

    %{ endif }