
Commit 14c4aa3

feat: ArgoCD upgrade to version 3.x (#158)
* upgraded argocd chart version * updated values files * minor fix * fix ingress protocol and resources * upgraded argocd version * minor fix * pre-commit fixes
1 parent 9bcc953 commit 14c4aa3


7 files changed

+38
-304
lines changed


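--- a/src/aks-platform/01_network.tf
+++ b/src/aks-platform/01_network.tf
@@ -16,11 +16,3 @@ resource "azurerm_subnet" "user_aks_subnet" {
 private_endpoint_network_policies_enabled = true
 private_link_service_network_policies_enabled = true
 }
-
-resource "azurerm_private_dns_a_record" "argocd_ingress" {
-name = local.ingress_hostname_prefix
-zone_name = data.azurerm_private_dns_zone.internal.name
-resource_group_name = local.internal_dns_zone_resource_group_name
-ttl = 3600
-records = [var.ingress_load_balancer_ip]
-}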

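--- a/src/aks-platform/05_argocd.tf
+++ b/src/aks-platform/05_argocd.tf
@@ -182,3 +182,14 @@ resource "helm_release" "reloader_argocd" {
 value = "false"
 }
 }
+
+#
+# 🌐 Network
+#
+resource "azurerm_private_dns_a_record" "argocd_ingress" {
+name = local.ingress_hostname_prefix
+zone_name = data.azurerm_private_dns_zone.internal.name
+resource_group_name = local.internal_dns_zone_resource_group_name
+ttl = 3600
+records = [var.ingress_load_balancer_ip]
+}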

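--- a/src/aks-platform/99_variables.tf
+++ b/src/aks-platform/99_variables.tf
@@ -401,24 +401,6 @@ variable "reloader_helm" {
 description = "reloader helm chart configuration"
 }
 
-#
-# Monitor
-#
-variable "law_prometheus_sku" {
-type = string
-description = "Sku of the Log Analytics Workspace"
-}
-
-variable "law_prometheus_retention_in_days" {
-type = number
-description = "The workspace data retention in days"
-}
-
-variable "law_prometheus_daily_quota_gb" {
-type = number
-description = "The workspace daily quota for ingestion in GB."
-}
-
 # DNS
 variable "external_domain" {
 type = string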

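--- a/src/aks-platform/README.md
+++ b/src/aks-platform/README.md
@@ -156,9 +156,6 @@ Re-enable all the resource, commented before to complete the procedure
 | <a name="input_keda_helm_version"></a> [keda\_helm\_version](#input\_keda\_helm\_version) | n/a | `string` | n/a | yes |
 | <a name="input_key_vault_name"></a> [key\_vault\_name](#input\_key\_vault\_name) | Key Vault name | `string` | `""` | no |
 | <a name="input_key_vault_rg_name"></a> [key\_vault\_rg\_name](#input\_key\_vault\_rg\_name) | Key Vault - rg name | `string` | `""` | no |
-| <a name="input_law_prometheus_daily_quota_gb"></a> [law\_prometheus\_daily\_quota\_gb](#input\_law\_prometheus\_daily\_quota\_gb) | The workspace daily quota for ingestion in GB. | `number` | n/a | yes |
-| <a name="input_law_prometheus_retention_in_days"></a> [law\_prometheus\_retention\_in\_days](#input\_law\_prometheus\_retention\_in\_days) | The workspace data retention in days | `number` | n/a | yes |
-| <a name="input_law_prometheus_sku"></a> [law\_prometheus\_sku](#input\_law\_prometheus\_sku) | Sku of the Log Analytics Workspace | `string` | n/a | yes |
 | <a name="input_location"></a> [location](#input\_location) | n/a | `string` | n/a | yes |
 | <a name="input_location_short"></a> [location\_short](#input\_location\_short) | Location short like eg: weu, weu.. | `string` | n/a | yes |
 | <a name="input_location_westeurope"></a> [location\_westeurope](#input\_location\_westeurope) | n/a | `string` | n/a | yes |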

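--- a/src/aks-platform/argocd/argocd_helm_setup_values.yaml
+++ b/src/aks-platform/argocd/argocd_helm_setup_values.yaml
@@ -1,5 +1,6 @@
 terraform:
 force: ${force_reinstall}
+
 global:
 addPrometheusAnnotations: true
 securityContext:
@@ -20,14 +21,13 @@ global:
 configs:
 params:
 application.namespaces: "${join(",", argocd_application_namespaces)}"
-server.insecure: true # Miglioramento: Abilitazione TLS a livello di ArgoCD
-
+server.insecure: false
 cm:
 timeout.reconciliation: 30s
 application.resourceTrackingMethod: annotation
-exec.enabled: "false"
-admin.enabled: "true" # Miglioramento: Disabilitazione dell'utente admin predefinito
-statusbadge.enabled: "true"
+exec.enabled: false
+admin.enabled: true
+statusbadge.enabled: true
 url: https://argocd.internal.devopslab.pagopa.it
 oidc.config: |
 name: Azure
@@ -42,21 +42,18 @@ configs:
 email:
 essential: true
 requestedScopes:
-- openid
-- profile
-- email
-
+- openid
+- profile
+- email
+server.rbac.disableApplicationFineGrainedRBACInheritance: "false"
 rbac:
 policy.default: role:guest
 policy.csv: |
-# Admin role: full access to all resources
-p, role:admin, applications, *, */*, allow
-p, role:admin, projects, *, *, allow
-p, role:admin, repositories, *, *, allow
-p, role:admin, clusters, *, *, allow
-p, role:admin, accounts, *, *, allow
+# --- Admin role
+p, role:admin, *, *, */*, allow
+p, role:admin, logs, get, */*, allow
 
-# Developer role: can manage applications but cannot delete them or modify infrastructure-level settings
+# --- Developer role
 p, role:developer, applications, get, */*, allow
 p, role:developer, applications, create, */*, allow
 p, role:developer, applications, update, */*, allow
@@ -66,16 +63,15 @@ configs:
 p, role:developer, clusters, get, *, allow
 p, role:developer, repositories, get, *, allow
 p, role:developer, accounts, get, *, allow
+p, role:developer, logs, get, */*, allow
 
-# Reader role: can only view applications and logs, but cannot access secrets
+# --- Reader role
 p, role:reader, applications, get, */*, allow
 p, role:reader, applications, logs, */*, allow
 p, role:reader, projects, get, *, allow
-
-# Explicitly deny access to secrets for the reader role
 p, role:reader, applications, get, */secrets, deny
 
-# Guest role: no permissions (default for unassigned users)
+# --- Guest role
 p, role:guest, applications, get, */*, deny
 p, role:guest, projects, get, *, deny
 p, role:guest, repositories, get, *, deny
@@ -88,7 +84,6 @@ configs:
 
 scopes: "[preferred_username, email, groups]"
 
-
 server:
 replicas: 1
 autoscaling:
@@ -118,25 +113,24 @@ server:
 enabled: true
 minAvailable: 1
 resources:
+requests:
+cpu: 500m
+memory: 256Mi
 limits:
 cpu: 1000m
 memory: 1Gi
-requests:
-cpu: 500m
-memory: 512Mi
 ingress:
 enabled: true
-ingressClassName: "nginx"
+controller: generic
+ingressClassName: nginx
 hostname: argocd.internal.devopslab.pagopa.it
+path: /
+pathType: Prefix
 annotations:
-nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
-nginx.ingress.kubernetes.io/ssl-passthrough: "true"
-nginx.ingress.kubernetes.io/ssl-redirect: "true"
-nginx.ingress.kubernetes.io/grpc-backend: "true"
+nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
 nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
 nginx.ingress.kubernetes.io/proxy-body-size: "100m"
 nginx.ingress.kubernetes.io/proxy-read-timeout: "90"
-tls: false
 extraTls:
 - hosts:
 - argocd.internal.devopslab.pagopa.it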
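Review bot: The added `server.rbac.disableApplicationFineGrainedRBACInheritance: "false"` (new line 48) is placed between the `oidc.config` block and `rbac:`, which reads as a `configs.cm` entry, but this key is an argocd-cmd-params-cm parameter that belongs under `configs.params` next to `server.insecure`; under `cm` it would be silently ignored and the 3.x default (inheritance disabled) would apply instead of the legacy behaviour the value asks for — indentation is lost in the rendered page, so confirm the nesting. Note also that `"false"` is the permissive choice (with inheritance on, the developer role's `applications, update` also covers `update/*` sub-resource actions), so if it is intended, say why with a comment such as `# keep legacy inheritance: 'applications, update' also grants update/* — revisit after 3.x rollout`. The collapsed admin rule `p, role:admin, *, *, */*, allow` applies the application-style `*/*` object pattern to every resource type; for objects without a `/` (project names, account names) that glob may not match, so either keep the removed explicit `projects`/`accounts` lines or use `*` as the object and verify with `argocd admin settings rbac can`. The reader role still uses the old `p, role:reader, applications, logs, */*, allow` form while the developer role now gets `logs, get`; on 3.x the `logs` resource is what is enforced, so the reader line is likely ineffective and should be `p, role:reader, logs, get, */*, allow` if readers are meant to see logs. Finally, `admin.enabled: true` is kept although the comment being removed stated the built-in admin was to be disabled; with OIDC and RBAC in place, `admin.enabled: false` or a comment recording why the local admin account remains would close that gap.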
