docs/operator-manual/argocd-cm.yaml

apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
  namespace: argocd
  labels:
    app.kubernetes.io/name: argocd-cm
    app.kubernetes.io/part-of: argocd
data:
  # Argo CD's externally facing base URL (optional). Required when configuring SSO
  url: https://argo-cd-demo.argoproj.io

  # Additional externally facing base URLs (optional)
  additionalUrls: |
    - https://argo-cd-demo2.argoproj.io

  # Enables application status badge feature
  statusbadge.enabled: "true"

  # Override the Argo CD hostname root URL for both the project and the application status badges.
  # Here is an example of the application status badge for the app `myapp` to see what is replaced.
  #    <statusbadge.url>api/badge?name=myapp&revision=true
  # Provide custom URL to override. You must include the trailing forward slash:
  statusbadge.url: "https://cd-status.apps.argoproj.io/"

  # Enables anonymous user access. The anonymous users get default role permissions specified argocd-rbac-cm.yaml.
  users.anonymous.enabled: "true"
  # Specifies token expiration duration
  users.session.duration: "24h"

  # Specifies regex expression for password
  passwordPattern: "^.{8,32}$"

  # Enables google analytics tracking is specified
  ga.trackingid: "UA-12345-1"
  # Unless set to 'false' then user ids are hashed before sending to google analytics
  ga.anonymizeusers: "false"

  # the URL for getting chat help, this will typically be your Slack channel for support
  help.chatUrl: "https://mycorp.slack.com/argo-cd"
  # the text for getting chat help, defaults to "Chat now!"
  help.chatText: "Chat now!"
  # The URLs to download additional ArgoCD binaries (besides the Linux with current platform binary included by default)
  # for different OS architectures. If provided, additional download buttons will be displayed on the help page.
  help.download.linux-amd64: "path-or-url-to-download"
  help.download.linux-arm64: "path-or-url-to-download"
  help.download.linux-ppc64le: "path-or-url-to-download"
  help.download.linux-s390x: "path-or-url-to-download"
  help.download.darwin-amd64: "path-or-url-to-download"
  help.download.darwin-arm64: "path-or-url-to-download"
  help.download.windows-amd64: "path-or-url-to-download"

  # A dex connector configuration (optional). See SSO configuration documentation:
  # https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/user-management/index.md#sso
  # https://dexidp.io/docs/connectors/
  dex.config: |
    connectors:
      # GitHub example
      - type: github
        id: github
        name: GitHub
        config:
          clientID: aabbccddeeff00112233
          clientSecret: $dex.github.clientSecret
          orgs:
          - name: your-github-org
            teams:
            - red-team
    # It is possible to provide custom static client for dex if you want to reuse it
    # with other services
    # staticClients:
    # - id: argo-workflow
    #   name: Argo Workflow
    #   redirectURIs:
    #     - https://argo/oauth2/callback
    #   secret: $secretReference

  # OIDC configuration as an alternative to dex (optional).
  oidc.config: |
    name: Okta
    issuer: https://dev-123456.oktapreview.com
    clientID: aaaabbbbccccddddeee
    clientSecret: $oidc.okta.clientSecret
    # Optional set of OIDC scopes to request. If omitted, defaults to: ["openid", "profile", "email", "groups"]
    requestedScopes: ["openid", "profile", "email"]
    # Optional set of OIDC claims to request on the ID token.
    requestedIDTokenClaims: {"groups": {"essential": true}}

  # Configuration to customize resource behavior (optional) can be configured via splitted sub keys.
  # Keys are in the form: resource.customizations.ignoreDifferences.<group_kind>, resource.customizations.health.<group_kind>
  # resource.customizations.actions.<group_kind>, resource.customizations.knownTypeFields.<group-kind>
  # resource.customizations.ignoreResourceUpdates.<group-kind>
  resource.customizations.ignoreDifferences.admissionregistration.k8s.io_MutatingWebhookConfiguration: |
    jsonPointers:
    - /webhooks/0/clientConfig/caBundle
    jqPathExpressions:
    - .webhooks[0].clientConfig.caBundle
    managedFieldsManagers:
    - kube-controller-manager

  # Configuration to define customizations ignoring differences between live and desired states for
  # all resources (GK).
  resource.customizations.ignoreDifferences.all: |
    managedFieldsManagers:
    - kube-controller-manager
    jsonPointers:
    - /spec/replicas

  # Enable resource.customizations.ignoreResourceUpdates rules. If "false," those rules are not applied, and all updates
  # to resources are applied to the cluster cache. Default is true.
  resource.ignoreResourceUpdatesEnabled: "true"

  # Configuration to define customizations ignoring differences during watched resource updates to skip application reconciles.
  resource.customizations.ignoreResourceUpdates.all: |
    jsonPointers:
    - /metadata/resourceVersion

  # Configuration to define customizations ignoring differences during watched resource updates can be configured via splitted sub key.
  resource.customizations.ignoreResourceUpdates.argoproj.io_Application: |
    jsonPointers:
    - /status

  # jsonPointers and jqPathExpressions can be specified.
  resource.customizations.ignoreResourceUpdates.autoscaling_HorizontalPodAutoscaler: |
    jqPathExpressions:
    - '.metadata.annotations."autoscaling.alpha.kubernetes.io/behavior"'
    - '.metadata.annotations."autoscaling.alpha.kubernetes.io/conditions"'
    - '.metadata.annotations."autoscaling.alpha.kubernetes.io/metrics"'
    - '.metadata.annotations."autoscaling.alpha.kubernetes.io/current-metrics"'
    jsonPointers:
    - /metadata/annotations/autoscaling.alpha.kubernetes.io~1behavior
    - /metadata/annotations/autoscaling.alpha.kubernetes.io~1conditions
    - /metadata/annotations/autoscaling.alpha.kubernetes.io~1metrics
    - /metadata/annotations/autoscaling.alpha.kubernetes.io~1current-metrics

  resource.customizations.health.certmanager.k8s.io-Certificate: |
    hs = {}
    if obj.status ~= nil then
      if obj.status.conditions ~= nil then
        for i, condition in ipairs(obj.status.conditions) do
          if condition.type == "Ready" and condition.status == "False" then
            hs.status = "Degraded"
            hs.message = condition.message
            return hs
          end
          if condition.type == "Ready" and condition.status == "True" then
            hs.status = "Healthy"
            hs.message = condition.message
            return hs
          end
        end
      end
    end
    hs.status = "Progressing"
    hs.message = "Waiting for certificate"
    return hs

  resource.customizations.health.cert-manager.io_Certificate: |
    hs = {}
    if obj.status ~= nil then
      if obj.status.conditions ~= nil then
        for i, condition in ipairs(obj.status.conditions) do
          if condition.type == "Ready" and condition.status == "False" then
            hs.status = "Degraded"
            hs.message = condition.message
            return hs
          end
          if condition.type == "Ready" and condition.status == "True" then
            hs.status = "Healthy"
            hs.message = condition.message
            return hs
          end
        end
      end
    end
    hs.status = "Progressing"
    hs.message = "Waiting for certificate"
    return hs

  # List of Lua Scripts to introduce custom actions
  resource.customizations.actions.apps_Deployment: |
    # Lua Script to indicate which custom actions are available on the resource
    discovery.lua: |
      actions = {}
      actions["restart"] = {}
      return actions
    definitions:
      - name: restart
        # Lua Script to modify the obj
        action.lua: |
          local os = require("os")
          if obj.spec.template.metadata == nil then
              obj.spec.template.metadata = {}
          end
          if obj.spec.template.metadata.annotations == nil then
              obj.spec.template.metadata.annotations = {}
          end
          obj.spec.template.metadata.annotations["kubectl.kubernetes.io/restartedAt"] = os.date("!%Y-%m-%dT%XZ")
          return obj

  # Configuration to completely ignore entire classes of resource group/kinds (optional).
  # Excluding high-volume resources improves performance and memory usage, and reduces load and
  # bandwidth to the Kubernetes API server.
  # These are globs, so a "*" will match all values.
  # If you omit groups/kinds/clusters then they will match all groups/kind/clusters.
  # NOTE: events.k8s.io and metrics.k8s.io are excluded by default
  resource.exclusions: |
    - apiGroups:
      - repositories.stash.appscode.com
      kinds:
      - Snapshot
      clusters:
      - "*.local"

  # By default all resource group/kinds are included. The resource.inclusions setting allows customizing
  # list of included group/kinds.
  resource.inclusions: |
    - apiGroups:
      - repositories.stash.appscode.com
      kinds:
      - Snapshot
      clusters:
      - "*.local"

  # An optional comma-separated list of annotation keys to mask in UI/CLI on secrets
  resource.sensitive.mask.annotations: openshift.io/token-secret.value,api-key

  # An optional comma-separated list of metadata.labels to observe in the UI.
  resource.customLabels: tier

  # An optional comma-separated list of metadata.labels keys to add to Kubernetes events generated for Applications.
  # The keys are compared against the Application and its AppProject. If matched,
  # the corresponding labels are added to the generated event.
  # In case of a conflict between labels on the Application and AppProject,
  # the Application label values are prioritized and added to the event. Supports wildcards.
  resource.includeEventLabelKeys: team,env*
  # An optional comma-separated list of metadata.labels keys to exclude from Kubernetes events generated for Applications. Supports wildcards.
  resource.excludeEventLabelKeys: environment,bu


  resource.compareoptions: |
    # if ignoreAggregatedRoles set to true then differences caused by aggregated roles in RBAC resources are ignored.
    ignoreAggregatedRoles: true

    # disables status field diffing in specified resource types
    # 'crd' - CustomResourceDefinitions (default)
    # 'all' - all resources
    # 'none' - disabled
    ignoreResourceStatusField: crd

  # configuration to instruct controller to only watch for resources that it has permissions to list
  # can be either empty, "normal" or "strict". By default, it is empty i.e. disabled.
  resource.respectRBAC: "normal"

  # A set of settings that allow enabling or disabling the config management tool.
  # If unset, each defaults to "true".
  kustomize.enabled: "true"
  jsonnet.enabled: "true"
  helm.enabled: "true"

  # Build options/parameters to use with `kustomize build` (optional)
  kustomize.buildOptions: --load_restrictor none

  # Per-version build options and binary paths
  kustomize.path.v3.9.1: /custom-tools/kustomize_3_9
  kustomize.buildOptions.v3.9.1: --enable_kyaml true

  # Additional Kustomize versions and corresponding binary paths (deprecated)
  kustomize.version.v3.5.1: /custom-tools/kustomize_3_5_1
  kustomize.version.v3.5.4: /custom-tools/kustomize_3_5_4

  # Comma delimited list of additional custom remote values file schemes (http are https are allowed by default).
  # Change to empty value if you want to disable remote values files altogether.
  helm.valuesFileSchemes: http, https

  # The metadata.label key name where Argo CD injects the app name as a tracking label (optional).
  # Tracking labels are used to determine which resources need to be deleted when pruning.
  # If omitted, Argo CD injects the app name into the label: 'app.kubernetes.io/instance'
  application.instanceLabelKey: mycompany.com/appname

  # You can change the resource tracking method Argo CD uses by changing the
  # setting application.resourceTrackingMethod to the desired method.
  # The following methods are available:
  # - label            : Uses the application.instanceLabelKey label for tracking
  # - annotation       : Uses an annotation with additional metadata for tracking instead of the label
  # - annotation+label : Also uses an annotation for tracking, but additionally labels the resource with the application name
  application.resourceTrackingMethod: annotation

  # Optional installation id. Allows to have multiple installations of Argo CD in the same cluster.
  installationID: "my-unique-id"

  # disables admin user. Admin is enabled by default
  admin.enabled: "false"
  # add an additional local user with apiKey and login capabilities
  #   apiKey - allows generating API keys
  #   login - allows to login using UI
  accounts.alice: apiKey, login
  # disables user. User is enabled by default
  accounts.alice.enabled: "false"

  # The location of optional user-defined CSS that is loaded at runtime.
  # Local CSS Files:
  # - If the supplied path is to a file mounted on the argocd-server container, that file should be mounted
  #   within a subdirectory of the existing "/shared/app" directory (e.g. "/shared/app/custom").  Otherwise,
  #   the file will likely fail to be imported by the browser with an "incorrect MIME type" error.
  # - The path should be specified relative to the "/shared/app" directory; not as an absolute path.
  # Remote CSS Files:
  # - Files may also be loaded from remote locations via fully qualified URLs.
  ui.cssurl: "./custom/my-styles.css"

  # An optional user-defined banner message that's displayed at the top of every UI page.
  # Every time this is updated, it will clear a user's localStorage telling the UI to hide the banner forever.
  ui.bannercontent: "Hello there!"
  # Optional link for banner. If set, the entire banner text will become a link.
  # You can have bannercontent without a bannerurl, but not the other way around.
  ui.bannerurl: "https://argoproj.github.io"
  # Uncomment to make the banner not show the close buttons, thereby making the banner permanent.
  # Because it is permanent, only one line of text is available to not take up too much real estate in the UI,
  # so it is recommended that the length of the bannercontent text is kept reasonably short. Note that you can
  # have either a permanent banner or a regular closeable banner, and NOT both. eg. A user can't dismiss a
  # notification message (closeable) banner, to then immediately see a permanent banner.
  # ui.bannerpermanent: "true"
  # An option to specify the position of the banner, either the top or bottom of the page, or both. The valid values
  # are: "top", "bottom" and "both".  The default (if the option is not provided), is "top". If "both" is specified, then
  # the content appears both at the top and the bottom of the page. Uncomment the following line to make the banner appear
  # at the bottom of the page. Change the value as needed.
  # ui.bannerposition: "bottom"

  # Application reconciliation timeout is the max amount of time required to discover if a new manifests version got
  # published to the repository. Reconciliation by timeout is disabled if timeout is set to 0. Three minutes by default.
  # > Note: The argocd-repo-server deployment and the argocd-application-controller statefulset (or deployment, if
  # configured) must be manually restarted after changing the setting.
  timeout.reconciliation: 180s
  # With a large number of applications, the periodic refresh for each application can cause a spike in the refresh queue
  # and can cause a spike in the repo-server component. To avoid this, you can set a jitter to the sync timeout, which will
  # spread out the refreshes and give time to the repo-server to catch up. The jitter is the maximum duration that can be
  # added to the sync timeout. So, if the sync timeout is 3 minutes and the jitter is 1 minute, then the actual timeout will
  # be between 3 and 4 minutes. Disabled when the value is 0, defaults to 0.
  timeout.reconciliation.jitter: "0"

  # cluster.inClusterEnabled indicates whether to allow in-cluster server address. This is enabled by default.
  cluster.inClusterEnabled: "true"

  # The maximum number of pod logs to render in UI. If the application has more than this number of pods, the logs will not be rendered.
  # This is to prevent the UI from becoming unresponsive when rendering a large number of logs. Default is 10.
  server.maxPodLogsToRender: "10"

  # Application pod logs RBAC enforcement enables control over who can and who can't view application pod logs.
  # When you enable the switch, pod logs will be visible only to admin role by default. Other roles/users will not be able to view them via cli and UI.
  # When you enable the switch, viewing pod logs for other roles/users will require explicit RBAC allow policies (allow get on logs subresource).
  # When you disable the switch (either add it to the configmap with a "false" value or do not add it to the configmap), no actual RBAC enforcement will take place.
  server.rbac.log.enforce.enable: "false"

  # exec.enabled indicates whether the UI exec feature is enabled. It is disabled by default.
  exec.enabled: "false"

  # exec.shells restricts which shells are allowed for `exec`, and in which order they are attempted
  exec.shells: "bash,sh,powershell,cmd"

  # oidc.tls.insecure.skip.verify determines whether certificate verification is skipped when verifying tokens with the
  # configured OIDC provider (either external or the bundled Dex instance). Setting this to "true" will cause JWT
  # token verification to pass despite the OIDC provider having an invalid certificate. Only set to "true" if you
  # understand the risks.
  oidc.tls.insecure.skip.verify: "false"

  # Add Deep Links to ArgoCD UI
  # sample project level links
  project.links: |
    - url: https://myaudit-system.com?project={{.metadata.name}}
      title: Audit
      description: system audit logs
      icon.class: "fa-book"
  # sample application level links
  application.links: |
    # pkg.go.dev/text/template is used for evaluating url templates
    - url: https://mycompany.splunk.com?search={{.spec.destination.namespace}}
      title: Splunk
    # conditionally show link e.g. for specific project
    # github.com/expr-lang/expr is used for evaluation of conditions
    - url: https://mycompany.splunk.com?search={{.spec.destination.namespace}}
      title: Splunk
      if: spec.project == "default"
    - url: https://{{.metadata.annotations.splunkhost}}?search={{.spec.destination.namespace}}
      title: Splunk
      if: metadata.annotations.splunkhost
  # sample resource level links
  resource.links: |
    - url: https://mycompany.splunk.com?search={{.metadata.namespace}}
      title: Splunk
      if: kind == "Pod" || kind == "Deployment"

  extension.config: |
    extensions:
        # Name defines the endpoint that will be used to register
        # the extension route.
        # Mandatory field.
      - name: some-extension
        backend:
          # ConnectionTimeout is the maximum amount of time a dial to
          # the extension server will wait for a connect to complete.
          # Optional field. Default: 2 seconds
          connectionTimeout: 2s

          # KeepAlive specifies the interval between keep-alive probes
          # for an active network connection between the API server and
          # the extension server.
          # Optional field. Default: 15 seconds
          keepAlive: 15s

          # IdleConnectionTimeout is the maximum amount of time an idle
          # (keep-alive) connection between the API server and the extension
          # server will remain idle before closing itself.
          # Optional field. Default: 60 seconds
          idleConnectionTimeout: 60s

          # MaxIdleConnections controls the maximum number of idle (keep-alive)
          # connections between the API server and the extension server.
          # Optional field. Default: 30
          maxIdleConnections: 30

          services:
              # URL is the address where the extension backend must be available.
              # Mandatory field.
            - url: http://httpbin.org

              # Cluster if provided, will have to match the application
              # destination name or the destination server to have requests
              # properly forwarded to this service URL.
              # Optional field if only one service is specified.
              # Mandatory if multiple services are specified.
              cluster:
                name: some-cluster
                server: https://some-cluster
  # The maximum size of the payload that can be sent to the webhook server.
  webhook.maxPayloadSizeMB: "1024"

  # application.sync.impersonation.enabled enables application sync to use a custom service account, via impersonation. This allows decoupling sync from control-plane service account.
  application.sync.impersonation.enabled: "false"