global: domain: argocd.lab.local configs: params: server.insecure: true # TLS géré par Traefik cm: # URL publique (construit le redirect_uri OIDC : /auth/callback) url: https://argocd.funklab.online # SSO OIDC → Authentik (app « argocd »). L'issuer est joint server-side par # argocd-server via hairpin. clientSecret référencé depuis le secret dédié # « argocd-oidc » (label part-of=argocd, créé hors git) — évite de toucher # argocd-secret géré par helm. Voir admin/k8s/public-domain.md. oidc.config: | name: Authentik issuer: https://auth.funklab.online/application/o/argocd/ clientID: argocd clientSecret: $argocd-oidc:clientSecret requestedScopes: ["openid", "profile", "email", "groups"] rbac: scopes: "[groups]" # Membres du groupe Authentik lab-admins → admin ArgoCD policy.csv: | g, lab-admins, role:admin server: ingress: enabled: true ingressClassName: traefik hostname: argocd.lab.local resources: requests: cpu: 100m memory: 128Mi limits: memory: 256Mi repoServer: resources: requests: cpu: 100m memory: 128Mi limits: memory: 256Mi applicationSet: resources: requests: cpu: 50m memory: 64Mi limits: memory: 128Mi notifications: resources: requests: cpu: 50m memory: 64Mi limits: memory: 128Mi redis: resources: requests: cpu: 50m memory: 64Mi limits: memory: 128Mi dex: enabled: false