Configuration
1. Overview
ArgoCD is installed via the argo/argo-cd Helm chart with the release name idealogic in the argocd namespace.
2. Helm Values
The following values file is used for installation and upgrades. It is stored in the project at .argocd-backup/upgrade-values.yaml.
```yaml
global:
  domain: argocd.idealogic.co.za
configs:
  rbac:
    policy.default: role:admin
  cm:
    exec.enabled: "true"
    admin.enabled: "true"
    url: https://argocd.idealogic.co.za
    timeout.reconciliation: 180s
    timeout.hard.reconciliation: 0s
    oidc.config: |
      name: Azure
      issuer: https://login.microsoftonline.com/e0fd5785-e83e-439e-b7e7-5bfb0b2e8a84/v2.0
      clientID: 0dd148b2-05be-4fbc-a259-721c1d4f8a37
      clientSecret: $oidc.azure.clientSecret
      requestedIDTokenClaims:
        groups:
          essential: true
      requestedScopes:
        - openid
        - profile
        - email
notifications:
  argocdUrl: https://argocd.idealogic.co.za
server:
  certificate:
    domain: argocd.idealogic.co.za
    enabled: true
    issuer:
      kind: ClusterIssuer
      name: letsencrypt-prod
  ingress:
    enabled: true
    hostname: argocd.idealogic.co.za
    ingressClassName: nginx
    pathType: ImplementationSpecific
    tls: true
    annotations:
      nginx.ingress.kubernetes.io/backend-protocol: HTTPS
      nginx.ingress.kubernetes.io/force-ssl-redirect: "false"
      nginx.ingress.kubernetes.io/ssl-passthrough: "true"
```
3. Configuration Details
3.1. OIDC Authentication
Azure AD OIDC is configured for user authentication.
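| Setting | Value |
|---|---|
| Provider | Azure AD |
| Tenant | |
| Client ID | 0dd148b2-05be-4fbc-a259-721c1d4f8a37 |
| Issuer URL | https://login.microsoftonline.com/e0fd5785-e83e-439e-b7e7-5bfb0b2e8a84/v2.0 |
| Scopes | openid, profile, email |
| Group Claims | enabled (essential) |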
The client secret is stored in the argocd-secret Kubernetes secret under the key oidc.azure.clientSecret. The Helm values reference it with the $oidc.azure.clientSecret syntax.
3.2. Ingress
ArgoCD uses SSL passthrough with nginx ingress. The TLS certificate is managed by cert-manager using the letsencrypt-prod ClusterIssuer.
Key annotations:
- nginx.ingress.kubernetes.io/ssl-passthrough: "true" — Required for ArgoCD gRPC
- nginx.ingress.kubernetes.io/backend-protocol: HTTPS — ArgoCD server runs HTTPS
3.3. Reconciliation
| Setting | Value |
|---|---|
| timeout.reconciliation | 180s (3 minutes) |
| timeout.hard.reconciliation | 0s (disabled) |
The reconciliation timeout controls how often ArgoCD checks for changes in Git/Helm repositories. The hard reconciliation forces a full comparison regardless of cache.
3.4. RBAC
The default RBAC policy is role:admin, meaning all authenticated users (via OIDC or local admin) get full admin access. This is configured via configs.rbac.policy.default in the Helm values.
To restrict access to specific Azure AD groups instead, replace policy.default with policy.csv rules:
```yaml
configs:
  rbac:
    policy.default: ""
    policy.csv: |
      g, <azure-ad-group-object-id>, role:admin
```
3.5. Admin Access
Local admin login is enabled (admin.enabled: "true"). The admin password is stored in argocd-secret.
The exec terminal feature is enabled (exec.enabled: "true") for pod terminal access from the ArgoCD UI.
4. Secrets
ArgoCD uses two secrets:
4.1. argocd-secret
Contains:
- admin.password — Bcrypt hashed admin password
- admin.passwordMtime — Password modification timestamp
- oidc.azure.clientSecret — Azure AD OIDC client secret
- server.secretkey — Server encryption key for session tokens
4.2. argocd-notifications-secret
Contains notification integration credentials (if configured).
5. Retrieving Current Values
To inspect the current Helm values on the cluster:
```shell
helm get values idealogic -n argocd -o yaml
```
To inspect the full merged values (including defaults):
```shell
helm get values idealogic -n argocd -o yaml --all
```
6. Modifying Configuration
To change ArgoCD configuration:
- Update the values file
- Run a Helm upgrade:

```shell
helm upgrade idealogic argo/argo-cd \
  --version <current-chart-version> \
  -n argocd \
  -f argocd-values.yaml \
  --wait --timeout 5m
```
Always specify the --version flag to avoid unintended version upgrades. Use helm list -n argocd to check the current chart version.
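A pre-upgrade check for the access settings described in sections 3.4 and 3.5, as an added example rather than part of the project's own tooling. The helper name audit_argocd_values is hypothetical and the sample input is constructed; it flags policy.default: role:admin, exec.enabled, admin.enabled, and an unreplaced <azure-ad-group-object-id> placeholder.

```shell
#!/usr/bin/env bash
# Added example, not the project's tooling. audit_argocd_values is a
# hypothetical helper that flags the broad-access settings from sections
# 3.4 and 3.5 in a values file (path argument, or stdin when omitted).
audit_argocd_values() {
  awk '
    function val(line) {              # value after the first "key:"
      sub(/^[^:]*:[ \t]*/, "", line)
      gsub(/["\047]/, "", line)       # drop double and single quotes
      sub(/[ \t\r]+$/, "", line)
      return line
    }
    function flag(msg) { print "FINDING: " msg; n++ }
    /^[ \t]*#/ { next }               # ignore comment lines
    /^[ \t]*policy\.default:/ { seen = 1; def = val($0) }
    /^[ \t]*exec\.enabled:/ && val($0) == "true" {
      flag("exec.enabled is true: pod terminals are available from the UI")
    }
    /^[ \t]*admin\.enabled:/ && val($0) == "true" {
      flag("admin.enabled is true: local admin login is active")
    }
    /^[ \t]*g,/ {                     # group-to-role rule inside policy.csv
      groups++
      if ($0 ~ /[<>]/) flag("policy.csv still holds a <placeholder> group id")
    }
    END {
      if (def == "role:admin")
        flag("policy.default is role:admin: every authenticated user is admin")
      if (seen && def == "" && groups == 0)
        flag("policy.default is empty and policy.csv has no g rule")
      exit (n > 0)                    # non-zero status when anything was flagged
    }
  ' "${1:--}"
}

# Constructed sample mirroring the access settings shown on this page.
sample='configs:
  rbac:
    policy.default: role:admin
  cm:
    exec.enabled: "true"
    admin.enabled: "true"'
printf '%s\n' "$sample" | audit_argocd_values || echo "review findings before helm upgrade"
```

Run it against the values file passed to `-f`; a non-zero exit status means at least one setting was flagged.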