From 8d7c33a6333eb76e3d204dd4f1f2091d7d6f05aa Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Sun, 3 May 2026 22:40:36 +1000
Subject: [PATCH] chore: mount vault CA for helm TLS trust and add ArgoCD self-management
- Patch argocd-repo-server to mount vault-ca-cert and set SSL_CERT_DIR so helm subprocesses trust the internal CA when pulling charts
- Add argocd Application pointing at clusters/au-syd1/bootstrap so ArgoCD manages its own install going forward
---
 .../argocd-repo-server-vault-ca-patch.yaml | 25 +++++++++++++++++++
 .../au-syd1/bootstrap/argocd-self-app.yaml | 21 ++++++++++++++++
 clusters/au-syd1/bootstrap/kustomization.yaml | 5 ++++
 3 files changed, 51 insertions(+)
 create mode 100644 clusters/au-syd1/bootstrap/argocd-repo-server-vault-ca-patch.yaml
 create mode 100644 clusters/au-syd1/bootstrap/argocd-self-app.yaml
diff --git a/clusters/au-syd1/bootstrap/argocd-repo-server-vault-ca-patch.yaml b/clusters/au-syd1/bootstrap/argocd-repo-server-vault-ca-patch.yaml
new file mode 100644
index 0000000..513320d
--- /dev/null
+++ b/clusters/au-syd1/bootstrap/argocd-repo-server-vault-ca-patch.yaml
@@ -0,0 +1,25 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: argocd-repo-server
+ namespace: argocd
+spec:
+ template:
+ spec:
+ volumes:
+ - name: vault-ca-cert
+ secret:
+ secretName: vault-ca-cert
+ items:
+ - key: ca.crt
+ path: ca.crt
+ containers:
+ - name: argocd-repo-server
+ env:
+ - name: SSL_CERT_DIR
+ value: /etc/ssl/certs:/custom-certs
+ volumeMounts:
+ - name: vault-ca-cert
+ mountPath: /custom-certs
+ readOnly: true
diff --git a/clusters/au-syd1/bootstrap/argocd-self-app.yaml b/clusters/au-syd1/bootstrap/argocd-self-app.yaml
new file mode 100644
index 0000000..1e9eb6f
--- /dev/null
+++ b/clusters/au-syd1/bootstrap/argocd-self-app.yaml
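Review bot: The `vault-ca-cert` secret volume carries no `optional: true`, so if that Secret is absent from the argocd namespace (nothing in this commit creates it, and this is the bootstrap kustomization) the repo-server pod is stuck in ContainerCreating and ArgoCD can sync nothing, including the self-managing Application added alongside this patch. Add `optional: true` under `secret:` (a repo-server without the CA can still serve public repos) or document the ordering requirement next to the volume. Separately, `SSL_CERT_DIR` with a plain `ca.crt` file only helps Go binaries (helm, argocd itself), which load every file in the listed directories; git's TLS stack in the same image (OpenSSL or GnuTLS, depending on the build) either looks the directory up by hashed filename or ignores the variable, so repositories on the internal CA still need their entry in `argocd-tls-certs-cm`, which this kustomization already patches. Since the CA certificate is public material, a ConfigMap would also be the more conventional carrier than a Secret, but that is a style choice.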
@@ -0,0 +1,21 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: argocd
+ namespace: argocd
+spec:
+ project: default
+ source:
+ repoURL: https://git.unkin.net/unkin/argocd-apps
+ targetRevision: HEAD
+ path: clusters/au-syd1/bootstrap
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: argocd
+ syncPolicy:
+ automated:
+ prune: false
+ selfHeal: true
+ syncOptions:
+ - ServerSideApply=true
diff --git a/clusters/au-syd1/bootstrap/kustomization.yaml b/clusters/au-syd1/bootstrap/kustomization.yaml
index 77727eb..5fec74b 100644
--- a/clusters/au-syd1/bootstrap/kustomization.yaml
+++ b/clusters/au-syd1/bootstrap/kustomization.yaml
@@ -5,6 +5,7 @@ kind: Kustomization
 resources:
 - https://raw.githubusercontent.com/argoproj/argo-cd/refs/tags/v3.3.2/manifests/ha/install.yaml
 - au-syd1-apps.yaml
+ - argocd-self-app.yaml
 patches:
 - path: argocd-cm-patch.yaml
@@ -15,3 +16,7 @@ patches:
 target:
 kind: ConfigMap
 name: argocd-tls-certs-cm
+ - path: argocd-repo-server-vault-ca-patch.yaml
+ target:
+ kind: Deployment
+ name: argocd-repo-server
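Review bot: With `project: default`, `targetRevision: HEAD` and `automated` plus `selfHeal: true`, anyone who can push to the default branch of `argocd-apps` rewrites ArgoCD's own install — including the `argocd-cm` patches this kustomization carries — and ArgoCD applies it unattended, so that branch is now the cluster's root of trust. Pin the branch explicitly (`targetRevision: main`, or whichever branch is protected) instead of `HEAD`, which silently follows any change to the remote's default branch, and require review on it. The `default` AppProject allows any source repo, any destination and every resource kind; a dedicated project with `sourceRepos` limited to this repository, `destinations` limited to the argocd namespace on `https://kubernetes.default.svc`, a `clusterResourceWhitelist` covering only the CRDs and cluster roles the HA install needs, and `signatureKeys` if commits are signed, would bound what a compromised repo can do. `prune: false` is the right conservative choice for a self-managing app; keep it.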