chore: mount vault CA for helm TLS trust and add ArgoCD self-management (#112)

- Patch argocd-repo-server to mount vault-ca-cert and set SSL_CERT_DIR
  so helm subprocesses trust the internal CA when pulling charts
- Add argocd Application pointing at clusters/au-syd1/bootstrap so
  ArgoCD manages its own install going forward

Reviewed-on: #112
This commit was merged in pull request #112.
2026-05-03 22:47:53 +10:00
parent 6fb98d66b0
commit dd0e297c14
3 changed files with 51 additions and 0 deletions
@@ -0,0 +1,25 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: argocd-repo-server
namespace: argocd
spec:
template:
spec:
volumes:
- name: vault-ca-cert
secret:
secretName: vault-ca-cert
items:
- key: ca.crt
path: ca.crt
containers:
- name: argocd-repo-server
env:
- name: SSL_CERT_DIR
value: /etc/ssl/certs:/custom-certs
volumeMounts:
- name: vault-ca-cert
mountPath: /custom-certs
readOnly: true
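Review bot: Setting `SSL_CERT_DIR` on the `argocd-repo-server` container makes the `ca.crt` mounted at `/custom-certs` a trust anchor for every host that helm and other clients reading that directory connect to, not only the internal chart host. The `vault-ca-cert` Secret therefore becomes security-critical, because whoever can write it in the `argocd` namespace chooses a CA the repo-server will accept when fetching charts and manifests. I would record that above the env entry, e.g. `# process-wide trust anchor for all hosts; keep write access to Secret vault-ca-cert restricted`. The volume sets no `optional` field, so the pod presumably will not start if the Secret is missing from the namespace, which matters more now that this Deployment is part of the self-managed install. Indentation is lost in this rendering, so the nesting is inferred from the field names.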
@@ -0,0 +1,21 @@
---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: argocd
namespace: argocd
spec:
project: default
source:
repoURL: https://git.unkin.net/unkin/argocd-apps
targetRevision: HEAD
path: clusters/au-syd1/bootstrap
destination:
server: https://kubernetes.default.svc
namespace: argocd
syncPolicy:
automated:
prune: false
selfHeal: true
syncOptions:
- ServerSideApply=true
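Review bot: `targetRevision: HEAD` combined with `automated` sync and `selfHeal: true` means anything that lands on the default branch under `clusters/au-syd1/bootstrap` is applied to Argo CD's own install with no further gate. Write access to that branch is then effectively control of the Argo CD control plane. Naming a protected branch or tag explicitly in `targetRevision` would make that boundary visible, with a comment such as `# self-managed install: changes on this revision are applied automatically; branch must stay protected`. `project: default` is also worth revisiting, since a dedicated AppProject whose `sourceRepos` lists only this repository would stop the Application from being repointed at another source. `prune: false` looks like a deliberate safeguard and could carry a one-line comment saying so.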
@@ -5,6 +5,7 @@ kind: Kustomization
resources:
- https://raw.githubusercontent.com/argoproj/argo-cd/refs/tags/v3.3.2/manifests/ha/install.yaml
- au-syd1-apps.yaml
- argocd-self-app.yaml
patches:
- path: argocd-cm-patch.yaml
@@ -15,3 +16,7 @@ patches:
target:
kind: ConfigMap
name: argocd-tls-certs-cm
- path: argocd-repo-server-vault-ca-patch.yaml
target:
kind: Deployment
name: argocd-repo-server