feat: argocd applications on domain namespace (#149)

* added argocd configuration to install applications into different namespaces

* updated argocd version

* updated argocd configuration to support applications in different namespaces

* argocd project added namespace permissions for domain namespace

* argocd project added namespace permissions for domain namespace

* pre-commit fixs

* removed check yaml from pre-commit

.pre-commit-config.yaml

@@ -9,7 +9,6 @@ repos:
       - id: trailing-whitespace
         args: [--markdown-linebreak-ext=md]
         exclude_types: [sql]
-      - id: check-yaml
       - id: check-executables-have-shebangs
       # Cross platform
       - id: check-case-conflict

src/aks-platform/05_argocd.tf

@@ -18,7 +18,9 @@ resource "helm_release" "argocd" {
   wait      = false
 
   values = [
-    file("${path.module}/argocd/argocd_helm_setup_values.yaml")
+    templatefile("${path.module}/argocd/argocd_helm_setup_values.yaml", {
+      argocd_application_namespaces = var.argocd_application_namespaces
+    })
   ]
 
   depends_on = [
@@ -52,15 +54,15 @@ resource "azurerm_key_vault_secret" "argocd_admin_username" {
 # tools
 #
 module "argocd_workload_identity_init" {
-  source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_workload_identity_init?ref=v8.42.1"
+  source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_workload_identity_init?ref=v8.77.0"
 
   workload_identity_name_prefix         = "argocd"
   workload_identity_resource_group_name = azurerm_resource_group.rg_aks.name
   workload_identity_location            = var.location
 }
 
 module "argocd_workload_identity_configuration" {
-  source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_workload_identity_configuration?ref=v8.42.1"
+  source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_workload_identity_configuration?ref=v8.77.0"
 
   workload_identity_name_prefix         = "argocd"
   workload_identity_resource_group_name = azurerm_resource_group.rg_aks.name
@@ -77,7 +79,7 @@ module "argocd_workload_identity_configuration" {
 }
 
 module "cert_mounter_argocd_internal" {
-  source           = "git::https://github.com/pagopa/terraform-azurerm-v3.git//cert_mounter?ref=v8.42.1"
+  source           = "git::https://github.com/pagopa/terraform-azurerm-v3.git//cert_mounter?ref=v8.77.0"
   namespace        = "argocd"
   certificate_name = replace(local.argocd_internal_url, ".", "-")
   kv_name          = data.azurerm_key_vault.kv_core_ita.name

src/aks-platform/99_variables.tf

@@ -587,7 +587,15 @@ variable "dns_zone_internal_prefix" {
   description = "The dns subdomain."
 }
 
+#
+# Argocd
+#
 variable "argocd_helm_release_version" {
   type        = string
   description = "ArgoCD helm chart release version"
 }
+
+variable "argocd_application_namespaces" {
+  type        = list(string)
+  description = "In which namespaces argocd can create applications"
+}

src/aks-platform/README.md

@@ -43,9 +43,9 @@ Re-enable all the resource, commented before to complete the procedure
 | <a name="module_aks"></a> [aks](#module\_aks) | git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_cluster | v8.42.1 |
 | <a name="module_aks_prometheus_install"></a> [aks\_prometheus\_install](#module\_aks\_prometheus\_install) | git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_prometheus_install | v8.34.0 |
 | <a name="module_aks_storage_class"></a> [aks\_storage\_class](#module\_aks\_storage\_class) | git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_storage_class | v8.34.0 |
-| <a name="module_argocd_workload_identity_configuration"></a> [argocd\_workload\_identity\_configuration](#module\_argocd\_workload\_identity\_configuration) | git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_workload_identity_configuration | v8.42.1 |
-| <a name="module_argocd_workload_identity_init"></a> [argocd\_workload\_identity\_init](#module\_argocd\_workload\_identity\_init) | git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_workload_identity_init | v8.42.1 |
-| <a name="module_cert_mounter_argocd_internal"></a> [cert\_mounter\_argocd\_internal](#module\_cert\_mounter\_argocd\_internal) | git::https://github.com/pagopa/terraform-azurerm-v3.git//cert_mounter | v8.42.1 |
+| <a name="module_argocd_workload_identity_configuration"></a> [argocd\_workload\_identity\_configuration](#module\_argocd\_workload\_identity\_configuration) | git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_workload_identity_configuration | v8.77.0 |
+| <a name="module_argocd_workload_identity_init"></a> [argocd\_workload\_identity\_init](#module\_argocd\_workload\_identity\_init) | git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_workload_identity_init | v8.77.0 |
+| <a name="module_cert_mounter_argocd_internal"></a> [cert\_mounter\_argocd\_internal](#module\_cert\_mounter\_argocd\_internal) | git::https://github.com/pagopa/terraform-azurerm-v3.git//cert_mounter | v8.77.0 |
 | <a name="module_keda_workload_identity_configuration"></a> [keda\_workload\_identity\_configuration](#module\_keda\_workload\_identity\_configuration) | git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_workload_identity_configuration | v8.45.0 |
 | <a name="module_keda_workload_identity_init"></a> [keda\_workload\_identity\_init](#module\_keda\_workload\_identity\_init) | git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_workload_identity_init | v8.45.0 |
 | <a name="module_nginx_ingress"></a> [nginx\_ingress](#module\_nginx\_ingress) | terraform-module/release/helm | 2.7.0 |
@@ -134,6 +134,7 @@ Re-enable all the resource, commented before to complete the procedure
 | <a name="input_aks_system_node_pool"></a> [aks\_system\_node\_pool](#input\_aks\_system\_node\_pool) | AKS node pool system configuration | <pre>object({<br/>    name                         = string,<br/>    vm_size                      = string,<br/>    os_disk_type                 = string,<br/>    os_disk_size_gb              = string,<br/>    node_count_min               = number,<br/>    node_count_max               = number,<br/>    node_labels                  = map(any),<br/>    node_tags                    = map(any),<br/>    only_critical_addons_enabled = optional(bool, true)<br/>    zones                        = optional(list(any), [1, 2, 3])<br/>  })</pre> | n/a | yes |
 | <a name="input_aks_user_node_pool"></a> [aks\_user\_node\_pool](#input\_aks\_user\_node\_pool) | AKS node pool user configuration | <pre>object({<br/>    enabled                    = optional(bool, true),<br/>    name                       = string,<br/>    vm_size                    = string,<br/>    os_disk_type               = string,<br/>    os_disk_size_gb            = string,<br/>    node_count_min             = number,<br/>    node_count_max             = number,<br/>    node_labels                = map(any),<br/>    node_taints                = list(string),<br/>    node_tags                  = map(any),<br/>    ultra_ssd_enabled          = optional(bool, false),<br/>    enable_host_encryption     = optional(bool, true),<br/>    max_pods                   = optional(number, 250),<br/>    upgrade_settings_max_surge = optional(string, "30%"),<br/>    zones                      = optional(list(any), [1, 2, 3]),<br/>  })</pre> | n/a | yes |
 | <a name="input_aks_vm_size"></a> [aks\_vm\_size](#input\_aks\_vm\_size) | The size of the AKS Virtual Machine in the Node Pool. | `string` | `"Standard_DS3_v2"` | no |
+| <a name="input_argocd_application_namespaces"></a> [argocd\_application\_namespaces](#input\_argocd\_application\_namespaces) | In which namespaces argocd can create applications | `list(string)` | n/a | yes |
 | <a name="input_argocd_helm_release_version"></a> [argocd\_helm\_release\_version](#input\_argocd\_helm\_release\_version) | ArgoCD helm chart release version | `string` | n/a | yes |
 | <a name="input_cidr_subnet_system_aks"></a> [cidr\_subnet\_system\_aks](#input\_cidr\_subnet\_system\_aks) | Subnet cluster kubernetes. | `list(string)` | n/a | yes |
 | <a name="input_cidr_subnet_user_aks"></a> [cidr\_subnet\_user\_aks](#input\_cidr\_subnet\_user\_aks) | Subnet cluster kubernetes. | `list(string)` | n/a | yes |

src/aks-platform/argocd/argocd_helm_setup_values.yaml

@@ -1,35 +1,62 @@
 dex:
   enabled: true
+
 server:
   replicas: 1
   extraArgs:
     - --insecure
-  config:
-    repositories: |
-      - type: helm
-        name: argo-cd
-        url: https://argoproj.github.io/argo-helm
   ingress:
     enabled: true
-    labels: {}
     ingressClassName: "nginx"
     hostname: argocd.internal.devopslab.pagopa.it
-
     annotations:
       nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
       nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
+    tls: false # Cambiato a false per evitare il TLS host doppio
     extraTls:
       - hosts:
-        - argocd.internal.devopslab.pagopa.it
-        # Based on the ingress controller used secret might be optional
+          - argocd.internal.devopslab.pagopa.it
         secretName: argocd-internal-devopslab-pagopa-it
-    https: true
+
 redis-ha:
   enabled: false
+
 repoServer:
   replicas: 1
+
 applicationSet:
   replicas: 1
+
 configs:
+  params:
+    application.namespaces: "${join(",", argocd_application_namespaces)}"
+
   cm:
-    timeout.reconciliation: 30s
+    timeout.reconciliation: 31s
+    application.resourceTrackingMethod: annotation
+
+  rbac:
+    policy.csv: |
+      p, role:readonly, applications, get, */*, allow
+      p, role:readonly, projects, get, *, allow
+      p, role:admin, applications, create, */*, allow
+      p, role:admin, applications, update, */*, allow
+      p, role:admin, applications, delete, */*, allow
+      p, role:admin, applications, sync, */*, allow
+      p, role:admin, applications, override, */*, allow
+      p, role:admin, applications, action/*, */*, allow
+      p, role:admin, projects, create, *, allow
+      p, role:admin, projects, update, *, allow
+      p, role:admin, projects, delete, *, allow
+
+controller:
+  args:
+    - --application-namespaces=${join(",", argocd_application_namespaces)}
+
+  clusterRoleRules:
+    enabled: true
+    rules:
+     - apiGroups: ["*"]
+       resources: ["*"]
+       verbs: ["*"]
+       namespaces: "[${join(", ", argocd_application_namespaces)}]"

src/aks-platform/env/itn-dev/terraform.tfvars

@@ -146,5 +146,9 @@ law_prometheus_sku               = "PerGB2018"
 law_prometheus_retention_in_days = 30
 law_prometheus_daily_quota_gb    = 0.1
 
-# https://github.com/argoproj/argo-helm/releases/tag/argo-cd-7.7.7
-argocd_helm_release_version = "7.7.7" #2.13.0
+#
+# Argocd
+#
+# https://github.com/argoproj/argo-helm/releases/tag/argo-cd-7.7.16
+argocd_helm_release_version   = "7.7.16" #2.13.0+
+argocd_application_namespaces = ["argocd", "testit", "diego", "keda"]

src/domains/diego-app/05_argocd.tf

@@ -13,7 +13,7 @@ resource "argocd_project" "project" {
   spec {
     description = "${var.domain}-project"
 
-    source_namespaces = ["argocd"]
+    source_namespaces = ["argocd", var.domain]
     source_repos      = ["*"]
 
     destination {
@@ -44,13 +44,11 @@ resource "argocd_project" "project" {
       warn = true
     }
 
-    #     role {
-    #       name = "anotherrole"
-    #       policies = [
-    #         "p, proj:myproject:testrole, applications, get, myproject/*, allow",
-    #         "p, proj:myproject:testrole, applications, sync, myproject/*, deny",
-    #       ]
-    #     }
+    # role {
+    #   name = "project-admin"
+    #   policies = [
+    #   ]
+    # }
   }
 }
 
@@ -90,7 +88,7 @@ resource "argocd_application" "diego_applications" {
 
   metadata {
     name      = each.value.name
-    namespace = "argocd"
+    namespace = var.domain
     labels = {
       name   = each.value.name
       domain = var.domain