feat: argocd upgrade

fmunteanu · fmunteanu · commit 0412f0b320ca · 2025-06-17T22:15:23.000-04:00
diff --git a/roles/argo-cd/defaults/main.yaml b/roles/argo-cd/defaults/main.yaml
@@ -111,7 +111,7 @@ argocd_vars:
         # -- Helm chart name
         name: argo-cd
         # -- Helm chart version
-        version: v7.8.28
+        version: v8.0.17
       repository:
         # -- Repository name in Helm
         name: argo-helm
@@ -216,7 +216,9 @@ argocd_vars:
           password:
       ingress:
         # -- See [documentation](https://axivo.com/k3s-cluster/tutorials/handbook/externaldns/#front-ends), for details
-        subdomain: argocd
+        subdomain:
+          api: argocd
+          grpc: grpc.argocd
       resources:
         limits:
           # -- CPU limit, `null` for no limit
@@ -239,4 +241,4 @@ argocd_vars:
       # -- Organization name
       org: argoproj
     # -- CLI version to install
-    version: v2.14.11
+    version: v3.0.6
diff --git a/roles/argo-cd/tasks/facts.yaml b/roles/argo-cd/tasks/facts.yaml
@@ -15,11 +15,12 @@
         server:
           annotations:
             api:
-              cert-manager.io/cluster-issuer: '{{ externaldns_project.cloudflare.cluster.issuer }}'
+              ingress.cilium.io/tls-passthrough: enabled
             grpc:
-              cert-manager.io/cluster-issuer: '{{ externaldns_project.cloudflare.cluster.issuer }}'
               ingress.cilium.io/tls-passthrough: enabled
-          hostname: '{{ argocd_vars.kubernetes.server.ingress.subdomain }}.{{ externaldns_vars.cloudflare.host.domain }}'
+          hostname:
+            api: '{{ argocd_vars.kubernetes.server.ingress.subdomain.api }}.{{ externaldns_vars.cloudflare.host.domain }}'
+            grpc: '{{ argocd_vars.kubernetes.server.ingress.subdomain.grpc }}.{{ externaldns_vars.cloudflare.host.domain }}'
       helm:
         chart:
           reference: '{{ argocd_vars.kubernetes.helm.repository.org }}/{{ argocd_vars.kubernetes.helm.chart.name }}'
diff --git a/roles/argo-cd/tasks/validation.yaml b/roles/argo-cd/tasks/validation.yaml
@@ -62,8 +62,8 @@
             name: '{{ argocd_vars.kubernetes.helm.chart.name }}'
             namespace: '{{ argocd_vars.kubernetes.namespace }}'
           register: release
-          changed_when: false
           when: kubeconfig.stat.exists
+          changed_when: false
 
         - name: Set comparison fact
           ansible.builtin.set_fact:
diff --git a/roles/argo-cd/templates/config_cm.j2 b/roles/argo-cd/templates/config_cm.j2
@@ -9,11 +9,14 @@ statusbadge.enabled: {{ argocd_vars.kubernetes.configs.cm.status_badge.enabled |
 resource.exclusions: |
   - apiGroups:
       - cilium.io
-      - snapshot.storage.k8s.io
     kinds:
       - CiliumClusterwideNetworkPolicy
-      - CiliumIdentity
       - CiliumNetworkPolicy
+    clusters:
+      - "*"
+  - apiGroups:
+      - snapshot.storage.k8s.io
+    kinds:
       - VolumeSnapshot
       - VolumeSnapshotContent
     clusters:
diff --git a/roles/argo-cd/templates/config_rbac.j2 b/roles/argo-cd/templates/config_rbac.j2
@@ -6,5 +6,6 @@
 policy.csv: |
 {% for user in argocd_resources.server.users %}
   {{ ', '.join(['g', user.name, 'role']) | indent(2) }}:{{ user.role }}
+  {{ ', '.join(['p', user.name, 'logs', 'get', '*/*', 'allow']) | indent(2) }}
 {% endfor %}
 policy.default: role:readonly
diff --git a/roles/argo-cd/templates/values.j2 b/roles/argo-cd/templates/values.j2
@@ -5,10 +5,12 @@ global:
       maxUnavailable: 0
     type: RollingUpdate
 {% if externaldns_vars.cloudflare.host.domain | lower != 'disabled' %}
-  domain: {{ argocd_map.ingress.server.hostname }}
+  domain: {{ argocd_map.ingress.server.hostname.api }}
 {% endif %}
   logging:
     level: {{ argocd_vars.kubernetes.global.logging.level }}
+  networkPolicy:
+    create: true
 applicationSet:
 {% if argocd_postinstall is truthy and argocd_map.metrics.service.monitor.enabled is truthy %}
   metrics:
@@ -270,30 +272,30 @@ server:
       group: cert-manager.io
       kind: ClusterIssuer
       name: {{ externaldns_project.cloudflare.cluster.issuer }}
-    privateKey:
-      rotationPolicy: Always
+  containerPorts:
+    server: 443
 {% endif %}
   ingress:
+    enabled: true
+{% if argocd_vars.kubernetes.configs.params.server.insecure is falsy %}
     annotations:
 {% for key, value in argocd_map.ingress.server.annotations.api.items() %}
       {{ key | indent(6) }}: {{ value }}
 {% endfor %}
-    enabled: true
-    ingressClassName: {{ argocd_map.ingress.class.name }}
-{% if argocd_vars.kubernetes.configs.params.server.insecure is falsy %}
     tls: true
 {% endif %}
+    ingressClassName: {{ argocd_map.ingress.class.name }}
   ingressGrpc:
+    enabled: true
+{% if argocd_vars.kubernetes.configs.params.server.insecure is falsy %}
     annotations:
-{% for key, value in argocd_map.ingress.server.annotations.grpc.items() %}
+{% for key, value in argocd_map.ingress.server.annotations.api.items() %}
       {{ key | indent(6) }}: {{ value }}
 {% endfor %}
-    enabled: true
-    ingressClassName: {{ argocd_map.ingress.class.name }}
-    hostname: {{ argocd_map.ingress.server.hostname }}
-{% if argocd_vars.kubernetes.configs.params.server.insecure is falsy %}
     tls: true
 {% endif %}
+    ingressClassName: {{ argocd_map.ingress.class.name }}
+    hostname: {{ argocd_map.ingress.server.hostname.grpc }}
 {% endif %}
 {% if argocd_postinstall is truthy and argocd_map.metrics.service.monitor.enabled is truthy %}
   metrics:
