ArgoCD Configuration
What is ArgoCD?
ArgoCD is the GitOps continuous delivery tool for TDP.
It monitors a Git repository and ensures that what is running in the Kubernetes cluster is always synchronized with what is in Git — if you change a configuration file in the repository, ArgoCD detects the change and applies it to the cluster automatically.
In TDP Kubernetes, ArgoCD is used primarily to manage the lifecycle of TDP charts themselves using the App of Apps model: a root ArgoCD Application that manages other Applications, each responsible for one TDP component.
This is described in detail in the installation and update guides.
ArgoCD uses Helm under the hood to render and apply charts. The difference is that you do not run helm upgrade manually — ArgoCD does it automatically when it detects changes in Git. The configuration workflow (values files, secrets) remains the same.
The tdp-argo chart packages Argo CD 2.12.1 as a wrapper around the upstream argo-cd chart.
Values structure (Helm)
All values must be nested under tdp-argo: (the dependency alias in Chart.yaml).
```yaml
tdp-argo:
  server:
    resources:
      requests:
        cpu: "250m"
        memory: "256Mi"
```
Prerequisites: CRDs (tdp-argo-crds)
Required: install the CRDs before the main chart:
```bash
helm upgrade --install argocd-crds \
  oci://registry.tecnisys.com.br/tdp/charts/tdp-argo-crds \
  --namespace <namespace> --create-namespace
```
The main chart keeps tdp-argo.crds.install=false to avoid CRD lifecycle conflicts in Helm.
Installation
Development
```bash
helm upgrade --install <release> \
  oci://registry.tecnisys.com.br/tdp/charts/tdp-argo \
  -n <namespace> --create-namespace
```
Production
```bash
helm upgrade --install <release> \
  oci://registry.tecnisys.com.br/tdp/charts/tdp-argo \
  -n <namespace> --create-namespace
```
Access and credentials
- User: admin
- Initial password: Secret argocd-initial-admin-secret:

```bash
kubectl -n <namespace> get secret argocd-initial-admin-secret \
  -o jsonpath="{.data.password}" | base64 -d
```
Public URL (configs.cm.url)
Align the URL with how users access Argo CD (relevant for Dex/LDAP):
```yaml
tdp-argo:
  configs:
    cm:
      url: https://<host>
```
LDAP / Dex and RBAC
See Security — ArgoCD.
NetworkPolicy
By default tdp-argo.global.networkPolicy.create: false (no NetworkPolicies).
To create the upstream allow-all policies:
```yaml
tdp-argo:
  global:
    networkPolicy:
      create: true
      defaultDenyIngress: false
```
The upstream templates do not allow customizing rules via Helm values; for real restriction, apply your own NetworkPolicy. Generic example:
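```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: argocd-restrict-ingress
  namespace: <namespace>
spec:
  # An empty podSelector applies the policy to every pod in the namespace.
  podSelector: {}
  policyTypes:
    - Ingress
  ingress:
    # Only namespaces named under "values" may connect. Any other namespace,
    # including this one unless it is listed, is not admitted by this policy.
    - from:
        - namespaceSelector:
            matchExpressions:
              - key: kubernetes.io/metadata.name
                operator: In
                values:
                  - <trusted-namespace>
```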
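An added example (not from the TDP documentation or the chart): a small Python evaluation of the policy above for namespaceSelector-only peers, showing which source namespaces it admits. The namespace names `argocd` and `edge-proxy` are constructed, and the check assumes no other NetworkPolicy selects the same pods (policies are additive).

```python
# Added example. Handles namespaceSelector-only peers; ipBlock and podSelector
# peers are treated as non-matching, which errs on the side of "denied".

def selector_matches(selector, labels):
    """Kubernetes label-selector semantics: all matchLabels and matchExpressions must hold."""
    for key, value in selector.get("matchLabels", {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions", []):
        key, op, values = expr["key"], expr["operator"], expr.get("values", [])
        if op == "In" and labels.get(key) not in values:
            return False
        if op == "NotIn" and labels.get(key) in values:
            return False
        if op == "Exists" and key not in labels:
            return False
        if op == "DoesNotExist" and key in labels:
            return False
    return True

def ingress_allowed(policy, source_ns_labels):
    """True if pods in a namespace carrying these labels are admitted by the policy."""
    spec = policy["spec"]
    if "Ingress" not in spec.get("policyTypes", ["Ingress"]):
        return True  # the policy does not isolate ingress at all
    for rule in spec.get("ingress", []):
        peers = rule.get("from")
        if not peers:
            return True  # a rule without "from" admits every source
        for peer in peers:
            ns_sel = peer.get("namespaceSelector")
            if ns_sel is not None and "podSelector" not in peer \
                    and selector_matches(ns_sel, source_ns_labels):
                return True
    return False

def page_policy(trusted):
    """The page's argocd-restrict-ingress policy with constructed placeholder values."""
    expr = {"key": "kubernetes.io/metadata.name", "operator": "In", "values": trusted}
    peer = {"namespaceSelector": {"matchExpressions": [expr]}}
    return {"metadata": {"name": "argocd-restrict-ingress", "namespace": "argocd"},
            "spec": {"podSelector": {}, "policyTypes": ["Ingress"],
                     "ingress": [{"from": [peer]}]}}

def ns(name):
    # Kubernetes sets this label on every namespace automatically.
    return {"kubernetes.io/metadata.name": name}

if __name__ == "__main__":
    for trusted in (["edge-proxy"], ["edge-proxy", "argocd"]):
        for source in ("edge-proxy", "argocd", "default"):
            print(trusted, source, ingress_allowed(page_policy(trusted), ns(source)))
```

With only `edge-proxy` trusted, traffic originating in the `argocd` namespace itself is not admitted, so the Argo CD namespace has to be listed if its components need to reach each other.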
Verification
Installation ConfigMap
```bash
kubectl get configmap tdp-argo-argo-install-properties -n <namespace> \
  -o jsonpath='{.data.install\.properties}' | tail -10
```
RBAC
```bash
kubectl get serviceaccount -n <namespace> | grep argo
kubectl get role -n <namespace> | grep argo
kubectl get rolebinding -n <namespace> | grep argo
```
Dex (LDAP)
```bash
kubectl get pods -n <namespace> | grep dex
kubectl get svc -n <namespace> | grep dex
```
Main parameters
| Parameter | Description |
|---|---|
| tdp-argo.crds.install | Install CRDs via main chart (false) |
| tdp-argo.dex.enabled | Dex (required for LDAP) |
| tdp-argo.configs.cm.url | External URL |
| tdp-argo.configs.secret.* | Secrets (e.g. LDAP bind) |
| tdp-argo.rbacConfig | RBAC policies |
| tdp-argo.global.networkPolicy.* | Upstream NetworkPolicies |
Uninstallation
```bash
helm -n <namespace> uninstall <release>
```
Optional additional cleanup: remove orphaned PVC, ConfigMap, or Secret resources if your cluster policy requires it.