diff --git a/docs/developer-guide/debugging-remote-environment.md b/docs/developer-guide/debugging-remote-environment.md index 5548d3444af8c..5f66571d332ec 100644 --- a/docs/developer-guide/debugging-remote-environment.md +++ b/docs/developer-guide/debugging-remote-environment.md @@ -22,8 +22,11 @@ Connect to one of the services, for example, to debug the main ArgoCD server run ```shell kubectl config set-context --current --namespace argocd telepresence helm install # Installs telepresence into your cluster -telepresence connect # Starts the connection to your cluster (bound to the current namespace) -telepresence intercept argocd-server --port 8080:http --env-file .envrc.remote # Starts the interception +telepresence connect # Starts the connection to your cluster (bound to the + # current namespace) +telepresence intercept argocd-server \ + --port 8080:http \ + --env-file .envrc.remote # Starts the interception ``` * `--port` forwards traffic of remote port http to 8080 locally (use `--port 8080:https` if argocd-server terminates TLS) * `--env-file` writes all the environment variables of the remote pod into a local file, the variables are also set on the subprocess of the `--run` command diff --git a/docs/developer-guide/running-locally.md b/docs/developer-guide/running-locally.md index 25f4510e9e18a..0d955ca2da28e 100644 --- a/docs/developer-guide/running-locally.md +++ b/docs/developer-guide/running-locally.md 
@@ -75,8 +75,8 @@ The `make start` command of the virtualized toolchain runs the build and program Docker should be installed already. Assuming you manage installed software using [Homebrew](https://brew.sh/), you can install other prerequisites like this: ```sh -# goreman is used to start all needed processes to get a working Argo CD development -# environment (defined in `Procfile`) +# goreman is used to start all needed processes to get a working Argo CD +# development environment (defined in `Procfile`) brew install goreman # You can use `kind` to run Kubernetes inside Docker. But pointing to any other @@ -151,7 +151,8 @@ export ARGOCD_OPTS="--plaintext --insecure" After making a code change, ensure to rebuild and restart the respective service: ```sh -# Example for working on the repo server Go code, see other service names in `Procfile` +# Example for working on the repo server Go code, see other service names in +# `Procfile` goreman run restart repo-server ``` diff --git a/docs/operator-manual/application.yaml b/docs/operator-manual/application.yaml index 864a293ce6890..59a9a8e0e3324 100644 --- a/docs/operator-manual/application.yaml +++ b/docs/operator-manual/application.yaml 
@@ -19,15 +19,23 @@ spec: # Source of the application manifests source: - repoURL: https://github.com/argoproj/argocd-example-apps.git # Can point to either a Helm chart repo or a git repo. + repoURL: https://github.com/argoproj/argocd-example-apps.git # Can point to + # either a + # Helm chart + # repo or a + # git repo. targetRevision: HEAD # For Helm, this refers to the chart version. - path: guestbook # This has no meaning for Helm charts pulled directly from a Helm repo instead of git. + path: guestbook # This has no meaning for Helm charts pulled directly from + # a Helm repo instead of git. # helm specific config - chart: chart-name # Set this when pulling directly from a Helm repo. DO NOT set for git-hosted Helm charts. + chart: chart-name # Set this when pulling directly from a Helm repo. DO NOT + # set for git-hosted Helm charts. helm: - passCredentials: false # If true then adds --pass-credentials to Helm commands to pass credentials to all domains - # Extra parameters to set (same as setting through values.yaml, but these take precedence) + passCredentials: false # If true then adds --pass-credentials to Helm + # commands to pass credentials to all domains + # Extra parameters to set (same as setting through values.yaml, but these + # take precedence) parameters: - name: "nginx-ingress.controller.service.annotations.external-dns\\.alpha\\.kubernetes\\.io/hostname" value: mydomain.example.com @@ -48,10 +56,12 @@ spec: valueFiles: - values-prod.yaml - # Ignore locally missing valueFiles when installing Helm chart. Defaults to false + # Ignore locally missing valueFiles when installing Helm chart. Defaults + # to false ignoreMissingValueFiles: false - # Values file as block file. Prefer to use valuesObject if possible (see below) + # Values file as block file. Prefer to use valuesObject if possible (see + # below) values: | ingress: enabled: true 
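Review bot: The trailing comment on `repoURL` is now a five-line column of two-word fragments (`# either a`, `# Helm chart`, ...), which is harder to read and keep aligned than the single line it replaces. Putting it on its own line above the key, `# Can point to either a Helm chart repo or a git repo.`, stays within the line limit without any continuation lines. The `- repoURL` entry under `sources` in the `@@ -158,10 +181,18 @@` hunk has the same problem. While the `passCredentials` comment is being rewrapped, it could also say why the default is false, for example `# Leave false unless every domain the chart can be fetched from is trusted with the repository credentials.`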
@@ -83,25 +93,30 @@ spec: hosts: - mydomain.example.com - # Skip custom resource definition installation if chart contains custom resource definitions. Defaults to false + # Skip custom resource definition installation if chart contains custom + # resource definitions. Defaults to false skipCrds: false - # Optional Helm version to template with. If omitted it will fall back to look at the 'apiVersion' in Chart.yaml - # and decide which Helm binary to use automatically. This field can be either 'v2' or 'v3'. + # Optional Helm version to template with. If omitted it will fall back to + # look at the 'apiVersion' in Chart.yaml and decide which Helm binary to + # use automatically. This field can be either 'v2' or 'v3'. version: v2 # kustomize specific config kustomize: - # Optional kustomize version. Note: version must be configured in argocd-cm ConfigMap + # Optional kustomize version. Note: version must be configured in + # argocd-cm ConfigMap version: v3.5.4 - # Supported kustomize transformers. https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/ + # Supported kustomize transformers. + # https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/ namePrefix: prod- nameSuffix: -some-suffix commonLabels: foo: bar commonAnnotations: beep: boop-${ARGOCD_APP_REVISION} - # Toggle which enables/disables env variables substitution in commonAnnotations + # Toggle which enables/disables env variables substitution in + # commonAnnotations commonAnnotationsEnvsubst: true images: - gcr.io/heptio-images/ks-guestbook-demo:0.2 @@ -119,7 +134,8 @@ spec: extVars: - name: foo value: bar - # You can use "code" to determine if the value is either string (false, the default) or Jsonnet code (if code is true). + # You can use "code" to determine if the value is either string + # (false, the default) or Jsonnet code (if code is true). - code: true name: baz value: "true" 
@@ -128,19 +144,26 @@ spec: - code: false name: foo value: bar - # Exclude contains a glob pattern to match paths against that should be explicitly excluded from being used during - # manifest generation. This takes precedence over the `include` field. - # To match multiple patterns, wrap the patterns in {} and separate them with commas. For example: '{config.yaml,env-use2/*}' + # Exclude contains a glob pattern to match paths against that should be + # explicitly excluded from being used during manifest generation. This + # takes precedence over the `include` field. + # To match multiple patterns, wrap the patterns in {} and separate them + # with commas. + # For example: '{config.yaml,env-use2/*}' exclude: 'config.yaml' - # Include contains a glob pattern to match paths against that should be explicitly included during manifest - # generation. If this field is set, only matching manifests will be included. - # To match multiple patterns, wrap the patterns in {} and separate them with commas. For example: '{*.yml,*.yaml}' + # Include contains a glob pattern to match paths against that should be + # explicitly included during manifest generation. If this field is set, + # only matching manifests will be included. + # To match multiple patterns, wrap the patterns in {} and separate them + # with commas. + # For example: '{*.yml,*.yaml}' include: '*.yaml' # plugin specific config plugin: - # If the plugin is defined as a sidecar and name is not passed, the plugin will be automatically matched with the - # Application according to the plugin's discovery rules. + # If the plugin is defined as a sidecar and name is not passed, the plugin + # will be automatically matched with the Application according to the + # plugin's discovery rules. name: mypluginname # environment variables passed to the plugin env: 
@@ -158,10 +181,18 @@ spec: # Sources field specifies the list of sources for the application sources: - - repoURL: https://github.com/argoproj/argocd-example-apps.git # Can point to either a Helm chart repo or a git repo. + - repoURL: https://github.com/argoproj/argocd-example-apps.git # Can point + # to either + # a Helm + # chart repo + # or a git + # repo. targetRevision: HEAD # For Helm, this refers to the chart version. - path: guestbook # This has no meaning for Helm charts pulled directly from a Helm repo instead of git. - ref: my-repo # For Helm, acts as a reference to this source for fetching values files from this source. Has no meaning when under `source` field + path: guestbook # This has no meaning for Helm charts pulled directly + # from a Helm repo instead of git. + ref: my-repo # For Helm, acts as a reference to this source for fetching + # values files from this source. Has no meaning when under + # `source` field # Destination cluster and namespace to deploy the application destination: @@ -169,7 +200,8 @@ spec: server: https://kubernetes.default.svc # or cluster name # name: in-cluster - # The namespace will only be set for namespace-scoped resources that have not set a value for .metadata.namespace + # The namespace will only be set for namespace-scoped resources that have + # not set a value for .metadata.namespace namespace: guestbook # Extra information to show in the Argo CD Application details tab 
@@ -179,18 +211,34 @@ spec: # Sync policy syncPolicy: - automated: # automated sync by default retries failed attempts 5 times with following delays between attempts ( 5s, 10s, 20s, 40s, 80s ); retry controlled using `retry` field. - prune: true # Specifies if resources should be pruned during auto-syncing ( false by default ). - selfHeal: true # Specifies if partial app sync should be executed when resources are changed only in target Kubernetes cluster and no git change detected ( false by default ). - allowEmpty: false # Allows deleting all application resources during automatic syncing ( false by default ). + automated: # automated sync by default retries failed attempts 5 times with + # following delays between attempts ( 5s, 10s, 20s, 40s, 80s ); + # retry controlled using `retry` field. + prune: true # Specifies if resources should be pruned during auto-syncing + # ( false by default ). + selfHeal: true # Specifies if partial app sync should be executed when + # resources are changed only in target Kubernetes cluster + # and no git change detected ( false by default ). + allowEmpty: false # Allows deleting all application resources during + # automatic syncing ( false by default ). syncOptions: # Sync options which modifies sync behavior - - Validate=false # disables resource validation (equivalent to 'kubectl apply --validate=false') ( true by default ). - - CreateNamespace=true # Namespace Auto-Creation ensures that namespace specified as the application destination exists in the destination cluster. - - PrunePropagationPolicy=foreground # Supported policies are background, foreground and orphan. 
- - PruneLast=true # Allow the ability for resource pruning to happen as a final, implicit wave of a sync operation - - RespectIgnoreDifferences=true # When syncing changes, respect fields ignored by the ignoreDifferences configuration - - ApplyOutOfSyncOnly=true # Only sync out-of-sync resources, rather than applying every object in the application - managedNamespaceMetadata: # Sets the metadata for the application namespace. Only valid if CreateNamespace=true (see above), otherwise it's a no-op. + - Validate=false # disables resource validation (equivalent to 'kubectl + # apply --validate=false') ( true by default ). + - CreateNamespace=true # Namespace Auto-Creation ensures that namespace + # specified as the application destination exists in + # the destination cluster. + - PrunePropagationPolicy=foreground # Supported policies are background, + # foreground and orphan. + - PruneLast=true # Allow the ability for resource pruning to happen as a + # final, implicit wave of a sync operation + - RespectIgnoreDifferences=true # When syncing changes, respect fields + # ignored by the ignoreDifferences + # configuration + - ApplyOutOfSyncOnly=true # Only sync out-of-sync resources, rather than + # applying every object in the application + managedNamespaceMetadata: # Sets the metadata for the application namespace. + # Only valid if CreateNamespace=true (see above), + # otherwise it's a no-op. labels: # The labels to set on the application namespace any: label you: like 
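Review bot: The wrap on the `Validate=false` comment breaks inside the quoted command, leaving `'kubectl` at the end of one line and `apply --validate=false')` on the next, so the command can no longer be searched for or copied as a unit. Break before the parenthesis instead: `# disables resource validation` followed by `# (equivalent to 'kubectl apply --validate=false') ( true by default ).` The multi-line trailing comments on `automated:`, `selfHeal` and `managedNamespaceMetadata:` would also be clearer as comment lines above their keys, because a continuation line sitting between two keys can be read as describing the next one.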
@@ -201,14 +249,19 @@ spec: # The retry feature is available since v1.7 retry: - limit: 5 # number of failed sync attempt retries; unlimited number of attempts if less than 0 + limit: 5 # number of failed sync attempt retries; unlimited number of + # attempts if less than 0 backoff: - duration: 5s # the amount to back off. Default unit is seconds, but could also be a duration (e.g. "2m", "1h") - factor: 2 # a factor to multiply the base duration after each failed retry - maxDuration: 3m # the maximum amount of time allowed for the backoff strategy + duration: 5s # the amount to back off. Default unit is seconds, but + # could also be a duration (e.g. "2m", "1h") + factor: 2 # a factor to multiply the base duration after each failed + # retry + maxDuration: 3m # the maximum amount of time allowed for the backoff + # strategy - # Will ignore differences between live and desired states during the diff. Note that these configurations are not - # used during the sync process unless the `RespectIgnoreDifferences=true` sync option is enabled. + # Will ignore differences between live and desired states during the diff. + # Note that these configurations are not used during the sync process unless + # the `RespectIgnoreDifferences=true` sync option is enabled. ignoreDifferences: # for the specified json pointers - group: apps 
@@ -223,12 +276,15 @@ spec: kind: "*" managedFieldsManagers: - kube-controller-manager - # Name and namespace are optional. If specified, they must match exactly, these are not glob patterns. + # Name and namespace are optional. If specified, they must match exactly, + # these are not glob patterns. name: my-deployment namespace: my-namespace - # RevisionHistoryLimit limits the number of items kept in the application's revision history, which is used for - # informational purposes as well as for rollbacks to previous versions. This should only be changed in exceptional - # circumstances. Setting to zero will store no history. This will reduce storage used. Increasing will increase the - # space used to store the history, so we do not recommend increasing it. + # RevisionHistoryLimit limits the number of items kept in the application's + # revision history, which is used for informational purposes as well as for + # rollbacks to previous versions. This should only be changed in exceptional + # circumstances. Setting to zero will store no history. This will reduce + # storage used. Increasing will increase the space used to store the history, + # so we do not recommend increasing it. revisionHistoryLimit: 10 diff --git a/docs/operator-manual/applicationset.yaml b/docs/operator-manual/applicationset.yaml index 88264493e248d..55b37941a0144 100644 --- a/docs/operator-manual/applicationset.yaml +++ b/docs/operator-manual/applicationset.yaml @@ -3,7 +3,8 @@ kind: ApplicationSet metadata: name: test-hello-world-appset namespace: argocd - # To preserve this annotation and label we can use the preservedFields property + # To preserve this annotation and label we can use the preservedFields + # property preservedFields: # This annotation and label exists only on this Application, and not in # the parent ApplicationSet template: 
@@ -22,8 +23,9 @@ spec: # Specify the configMap where the plugin configuration is located. configMapRef: name: my-plugin - # You can pass arbitrary parameters to the plugin. `input.parameters` is a map, but values may be any type. - # These parameters will also be available on the generator's output under the `generator.input.parameters` key. + # You can pass arbitrary parameters to the plugin. `input.parameters` is a + # map, but values may be any type. These parameters will also be available + # on the generator's output under the `generator.input.parameters` key. input: parameters: key1: "value1" 
@@ -34,24 +36,29 @@ spec: key1: "value1" key2: "value2" key3: "value3" - # You can also attach arbitrary values to the generator's output under the `values` key. These values will be - # available in templates under the `values` key. + # You can also attach arbitrary values to the generator's output under + # the `values` key. These values will be available in templates under + # the `values` key. values: value1: something - # When using a Plugin generator, the ApplicationSet controller polls every `requeueAfterSeconds` interval (defaulting to every 30 minutes) to detect changes. + # When using a Plugin generator, the ApplicationSet controller polls + # every `requeueAfterSeconds` interval (defaulting to every 30 minutes) + # to detect changes. requeueAfterSeconds: 30 # to automatically discover repositories within an organization - scmProvider: # Which protocol to clone using. cloneProtocol: ssh - # The GitHub mode uses the GitHub API to scan an organization in either github.com or GitHub Enterprise + # The GitHub mode uses the GitHub API to scan an organization in either + # github.com or GitHub Enterprise github: # The GitHub organization to scan. organization: myorg # For GitHub Enterprise: api: https://git.example.com/ - # If true, scan every branch of every repository. If false, scan only the default branch. Defaults to false. + # If true, scan every branch of every repository. If false, scan only + # the default branch. Defaults to false. allBranches: true # Reference to a Secret containing an access token. (optional) tokenRef: @@ -63,7 +70,8 @@ spec: values: name: "{{organization}}-{{repository}}" - #The GitLab mode uses the GitLab API to scan and organization in either gitlab.com or self-hosted GitLab. + #The GitLab mode uses the GitLab API to scan and organization in either + #gitlab.com or self-hosted GitLab. gitlab: #The Gitea mode uses the Gitea API to scan organizations in your instance gitea: 
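Review bot: The rewrapped GitLab comment keeps the `#The` form with no space after the hash, adds a second line in the same form (`#gitlab.com or self-hosted GitLab.`), and carries over the typo "scan and organization". Since both lines are rewritten here, use `# The GitLab mode uses the GitLab API to scan an organization in either` and `# gitlab.com or self-hosted GitLab.` The awsCodeCommit comment in the `@@ -71,18 +79,22 @@` hunk has the same missing space and the typo `regionsz`, which should read `regions`.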
@@ -71,18 +79,22 @@ spec: bitbucketServer: #Uses the Azure DevOps API to look up eligible repositories azureDevOps: - # The Bitbucket mode uses the Bitbucket API V2 to scan a workspace in bitbucket.org + # The Bitbucket mode uses the Bitbucket API V2 to scan a workspace in + # bitbucket.org bitbucket: - #Uses AWS ResourceGroupsTagging and AWS CodeCommit APIs to scan repos across AWS accounts and regionsz + #Uses AWS ResourceGroupsTagging and AWS CodeCommit APIs to scan repos + #across AWS accounts and regionsz awsCodeCommit: #Filters allow selecting which repositories to generate for. filters: - # Include any repository starting with "myapp" AND including a Kustomize config AND labeled with "deploy-ok" ... + # Include any repository starting with "myapp" AND including a Kustomize + # config AND labeled with "deploy-ok" ... - repositoryMatch: ^myapp pathsExist: [kubernetes/kustomization.yaml] labelMatch: deploy-ok - # ... OR include any repository starting with "otherapp" AND a Helm folder and doesn't have file disabledrepo.txt. + # ... OR include any repository starting with "otherapp" AND a Helm + # folder and doesn't have file disabledrepo.txt. - repositoryMatch: ^otherapp pathsExist: [helm] pathsDoNotExist: [disabledrepo.txt] @@ -120,12 +132,14 @@ spec: # Determines whether go templating will be used in the `template` field below. goTemplate: true - # Optional list of go templating options, see https://pkg.go.dev/text/template#Template.Option + # Optional list of go templating options, see + # https://pkg.go.dev/text/template#Template.Option # This is only relevant if `goTemplate` is true goTemplateOptions: ["missingkey=error"] # These fields are identical to the Application spec. - # The generator's template field takes precedence over the spec's template fields + # The generator's template field takes precedence over the spec's template + # fields template: metadata: name: test-hello-world-app 
@@ -136,16 +150,20 @@ spec: selfHeal: true syncOptions: - CreateNamespace=true - # defines from which Git repository to extract the desired Application manifests + # defines from which Git repository to extract the desired Application + # manifests source: - chart: '{{.chart}}' - # developers may customize app details using JSON files from above repo URL + # developers may customize app details using JSON files from above repo + # URL repoURL: https://github.com/argoproj/argo-cd.git targetRevision: HEAD # Path within the repository where Kubernetes manifests are located path: applicationset/examples/list-generator/guestbook/{{cluster}} helm: - useCredentials: "{{.useCredentials}}" # This field may NOT be templated, because it is a boolean field + useCredentials: "{{.useCredentials}}" # This field may NOT be + # templated, because it is a + # boolean field parameters: - name: "image.tag" value: "pull-{{head_sha}}" @@ -154,7 +172,8 @@ spec: - name: throw-away value: "{{end}}" destination: - # Only one of name or server may be specified: if both are specified, an error is returned. + # Only one of name or server may be specified: if both are specified, an + # error is returned. # Name of the cluster (within Argo CD) to deploy to name: production-cluster # cluster is restricted # API Server URL for the cluster 
@@ -162,23 +181,28 @@ spec: # Target namespace in which to deploy the manifests from source namespace: dev-team-one # namespace is restricted - # This sync policy pertains to the ApplicationSet, not to the Applications it creates. + # This sync policy pertains to the ApplicationSet, not to the Applications it + # creates. syncPolicy: # Prevents ApplicationSet controller from modifying or deleting Applications applicationsSync: create-only - # Prevents ApplicationSet controller from deleting Applications. Update is allowed + # Prevents ApplicationSet controller from deleting Applications. Update is + # allowed # applicationsSync: create-update - # Prevents ApplicationSet controller from modifying Applications. Delete is allowed. + # Prevents ApplicationSet controller from modifying Applications. Delete is + # allowed. # applicationsSync: create-delete syncOptions: - CreateNamespace=true - # Prevent an Application's child resources from being deleted, when the parent Application is deleted + # Prevent an Application's child resources from being deleted, when the + # parent Application is deleted preserveResourcesOnDeletion: true - # which fields of the ApplicationSet should be ignored when comparing Applications. + # which fields of the ApplicationSet should be ignored when comparing + # Applications. ignoreApplicationDifferences: - jsonPointers: - /spec/source/targetRevision 
@@ -187,32 +211,39 @@ spec: - .spec.source.helm.values strategy: - # This field lets you define fields which should be ignored when applying Application resources. This is helpful if you - # want to use ApplicationSets to create apps, but also want to allow users to modify those apps without having their - # changes overwritten by the ApplicationSet. - # This update strategy allows you to group Applications by labels present on the generated Application resources + # This field lets you define fields which should be ignored when applying + # Application resources. This is helpful if you want to use ApplicationSets to + # create apps, but also want to allow users to modify those apps without + # having their changes overwritten by the ApplicationSet. + # This update strategy allows you to group Applications by labels present + # on the generated Application resources type: RollingSync rollingSync: steps: - # Application groups are selected using their labels and matchExpressions + # Application groups are selected using their labels and + # matchExpressions - matchExpressions: - key: envLabel operator: In values: - env-dev - # maxUpdate: 100% # if undefined, all applications matched are updated together (default is 100%) + # maxUpdate: 100% # if undefined, all applications matched are updated + # together (default is 100%) - matchExpressions: - key: envLabel operator: In values: - env-qa - maxUpdate: 0 # if 0, no matched applications will be synced unless they're synced manually + maxUpdate: 0 # if 0, no matched applications will be synced + # unless they're synced manually - matchExpressions: - key: envLabel operator: In values: - env-prod - maxUpdate: 10% # maxUpdate supports both integer and percentage string values (rounds down, but floored at 1 Application for >0%) + maxUpdate: 10% # maxUpdate supports both integer and percentage + # string values (rounds down, but floored at 1 + # Application for >0%) ignoreApplicationDifferences: - jsonPointers: 
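Review bot: The first comment paragraph under `strategy:` ("This field lets you define fields which should be ignored when applying Application resources ...") appears to describe `ignoreApplicationDifferences` rather than the update strategy, and the rewrap carries it over unchanged. If that reading is right, move it next to the `ignoreApplicationDifferences` key and keep only `# This update strategy allows you to group Applications by labels present on the generated Application resources` here. The `strategy` mapping continues past the end of this hunk, so the placement should be checked against the full file.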
@@ -225,7 +256,8 @@ spec: - clusterDecisionResource: # ConfigMap with GVK information for the duck type resource configMapRef: my-configmap - name: quak # Choose either "name" of the resource or "labelSelector" + name: quak # Choose either "name" of the resource or + # "labelSelector" labelSelector: matchLabels: # OPTIONAL duck: spotted @@ -238,9 +270,12 @@ spec: # OPTIONAL: Checks for changes every 60sec (default 3min) requeueAfterSeconds: 60 - # The Pull Request generator uses the API of an SCMaaS provider to automatically discover open pull requests within a repository + # The Pull Request generator uses the API of an SCMaaS provider to + # automatically discover open pull requests within a repository - pullRequest: - # When using a Pull Request generator, the ApplicationSet controller polls every `requeueAfterSeconds` interval (defaulting to every 30 minutes) to detect changes. + # When using a Pull Request generator, the ApplicationSet controller polls + # every `requeueAfterSeconds` interval (defaulting to every 30 minutes) to + # detect changes. requeueAfterSeconds: 1800 # See below for provider specific options. # Specify the repository from which to fetch the GitHub Pull requests. 
@@ -270,16 +305,19 @@ spec: gitlab: # Specify the repository from which to fetch the Gitea Pull requests. gitea: - # Fetch pull requests from a repo hosted on a Bitbucket Server (not the same as Bitbucket Cloud). + # Fetch pull requests from a repo hosted on a Bitbucket Server (not the + # same as Bitbucket Cloud). bitbucketServer: # Fetch pull requests from a repo hosted on a Bitbucket Cloud. bitbucket: - # Specify the organization, project and repository from which you want to fetch pull requests. + # Specify the organization, project and repository from which you want to + # fetch pull requests. azuredevops: # Fetch pull requests from AWS CodeCommit repositories. awsCodeCommit: -# The list generator generates a set of two application which then filter by the key value to only select the env with value staging +# The list generator generates a set of two application which then filter by the +# key value to only select the env with value staging - list: elements: - cluster: engineering-dev @@ -288,7 +326,8 @@ spec: - cluster: engineering-prod url: https://kubernetes.default.svc env: prod - # The generator's template field takes precedence over the spec's template fields + # The generator's template field takes precedence over the spec's template + # fields template: metadata: {} spec: @@ -311,4 +350,4 @@ spec: operator: In values: - https://kubernetes.default.svc - - https://some-other-cluster \ No newline at end of file + - https://some-other-cluster diff --git a/docs/operator-manual/applicationset/Appset-Any-Namespace.md b/docs/operator-manual/applicationset/Appset-Any-Namespace.md index 4e28bc3a8172d..7db280564bfcd 100644 --- a/docs/operator-manual/applicationset/Appset-Any-Namespace.md +++ b/docs/operator-manual/applicationset/Appset-Any-Namespace.md 
@@ -42,9 +42,11 @@ spec: gitea: # The Gitea owner to scan. owner: myorg - # With this malicious setting, user can send all request to a Pod that will log incoming requests including headers with tokens + # With this malicious setting, user can send all request to a Pod that + # will log incoming requests including headers with tokens api: http://my-service.my-namespace.svc.cluster.local - # If true, scan every branch of every repository. If false, scan only the default branch. Defaults to false. + # If true, scan every branch of every repository. If false, scan only + # the default branch. Defaults to false. allBranches: true # By changing this token reference, user can exfiltrate any secrets tokenRef: @@ -228,4 +230,4 @@ spec: - clusters: {} # Automatically use all clusters defined within Argo CD ``` -If you don't want to allow users to discover all clusters with ApplicationSets from other namespaces you may consider deploying ArgoCD in namespace scope or use OPA rules. \ No newline at end of file +If you don't want to allow users to discover all clusters with ApplicationSets from other namespaces you may consider deploying ArgoCD in namespace scope or use OPA rules. diff --git a/docs/operator-manual/applicationset/Generators-Cluster.md b/docs/operator-manual/applicationset/Generators-Cluster.md index aa18983fe3d54..6a38a56f5546f 100644 --- a/docs/operator-manual/applicationset/Generators-Cluster.md +++ b/docs/operator-manual/applicationset/Generators-Cluster.md 
@@ -20,8 +20,9 @@ Within [Argo CD cluster Secrets](../../declarative-setup/#clusters) are data fie ```yaml kind: Secret data: - # Within Kubernetes these fields are actually encoded in Base64; they are decoded here for convenience. - # (They are likewise decoded when passed as parameters by the Cluster generator) + # Within Kubernetes these fields are actually encoded in Base64; they are + # decoded here for convenience. (They are likewise decoded when passed as + # parameters by the Cluster generator) config: "{'tlsClientConfig':{'insecure':false}}" name: "in-cluster2" server: "https://kubernetes.default.svc" @@ -224,7 +225,8 @@ spec: type: 'staging' # A key-value map for arbitrary parameters values: - # If `my-custom-annotation` is in your cluster secret, `revision` will be substituted with it. + # If `my-custom-annotation` is in your cluster secret, `revision` will + # be substituted with it. revision: '{{index .metadata.annotations "my-custom-annotation"}}' clusterName: '{{.name}}' - clusters: diff --git a/docs/operator-manual/applicationset/Generators-Plugin.md b/docs/operator-manual/applicationset/Generators-Plugin.md index d0888b9949b8e..898c71081092c 100644 --- a/docs/operator-manual/applicationset/Generators-Plugin.md +++ b/docs/operator-manual/applicationset/Generators-Plugin.md @@ -29,8 +29,10 @@ spec: # Specify the configMap where the plugin configuration is located. configMapRef: name: my-plugin - # You can pass arbitrary parameters to the plugin. `input.parameters` is a map, but values may be any type. - # These parameters will also be available on the generator's output under the `generator.input.parameters` key. + # You can pass arbitrary parameters to the plugin. `input.parameters` is + # a map, but values may be any type. These parameters will also be + # available on the generator's output under the + # `generator.input.parameters` key. input: parameters: key1: "value1" 
@@ -42,12 +44,15 @@ spec: key2: "value2" key3: "value3" - # You can also attach arbitrary values to the generator's output under the `values` key. These values will be - # available in templates under the `values` key. + # You can also attach arbitrary values to the generator's output under + # the `values` key. These values will be available in templates under + # the `values` key. values: value1: something - # When using a Plugin generator, the ApplicationSet controller polls every `requeueAfterSeconds` interval (defaulting to every 30 minutes) to detect changes. + # When using a Plugin generator, the ApplicationSet controller polls + # every `requeueAfterSeconds` interval (defaulting to every 30 minutes) + # to detect changes. requeueAfterSeconds: 30 template: metadata: @@ -75,7 +80,8 @@ metadata: name: my-plugin namespace: argocd data: - token: "$plugin.myplugin.token" # Alternatively $:plugin.myplugin.token + token: "$plugin.myplugin.token" # Alternatively + # $:plugin.myplugin.token baseUrl: "http://myplugin.plugin-ns.svc.cluster.local." ``` diff --git a/docs/operator-manual/applicationset/Generators-Pull-Request.md b/docs/operator-manual/applicationset/Generators-Pull-Request.md index a213c1dbb23bb..5f69fb0ef9de8 100644 --- a/docs/operator-manual/applicationset/Generators-Pull-Request.md +++ b/docs/operator-manual/applicationset/Generators-Pull-Request.md @@ -12,7 +12,9 @@ spec: goTemplateOptions: ["missingkey=error"] generators: - pullRequest: - # When using a Pull Request generator, the ApplicationSet controller polls every `requeueAfterSeconds` interval (defaulting to every 30 minutes) to detect changes. + # When using a Pull Request generator, the ApplicationSet controller polls + # every `requeueAfterSeconds` interval (defaulting to every 30 minutes) to + # detect changes. requeueAfterSeconds: 1800 # See below for provider specific options. github: 
@@ -97,7 +99,8 @@ spec: - preview # MR state is used to filter MRs only with a certain state. (optional) pullRequestState: opened - # If true, skips validating the SCM provider's TLS certificate - useful for self-signed certificates. + # If true, skips validating the SCM provider's TLS certificate - useful + # for self-signed certificates. insecure: false requeueAfterSeconds: 1800 template: @@ -138,7 +141,8 @@ spec: tokenRef: secretName: gitea-token key: token - # many gitea deployments use TLS, but many are self-hosted and self-signed certificates + # many gitea deployments use TLS, but many are self-hosted and + # self-signed certificates insecure: true requeueAfterSeconds: 1800 template: @@ -170,16 +174,18 @@ spec: repo: myrepository # URL of the Bitbucket Server. Required. api: https://mycompany.bitbucket.org - # Credentials for Basic authentication. Required for private repositories. + # Credentials for Basic authentication. Required for private + # repositories. basicAuth: # The username to authenticate with username: myuser - # Reference to a Secret containing the password or personal access token. + # Reference to a Secret containing the password or personal access + # token. passwordRef: secretName: mypassword key: password - # Labels are not supported by Bitbucket Server, so filtering by label is not possible. - # Filter PRs using the source branch name. (optional) + # Labels are not supported by Bitbucket Server, so filtering by label is + # not possible. Filter PRs using the source branch name. (optional) filters: - branchMatch: ".*-argocd" template: 
@@ -214,25 +220,29 @@ spec: owner: myproject # Repository slug. Required. repo: myrepository - # URL of the Bitbucket Server. (optional) Will default to 'https://api.bitbucket.org/2.0'. + # URL of the Bitbucket Server. (optional) Will default to + # 'https://api.bitbucket.org/2.0'. api: https://api.bitbucket.org/2.0 - # Credentials for Basic authentication (App Password). Either basicAuth or bearerToken - # authentication is required to access private repositories + # Credentials for Basic authentication (App Password). Either + # basicAuth or bearerToken authentication is required to access + # private repositories basicAuth: # The username to authenticate with username: myuser - # Reference to a Secret containing the password or personal access token. + # Reference to a Secret containing the password or personal access + # token. passwordRef: secretName: mypassword key: password - # Credentials for Bearer Token (App Token) authentication. Either basicAuth or bearerToken - # authentication is required to access private repositories + # Credentials for Bearer Token (App Token) authentication. Either + # basicAuth or bearerToken authentication is required to access + # private repositories bearerToken: tokenRef: secretName: repotoken key: token - # Labels are not supported by Bitbucket Cloud, so filtering by label is not possible. - # Filter PRs using the source branch name. (optional) + # Labels are not supported by Bitbucket Cloud, so filtering by label is + # not possible. Filter PRs using the source branch name. (optional) filters: - branchMatch: ".*-argocd" template: @@ -274,7 +284,8 @@ spec: project: myproject # Azure DevOps repo name to scan. Required. repo: myrepository - # The Azure DevOps API URL to talk to. If blank, use https://dev.azure.com/. + # The Azure DevOps API URL to talk to. If blank, use + # https://dev.azure.com/. api: https://dev.azure.com/ # Reference to a Secret containing an access token. (optional) tokenRef: 
diff --git a/docs/operator-manual/applicationset/Generators-SCM-Provider.md b/docs/operator-manual/applicationset/Generators-SCM-Provider.md index 40c8e552fe573..aa24354a755cd 100644 --- a/docs/operator-manual/applicationset/Generators-SCM-Provider.md +++ b/docs/operator-manual/applicationset/Generators-SCM-Provider.md @@ -42,7 +42,8 @@ spec: organization: myorg # For GitHub Enterprise: api: https://git.example.com/ - # If true, scan every branch of every repository. If false, scan only the default branch. Defaults to false. + # If true, scan every branch of every repository. If false, scan only + # the default branch. Defaults to false. allBranches: true # Reference to a Secret containing an access token. (optional) tokenRef: 
@@ -79,24 +80,30 @@ spec: generators: - scmProvider: gitlab: - # The base GitLab group to scan. You can either use the group id or the full namespaced path. + # The base GitLab group to scan. You can either use the group id or the + # full namespaced path. group: "8675309" # For self-hosted GitLab: api: https://gitlab.example.com/ - # If true, scan every branch of every repository. If false, scan only the default branch. Defaults to false. + # If true, scan every branch of every repository. If false, scan only + # the default branch. Defaults to false. allBranches: true - # If true, recurses through subgroups. If false, it searches only in the base group. Defaults to false. + # If true, recurses through subgroups. If false, it searches only in the + # base group. Defaults to false. includeSubgroups: true - # If true and includeSubgroups is also true, include Shared Projects, which is gitlab API default. - # If false only search Projects under the same path. Defaults to true. + # If true and includeSubgroups is also true, include Shared Projects, + # which is gitlab API default. If false only search Projects under the + # same path. Defaults to true. includeSharedProjects: false - # filter projects by topic. A single topic is supported by Gitlab API. Defaults to "" (all topics). + # filter projects by topic. A single topic is supported by Gitlab API. + # Defaults to "" (all topics). topic: "my-topic" # Reference to a Secret containing an access token. (optional) tokenRef: secretName: gitlab-token key: token - # If true, skips validating the SCM provider's TLS certificate - useful for self-signed certificates. + # If true, skips validating the SCM provider's TLS certificate - useful + # for self-signed certificates. insecure: false template: # ... 
@@ -140,7 +147,8 @@ spec: owner: myorg # The Gitea instance url api: https://gitea.mydomain.com/ - # If true, scan every branch of every repository. If false, scan only the default branch. Defaults to false. + # If true, scan every branch of every repository. If false, scan only + # the default branch. Defaults to false. allBranches: true # Reference to a Secret containing an access token. (optional) tokenRef: @@ -176,17 +184,21 @@ spec: project: myproject # URL of the Bitbucket Server. Required. api: https://mycompany.bitbucket.org - # If true, scan every branch of every repository. If false, scan only the default branch. Defaults to false. + # If true, scan every branch of every repository. If false, scan only + # the default branch. Defaults to false. allBranches: true - # Credentials for Basic authentication. Required for private repositories. + # Credentials for Basic authentication. Required for private + # repositories. basicAuth: # The username to authenticate with username: myuser - # Reference to a Secret containing the password or personal access token. + # Reference to a Secret containing the password or personal access + # token. passwordRef: secretName: mypassword key: password - # Support for filtering by labels is TODO. Bitbucket server labels are not supported for PRs, but they are for repos + # Support for filtering by labels is TODO. Bitbucket server labels are + # not supported for PRs, but they are for repos template: # ... ``` 
@@ -219,11 +231,14 @@ spec: organization: myorg # URL to Azure DevOps. Optional. Defaults to https://dev.azure.com. api: https://dev.azure.com - # If true, scan every branch of eligible repositories. If false, check only the default branch of the eligible repositories. Defaults to false. + # If true, scan every branch of eligible repositories. If false, check + # only the default branch of the eligible repositories. Defaults to + # false. allBranches: true # The team project within the specified Azure DevOps organization. teamProject: myProject - # Reference to a Secret containing the Azure DevOps Personal Access Token (PAT) used for accessing Azure DevOps. + # Reference to a Secret containing the Azure DevOps Personal Access + # Token (PAT) used for accessing Azure DevOps. accessTokenRef: secretName: azure-devops-scm key: accesstoken @@ -254,7 +269,8 @@ spec: owner: "example-owner" # The user to use for basic authentication with an app password. user: "example-user" - # If true, scan every branch of every repository. If false, scan only the main branch. Defaults to false. + # If true, scan every branch of every repository. If false, scan only + # the main branch. Defaults to false. allBranches: true # Reference to a Secret containing an app password. appPasswordRef: @@ -292,7 +308,8 @@ spec: # AWS role to assume to scan repos. # default to the environmental role from ApplicationSet controller. role: arn:aws:iam::111111111111:role/argocd-application-set-discovery - # If true, scan every branch of every repository. If false, scan only the main branch. Defaults to false. + # If true, scan every branch of every repository. If false, scan only + # the main branch. Defaults to false. allBranches: true # AWS resource tags to filter repos with. # see https://docs.aws.amazon.com/resourcegroupstagging/latest/APIReference/API_GetResources.html#resourcegrouptagging-GetResources-request-TagFilters for details 
@@ -367,11 +384,13 @@ spec: generators: - scmProvider: filters: - # Include any repository starting with "myapp" AND including a Kustomize config AND labeled with "deploy-ok" ... + # Include any repository starting with "myapp" AND including a Kustomize + # config AND labeled with "deploy-ok" ... - repositoryMatch: ^myapp pathsExist: [kubernetes/kustomization.yaml] labelMatch: deploy-ok - # ... OR include any repository starting with "otherapp" AND a Helm folder and doesn't have file disabledrepo.txt. + # ... OR include any repository starting with "otherapp" AND a Helm folder + # and doesn't have file disabledrepo.txt. - repositoryMatch: ^otherapp pathsExist: [helm] pathsDoNotExist: [disabledrepo.txt] diff --git a/docs/operator-manual/applicationset/GoTemplate.md b/docs/operator-manual/applicationset/GoTemplate.md index 1b651200bc6cc..97679b828cefc 100644 --- a/docs/operator-manual/applicationset/GoTemplate.md +++ b/docs/operator-manual/applicationset/GoTemplate.md @@ -66,7 +66,9 @@ possible with Go text templates: spec: source: helm: - useCredentials: "{{.useCredentials}}" # This field may NOT be templated, because it is a boolean field. + useCredentials: "{{.useCredentials}}" # This field may NOT be + # templated, because it + # is a boolean field. - Templating an object field: @@ -78,7 +80,8 @@ possible with Go text templates: goTemplateOptions: ["missingkey=error"] template: spec: - syncPolicy: "{{.syncPolicy}}" # This field may NOT be templated, because it is an object field. + syncPolicy: "{{.syncPolicy}}" # This field may NOT be templated, + # because it is an object field. - Using control keywords across fields: 
@@ -93,7 +96,8 @@ possible with Go text templates: source: helm: parameters: - # Each of these fields is evaluated as an independent template, so the first one will fail with an error. + # Each of these fields is evaluated as an independent + # template, so the first one will fail with an error. - name: "{{range .parameters}}" - name: "{{.name}}" value: "{{.value}}" diff --git a/docs/operator-manual/applicationset/Progressive-Syncs.md b/docs/operator-manual/applicationset/Progressive-Syncs.md index edfe0dad101f2..d4dc763b9a281 100644 --- a/docs/operator-manual/applicationset/Progressive-Syncs.md +++ b/docs/operator-manual/applicationset/Progressive-Syncs.md @@ -79,7 +79,8 @@ spec: operator: In values: - env-dev - #maxUpdate: 100% # if undefined, all applications matched are updated together (default is 100%) + #maxUpdate: 100% # if undefined, all applications matched are updated + # together (default is 100%) - matchExpressions: - key: envLabel operator: In @@ -91,7 +92,9 @@ spec: operator: In values: - env-prod - maxUpdate: 10% # maxUpdate supports both integer and percentage string values (rounds down, but floored at 1 Application for >0%) + maxUpdate: 10% # maxUpdate supports both integer and percentage + # string values (rounds down, but floored at 1 + # Application for >0%) goTemplate: true goTemplateOptions: ["missingkey=error"] template: diff --git a/docs/operator-manual/applicationset/Template.md b/docs/operator-manual/applicationset/Template.md index d96fb39252fed..4a7e7920dca5a 100644 --- a/docs/operator-manual/applicationset/Template.md +++ b/docs/operator-manual/applicationset/Template.md 
@@ -99,7 +99,8 @@ spec: source: repoURL: https://github.com/argoproj/argo-cd.git targetRevision: HEAD - # This 'default' value is not used: it is replaced by the generator's template path, above + # This 'default' value is not used: it is replaced by the generator's + # template path, above path: applicationset/examples/template-override/default destination: server: '{{url}}' diff --git a/docs/operator-manual/applicationset/Use-Cases.md b/docs/operator-manual/applicationset/Use-Cases.md index a13c6598072ca..e2d47f3902602 100644 --- a/docs/operator-manual/applicationset/Use-Cases.md +++ b/docs/operator-manual/applicationset/Use-Cases.md @@ -97,7 +97,8 @@ spec: spec: project: dev-team-one # project is restricted source: - # developers may customize app details using JSON files from above repo URL + # developers may customize app details using JSON files from above repo + # URL repoURL: {{.app.source}} targetRevision: {{.app.revision}} path: {{.app.path}} diff --git a/docs/operator-manual/config-management-plugins.md b/docs/operator-manual/config-management-plugins.md index 7c86075ff2f7f..39f10daa8d65f 100644 --- a/docs/operator-manual/config-management-plugins.md +++ b/docs/operator-manual/config-management-plugins.md 
@@ -34,84 +34,107 @@ metadata: # The name of the plugin must be unique within a given Argo CD instance. name: my-plugin spec: - # The version of your plugin. Optional. If specified, the Application's spec.source.plugin.name field - # must be -. + # The version of your plugin. Optional. If specified, the Application's + # spec.source.plugin.name field must be -. version: v1.0 - # The init command runs in the Application source directory at the beginning of each manifest generation. The init - # command can output anything. A non-zero status code will fail manifest generation. + # The init command runs in the Application source directory at the beginning + # of each manifest generation. The init command can output anything. A + # non-zero status code will fail manifest generation. init: - # Init always happens immediately before generate, but its output is not treated as manifests. - # This is a good place to, for example, download chart dependencies. + # Init always happens immediately before generate, but its output is not + # treated as manifests. This is a good place to, for example, download chart + # dependencies. command: [sh] args: [-c, 'echo "Initializing..."'] - # The generate command runs in the Application source directory each time manifests are generated. Standard output - # must be ONLY valid Kubernetes Objects in either YAML or JSON. A non-zero exit code will fail manifest generation. - # To write log messages from the command, write them to stderr, it will always be displayed. - # Error output will be sent to the UI, so avoid printing sensitive information (such as secrets). + # The generate command runs in the Application source directory each time + # manifests are generated. Standard output must be ONLY valid Kubernetes + # Objects in either YAML or JSON. A non-zero exit code will fail manifest + # generation. To write log messages from the command, write them to stderr, it + # will always be displayed. 
Error output will be sent to the UI, so avoid + # printing sensitive information (such as secrets). generate: command: [sh, -c] args: - | echo "{\"kind\": \"ConfigMap\", \"apiVersion\": \"v1\", \"metadata\": { \"name\": \"$ARGOCD_APP_NAME\", \"namespace\": \"$ARGOCD_APP_NAMESPACE\", \"annotations\": {\"Foo\": \"$ARGOCD_ENV_FOO\", \"KubeVersion\": \"$KUBE_VERSION\", \"KubeApiVersion\": \"$KUBE_API_VERSIONS\",\"Bar\": \"baz\"}}}" - # The discovery config is applied to a repository. If every configured discovery tool matches, then the plugin may be - # used to generate manifests for Applications using the repository. If the discovery config is omitted then the plugin - # will not match any application but can still be invoked explicitly by specifying the plugin name in the app spec. - # Only one of fileName, find.glob, or find.command should be specified. If multiple are specified then only the - # first (in that order) is evaluated. + # The discovery config is applied to a repository. If every configured + # discovery tool matches, then the plugin may be used to generate manifests + # for Applications using the repository. If the discovery config is omitted + # then the plugin will not match any application but can still be invoked + # explicitly by specifying the plugin name in the app spec. Only one of + # fileName, find.glob, or find.command should be specified. If multiple are + # specified then only the first (in that order) is evaluated. discover: - # fileName is a glob pattern (https://pkg.go.dev/path/filepath#Glob) that is applied to the Application's source - # directory. If there is a match, this plugin may be used for the Application. + # fileName is a glob pattern (https://pkg.go.dev/path/filepath#Glob) that is + # applied to the Application's source directory. If there is a match, this + # plugin may be used for the Application. 
fileName: "./subdir/s*.yaml" find: - # This does the same thing as fileName, but it supports double-start (nested directory) glob patterns. + # This does the same thing as fileName, but it supports double-start + # (nested directory) glob patterns. glob: "**/Chart.yaml" - # The find command runs in the repository's root directory. To match, it must exit with status code 0 _and_ - # produce non-empty output to standard out. + # The find command runs in the repository's root directory. To match, it + # must exit with status code 0 _and_ produce non-empty output to standard + # out. command: [sh, -c, find . -name env.yaml] - # The parameters config describes what parameters the UI should display for an Application. It is up to the user to - # actually set parameters in the Application manifest (in spec.source.plugin.parameters). The announcements _only_ - # inform the "Parameters" tab in the App Details page of the UI. + # The parameters config describes what parameters the UI should display for an + # Application. It is up to the user to actually set parameters in the + # Application manifest (in spec.source.plugin.parameters). The announcements + # _only_ inform the "Parameters" tab in the App Details page of the UI. parameters: - # Static parameter announcements are sent to the UI for _all_ Applications handled by this plugin. - # Think of the `string`, `array`, and `map` values set here as "defaults". It is up to the plugin author to make - # sure that these default values actually reflect the plugin's behavior if the user doesn't explicitly set different - # values for those parameters. + # Static parameter announcements are sent to the UI for _all_ Applications + # handled by this plugin. Think of the `string`, `array`, and `map` values + # set here as "defaults". It is up to the plugin author to make sure that + # these default values actually reflect the plugin's behavior if the user + # doesn't explicitly set different values for those parameters. 
static: - name: string-param title: Description of the string param tooltip: Tooltip shown when the user hovers the - # If this field is set, the UI will indicate to the user that they must set the value. + # If this field is set, the UI will indicate to the user that they must + # set the value. required: false - # itemType tells the UI how to present the parameter's value (or, for arrays and maps, values). Default is - # "string". Examples of other types which may be supported in the future are "boolean" or "number". - # Even if the itemType is not "string", the parameter value from the Application spec will be sent to the plugin - # as a string. It's up to the plugin to do the appropriate conversion. + # itemType tells the UI how to present the parameter's value (or, for + # arrays and maps, values). Default is "string". Examples of other types + # which may be supported in the future are "boolean" or "number". Even + # if the itemType is not "string", the parameter value from the + # Application spec will be sent to the plugin as a string. It's up to + # the plugin to do the appropriate conversion. itemType: "" - # collectionType describes what type of value this parameter accepts (string, array, or map) and allows the UI - # to present a form to match that type. Default is "string". This field must be present for non-string types. - # It will not be inferred from the presence of an `array` or `map` field. + # collectionType describes what type of value this parameter accepts + # (string, array, or map) and allows the UI to present a form to match + # that type. Default is "string". This field must be present for + # non-string types. It will not be inferred from the presence of an + # `array` or `map` field. collectionType: "" - # This field communicates the parameter's default value to the UI. Setting this field is optional. + # This field communicates the parameter's default value to the UI. + # Setting this field is optional. 
string: default-string-value - # All the fields above besides "string" apply to both the array and map type parameter announcements. + # All the fields above besides "string" apply to both the array and map + # type parameter announcements. - name: array-param - # This field communicates the parameter's default value to the UI. Setting this field is optional. + # This field communicates the parameter's default value to the UI. + # Setting this field is optional. array: [default, items] collectionType: array - name: map-param - # This field communicates the parameter's default value to the UI. Setting this field is optional. + # This field communicates the parameter's default value to the UI. + # Setting this field is optional. map: some: value collectionType: map - # Dynamic parameter announcements are announcements specific to an Application handled by this plugin. For example, - # the values for a Helm chart's values.yaml file could be sent as parameter announcements. + # Dynamic parameter announcements are announcements specific to an + # Application handled by this plugin. For example, the values for a Helm + # chart's values.yaml file could be sent as parameter announcements. dynamic: - # The command is run in an Application's source directory. Standard output must be JSON matching the schema of the - # static parameter announcements list. + # The command is run in an Application's source directory. Standard output + # must be JSON matching the schema of the static parameter announcements + # list. command: [echo, '[{"name": "example-param", "string": "default-string-value"}]'] - # If set to `true` then the plugin receives repository files with original file mode. Dangerous since the repository - # might have executable files. Set to true only if you trust the CMP plugin authors. + # If set to `true` then the plugin receives repository files with original + # file mode. Dangerous since the repository might have executable files. 
Set + # to true only if you trust the CMP plugin authors. preserveFileMode: false ``` @@ -177,7 +200,9 @@ entrypoint. You can use either off-the-shelf or custom-built plugin image as sid ```yaml containers: - name: my-plugin - command: [/var/run/argocd/argocd-cmp-server] # Entrypoint should be Argo CD lightweight CMP server i.e. argocd-cmp-server + command: [/var/run/argocd/argocd-cmp-server] # Entrypoint should be Argo CD + # lightweight CMP server i.e. + # argocd-cmp-server image: busybox # This can be off-the-shelf or custom-built image securityContext: runAsNonRoot: true @@ -187,12 +212,14 @@ containers: name: var-files - mountPath: /home/argocd/cmp-server/plugins name: plugins - # Remove this volumeMount if you've chosen to bake the config file into the sidecar image. + # Remove this volumeMount if you've chosen to bake the config file into the + # sidecar image. - mountPath: /home/argocd/cmp-server/config/plugin.yaml subPath: plugin.yaml name: my-plugin-config - # Starting with v2.4, do NOT mount the same tmp volume as the repo-server container. The filesystem separation helps - # mitigate path traversal attacks. + # Starting with v2.4, do NOT mount the same tmp volume as the repo-server + # container. The filesystem separation helps mitigate path traversal + # attacks. - mountPath: /tmp name: cmp-tmp volumes: @@ -373,10 +400,12 @@ First, copy the plugin's configuration into its own YAML file. Take for example data: configManagementPlugins: | - name: pluginName - init: # Optional command to initialize application source directory + init: # Optional command to initialize + # application source directory command: ["sample command"] args: ["sample args"] - generate: # Command to generate Kubernetes Objects in either YAML or JSON + generate: # Command to generate Kubernetes Objects in + # either YAML or JSON command: ["sample command"] args: ["sample args"] lockRepo: true # Defaults to false. See below. 
@@ -390,10 +419,12 @@ kind: ConfigManagementPlugin metadata: name: pluginName spec: - init: # Optional command to initialize application source directory + init: # Optional command to initialize application + # source directory command: ["sample command"] args: ["sample args"] - generate: # Command to generate Kubernetes Objects in either YAML or JSON + generate: # Command to generate Kubernetes Objects in + # either YAML or JSON command: ["sample command"] args: ["sample args"] ``` @@ -419,10 +450,12 @@ data: metadata: name: pluginName spec: - init: # Optional command to initialize application source directory + init: # Optional command to initialize + # application source directory command: ["sample command"] args: ["sample args"] - generate: # Command to generate Kubernetes Objects in either YAML or JSON + generate: # Command to generate Kubernetes Objects in + # either YAML or JSON command: ["sample command"] args: ["sample args"] ``` @@ -449,7 +482,9 @@ metadata: spec: source: plugin: - name: pluginName # Delete this for auto-discovery (and set `plugin: {}` if `name` was the only value) or use proper sidecar plugin name + name: pluginName # Delete this for auto-discovery (and set `plugin: {}` + # if `name` was the only value) or use proper sidecar + # plugin name ``` ### Make sure the plugin has access to the tools it needs diff --git a/docs/operator-manual/custom_tools.md b/docs/operator-manual/custom_tools.md index e94a1d5ac6d03..0c5535417b169 100644 --- a/docs/operator-manual/custom_tools.md +++ b/docs/operator-manual/custom_tools.md @@ -24,7 +24,8 @@ the helm binary with a different version than what is bundled in Argo CD: volumes: - name: custom-tools emptyDir: {} - # 2. Use an init container to download/copy custom binaries into the emptyDir + # 2. Use an init container to download/copy custom binaries into the + # emptyDir initContainers: - name: download-tools image: alpine:3.8 
@@ -35,7 +36,8 @@ the helm binary with a different version than what is bundled in Argo CD: volumeMounts: - mountPath: /custom-tools name: custom-tools - # 3. Volume mount the custom binary to the bin directory (overriding the existing version) + # 3. Volume mount the custom binary to the bin directory (overriding the + # existing version) containers: - name: argocd-repo-server volumeMounts: @@ -56,8 +58,8 @@ FROM argoproj/argocd:v2.5.4 # Replace tag with the appropriate argo version # Switch to root for the ability to perform install USER root -# Install tools needed for your repo-server to retrieve & decrypt secrets, render manifests -# (e.g. curl, awscli, gpg, sops) +# Install tools needed for your repo-server to retrieve & decrypt secrets, +# render manifests (e.g. curl, awscli, gpg, sops) RUN apt-get update && \ apt-get install -y \ curl \ diff --git a/docs/operator-manual/declarative-setup.md b/docs/operator-manual/declarative-setup.md index 3830cb610796a..1bbd377a5d1e6 100644 --- a/docs/operator-manual/declarative-setup.md +++ b/docs/operator-manual/declarative-setup.md @@ -115,7 +115,8 @@ kind: AppProject metadata: name: my-project namespace: argocd - # Finalizer that ensures that project is not deleted until it is not referenced by any application + # Finalizer that ensures that project is not deleted until it is not + # referenced by any application finalizers: - resources-finalizer.argocd.argoproj.io spec: @@ -123,7 +124,8 @@ spec: # Allow manifests to deploy from any Git repos sourceRepos: - '*' - # Only permit applications to deploy to the guestbook namespace in the same cluster + # Only permit applications to deploy to the guestbook namespace in the same + # cluster destinations: - namespace: guestbook server: https://kubernetes.default.svc 
@@ -131,7 +133,8 @@ spec: clusterResourceWhitelist: - group: '' kind: Namespace - # Allow all namespaced-scoped resources to be created, except for ResourceQuota, LimitRange, NetworkPolicy + # Allow all namespaced-scoped resources to be created, except for + # ResourceQuota, LimitRange, NetworkPolicy namespaceResourceBlacklist: - group: '' kind: ResourceQuota @@ -139,7 +142,8 @@ spec: kind: LimitRange - group: '' kind: NetworkPolicy - # Deny all namespaced-scoped resources from being created, except for Deployment and StatefulSet + # Deny all namespaced-scoped resources from being created, except for + # Deployment and StatefulSet namespaceResourceWhitelist: - group: 'apps' kind: Deployment @@ -153,14 +157,15 @@ spec: - p, proj:my-project:read-only, applications, get, my-project/*, allow groups: - my-oidc-group - # A role which provides sync privileges to only the guestbook-dev application, e.g. to provide - # sync privileges to a CI system + # A role which provides sync privileges to only the guestbook-dev application, + # e.g. to provide sync privileges to a CI system - name: ci-role description: Sync privileges for guestbook-dev policies: - p, proj:my-project:ci-role, applications, sync, my-project/guestbook-dev, allow - # NOTE: JWT tokens can only be generated by the API server and the token is not persisted - # anywhere by Argo CD. It can be prematurely revoked by removing the entry from this list. + # NOTE: JWT tokens can only be generated by the API server and the token is + # not persisted anywhere by Argo CD. It can be prematurely revoked by + # removing the entry from this list. jwtTokens: - iat: 1535390316 ``` 
@@ -564,17 +569,20 @@ execProviderConfig: installHint: string # Transport layer security configuration settings tlsClientConfig: - # Base64 encoded PEM-encoded bytes (typically read from a client certificate file). + # Base64 encoded PEM-encoded bytes (typically read from a client certificate + # file). caData: string - # Base64 encoded PEM-encoded bytes (typically read from a client certificate file). + # Base64 encoded PEM-encoded bytes (typically read from a client certificate + # file). certData: string # Server should be accessed without verifying the TLS certificate insecure: boolean - # Base64 encoded PEM-encoded bytes (typically read from a client certificate key file). + # Base64 encoded PEM-encoded bytes (typically read from a client certificate + # key file). keyData: string - # ServerName is passed to the server for SNI and is used in the client to check server - # certificates against. If ServerName is empty, the hostname used to contact the - # server is used. + # ServerName is passed to the server for SNI and is used in the client to + # check server certificates against. If ServerName is empty, the hostname + # used to contact the server is used. serverName: string ``` 
@@ -722,10 +730,12 @@ Example kube-system/aws-auth configmap for your cluster managed by Argo CD: ```yaml apiVersion: v1 data: - # Other groups and accounts omitted for brevity. Ensure that no other rolearns and/or groups are inadvertently removed, - # or you risk borking access to your cluster. + # Other groups and accounts omitted for brevity. Ensure that no other rolearns + # and/or groups are inadvertently removed, or you risk borking access to your + # cluster. # - # The group name is a RoleBinding which you use to map to a [Cluster]Role. See https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-binding-examples + # The group name is a RoleBinding which you use to map to a [Cluster]Role. See + # https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-binding-examples mapRoles: | - "groups": - "" diff --git a/docs/operator-manual/ingress.md b/docs/operator-manual/ingress.md index aad2208c21873..1c744fa8cb948 100644 --- a/docs/operator-manual/ingress.md +++ b/docs/operator-manual/ingress.md @@ -32,7 +32,8 @@ metadata: name: argocd-server-cli namespace: argocd spec: - # NOTE: the port must be ignored if you have strip_matching_host_port enabled on envoy + # NOTE: the port must be ignored if you have strip_matching_host_port enabled + # on envoy host: argocd.example.com:443 prefix: / service: argocd-server:80 @@ -256,8 +257,8 @@ metadata: annotations: cert-manager.io/cluster-issuer: letsencrypt-prod nginx.ingress.kubernetes.io/ssl-passthrough: "true" - # If you encounter a redirect loop or are getting a 307 response code - # then you need to force the nginx ingress to connect to the backend using HTTPS. + # If you encounter a redirect loop or are getting a 307 response code then + # you need to force the nginx ingress to connect to the backend using HTTPS. # nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" spec: 
@@ -421,7 +422,8 @@ Once we create this service, we can configure the Ingress to conditionally route metadata: annotations: alb.ingress.kubernetes.io/backend-protocol: HTTPS - # Use this annotation (which must match a service name) to route traffic to HTTP2 backends. + # Use this annotation (which must match a service name) to route traffic + # to HTTP2 backends. alb.ingress.kubernetes.io/conditions.argogrpc: | [{"field":"http-header","httpHeaderConfig":{"httpHeaderName": "Content-Type", "values":["application/grpc"]}}] alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}]' @@ -704,7 +706,8 @@ spec: http: paths: - pathType: ImplementationSpecific - path: "/*" # "*" is needed. Without this, the UI Javascript and CSS will not load properly + path: "/*" # "*" is needed. Without this, the UI Javascript and CSS + # will not load properly backend: service: name: argocd-server diff --git a/docs/operator-manual/notifications/triggers.md b/docs/operator-manual/notifications/triggers.md index 49a6244777959..bb8a9988aa54d 100644 --- a/docs/operator-manual/notifications/triggers.md +++ b/docs/operator-manual/notifications/triggers.md @@ -57,7 +57,8 @@ kind: ConfigMap metadata: name: argocd-notifications-cm data: - # Optional 'oncePer' property ensure that notification is sent only once per specified field value + # Optional 'oncePer' property ensure that notification is sent only once per + # specified field value # E.g. following is triggered once per sync revision trigger.on-deployed: | when: app.status.operationState.phase in ['Succeeded'] and app.status.health.status == 'Healthy' @@ -95,7 +96,8 @@ kind: ConfigMap metadata: name: argocd-notifications-cm data: - # Holds list of triggers that are used by default if trigger is not specified explicitly in the subscription + # Holds list of triggers that are used by default if trigger is not specified + # explicitly in the subscription defaultTriggers: | - on-sync-status-unknown 
diff --git a/docs/operator-manual/project.yaml b/docs/operator-manual/project.yaml index c4d93f536239f..c0c268fc322bc 100644 --- a/docs/operator-manual/project.yaml +++ b/docs/operator-manual/project.yaml @@ -3,7 +3,8 @@ kind: AppProject metadata: name: my-project namespace: argocd - # Finalizer that ensures that project is not deleted until it is not referenced by any application + # Finalizer that ensures that project is not deleted until it is not + # referenced by any application finalizers: - resources-finalizer.argocd.argoproj.io spec: @@ -14,8 +15,8 @@ spec: sourceRepos: - '*' - # Only permit applications to deploy to the guestbook namespace in the same cluster - # Destination clusters can be identified by 'server', 'name', or both. + # Only permit applications to deploy to the guestbook namespace in the same + # cluster Destination clusters can be identified by 'server', 'name', or both. destinations: - namespace: guestbook server: https://kubernetes.default.svc @@ -26,7 +27,8 @@ spec: - group: '' kind: Namespace - # Allow all namespaced-scoped resources to be created, except for ResourceQuota, LimitRange, NetworkPolicy + # Allow all namespaced-scoped resources to be created, except for + # ResourceQuota, LimitRange, NetworkPolicy namespaceResourceBlacklist: - group: '' kind: ResourceQuota @@ -35,7 +37,8 @@ spec: - group: '' kind: NetworkPolicy - # Deny all namespaced-scoped resources from being created, except for Deployment and StatefulSet + # Deny all namespaced-scoped resources from being created, except for + # Deployment and StatefulSet namespaceResourceWhitelist: - group: 'apps' kind: Deployment 
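Review bot: In the `@@ -14,8 +15,8 @@` hunk the re-wrap fuses two separate comment sentences into one. The new text reads `... in the same` / `# cluster Destination clusters can be identified by 'server', 'name', or both.`, so the restriction on `destinations` and the explanation of how a destination cluster is matched run together. Keep the break between them: `# Only permit applications to deploy to the guestbook namespace in the same` / `# cluster.` / `# Destination clusters can be identified by 'server', 'name', or both.` The other hunks on this line only re-flow a single sentence each and read fine.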
@@ -55,19 +58,21 @@ spec: groups: - my-oidc-group - # A role which provides sync privileges to only the guestbook-dev application, e.g. to provide - # sync privileges to a CI system + # A role which provides sync privileges to only the guestbook-dev application, + # e.g. to provide sync privileges to a CI system - name: ci-role description: Sync privileges for guestbook-dev policies: - p, proj:my-project:ci-role, applications, sync, my-project/guestbook-dev, allow - # NOTE: JWT tokens can only be generated by the API server and the token is not persisted - # anywhere by Argo CD. It can be prematurely revoked by removing the entry from this list. + # NOTE: JWT tokens can only be generated by the API server and the token is + # not persisted anywhere by Argo CD. It can be prematurely revoked by + # removing the entry from this list. jwtTokens: - iat: 1535390316 - # Sync windows restrict when Applications may be synced. https://argo-cd.readthedocs.io/en/stable/user-guide/sync_windows/ + # Sync windows restrict when Applications may be synced. + # https://argo-cd.readthedocs.io/en/stable/user-guide/sync_windows/ syncWindows: - kind: allow schedule: '10 1 * * *' 
@@ -87,12 +92,14 @@ spec: - in-cluster - cluster1 - # By default, apps may sync to any cluster specified under the `destinations` field, even if they are not - # scoped to this project. Set the following field to `true` to restrict apps in this cluster to only clusters - # scoped to this project. + # By default, apps may sync to any cluster specified under the `destinations` + # field, even if they are not scoped to this project. Set the following field + # to `true` to restrict apps in this cluster to only clusters scoped to this + # project. permitOnlyProjectScopedClusters: false - # When using Applications-in-any-namespace, this field determines which namespaces this AppProject permits - # Applications to reside in. Details: https://argo-cd.readthedocs.io/en/stable/operator-manual/app-any-namespace/ + # When using Applications-in-any-namespace, this field determines which + # namespaces this AppProject permits Applications to reside in. Details: + # https://argo-cd.readthedocs.io/en/stable/operator-manual/app-any-namespace/ sourceNamespaces: - "argocd-apps-*" diff --git a/docs/operator-manual/reconcile.md b/docs/operator-manual/reconcile.md index a956cd9cf7b28..2667529617b91 100644 --- a/docs/operator-manual/reconcile.md +++ b/docs/operator-manual/reconcile.md 
@@ -102,12 +102,15 @@ metadata: data: resource.customizations.ignoreResourceUpdates.argoproj.io_Application: | jsonPointers: - # Ignore when ownerReferences change, for example when a parent ApplicationSet changes often. + # Ignore when ownerReferences change, for example when a parent + # ApplicationSet changes often. - /metadata/ownerReferences - # Ignore reconciledAt, since by itself it doesn't indicate any important change. + # Ignore reconciledAt, since by itself it doesn't indicate any important + # change. - /status/reconciledAt jqPathExpressions: - # Ignore lastTransitionTime for conditions; helpful when SharedResourceWarnings are being regularly updated but not - # actually changing in content. + # Ignore lastTransitionTime for conditions; helpful when + # SharedResourceWarnings are being regularly updated but not actually + # changing in content. - .status.conditions[].lastTransitionTime ``` diff --git a/docs/operator-manual/resource_actions.md b/docs/operator-manual/resource_actions.md index b720f589ae8d0..ab5a86cbe28dc 100644 --- a/docs/operator-manual/resource_actions.md +++ b/docs/operator-manual/resource_actions.md 
@@ -160,10 +160,11 @@ resource.customizations.actions.ConfigMap: | -- Copy ArgoCD tracking label so that the resource is recognized by the App cm1.metadata.labels["app.kubernetes.io/instance"] = obj.metadata.labels["app.kubernetes.io/instance"] cm1.metadata.annotations = {} - -- For Apps with auto-prune, set the prune false on the resource, so it does not get deleted - cm1.metadata.annotations["argocd.argoproj.io/sync-options"] = "Prune=false" + -- For Apps with auto-prune, set the prune false on the resource, so it + -- does not get deleted + cm1.metadata.annotations["argocd.argoproj.io/sync-options"] = "Prune=false" -- Keep the App synced even though it has a resource that is not in Git - cm1.metadata.annotations["argocd.argoproj.io/compare-options"] = "IgnoreExtraneous" + cm1.metadata.annotations["argocd.argoproj.io/compare-options"] = "IgnoreExtraneous" cm1.data = {} cm1.data.myKey1 = "myValue1" impactedResource1 = {} @@ -180,4 +181,4 @@ resource.customizations.actions.ConfigMap: | result[1] = impactedResource1 result[2] = impactedResource2 return result -``` \ No newline at end of file +``` diff --git a/docs/operator-manual/signed-release-assets.md b/docs/operator-manual/signed-release-assets.md index b574876345b5b..bce5cdcff7b27 100644 --- a/docs/operator-manual/signed-release-assets.md +++ b/docs/operator-manual/signed-release-assets.md 
@@ -71,7 +71,8 @@ The following command will verify the signature of an attestation and how it was Run the following command as per the [slsa-verifier documentation](https://github.com/slsa-framework/slsa-verifier/tree/main#containers): ```bash -# Get the immutable container image to prevent TOCTOU attacks https://github.com/slsa-framework/slsa-verifier#toctou-attacks +# Get the immutable container image to prevent TOCTOU attacks +# https://github.com/slsa-framework/slsa-verifier#toctou-attacks IMAGE=quay.io/argoproj/argocd:v2.7.0 IMAGE="${IMAGE}@"$(crane digest "${IMAGE}") # Verify provenance, including the tag to prevent rollback attacks. @@ -85,7 +86,8 @@ If you only want to verify up to the major or minor verion of the source reposit ```shell slsa-verifier verify-image "$IMAGE" \ --source-uri github.com/argoproj/argo-cd \ - --source-versioned-tag v2 # Note: May use v2.7 for minor version verification. + --source-versioned-tag v2 # Note: May use v2.7 for minor version + # verification. ``` The attestation payload contains a non-forgeable provenance which is base64 encoded and can be viewed by passing the `--print-provenance` option to the commands above: diff --git a/docs/operator-manual/user-management/auth0.md b/docs/operator-manual/user-management/auth0.md index 411517df05e06..1271f8962fb64 100644 --- a/docs/operator-manual/user-management/auth0.md +++ b/docs/operator-manual/user-management/auth0.md @@ -29,7 +29,7 @@ The important part to note here is that group-membership is a non-standard claim `kubectl edit configmap argocd-cm` -``` +```yaml ... data: application.instanceLabelKey: argocd.argoproj.io/instance 
@@ -52,14 +52,16 @@ data: ### Configure RBAC for ArgoCD `kubectl edit configmap argocd-rbac-cm` (or use helm values). -``` +```yaml ... data: policy.csv: | # let members with group someProjectGroup handle apps in someProject - # this can also be defined in the UI in the group-definition to avoid doing it there in the configmap + # this can also be defined in the UI in the group-definition to avoid doing + # it there in the configmap p, someProjectGroup, applications, *, someProject/*, allow - # let the group membership argocd-admins from OIDC become role:admin - needs to go into the configmap + # let the group membership argocd-admins from OIDC become role:admin - needs + # to go into the configmap g, argocd-global-admins, role:admin policy.default: role:readonly # essential to get argo to use groups for RBAC: diff --git a/docs/operator-manual/user-management/identity-center.md b/docs/operator-manual/user-management/identity-center.md index 0fd78b1aaf62f..b3d6460541a2a 100644 --- a/docs/operator-manual/user-management/identity-center.md +++ b/docs/operator-manual/user-management/identity-center.md @@ -46,7 +46,8 @@ dex.config: | id: aws name: "AWS IAM Identity Center" config: - # You need value of Identity Center APP SAML (IAM Identity Center sign-in URL) + # You need value of Identity Center APP SAML (IAM Identity Center sign-in + # URL) ssoURL: https://portal.sso.yourregion.amazonaws.com/saml/assertion/id # You need `caData` _OR_ `ca`, but not both. caData: diff --git a/docs/operator-manual/user-management/index.md b/docs/operator-manual/user-management/index.md index c002b77ada5ed..3dcea7f2ef3de 100644 --- a/docs/operator-manual/user-management/index.md +++ b/docs/operator-manual/user-management/index.md 
@@ -95,7 +95,8 @@ argocd account get --account * Set user password ```bash -# if you are managing users as the admin user, should be the current admin password. +# if you are managing users as the admin user, should be +# the current admin password. argocd account update-password \ --account \ --current-password \ 
@@ -320,35 +321,41 @@ data: clientID: aaaabbbbccccddddeee clientSecret: $oidc.okta.clientSecret - # Optional list of allowed aud claims. If omitted or empty, defaults to the clientID value above (and the - # cliClientID, if that is also specified). If you specify a list and want the clientID to be allowed, you must + # Optional list of allowed aud claims. If omitted or empty, defaults to the + # clientID value above (and the cliClientID, if that is also specified). If + # you specify a list and want the clientID to be allowed, you must # explicitly include it in the list. - # Token verification will pass if any of the token's audiences matches any of the audiences in this list. + # Token verification will pass if any of the token's audiences matches any + # of the audiences in this list. allowedAudiences: - aaaabbbbccccddddeee - qqqqwwwweeeerrrrttt - # Optional. If false, tokens without an audience will always fail validation. If true, tokens without an audience - # will always pass validation. - # Defaults to true for Argo CD < 2.6.0. Defaults to false for Argo CD >= 2.6.0. + # Optional. If false, tokens without an audience will always fail + # validation. If true, tokens without an audience will always pass + # validation. + # Defaults to true for Argo CD < 2.6.0. Defaults to false for Argo CD >= + # 2.6.0. skipAudienceCheckWhenTokenHasNoAudience: true - # Optional set of OIDC scopes to request. If omitted, defaults to: ["openid", "profile", "email", "groups"] + # Optional set of OIDC scopes to request. If omitted, defaults to: + # ["openid", "profile", "email", "groups"] requestedScopes: ["openid", "profile", "email", "groups"] # Optional set of OIDC claims to request on the ID token. requestedIDTokenClaims: {"groups": {"essential": true}} - # Some OIDC providers require a separate clientID for different callback URLs. - # For example, if configuring Argo CD with self-hosted Dex, you will need a separate client ID - # for the 'localhost' (CLI) client to Dex. 
This field is optional. If omitted, the CLI will - # use the same clientID as the Argo CD server + # Some OIDC providers require a separate clientID for different callback + # URLs. For example, if configuring Argo CD with self-hosted Dex, you will + # need a separate client ID for the 'localhost' (CLI) client to Dex. This + # field is optional. If omitted, the CLI will use the same clientID as the + # Argo CD server cliClientID: vvvvwwwwxxxxyyyyzzzz - # PKCE authentication flow processes authorization flow from browser only - default false - # uses the clientID - # make sure the Identity Provider (IdP) is public and doesn't need clientSecret - # make sure the Identity Provider (IdP) has this redirect URI registered: https://argocd.example.com/pkce/verify + # PKCE authentication flow processes authorization flow from browser only - + # default false uses the clientID make sure the Identity Provider (IdP) is + # public and doesn't need clientSecret make sure the Identity Provider (IdP) + # has this redirect URI registered: https://argocd.example.com/pkce/verify enablePKCEAuthentication: true ``` diff --git a/docs/operator-manual/user-management/zitadel.md b/docs/operator-manual/user-management/zitadel.md index 08841983bc95f..224ec3b911155 100644 --- a/docs/operator-manual/user-management/zitadel.md +++ b/docs/operator-manual/user-management/zitadel.md @@ -101,14 +101,16 @@ Paste the following code into the action: ```javascript /** - * sets the roles an additional claim in the token with roles as value an project as key + * sets the roles an additional claim in the token with roles as value an project + * as key * * The role claims of the token look like the following: * * // added by the code below * "groups": ["{roleName}", "{roleName}", ...], * - * Flow: Complement token, Triggers: Pre Userinfo creation, Pre access token creation + * Flow: Complement token, Triggers: Pre Userinfo creation, Pre access token + * creation * * @param ctx * @param api 
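Review bot: The re-wrapped PKCE comment at the end of the `@@ -320,35 +321,41 @@` hunk merges four separate notes into one run-on ("default false uses the clientID make sure the Identity Provider (IdP) is public ..."). That hides the two preconditions an operator has to check before setting `enablePKCEAuthentication: true`. Each note should stay on its own comment line, wrapping only the long redirect-URI line: `# default false`, `# uses the clientID`, `# make sure the Identity Provider (IdP) is public and doesn't need clientSecret`, and the redirect-URI line for `https://argocd.example.com/pkce/verify`. Separately, the example keeps `skipAudienceCheckWhenTokenHasNoAudience: true` although the comment above it says tokens without an audience then always pass validation; an inline `# prefer false unless the IdP omits aud` would make the trade-off visible.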
diff --git a/docs/user-guide/best_practices.md b/docs/user-guide/best_practices.md index 718ab022f3e50..e5534e3d4ce0e 100644 --- a/docs/user-guide/best_practices.md +++ b/docs/user-guide/best_practices.md @@ -42,7 +42,8 @@ kind: Deployment metadata: name: nginx-deployment spec: - # do not include replicas in the manifests if you want replicas to be controlled by HPA + # do not include replicas in the manifests if you want replicas to be + # controlled by HPA # replicas: 1 template: spec: diff --git a/docs/user-guide/helm.md b/docs/user-guide/helm.md index c3b6aa0c6e8fa..2e0b69d5c4630 100644 --- a/docs/user-guide/helm.md +++ b/docs/user-guide/helm.md @@ -35,7 +35,8 @@ spec: project: default source: chart: nginx - repoURL: registry-1.docker.io/bitnamicharts # note: the oci:// syntax is not included. + repoURL: registry-1.docker.io/bitnamicharts # note: the oci:// syntax is + # not included. targetRevision: 15.9.0 destination: name: "in-cluster" diff --git a/docs/user-guide/projects.md b/docs/user-guide/projects.md index f5979cf3c47b3..ad626f5c689bf 100644 --- a/docs/user-guide/projects.md +++ b/docs/user-guide/projects.md @@ -188,7 +188,8 @@ JWT= argocd proj role list $PROJ argocd proj role get $PROJ $ROLE -# This command will fail because the JWT Token associated with the project role does not have a policy to allow access to the application +# This command will fail because the JWT Token associated with the project role +# does not have a policy to allow access to the application argocd app get $APP --auth-token $JWT # Adding a policy to grant access to the application for the new role argocd proj role add-policy $PROJ $ROLE --action get --permission allow --object $APP 
@@ -354,7 +355,8 @@ metadata: name: "some-ns" spec: destination: - # This destination might not actually be a cluster which belongs to `foo-project` + # This destination might not actually be a cluster which belongs to + # `foo-project` server: https://some-k8s-server/ namespace: "some-ns" project: foo-project