starting homelab RKE2 cluster

2026-01-13 14:42:19 +01:00
commit 9e5a1d7546
14 changed files with 464 additions and 0 deletions
@@ -0,0 +1,100 @@
+global:
+  domain: "argocd.k8s.hnrx.net"
+
+extraObjects:
+  - apiVersion: secrets.phase.dev/v1alpha1
+    kind: PhaseSecret
+    metadata:
+      name: argocd-phase-secret
+      namespace: argocd
+      labels:
+        app.kubernetes.io/part-of: argocd
+    spec:
+      phaseApp: 'argocd' # The name of your Phase application
+      phaseAppEnv: 'production' # OPTIONAL - The Phase App Environment to fetch secrets from
+      phaseAppEnvPath: '/' # OPTIONAL Path within the Phase application environment to fetch secrets from
+      phaseHost: 'https://phase.hnrx.net' # OPTIONAL - URL of a Phase Console instance
+      authentication:
+        serviceToken:
+          serviceTokenSecretReference:
+            secretName: 'phase-service-token' # Name of the Phase Service Token with access to your application
+            secretNamespace: 'default'
+      managedSecretReferences:
+        - secretName: 'argocd-authentik-client-secret' # Name of the Kubernetes managed secret that Phase will sync
+          secretNamespace: 'argocd'
+
+configs:
+  cm:
+    url: https://argocd.k8s.hnrx.net
+    dex.config: |
+      connectors:
+      - config:
+          issuer: ${AUTHENTIK_ISSUER_URL}
+          clientID: ${AUTHENTIK_CLIENT_ID}
+          clientSecret: ${AUTHENTIK_CLIENT_SECRET}
+          insecureEnableGroups: true
+          scopes:
+            - openid
+            - profile
+            - email
+        name: authentik
+        type: oidc
+        id: authentik
+        
+  params:
+    server.insecure: true
+  rbac:
+    policy.csv: |
+      g, ArgoCD Admins, role:admin
+      g, ArgoCD Viewers, role:readonly
+  secret:
+        extra:
+            dex.authentik.clientSecret: "${AUTHENTIK_CLIENT_SECRET}"
+  cmp:
+    credentialTemplates:
+      https-creds:
+        url: https://git.hnrx.net
+        username: ${GIT_USER}
+        password: ${GIT_PASSWORD}
+
+
+dex:
+  envFrom:
+    - secretRef:
+        name: argocd-authentik-client-secret
+
+server:
+  httproute:
+    enabled: true
+    parentRefs:
+      - name: argocd-gateway
+        namespace: argocd
+        sectionName: https
+    hostnames:
+      - "argocd.k8s.hnrx.net"
+    rules:
+    - matches:
+        - path:
+            type: PathPrefix
+            value: /
+      backendRefs:
+        - name: argocd-server
+          port: 80
+            
+  grpcroute:
+    enabled: true
+    parentRefs:
+      - name: argocd-gateway
+        namespace: argocd
+        sectionName: http
+    hostnames:
+      - "argocd.k8s.hnrx.net"
+    rules:
+      - matches:
+          - method:
+              type: Exact
+              service: "cluster.argoproj.v1alpha1.repositorieservice"
+              method: "List"
+        backendRefs:
+          - name: argocd-server
+            port: 443