---
# Helm values that appear to target the Argo CD chart: SSO through Dex with
# authentik as the OIDC provider, secrets synced by Phase, and exposure via
# Gateway API routes.
# Rebuilt from a listing whose line breaks and indentation were lost; nesting
# marked NOTE(review) could not be recovered with certainty.

global:
  domain: 'argocd.k8s.hnrx.net'

extraObjects:
  # PhaseSecret: syncs secrets from a Phase app into a Kubernetes Secret.
  - apiVersion: secrets.phase.dev/v1alpha1
    kind: PhaseSecret
    metadata:
      name: argocd-phase-secret
      namespace: argocd
      labels:
        app.kubernetes.io/part-of: argocd
    spec:
      # Name of the Phase application.
      phaseApp: 'argocd'
      # Optional: Phase app environment to fetch secrets from.
      phaseAppEnv: 'production'
      # Optional: path inside that environment. '/' is the root path, and the
      # resulting Secret is injected wholesale into Dex through dex.envFrom
      # below, so keep only the keys Dex needs at this path.
      phaseAppEnvPath: '/'
      # Optional: URL of the Phase Console instance.
      phaseHost: 'https://phase.hnrx.net'
      authentication:
        serviceToken:
          serviceTokenSecretReference:
            # Secret holding the Phase service token for this application.
            secretName: 'phase-service-token'
            # NOTE(review): the token sits in `default`, not `argocd`. Any
            # subject allowed to read Secrets in `default` can read it and
            # fetch the production secrets; confirm RBAC there, or move it
            # to a dedicated namespace.
            secretNamespace: 'default'
      managedSecretReferences:
        # Kubernetes Secret that Phase creates and keeps in sync.
        - secretName: 'argocd-authentik-client-secret'
          secretNamespace: 'argocd'

configs:
  cm:
    url: 'https://argocd.k8s.hnrx.net'
    # The $AUTHENTIK_* placeholders are presumably resolved from the
    # environment that dex.envFrom injects; confirm the synced Secret carries
    # all three keys.
    # insecureEnableGroups makes Dex accept the upstream `groups` claim. That
    # claim is only updated when the ID token is refreshed, so removing a user
    # from an authentik group does not revoke an existing Argo CD session
    # immediately. The RBAC bindings below depend on this claim.
    dex.config: |
      connectors:
      - config:
          issuer: $AUTHENTIK_ISSUER_URL
          clientID: $AUTHENTIK_CLIENT_ID
          clientSecret: $AUTHENTIK_CLIENT_SECRET
          insecureEnableGroups: true
          scopes:
          - openid
          - profile
          - email
        name: authentik
        type: oidc
        id: authentik
  params:
    # argocd-server serves without TLS. Traffic is protected only if the
    # gateway terminates TLS and the gateway-to-pod hop is on a trusted network.
    server.insecure: true
  rbac:
    # Binds IdP group names to built-in roles; the names must match the
    # `groups` claim exactly.
    # NOTE(review): policy.default is not set in this file; confirm that
    # authenticated users outside both groups end up with no access.
    policy.csv: |
      g, ArgoCD Admins, role:admin
      g, ArgoCD Viewers, role:readonly
  secret:
    extra:
      # NOTE(review): nothing on this page substitutes the placeholder before
      # Helm renders it; if it reaches the cluster unchanged, this key holds
      # the literal string instead of the client secret. dex.config above
      # reads $AUTHENTIK_CLIENT_SECRET, not this key, so the entry may be
      # unused.
      dex.authentik.clientSecret: '$AUTHENTIK_CLIENT_SECRET'
  # NOTE(review): the flattened source does not show whether
  # credentialTemplates was nested under cmp or was its sibling. It is placed
  # at configs.credentialTemplates here, the key the chart uses for repository
  # credential templates. A bare `cmp:` is null; give it sub-keys or drop it.
  cmp:
  credentialTemplates:
    https-creds:
      url: 'https://git.hnrx.net'
      # Same placeholder caveat as above. Credentials written into Helm
      # values are also stored in the Helm release data, so confirm how these
      # are substituted and who can read the release.
      username: '$GIT_USER'
      password: '$GIT_PASSWORD'

dex:
  # Exposes every key of the Phase-managed Secret to Dex as environment
  # variables.
  envFrom:
    - secretRef:
        name: argocd-authentik-client-secret

server:
  # Web UI / REST: attached to the gateway listener section named `https`.
  httproute:
    enabled: true
    parentRefs:
      - name: argocd-gateway
        namespace: argocd
        sectionName: https
    hostnames:
      - 'argocd.k8s.hnrx.net'
    rules:
      - matches:
          - path:
              type: PathPrefix
              value: '/'
        backendRefs:
          - name: argocd-server
            port: 80
  # gRPC (CLI / API clients).
  grpcroute:
    enabled: true
    parentRefs:
      - name: argocd-gateway
        namespace: argocd
        # NOTE(review): this route binds to the section named `http`, while
        # the HTTP route uses `https`. gRPC calls carry the session token; if
        # `http` is a cleartext listener the token crosses the network
        # unencrypted. Confirm the listener's TLS setting.
        sectionName: http
    hostnames:
      - 'argocd.k8s.hnrx.net'
    rules:
      - matches:
          # NOTE(review): Exact match on a single service/method pair, so
          # every other gRPC call is unrouted by this rule. Confirm the
          # service string matches a service argocd-server registers; the
          # spelling looks unusual.
          - method:
              type: Exact
              service: 'cluster.argoproj.v1alpha1.repositorieservice'
              method: 'List'
        backendRefs:
          # Port 443 here versus 80 on the HTTP route; with server.insecure
          # set, verify which protocol the backend speaks on this port.
          - name: argocd-server
            port: 443