---
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
  labels:
    app.kubernetes.io/name: argocd-cm
    app.kubernetes.io/part-of: argocd
data:
  url: https://argocd.peterg.nl
  dex.config: |
    connectors:
    - name: authentik
      id: authentik
      type: oidc
      config:
        issuer: $argocd-authentik-provider:dex.authentik.issuer
        clientID: $argocd-authentik-provider:dex.authentik.clientID
        clientSecret: $argocd-authentik-provider:dex.authentik.clientSecret
        insecureEnableGroups: true
        scopes:
          - openid
          - profile
          - email
          - groups
    staticClients:
    - name: Argo Workflows
      id: argo-workflows-sso
      redirectURIs:
        - https://workflows.peterg.nl/oauth2/callback
      secretEnv: ARGO_WORKFLOWS_SSO_CLIENT_SECRET
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-rbac-cm
  labels:
    app.kubernetes.io/part-of: argocd
data:
  policy.default: role:readonly
  policy.csv: |
    p, role:org-admin, applications, *, */*, allow
    p, role:org-admin, clusters, get, *, allow
    p, role:org-admin, repositories, get, *, allow
    p, role:org-admin, repositories, create, *, allow
    p, role:org-admin, repositories, update, *, allow
    p, role:org-admin, repositories, delete, *, allow
    p, role:org-admin, logs, get, */*, allow
    p, role:org-admin, exec, create, */*, allow

    g, ArgoCD Admins, role:admin