
# Argo CD — noble lab (GitOps)
#
# Chart: argo/argo-cd — pin version on the helm command (e.g. 9.4.17).
# UI/API: **Ingress** via **Traefik** at **argo.apps.noble.lab.pcenicni.dev** (TLS: cert-manager
# ClusterIssuer + **`server.insecure`** so TLS terminates at Traefik).
# DNS: **`argo.apps.noble.lab.pcenicni.dev`** → Traefik LB **192.168.50.211** (same wildcard as apps).
#
# helm repo add argo https://argoproj.github.io/argo-helm
# helm upgrade --install argocd argo/argo-cd -n argocd --create-namespace \
# --version 9.4.17 -f clusters/noble/bootstrap/argocd/values.yaml --wait
#
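# Initial admin password (bootstrap only: change it after the first login, then delete
# the argocd-initial-admin-secret Secret so the original value no longer sits in the cluster):
#   kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath='{.data.password}' | base64 -d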
#
# Optional: kubectl apply -f clusters/noble/bootstrap/argocd/root-application.yaml
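# Helm values for the argo/argo-cd chart. Nesting is restored here: in the flattened
# listing every key sat at column 0, which makes `domain` and `enabled` duplicate
# top-level keys and leaves `global`, `configs` and `server` empty.
global:
  domain: argo.apps.noble.lab.pcenicni.dev

configs:
  params:
    # TLS terminates at Traefik / cert-manager; Argo CD serves HTTP behind the Ingress.
    # Security: with server.insecure the Traefik -> argocd-server hop is cleartext, so
    # logins, session tokens and API/gRPC traffic cross the pod network unencrypted.
    # Keep the Service cluster-internal (ClusterIP, below) and consider a NetworkPolicy
    # that admits only the Traefik pods to argocd-server.
    server.insecure: true
  # RBAC: default authenticated users to read-only; keep local **admin** as full admin.
  # Ref: https://argo-cd.readthedocs.io/en/stable/operator-manual/rbac/
  # Security: policy.default applies to every authenticated account that has no explicit
  # binding, so any account or SSO login added later is granted role:readonly without
  # further configuration. Revisit this before enabling SSO; an empty policy.default
  # denies by default and forces explicit grants in policy.csv.
  rbac:
    policy.default: role:readonly
    policy.csv: |
      g, admin, role:admin

server:
  certificate:
    enabled: true
    domain: argo.apps.noble.lab.pcenicni.dev
    # If you change issuer.name, delete Certificate/Secret once so cert-manager can re-issue (see README.md).
    issuer:
      group: cert-manager.io
      kind: ClusterIssuer
      name: letsencrypt-prod
  ingress:
    enabled: true
    ingressClassName: traefik
    hostname: argo.apps.noble.lab.pcenicni.dev
    tls: true
    # Traefik terminates TLS; Argo serves HTTP/2 cleartext (insecure). Without h2c, UI/API can 404 or fail gRPC.
    # NOTE(review): Traefik documents service.serversscheme as a Service-level annotation;
    # confirm on the rendered objects that it takes effect from the Ingress.
    annotations:
      traefik.ingress.kubernetes.io/service.serversscheme: h2c
  # ClusterIP keeps argocd-server unreachable from outside the cluster except through
  # the Ingress; this matters because the server itself speaks plain HTTP (server.insecure).
  service:
    type: ClusterIP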