github.com/argoproj/argo-cd@v1.8.7/docs/operator-manual/project.yaml (about)

     1  apiVersion: argoproj.io/v1alpha1
     2  kind: AppProject  # example project: limits the sources, destinations, resource kinds and roles of its applications
     3  metadata:
     4    name: my-project  # the role policies further down refer to this name as proj:my-project
     5    namespace: argocd  # presumably the namespace Argo CD is installed in; confirm for your cluster
     6    # Finalizer that keeps the project from being deleted while any application still references it
     7    finalizers:
     8      - resources-finalizer.argocd.argoproj.io
     9  spec:
    10    # Free-text description of the project
    11    description: Example Project
    12  
    13    # Allow manifests to be deployed from any Git repository
    14    sourceRepos:
    15    - '*'  # NOTE(review): wildcard trusts every repository; outside a demo, list only the repositories this project should deploy from
    16  
    17    # Only permit applications to deploy to the guestbook namespace in the same cluster
    18    destinations:
    19    - namespace: guestbook
    20      server: https://kubernetes.default.svc  # in-cluster API server address, i.e. the cluster Argo CD itself runs in
    21  
    22    # Deny creation of all cluster-scoped resources except Namespace
    23    clusterResourceWhitelist:
    24    - group: ''  # '' is the core API group
    25      kind: Namespace  # NOTE(review): applications may create Namespace objects; keep this list as short as the project really needs
    26  
    27    # Allow all namespace-scoped resources to be created, except for ResourceQuota, LimitRange, NetworkPolicy
    28    namespaceResourceBlacklist:  # NOTE(review): namespaceResourceWhitelist is also set in this example; confirm how your Argo CD version combines the two lists
    29    - group: ''
    30      kind: ResourceQuota
    31    - group: ''
    32      kind: LimitRange
    33    - group: ''  # NOTE(review): NetworkPolicy is served from networking.k8s.io, not the core group; verify this entry actually matches it
    34      kind: NetworkPolicy
    35  
    36    # Deny creation of all namespace-scoped resources except Deployment and StatefulSet
    37    namespaceResourceWhitelist:  # NOTE(review): an allow-list this narrow presumably makes the namespaceResourceBlacklist entries redundant; both appear to be shown for syntax
    38    - group: 'apps'
    39      kind: Deployment
    40    - group: 'apps'
    41      kind: StatefulSet
    42  
    43    # Enable monitoring of orphaned resources in namespaces
    44    orphanedResources:
    45      warn: false  # presumably turns off the orphaned-resource warning while monitoring stays enabled; confirm in the Argo CD docs
    46  
    47    roles:
    48    # A role which provides read-only access to all applications in the project
    49    - name: read-only
    50      description: Read-only privileges to my-project
    51      policies:  # fields as written: p, subject (proj:<project>:<role>), resource, action, object (<project>/<application>), effect
    52      - p, proj:my-project:read-only, applications, get, my-project/*, allow
    53      groups:  # NOTE(review): presumably matched against the group claims of SSO users; whoever manages that group's membership grants this role
    54      - my-oidc-group
    55  
    56    # A role which provides sync privileges for the guestbook-dev application only, e.g. to give
    57    # sync privileges to a CI system
    58    - name: ci-role
    59      description: Sync privileges for guestbook-dev
    60      policies:
    61      - p, proj:my-project:ci-role, applications, sync, my-project/guestbook-dev, allow  # one action on one named application, no wildcard
    62  
    63      # NOTE: JWT tokens can only be generated by the API server, and the token itself is not persisted
    64      # anywhere by Argo CD. A token can be revoked early by removing its entry from this list.
    65      jwtTokens:
    66      - iat: 1535390316  # issued-at time in Unix seconds (2018-08-27T17:18:36Z); NOTE(review): no expiry is recorded for this entry, so presumably the token stays valid until the entry is removed; prefer tokens issued with an expiry for CI use