API Reference

argocd-service.vsphere.vmware.com/v1alpha1

Overview

This package defines the Kubernetes Custom Resources for managing ArgoCD deployments. It provides declarative configuration for ArgoCD installations with support for OIDC authentication, RBAC policies, and fine-grained resource management.

Resources

  • ArgoCD: Namespace-scoped resource representing a complete ArgoCD installation

Example Usage

  • Check the version of upstream Argo CD that is supported by the Argo CD Operator:

    kubectl explain argocd.spec.version
  • Basic ArgoCD deployment:

    apiVersion: argocd-service.vsphere.vmware.com/v1alpha1
    kind: ArgoCD
    metadata:
      name: my-argocd
      namespace: argocd
    spec:
      version: "3.0.19+vmware.1-vks.1"
  • ArgoCD with OIDC authentication:

    apiVersion: argocd-service.vsphere.vmware.com/v1alpha1
    kind: ArgoCD
    metadata:
      name: my-argocd
      namespace: argocd
    spec:
      version: "3.0.19+vmware.1-vks.1"
      url: "https://argocd.example.com"
      oidc:
        enabled: true
        name: "VCFA"
        issuer: "https://vcfa.example.com/oidc"
        clientID: "argocd-client"
        requestedScopes:
          - openid
          - profile
          - email
          - groups
      rbac:
        scopes: '[group, email]'
        policy: |
          g, **@example.com, role:admin
  • ArgoCD with RBAC policies:

    apiVersion: argocd-service.vsphere.vmware.com/v1alpha1
    kind: ArgoCD
    metadata:
      name: my-argocd
      namespace: argocd
    spec:
      version: "3.0.19+vmware.1-vks.1"
      localAccounts:
        - Alice
        - Bob
      rbac:
        defaultPolicy: "role:readonly"
        policy: |
          p, role:devops, applications, *, */*, allow
          p, role:devops, clusters, get, *, allow
          g, Alice, role:devops
          g, Bob, role:admin
  • ArgoCD with resource filtering:

    apiVersion: argocd-service.vsphere.vmware.com/v1alpha1
    kind: ArgoCD
    metadata:
      name: my-argocd
      namespace: argocd
    spec:
      version: "3.0.19+vmware.1-vks.1"
      resourceConfig:
        inclusions:
          - apiGroups:
              - "cluster.x-k8s.io"
            kinds:
              - "*"
            clusters:
              - "https://172.16.0.200:443"
  • ArgoCD with notification and applicationSet enabled:

    apiVersion: argocd-service.vsphere.vmware.com/v1alpha1
    kind: ArgoCD
    metadata:
      name: my-argocd
      namespace: argocd
    spec:
      version: "3.0.19+vmware.1-vks.1"
      notification:
        enabled: true
      applicationSet:
        enabled: true
  • ArgoCD with custom component scaling:

    apiVersion: argocd-service.vsphere.vmware.com/v1alpha1
    kind: ArgoCD
    metadata:
      name: my-argocd
      namespace: argocd
    spec:
      version: "3.0.19+vmware.1-vks.1"
      server:
        replicas: 2
        resources:
          requests:
            cpu: "500m"
            memory: "512Mi"
          limits:
            cpu: "2000m"
            memory: "2Gi"
      repo:
        replicas: 2
        resources:
          limits:
            cpu: "2000m"
            memory: "2Gi"
      controller:
        replicas: 1

Package v1alpha1 contains API Schema definitions for the argocd-service v1alpha1 API group.

Resource Types

ArgoCD

ArgoCD is the Schema for the ArgoCD API. It represents a complete ArgoCD installation in a Kubernetes cluster.

Field Description Default Validation

apiVersion string

argocd-service.vsphere.vmware.com/v1alpha1

kind string

ArgoCD

metadata ObjectMeta

Refer to Kubernetes API documentation for fields of metadata.

spec ArgoCDSpec

Spec defines the desired state of the ArgoCD deployment.

status ArgoCDStatus

Status defines the observed state of the ArgoCD deployment.

ArgoCDApplicationController

ArgoCDApplicationController configures the argocd-application-controller statefulset, which continuously monitors applications and synchronizes the desired state.

Appears In:
Field Description Default Validation

replicas integer

Replicas specifies the number of argocd-application-controller pod replicas.

Resources specifies the compute resources (CPU, memory) required by argocd-application-controller pods.

ArgoCDApplicationSetController

ArgoCDApplicationSetController configures the argocd-applicationset-controller deployment, which provides support for ApplicationSet resources.

Appears In:
Field Description Default Validation

enabled boolean

Enabled enables the ApplicationSet controller.
When false, the ApplicationSet controller will not be deployed.

replicas integer

Replicas specifies the number of argocd-applicationset-controller pod replicas.

Resources specifies the compute resources (CPU, memory) required by argocd-applicationset-controller pods.

ArgoCDControlledResources

ArgoCDControlledResources defines resource filters by ApiGroups, Kinds, and Clusters. This aligns with upstream ArgoCD’s Resource Exclusion/Inclusion patterns.

Appears In:
Field Description Default Validation

apiGroups string array

ApiGroups specifies the list of Kubernetes API groups to match.
Example: ["apps", "batch"]

kinds string array

Kinds specifies the list of Kubernetes resource kinds to match.
Example: ["Deployment", "StatefulSet", "Job"]

clusters string array

Clusters specifies the list of cluster names where this filter applies.
If empty, the filter applies to all clusters.

ArgoCDNotification

ArgoCDNotification configures the argocd-notifications-controller deployment, which sends event notifications via webhooks, email, Slack, etc.

Appears In:
Field Description Default Validation

enabled boolean

Enabled enables the Notifications controller.
When false, the Notifications controller will not be deployed.

replicas integer

Replicas specifies the number of argocd-notifications-controller pod replicas.

Resources specifies the compute resources (CPU, memory) required by argocd-notifications-controller pods.

ArgoCDOIDC

ArgoCDOIDC configures OpenID Connect (OIDC) authentication for ArgoCD. The fields map to the keys under the oidc.config field in the argocd-cm ConfigMap. Reference https://argo-cd.readthedocs.io/en/stable/operator-manual/declarative-setup/#oidc-authentication

Appears In:
Field Description Default Validation

enabled boolean

Enabled enables OIDC authentication for ArgoCD.
When true, users can authenticate using the configured OIDC provider.

name string

Name specifies the display name for this OIDC provider configuration.

issuer string

Issuer specifies the OIDC provider URL.
Example: "https://vcfa.*.com/oidc"

clientID string

ClientID specifies the OAuth2 client ID registered with the OIDC provider.
This is obtained when registering ArgoCD as an application with your identity provider.

clientSecret string

ClientSecret specifies the OAuth2 client secret paired with ClientID.
This secret must be kept confidential and is used to authenticate ArgoCD with the OIDC provider.

requestedScopes string array

RequestedScopes specifies the OAuth2 scopes to request from the OIDC provider.
Common scopes include "openid", "profile", "email", and "groups".
Example: ["openid", "profile", "email", "groups"]

allowedAudiences string array

AllowedAudiences specifies the list of valid audiences ("aud" claim) for JWT tokens.
If specified, tokens must contain one of these audience values to be accepted.

requestedIDTokenClaims KeyValues

RequestedIDTokenClaims specifies additional claims to request in the OIDC ID token.
This is a map of claim names to their request parameters.

cliClientID string

CliClientID specifies the OAuth2 client ID for ArgoCD CLI authentication.
If not specified, the main ClientID is used for both UI and CLI authentication.

enablePKCEAuthentication boolean

EnablePKCEAuthentication enables Proof Key for Code Exchange (PKCE) for the OAuth2 flow.
PKCE provides additional security for public clients like the ArgoCD CLI.

skipAudienceCheckWhenTokenHasNoAudience boolean

SkipAudienceCheckWhenTokenHasNoAudience skips audience validation when the JWT token
does not contain an "aud" claim. Use with caution in development environments only.

insecure boolean

Insecure disables TLS certificate validation for the OIDC provider.
This should only be used in development environments with self-signed certificates.
Not recommended for production use.

ArgoCDRBAC

ArgoCDRBAC configures role-based access control (RBAC) policies for ArgoCD, including default policies, custom rules, and OIDC group mappings. The fields map to the fields in the argocd-rbac-cm.yml. Reference https://argo-cd.readthedocs.io/en/latest/operator-manual/argocd-rbac-cm-yaml/

Appears In:
Field Description Default Validation

defaultPolicy string

DefaultPolicy specifies the default role that ArgoCD falls back to when authorizing API requests.
Common values: "role:readonly" or "role:admin"

policy string

Policy defines user-defined RBAC policies and role definitions in CSV format.
Policy rules are in the form: p, subject, resource, action, object, effect
Role definitions and bindings are in the form: g, subject, inherited-subject
See https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/rbac.md for additional information.

scopes string

Scopes controls which OIDC scopes to examine during RBAC enforcement.
The default value examines the "groups" scope for role mappings.

policyMatchMode string

PolicyMatchMode configures the pattern matching mode for Casbin policies.
Valid values: "glob" for glob pattern matching, "regex" for regex pattern matching.

glob

Enum: [glob regex]
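
The ArgoCDOIDC and ArgoCDRBAC fields above include several settings that weaken authentication or widen access. The following audit is an added example, not part of this API reference or of the operator's code. It assumes the `spec` of an ArgoCD resource has already been loaded as a dictionary (for instance from `kubectl get argocd my-argocd -o json`); the function names and the sample spec are constructed for illustration.

```python
import csv

def admin_subjects(policy):
    """Subjects bound to role:admin by 'g, subject, inherited-subject' lines."""
    rows = csv.reader(policy.splitlines(), skipinitialspace=True)
    return [r[1].strip() for r in rows
            if len(r) >= 3 and r[0].strip() == "g" and r[2].strip() == "role:admin"]

def audit(spec):
    """Return (field, finding) pairs for settings this reference marks as risky."""
    oidc, rbac = spec.get("oidc") or {}, spec.get("rbac") or {}
    out = []
    if oidc.get("enabled"):
        if oidc.get("insecure"):
            out.append(("oidc.insecure",
                        "TLS certificate validation for the issuer is off"))
        if oidc.get("skipAudienceCheckWhenTokenHasNoAudience"):
            out.append(("oidc.skipAudienceCheckWhenTokenHasNoAudience",
                        "tokens without an aud claim skip audience validation"))
        # The url pattern ^http(s)?:// also accepts plain http.
        if not str(spec.get("url", "")).startswith("https://"):
            out.append(("url", "OIDC is enabled but the external URL is not https"))
    if rbac.get("defaultPolicy") == "role:admin":
        out.append(("rbac.defaultPolicy", "fallback role for requests is role:admin"))
    for subject in admin_subjects(rbac.get("policy") or ""):
        if "*" in subject:
            out.append(("rbac.policy",
                        f"wildcard subject {subject!r} bound to role:admin"))
    return out

# Constructed sample spec with deliberately weak settings (not from a real cluster).
SAMPLE_SPEC = {
    "url": "http://argocd.example.com",
    "oidc": {"enabled": True, "issuer": "https://vcfa.example.com/oidc",
             "clientID": "argocd-client", "insecure": True,
             "skipAudienceCheckWhenTokenHasNoAudience": True},
    "rbac": {"defaultPolicy": "role:admin",
             "policy": "g, **@example.com, role:admin\ng, Bob, role:admin\n"
                       "p, role:devops, clusters, get, *, allow\n"},
}

if __name__ == "__main__":
    for field, finding in audit(SAMPLE_SPEC):
        print(f"{field}: {finding}")
```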

ArgoCDRedis

ArgoCDRedis configures the argocd-redis deployment, which provides caching and temporary data storage.

Appears In:
Field Description Default Validation

Resources specifies the compute resources (CPU, memory) required by argocd-redis pods.

ArgoCDRepo

ArgoCDRepo configures the argocd-repo-server deployment, which handles repository operations.

Appears In:
Field Description Default Validation

replicas integer

Replicas specifies the number of argocd-repo-server pod replicas.
Higher replica counts improve repository operation throughput.

Resources specifies the compute resources (CPU, memory) required by argocd-repo-server pods.

ArgoCDResourceConfig

ArgoCDResourceConfig configures which Kubernetes resources ArgoCD can discover and synchronize. Reference: https://argo-cd.readthedocs.io/en/stable/operator-manual/declarative-setup/#resource-exclusioninclusion

Example:

resourceConfig:
  inclusions:
    - apiGroups: ["apps", "batch"]
      kinds: ["Deployment", "StatefulSet", "Job"]
      clusters: ["prod-cluster"]
  exclusions:
    - apiGroups: [""]
      kinds: ["Secret"]

If the inclusions field is not specified, all resource groups and kinds are included for ArgoCD to discover and sync.

If the exclusions field is not specified, the following API groups and resources are excluded by default in the argocd-cm ConfigMap:

resource.exclusions: |
   - apiGroups:
     - appplatform.vmware.com
   - apiGroups:
     - appplatform.wcp.vmware.com
   - apiGroups:
     - argocd-service.vsphere.vmware.com
   - apiGroups:
     - bootstrap.cluster.x-k8s.io
   - apiGroups:
     - cli.tanzu.vmware.com
   - apiGroups:
     - cli.vmware.com
   - apiGroups:
     - cns.vmware.com
   - apiGroups:
     - discovery.k8s.io
     kinds:
     - endpointslices
     - endpoints
   - apiGroups:
     - imageregistry.vmware.com
   - apiGroups:
     - infrastructure.cluster.vmware.com
   - apiGroups:
     - installers.tmc.cloud.vmware.com
   - apiGroups:
     - mobility-operator.vmware.com
   - apiGroups:
     - netoperator.vmware.com
   - apiGroups:
     - run.tanzu.vmware.com
   - apiGroups:
     - topology.tanzu.vmware.com
   - apiGroups:
     - veleroappoperator.vmware.com
   - apiGroups:
     - vmware.infrastructure.cluster.x-k8s.io
   - apiGroups:
     - coordination.k8s.io
     kinds:
     - Lease
   - apiGroups:
     - authentication.k8s.io
     - authorization.k8s.io
     kinds:
     - SelfSubjectReview
     - TokenReview
     - LocalSubjectAccessReview
     - SelfSubjectAccessReview
     - SelfSubjectRulesReview
     - SubjectAccessReview
   - apiGroups:
     - certificates.k8s.io
     kinds:
     - CertificateSigningRequest
   - apiGroups:
     - cert-manager.io
     kinds:
     - CertificateSigningRequest
   - apiGroups:
     - cilium.io
     kinds:
     - CiliumIdentity
     - CiliumEndpoint
     - CiliumEndpointSlice
   - apiGroups:
     - kyverno.io
     - reports.kyverno.io
     - wgpolicyk8s.io
     kinds:
     - PolicyReport
     - ClusterPolicyReport
     - EphemeralReport
     - ClusterEphemeralReport
     - AdmissionReport
     - ClusterAdmissionReport
     - BackgroundScanReport
     - ClusterBackgroundScanReport
     - UpdateRequest

Appears In:
Field Description Default Validation

inclusions ArgoCDControlledResources array

Inclusions defines the resources that ArgoCD should discover and sync.
Only resources matching these filters will be managed by ArgoCD.
This field maps to resource.inclusions in the argocd-cm ConfigMap.

exclusions ArgoCDControlledResources array

Exclusions defines the resources that ArgoCD should not discover and sync.
Resources matching these filters will be ignored even if they match inclusions.
This field maps to resource.exclusions in the argocd-cm ConfigMap.
Explicitly setting this field will override all default exclusions.
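
Because an explicit exclusions list replaces the defaults rather than extending them, a narrow list can silently bring default-excluded resources back into scope. The following model of the filter rules is an added example, not the operator's implementation. It assumes entries are matched as globs and that an empty or missing list within a filter matches everything; `DEFAULT_EXCLUSIONS` is a three-entry excerpt of the default list above, and all function names are constructed for illustration.

```python
from fnmatch import fnmatchcase

# Excerpt of the default exclusions listed above (not the full list).
DEFAULT_EXCLUSIONS = [
    {"apiGroups": ["coordination.k8s.io"], "kinds": ["Lease"]},
    {"apiGroups": ["certificates.k8s.io"], "kinds": ["CertificateSigningRequest"]},
    {"apiGroups": ["cns.vmware.com"]},
]

def _hit(patterns, value):
    # Assumption: an empty or missing list matches everything; entries are globs.
    return not patterns or any(fnmatchcase(value, p) for p in patterns)

def matches(flt, group, kind, cluster):
    return (_hit(flt.get("apiGroups"), group) and _hit(flt.get("kinds"), kind)
            and _hit(flt.get("clusters"), cluster))

def is_managed(resource_config, group, kind, cluster):
    """Apply the inclusion/exclusion rules stated in this reference to one resource."""
    rc = resource_config or {}
    inclusions = rc.get("inclusions")
    explicit = rc.get("exclusions")
    # Explicit exclusions replace the defaults; the two lists are not merged.
    exclusions = DEFAULT_EXCLUSIONS if explicit is None else explicit
    if inclusions and not any(matches(f, group, kind, cluster) for f in inclusions):
        return False
    # Exclusions win even when an inclusion matched.
    return not any(matches(f, group, kind, cluster) for f in exclusions)

def dropped_defaults(resource_config):
    """Default exclusion entries that an explicit exclusions list no longer carries."""
    explicit = (resource_config or {}).get("exclusions")
    if explicit is None:
        return []
    return [d for d in DEFAULT_EXCLUSIONS if d not in explicit]

# The resourceConfig example from this section, and a config that only excludes Secrets.
PAGE_EXAMPLE = {
    "inclusions": [{"apiGroups": ["apps", "batch"],
                    "kinds": ["Deployment", "StatefulSet", "Job"],
                    "clusters": ["prod-cluster"]}],
    "exclusions": [{"apiGroups": [""], "kinds": ["Secret"]}],
}
ONLY_SECRET = {"exclusions": [{"apiGroups": [""], "kinds": ["Secret"]}]}

if __name__ == "__main__":
    print(is_managed({}, "coordination.k8s.io", "Lease", "prod-cluster"))
    print(is_managed(ONLY_SECRET, "coordination.k8s.io", "Lease", "prod-cluster"))
    print(dropped_defaults(ONLY_SECRET))
```

To keep the defaults while adding a custom exclusion, copy every default entry into `exclusions` alongside the new one; `dropped_defaults` returning an empty list confirms nothing was lost.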

ArgoCDServer

ArgoCDServer configures the argocd-server deployment, which provides the API server and web UI.

Appears In:
Field Description Default Validation

replicas integer

Replicas specifies the number of argocd-server pod replicas.
Higher replica counts provide high availability for the UI and API.

Resources specifies the compute resources (CPU, memory) required by argocd-server pods.

tlsCert TLSCert

TLSCert specifies the TLS certificate configuration provided by the user for HTTPS.
If not specified, ArgoCD will generate a self-signed certificate.

ArgoCDSpec

ArgoCDSpec defines the desired configuration for an ArgoCD deployment, including version, authentication, RBAC, and component settings.

Appears In:
Field Description Default Validation

paused boolean

Paused indicates that reconciliation for this resource is stopped.
This is useful for debugging or maintenance purposes.

version string

Version specifies the ArgoCD Carvel Package version to deploy.
The version must follow the pattern: X.Y.Z+vmware.W-vks.V
Example: "3.0.19+vmware.1-vks.1"

Pattern: ^(\d+)\.(\d+)\.(\d+)\+vmware\.(\d+)-vks\.(\d+)$
Required: {}

enableLoadBalancer boolean

EnableLoadBalancer creates a LoadBalancer service for the ArgoCD Server.
When enabled, the ArgoCD UI will be accessible via an external load balancer.

true

url string

URL specifies the external URL for the ArgoCD Server.
This field is required when OIDC authentication is enabled.
Example: "https://argocd.example.com"

Pattern: ^http(s)?://

serverSideDiff boolean

ServerSideDiff enables server-side diff for all ArgoCD applications.
When enabled, resource diffs are calculated on the server side for better performance.

true

localAccounts string array

LocalAccounts defines the list of local user account names for ArgoCD authentication.
These accounts can be used to log in to ArgoCD in addition to SSO/OIDC.
Example: ["Alice", "Bob"]

oidc ArgoCDOIDC

OIDC configures OpenID Connect authentication for ArgoCD.

rbac ArgoCDRBAC

RBAC configures global role-based access control policies for ArgoCD.

resourceConfig ArgoCDResourceConfig

ResourceConfig defines which Kubernetes resources ArgoCD can discover and sync.

server ArgoCDServer

Server configures the argocd-server deployment (UI and API server).

repo ArgoCDRepo

Repo configures the argocd-repo-server deployment (repository operations).

Controller configures the argocd-application-controller statefulset (application reconciliation).

ApplicationSet configures the argocd-applicationset-controller deployment (ApplicationSet support).

redis ArgoCDRedis

Redis configures the argocd-redis deployment (caching and temporary data).

notification ArgoCDNotification

Notification configures the argocd-notifications-controller deployment (event notifications).

ArgoCDStatus

ArgoCDStatus represents the observed state of an ArgoCD deployment.

Appears In:
Field Description Default Validation

phase string

Phase represents the current operational phase of the ArgoCD deployment.

conditions Condition array

Conditions represents the current service state of the ArgoCD deployment.

KeyValues

KeyValues represents a flexible key-value map for arbitrary configuration. This type is used for OIDC claims and other dynamic configuration that doesn’t have a fixed schema. The structure preserves any fields provided without validation, allowing for flexible configuration.

Appears In:
Field Description Default Validation

Object object (keys:string, values:interface{})

Object is a JSON compatible map with string, float, int, bool, []interface{}, or map[string]interface{} children.

TLSCert

TLSCert contains TLS certificate, private key, and CA certificate for HTTPS configuration. All values must be base64-encoded.

Appears In:
Field Description Default Validation

key string

Key specifies the base64-encoded private key for the TLS certificate.

cert string

Cert specifies the base64-encoded TLS certificate.

ca string

CA specifies the base64-encoded certificate authority (CA) certificate.