kind: AppProject

From wikieduonline

Kind: AppProject (project.yaml)

Relevant fields


kind: Application relevant fields:

Minimal example

apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
  name: my-minimal-project
spec:
  destinations:
    - server: "*"
      namespace: "*"
  sourceRepos:
    - "*"

Additional example

apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
  name: infra
  namespace: argocd
spec:
  destinations:
    - server: https://kubernetes.default.svc
      namespace: default
    - server: https://kubernetes.default.svc
      namespace: infra
  sourceRepos:
    - https://charts.bitnami.com/bitnami
    - https://grafana.github.io/helm-charts
    - https://github.com/constellr/infrastructure.git

Example

apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
 name: my-project
 namespace: argocd
 # Finalizer that ensures that project is not deleted until it is not referenced by any application
 finalizers:
   - resources-finalizer.argocd.argoproj.io
spec:
 description: Example Project
 # Allow manifests to deploy from any Git repos
 sourceRepos:
 - '*'
 # Only permit applications to deploy to the guestbook namespace in the same cluster
 destinations:
 - namespace: guestbook
   server: https://kubernetes.default.svc
 # Deny all cluster-scoped resources from being created, except for Namespace
 clusterResourceWhitelist:
 - group: ''
   kind: Namespace
 # Allow all namespaced-scoped resources to be created, except for ResourceQuota, LimitRange, NetworkPolicy
 namespaceResourceBlacklist:
 - group: ''
   kind: ResourceQuota
 - group: ''
   kind: LimitRange
 - group: ''
   kind: NetworkPolicy
 # Deny all namespaced-scoped resources from being created, except for Deployment and StatefulSet
 namespaceResourceWhitelist:
 - group: 'apps'
   kind: Deployment
 - group: 'apps'
   kind: StatefulSet
 roles:
 # A role which provides read-only access to all applications in the project
 - name: read-only
   description: Read-only privileges to my-project
   policies:
   - p, proj:my-project:read-only, applications, get, my-project/*, allow
   groups:
   - my-oidc-group
 # A role which provides sync privileges to only the guestbook-dev application, e.g. to provide
 # sync privileges to a CI system
 - name: ci-role
   description: Sync privileges for guestbook-dev
   policies:
   - p, proj:my-project:ci-role, applications, sync, my-project/guestbook-dev, allow
   # NOTE: JWT tokens can only be generated by the API server and the token is not persisted
   # anywhere by Argo CD. It can be prematurely revoked by removing the entry from this list.
   jwtTokens:
   - iat: 1535390316
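
The wildcard entries in the examples above ("*" in sourceRepos and destinations) are what decide how much a project actually restricts. The following Python script is an added example, not part of the original page or of Argo CD: the function names and the JSON List input shape are assumptions, and it flags only exact "*" values in sourceRepos, destinations and clusterResourceWhitelist.

```python
import json
import sys

def audit_project(project):
    """Return (field, reason) findings for one AppProject object."""
    spec = project.get("spec") or {}
    findings = []
    if "*" in (spec.get("sourceRepos") or []):
        findings.append(("sourceRepos", "any repository is an allowed source"))
    for i, dest in enumerate(spec.get("destinations") or []):
        if dest.get("server") == "*":
            findings.append((f"destinations[{i}]", "any cluster is an allowed target"))
        if dest.get("namespace") == "*":
            findings.append((f"destinations[{i}]", "any namespace is an allowed target"))
    for i, res in enumerate(spec.get("clusterResourceWhitelist") or []):
        if res.get("kind") == "*":
            findings.append((f"clusterResourceWhitelist[{i}]",
                             "every kind in the group is allowed cluster-wide"))
    return findings

def audit(doc):
    """Map project name -> findings, for one object or a List with "items"."""
    return {p["metadata"]["name"]: audit_project(p) for p in doc.get("items", [doc])}

# Constructed sample: the three manifests on this page, reduced to the audited
# fields and written as a List object (an assumption about the input shape).
LOCAL = "https://kubernetes.default.svc"
SAMPLE = {"items": [
    {"metadata": {"name": "my-minimal-project"},
     "spec": {"destinations": [{"server": "*", "namespace": "*"}],
              "sourceRepos": ["*"]}},
    {"metadata": {"name": "infra"},
     "spec": {"destinations": [{"server": LOCAL, "namespace": "default"},
                               {"server": LOCAL, "namespace": "infra"}],
              "sourceRepos": ["https://charts.bitnami.com/bitnami",
                              "https://grafana.github.io/helm-charts",
                              "https://github.com/constellr/infrastructure.git"]}},
    {"metadata": {"name": "my-project"},
     "spec": {"destinations": [{"server": LOCAL, "namespace": "guestbook"}],
              "sourceRepos": ["*"],
              "clusterResourceWhitelist": [{"group": "", "kind": "Namespace"}]}},
]}

if __name__ == "__main__":
    if len(sys.argv) > 1:  # optional: path to a JSON file of AppProject objects
        with open(sys.argv[1]) as fh:
            SAMPLE = json.load(fh)
    for name, findings in audit(SAMPLE).items():
        for field, reason in findings:
            print(f"{name}: {field}: {reason}")
```

On the sample, my-minimal-project is reported three times, my-project once (its sourceRepos wildcard) and infra not at all.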
