Project Specification

The following describes all the available fields of a Project:

  1. apiVersion: argoproj.io/v1alpha1
  2. kind: AppProject
  3. metadata:
  4.   name: my-project
  5.   namespace: argocd
  6.   # Finalizer that ensures that project is not deleted until it is not referenced by any application
  7.   finalizers:
  8.     - resources-finalizer.argocd.argoproj.io
  9. spec:
  10.   # Project description
  11.   description: Example Project
  13.   # Allow manifests to deploy from any Git repos
  14.   sourceRepos:
  15.   - '*'
  17.   # Only permit applications to deploy to the guestbook namespace in the same cluster
  18.   # Destination clusters can be identified by 'server', 'name', or both.
  19.   destinations:
  20.   - namespace: guestbook
  21.     server: https://kubernetes.default.svc
  22.     name: in-cluster
  24.   # Deny all cluster-scoped resources from being created, except for Namespace
  25.   clusterResourceWhitelist:
  26.   - group: ''
  27.     kind: Namespace
  29.   # Allow all namespaced-scoped resources to be created, except for ResourceQuota, LimitRange, NetworkPolicy
  30.   namespaceResourceBlacklist:
  31.   - group: ''
  32.     kind: ResourceQuota
  33.   - group: ''
  34.     kind: LimitRange
  35.   - group: ''
  36.     kind: NetworkPolicy
  38.   # Deny all namespaced-scoped resources from being created, except for Deployment and StatefulSet
  39.   namespaceResourceWhitelist:
  40.   - group: 'apps'
  41.     kind: Deployment
  42.   - group: 'apps'
  43.     kind: StatefulSet
  45.   # Enables namespace orphaned resource monitoring.
  46.   orphanedResources:
  47.     warn: false
  49.   roles:
  50.   # A role which provides read-only access to all applications in the project
  51.   - name: read-only
  52.     description: Read-only privileges to my-project
  53.     policies:
  54.     - p, proj:my-project:read-only, applications, get, my-project/*, allow
  55.     groups:
  56.     - my-oidc-group
  58.   # A role which provides sync privileges to only the guestbook-dev application, e.g. to provide
  59.   # sync privileges to a CI system
  60.   - name: ci-role
  61.     description: Sync privileges for guestbook-dev
  62.     policies:
  63.     - p, proj:my-project:ci-role, applications, sync, my-project/guestbook-dev, allow
  65.     # NOTE: JWT tokens can only be generated by the API server and the token is not persisted
  66.     # anywhere by Argo CD. It can be prematurely revoked by removing the entry from this list.
  67.     jwtTokens:
  68.     - iat: 1535390316
  70.   # Sync windows restrict when Applications may be synced. https://argo-cd.readthedocs.io/en/stable/user-guide/sync_windows/
  71.   syncWindows:
  72.   - kind: allow
  73.     schedule: '10 1 * * *'
  74.     duration: 1h
  75.     applications:
  76.       - '*-prod'
  77.     manualSync: true
  78.   - kind: deny
  79.     schedule: '0 22 * * *'
  80.     duration: 1h
  81.     namespaces:
  82.       - default
  83.   - kind: allow
  84.     schedule: '0 23 * * *'
  85.     duration: 1h
  86.     clusters:
  87.       - in-cluster
  88.       - cluster1
  90.   # By default, apps may sync to any cluster specified under the `destinations` field, even if they are not
  91.   # scoped to this project. Set the following field to `true` to restrict apps in this cluster to only clusters
  92.   # scoped to this project.
  93.   permitOnlyProjectScopedClusters: false
  95.   # When using Applications-in-any-namespace, this field determines which namespaces this AppProject permits
  96.   # Applications to reside in. Details: https://argo-cd.readthedocs.io/en/stable/operator-manual/app-any-namespace/
  97.   sourceNamespaces:
  98.   - "argocd-apps-*"