diff --git a/charts/kyverno/README.md b/charts/kyverno/README.md index b9d91ab8ed..9f56665831 100644 --- a/charts/kyverno/README.md +++ b/charts/kyverno/README.md @@ -46,6 +46,45 @@ The command deploys Kyverno on the Kubernetes cluster with default configuration The Kyverno ClusterRole/ClusterRoleBinding that manages webhook configurations must have the suffix `:webhook`. Ex., `*:webhook` or `kyverno:webhook`. Other ClusterRole/ClusterRoleBinding names are configurable. +**Notes on using ArgoCD:** + +When deploying this chart with ArgoCD you will need to enable `Replace` in the `syncOptions`, and you probably want to ignore diff in aggregated cluster roles. + +You can do so by following instructions in these pages of ArgoCD documentation: +- [Enable Replace in the syncOptions](https://argo-cd.readthedocs.io/en/stable/user-guide/sync-options/#replace-resource-instead-of-applying-changes) +- [Ignore diff in aggregated cluster roles](https://argo-cd.readthedocs.io/en/stable/user-guide/diffing/#ignoring-rbac-changes-made-by-aggregateroles) + +ArgoCD uses helm only for templating but applies the results with `kubectl`. + +Unfortunately `kubectl` adds metadata that will cross the limit allowed by Kuberrnetes. Using `Replace` overcomes this limitation. + +Another option is to use server side apply, this will be supported in ArgoCD v2.5. + +Below is an example of ArgoCD application manifest that should work with this chart: +``` +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: kyverno + namespace: argocd +spec: + destination: + namespace: kyverno + server: https://kubernetes.default.svc + project: default + source: + chart: kyverno + repoURL: https://kyverno.github.io/kyverno + targetRevision: 2.6.0 + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true + - Replace=true +``` + ## Uninstalling the Chart To uninstall/delete the `kyverno` deployment: 
diff --git a/charts/kyverno/README.md.gotmpl b/charts/kyverno/README.md.gotmpl index 6ab67cda0f..396f2a1f90 100644 --- a/charts/kyverno/README.md.gotmpl +++ b/charts/kyverno/README.md.gotmpl @@ -46,6 +46,45 @@ The command deploys Kyverno on the Kubernetes cluster with default configuration The Kyverno ClusterRole/ClusterRoleBinding that manages webhook configurations must have the suffix `:webhook`. Ex., `*:webhook` or `kyverno:webhook`. Other ClusterRole/ClusterRoleBinding names are configurable. +**Notes on using ArgoCD:** + +When deploying this chart with ArgoCD you will need to enable `Replace` in the `syncOptions`, and you probably want to ignore diff in aggregated cluster roles. + +You can do so by following instructions in these pages of ArgoCD documentation: +- [Enable Replace in the syncOptions](https://argo-cd.readthedocs.io/en/stable/user-guide/sync-options/#replace-resource-instead-of-applying-changes) +- [Ignore diff in aggregated cluster roles](https://argo-cd.readthedocs.io/en/stable/user-guide/diffing/#ignoring-rbac-changes-made-by-aggregateroles) + +ArgoCD uses helm only for templating but applies the results with `kubectl`. + +Unfortunately `kubectl` adds metadata that will cross the limit allowed by Kuberrnetes. Using `Replace` overcomes this limitation. + +Another option is to use server side apply, this will be supported in ArgoCD v2.5. + +Below is an example of ArgoCD application manifest that should work with this chart: +``` +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: kyverno + namespace: argocd +spec: + destination: + namespace: kyverno + server: https://kubernetes.default.svc + project: default + source: + chart: kyverno + repoURL: https://kyverno.github.io/kyverno + targetRevision: 2.6.0 + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true + - Replace=true +``` + ## Uninstalling the Chart To uninstall/delete the `kyverno` deployment:
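Review bot: in the charts/kyverno/README.md hunk, the example puts `- Replace=true` under `syncPolicy.syncOptions`, so it applies to every resource in the Application, right next to `prune: true` and `selfHeal: true`, while the text never says which resources actually exceed the limit. Please name the metadata that `kubectl` adds and the limit it crosses, and state which of the chart's resources are affected, so a reader can judge whether an application-wide Replace is needed or whether it can be scoped to those resources only. In the same paragraph, "Kuberrnetes" should be "Kubernetes", and "server side apply, this will be supported" is a comma splice that reads better as two sentences.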
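Review bot: in the charts/kyverno/README.md.gotmpl hunk, `targetRevision: 2.6.0` is hardcoded in the template and "this will be supported in ArgoCD v2.5" is written as a future event, so both go stale with the next chart or ArgoCD release. Consider deriving the revision from the chart version when the README is rendered, and rewording the sentence so it stays true after v2.5 ships (for example "supported from ArgoCD v2.5"). The manifest also covers only half of the advice: the first paragraph recommends ignoring diffs in aggregated cluster roles, but the example does not show it, so either add that setting or say explicitly that it is configured outside the Application. The opening fence has no language tag; `yaml` would give highlighting in the rendered README.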