cloudogu · nihussmann · Jun 23, 2025 · Jun 12, 2025 · Jun 12, 2025 · Jun 23, 2025
diff --git a/argocd/argocd/operator/argocd.ftl.yaml b/argocd/argocd/operator/argocd.ftl.yaml
@@ -103,6 +103,7 @@ spec:
     </#list>
     </#if>
   server:
+    insecure: ${isInsecure?c}
     resources:
       limits:
         cpu: "500m"
@@ -120,7 +121,42 @@ spec:
     route:
       enabled: ${isOpenshift?c}
     host: "${argocd.host}"
+    # Enable ingress only if we are not on OpenShift and insecure mode is NOT enabled.
+    # Note: When insecure mode is enabled, forced HTTP redirect to HTTPS cannot be disabled here(likely due to a bug),
+    # so we cannot use this ingress for insecure mode. For insecure mode we use a separate file (ingress.ftl.yaml).
+    ingress:
+      enabled: ${((!isOpenshift) && (!isInsecure))?c}
+  initialRepositories: |
+    - name: argocd
+      url: ${scmm.repoUrl}argocd/argocd<#if scmm.provider == "gitlab">.git</#if>
+    - name: example-apps
+      url: ${scmm.repoUrl}argocd/example-apps<#if scmm.provider == "gitlab">.git</#if>
+    - name: cluster-resources
+      url: ${scmm.repoUrl}argocd/cluster-resources<#if scmm.provider == "gitlab">.git</#if>
+    - name: nginx-helm-jenkins
+      url: ${scmm.repoUrl}argocd/nginx-helm-jenkins<#if scmm.provider == "gitlab">.git</#if>
+    - name: nginx-helm-umbrella
+      url: ${scmm.repoUrl}argocd/nginx-helm-umbrella<#if scmm.provider == "gitlab">.git</#if>
+    - name: bitnami
+      type: helm
+      url: https://raw.githubusercontent.com/bitnami/charts/archive-full-index/bitnami
+    - name: prometheus-community
+      type: helm
+      url: https://prometheus-community.github.io/helm-charts
+    - name: codecentric
+      type: helm
+      url: https://codecentric.github.io/helm-charts
+    - name: ingress-nginx
+      type: helm
+      url: https://kubernetes.github.io/ingress-nginx
   resourceInclusions: |
+    - apiGroups:
+      - "batch"
+      kinds:
+      - "Job"
+      clusters:
+      - "https://kubernetes.default.svc"
+      - "${argocd.resourceInclusionsCluster}"
     - apiGroups:
       - ""
       kinds:

diff --git a/argocd/argocd/operator/ingress.ftl.yaml b/argocd/argocd/operator/ingress.ftl.yaml
@@ -0,0 +1,25 @@
+  <#if (!isOpenshift && isInsecure)>
+  apiVersion: networking.k8s.io/v1
+  kind: Ingress
+  metadata:
+    name: argocd
+    namespace: "${namePrefix}argocd"
+    labels:
+      app: argocd-server
+    annotations:
+      nginx.ingress.kubernetes.io/ssl-redirect: "false"
+      nginx.ingress.kubernetes.io/force-ssl-redirect: "false"
+  spec:
+    rules:
+      - host: "${argocd.host}"
+        http:
+          paths:
+            - path: /
+              pathType: Prefix
+              backend:
+                service:
+                  name: argocd-server
+                  port:
+                    number: 80
+    </#if>
+
diff --git a/argocd/argocd/operator/rbac/example-apps-production.ftl.yaml b/argocd/argocd/operator/rbac/example-apps-production.ftl.yaml
@@ -4,6 +4,18 @@ metadata:
   namespace: "${namePrefix}example-apps-production"
   name: argocd
 rules:
+  - apiGroups:
+      - "batch"
+    resources:
+      - jobs
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
   - apiGroups:
       - "route.openshift.io"
     resources:
@@ -170,13 +182,13 @@ metadata:
 subjects:
   - kind: ServiceAccount
     name: argocd-argocd-server
-    namespace: argocd
+    namespace: "${namePrefix}argocd"
   - kind: ServiceAccount
     name: argocd-argocd-application-controller
-    namespace: argocd
+    namespace: "${namePrefix}argocd"
   - kind: ServiceAccount
     name: argocd-applicationset-controller
-    namespace: argocd
+    namespace: "${namePrefix}argocd"
 roleRef:
   kind: Role
   name: argocd

diff --git a/argocd/argocd/operator/rbac/example-apps-staging.ftl.yaml b/argocd/argocd/operator/rbac/example-apps-staging.ftl.yaml
@@ -4,6 +4,18 @@ metadata:
   namespace: "${namePrefix}example-apps-staging"
   name: argocd
 rules:
+  - apiGroups:
+      - "batch"
+    resources:
+      - jobs
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
   - apiGroups:
       - "route.openshift.io"
     resources:
@@ -170,13 +182,13 @@ metadata:
 subjects:
   - kind: ServiceAccount
     name: argocd-argocd-server
-    namespace: argocd
+    namespace: "${namePrefix}argocd"
   - kind: ServiceAccount
     name: argocd-argocd-application-controller
-    namespace: argocd
+    namespace: "${namePrefix}argocd"
   - kind: ServiceAccount
     name: argocd-applicationset-controller
-    namespace: argocd
+    namespace: "${namePrefix}argocd"
 roleRef:
   kind: Role
   name: argocd

diff --git a/argocd/argocd/operator/rbac/ingress-nginx.ftl.yaml b/argocd/argocd/operator/rbac/ingress-nginx.ftl.yaml
@@ -4,6 +4,18 @@ metadata:
   namespace: "${namePrefix}ingress-nginx"
   name: argocd
 rules:
+  - apiGroups:
+      - "batch"
+    resources:
+      - jobs
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
   - apiGroups:
       - "route.openshift.io"
     resources:
@@ -170,13 +182,13 @@ metadata:
 subjects:
   - kind: ServiceAccount
     name: argocd-argocd-server
-    namespace: argocd
+    namespace: "${namePrefix}argocd"
   - kind: ServiceAccount
     name: argocd-argocd-application-controller
-    namespace: argocd
+    namespace: "${namePrefix}argocd"
   - kind: ServiceAccount
     name: argocd-applicationset-controller
-    namespace: argocd
+    namespace: "${namePrefix}argocd"
 roleRef:
   kind: Role
   name: argocd

diff --git a/argocd/argocd/operator/rbac/monitoring.ftl.yaml b/argocd/argocd/operator/rbac/monitoring.ftl.yaml
@@ -4,6 +4,18 @@ metadata:
   namespace: "${namePrefix}monitoring"
   name: argocd
 rules:
+  - apiGroups:
+      - "batch"
+    resources:
+      - jobs
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
   - apiGroups:
       - "route.openshift.io"
     resources:
@@ -170,13 +182,13 @@ metadata:
 subjects:
   - kind: ServiceAccount
     name: argocd-argocd-server
-    namespace: argocd
+    namespace: "${namePrefix}argocd"
   - kind: ServiceAccount
     name: argocd-argocd-application-controller
-    namespace: argocd
+    namespace: "${namePrefix}argocd"
   - kind: ServiceAccount
     name: argocd-applicationset-controller
-    namespace: argocd
+    namespace: "${namePrefix}argocd"
 roleRef:
   kind: Role
   name: argocd

diff --git a/argocd/argocd/operator/rbac/secrets.ftl.yaml b/argocd/argocd/operator/rbac/secrets.ftl.yaml
@@ -4,6 +4,18 @@ metadata:
   namespace: "${namePrefix}secrets"
   name: argocd
 rules:
+  - apiGroups:
+      - "batch"
+    resources:
+      - jobs
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
   - apiGroups:
       - "route.openshift.io"
     resources:
@@ -170,13 +182,13 @@ metadata:
 subjects:
   - kind: ServiceAccount
     name: argocd-argocd-server
-    namespace: argocd
+    namespace: "${namePrefix}argocd"
   - kind: ServiceAccount
     name: argocd-argocd-application-controller
-    namespace: argocd
+    namespace: "${namePrefix}argocd"
   - kind: ServiceAccount
     name: argocd-applicationset-controller
-    namespace: argocd
+    namespace: "${namePrefix}argocd"
 roleRef:
   kind: Role
   name: argocd

diff --git a/src/main/groovy/com/cloudogu/gitops/utils/TemplatingEngine.groovy b/src/main/groovy/com/cloudogu/gitops/utils/TemplatingEngine.groovy
@@ -18,11 +18,17 @@ class TemplatingEngine {
      */
     File replaceTemplate(File templateFile, Map parameters) {
         def targetFile = new File(templateFile.toString().replace(".ftl", ""))
+        def rendered = template(templateFile, parameters)
 
-        template(templateFile, targetFile, parameters)
+        // Only write file if template has non-empty output.
+        // This avoids creating empty files when the entire template is skipped via <#if>.
+        if (rendered?.trim()) {
+            targetFile.text = rendered
+        } else {
+            targetFile.delete()
+        }
 
         templateFile.delete()
-
         return targetFile
     }