ArgoCD
Gate ArgoCD syncs with a Valqore PreSync hook.
ArgoCD Integration
Valqore integrates with ArgoCD as a PreSync hook. When ArgoCD detects a change in Git, the hook evaluates incoming manifests and either allows or blocks the sync.
Sync Flow
Git Commit → ArgoCD Detect → PreSync Job (Valqore) → Sync / Block
PreSync Hook Job
```yaml
apiVersion: batch/v1
kind: Job
metadata:
  name: valqore-presync
  annotations:
    argocd.argoproj.io/hook: PreSync
    argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
spec:
  backoffLimit: 0
  template:
    spec:
      serviceAccountName: valqore-presync
      restartPolicy: Never
      containers:
        - name: valqore
          image: ghcr.io/valqore/valqore-engine:latest
          env:
            - name: VALQORE_FAIL_ON
              value: "block"
            - name: VALQORE_MANIFESTS_PATH
              value: "/manifests"
            - name: VALQORE_API_KEY
              valueFrom:
                secretKeyRef:
                  name: valqore-secret
                  key: api-key
          volumeMounts:
            - name: manifests
              mountPath: /manifests
      volumes:
        - name: manifests
          emptyDir: {}
```
ServiceAccount & RBAC
```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: valqore-presync
  namespace: argocd
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: valqore-presync
  namespace: argocd
rules:
  - apiGroups: ["argoproj.io"]
    resources: ["applications"]
    verbs: ["get", "patch"]
  - apiGroups: [""]
    resources: ["configmaps", "secrets"]
    verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: valqore-presync
  namespace: argocd
subjects:
  - kind: ServiceAccount
    name: valqore-presync
    namespace: argocd
roleRef:
  kind: Role
  name: valqore-presync
  apiGroup: rbac.authorization.k8s.io
```
Environment Variables
| Variable | Required | Default | Description |
|---|---|---|---|
| VALQORE_FAIL_ON | No | block | Verdict level that causes non-zero exit. |
| VALQORE_MANIFESTS_PATH | Yes | -- | Path inside container where manifests are mounted. |
| VALQORE_API_KEY | Yes | -- | Valqore API key (use a Kubernetes Secret). |
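An added example, not Valqore's or ArgoCD's own code: a Python check that lints the hook Job, taken as the dict parsed from `kubectl get job -o json`, against the settings described on this page. The function name, the image-digest check (an extra hardening assumption, not a Valqore requirement) and both sample manifests are constructed here.

```python
import copy

def lint_presync_job(job):
    """Return findings for a PreSync hook Job given as a dict."""
    findings = []
    annotations = job.get("metadata", {}).get("annotations", {})
    if annotations.get("argocd.argoproj.io/hook") != "PreSync":
        findings.append("hook annotation is not PreSync")
    spec = job.get("spec", {})
    pod = spec.get("template", {}).get("spec", {})
    if spec.get("backoffLimit") != 0 or pod.get("restartPolicy") != "Never":
        findings.append("failed run is retried: want backoffLimit 0, restartPolicy Never")
    for c in pod.get("containers", []):
        env = {e["name"]: e for e in c.get("env", [])}
        key = env.get("VALQORE_API_KEY")
        if key is None:
            findings.append("VALQORE_API_KEY is required but not set")
        elif "secretKeyRef" not in key.get("valueFrom", {}):
            findings.append("VALQORE_API_KEY is not read from a Secret")
        path = env.get("VALQORE_MANIFESTS_PATH", {}).get("value")
        mounts = {m["mountPath"] for m in c.get("volumeMounts", [])}
        if path is None:
            findings.append("VALQORE_MANIFESTS_PATH is required but not set")
        elif path not in mounts:
            findings.append("VALQORE_MANIFESTS_PATH matches no volumeMount")
        # Added hardening check (assumption of this example, not a Valqore rule).
        if "@sha256:" not in c.get("image", ""):
            findings.append("image uses a mutable tag instead of a digest")
    return findings

# Constructed sample: the Job manifest from this page, as a dict.
PAGE_JOB = {
    "metadata": {"name": "valqore-presync", "annotations": {
        "argocd.argoproj.io/hook": "PreSync",
        "argocd.argoproj.io/hook-delete-policy": "BeforeHookCreation"}},
    "spec": {"backoffLimit": 0, "template": {"spec": {
        "serviceAccountName": "valqore-presync", "restartPolicy": "Never",
        "containers": [{"name": "valqore",
            "image": "ghcr.io/valqore/valqore-engine:latest",
            "env": [{"name": "VALQORE_FAIL_ON", "value": "block"},
                    {"name": "VALQORE_MANIFESTS_PATH", "value": "/manifests"},
                    {"name": "VALQORE_API_KEY", "valueFrom": {"secretKeyRef": {
                        "name": "valqore-secret", "key": "api-key"}}}],
            "volumeMounts": [{"name": "manifests", "mountPath": "/manifests"}]}],
        "volumes": [{"name": "manifests", "emptyDir": {}}]}}}}

# Constructed misconfiguration: retries on, wrong path, key inlined as a literal.
BAD_JOB = copy.deepcopy(PAGE_JOB)
BAD_JOB["spec"]["backoffLimit"] = 3
bad_env = BAD_JOB["spec"]["template"]["spec"]["containers"][0]["env"]
bad_env[1]["value"] = "/work"
bad_env[2] = {"name": "VALQORE_API_KEY", "value": "EXAMPLE-NOT-A-REAL-KEY"}
```

Run against the page's manifest, the only finding is the `:latest` tag; the constructed bad manifest also trips the retry, path and Secret checks.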