authorPaul Buetow <paul@buetow.org>2025-12-30 11:24:31 +0200
committerPaul Buetow <paul@buetow.org>2025-12-30 11:24:31 +0200
commit2a61fbb9dee0ea99b5222be0b7be037325664c80 (patch)
tree576a1f9089187c67bb573bf7e84f43606cbbdb81
parent14d6f81d9e10c3271fc6bc690dca71de929ba0c7 (diff)
Add ArgoCD deployment to cicd namespace
Deploy ArgoCD v3.2.3 for GitOps continuous delivery in the k3s cluster. Configuration: - New cicd namespace for CI/CD tooling - Non-HA single instance deployment (following cluster patterns) - Traefik ingress at argocd.f3s.buetow.org - Prometheus ServiceMonitor integration for metrics - 10Gi persistent volume for repo-server cache - Insecure mode with TLS termination at proxy Components deployed: - argocd-server (Web UI and API) - argocd-repo-server (Repository management) - argocd-application-controller (Application sync) - argocd-redis (State cache) - argocd-applicationset-controller (Multi-app management) Also adds argocd.f3s.buetow.org to frontends Rexfile for relayd proxy configuration. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
-rw-r--r--f3s/CLAUDE.md2
-rw-r--r--f3s/argocd/Justfile43
-rw-r--r--f3s/argocd/README.md369
-rw-r--r--f3s/argocd/ingress.yaml24
-rw-r--r--f3s/argocd/persistent-volumes.yaml31
-rw-r--r--f3s/argocd/values.yaml92
-rw-r--r--frontends/Rexfile2
7 files changed, 562 insertions, 1 deletions
diff --git a/f3s/CLAUDE.md b/f3s/CLAUDE.md
new file mode 100644
index 0000000..18cf7d2
--- /dev/null
+++ b/f3s/CLAUDE.md
@@ -0,0 +1,2 @@
+Read /home/paul/Notes/snippets/f3s/f3s.md
+
diff --git a/f3s/argocd/Justfile b/f3s/argocd/Justfile
new file mode 100644
index 0000000..6aa7b76
--- /dev/null
+++ b/f3s/argocd/Justfile
@@ -0,0 +1,43 @@
+# ArgoCD deployment automation
+# Deploys ArgoCD to the 'cicd' namespace following f3s cluster patterns
+
+NAMESPACE := "cicd"
+RELEASE_NAME := "argocd"
+
+install:
+ helm repo add argo https://argoproj.github.io/argo-helm || true
+ helm repo update
+ kubectl create namespace {{NAMESPACE}} || true
+ kubectl apply -f persistent-volumes.yaml
+ helm install {{RELEASE_NAME}} argo/argo-cd --namespace {{NAMESPACE}} -f values.yaml
+ @echo "Waiting for ArgoCD to be ready..."
+ @sleep 10
+ kubectl apply -f ingress.yaml
+ @echo ""
+ @echo "ArgoCD deployed successfully!"
+ @echo "Access UI at: http://argocd.f3s.buetow.org"
+ @echo ""
+ @echo "Get initial admin password with:"
+ @echo "kubectl -n {{NAMESPACE}} get secret argocd-initial-admin-secret -o jsonpath=\"{.data.password}\" | base64 -d"
+
+upgrade:
+ helm upgrade {{RELEASE_NAME}} argo/argo-cd --namespace {{NAMESPACE}} -f values.yaml
+ kubectl apply -f ingress.yaml
+
+uninstall:
+ kubectl delete -f ingress.yaml || true
+ helm uninstall {{RELEASE_NAME}} --namespace {{NAMESPACE}} || true
+ kubectl delete -f persistent-volumes.yaml || true
+
+status:
+ kubectl get pods -n {{NAMESPACE}} -l app.kubernetes.io/name=argocd-server
+ kubectl get svc -n {{NAMESPACE}} -l app.kubernetes.io/name=argocd-server
+ kubectl get ingress -n {{NAMESPACE}} argocd-server-ingress
+ kubectl get pvc -n {{NAMESPACE}} argocd-repo-server-pvc
+
+logs:
+ kubectl logs -n {{NAMESPACE}} -l app.kubernetes.io/name=argocd-server --tail=100 -f
+
+get-password:
+ @kubectl -n {{NAMESPACE}} get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d
+ @echo ""
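Review bot: The `helm install` line in the `install` recipe, and `helm upgrade` in `upgrade`, carry no `--version`, so each run deploys whatever chart the `argo` repo currently serves rather than the release named in the commit message, and the deployment is not reproducible. Pin both, e.g. `helm install {{RELEASE_NAME}} argo/argo-cd --namespace {{NAMESPACE}} -f values.yaml --version <CHART_VERSION>`. The fixed `@sleep 10` does not establish readiness; `kubectl -n {{NAMESPACE}} rollout status deployment/argocd-server` before applying the ingress would make the "deployed successfully" message accurate. The echoed access URL is `http://`, which points the operator at a plaintext login for the admin account if that name answers without TLS anywhere on the path.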
diff --git a/f3s/argocd/README.md b/f3s/argocd/README.md
new file mode 100644
index 0000000..56d2560
--- /dev/null
+++ b/f3s/argocd/README.md
@@ -0,0 +1,369 @@
+# ArgoCD Deployment for f3s Cluster
+
+ArgoCD is a declarative, GitOps continuous delivery tool for Kubernetes.
+
+## Overview
+
+This deployment follows f3s cluster patterns:
+- **Namespace**: `cicd` (new namespace for CI/CD tooling)
+- **Deployment Mode**: Non-HA single instance
+- **Persistence**: 10Gi hostPath volume for repo-server
+- **Ingress**: Traefik at argocd.f3s.buetow.org
+- **Monitoring**: ServiceMonitor integration with Prometheus
+
+## Architecture
+
+ArgoCD components deployed:
+- **argocd-server**: Web UI and API server (1 replica)
+- **argocd-repo-server**: Repository management and manifest generation (1 replica, with PVC)
+- **argocd-application-controller**: Monitors applications and manages deployments (1 replica)
+- **argocd-redis**: Cache for application state (1 replica)
+- **argocd-applicationset-controller**: Multi-app management (1 replica)
+- **argocd-dex-server**: Disabled (no SSO/OAuth needed)
+
+## Prerequisites
+
+Before installation, ensure storage directory exists on cluster nodes:
+
+```bash
+# SSH to each Rocky Linux k3s node (r0, r1, r2)
+ssh root@r0
+mkdir -p /data/nfs/k3svolumes/argocd/repo-server
+chmod 777 /data/nfs/k3svolumes/argocd/repo-server
+
+# Repeat for r1, r2
+ssh root@r1
+mkdir -p /data/nfs/k3svolumes/argocd/repo-server
+chmod 777 /data/nfs/k3svolumes/argocd/repo-server
+
+ssh root@r2
+mkdir -p /data/nfs/k3svolumes/argocd/repo-server
+chmod 777 /data/nfs/k3svolumes/argocd/repo-server
+```
+
+## Installation
+
+Deploy ArgoCD using the Justfile:
+
+```bash
+just install
+```
+
+This will:
+1. Add the Argo Helm repository
+2. Create persistent volume and claim
+3. Install ArgoCD Helm chart in `cicd` namespace
+4. Create Traefik ingress for the UI
+5. Display access instructions
+
+## Access ArgoCD
+
+### Web UI
+
+URL: http://argocd.f3s.buetow.org
+
+**Default credentials:**
+- Username: `admin`
+- Password: Retrieve with `just get-password`
+
+```bash
+just get-password
+```
+
+### ArgoCD CLI
+
+Install the CLI:
+
+```bash
+curl -sSL -o argocd-linux-amd64 https://github.com/argoproj/argo-cd/releases/latest/download/argocd-linux-amd64
+sudo install -m 555 argocd-linux-amd64 /usr/local/bin/argocd
+rm argocd-linux-amd64
+```
+
+Login:
+
+```bash
+argocd login argocd.f3s.buetow.org --insecure
+# Enter username: admin
+# Enter password: (from just get-password)
+```
+
+## Management
+
+### Check Status
+
+```bash
+just status
+```
+
+### View Logs
+
+```bash
+just logs
+```
+
+### Upgrade ArgoCD
+
+```bash
+just upgrade
+```
+
+### Uninstall
+
+```bash
+just uninstall
+```
+
+**Warning**: This will delete all ArgoCD resources including applications, but the persistent volume data will be retained.
+
+## Post-Deployment Configuration
+
+### 1. Change Admin Password
+
+**Important**: Change the default admin password immediately after first login.
+
+Using the Web UI:
+1. Login to http://argocd.f3s.buetow.org
+2. Click on "User Info" in the left sidebar
+3. Click "Update Password"
+
+Using the CLI:
+
+```bash
+argocd login argocd.f3s.buetow.org --insecure
+argocd account update-password
+```
+
+### 2. Add Git Repositories
+
+For public repositories:
+
+```bash
+argocd repo add https://github.com/argoproj/argocd-example-apps.git
+```
+
+For private repositories (HTTPS):
+
+```bash
+argocd repo add https://github.com/yourusername/yourrepo.git \
+ --username git \
+ --password ghp_yourGitHubPersonalAccessToken
+```
+
+For private repositories (SSH):
+
+```bash
+argocd repo add git@github.com:yourusername/yourrepo.git \
+ --ssh-private-key-path ~/.ssh/id_rsa
+```
+
+### 3. Create Your First Application
+
+Using the CLI:
+
+```bash
+argocd app create guestbook \
+ --repo https://github.com/argoproj/argocd-example-apps.git \
+ --path guestbook \
+ --dest-server https://kubernetes.default.svc \
+ --dest-namespace default
+```
+
+Using the Web UI:
+1. Click "+ NEW APP" button
+2. Fill in application details
+3. Click "CREATE"
+
+### 4. Sync an Application
+
+```bash
+argocd app sync guestbook
+```
+
+Or enable auto-sync:
+
+```bash
+argocd app set guestbook --sync-policy automated
+```
+
+## Monitoring
+
+ArgoCD metrics are automatically scraped by Prometheus via ServiceMonitor.
+
+View metrics in Grafana: http://grafana.f3s.buetow.org
+
+**Recommended Grafana Dashboards:**
+- ArgoCD (ID: 14584) - https://grafana.com/grafana/dashboards/14584
+- ArgoCD Application Metrics (ID: 19993) - https://grafana.com/grafana/dashboards/19993
+
+Import dashboards:
+1. Go to Grafana → Dashboards → Import
+2. Enter dashboard ID
+3. Select Prometheus datasource
+4. Click "Import"
+
+## Troubleshooting
+
+### Check All Pods are Running
+
+```bash
+kubectl get pods -n cicd
+```
+
+Expected output:
+```
+NAME READY STATUS RESTARTS AGE
+argocd-application-controller-0 1/1 Running 0 5m
+argocd-applicationset-controller-xxx 1/1 Running 0 5m
+argocd-redis-xxx 1/1 Running 0 5m
+argocd-repo-server-xxx 1/1 Running 0 5m
+argocd-server-xxx 1/1 Running 0 5m
+```
+
+### Check Persistent Volume Binding
+
+```bash
+kubectl get pv argocd-repo-server-pv
+kubectl get pvc -n cicd argocd-repo-server-pvc
+```
+
+The PVC should be in `Bound` status.
+
+### Access Server Logs
+
+```bash
+kubectl logs -n cicd -l app.kubernetes.io/name=argocd-server
+```
+
+### Check Ingress
+
+```bash
+kubectl describe ingress -n cicd argocd-server-ingress
+```
+
+### Application Not Syncing
+
+1. Check repo-server logs:
+ ```bash
+ kubectl logs -n cicd -l app.kubernetes.io/name=argocd-repo-server
+ ```
+
+2. Check application controller logs:
+ ```bash
+ kubectl logs -n cicd -l app.kubernetes.io/name=argocd-application-controller
+ ```
+
+3. Verify repository credentials:
+ ```bash
+ argocd repo list
+ ```
+
+### Reset Admin Password
+
+If you forget the admin password:
+
+```bash
+# Delete the initial admin secret
+kubectl -n cicd delete secret argocd-initial-admin-secret
+
+# Restart the server to regenerate it
+kubectl -n cicd rollout restart deployment argocd-server
+
+# Wait for restart
+kubectl -n cicd rollout status deployment argocd-server
+
+# Get new password
+just get-password
+```
+
+## Common ArgoCD Operations
+
+### List All Applications
+
+```bash
+argocd app list
+```
+
+### Get Application Details
+
+```bash
+argocd app get <app-name>
+```
+
+### Delete an Application
+
+```bash
+argocd app delete <app-name>
+```
+
+### View Application Sync History
+
+```bash
+argocd app history <app-name>
+```
+
+### Rollback an Application
+
+```bash
+argocd app rollback <app-name> <revision-id>
+```
+
+## Security Considerations
+
+1. **TLS**: Server runs in insecure mode with TLS termination at Traefik ingress
+2. **RBAC**: Configure ArgoCD projects and RBAC policies for team access
+3. **Secret Management**: Consider using sealed-secrets or external-secrets operator
+4. **Repository Access**: Use SSH keys or personal access tokens (not passwords)
+5. **Network Policies**: Consider implementing NetworkPolicy for pod-to-pod communication restrictions
+
+## Backup and Restore
+
+### Backup ArgoCD Configuration
+
+```bash
+# Backup all ArgoCD resources
+kubectl get applications,appprojects,secrets -n cicd -o yaml > argocd-backup.yaml
+
+# Backup repo-server data (on cluster node)
+ssh root@r0
+tar czf argocd-repo-backup.tar.gz /data/nfs/k3svolumes/argocd/repo-server
+```
+
+### Restore from Backup
+
+```bash
+# Restore ArgoCD resources
+kubectl apply -f argocd-backup.yaml
+
+# Restore repo-server data (on cluster node)
+ssh root@r0
+tar xzf argocd-repo-backup.tar.gz -C /
+```
+
+## Upgrading ArgoCD
+
+Check for updates:
+
+```bash
+helm repo update
+helm search repo argo/argo-cd --versions
+```
+
+Upgrade to latest version:
+
+```bash
+just upgrade
+```
+
+Upgrade to specific version:
+
+```bash
+helm upgrade argocd argo/argo-cd --namespace cicd -f values.yaml --version X.Y.Z
+```
+
+## References
+
+- ArgoCD Documentation: https://argo-cd.readthedocs.io/
+- ArgoCD GitHub: https://github.com/argoproj/argo-cd
+- Helm Chart: https://github.com/argoproj/argo-helm
+- Example Apps: https://github.com/argoproj/argocd-example-apps
diff --git a/f3s/argocd/ingress.yaml b/f3s/argocd/ingress.yaml
new file mode 100644
index 0000000..b10c288
--- /dev/null
+++ b/f3s/argocd/ingress.yaml
@@ -0,0 +1,24 @@
+# ArgoCD UI Ingress
+# Exposes ArgoCD web interface at argocd.f3s.buetow.org
+# Following f3s cluster ingress pattern (Traefik)
+
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: argocd-server-ingress
+ namespace: cicd
+ annotations:
+ spec.ingressClassName: traefik
+ traefik.ingress.kubernetes.io/router.entrypoints: web
+spec:
+ rules:
+ - host: argocd.f3s.buetow.org
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: argocd-server
+ port:
+ number: 80
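Review bot: `spec.ingressClassName: traefik` sits under `metadata.annotations`, where it is only an arbitrary annotation key; the ingress class is a field of the spec, so this Ingress is class-less and depends on how Traefik treats Ingresses without a class. Move it to `ingressClassName: traefik` directly under `spec:`. The route is bound to the `web` entrypoint with no `tls:` section, and values.yaml sets `server.insecure: true`, so the admin login and API tokens cross the hop between the TLS-terminating frontend and Traefik unencrypted. That is presumably the intended relayd design, but a header comment such as `# TLS terminates at the relayd frontend; traffic from relayd to Traefik is plain HTTP` would make the trust boundary explicit for the next reader.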
diff --git a/f3s/argocd/persistent-volumes.yaml b/f3s/argocd/persistent-volumes.yaml
new file mode 100644
index 0000000..d0d186e
--- /dev/null
+++ b/f3s/argocd/persistent-volumes.yaml
@@ -0,0 +1,31 @@
+# Persistent Volume and Claim for ArgoCD repo-server
+# Following the pattern from Loki and Tempo deployments
+# Storage: 10Gi at /data/nfs/k3svolumes/argocd/repo-server
+
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+ name: argocd-repo-server-pv
+spec:
+ capacity:
+ storage: 10Gi
+ volumeMode: Filesystem
+ accessModes:
+ - ReadWriteOnce
+ persistentVolumeReclaimPolicy: Retain
+ hostPath:
+ path: /data/nfs/k3svolumes/argocd/repo-server
+ type: DirectoryOrCreate
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: argocd-repo-server-pvc
+ namespace: cicd
+spec:
+ storageClassName: "" # Empty for manual binding to PV
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 10Gi
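Review bot: The PersistentVolumeClaim does not name its volume, so with `storageClassName: ""` it can bind to any available class-less PV of sufficient size, not necessarily `argocd-repo-server-pv`; add `volumeName: argocd-repo-server-pv` under the claim's `spec:`. The PV is a `hostPath` without `nodeAffinity`, so what a pod sees depends on the node it is scheduled to unless the path is shared storage on every node (the `/data/nfs/` prefix suggests so, but that is not visible here). The README in this commit prepares the directory with `chmod 777`, which lets any local account on the node alter what the repo-server reads from it; owning the directory by the uid the repo-server runs as and using a narrower mode would close that.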
diff --git a/f3s/argocd/values.yaml b/f3s/argocd/values.yaml
new file mode 100644
index 0000000..9dcc3d3
--- /dev/null
+++ b/f3s/argocd/values.yaml
@@ -0,0 +1,92 @@
+# ArgoCD Helm Chart Values Override
+# Following f3s cluster patterns: non-HA, single instance deployment
+
+global:
+ domain: argocd.f3s.buetow.org
+
+# Disable HA mode - following cluster pattern
+redis-ha:
+ enabled: false
+
+# Use standard Redis with authentication
+redis:
+ enabled: true
+
+# Controller configuration (manages k8s resources)
+controller:
+ replicas: 1
+ # Enable metrics for Prometheus integration
+ metrics:
+ enabled: true
+ serviceMonitor:
+ enabled: true
+ namespace: cicd
+ additionalLabels:
+ release: prometheus
+
+# Server configuration (API/Web UI)
+server:
+ replicas: 1
+ # Run in insecure mode - TLS termination at ingress
+ insecure: true
+ # Disable built-in ingress - using separate manifest
+ ingress:
+ enabled: false
+ # Resource limits
+ resources:
+ limits:
+ cpu: 500m
+ memory: 512Mi
+ requests:
+ cpu: 250m
+ memory: 256Mi
+ # Enable metrics for Prometheus integration
+ metrics:
+ enabled: true
+ serviceMonitor:
+ enabled: true
+ namespace: cicd
+ additionalLabels:
+ release: prometheus
+
+# Repo Server configuration (clones repos, generates manifests)
+repoServer:
+ replicas: 1
+ # Resource limits
+ resources:
+ limits:
+ cpu: 500m
+ memory: 512Mi
+ requests:
+ cpu: 250m
+ memory: 256Mi
+ # Enable metrics for Prometheus integration
+ metrics:
+ enabled: true
+ serviceMonitor:
+ enabled: true
+ namespace: cicd
+ additionalLabels:
+ release: prometheus
+
+# ApplicationSet controller (multi-app management)
+applicationSet:
+ replicas: 1
+
+# Notifications controller - disabled
+notifications:
+ enabled: false
+
+# Dex (SSO/OAuth) - disabled for simplicity
+dex:
+ enabled: false
+
+# CRD installation
+crds:
+ install: true
+ keep: true
+
+# Server configuration parameters - run in insecure mode
+configs:
+ params:
+ server.insecure: true
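Review bot: The `repoServer:` section defines no volume or volume mount, so the `argocd-repo-server-pvc` claim created by persistent-volumes.yaml is not attached to anything in these values and the "10Gi persistent volume for repo-server cache" from the commit message would sit unused. Wiring it through the chart's `repoServer.volumes` and `repoServer.volumeMounts` is sketched below; the mount path is a placeholder to be set to wherever the cache should live. Separately, `insecure: true` under `server:` duplicates `configs.params.server.insecure` at the end of the file; as far as I know only the latter is read by current chart versions, so the former can probably be dropped. The comment "Use standard Redis with authentication" is not backed by any setting in this file and should either name the value that enables it or be reworded.

```yaml
repoServer:
  # … unchanged: replicas, resources, metrics …
  volumes:
    - name: repo-cache
      persistentVolumeClaim:
        claimName: argocd-repo-server-pvc
  volumeMounts:
    - name: repo-cache
      mountPath: <REPO_CACHE_MOUNT_PATH>
```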
diff --git a/frontends/Rexfile b/frontends/Rexfile
index e555124..f988e25 100644
--- a/frontends/Rexfile
+++ b/frontends/Rexfile
@@ -77,7 +77,7 @@ our @dns_zones_remove = qw//;
# k3s cluster running on FreeBSD in my LAN
our @f3s_hosts =
- qw/f3s.buetow.org keybr.f3s.buetow.org anki.f3s.buetow.org bag.f3s.buetow.org flux.f3s.buetow.org audiobookshelf.f3s.buetow.org grafana.f3s.buetow.org radicale.f3s.buetow.org vault.f3s.buetow.org syncthing.f3s.buetow.org uprecords.f3s.buetow.org koreader.f3s.buetow.org filebrowser.f3s.buetow.org webdav.f3s.buetow.org/;
+ qw/f3s.buetow.org argocd.f3s.buetow.org keybr.f3s.buetow.org anki.f3s.buetow.org bag.f3s.buetow.org flux.f3s.buetow.org audiobookshelf.f3s.buetow.org grafana.f3s.buetow.org radicale.f3s.buetow.org vault.f3s.buetow.org syncthing.f3s.buetow.org uprecords.f3s.buetow.org koreader.f3s.buetow.org filebrowser.f3s.buetow.org webdav.f3s.buetow.org/;
# optionally, only enable manually for temp time, as no password protection yet
# push @f3s_hosts, 'registry.f3s.buetow.org';
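Review bot: Adding `argocd.f3s.buetow.org` to `@f3s_hosts` publishes the ArgoCD login through the frontends, while the comment two lines below keeps `registry.f3s.buetow.org` out of the same list for lack of password protection. ArgoCD here has only the built-in `admin` account (values.yaml disables Dex) and its API can change cluster workloads, so the same consideration applies: the initial admin password should be rotated before this host goes live, and it is worth deciding whether the name needs to be reachable from outside the LAN at all. Whether the frontends are internet-facing is not visible in this hunk. A short comment above the list recording that decision, e.g. `# argocd: exposed via frontends; admin password rotated, see f3s/argocd/README.md`, would document it.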