From 6b519f6b12e957af5a57b05dd9778bcbf6496d98 Mon Sep 17 00:00:00 2001
From: Deep Koluguri <deepkoluguri@gmail.com>
Date: Mon, 11 May 2026 13:35:21 -0400
Subject: [PATCH] Argo: explicit cluster resource whitelist for webhooks;
 Temporal multi-source valueFiles ref=values

Co-authored-by: Cursor <cursoragent@cursor.com>
---
 platform/bootstrap/apps/app-temporal.yaml |  4 ++--
 platform/bootstrap/root-app-project.yaml  | 11 +++++++++++
 2 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/platform/bootstrap/apps/app-temporal.yaml b/platform/bootstrap/apps/app-temporal.yaml
index 75a4fd5..c5b4831 100644
--- a/platform/bootstrap/apps/app-temporal.yaml
+++ b/platform/bootstrap/apps/app-temporal.yaml
@@ -16,10 +16,10 @@ spec:
       targetRevision: 0.55.0
       helm:
         valueFiles:
-          - $repo/helm-values.yaml
+          - $values/helm-values.yaml
     - repoURL: http://192.168.8.248:3000/deepkoluguri/agentic-os.git
       targetRevision: main
-      ref: repo
+      ref: values
       path: ai-core/temporal
   syncPolicy:
     automated:
diff --git a/platform/bootstrap/root-app-project.yaml b/platform/bootstrap/root-app-project.yaml
index ea68495..7969369 100644
--- a/platform/bootstrap/root-app-project.yaml
+++ b/platform/bootstrap/root-app-project.yaml
@@ -13,8 +13,19 @@ spec:
     - namespace: "*"
       server: https://kubernetes.default.svc
   clusterResourceWhitelist:
+    # Broad allow; some Argo CD builds still reject certain cluster kinds unless named explicitly.
     - group: "*"
       kind: "*"
+    - group: admissionregistration.k8s.io
+      kind: MutatingWebhookConfiguration
+    - group: admissionregistration.k8s.io
+      kind: ValidatingWebhookConfiguration
+    - group: apiextensions.k8s.io
+      kind: CustomResourceDefinition
+    - group: rbac.authorization.k8s.io
+      kind: ClusterRole
+    - group: rbac.authorization.k8s.io
+      kind: ClusterRoleBinding
   namespaceResourceWhitelist:
     - group: "*"
       kind: "*"