Skip to content

Commit

Permalink
Merge branch 'argo-cd' into feat/acr-controller
Browse files Browse the repository at this point in the history
  • Loading branch information
pasha-codefresh authored Sep 26, 2024
2 parents 72fb3b7 + 821746a commit 65ed48f
Show file tree
Hide file tree
Showing 101 changed files with 2,379 additions and 923 deletions.
2 changes: 1 addition & 1 deletion .github/configs/ct-install.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@ charts:
- charts/argo-cd
chart-repos:
- dandydeveloper=https://dandydeveloper.github.io/charts/
helm-extra-args: "--timeout 600s"
helm-extra-args: "--timeout 600s"
validate-chart-schema: false
validate-maintainers: true
validate-yaml: true
Expand Down
8 changes: 8 additions & 0 deletions .github/dependabot.yml
Original file line number Diff line number Diff line change
Expand Up @@ -6,3 +6,11 @@ updates:
schedule:
interval: weekly
day: "saturday"
commit-message:
prefix: "chore(deps)"
groups:
dependencies:
applies-to: version-updates
update-types:
- "minor"
- "patch"
8 changes: 4 additions & 4 deletions .github/workflows/lint-and-test.yml
Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,7 @@ jobs:
options: --user 1001
steps:
- name: Checkout
uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Run ah lint
working-directory: ./charts
run: ah lint
Expand All @@ -22,7 +22,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
fetch-depth: 0

Expand All @@ -32,7 +32,7 @@ jobs:
version: v3.10.1 # Also update in publish.yaml

- name: Set up python
uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1
with:
python-version: 3.9

Expand Down Expand Up @@ -90,4 +90,4 @@ jobs:
- name: Run chart-testing (install)
run: ct install --config ./.github/configs/ct-install.yaml --target-branch ${{ github.base_ref }}
if: steps.list-changed.outputs.changed == 'true'
if: steps.list-changed.outputs.changed == 'true'
2 changes: 1 addition & 1 deletion .github/workflows/pr-title.yml
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,7 @@ jobs:
name: Validate PR title
runs-on: ubuntu-latest
steps:
- uses: amannn/action-semantic-pull-request@cfb60706e18bc85e8aec535e3c577abe8f70378e # v5.5.2
- uses: amannn/action-semantic-pull-request@0723387faaf9b38adef4775cd42cfd5155ed6017 # v5.5.3
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/publish.yml
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
fetch-depth: 0

Expand Down Expand Up @@ -67,7 +67,7 @@ jobs:
CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"

- name: Login to GHCR
uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: ghcr.io
username: ${{ github.actor }}
Expand Down
8 changes: 4 additions & 4 deletions .github/workflows/renovate.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -16,21 +16,21 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Get token
uses: actions/create-github-app-token@a0de6af83968303c8c955486bf9739a57d23c7f1 # v1.10.0
uses: actions/create-github-app-token@31c86eb3b33c9b601a1f60f98dcbfd1d70f379b4 # v1.10.3
id: get_token
with:
app-id: ${{ vars.RENOVATE_APP_ID }}
private-key: ${{ secrets.RENOVATE_APP_PRIVATE_KEY }}

- name: Checkout
uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

- name: Self-hosted Renovate
uses: renovatebot/github-action@063e0c946b9c1af35ef3450efc44114925d6e8e6 # v40.1.11
uses: renovatebot/github-action@630a255a1f2f56c8d8ce160bed3e3ca577ca53e2 # v40.2.7
with:
configurationFile: .github/configs/renovate-config.js
# renovate: datasource=docker depName=ghcr.io/renovatebot/renovate
renovate-version: 37.332.0
renovate-version: 38.18.0
token: '${{ steps.get_token.outputs.token }}'
env:
LOG_LEVEL: 'debug'
Expand Down
8 changes: 4 additions & 4 deletions .github/workflows/scorecard.yml
Original file line number Diff line number Diff line change
Expand Up @@ -33,12 +33,12 @@ jobs:

steps:
- name: "Checkout code"
uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
persist-credentials: false

- name: "Run analysis"
uses: ossf/scorecard-action@dc50aa9510b46c811795eb24b2f1ba02a914e534 # v2.3.3
uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
with:
results_file: results.sarif
results_format: sarif
Expand All @@ -60,14 +60,14 @@ jobs:
# Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
# format to the repository Actions tab.
- name: "Upload artifact"
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6
with:
name: SARIF file
path: results.sarif
retention-days: 5

# Upload the results to GitHub's code scanning dashboard.
- name: "Upload to code-scanning"
uses: github/codeql-action/upload-sarif@b7cec7526559c32f1616476ff32d17ba4c59b2d6 # v3.25.5
uses: github/codeql-action/upload-sarif@2c779ab0d087cd7fe7b826087247c2c81f27bfa6 # v3.26.5
with:
sarif_file: results.sarif
60 changes: 60 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -42,3 +42,63 @@ Please refer to [SECURITY.md](SECURITY.md) for details on how to report security
### Changelog

Releases are managed independently for each helm chart, and changelogs are tracked on each release. Read more about this process [here](https://github.com/argoproj/argo-helm/blob/main/CONTRIBUTING.md#changelog).

## Charts use Helm "Capabilities"

Our charts make use of the Helm built-in object "Capabilities":
> This provides information about what capabilities the Kubernetes cluster supports.
> *Source: https://helm.sh/docs/chart_template_guide/builtin_objects/*
Today we use:

- `.Capabilities.APIVersions.Has` mostly to determine whether the CRDs for ServiceMonitors (from prometheus-operator) exists inside the cluster
- `.Capabilities.KubeVersion.Version` to handle correct apiVersion of a specific resource kind (eg. "policy/v1" vs. "policy/v1beta1")

If you use the charts only to template the manifests, without installing (`helm install ..`), you need to make sure that Helm (or the Helm SDK) receives the available APIs from your Kubernetes cluster.

For this you need to pass the `--api-versions` parameter to the `helm template` command:

```bash
helm template argocd \
oci://ghcr.io/argoproj/argo-helm/argo-cd \
--api-versions monitoring.coreos.com/v1 \
--values my-argocd-values.yaml
```

If you use other tools like [Kustomize](https://kubectl.docs.kubernetes.io/references/kustomize/builtins/) or [helmfile](https://helmfile.readthedocs.io/en/latest/#configuration) to render it, there are equivalent options.

Example with Kustomize:

```yaml
# kustomization.yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

helmCharts:
- name: argo-cd
repo: oci://ghcr.io/argoproj/argo-helm
version: x.y.z
releaseName: argocd
apiVersions:
- monitoring.coreos.com/v1
valuesFile: my-argocd-values.yaml
```
Example with helmfile:
```yaml
# helmfile.yaml
repositories:
- name: argo
url: https://argoproj.github.io/argo-helm

apiVersions:
- monitoring.coreos.com/v1

releases:
- name: argocd
namespace: argocd
chart: argo/argo-cd
values:
- my-argocd-values.yaml
```
8 changes: 3 additions & 5 deletions charts/argo-cd/Chart.yaml
Original file line number Diff line number Diff line change
@@ -1,9 +1,9 @@
apiVersion: v2
appVersion: v2.11-2024.7.3-c0941bcb4
appVersion: v2.12-2024.9.9-ba613c5bd
kubeVersion: ">=1.23.0-0"
description: A Helm chart for Argo CD, a declarative, GitOps continuous delivery tool for Kubernetes.
name: argo-cd
version: 6.11.1-4-cap-2.11-2024.7.3-c0941bcb4
version: 7.4.7-1-cap-2.12-2024.9.9-ba613c5bd
home: https://github.com/argoproj/argo-helm
icon: https://argo-cd.readthedocs.io/en/stable/assets/logo.png
sources:
Expand All @@ -27,6 +27,4 @@ annotations:
url: https://argoproj.github.io/argo-helm/pgp_keys.asc
artifacthub.io/changes: |
- kind: changed
description: Upgrade argo-cd to v2.11-2024.7.3-c0941bcb4 with fix - report application event from queue instead of requesting actual state again which potentially means doesn't get same data as in original event
- kind: fixed
description: Event reporter selector labeles
description: Upgrade argo-cd to v2.12-2024.9.9-ba613c5bd with reporting of resources health errors on level with application event
49 changes: 43 additions & 6 deletions charts/argo-cd/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -278,6 +278,31 @@ For full list of changes please check ArtifactHub [changelog].

Highlighted versions provide information about additional steps that should be performed by user when upgrading to newer version.

### 7.0.0

We changed the type of `.Values.configs.clusterCredentials` from `list` to `object`.
If you used the value, please migrate like below.

```yaml
# before
configs:
clusterCredentials:
- mycluster:
server: https://mycluster.example.com
labels: {}
annotations: {}
# ...
# after
configs:
clusterCredentials:
mycluster:
server: https://mycluster.example.com
labels: {}
annotations: {}
# ...
```

### 6.10.0

This version introduces authentication for Redis to mitigate GHSA-9766-5277-j5hr.
Expand Down Expand Up @@ -661,7 +686,6 @@ NAME: my-release
| eventReporter.containerSecurityContext | object | See [values.yaml] | Event reporter container-level security context |
| eventReporter.dnsConfig | object | `{}` | [DNS configuration] |
| eventReporter.dnsPolicy | string | `"ClusterFirst"` | Alternative DNS policy for event reporter pods |
| eventReporter.enabled | bool | `true` | |
| eventReporter.env | list | `[]` | Environment variables to pass to event reporter |
| eventReporter.envFrom | list | `[]` (See [values.yaml]) | envFrom to pass to event reporter |
| eventReporter.extraArgs | list | `[]` | Additional command line arguments to pass to event reporter |
Expand Down Expand Up @@ -723,7 +747,6 @@ NAME: my-release
| eventReporter.terminationGracePeriodSeconds | int | `30` | terminationGracePeriodSeconds for container lifecycle hook |
| eventReporter.tolerations | list | `[]` (defaults to global.tolerations) | [Tolerations] for use with node taints |
| eventReporter.topologySpreadConstraints | list | `[]` (defaults to global.topologySpreadConstraints) | Assign custom [TopologySpreadConstraints] rules to the event reporter |
| eventReporter.version | string | `"v2"` | |
| eventReporter.volumeMounts | list | `[]` | Additional volumeMounts to the event reporter main container |
| eventReporter.volumes | list | `[]` | Additional volumes to the event reporter pod |
| extraObjects | list | `[]` | Array of extra K8s manifests to deploy |
Expand All @@ -746,6 +769,8 @@ NAME: my-release
| global.deploymentAnnotations | object | `{}` | Annotations for the all deployed Deployments |
| global.deploymentStrategy | object | `{}` | Deployment strategy for the all deployed Deployments |
| global.domain | string | `"argocd.example.com"` | Default domain used by all components |
| global.dualStack.ipFamilies | list | `[]` | IP families that should be supported and the order in which they should be applied to ClusterIP as well. Can be IPv4 and/or IPv6. |
| global.dualStack.ipFamilyPolicy | string | `""` | IP family policy to configure dual-stack see [Configure dual-stack](https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services) |
| global.env | list | `[]` | Environment variables to pass to all deployed Deployments |
| global.hostAliases | list | `[]` | Mapping between IP and hostnames that will be injected as entries in the pod's hosts files |
| global.image.imagePullPolicy | string | `"IfNotPresent"` | If defined, a imagePullPolicy applied to all Argo CD deployments |
Expand All @@ -770,7 +795,7 @@ NAME: my-release

| Key | Type | Default | Description |
|-----|------|---------|-------------|
| configs.clusterCredentials | list | `[]` (See [values.yaml]) | Provide one or multiple [external cluster credentials] |
| configs.clusterCredentials | object | `{}` (See [values.yaml]) | Provide one or multiple [external cluster credentials] |
| configs.cm."admin.enabled" | bool | `true` | Enable local admin user |
| configs.cm."application.instanceLabelKey" | string | Defaults to app.kubernetes.io/instance | The name of tracking label used by Argo CD for resource pruning |
| configs.cm."exec.enabled" | bool | `false` | Enable exec feature in Argo UI |
Expand Down Expand Up @@ -1041,7 +1066,7 @@ NAME: my-release
| server.certificate.privateKey.rotationPolicy | string | `"Never"` | Rotation policy of private key when certificate is re-issued. Either: `Never` or `Always` |
| server.certificate.privateKey.size | int | `2048` | Key bit size of the private key. If algorithm is set to `Ed25519`, size is ignored. |
| server.certificate.renewBefore | string | `""` (defaults to 360h = 15d if not specified) | How long before the expiry a certificate should be renewed. |
| server.certificate.secretName | string | `"argocd-server-tls"` | The name of the Secret that will be automatically created and managed by this Certificate resource |
| server.certificate.secretTemplateAnnotations | object | `{}` | Annotations that allow the certificate to be composed from data residing in existing Kubernetes Resources |
| server.certificate.usages | list | `[]` | Usages for the certificate |
| server.certificateSecret.annotations | object | `{}` | Annotations to be added to argocd-server-tls secret |
| server.certificateSecret.crt | string | `""` | Certificate data |
Expand Down Expand Up @@ -1156,6 +1181,7 @@ NAME: my-release
| server.service.externalIPs | list | `[]` | Server service external IPs |
| server.service.externalTrafficPolicy | string | `"Cluster"` | Denotes if this Service desires to route external traffic to node-local or cluster-wide endpoints |
| server.service.labels | object | `{}` | Server service labels |
| server.service.loadBalancerClass | string | `""` | The class of the load balancer implementation |
| server.service.loadBalancerIP | string | `""` | LoadBalancer will get created with the IP specified in this field |
| server.service.loadBalancerSourceRanges | list | `[]` | Source IP ranges to allow access to service from |
| server.service.nodePortHttp | int | `30080` | Server service http port for NodePort service type (only if `server.service.type` is set to "NodePort") |
Expand Down Expand Up @@ -1420,7 +1446,7 @@ If you want to use an existing Redis (eg. a managed service from a cloud provide

| Key | Type | Default | Description |
|-----|------|---------|-------------|
| externalRedis.existingSecret | string | `""` | The name of an existing secret with Redis credentials (must contain key `redis-password`). When it's set, the `externalRedis.password` parameter is ignored |
| externalRedis.existingSecret | string | `""` | The name of an existing secret with Redis (must contain key `redis-password`) and Sentinel credentials. When it's set, the `externalRedis.password` parameter is ignored |
| externalRedis.host | string | `""` | External Redis server host |
| externalRedis.password | string | `""` | External Redis password |
| externalRedis.port | int | `6379` | External Redis server port |
Expand Down Expand Up @@ -1474,7 +1500,6 @@ If you use an External Redis (See Option 3 above), this Job is not deployed.
| applicationSet.certificate.privateKey.rotationPolicy | string | `"Never"` | Rotation policy of private key when certificate is re-issued. Either: `Never` or `Always` |
| applicationSet.certificate.privateKey.size | int | `2048` | Key bit size of the private key. If algorithm is set to `Ed25519`, size is ignored. |
| applicationSet.certificate.renewBefore | string | `""` (defaults to 360h = 15d if not specified) | How long before the expiry a certificate should be renewed. |
| applicationSet.certificate.secretName | string | `"argocd-applicationset-controller-tls"` | The name of the Secret that will be automatically created and managed by this Certificate resource |
| applicationSet.containerPorts.metrics | int | `8080` | Metrics container port |
| applicationSet.containerPorts.probe | int | `8081` | Probe container port |
| applicationSet.containerPorts.webhook | int | `7000` | Webhook container port |
Expand Down Expand Up @@ -1591,6 +1616,12 @@ If you use an External Redis (See Option 3 above), this Job is not deployed.
| notifications.image.tag | string | `""` (defaults to global.image.tag) | Tag to use for the notifications controller |
| notifications.imagePullSecrets | list | `[]` (defaults to global.imagePullSecrets) | Secrets with credentials to pull images from a private registry |
| notifications.initContainers | list | `[]` | Init containers to add to the notifications controller pod |
| notifications.livenessProbe.enabled | bool | `false` | Enable Kubernetes liveness probe for notifications controller Pods |
| notifications.livenessProbe.failureThreshold | int | `3` | Minimum consecutive failures for the [probe] to be considered failed after having succeeded |
| notifications.livenessProbe.initialDelaySeconds | int | `10` | Number of seconds after the container has started before [probe] is initiated |
| notifications.livenessProbe.periodSeconds | int | `10` | How often (in seconds) to perform the [probe] |
| notifications.livenessProbe.successThreshold | int | `1` | Minimum consecutive successes for the [probe] to be considered successful after having failed |
| notifications.livenessProbe.timeoutSeconds | int | `1` | Number of seconds after which the [probe] times out |
| notifications.logFormat | string | `""` (defaults to global.logging.format) | Notifications controller log format. Either `text` or `json` |
| notifications.logLevel | string | `""` (defaults to global.logging.level) | Notifications controller log level. One of: `debug`, `info`, `warn`, `error` |
| notifications.metrics.enabled | bool | `false` | Enables prometheus metrics server |
Expand Down Expand Up @@ -1619,6 +1650,12 @@ If you use an External Redis (See Option 3 above), this Job is not deployed.
| notifications.podAnnotations | object | `{}` | Annotations to be applied to the notifications controller Pods |
| notifications.podLabels | object | `{}` | Labels to be applied to the notifications controller Pods |
| notifications.priorityClassName | string | `""` (defaults to global.priorityClassName) | Priority class for the notifications controller pods |
| notifications.readinessProbe.enabled | bool | `false` | Enable Kubernetes liveness probe for notifications controller Pods |
| notifications.readinessProbe.failureThreshold | int | `3` | Minimum consecutive failures for the [probe] to be considered failed after having succeeded |
| notifications.readinessProbe.initialDelaySeconds | int | `10` | Number of seconds after the container has started before [probe] is initiated |
| notifications.readinessProbe.periodSeconds | int | `10` | How often (in seconds) to perform the [probe] |
| notifications.readinessProbe.successThreshold | int | `1` | Minimum consecutive successes for the [probe] to be considered successful after having failed |
| notifications.readinessProbe.timeoutSeconds | int | `1` | Number of seconds after which the [probe] times out |
| notifications.resources | object | `{}` | Resource limits and requests for the notifications controller |
| notifications.secret.annotations | object | `{}` | key:value pairs of annotations to be added to the secret |
| notifications.secret.create | bool | `true` | Whether helm chart creates notifications controller secret |
Expand Down
Loading

0 comments on commit 65ed48f

Please sign in to comment.