diff --git a/.clomonitor.yml b/.clomonitor.yml
new file mode 100644
index 000000000..9f1fff8c4
--- /dev/null
+++ b/.clomonitor.yml
@@ -0,0 +1,21 @@
+# CLOMonitor metadata file
+# This file must be located at the root of the repository
+
+# Checks exemptions
+exemptions:
+ - check: dependency_update_tool
+ reason: "Helm deps are not currently scanned. Maintainers are watching developments to dependabot-core #2237" # Justification of this exemption (mandatory, it will be displayed on the UI)
+ - check: sbom
+ reason: "Tracking Helm dependencies is not yet a stable practice."
+
+# TODO:
+# License scanning information
+# licenseScanning:
+ # URL with the repository's license scanning results
+ #
+ # CLOMonitor can extract license scanning results from FOSSA and Snyk badges
+ # in the repository README.md file automatically. If your repository uses a
+ # different scanning solution, this url can be set to pass the corresponding
+ # check.
+ # url: https://license-scanning-results.url
+
diff --git a/.editorconfig b/.editorconfig
new file mode 100644
index 000000000..cb90a2c26
--- /dev/null
+++ b/.editorconfig
@@ -0,0 +1,4 @@
+[*.{md,md.gotmpl}]
+indent_style = space
+indent_size = 4
+trim_trailing_whitespace = false
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 000000000..0a4fd6ca4
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,8 @@
+## Reference: https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+version: 2
+updates:
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: weekly
+ day: "saturday"
diff --git a/.github/workflows/lint-and-test.yml b/.github/workflows/lint-and-test.yml
index bcf29ef9f..bab70ca4d 100644
--- a/.github/workflows/lint-and-test.yml
+++ b/.github/workflows/lint-and-test.yml
@@ -19,10 +19,6 @@ jobs: with: version: v3.10.1 # Also update in publish.yaml - - name: Setup Kubectl - uses: azure/setup-kubectl@v3 - id: install - - name: Set up python uses: actions/setup-python@v4 with: @@ -30,10 +26,10 @@ jobs: - name: Setup Chart Linting id: lint - uses: helm/chart-testing-action@v2.3.0 + uses: helm/chart-testing-action@v2.3.1 with: # Note: Also update in scripts/lint.sh - version: v3.7.0 + version: v3.7.1 - name: List changed charts id: list-changed @@ -45,6 +41,7 @@ jobs: echo "::set-output name=changed::true" echo "::set-output name=changed_charts::$charts" fi + - name: Run chart-testing (lint) run: ct lint --debug --config ./.github/configs/ct-lint.yaml --target-branch ${{ github.base_ref }} --lint-conf ./.github/configs/lintconf.yaml @@ -64,6 +61,15 @@ jobs: if: steps.list-changed.outputs.changed == 'true' with: config: .github/configs/kind-config.yaml + + - name: Deploy latest ArgoCD CRDs when testing ArgoCD extensions + if: | + contains(steps.list-changed.outputs.changed_charts, 'argocd-image-updater') || + contains(steps.list-changed.outputs.changed_charts, 'argocd-apps') + run: | + helm repo add dandydeveloper https://dandydeveloper.github.io/charts/ + helm dependency build charts/argo-cd/ + helm template charts/argo-cd/ --set server.extensions.enabled=true -s templates/crds/* | kubectl apply -f - - name: Skip HPA tests of ArgoCD if: contains(steps.list-changed.outputs.changed_charts, 'argo-cd') diff --git a/.github/workflows/pr-title.yml b/.github/workflows/pr-title.yml index 83dec55e7..a636b08bd 100644 --- a/.github/workflows/pr-title.yml +++ b/.github/workflows/pr-title.yml 
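Review bot: The added `Deploy latest ArgoCD CRDs when testing ArgoCD extensions` step pipes `helm template … | kubectl apply -f -` in a `run: |` block with no `shell:` key. GitHub then invokes bash with `-e` only, so a failing `helm template` is masked by the exit status of `kubectl`, and any manifests printed before the failure are still applied. Add `shell: bash` to the step, which enables `-o pipefail`, or start the script with `set -o pipefail`. The step also calls `kubectl` although the first hunk of this file removes the `azure/setup-kubectl@v3` step; it now presumably relies on the binary shipped with the runner image or installed by the kind step, so a comment such as `# kubectl is provided by the runner image / kind setup` would record that dependency.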
@@ -8,12 +8,18 @@ on: - edited - synchronize +permissions: + contents: read + jobs: main: + permissions: + pull-requests: read # for amannn/action-semantic-pull-request to analyze PRs + statuses: write # for amannn/action-semantic-pull-request to mark status of analyzed PR name: Validate PR title runs-on: ubuntu-latest steps: - - uses: amannn/action-semantic-pull-request@v4 + - uses: amannn/action-semantic-pull-request@v5 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index d79c690a8..a4b016b81 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -31,13 +31,15 @@ jobs: run: | git config user.name "$GITHUB_ACTOR" git config user.email "$GITHUB_ACTOR@users.noreply.github.com" - - name: Package chart + + ## This is required to consider the old Circle-CI Index and to stay compatible with all the old releases. + - name: Fetch current Chart Index run: | rm -rf .cr-release-packages mkdir .cr-release-packages helm package charts/argo-events -u -d .cr-release-packages/ - name: Run chart-releaser - uses: helm/chart-releaser-action@main + uses: helm/chart-releaser-action@v1.4.1 with: config: "./.github/configs/cr.yaml" skip_packaging: true diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index 0e8a171e7..3637ed8f4 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -3,11 +3,18 @@ name: Mark stale issues and pull requests on: schedule: - cron: "30 1 * * *" + +permissions: + contents: read + jobs: stale: + permissions: + issues: write # for actions/stale to close stale issues + pull-requests: write # for actions/stale to close stale PRs runs-on: ubuntu-latest steps: - - uses: actions/stale@v5 + - uses: actions/stale@v6 with: repo-token: ${{ secrets.GITHUB_TOKEN }} # Number of days of inactivity before an issue becomes stale diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 36ef70b68..49c0577bc 100644 
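Review bot: `amannn/action-semantic-pull-request@v5` is referenced by a movable major tag while the job passes it `GITHUB_TOKEN` with `statuses: write`, so the code that runs with that token can change without any change to this repository. Pin third-party actions to a full commit SHA and keep the version in a trailing comment, e.g. `uses: amannn/action-semantic-pull-request@<full-commit-sha> # v5`; the `github-actions` dependabot entry added in this commit will keep such pins current. The same applies to `helm/chart-releaser-action@v1.4.1` in publish.yml and `actions/stale@v6` in stale.yml. The `on:` block starts outside this hunk, so the trigger type is not visible here; if it is `pull_request_target`, the narrowed `permissions` are the main safeguard and should stay as tight as they are now.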
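Review bot: The step renamed to `Fetch current Chart Index` in publish.yml still runs `rm -rf .cr-release-packages`, `mkdir .cr-release-packages` and `helm package charts/argo-events …`, so neither the new name nor the added comment about the old Circle-CI index describes what it does. Because the following step sets `skip_packaging: true`, this step is what produces the release packages, and a misleading name invites someone to delete or replace it. Either keep `- name: Package chart` and drop the comment, or replace the body with the index fetch the comment refers to and add packaging as its own step.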
--- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -93,7 +93,7 @@ helm dependency update Minimally: ``` -helm install charts/argo-cd --namespace argocd -n argo-cd +helm install argocd argo/argo-cd -n argocd --create-namespace kubectl port-forward service/argo-cd-argocd-server -n argocd 8080:443 ``` diff --git a/README.md b/README.md index 61922839b..1d96a35fa 100644 --- a/README.md +++ b/README.md @@ -2,6 +2,8 @@ [![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0) [![Chart Publish](https://github.com/argoproj/argo-helm/actions/workflows/publish.yml/badge.svg?branch=main)](https://github.com/argoproj/argo-helm/actions/workflows/publish.yml) +[![Artifact HUB](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/argo)](https://artifacthub.io/packages/search?repo=argo) +[![CLOMonitor](https://img.shields.io/endpoint?url=https://clomonitor.io/api/projects/cncf/argo/badge)](https://clomonitor.io/projects/cncf/argo) Argo Helm is a collection of **community maintained** charts for [https://argoproj.github.io](https://argoproj.github.io) projects. The charts can be added using following command: 
@@ -11,4 +13,12 @@ helm repo add argo https://argoproj.github.io/argo-helm ## Contributing -We'd love to have you contribute! Please refer to our [contribution guidelines](CONTRIBUTING.md) for details. \ No newline at end of file +We'd love to have you contribute! Please refer to our [contribution guidelines](CONTRIBUTING.md) for details. + +### Security Policy + +If you have a security concern relating to either this project repo or an individual helm chart, please [open an issue](https://github.com/argoproj/argo-helm/issues/new/choose) or [start a discussion](https://github.com/argoproj/argo-helm/discussions/new). + +### Changelog + +Releases are managed independently for each helm chart, and changelogs are tracked on each release. Read more about this process [here](https://github.com/argoproj/argo-helm/blob/main/CONTRIBUTING.md#changelog). \ No newline at end of file diff --git a/charts/argo-cd/Chart.lock b/charts/argo-cd/Chart.lock index 72afb4020..7a069ce95 100644 --- a/charts/argo-cd/Chart.lock +++ b/charts/argo-cd/Chart.lock @@ -1,6 +1,6 @@ dependencies: - name: redis-ha repository: https://dandydeveloper.github.io/charts/ - version: 4.22.2 -digest: sha256:b6dc7774d0cc20a7a889d10e61f3dd653bdacd7836558f4875688b5cb5051d80 -generated: "2022-09-19T12:39:19.736045+02:00" + version: 4.22.3 +digest: sha256:ef6269e4e073dad10c230ccfb069fc013608111c895c5e7568450bb3967cf195 +generated: "2022-11-03T12:04:33.673857+09:00" diff --git a/charts/argo-cd/Chart.yaml b/charts/argo-cd/Chart.yaml index 84bf13d62..8f6e7b452 100644 --- a/charts/argo-cd/Chart.yaml +++ b/charts/argo-cd/Chart.yaml 
@@ -1,10 +1,14 @@ apiVersion: v2 -appVersion: v2.4.12 +appVersion: v2.5.4 +kubeVersion: ">=1.22.0-0" description: A Helm chart for Argo CD, a declarative, GitOps continuous delivery tool for Kubernetes. name: argo-cd -version: 5.4.7 +version: 5.16.6 home: https://github.com/argoproj/argo-helm icon: https://argo-cd.readthedocs.io/en/stable/assets/logo.png +sources: + - https://github.com/argoproj/argo-helm/tree/main/charts/argo-cd + - https://github.com/argoproj/argo-cd keywords: - argoproj - argocd @@ -14,9 +18,9 @@ maintainers: url: https://argoproj.github.io/ dependencies: - name: redis-ha - version: 4.22.2 + version: 4.22.3 repository: https://dandydeveloper.github.io/charts/ condition: redis-ha.enabled annotations: artifacthub.io/changes: | - - "[Added]: Add privateKey spec handling from CertificatePrivateKey" + - "[chore]: Update new api-version for cert-manager" diff --git a/charts/argo-cd/README.md b/charts/argo-cd/README.md index c501e7406..99108a065 100644 --- a/charts/argo-cd/README.md +++ b/charts/argo-cd/README.md 
@@ -2,15 +2,16 @@ A Helm chart for Argo CD, a declarative, GitOps continuous delivery tool for Kubernetes. -Source code can be found [here](https://argo-cd.readthedocs.io/en/stable/) +Source code can be found here: -## Additional Information +* +* This is a **community maintained** chart. This chart installs [argo-cd](https://argo-cd.readthedocs.io/en/stable/), a declarative, GitOps continuous delivery tool for Kubernetes. The default installation is intended to be similar to the provided Argo CD [releases](https://github.com/argoproj/argo-cd/releases). -If you want to avoid including sensitive information unencrypted (clear text) in your version control, make use of the [declarative set up](https://argo-cd.readthedocs.io/en/stable/operator-manual/declarative-setup/) of Argo CD. +If you want to avoid including sensitive information unencrypted (clear text) in your version control, make use of the [declarative setup] of Argo CD. For instance, rather than adding repositories and their keys in your Helm values, you could deploy [SealedSecrets](https://github.com/bitnami-labs/sealed-secrets) with contents as seen in this [repositories section](https://argo-cd.readthedocs.io/en/stable/operator-manual/declarative-setup/#repositories) or any other secrets manager service (i.e. HashiCorp Vault, AWS/GCP Secrets Manager, etc.). ## High Availability @@ -41,7 +42,7 @@ repoServer: minReplicas: 2 applicationSet: - replicas: 2 + replicaCount: 2 ``` ### HA mode without autoscaling @@ -60,7 +61,7 @@ repoServer: replicas: 2 applicationSet: - replicas: 2 + replicaCount: 2 ``` ### Synchronizing Changes from Original Repository 
@@ -83,15 +84,13 @@ git diff v1.8.7 v2.0.0 -- manifests/install.yaml Changes in the `CustomResourceDefinition` resources shall be fixed easily by copying 1:1 from the [`manifests/crds` folder](https://github.com/argoproj/argo-cd/tree/master/manifests/crds) into this [`charts/argo-cd/templates/crds` folder](https://github.com/argoproj/argo-helm/tree/master/charts/argo-cd/templates/crds). -## Upgrading - ### Custom resource definitions Some users would prefer to install the CRDs _outside_ of the chart. You can disable the CRD installation of this chart by using `--set crds.install=false` when installing the chart. -Helm cannot upgrade custom resource definitions [by design](https://helm.sh/docs/chart_best_practices/custom_resource_definitions/#some-caveats-and-explanations). +Helm cannot upgrade custom resource definitions in the `/crds` folder [by design](https://helm.sh/docs/chart_best_practices/custom_resource_definitions/#some-caveats-and-explanations). Starting with 5.2.0, the CRDs have been moved to `/templates` to address this design decision. -Please use `kubectl` to upgrade CRDs manually from [templates/crds](templates/crds/) folder or via the manifests from the upstream project repo: +If you are using Argo CD chart version prior to 5.2.0 or have elected to manage the Argo CD CRDs outside of the chart, please use `kubectl` to upgrade CRDs manually from [templates/crds](templates/crds/) folder or via the manifests from the upstream project repo: ```bash kubectl apply -k "https://github.com/argoproj/argo-cd/manifests/crds?ref=" @@ -100,6 +99,42 @@ kubectl apply -k "https://github.com/argoproj/argo-cd/manifests/crds?ref=`. + +### 5.5.0 + +This version introduces new `configs.params` section that replaces command line arguments for containers. +Please refer to documentation in values.yaml for migrating the configuration. + ### 5.2.0 Custom resource definitions were moved to `templates` folder so they can be managed by Helm. 
@@ -301,7 +336,7 @@ server: ## Prerequisites -- Kubernetes 1.7+ +- Kubernetes: `>=1.22.0-0` - Helm v3.0.0+ ## Installing the Chart 
@@ -322,48 +357,85 @@ NAME: my-release | Key | Type | Default | Description | |-----|------|---------|-------------| | apiVersionOverrides.autoscaling | string | `""` | String to override apiVersion of autoscaling rendered by this helm chart | -| apiVersionOverrides.certmanager | string | `""` | String to override apiVersion of certmanager resources rendered by this helm chart | +| apiVersionOverrides.certmanager | string | `""` | String to override apiVersion of cert-manager resources rendered by this helm chart | +| apiVersionOverrides.cloudgoogle | string | `""` | String to override apiVersion of GKE resources rendered by this helm chart | | apiVersionOverrides.ingress | string | `""` | String to override apiVersion of ingresses rendered by this helm chart | +| apiVersionOverrides.pdb | string | `""` | String to override apiVersion of pod disruption budgets rendered by this helm chart | | crds.annotations | object | `{}` | Annotations to be added to all CRDs | | crds.install | bool | `true` | Install and upgrade CRDs | | crds.keep | bool | `true` | Keep CRDs on chart uninstall | | createAggregateRoles | bool | `false` | Create clusterroles that extend existing clusterroles to interact with argo-cd crds | | extraObjects | list | `[]` | Array of extra K8s manifests to deploy | | fullnameOverride | string | `""` | String to fully override `"argo-cd.fullname"` | -| global.additionalLabels | object | `{}` | Additional labels to add to all resources | +| kubeVersionOverride | string | `""` | Override the Kubernetes version, which is used to evaluate certain manifests | +| nameOverride | string | `"argocd"` | Provide a name in place of `argocd` | +| openshift.enabled | bool | `false` | enables using arbitrary uid for argo repo server | + +## Global Configs + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| global.additionalLabels | object | `{}` | Common labels for the all resources | +| global.deploymentAnnotations | object | `{}` | 
Annotations for the all deployed Deployments | | global.hostAliases | list | `[]` | Mapping between IP and hostnames that will be injected as entries in the pod's hosts files | | global.image.imagePullPolicy | string | `"IfNotPresent"` | If defined, a imagePullPolicy applied to all Argo CD deployments | | global.image.repository | string | `"quay.io/argoproj/argocd"` | If defined, a repository applied to all Argo CD deployments | | global.image.tag | string | `""` | Overrides the global Argo CD image tag whose default is the chart appVersion | -| global.imagePullSecrets | list | `[]` | If defined, uses a Secret to pull an image from a private Docker registry or repository | +| global.imagePullSecrets | list | `[]` | Secrets with credentials to pull images from a private registry | | global.logging.format | string | `"text"` | Set the global logging format. Either: `text` or `json` | | global.logging.level | string | `"info"` | Set the global logging level. One of: `debug`, `info`, `warn` or `error` | | global.networkPolicy.create | bool | `false` | Create NetworkPolicy objects for all components | | global.networkPolicy.defaultDenyIngress | bool | `false` | Default deny all ingress traffic | | global.podAnnotations | object | `{}` | Annotations for the all deployed pods | | global.podLabels | object | `{}` | Labels for the all deployed pods | -| global.securityContext | object | `{}` | Toggle and define securityContext. See [values.yaml] | -| kubeVersionOverride | string | `""` | Override the Kubernetes version, which is used to evaluate certain manifests | -| nameOverride | string | `"argocd"` | Provide a name in place of `argocd` | -| openshift.enabled | bool | `false` | enables using arbitrary uid for argo repo server | +| global.revisionHistoryLimit | int | `3` | Number of old deployment ReplicaSets to retain. The rest will be garbage collected. | +| global.securityContext | object | `{}` (See [values.yaml]) | Toggle and define pod-level security context. 
| +| global.statefulsetAnnotations | object | `{}` | Annotations for the all deployed Statefulsets | ## Argo CD Configs | Key | Type | Default | Description | |-----|------|---------|-------------| | configs.clusterCredentials | list | `[]` (See [values.yaml]) | Provide one or multiple [external cluster credentials] | +| configs.cm."admin.enabled" | bool | `true` | Enable local admin user | +| configs.cm."application.instanceLabelKey" | string | Defaults to app.kubernetes.io/instance | The name of tracking label used by Argo CD for resource pruning | +| configs.cm."exec.enabled" | bool | `false` | Enable exec feature in Argo UI | +| configs.cm."server.rbac.log.enforce.enable" | bool | `false` | Enable logs RBAC enforcement | +| configs.cm."timeout.hard.reconciliation" | string | `"0s"` | Timeout to refresh application data as well as target manifests cache | +| configs.cm."timeout.reconciliation" | string | `"180s"` | Timeout to discover if a new manifests version got published to the repository | +| configs.cm.annotations | object | `{}` | Annotations to be added to argocd-cm configmap | +| configs.cm.create | bool | `true` | Create the argocd-cm configmap for [declarative setup] | +| configs.cm.url | string | `""` | Argo CD's externally facing base URL (optional). 
Required when configuring SSO | | configs.credentialTemplates | object | `{}` | Repository credentials to be used as Templates for other repos | | configs.credentialTemplatesAnnotations | object | `{}` | Annotations to be added to `configs.credentialTemplates` Secret | -| configs.gpgKeys | object | `{}` (See [values.yaml]) | [GnuPG](https://argo-cd.readthedocs.io/en/stable/user-guide/gpg-verification/) keys to add to the key ring | -| configs.gpgKeysAnnotations | object | `{}` | GnuPG key ring annotations | +| configs.gpg.annotations | object | `{}` | Annotations to be added to argocd-gpg-keys-cm configmap | +| configs.gpg.keys | object | `{}` (See [values.yaml]) | [GnuPG] public keys to add to the keyring | | configs.knownHosts.data.ssh_known_hosts | string | See [values.yaml] | Known Hosts | | configs.knownHostsAnnotations | object | `{}` | Known Hosts configmap annotations | +| configs.params."controller.operation.processors" | int | `10` | Number of application operation processors | +| configs.params."controller.repo.server.timeout.seconds" | int | `60` | Repo server RPC call timeout seconds. | +| configs.params."controller.self.heal.timeout.seconds" | int | `5` | Specifies timeout between application self heal attempts | +| configs.params."controller.status.processors" | int | `20` | Number of application status processors | +| configs.params."otlp.address" | string | `""` | Open-Telemetry collector address: (e.g. "otel-collector:4317") | +| configs.params."reposerver.parallelism.limit" | int | `0` | Limit on number of concurrent manifests generate requests. Any value less the 1 means no limit. | +| configs.params."server.basehref" | string | `"/"` | Value for base href in index.html. 
Used if Argo CD is running behind reverse proxy under subpath different from / | +| configs.params."server.disable.auth" | bool | `false` | Disable Argo CD RBAC for user authentication | +| configs.params."server.enable.gzip" | bool | `false` | Enable GZIP compression | +| configs.params."server.insecure" | bool | `false` | Run server without TLS | +| configs.params."server.rootpath" | string | `""` | Used if Argo CD is running behind reverse proxy under subpath different from / | +| configs.params."server.staticassets" | string | `"/shared/app"` | Directory path that contains additional static assets | +| configs.params."server.x.frame.options" | string | `"sameorigin"` | Set X-Frame-Options header in HTTP responses to value. To disable, set to "". | +| configs.params.annotations | object | `{}` | Annotations to be added to the argocd-cmd-params-cm ConfigMap | +| configs.rbac."policy.csv" | string | `''` (See [values.yaml]) | File containing user-defined policies and role definitions. | +| configs.rbac."policy.default" | string | `""` | The name of the default role which Argo CD will falls back to, when authorizing API requests (optional). If omitted or empty, users may be still be able to login, but will see no apps, projects, etc... | +| configs.rbac.annotations | object | `{}` | Annotations to be added to argocd-rbac-cm configmap | +| configs.rbac.create | bool | `true` | Create the argocd-rbac-cm configmap with ([Argo CD RBAC policy]) definitions. If false, it is expected the configmap will be created by something else. Argo CD will not work if there is no configmap created with the name above. | +| configs.rbac.scopes | string | `"[groups]"` | OIDC scopes to examine during rbac enforcement (in addition to `sub` scope). The scope value can be a string, or a list of strings. 
| | configs.repositories | object | `{}` | Repositories list to be used by applications | | configs.repositoriesAnnotations | object | `{}` | Annotations to be added to `configs.repositories` Secret | | configs.secret.annotations | object | `{}` | Annotations to be added to argocd-secret | | configs.secret.argocdServerAdminPassword | string | `""` | Bcrypt hashed admin password | | configs.secret.argocdServerAdminPasswordMtime | string | `""` (defaults to current time) | Admin password modification time. Eg. `"2006-01-02T15:04:05Z"` | -| configs.secret.argocdServerTlsConfig | object | `{}` | Argo TLS Data | | configs.secret.bitbucketServerSecret | string | `""` | Shared secret for authenticating BitbucketServer webhook events | | configs.secret.bitbucketUUID | string | `""` | UUID for authenticating Bitbucket webhook events | | configs.secret.createSecret | bool | `true` | Create the argocd-secret | 
@@ -380,17 +452,12 @@ NAME: my-release | Key | Type | Default | Description | |-----|------|---------|-------------| | controller.affinity | object | `{}` | Assign custom [affinity] rules to the deployment | -| controller.args.appHardResyncPeriod | string | `"0"` | define the application controller `--app-hard-resync` | -| controller.args.appResyncPeriod | string | `"180"` | define the application controller `--app-resync` | -| controller.args.operationProcessors | string | `"10"` | define the application controller `--operation-processors` | -| controller.args.repoServerTimeoutSeconds | string | `"60"` | define the application controller `--repo-server-timeout-seconds` | -| controller.args.selfHealTimeout | string | `"5"` | define the application controller `--self-heal-timeout-seconds` | -| controller.args.statusProcessors | string | `"20"` | define the application controller `--status-processors` | +| controller.args | object | `{}` | DEPRECATED - Application controller commandline flags | | controller.clusterAdminAccess.enabled | bool | `true` | Enable RBAC for local cluster deployments | | controller.clusterRoleRules.enabled | bool | `false` | Enable custom rules for the application controller's ClusterRole resource | | controller.clusterRoleRules.rules | list | `[]` | List of custom rules for the application controller's ClusterRole resource | | controller.containerPort | int | `8082` | Application controller listening port | -| controller.containerSecurityContext | object | `{}` | Application controller container-level security context | +| controller.containerSecurityContext | object | See [values.yaml] | Application controller container-level security context | | controller.env | list | `[]` | Environment variables to pass to application controller | | controller.envFrom | list | `[]` (See [values.yaml]) | envFrom to pass to application controller | | controller.extraArgs | list | `[]` | Additional command line arguments to pass to application controller | 
@@ -398,15 +465,8 @@ NAME: my-release | controller.image.imagePullPolicy | string | `""` (defaults to global.image.imagePullPolicy) | Image pull policy for the application controller | | controller.image.repository | string | `""` (defaults to global.image.repository) | Repository to use for the application controller | | controller.image.tag | string | `""` (defaults to global.image.tag) | Tag to use for the application controller | -| controller.imagePullSecrets | list | `[]` | Secrets with credentials to pull images from a private registry | +| controller.imagePullSecrets | list | `[]` (defaults to global.imagePullSecrets) | Secrets with credentials to pull images from a private registry | | controller.initContainers | list | `[]` | Init containers to add to the application controller pod | -| controller.livenessProbe.failureThreshold | int | `3` | Minimum consecutive failures for the [probe] to be considered failed after having succeeded | -| controller.livenessProbe.initialDelaySeconds | int | `10` | Number of seconds after the container has started before [probe] is initiated | -| controller.livenessProbe.periodSeconds | int | `10` | How often (in seconds) to perform the [probe] | -| controller.livenessProbe.successThreshold | int | `1` | Minimum consecutive successes for the [probe] to be considered successful after having failed | -| controller.livenessProbe.timeoutSeconds | int | `1` | Number of seconds after which the [probe] times out | -| controller.logFormat | string | `""` (defaults to global.logging.format) | Application controller log format. Either `text` or `json` | -| controller.logLevel | string | `""` (defaults to global.logging.level) | Application controller log level. 
One of: `debug`, `info`, `warn` or `error` | | controller.metrics.applicationLabels.enabled | bool | `false` | Enables additional labels in argocd_app_labels metric | | controller.metrics.applicationLabels.labels | list | `[]` | Additional labels | | controller.metrics.enabled | bool | `false` | Deploy metrics service | @@ -417,6 +477,7 @@ NAME: my-release | controller.metrics.service.portName | string | `"http-metrics"` | Metrics service port name | | controller.metrics.service.servicePort | int | `8082` | Metrics service port | | controller.metrics.serviceMonitor.additionalLabels | object | `{}` | Prometheus ServiceMonitor labels | +| controller.metrics.serviceMonitor.annotations | object | `{}` | Prometheus ServiceMonitor annotations | | controller.metrics.serviceMonitor.enabled | bool | `false` | Enable a prometheus ServiceMonitor | | controller.metrics.serviceMonitor.interval | string | `"30s"` | Prometheus ServiceMonitor interval | | controller.metrics.serviceMonitor.metricRelabelings | list | `[]` | Prometheus [MetricRelabelConfigs] to apply to samples before ingestion | 
@@ -428,8 +489,10 @@ NAME: my-release | controller.name | string | `"application-controller"` | Application controller name string | | controller.nodeSelector | object | `{}` | [Node selector] | | controller.pdb.annotations | object | `{}` | Annotations to be added to application controller pdb | -| controller.pdb.enabled | bool | `false` | Deploy a Poddisruptionbudget for the application controller | +| controller.pdb.enabled | bool | `false` | Deploy a [PodDisruptionBudget] for the application controller | | controller.pdb.labels | object | `{}` | Labels to be added to application controller pdb | +| controller.pdb.maxUnavailable | string | `""` | Number of pods that are unavailble after eviction as number or percentage (eg.: 50%). | +| controller.pdb.minAvailable | string | `""` (defaults to 0 if not specified) | Number of pods that are available after eviction as number or percentage (eg.: 50%) | | controller.podAnnotations | object | `{}` | Annotations to be added to application controller pods | | controller.podLabels | object | `{}` | Labels to be added to application controller pods | | controller.priorityClassName | string | `""` | Priority class for the application controller pods | 
@@ -440,14 +503,12 @@ NAME: my-release | controller.readinessProbe.timeoutSeconds | int | `1` | Number of seconds after which the [probe] times out | | controller.replicas | int | `1` | The number of application controller pods to run. Additional replicas will cause sharding of managed clusters across number of replicas. | | controller.resources | object | `{}` | Resource limits and requests for the application controller pods | -| controller.service.annotations | object | `{}` | Application controller service annotations | -| controller.service.labels | object | `{}` | Application controller service labels | -| controller.service.port | int | `8082` | Application controller service port | -| controller.service.portName | string | `"https-controller"` | Application controller service port name | | controller.serviceAccount.annotations | object | `{}` | Annotations applied to created service account | | controller.serviceAccount.automountServiceAccountToken | bool | `true` | Automount API credentials for the Service Account | | controller.serviceAccount.create | bool | `true` | Create a service account for the application controller | +| controller.serviceAccount.labels | object | `{}` | Labels applied to created service account | | controller.serviceAccount.name | string | `"argocd-application-controller"` | Service account name | +| controller.statefulsetAnnotations | object | `{}` | Annotations for the application controller StatefulSet | | controller.tolerations | list | `[]` | [Tolerations] for use with node taints | | controller.topologySpreadConstraints | list | `[]` | Assign custom [TopologySpreadConstraints] rules to the application controller | | controller.volumeMounts | list | `[]` | Additional volumeMounts to the application controller main container | 
@@ -464,12 +525,18 @@ NAME: my-release
 | repoServer.autoscaling.minReplicas | int | `1` | Minimum number of replicas for the repo server [HPA] |
 | repoServer.autoscaling.targetCPUUtilizationPercentage | int | `50` | Average CPU utilization percentage for the repo server [HPA] |
 | repoServer.autoscaling.targetMemoryUtilizationPercentage | int | `50` | Average memory utilization percentage for the repo server [HPA] |
+| repoServer.certificateSecret.annotations | object | `{}` | Annotations to be added to argocd-repo-server-tls secret |
+| repoServer.certificateSecret.ca | string | `""` | Certificate authority. Required for self-signed certificates. |
+| repoServer.certificateSecret.crt | string | `""` | Certificate data. Must contain SANs of Repo service (ie: argocd-repo-server, argocd-repo-server.argo-cd.svc) |
+| repoServer.certificateSecret.enabled | bool | `false` | Create argocd-repo-server-tls secret |
+| repoServer.certificateSecret.key | string | `""` | Certificate private key |
+| repoServer.certificateSecret.labels | object | `{}` | Labels to be added to argocd-repo-server-tls secret |
 | repoServer.clusterAdminAccess.enabled | bool | `false` | Enable RBAC for local cluster deployments |
 | repoServer.clusterRoleRules.enabled | bool | `false` | Enable custom rules for the Repo server's Cluster Role resource |
 | repoServer.clusterRoleRules.rules | list | `[]` | List of custom rules for the Repo server's Cluster Role resource |
 | repoServer.containerPort | int | `8081` | Configures the repo server port |
-| repoServer.containerSecurityContext | object | `{}` | Repo server container-level security context |
-| repoServer.copyutil.resources | object | `{}` | Resource limits and requests for the copyutil initContainer |
+| repoServer.containerSecurityContext | object | See [values.yaml] | Repo server container-level security context |
+| repoServer.deploymentAnnotations | object | `{}` | Annotations to be added to repo server Deployment |
 | repoServer.env | list | `[]` | Environment variables to pass to repo server |
 | repoServer.envFrom | list | `[]` (See [values.yaml]) | envFrom to pass to repo server |
 | repoServer.extraArgs | list | `[]` | Additional command line arguments to pass to repo server |
@@ -477,21 +544,20 @@ NAME: my-release
 | repoServer.image.imagePullPolicy | string | `""` (defaults to global.image.imagePullPolicy) | Image pull policy for the repo server |
 | repoServer.image.repository | string | `""` (defaults to global.image.repository) | Repository to use for the repo server |
 | repoServer.image.tag | string | `""` (defaults to global.image.tag) | Tag to use for the repo server |
-| repoServer.imagePullSecrets | list | `[]` | Secrets with credentials to pull images from a private registry |
+| repoServer.imagePullSecrets | list | `[]` (defaults to global.imagePullSecrets) | Secrets with credentials to pull images from a private registry |
 | repoServer.initContainers | list | `[]` | Init containers to add to the repo server pods |
 | repoServer.livenessProbe.failureThreshold | int | `3` | Minimum consecutive failures for the [probe] to be considered failed after having succeeded |
 | repoServer.livenessProbe.initialDelaySeconds | int | `10` | Number of seconds after the container has started before [probe] is initiated |
 | repoServer.livenessProbe.periodSeconds | int | `10` | How often (in seconds) to perform the [probe] |
 | repoServer.livenessProbe.successThreshold | int | `1` | Minimum consecutive successes for the [probe] to be considered successful after having failed |
 | repoServer.livenessProbe.timeoutSeconds | int | `1` | Number of seconds after which the [probe] times out |
-| repoServer.logFormat | string | `""` (defaults to global.logging.level) | Repo server log format: Either `text` or `json` |
-| repoServer.logLevel | string | `""` (defaults to global.logging.format) | Repo server log level. One of: `debug`, `info`, `warn` or `error` |
 | repoServer.metrics.enabled | bool | `false` | Deploy metrics service |
 | repoServer.metrics.service.annotations | object | `{}` | Metrics service annotations |
 | repoServer.metrics.service.labels | object | `{}` | Metrics service labels |
 | repoServer.metrics.service.portName | string | `"http-metrics"` | Metrics service port name |
 | repoServer.metrics.service.servicePort | int | `8084` | Metrics service port |
 | repoServer.metrics.serviceMonitor.additionalLabels | object | `{}` | Prometheus ServiceMonitor labels |
+| repoServer.metrics.serviceMonitor.annotations | object | `{}` | Prometheus ServiceMonitor annotations |
 | repoServer.metrics.serviceMonitor.enabled | bool | `false` | Enable a prometheus ServiceMonitor |
 | repoServer.metrics.serviceMonitor.interval | string | `"30s"` | Prometheus ServiceMonitor interval |
 | repoServer.metrics.serviceMonitor.metricRelabelings | list | `[]` | Prometheus [MetricRelabelConfigs] to apply to samples before ingestion |
@@ -502,9 +568,11 @@ NAME: my-release
 | repoServer.metrics.serviceMonitor.tlsConfig | object | `{}` | Prometheus ServiceMonitor tlsConfig |
 | repoServer.name | string | `"repo-server"` | Repo server name |
 | repoServer.nodeSelector | object | `{}` | [Node selector] |
-| repoServer.pdb.annotations | object | `{}` | Annotations to be added to Repo server pdb |
-| repoServer.pdb.enabled | bool | `false` | Deploy a Poddisruptionbudget for the Repo server |
-| repoServer.pdb.labels | object | `{}` | Labels to be added to Repo server pdb |
+| repoServer.pdb.annotations | object | `{}` | Annotations to be added to repo server pdb |
+| repoServer.pdb.enabled | bool | `false` | Deploy a [PodDisruptionBudget] for the repo server |
+| repoServer.pdb.labels | object | `{}` | Labels to be added to repo server pdb |
+| repoServer.pdb.maxUnavailable | string | `""` | Number of pods that are unavailble after eviction as number or percentage (eg.: 50%). |
+| repoServer.pdb.minAvailable | string | `""` (defaults to 0 if not specified) | Number of pods that are available after eviction as number or percentage (eg.: 50%) |
 | repoServer.podAnnotations | object | `{}` | Annotations to be added to repo server pods |
 | repoServer.podLabels | object | `{}` | Labels to be added to repo server pods |
 | repoServer.priorityClassName | string | `""` | Priority class for the repo server |
@@ -523,6 +591,7 @@ NAME: my-release
 | repoServer.serviceAccount.annotations | object | `{}` | Annotations applied to created service account |
 | repoServer.serviceAccount.automountServiceAccountToken | bool | `true` | Automount API credentials for the Service Account |
 | repoServer.serviceAccount.create | bool | `true` | Create repo server service account |
+| repoServer.serviceAccount.labels | object | `{}` | Labels applied to created service account |
 | repoServer.serviceAccount.name | string | `""` | Repo server service account name |
 | repoServer.tolerations | list | `[]` | [Tolerations] for use with node taints |
 | repoServer.topologySpreadConstraints | list | `[]` | Assign custom [TopologySpreadConstraints] rules to the repo server |
@@ -546,9 +615,9 @@ NAME: my-release
 | server.autoscaling.minReplicas | int | `1` | Minimum number of replicas for the Argo CD server [HPA] |
 | server.autoscaling.targetCPUUtilizationPercentage | int | `50` | Average CPU utilization percentage for the Argo CD server [HPA] |
 | server.autoscaling.targetMemoryUtilizationPercentage | int | `50` | Average memory utilization percentage for the Argo CD server [HPA] |
-| server.certificate.additionalHosts | list | `[]` | Certificate manager additional hosts |
+| server.certificate.additionalHosts | list | `[]` | Certificate Subject Alternate Names (SANs) |
 | server.certificate.domain | string | `"argocd.example.com"` | Certificate primary domain (commonName) |
-| server.certificate.duration | string | `""` | The requested 'duration' (i.e. lifetime) of the Certificate. Value must be in units accepted by Go time.ParseDuration |
+| server.certificate.duration | string | `""` (defaults to 2160h = 90d if not specified) | The requested 'duration' (i.e. lifetime) of the certificate. |
 | server.certificate.enabled | bool | `false` | Deploy a Certificate resource (requires cert-manager) |
 | server.certificate.issuer.group | string | `""` | Certificate issuer group. Set if using an external issuer. Eg. `cert-manager.io` |
 | server.certificate.issuer.kind | string | `""` | Certificate issuer kind. Either `Issuer` or `ClusterIssuer` |
@@ -557,18 +626,21 @@ NAME: my-release
 | server.certificate.privateKey.encoding | string | `"PKCS1"` | The private key cryptography standards (PKCS) encoding for private key. Either: `PCKS1` or `PKCS8` |
 | server.certificate.privateKey.rotationPolicy | string | `"Never"` | Rotation policy of private key when certificate is re-issued. Either: `Never` or `Always` |
 | server.certificate.privateKey.size | int | `2048` | Key bit size of the private key. If algorithm is set to `Ed25519`, size is ignored. |
-| server.certificate.renewBefore | string | `""` | How long before the currently issued certificate's expiry cert-manager should renew the certificate. Value must be in units accepted by Go time.ParseDuration |
+| server.certificate.renewBefore | string | `""` (defaults to 360h = 15d if not specified) | How long before the expiry a certificate should be renewed. |
 | server.certificate.secretName | string | `"argocd-server-tls"` | The name of the Secret that will be automatically created and managed by this Certificate resource |
+| server.certificateSecret.annotations | object | `{}` | Annotations to be added to argocd-server-tls secret |
+| server.certificateSecret.crt | string | `""` | Certificate data |
+| server.certificateSecret.enabled | bool | `false` | Create argocd-server-tls secret |
+| server.certificateSecret.key | string | `""` | Private Key of the certificate |
+| server.certificateSecret.labels | object | `{}` | Labels to be added to argocd-server-tls secret |
 | server.clusterAdminAccess.enabled | bool | `true` | Enable RBAC for local cluster deployments |
-| server.config | object | See [values.yaml] | [General Argo CD configuration] |
-| server.configAnnotations | object | `{}` | Annotations to be added to Argo CD ConfigMap |
-| server.configEnabled | bool | `true` | Manage Argo CD configmap (Declarative Setup) |
 | server.containerPort | int | `8080` | Configures the server port |
-| server.containerSecurityContext | object | `{}` | Servers container-level security context |
+| server.containerSecurityContext | object | See [values.yaml] | Server container-level security context |
+| server.deploymentAnnotations | object | `{}` | Annotations to be added to server Deployment |
 | server.env | list | `[]` | Environment variables to pass to Argo CD server |
 | server.envFrom | list | `[]` (See [values.yaml]) | envFrom to pass to Argo CD server |
-| server.extensions.contents | list | `[]` | Extensions to be loaded into the server |
-| server.extensions.enabled | bool | `false` | Enable support for extensions |
+| server.extensions.containerSecurityContext | object | See [values.yaml] | Server UI extensions container-level security context |
+| server.extensions.enabled | bool | `false` | Enable support for Argo UI extensions |
 | server.extensions.image.imagePullPolicy | string | `"IfNotPresent"` | Image pull policy for extensions |
 | server.extensions.image.repository | string | `"ghcr.io/argoproj-labs/argocd-extensions"` | Repository to use for extensions image |
 | server.extensions.image.tag | string | `"v0.1.0"` | Tag to use for extensions image |
@@ -578,7 +650,7 @@ NAME: my-release
 | server.image.imagePullPolicy | string | `""` (defaults to global.image.imagePullPolicy) | Image pull policy for the Argo CD server |
 | server.image.repository | string | `""` (defaults to global.image.repository) | Repository to use for the Argo CD server |
 | server.image.tag | string | `""` (defaults to global.image.tag) | Tag to use for the Argo CD server |
-| server.imagePullSecrets | list | `[]` | Secrets with credentials to pull images from a private registry |
+| server.imagePullSecrets | list | `[]` (defaults to global.imagePullSecrets) | Secrets with credentials to pull images from a private registry |
 | server.ingress.annotations | object | `{}` | Additional ingress annotations |
 | server.ingress.enabled | bool | `false` | Enable an ingress resource for the Argo CD server |
 | server.ingress.extraPaths | list | `[]` | Additional ingress paths |
@@ -609,14 +681,13 @@ NAME: my-release
 | server.livenessProbe.periodSeconds | int | `10` | How often (in seconds) to perform the [probe] |
 | server.livenessProbe.successThreshold | int | `1` | Minimum consecutive successes for the [probe] to be considered successful after having failed |
 | server.livenessProbe.timeoutSeconds | int | `1` | Number of seconds after which the [probe] times out |
-| server.logFormat | string | `""` (defaults to global.logging.format) | Argo CD server log format: Either `text` or `json` |
-| server.logLevel | string | `""` (defaults to global.logging.level) | Argo CD server log level. One of: `debug`, `info`, `warn` or `error` |
 | server.metrics.enabled | bool | `false` | Deploy metrics service |
 | server.metrics.service.annotations | object | `{}` | Metrics service annotations |
 | server.metrics.service.labels | object | `{}` | Metrics service labels |
 | server.metrics.service.portName | string | `"http-metrics"` | Metrics service port name |
 | server.metrics.service.servicePort | int | `8083` | Metrics service port |
 | server.metrics.serviceMonitor.additionalLabels | object | `{}` | Prometheus ServiceMonitor labels |
+| server.metrics.serviceMonitor.annotations | object | `{}` | Prometheus ServiceMonitor annotations |
 | server.metrics.serviceMonitor.enabled | bool | `false` | Enable a prometheus ServiceMonitor |
 | server.metrics.serviceMonitor.interval | string | `"30s"` | Prometheus ServiceMonitor interval |
 | server.metrics.serviceMonitor.metricRelabelings | list | `[]` | Prometheus [MetricRelabelConfigs] to apply to samples before ingestion |
@@ -627,15 +698,14 @@ NAME: my-release
 | server.metrics.serviceMonitor.tlsConfig | object | `{}` | Prometheus ServiceMonitor tlsConfig |
 | server.name | string | `"server"` | Argo CD server name |
 | server.nodeSelector | object | `{}` | [Node selector] |
-| server.pdb.annotations | object | `{}` | Annotations to be added to server pdb |
-| server.pdb.enabled | bool | `false` | Deploy a Poddisruptionbudget for the server |
-| server.pdb.labels | object | `{}` | Labels to be added to server pdb |
+| server.pdb.annotations | object | `{}` | Annotations to be added to Argo CD server pdb |
+| server.pdb.enabled | bool | `false` | Deploy a [PodDisruptionBudget] for the Argo CD server |
+| server.pdb.labels | object | `{}` | Labels to be added to Argo CD server pdb |
+| server.pdb.maxUnavailable | string | `""` | Number of pods that are unavailble after eviction as number or percentage (eg.: 50%). |
+| server.pdb.minAvailable | string | `""` (defaults to 0 if not specified) | Number of pods that are available after eviction as number or percentage (eg.: 50%) |
 | server.podAnnotations | object | `{}` | Annotations to be added to server pods |
 | server.podLabels | object | `{}` | Labels to be added to server pods |
 | server.priorityClassName | string | `""` | Priority class for the Argo CD server |
-| server.rbacConfig | object | `{}` | Argo CD rbac config ([Argo CD RBAC policy]) |
-| server.rbacConfigAnnotations | object | `{}` | Annotations to be added to Argo CD rbac ConfigMap |
-| server.rbacConfigCreate | bool | `true` | Whether or not to create the configmap. If false, it is expected the configmap will be created by something else. Argo CD will not work if there is no configMap created with the name above. |
 | server.readinessProbe.failureThreshold | int | `3` | Minimum consecutive failures for the [probe] to be considered failed after having succeeded |
 | server.readinessProbe.initialDelaySeconds | int | `10` | Number of seconds after the container has started before [probe] is initiated |
 | server.readinessProbe.periodSeconds | int | `10` | How often (in seconds) to perform the [probe] |
@@ -666,33 +736,60 @@ NAME: my-release | server.serviceAccount.annotations | object | `{}` | Annotations applied to created service account | | server.serviceAccount.automountServiceAccountToken | bool | `true` | Automount API credentials for the Service Account | | server.serviceAccount.create | bool | `true` | Create server service account | +| server.serviceAccount.labels | object | `{}` | Labels applied to created service account | | server.serviceAccount.name | string | `"argocd-server"` | Server service account name | -| server.staticAssets.enabled | bool | `true` | Disable deprecated flag `--staticassets` | | server.tolerations | list | `[]` | [Tolerations] for use with node taints | | server.topologySpreadConstraints | list | `[]` | Assign custom [TopologySpreadConstraints] rules to the Argo CD server | | server.volumeMounts | list | `[]` | Additional volumeMounts to the server main container | | server.volumes | list | `[]` | Additional volumes to the server pod | +### Using AWS ALB Ingress Controller With GRPC + +If you are using an AWS ALB Ingress controller, you will need to set `server.ingressGrpc.isAWSALB` to `true`. This will create a second service with the annotation `alb.ingress.kubernetes.io/backend-protocol-version: HTTP2` and modify the server ingress to add a condition annotation to route GRPC traffic to the new service. 
+ +Example: + +```yaml +server: + ingress: + enabled: true + annotations: + alb.ingress.kubernetes.io/backend-protocol: HTTPS + alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}]' + alb.ingress.kubernetes.io/scheme: internal + alb.ingress.kubernetes.io/target-type: ip + ingressGrpc: + enabled: true + isAWSALB: true + awsALB: + serviceType: ClusterIP +``` + ## Dex | Key | Type | Default | Description | |-----|------|---------|-------------| | dex.affinity | object | `{}` | Assign custom [affinity] rules to the deployment | +| dex.certificateSecret.annotations | object | `{}` | Annotations to be added to argocd-dex-server-tls secret | +| dex.certificateSecret.ca | string | `""` | Certificate authority. Required for self-signed certificates. | +| dex.certificateSecret.crt | string | `""` | Certificate data. Must contain SANs of Dex service (ie: argocd-dex-server, argocd-dex-server.argo-cd.svc) | +| dex.certificateSecret.enabled | bool | `false` | Create argocd-dex-server-tls secret | +| dex.certificateSecret.key | string | `""` | Certificate private key | +| dex.certificateSecret.labels | object | `{}` | Labels to be added to argocd-dex-server-tls secret | | dex.containerPortGrpc | int | `5557` | Container port for gRPC access | | dex.containerPortHttp | int | `5556` | Container port for HTTP access | | dex.containerPortMetrics | int | `5558` | Container port for metrics access | -| dex.containerSecurityContext | object | `{}` | Dex container-level security context | +| dex.containerSecurityContext | object | See [values.yaml] | Dex container-level security context | +| dex.deploymentAnnotations | object | `{}` | Annotations to be added to the Dex server Deployment | | dex.enabled | bool | `true` | Enable dex | | dex.env | list | `[]` | Environment variables to pass to the Dex server | | dex.envFrom | list | `[]` (See [values.yaml]) | envFrom to pass to the Dex server | | dex.extraArgs | list | `[]` | Additional command line arguments to pass to the Dex server | 
| dex.extraContainers | list | `[]` | Additional containers to be added to the dex pod | -| dex.extraVolumeMounts | list | `[]` | Extra volumeMounts to the dex pod | -| dex.extraVolumes | list | `[]` | Extra volumes to the dex pod | | dex.image.imagePullPolicy | string | `""` (defaults to global.image.imagePullPolicy) | Dex imagePullPolicy | | dex.image.repository | string | `"ghcr.io/dexidp/dex"` | Dex image repository | -| dex.image.tag | string | `"v2.32.0"` | Dex image tag | -| dex.imagePullSecrets | list | `[]` | Secrets with credentials to pull images from a private registry | +| dex.image.tag | string | `"v2.35.3"` | Dex image tag | +| dex.imagePullSecrets | list | `[]` (defaults to global.imagePullSecrets) | Secrets with credentials to pull images from a private registry | | dex.initContainers | list | `[]` | Init containers to add to the dex pod | | dex.initImage.imagePullPolicy | string | `""` (defaults to global.image.imagePullPolicy) | Argo CD init image imagePullPolicy | | dex.initImage.repository | string | `""` (defaults to global.image.repository) | Argo CD init image repository | @@ -708,6 +805,7 @@ NAME: my-release | dex.metrics.service.labels | object | `{}` | Metrics service labels | | dex.metrics.service.portName | string | `"http-metrics"` | Metrics service port name | | dex.metrics.serviceMonitor.additionalLabels | object | `{}` | Prometheus ServiceMonitor labels | +| dex.metrics.serviceMonitor.annotations | object | `{}` | Prometheus ServiceMonitor annotations | | dex.metrics.serviceMonitor.enabled | bool | `false` | Enable a prometheus ServiceMonitor | | dex.metrics.serviceMonitor.interval | string | `"30s"` | Prometheus ServiceMonitor interval | | dex.metrics.serviceMonitor.metricRelabelings | list | `[]` | Prometheus [MetricRelabelConfigs] to apply to samples before ingestion | 
@@ -719,8 +817,10 @@ NAME: my-release | dex.name | string | `"dex-server"` | Dex name | | dex.nodeSelector | object | `{}` | [Node selector] | | dex.pdb.annotations | object | `{}` | Annotations to be added to Dex server pdb | -| dex.pdb.enabled | bool | `false` | Deploy a Poddisruptionbudget for the Dex server | +| dex.pdb.enabled | bool | `false` | Deploy a [PodDisruptionBudget] for the Dex server | | dex.pdb.labels | object | `{}` | Labels to be added to Dex server pdb | +| dex.pdb.maxUnavailable | string | `""` | Number of pods that are unavailble after eviction as number or percentage (eg.: 50%). | +| dex.pdb.minAvailable | string | `""` (defaults to 0 if not specified) | Number of pods that are available after eviction as number or percentage (eg.: 50%) | | dex.podAnnotations | object | `{}` | Annotations to be added to the Dex server pods | | dex.podLabels | object | `{}` | Labels to be added to the Dex server pods | | dex.priorityClassName | string | `""` | Priority class for dex | @@ -742,8 +842,8 @@ NAME: my-release | dex.servicePortMetrics | int | `5558` | Service port for metrics access | | dex.tolerations | list | `[]` | [Tolerations] for use with node taints | | dex.topologySpreadConstraints | list | `[]` | Assign custom [TopologySpreadConstraints] rules to dex | -| dex.volumeMounts | list | `[{"mountPath":"/shared","name":"static-files"}]` | Additional volumeMounts to the dex main container | -| dex.volumes | list | `[{"emptyDir":{},"name":"static-files"}]` | Additional volumes to the dex pod | +| dex.volumeMounts | list | `[]` | Additional volumeMounts to the dex main container | +| dex.volumes | list | `[]` | Additional volumes to the dex pod | ## Redis 
@@ -753,7 +853,8 @@ NAME: my-release
 |-----|------|---------|-------------|
 | redis.affinity | object | `{}` | Assign custom [affinity] rules to the deployment |
 | redis.containerPort | int | `6379` | Redis container port |
-| redis.containerSecurityContext | object | `{}` | Redis container-level security context |
+| redis.containerSecurityContext | object | See [values.yaml] | Redis container-level security context |
+| redis.deploymentAnnotations | object | `{}` | Annotations to be added to the Redis server Deployment |
 | redis.enabled | bool | `true` | Enable redis |
 | redis.env | list | `[]` | Environment variables to pass to the Redis server |
 | redis.envFrom | list | `[]` (See [values.yaml]) | envFrom to pass to the Redis server |
@@ -761,10 +862,11 @@ NAME: my-release
 | redis.extraContainers | list | `[]` | Additional containers to be added to the redis pod |
 | redis.image.imagePullPolicy | string | `"IfNotPresent"` | Redis imagePullPolicy |
 | redis.image.repository | string | `"public.ecr.aws/docker/library/redis"` | Redis repository |
-| redis.image.tag | string | `"7.0.4-alpine"` | Redis tag |
-| redis.imagePullSecrets | list | `[]` | Secrets with credentials to pull images from a private registry |
+| redis.image.tag | string | `"7.0.5-alpine"` | Redis tag |
+| redis.imagePullSecrets | list | `[]` (defaults to global.imagePullSecrets) | Secrets with credentials to pull images from a private registry |
 | redis.initContainers | list | `[]` | Init containers to add to the redis pod |
 | redis.metrics.containerPort | int | `9121` | Port to use for redis-exporter sidecar |
+| redis.metrics.containerSecurityContext | object | See [values.yaml] | Redis exporter security context |
 | redis.metrics.enabled | bool | `false` | Deploy metrics service and redis-exporter sidecar |
 | redis.metrics.image.imagePullPolicy | string | `"IfNotPresent"` | redis-exporter image PullPolicy |
 | redis.metrics.image.repository | string | `"public.ecr.aws/bitnami/redis-exporter"` | redis-exporter image repository |
@@ -777,6 +879,7 @@ NAME: my-release
 | redis.metrics.service.servicePort | int | `9121` | Metrics service port |
 | redis.metrics.service.type | string | `"ClusterIP"` | Metrics service type |
 | redis.metrics.serviceMonitor.additionalLabels | object | `{}` | Prometheus ServiceMonitor labels |
+| redis.metrics.serviceMonitor.annotations | object | `{}` | Prometheus ServiceMonitor annotations |
 | redis.metrics.serviceMonitor.enabled | bool | `false` | Enable a prometheus ServiceMonitor |
 | redis.metrics.serviceMonitor.interval | string | `"30s"` | Interval at which metrics should be scraped |
 | redis.metrics.serviceMonitor.metricRelabelings | list | `[]` | Prometheus [MetricRelabelConfigs] to apply to samples before ingestion |
@@ -787,14 +890,16 @@ NAME: my-release
 | redis.metrics.serviceMonitor.tlsConfig | object | `{}` | Prometheus ServiceMonitor tlsConfig |
 | redis.name | string | `"redis"` | Redis name |
 | redis.nodeSelector | object | `{}` | [Node selector] |
-| redis.pdb.annotations | object | `{}` | Annotations to be added to Redis server pdb |
-| redis.pdb.enabled | bool | `false` | Deploy a Poddisruptionbudget for the Redis server |
-| redis.pdb.labels | object | `{}` | Labels to be added to Redis server pdb |
+| redis.pdb.annotations | object | `{}` | Annotations to be added to Redis pdb |
+| redis.pdb.enabled | bool | `false` | Deploy a [PodDisruptionBudget] for the Redis |
+| redis.pdb.labels | object | `{}` | Labels to be added to Redis pdb |
+| redis.pdb.maxUnavailable | string | `""` | Number of pods that are unavailble after eviction as number or percentage (eg.: 50%). |
+| redis.pdb.minAvailable | string | `""` (defaults to 0 if not specified) | Number of pods that are available after eviction as number or percentage (eg.: 50%) |
 | redis.podAnnotations | object | `{}` | Annotations to be added to the Redis server pods |
 | redis.podLabels | object | `{}` | Labels to be added to the Redis server pods |
 | redis.priorityClassName | string | `""` | Priority class for redis |
 | redis.resources | object | `{}` | Resource limits and requests for redis |
-| redis.securityContext | object | `{"runAsNonRoot":true,"runAsUser":999}` | Redis pod-level security context |
+| redis.securityContext | object | See [values.yaml] | Redis pod-level security context |
 | redis.service.annotations | object | `{}` | Redis service annotations |
 | redis.service.labels | object | `{}` | Additional redis service labels |
 | redis.serviceAccount.annotations | object | `{}` | Annotations applied to created service account |
@@ -819,7 +924,7 @@ The main options are listed here:
 | redis-ha.exporter.enabled | bool | `true` | If `true`, the prometheus exporter sidecar is enabled |
 | redis-ha.haproxy.enabled | bool | `true` | Enabled HAProxy LoadBalancing/Proxy |
 | redis-ha.haproxy.metrics.enabled | bool | `true` | HAProxy enable prometheus metric scraping |
-| redis-ha.image.tag | string | `"7.0.4-alpine"` | Redis tag |
+| redis-ha.image.tag | string | `"7.0.5-alpine"` | Redis tag |
 | redis-ha.persistentVolume.enabled | bool | `false` | Configures persistency on Redis nodes |
 | redis-ha.redis.config | object | See [values.yaml] | Any valid redis config options in this section will be applied to each server (see `redis-ha` chart) |
 | redis-ha.redis.config.save | string | `'""'` | Will save the DB if both the given number of seconds and the given number of write operations against the DB occurred. `""` is disabled |
@@ -845,29 +950,36 @@ If you want to use an existing Redis (eg. a managed service from a cloud provide | externalRedis.password | string | `""` | External Redis password | | externalRedis.port | int | `6379` | External Redis server port | | externalRedis.secretAnnotations | object | `{}` | External Redis Secret annotations | +| externalRedis.username | string | `""` | External Redis username | ## ApplicationSet | Key | Type | Default | Description | |-----|------|---------|-------------| | applicationSet.affinity | object | `{}` | Assign custom [affinity] rules | -| applicationSet.args.debug | bool | `false` | Print debug logs | | applicationSet.args.dryRun | bool | `false` | Enable dry run mode | -| applicationSet.args.enableLeaderElection | bool | `false` | The default leader election setting | | applicationSet.args.metricsAddr | string | `":8080"` | The default metric address | | applicationSet.args.policy | string | `"sync"` | How application is synced between the generator and the cluster | | applicationSet.args.probeBindAddr | string | `":8081"` | The default health check port | -| applicationSet.enabled | bool | `true` | Enable Application Set controller | +| applicationSet.containerSecurityContext | object | See [values.yaml] | ApplicationSet controller container-level security context | +| applicationSet.deploymentAnnotations | object | `{}` | Annotations to be added to ApplicationSet controller Deployment | +| applicationSet.enabled | bool | `true` | Enable ApplicationSet controller | | applicationSet.extraArgs | list | `[]` | List of extra cli args to add | -| applicationSet.extraContainers | list | `[]` | Additional containers to be added to the applicationset controller pod | -| applicationSet.extraEnv | list | `[]` | Environment variables to pass to the controller | -| applicationSet.extraEnvFrom | list | `[]` (See [values.yaml]) | envFrom to pass to the controller | +| applicationSet.extraContainers | list | `[]` | Additional containers to be added 
to the ApplicationSet controller pod | +| applicationSet.extraEnv | list | `[]` | Environment variables to pass to the ApplicationSet controller | +| applicationSet.extraEnvFrom | list | `[]` (See [values.yaml]) | envFrom to pass to the ApplicationSet controller | | applicationSet.extraVolumeMounts | list | `[]` | List of extra mounts to add (normally used with extraVolumes) | | applicationSet.extraVolumes | list | `[]` | List of extra volumes to add | -| applicationSet.image.imagePullPolicy | string | `""` (defaults to global.image.imagePullPolicy) | Image pull policy for the application set controller | -| applicationSet.image.repository | string | `""` (defaults to global.image.repository) | Repository to use for the application set controller | -| applicationSet.image.tag | string | `""` (defaults to global.image.tag) | Tag to use for the application set controller | -| applicationSet.imagePullSecrets | list | `[]` | If defined, uses a Secret to pull an image from a private Docker registry or repository. | +| applicationSet.image.imagePullPolicy | string | `""` (defaults to global.image.imagePullPolicy) | Image pull policy for the ApplicationSet controller | +| applicationSet.image.repository | string | `""` (defaults to global.image.repository) | Repository to use for the ApplicationSet controller | +| applicationSet.image.tag | string | `""` (defaults to global.image.tag) | Tag to use for the ApplicationSet controller | +| applicationSet.imagePullSecrets | list | `[]` (defaults to global.imagePullSecrets) | If defined, uses a Secret to pull an image from a private Docker registry or repository. 
| +| applicationSet.livenessProbe.enabled | bool | `false` | Enable Kubernetes liveness probe for ApplicationSet controller | +| applicationSet.livenessProbe.failureThreshold | int | `3` | Minimum consecutive failures for the [probe] to be considered failed after having succeeded | +| applicationSet.livenessProbe.initialDelaySeconds | int | `10` | Number of seconds after the container has started before [probe] is initiated | +| applicationSet.livenessProbe.periodSeconds | int | `10` | How often (in seconds) to perform the [probe] | +| applicationSet.livenessProbe.successThreshold | int | `1` | Minimum consecutive successes for the [probe] to be considered successful after having failed | +| applicationSet.livenessProbe.timeoutSeconds | int | `1` | Number of seconds after which the [probe] times out | | applicationSet.logFormat | string | `""` (defaults to global.logging.format) | ApplicationSet controller log format. Either `text` or `json` | | applicationSet.logLevel | string | `""` (defaults to global.logging.level) | ApplicationSet controller log level. One of: `debug`, `info`, `warn`, `error` | | applicationSet.metrics.enabled | bool | `false` | Deploy metrics service | 
@@ -876,6 +988,7 @@ If you want to use an existing Redis (eg. a managed service from a cloud provide | applicationSet.metrics.service.portName | string | `"http-metrics"` | Metrics service port name | | applicationSet.metrics.service.servicePort | int | `8085` | Metrics service port | | applicationSet.metrics.serviceMonitor.additionalLabels | object | `{}` | Prometheus ServiceMonitor labels | +| applicationSet.metrics.serviceMonitor.annotations | object | `{}` | Prometheus ServiceMonitor annotations | | applicationSet.metrics.serviceMonitor.enabled | bool | `false` | Enable a prometheus ServiceMonitor | | applicationSet.metrics.serviceMonitor.interval | string | `"30s"` | Prometheus ServiceMonitor interval | | applicationSet.metrics.serviceMonitor.metricRelabelings | list | `[]` | Prometheus [MetricRelabelConfigs] to apply to samples before ingestion | 
@@ -884,28 +997,38 @@ If you want to use an existing Redis (eg. a managed service from a cloud provide | applicationSet.metrics.serviceMonitor.scheme | string | `""` | Prometheus ServiceMonitor scheme | | applicationSet.metrics.serviceMonitor.selector | object | `{}` | Prometheus ServiceMonitor selector | | applicationSet.metrics.serviceMonitor.tlsConfig | object | `{}` | Prometheus ServiceMonitor tlsConfig | -| applicationSet.name | string | `"applicationset-controller"` | Application Set controller name string | +| applicationSet.name | string | `"applicationset-controller"` | ApplicationSet controller name string | | applicationSet.nodeSelector | object | `{}` | [Node selector] | -| applicationSet.podAnnotations | object | `{}` | Annotations for the controller pods | -| applicationSet.podLabels | object | `{}` | Labels for the controller pods | -| applicationSet.podSecurityContext | object | `{}` | Pod Security Context | +| applicationSet.pdb.annotations | object | `{}` | Annotations to be added to ApplicationSet controller pdb | +| applicationSet.pdb.enabled | bool | `false` | Deploy a [PodDisruptionBudget] for the ApplicationSet controller | +| applicationSet.pdb.labels | object | `{}` | Labels to be added to ApplicationSet controller pdb | +| applicationSet.pdb.maxUnavailable | string | `""` | Number of pods that are unavailble after eviction as number or percentage (eg.: 50%). | +| applicationSet.pdb.minAvailable | string | `""` (defaults to 0 if not specified) | Number of pods that are available after eviction as number or percentage (eg.: 50%) | +| applicationSet.podAnnotations | object | `{}` | Annotations for the ApplicationSet controller pods | +| applicationSet.podLabels | object | `{}` | Labels for the ApplicationSet controller pods | | applicationSet.priorityClassName | string | `""` | If specified, indicates the pod's priority. If not specified, the pod priority will be default or zero if there is no default. 
| -| applicationSet.replicaCount | int | `1` | The number of controller pods to run | -| applicationSet.resources | object | `{}` | Resource limits and requests for the controller pods. | -| applicationSet.securityContext | object | `{}` | Security Context | -| applicationSet.service.annotations | object | `{}` | Application set service annotations | -| applicationSet.service.labels | object | `{}` | Application set service labels | -| applicationSet.service.port | int | `7000` | Application set service port | -| applicationSet.service.portName | string | `"webhook"` | Application set service port name | +| applicationSet.readinessProbe.enabled | bool | `false` | Enable Kubernetes liveness probe for ApplicationSet controller | +| applicationSet.readinessProbe.failureThreshold | int | `3` | Minimum consecutive failures for the [probe] to be considered failed after having succeeded | +| applicationSet.readinessProbe.initialDelaySeconds | int | `10` | Number of seconds after the container has started before [probe] is initiated | +| applicationSet.readinessProbe.periodSeconds | int | `10` | How often (in seconds) to perform the [probe] | +| applicationSet.readinessProbe.successThreshold | int | `1` | Minimum consecutive successes for the [probe] to be considered successful after having failed | +| applicationSet.readinessProbe.timeoutSeconds | int | `1` | Number of seconds after which the [probe] times out | +| applicationSet.replicaCount | int | `1` | The number of ApplicationSet controller pods to run | +| applicationSet.resources | object | `{}` | Resource limits and requests for the ApplicationSet controller pods. 
| +| applicationSet.service.annotations | object | `{}` | ApplicationSet service annotations | +| applicationSet.service.labels | object | `{}` | ApplicationSet service labels | +| applicationSet.service.port | int | `7000` | ApplicationSet service port | +| applicationSet.service.portName | string | `"webhook"` | ApplicationSet service port name | | applicationSet.serviceAccount.annotations | object | `{}` | Annotations to add to the service account | | applicationSet.serviceAccount.create | bool | `true` | Specifies whether a service account should be created | +| applicationSet.serviceAccount.labels | object | `{}` | Labels applied to created service account | | applicationSet.serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | | applicationSet.tolerations | list | `[]` | [Tolerations] for use with node taints | | applicationSet.webhook.ingress.annotations | object | `{}` | Additional ingress annotations | | applicationSet.webhook.ingress.enabled | bool | `false` | Enable an ingress resource for Webhooks | | applicationSet.webhook.ingress.extraPaths | list | `[]` | Additional ingress paths | | applicationSet.webhook.ingress.hosts | list | `[]` | List of ingress hosts | -| applicationSet.webhook.ingress.ingressClassName | string | `""` | Defines which ingress controller will implement the resource | +| applicationSet.webhook.ingress.ingressClassName | string | `""` | Defines which ingress ApplicationSet controller will implement the resource | | applicationSet.webhook.ingress.labels | object | `{}` | Additional ingress labels | | applicationSet.webhook.ingress.pathType | string | `"Prefix"` | Ingress path type. One of `Exact`, `Prefix` or `ImplementationSpecific` | | applicationSet.webhook.ingress.paths | list | `["/api/webhook"]` | List of ingress paths | 
@@ -918,15 +1041,19 @@ If you want to use an existing Redis (eg. a managed service from a cloud provide | notifications.affinity | object | `{}` | Assign custom [affinity] rules | | notifications.argocdUrl | string | `nil` | Argo CD dashboard url; used in place of {{.context.argocdUrl}} in templates | | notifications.bots.slack.affinity | object | `{}` | Assign custom [affinity] rules | -| notifications.bots.slack.containerSecurityContext | object | `{}` | Container Security Context | +| notifications.bots.slack.containerSecurityContext | object | See [values.yaml] | Slack bot container-level security Context | | notifications.bots.slack.enabled | bool | `false` | Enable slack bot | | notifications.bots.slack.image.imagePullPolicy | string | `""` (defaults to global.image.imagePullPolicy) | Image pull policy for the Slack bot | | notifications.bots.slack.image.repository | string | `""` (defaults to global.image.repository) | Repository to use for the Slack bot | | notifications.bots.slack.image.tag | string | `""` (defaults to global.image.tag) | Tag to use for the Slack bot | -| notifications.bots.slack.imagePullSecrets | list | `[]` | Secrets with credentials to pull images from a private registry | +| notifications.bots.slack.imagePullSecrets | list | `[]` (defaults to global.imagePullSecrets) | Secrets with credentials to pull images from a private registry | | notifications.bots.slack.nodeSelector | object | `{}` | [Node selector] | +| notifications.bots.slack.pdb.annotations | object | `{}` | Annotations to be added to Slack bot pdb | +| notifications.bots.slack.pdb.enabled | bool | `false` | Deploy a [PodDisruptionBudget] for the Slack bot | +| notifications.bots.slack.pdb.labels | object | `{}` | Labels to be added to Slack bot pdb | +| notifications.bots.slack.pdb.maxUnavailable | string | `""` | Number of pods that are unavailble after eviction as number or percentage (eg.: 50%). 
| +| notifications.bots.slack.pdb.minAvailable | string | `""` (defaults to 0 if not specified) | Number of pods that are available after eviction as number or percentage (eg.: 50%) | | notifications.bots.slack.resources | object | `{}` | Resource limits and requests for the Slack bot | -| notifications.bots.slack.securityContext | object | `{"runAsNonRoot":true}` | Pod Security Context | | notifications.bots.slack.service.annotations | object | `{}` | Service annotations for Slack bot | | notifications.bots.slack.service.port | int | `80` | Service port for Slack bot | | notifications.bots.slack.service.type | string | `"LoadBalancer"` | Service type for Slack bot | 
@@ -934,27 +1061,29 @@ If you want to use an existing Redis (eg. a managed service from a cloud provide | notifications.bots.slack.serviceAccount.create | bool | `true` | Specifies whether a service account should be created | | notifications.bots.slack.serviceAccount.name | string | `"argocd-notifications-bot"` | The name of the service account to use. | | notifications.bots.slack.tolerations | list | `[]` | [Tolerations] for use with node taints | -| notifications.bots.slack.updateStrategy | object | `{"type":"Recreate"}` | The deployment strategy to use to replace existing pods with new ones | -| notifications.cm.create | bool | `true` | Whether helm chart creates controller config map | -| notifications.containerSecurityContext | object | `{}` | Container Security Context | +| notifications.cm.create | bool | `true` | Whether helm chart creates notifications controller config map | +| notifications.containerSecurityContext | object | See [values.yaml] | Notification controller container-level security Context | | notifications.context | object | `{}` | Define user-defined context | -| notifications.enabled | bool | `true` | Enable Notifications controller | -| notifications.extraArgs | list | `[]` | Extra arguments to provide to the controller | +| notifications.deploymentAnnotations | object | `{}` | Annotations to be applied to the notifications controller Deployment | +| notifications.enabled | bool | `true` | Enable notifications controller | +| notifications.extraArgs | list | `[]` | Extra arguments to provide to the notifications controller | | notifications.extraEnv | list | `[]` | Additional container environment variables | +| notifications.extraEnvFrom | list | `[]` (See [values.yaml]) | envFrom to pass to the notifications controller | | notifications.extraVolumeMounts | list | `[]` | List of extra mounts to add (normally used with extraVolumes) | | notifications.extraVolumes | list | `[]` | List of extra volumes to add | | 
notifications.image.imagePullPolicy | string | `""` (defaults to global.image.imagePullPolicy) | Image pull policy for the notifications controller | | notifications.image.repository | string | `""` (defaults to global.image.repository) | Repository to use for the notifications controller | | notifications.image.tag | string | `""` (defaults to global.image.tag) | Tag to use for the notifications controller | -| notifications.imagePullSecrets | list | `[]` | Secrets with credentials to pull images from a private registry | -| notifications.logFormat | string | `""` (defaults to global.logging.format) | Application controller log format. Either `text` or `json` | -| notifications.logLevel | string | `""` (defaults to global.logging.level) | Application controller log level. One of: `debug`, `info`, `warn`, `error` | +| notifications.imagePullSecrets | list | `[]` (defaults to global.imagePullSecrets) | Secrets with credentials to pull images from a private registry | +| notifications.logFormat | string | `""` (defaults to global.logging.format) | Notifications controller log format. Either `text` or `json` | +| notifications.logLevel | string | `""` (defaults to global.logging.level) | Notifications controller log level. 
One of: `debug`, `info`, `warn`, `error` | | notifications.metrics.enabled | bool | `false` | Enables prometheus metrics server | | notifications.metrics.port | int | `9001` | Metrics port | | notifications.metrics.service.annotations | object | `{}` | Metrics service annotations | | notifications.metrics.service.labels | object | `{}` | Metrics service labels | | notifications.metrics.service.portName | string | `"http-metrics"` | Metrics service port name | | notifications.metrics.serviceMonitor.additionalLabels | object | `{}` | Prometheus ServiceMonitor labels | +| notifications.metrics.serviceMonitor.annotations | object | `{}` | Prometheus ServiceMonitor annotations | | notifications.metrics.serviceMonitor.enabled | bool | `false` | Enable a prometheus ServiceMonitor | | notifications.metrics.serviceMonitor.scheme | string | `""` | Prometheus ServiceMonitor scheme | | notifications.metrics.serviceMonitor.selector | object | `{}` | Prometheus ServiceMonitor selector | 
@@ -962,45 +1091,26 @@ If you want to use an existing Redis (eg. a managed service from a cloud provide | notifications.name | string | `"notifications-controller"` | Notifications controller name string | | notifications.nodeSelector | object | `{}` | [Node selector] | | notifications.notifiers | object | See [values.yaml] | Configures notification services such as slack, email or custom webhook | -| notifications.podAnnotations | object | `{}` | Annotations to be applied to the controller Pods | -| notifications.podLabels | object | `{}` | Labels to be applied to the controller Pods | -| notifications.priorityClassName | string | `""` | Priority class for the controller pods | -| notifications.resources | object | `{}` | Resource limits and requests for the controller | +| notifications.pdb.annotations | object | `{}` | Annotations to be added to notifications controller pdb | +| notifications.pdb.enabled | bool | `false` | Deploy a [PodDisruptionBudget] for the notifications controller | +| notifications.pdb.labels | object | `{}` | Labels to be added to notifications controller pdb | +| notifications.pdb.maxUnavailable | string | `""` | Number of pods that are unavailble after eviction as number or percentage (eg.: 50%). 
| +| notifications.pdb.minAvailable | string | `""` (defaults to 0 if not specified) | Number of pods that are available after eviction as number or percentage (eg.: 50%) | +| notifications.podAnnotations | object | `{}` | Annotations to be applied to the notifications controller Pods | +| notifications.podLabels | object | `{}` | Labels to be applied to the notifications controller Pods | +| notifications.priorityClassName | string | `""` | Priority class for the notifications controller pods | +| notifications.resources | object | `{}` | Resource limits and requests for the notifications controller | | notifications.secret.annotations | object | `{}` | key:value pairs of annotations to be added to the secret | -| notifications.secret.create | bool | `true` | Whether helm chart creates controller secret | +| notifications.secret.create | bool | `true` | Whether helm chart creates notifications controller secret | | notifications.secret.items | object | `{}` | Generic key:value pairs to be inserted into the secret | -| notifications.securityContext | object | `{"runAsNonRoot":true}` | Pod Security Context | | notifications.serviceAccount.annotations | object | `{}` | Annotations applied to created service account | | notifications.serviceAccount.create | bool | `true` | Specifies whether a service account should be created | +| notifications.serviceAccount.labels | object | `{}` | Labels applied to created service account | | notifications.serviceAccount.name | string | `"argocd-notifications-controller"` | The name of the service account to use. 
| | notifications.subscriptions | list | `[]` | Contains centrally managed global application subscriptions | | notifications.templates | object | `{}` | The notification template is used to generate the notification content | | notifications.tolerations | list | `[]` | [Tolerations] for use with node taints | | notifications.triggers | object | `{}` | The trigger defines the condition when the notification should be sent | -| notifications.updateStrategy | object | `{"type":"Recreate"}` | The deployment strategy to use to replace existing pods with new ones | - -### Using AWS ALB Ingress Controller With GRPC - -If you are using an AWS ALB Ingress controller, you will need to set `server.ingressGrpc.isAWSALB` to `true`. This will create a second service with the annotation `alb.ingress.kubernetes.io/backend-protocol-version: HTTP2` and modify the server ingress to add a condition annotation to route GRPC traffic to the new service. - -Example: - -```yaml -server: - ingress: - enabled: true - annotations: - alb.ingress.kubernetes.io/backend-protocol: HTTPS - alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}]' - alb.ingress.kubernetes.io/scheme: internal - alb.ingress.kubernetes.io/target-type: ip - ingressGrpc: - enabled: true - isAWSALB: true - awsALB: - serviceType: ClusterIP - -``` ---------------------------------------------- Autogenerated from chart metadata using [helm-docs](https://github.com/norwoodj/helm-docs) 
@@ -1009,13 +1119,16 @@ Autogenerated from chart metadata using [helm-docs](https://github.com/norwoodj/ [affinity]: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ [BackendConfigSpec]: https://cloud.google.com/kubernetes-engine/docs/concepts/backendconfig#backendconfigspec_v1beta1_cloudgooglecom [CSS styles]: https://argo-cd.readthedocs.io/en/stable/operator-manual/custom-styles/ +[changelog]: https://artifacthub.io/packages/helm/argo/argo-cd?modal=changelog [external cluster credentials]: https://argo-cd.readthedocs.io/en/stable/operator-manual/declarative-setup/#clusters [FrontendConfigSpec]: https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-features#configuring_ingress_features_through_frontendconfig_parameters -[Declarative setup]: https://argo-cd.readthedocs.io/en/stable/operator-manual/declarative-setup +[declarative setup]: https://argo-cd.readthedocs.io/en/stable/operator-manual/declarative-setup [gRPC-ingress]: https://argo-cd.readthedocs.io/en/stable/operator-manual/ingress/ +[GnuPG]: https://argo-cd.readthedocs.io/en/stable/user-guide/gpg-verification/ [HPA]: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ [MetricRelabelConfigs]: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#metric_relabel_configs [Node selector]: https://kubernetes.io/docs/user-guide/node-selection/ +[PodDisruptionBudget]: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/#pod-disruption-budgets [probe]: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes [RelabelConfigs]: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config [Tolerations]: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ diff --git a/charts/argo-cd/README.md.gotmpl b/charts/argo-cd/README.md.gotmpl index 798744ddb..a844449af 100644 --- a/charts/argo-cd/README.md.gotmpl +++ b/charts/argo-cd/README.md.gotmpl 
@@ -2,15 +2,15 @@ A Helm chart for Argo CD, a declarative, GitOps continuous delivery tool for Kubernetes. -Source code can be found [here](https://argo-cd.readthedocs.io/en/stable/) +Source code can be found here: -## Additional Information +{{ template "chart.sourcesList" . }} This is a **community maintained** chart. This chart installs [argo-cd](https://argo-cd.readthedocs.io/en/stable/), a declarative, GitOps continuous delivery tool for Kubernetes. The default installation is intended to be similar to the provided Argo CD [releases](https://github.com/argoproj/argo-cd/releases). -If you want to avoid including sensitive information unencrypted (clear text) in your version control, make use of the [declarative set up](https://argo-cd.readthedocs.io/en/stable/operator-manual/declarative-setup/) of Argo CD. +If you want to avoid including sensitive information unencrypted (clear text) in your version control, make use of the [declarative setup] of Argo CD. For instance, rather than adding repositories and their keys in your Helm values, you could deploy [SealedSecrets](https://github.com/bitnami-labs/sealed-secrets) with contents as seen in this [repositories section](https://argo-cd.readthedocs.io/en/stable/operator-manual/declarative-setup/#repositories) or any other secrets manager service (i.e. HashiCorp Vault, AWS/GCP Secrets Manager, etc.). ## High Availability @@ -41,7 +41,7 @@ repoServer: minReplicas: 2 applicationSet: - replicas: 2 + replicaCount: 2 ``` ### HA mode without autoscaling @@ -60,7 +60,7 @@ repoServer: replicas: 2 applicationSet: - replicas: 2 + replicaCount: 2 ``` ### Synchronizing Changes from Original Repository 
@@ -83,15 +83,13 @@ git diff v1.8.7 v2.0.0 -- manifests/install.yaml Changes in the `CustomResourceDefinition` resources shall be fixed easily by copying 1:1 from the [`manifests/crds` folder](https://github.com/argoproj/argo-cd/tree/master/manifests/crds) into this [`charts/argo-cd/templates/crds` folder](https://github.com/argoproj/argo-helm/tree/master/charts/argo-cd/templates/crds). -## Upgrading - ### Custom resource definitions Some users would prefer to install the CRDs _outside_ of the chart. You can disable the CRD installation of this chart by using `--set crds.install=false` when installing the chart. -Helm cannot upgrade custom resource definitions [by design](https://helm.sh/docs/chart_best_practices/custom_resource_definitions/#some-caveats-and-explanations). +Helm cannot upgrade custom resource definitions in the `/crds` folder [by design](https://helm.sh/docs/chart_best_practices/custom_resource_definitions/#some-caveats-and-explanations). Starting with 5.2.0, the CRDs have been moved to `/templates` to address this design decision. -Please use `kubectl` to upgrade CRDs manually from [templates/crds](templates/crds/) folder or via the manifests from the upstream project repo: +If you are using Argo CD chart version prior to 5.2.0 or have elected to manage the Argo CD CRDs outside of the chart, please use `kubectl` to upgrade CRDs manually from [templates/crds](templates/crds/) folder or via the manifests from the upstream project repo: ```bash kubectl apply -k "https://github.com/argoproj/argo-cd/manifests/crds?ref=" @@ -100,6 +98,42 @@ kubectl apply -k "https://github.com/argoproj/argo-cd/manifests/crds?ref=`. + +### 5.5.0 + +This version introduces new `configs.params` section that replaces command line arguments for containers. +Please refer to documentation in values.yaml for migrating the configuration. + ### 5.2.0 Custom resource definitions were moved to `templates` folder so they can be managed by Helm. 
@@ -302,7 +336,7 @@ server: ## Prerequisites -- Kubernetes 1.7+ +- {{ template "chart.kubeVersionLine" . }} - Helm v3.0.0+ ## Installing the Chart @@ -323,10 +357,17 @@ NAME: my-release | Key | Type | Default | Description | |-----|------|---------|-------------| {{- range .Values }} - {{- if not (or (hasPrefix "configs" .Key) (hasPrefix "controller" .Key) (hasPrefix "repoServer" .Key) (hasPrefix "server" .Key) (hasPrefix "dex" .Key) (hasPrefix "redis" .Key) (hasPrefix "externalRedis" .Key) (hasPrefix "applicationSet" .Key) (hasPrefix "notifications" .Key) ) }} + {{- if not (or (hasPrefix "global" .Key) (hasPrefix "configs" .Key) (hasPrefix "controller" .Key) (hasPrefix "repoServer" .Key) (hasPrefix "server" .Key) (hasPrefix "applicationSet" .Key) (hasPrefix "notifications" .Key) (hasPrefix "dex" .Key) (hasPrefix "redis" .Key) (hasPrefix "externalRedis" .Key) ) }} | {{ .Key }} | {{ .Type }} | {{ if .Default }}{{ .Default }}{{ else }}{{ .AutoDefault }}{{ end }} | {{ if .Description }}{{ .Description }}{{ else }}{{ .AutoDescription }}{{ end }} | {{- end }} - {{- if hasPrefix "server.additional" .Key }} +{{- end }} + +## Global Configs + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +{{- range .Values }} + {{- if hasPrefix "global" .Key }} | {{ .Key }} | {{ .Type }} | {{ if .Default }}{{ .Default }}{{ else }}{{ .AutoDefault }}{{ end }} | {{ if .Description }}{{ .Description }}{{ else }}{{ .AutoDescription }}{{ end }} | {{- end }} {{- end }} 
@@ -371,6 +412,28 @@ NAME: my-release {{- end }} {{- end }} +### Using AWS ALB Ingress Controller With GRPC + +If you are using an AWS ALB Ingress controller, you will need to set `server.ingressGrpc.isAWSALB` to `true`. This will create a second service with the annotation `alb.ingress.kubernetes.io/backend-protocol-version: HTTP2` and modify the server ingress to add a condition annotation to route GRPC traffic to the new service. + +Example: + +```yaml +server: + ingress: + enabled: true + annotations: + alb.ingress.kubernetes.io/backend-protocol: HTTPS + alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}]' + alb.ingress.kubernetes.io/scheme: internal + alb.ingress.kubernetes.io/target-type: ip + ingressGrpc: + enabled: true + isAWSALB: true + awsALB: + serviceType: ClusterIP +``` + ## Dex | Key | Type | Default | Description | @@ -444,30 +507,6 @@ If you want to use an existing Redis (eg. a managed service from a cloud provide {{- end }} {{- end }} - -### Using AWS ALB Ingress Controller With GRPC - -If you are using an AWS ALB Ingress controller, you will need to set `server.ingressGrpc.isAWSALB` to `true`. This will create a second service with the annotation `alb.ingress.kubernetes.io/backend-protocol-version: HTTP2` and modify the server ingress to add a condition annotation to route GRPC traffic to the new service. - -Example: - -```yaml -server: - ingress: - enabled: true - annotations: - alb.ingress.kubernetes.io/backend-protocol: HTTPS - alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}]' - alb.ingress.kubernetes.io/scheme: internal - alb.ingress.kubernetes.io/target-type: ip - ingressGrpc: - enabled: true - isAWSALB: true - awsALB: - serviceType: ClusterIP - -``` - ---------------------------------------------- Autogenerated from chart metadata using [helm-docs](https://github.com/norwoodj/helm-docs) 
@@ -475,13 +514,16 @@ Autogenerated from chart metadata using [helm-docs](https://github.com/norwoodj/ [affinity]: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ [BackendConfigSpec]: https://cloud.google.com/kubernetes-engine/docs/concepts/backendconfig#backendconfigspec_v1beta1_cloudgooglecom [CSS styles]: https://argo-cd.readthedocs.io/en/stable/operator-manual/custom-styles/ +[changelog]: https://artifacthub.io/packages/helm/argo/argo-cd?modal=changelog [external cluster credentials]: https://argo-cd.readthedocs.io/en/stable/operator-manual/declarative-setup/#clusters [FrontendConfigSpec]: https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-features#configuring_ingress_features_through_frontendconfig_parameters -[Declarative setup]: https://argo-cd.readthedocs.io/en/stable/operator-manual/declarative-setup +[declarative setup]: https://argo-cd.readthedocs.io/en/stable/operator-manual/declarative-setup [gRPC-ingress]: https://argo-cd.readthedocs.io/en/stable/operator-manual/ingress/ +[GnuPG]: https://argo-cd.readthedocs.io/en/stable/user-guide/gpg-verification/ [HPA]: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ [MetricRelabelConfigs]: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#metric_relabel_configs [Node selector]: https://kubernetes.io/docs/user-guide/node-selection/ +[PodDisruptionBudget]: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/#pod-disruption-budgets [probe]: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes [RelabelConfigs]: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config [Tolerations]: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ diff --git a/charts/argo-cd/ci/ha-autoscaling-values.yaml b/charts/argo-cd/ci/ha-autoscaling-values.yaml index 58ac3419d..6e994e3f3 100644 --- a/charts/argo-cd/ci/ha-autoscaling-values.yaml 
+++ b/charts/argo-cd/ci/ha-autoscaling-values.yaml @@ -5,9 +5,6 @@ crds: redis-ha: enabled: true -controller: - enableStatefulSet: true - server: autoscaling: enabled: true diff --git a/charts/argo-cd/ci/ha-static-values.yaml b/charts/argo-cd/ci/ha-static-values.yaml index 431050e45..ad5efd351 100644 --- a/charts/argo-cd/ci/ha-static-values.yaml +++ b/charts/argo-cd/ci/ha-static-values.yaml @@ -5,14 +5,8 @@ crds: redis-ha: enabled: true -controller: - enableStatefulSet: true - server: replicas: 2 - env: - - name: ARGOCD_API_SERVER_REPLICAS - value: '2' repoServer: replicas: 2 diff --git a/charts/argo-cd/templates/NOTES.txt b/charts/argo-cd/templates/NOTES.txt index b22c105cc..98bbb96a3 100644 --- a/charts/argo-cd/templates/NOTES.txt +++ b/charts/argo-cd/templates/NOTES.txt 
@@ -1,22 +1,89 @@ +{{- if .Values.controller.args.statusProcessors }} +DEPRECATED option controller.args.statusProcessors - Use configs.params.controller.status.processors +{{- end }} +{{- if .Values.controller.args.operationProcessors }} +DEPRECATED option controller.args.operationProcessors - Use configs.params.controller.operation.processors +{{- end }} +{{- if .Values.controller.args.appResyncPeriod }} +DEPRECATED option controller.args.appResyncPeriod - Use server.config.timeout.reconciliation +{{- end }} +{{- if .Values.controller.args.appHardResyncPeriod }} +DEPRECATED option controller.args.appHardResyncPeriod - Use server.config.timeout.hard.reconciliation +{{- end }} +{{- if .Values.controller.args.selfHealTimeout }} +DEPRECATED option controller.args.selfHealTimeout - Use configs.params.controller.self.heal.timeout.seconds +{{- end }} +{{- if .Values.controller.args.repoServerTimeoutSeconds }} +DEPRECATED option controller.args.repoServerTimeoutSeconds - Use configs.params.controller.repo.server.timeout.seconds +{{- end }} +{{- if .Values.controller.logFormat }} +DEPRECATED option controller.logFormat - Use configs.params.controller.log.format +{{- end }} +{{- if .Values.controller.logLevel }} +DEPRECATED option controller.logLevel - Use configs.params.controller.log.level +{{- end }} +{{- if .Values.server.logFormat }} +DEPRECATED option server.logFormat - Use configs.params.server.log.format +{{- end }} +{{- if .Values.server.logLevel }} +DEPRECATED option server.logLevel - Use configs.params.server.log.level +{{- end }} +{{- if has "--insecure" .Values.server.extraArgs }} +DEPRECATED option server.extraArgs."--insecure" - Use configs.params.server.insecure +{{- end }} +{{- if .Values.repoServer.logFormat }} +DEPRECATED option repoServer.logFormat - Use configs.params.repoServer.log.format +{{- end }} +{{- if .Values.repoServer.logLevel }} +DEPRECATED option repoServer.logLevel - Use configs.params.repoServer.log.level +{{- end }} +{{- if or 
.Values.server.config (hasKey .Values.server "configEnabled") .Values.server.configAnnotations }} +DEPRECATED option server.config - Use configs.cm +{{- end }} +{{- if or .Values.server.rbacConfig (hasKey .Values.server "rbacConfigCreate") .Values.server.rbacConfigAnnotations }} +DEPRECATED option server.rbacConfig - Use configs.rbac +{{- end }} +{{- if .Values.configs.secret.argocdServerTlsConfig }} +DEPRECATED option config.secret.argocdServerTlsConfig - Use server.certificate or server.certificateSecret +{{- end }} +{{- if .Values.configs.gpgKeys }} +DEPRECATED option configs.gpgKeys - Use config.gpg.keys +{{- end }} +{{- if .Values.configs.gpgKeysAnnotations }} +DEPRECATED option configs.gpgKeysAnnotations - Use config.gpg.annotations +{{- end }} +{{- if .Values.controller.service }} +REMOVED option controller.service - Use controller.metrics +{{- end }} +{{- if .Values.repoServer.copyutil }} +REMOVED option repoSever.copyutil.resources - Use repoServer.resources +{{- end }} +{{- if .Values.applicationSet.args.debug }} +REMOVED option applicationSet.args.debug - Use applicationSet.logLevel: debug +{{- end }} +{{- if .Values.applicationSet.args.enableLeaderElection }} +REMOVED option applicationSet.args.enableLeaderElection - Value determined based on replicas +{{- end }} + In order to access the server UI you have the following options: -1. kubectl port-forward service/{{include "argo-cd.fullname" . }}-server -n {{ .Release.Namespace }} 8080:443 +1. kubectl port-forward service/{{ include "argo-cd.fullname" . }}-server -n {{ .Release.Namespace }} 8080:443 and then open the browser on http://localhost:8080 and accept the certificate 2. 
enable ingress in the values file `server.ingress.enabled` and either - - Add the annotation for ssl passthrough: https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/ingress.md#option-1-ssl-passthrough - - Add the `--insecure` flag to `server.extraArgs` in the values file and terminate SSL at your ingress: https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/ingress.md#option-2-multiple-ingress-objects-and-hosts + - Add the annotation for ssl passthrough: https://argo-cd.readthedocs.io/en/stable/operator-manual/ingress/#option-1-ssl-passthrough + - Set the `configs.params."server.insecure"` in the values file and terminate SSL at your ingress: https://argo-cd.readthedocs.io/en/stable/operator-manual/ingress/#option-2-multiple-ingress-objects-and-hosts -{{ if eq (index .Values.server.config "admin.enabled") "true" -}} +{{ if eq (toString (index (coalesce .Values.server.config .Values.configs.cm) "admin.enabled")) "true" -}} After reaching the UI the first time you can login with username: admin and the random password generated during the installation. You can find the password by running: kubectl -n {{ .Release.Namespace }} get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d -(You should delete the initial secret afterwards as suggested by the Getting Started Guide: https://github.com/argoproj/argo-cd/blob/master/docs/getting_started.md#4-login-using-the-cli) -{{ else if or (index .Values.server.config "dex.config") (index .Values.server.config "oidc.config") -}} +(You should delete the initial secret afterwards as suggested by the Getting Started Guide: https://argo-cd.readthedocs.io/en/stable/getting_started/#4-login-using-the-cli) +{{ else if or (index .Values.configs.cm "dex.config") (index .Values.configs.cm "oidc.config") -}} After reaching the UI the first time you can login using Dex or OIDC. 
{{ else -}} -After reaching the UI the first time you cannot login with username and password since you've disabled it. You should enable admin back or configure Dex via `server.config.dex.config` or OIDC via `server.config.oidc.config`. +After reaching the UI the first time you cannot login with username and password since you've disabled it. You should enable admin back or configure Dex via `configs.cm.dex.config` or OIDC via `configs.cm.oidc.config`. {{ end -}} diff --git a/charts/argo-cd/templates/_common.tpl b/charts/argo-cd/templates/_common.tpl new file mode 100644 index 000000000..f5154e47d --- /dev/null +++ b/charts/argo-cd/templates/_common.tpl 
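Review bot: The login guidance at the end of NOTES.txt resolves the config differently from the `argo-cd.config.cm` helper in this commit: the first branch uses `coalesce .Values.server.config .Values.configs.cm`, which takes the whole deprecated map as soon as it is non-empty, and the `else if` reads only `.Values.configs.cm`. A release that still sets `server.config` with `dex.config`, or sets `server.config` without `admin.enabled`, can therefore be shown the wrong branch and miss the reminder to delete `argocd-initial-admin-secret`. Building the merged map once, `{{- $cm := mergeOverwrite (deepCopy .Values.configs.cm) (.Values.server.config | default dict) }}`, and indexing `$cm` in both conditions would keep the notes in line with the rendered ConfigMap. Separately, some deprecation messages name keys that do not match the rest of the change: `config.secret.argocdServerTlsConfig` and `config.gpg.keys` appear to drop the `s` of `configs`, `repoSever.copyutil.resources` is misspelled, and `configs.params.repoServer.log.format` differs from the `reposerver.log.format` key that the params preset emits.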
@@ -0,0 +1,65 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "argo-cd.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "argo-cd.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "argo-cd.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create Argo CD app version
+*/}}
+{{- define "argo-cd.defaultTag" -}}
+{{- default .Chart.AppVersion .Values.global.image.tag }}
+{{- end -}}
+
+{{/*
+Common labels
+*/}}
+{{- define "argo-cd.labels" -}}
+helm.sh/chart: {{ include "argo-cd.chart" .context }}
+{{ include "argo-cd.selectorLabels" (dict "context" .context "component" .component "name" .name) }}
+app.kubernetes.io/managed-by: {{ .context.Release.Service }}
+app.kubernetes.io/part-of: argocd
+{{- with .context.Values.global.additionalLabels }}
+{{ toYaml . }}
+{{- end }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "argo-cd.selectorLabels" -}}
+{{- if .name -}}
+app.kubernetes.io/name: {{ include "argo-cd.name" .context }}-{{ .name }}
+{{ end -}}
+app.kubernetes.io/instance: {{ .context.Release.Name }}
+{{- if .component }}
+app.kubernetes.io/component: {{ .component }}
+{{- end }}
+{{- end }}
diff --git a/charts/argo-cd/templates/_helpers.tpl b/charts/argo-cd/templates/_helpers.tpl index d34dc0bde..bdfa010b7 100644 --- a/charts/argo-cd/templates/_helpers.tpl +++ b/charts/argo-cd/templates/_helpers.tpl @@ -1,29 +1,4 @@ {{/* vim: set filetype=mustache: */}} -{{/* -Expand the name of the chart. -*/}} -{{- define "argo-cd.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -If release name contains chart name it will be used as a full name. -*/}} -{{- define "argo-cd.fullname" -}} -{{- if .Values.fullnameOverride -}} -{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- $name := default .Chart.Name .Values.nameOverride -}} -{{- if contains $name .Release.Name -}} -{{- .Release.Name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} -{{- end -}} - {{/* Create controller name and version as used by the chart label. Truncated at 52 chars because StatefulSet label 'controller-revision-hash' is limited @@ -40,6 +15,17 @@ Create dex name and version as used by the chart label. {{- printf "%s-%s" (include "argo-cd.fullname" .) .Values.dex.name | trunc 63 | trimSuffix "-" -}} {{- end -}} +{{/* +Create Dex server endpoint +*/}} +{{- define "argo-cd.dex.server" -}} +{{- $insecure := index .Values.configs.params "dexserver.disable.tls" | toString -}} +{{- $scheme := (eq $insecure "true") | ternary "http" "https" -}} +{{- $host := include "argo-cd.dex.fullname" . -}} +{{- $port := int .Values.dex.servicePortHttp -}} +{{- printf "%s://%s:%d" $scheme $host $port }} +{{- end }} + {{/* Create redis name and version as used by the chart label. */}} 
@@ -55,6 +41,18 @@ Create redis name and version as used by the chart label. {{- end -}} {{- end -}} +{{/* +Return Redis server endpoint +*/}} +{{- define "argo-cd.redis.server" -}} +{{- $redisHa := (index .Values "redis-ha") -}} +{{- if or (and .Values.redis.enabled (not $redisHa.enabled)) (and $redisHa.enabled $redisHa.haproxy.enabled) }} + {{- printf "%s:%s" (include "argo-cd.redis.fullname" .) (toString .Values.redis.servicePort) }} +{{- else if and .Values.externalRedis.host .Values.externalRedis.port }} + {{- printf "%s:%s" .Values.externalRedis.host (toString .Values.externalRedis.port) }} +{{- end }} +{{- end -}} + {{/* Create argocd server name and version as used by the chart label. */}} 
@@ -171,116 +169,52 @@ Create the name of the notifications bots slack service account to use {{- end -}} {{- end -}} -{{/* -Create chart name and version as used by the chart label. -*/}} -{{- define "argo-cd.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Common labels -*/}} -{{- define "argo-cd.labels" -}} -helm.sh/chart: {{ include "argo-cd.chart" .context }} -{{ include "argo-cd.selectorLabels" (dict "context" .context "component" .component "name" .name) }} -app.kubernetes.io/managed-by: {{ .context.Release.Service }} -app.kubernetes.io/part-of: argocd -{{- with .context.Values.global.additionalLabels }} -{{ toYaml . }} -{{- end }} -{{- end }} - -{{/* -Selector labels -*/}} -{{- define "argo-cd.selectorLabels" -}} -{{- if .name -}} -app.kubernetes.io/name: {{ include "argo-cd.name" .context }}-{{ .name }} -{{ end -}} -app.kubernetes.io/instance: {{ .context.Release.Name }} -{{- if .component }} -app.kubernetes.io/component: {{ .component }} -{{- end }} -{{- end }} - -{{/* -Return the appropriate apiVersion for ingress -*/}} -{{- define "argo-cd.ingress.apiVersion" -}} -{{- if .Values.apiVersionOverrides.ingress -}} -{{- print .Values.apiVersionOverrides.ingress -}} -{{- else if semverCompare "<1.14-0" (include "argo-cd.kubeVersion" $) -}} -{{- print "extensions/v1beta1" -}} -{{- else if semverCompare "<1.19-0" (include "argo-cd.kubeVersion" $) -}} -{{- print "networking.k8s.io/v1beta1" -}} -{{- else -}} -{{- print "networking.k8s.io/v1" -}} -{{- end -}} -{{- end -}} - -{{/* -Return the appropriate apiVersion for autoscaling -*/}} -{{- define "argo-cd.autoscaling.apiVersion" -}} -{{- if .Values.apiVersionOverrides.autoscaling -}} -{{- print .Values.apiVersionOverrides.autoscaling -}} -{{- else if semverCompare "<1.23-0" (include "argo-cd.kubeVersion" $) -}} -{{- print "autoscaling/v2beta1" -}} -{{- else -}} -{{- print "autoscaling/v2" -}} -{{- end -}} -{{- end -}} - -{{/* -Return 
the target Kubernetes version -*/}} -{{- define "argo-cd.kubeVersion" -}} - {{- default .Capabilities.KubeVersion.Version .Values.kubeVersionOverride }} -{{- end -}} - {{/* Argo Configuration Preset Values (Incluenced by Values configuration) */}} -{{- define "argo-cd.config.presets" -}} - {{- if .Values.configs.styles }} +{{- define "argo-cd.config.cm.presets" -}} +{{- if .Values.configs.styles -}} ui.cssurl: "./custom/custom.styles.css" - {{- end }} +{{- end -}} {{- end -}} {{/* Merge Argo Configuration with Preset Configuration */}} -{{- define "argo-cd.config" -}} - {{- if .Values.server.configEnabled -}} -{{- toYaml (mergeOverwrite (default dict (fromYaml (include "argo-cd.config.presets" $))) .Values.server.config) }} - {{- end -}} +{{- define "argo-cd.config.cm" -}} +{{- $config := (mergeOverwrite (deepCopy (omit .Values.configs.cm "create" "annotations")) (.Values.server.config | default dict)) -}} +{{- $preset := include "argo-cd.config.cm.presets" . | fromYaml | default dict -}} +{{- range $key, $value := mergeOverwrite $preset $config }} +{{ $key }}: {{ toString $value | toYaml }} +{{- end }} {{- end -}} {{/* -Return the default Argo CD app version +Argo Params Default Configuration Presets */}} -{{- define "argo-cd.defaultTag" -}} - {{- default .Chart.AppVersion .Values.global.image.tag }} -{{- end -}} - -{{- define "argo-cd.redisPasswordEnv" -}} -{{- if or .Values.externalRedis.password .Values.externalRedis.existingSecret -}} -- name: REDIS_PASSWORD - valueFrom: - secretKeyRef: - name: {{ default (include "argo-cd.redis.fullname" .) .Values.externalRedis.existingSecret }} - key: redis-password -{{- end -}} +{{- define "argo-cd.config.params.presets" -}} +repo.server: "{{ include "argo-cd.repoServer.fullname" . }}:{{ .Values.repoServer.service.port }}" +server.repo.server.strict.tls: {{ .Values.repoServer.certificateSecret.enabled | toString }} +{{- with include "argo-cd.redis.server" . }} +redis.server: {{ . 
| quote }} +{{- end }} +{{- if .Values.dex.enabled }} +server.dex.server: {{ include "argo-cd.dex.server" . | quote }} +server.dex.server.strict.tls: {{ .Values.dex.certificateSecret.enabled | toString }} +{{- end }} +{{- range $component := tuple "controller" "server" "reposerver" }} +{{ $component }}.log.format: {{ $.Values.global.logging.format | quote }} +{{ $component }}.log.level: {{ $.Values.global.logging.level | quote }} +{{- end }} {{- end -}} {{/* -Return the appropriate apiVersion for pod disruption budget +Merge Argo Params Configuration with Preset Configuration */}} -{{- define "argo-cd.podDisruptionBudget.apiVersion" -}} -{{- if semverCompare "<1.21-0" (include "argo-cd.kubeVersion" $) -}} -{{- print "policy/v1beta1" -}} -{{- else -}} -{{- print "policy/v1" -}} -{{- end -}} +{{- define "argo-cd.config.params" -}} +{{- $config := omit .Values.configs.params "annotations" }} +{{- $preset := include "argo-cd.config.params.presets" . | fromYaml | default dict -}} +{{- range $key, $value := mergeOverwrite $preset $config }} +{{ $key }}: {{ toString $value | toYaml }} +{{- end }} {{- end -}} diff --git a/charts/argo-cd/templates/_versions.tpl b/charts/argo-cd/templates/_versions.tpl new file mode 100644 index 000000000..2f2c61f9f --- /dev/null +++ b/charts/argo-cd/templates/_versions.tpl 
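Review bot: The `argo-cd.config.params.presets` helper ties certificate verification to chart-managed certificates without saying so: `server.repo.server.strict.tls` and `server.dex.server.strict.tls` are rendered from `repoServer.certificateSecret.enabled` and `dex.certificateSecret.enabled`, so whenever those values are false the preset writes `false` and the API server presumably connects to the repo server and Dex without validating their certificates. An operator who provisions certificates another way has to set both keys under `configs.params`, which `mergeOverwrite $preset $config` in `argo-cd.config.params` does allow. I would state that in the helper's comment, for example `Strict TLS follows <component>.certificateSecret.enabled; set the strict.tls keys in configs.params when certificates are provisioned outside the chart.` The related `argo-cd.dex.server` helper switches the scheme to `http` on `dexserver.disable.tls`, and the same comment could mention that the two settings should be reviewed together.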
@@ -0,0 +1,80 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Return the target Kubernetes version +*/}} +{{- define "argo-cd.kubeVersion" -}} +{{- default .Capabilities.KubeVersion.Version .Values.kubeVersionOverride }} +{{- end }} + +{{/* +Return the appropriate apiVersion for autoscaling +*/}} +{{- define "argo-cd.apiVersion.autoscaling" -}} +{{- if .Values.apiVersionOverrides.autoscaling -}} +{{- print .Values.apiVersionOverrides.autoscaling -}} +{{- else if semverCompare "<1.23-0" (include "argo-cd.kubeVersion" .) -}} +{{- print "autoscaling/v2beta1" -}} +{{- else -}} +{{- print "autoscaling/v2" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for ingress +*/}} +{{- define "argo-cd.apiVersion.ingress" -}} +{{- if .Values.apiVersionOverrides.ingress -}} +{{- print .Values.apiVersionOverrides.ingress -}} +{{- else if semverCompare "<1.14-0" (include "argo-cd.kubeVersion" .) -}} +{{- print "extensions/v1beta1" -}} +{{- else if semverCompare "<1.19-0" (include "argo-cd.kubeVersion" .) -}} +{{- print "networking.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "networking.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for pod disruption budget +*/}} +{{- define "argo-cd.apiVersion.pdb" -}} +{{- if .Values.apiVersionOverrides.pdb -}} +{{- print .Values.apiVersionOverrides.pdb -}} +{{- else if semverCompare "<1.21-0" (include "argo-cd.kubeVersion" .) 
-}} +{{- print "policy/v1beta1" -}} +{{- else -}} +{{- print "policy/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for cert-manager +*/}} +{{- define "argo-cd.apiVersion.cert-manager" -}} +{{- if .Values.apiVersionOverrides.certmanager -}} +{{- print .Values.apiVersionOverrides.certmanager -}} +{{- else if .Capabilities.APIVersions.Has "cert-manager.io/v1" -}} +{{- print "cert-manager.io/v1" -}} +{{- else if .Capabilities.APIVersions.Has "cert-manager.io/v1beta1" -}} +{{- print "cert-manager.io/v1beta1" -}} +{{- else if .Capabilities.APIVersions.Has "cert-manager.io/v1alpha3" -}} +{{- print "cert-manager.io/v1alpha3" -}} +{{- else if .Capabilities.APIVersions.Has "cert-manager.io/v1alpha2" -}} +{{- print "cert-manager.io/v1alpha2" -}} +{{- else -}} +{{- print "certmanager.k8s.io/v1alpha1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for GKE resources +*/}} +{{- define "argo-cd.apiVersions.cloudgoogle" -}} +{{- if .Values.apiVersionOverrides.cloudgoogle -}} +{{- print .Values.apiVersionOverrides.cloudgoogle -}} +{{- else if .Capabilities.APIVersions.Has "cloud.google.com/v1" -}} +{{- print "cloud.google.com/v1" -}} +{{- else -}} +{{- print "cloud.google.com/v1beta1" -}} +{{- end -}} +{{- end -}} diff --git a/charts/argo-cd/templates/aggregate-roles.yaml b/charts/argo-cd/templates/aggregate-roles.yaml index 12d0e006e..b38939224 100644 --- a/charts/argo-cd/templates/aggregate-roles.yaml +++ b/charts/argo-cd/templates/aggregate-roles.yaml @@ -11,7 +11,12 @@ rules: - argoproj.io resources: - applications + {{- if .Values.applicationSet.enabled }} - applicationsets + {{- end }} + {{- if .Values.server.extensions.enabled }} + - argocdextensions + {{- end }} - appprojects verbs: - get 
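Review bot: In `argo-cd.apiVersion.cert-manager` the final `else` falls back to `certmanager.k8s.io/v1alpha1`, and every earlier branch depends on `.Capabilities.APIVersions.Has`. When the chart is rendered without cluster capabilities (for example `helm template` with no `--api-versions`), none of the `cert-manager.io/*` checks can match, so the output would presumably use the oldest API group unless `apiVersionOverrides.certmanager` is set. A short comment on the helper, such as `Rendering without cluster capabilities requires apiVersionOverrides.certmanager`, would make that failure easier to diagnose. The last helper is also named `argo-cd.apiVersions.cloudgoogle` while the others in this file use `argo-cd.apiVersion.<kind>`; renaming it to `argo-cd.apiVersion.cloudgoogle`, together with its callers, would keep the set consistent.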
@@ -31,7 +36,12 @@ rules: - argoproj.io resources: - applications + {{- if .Values.applicationSet.enabled }} - applicationsets + {{- end }} + {{- if .Values.server.extensions.enabled }} + - argocdextensions + {{- end }} - appprojects verbs: - create @@ -56,7 +66,12 @@ rules: - argoproj.io resources: - applications + {{- if .Values.applicationSet.enabled }} - applicationsets + {{- end }} + {{- if .Values.server.extensions.enabled }} + - argocdextensions + {{- end }} - appprojects verbs: - create diff --git a/charts/argo-cd/templates/argocd-application-controller/metrics-service.yaml b/charts/argo-cd/templates/argocd-application-controller/metrics.yaml similarity index 55% rename from charts/argo-cd/templates/argocd-application-controller/metrics-service.yaml rename to charts/argo-cd/templates/argocd-application-controller/metrics.yaml index 44e8eff3c..88827a850 100644 --- a/charts/argo-cd/templates/argocd-application-controller/metrics-service.yaml +++ b/charts/argo-cd/templates/argocd-application-controller/metrics.yaml 
@@ -1,25 +1,25 @@ -{{- if .Values.controller.metrics.enabled}} +{{- if .Values.controller.metrics.enabled }} apiVersion: v1 kind: Service metadata: -{{- if .Values.controller.metrics.service.annotations }} + name: {{ include "argo-cd.controller.fullname" . }}-metrics + labels: + {{- include "argo-cd.labels" (dict "context" . "component" .Values.controller.name "name" "metrics") | nindent 4 }} + {{- with .Values.controller.metrics.service.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.controller.metrics.service.annotations }} annotations: - {{- range $key, $value := .Values.controller.metrics.service.annotations }} + {{- range $key, $value := . }} {{ $key }}: {{ $value | quote }} + {{- end }} {{- end }} -{{- end }} - labels: - {{- include "argo-cd.labels" (dict "context" . "component" .Values.controller.name "name" "metrics") | nindent 4 }} -{{- if .Values.controller.metrics.service.labels }} -{{- toYaml .Values.controller.metrics.service.labels | nindent 4 }} -{{- end }} - name: {{ template "argo-cd.controller.fullname" . }}-metrics spec: ports: - name: {{ .Values.controller.metrics.service.portName }} protocol: TCP port: {{ .Values.controller.metrics.service.servicePort }} - targetPort: controller + targetPort: metrics selector: {{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.controller.name) | nindent 4 }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/charts/argo-cd/templates/argocd-application-controller/networkpolicy.yaml b/charts/argo-cd/templates/argocd-application-controller/networkpolicy.yaml index 9116fbcf7..bbb6b324b 100644 --- a/charts/argo-cd/templates/argocd-application-controller/networkpolicy.yaml +++ b/charts/argo-cd/templates/argocd-application-controller/networkpolicy.yaml 
@@ -10,7 +10,7 @@ spec: - from: - namespaceSelector: {} ports: - - port: controller + - port: metrics podSelector: matchLabels: {{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.controller.name) | nindent 6 }} diff --git a/charts/argo-cd/templates/argocd-application-controller/pdb.yaml b/charts/argo-cd/templates/argocd-application-controller/pdb.yaml new file mode 100644 index 000000000..8f2531ff3 --- /dev/null +++ b/charts/argo-cd/templates/argocd-application-controller/pdb.yaml @@ -0,0 +1,26 @@ +{{- if .Values.controller.pdb.enabled }} +apiVersion: {{ include "argo-cd.apiVersion.pdb" . }} +kind: PodDisruptionBudget +metadata: + name: {{ include "argo-cd.controller.fullname" . }} + labels: + {{- include "argo-cd.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }} + {{- with .Values.controller.pdb.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.controller.pdb.annotations }} + annotations: + {{- range $key, $value := . }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- end }} +spec: + {{- with .Values.controller.pdb.maxUnavailable }} + maxUnavailable: {{ . }} + {{- else }} + minAvailable: {{ .Values.controller.pdb.minAvailable | default 0 }} + {{- end }} + selector: + matchLabels: + {{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.controller.name) | nindent 6 }} +{{- end }} diff --git a/charts/argo-cd/templates/argocd-application-controller/poddisruptionbudget.yaml b/charts/argo-cd/templates/argocd-application-controller/poddisruptionbudget.yaml deleted file mode 100644 index 536294f1a..000000000 --- a/charts/argo-cd/templates/argocd-application-controller/poddisruptionbudget.yaml +++ /dev/null 
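Review bot: In the new pdb.yaml, `{{- with .Values.controller.pdb.maxUnavailable }}` treats a numeric `0` as empty, so `maxUnavailable: 0` falls through to the `else` branch and renders `minAvailable: 0`, which allows every controller pod to be evicted instead of none. Checking for the zero case explicitly avoids that, e.g. `{{- if or .Values.controller.pdb.maxUnavailable (eq (toString .Values.controller.pdb.maxUnavailable) "0") }}` followed by `maxUnavailable: {{ .Values.controller.pdb.maxUnavailable }}`. The precedence also changed: the deleted poddisruptionbudget.yaml preferred `minAvailable` when both values were set, while this template prefers `maxUnavailable`, which is worth a line in the changelog if it is intended.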
@@ -1,26 +0,0 @@ -{{- if .Values.controller.pdb.enabled }} -apiVersion: {{ include "argo-cd.podDisruptionBudget.apiVersion" . }} -kind: PodDisruptionBudget -metadata: - name: {{ template "argo-cd.controller.fullname" . }} - labels: - {{- include "argo-cd.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }} - {{- with .Values.controller.pdb.labels }} - {{- toYaml . | nindent 4 }} - {{- end }} - {{- with .Values.controller.pdb.annotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - {{- if .Values.controller.pdb.minAvailable }} - minAvailable: {{ .Values.controller.pdb.minAvailable }} - {{- else if .Values.controller.pdb.maxUnavailable }} - maxUnavailable: {{ .Values.controller.pdb.maxUnavailable }} - {{- else }} - minAvailable: 0 - {{- end }} - selector: - matchLabels: - {{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.controller.name) | nindent 6 }} -{{- end }} diff --git a/charts/argo-cd/templates/argocd-application-controller/prometheusrule.yaml b/charts/argo-cd/templates/argocd-application-controller/prometheusrule.yaml index 485ed1aa1..c44a63f5a 100644 --- a/charts/argo-cd/templates/argocd-application-controller/prometheusrule.yaml +++ b/charts/argo-cd/templates/argocd-application-controller/prometheusrule.yaml @@ -14,6 +14,10 @@ metadata: {{- if .Values.controller.metrics.rules.additionalLabels }} {{- toYaml .Values.controller.metrics.rules.additionalLabels | nindent 4 }} {{- end }} + {{- with .Values.controller.metrics.rules.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} spec: groups: - name: argocd diff --git a/charts/argo-cd/templates/argocd-application-controller/service.yaml b/charts/argo-cd/templates/argocd-application-controller/service.yaml deleted file mode 100644 index db5631354..000000000 --- a/charts/argo-cd/templates/argocd-application-controller/service.yaml +++ /dev/null 
@@ -1,19 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: -{{- if .Values.controller.service.annotations }} - annotations: - {{- range $key, $value := .Values.controller.service.annotations }} - {{ $key }}: {{ $value | quote }} - {{- end }} -{{- end }} - name: {{ template "argo-cd.controller.fullname" . }} - labels: - {{- include "argo-cd.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }} -spec: - ports: - - name: {{ .Values.controller.service.portName }} - port: {{ .Values.controller.service.port }} - targetPort: {{ .Values.controller.containerPort }} - selector: - {{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.controller.name) | nindent 4 }} \ No newline at end of file diff --git a/charts/argo-cd/templates/argocd-application-controller/serviceaccount.yaml b/charts/argo-cd/templates/argocd-application-controller/serviceaccount.yaml index 4703236cb..96d786cd7 100644 --- a/charts/argo-cd/templates/argocd-application-controller/serviceaccount.yaml +++ b/charts/argo-cd/templates/argocd-application-controller/serviceaccount.yaml @@ -12,4 +12,7 @@ metadata: {{- end }} labels: {{- include "argo-cd.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }} + {{- range $key, $value := .Values.controller.serviceAccount.labels }} + {{ $key }}: {{ $value | quote }} + {{- end }} {{- end }} diff --git a/charts/argo-cd/templates/argocd-application-controller/servicemonitor.yaml b/charts/argo-cd/templates/argocd-application-controller/servicemonitor.yaml index 28b230db9..3c8b0ca47 100644 --- a/charts/argo-cd/templates/argocd-application-controller/servicemonitor.yaml +++ b/charts/argo-cd/templates/argocd-application-controller/servicemonitor.yaml 
@@ -14,6 +14,10 @@ metadata: {{- with .Values.controller.metrics.serviceMonitor.additionalLabels }} {{- toYaml . | nindent 4 }} {{- end }} + {{- with .Values.controller.metrics.serviceMonitor.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} spec: endpoints: - port: {{ .Values.controller.metrics.service.portName }} diff --git a/charts/argo-cd/templates/argocd-application-controller/statefulset.yaml b/charts/argo-cd/templates/argocd-application-controller/statefulset.yaml old mode 100755 new mode 100644 index bde0bfede..66486b535 --- a/charts/argo-cd/templates/argocd-application-controller/statefulset.yaml +++ b/charts/argo-cd/templates/argocd-application-controller/statefulset.yaml 
@@ -1,25 +1,32 @@ -{{- $redisHa := (index .Values "redis-ha") -}} apiVersion: apps/v1 kind: StatefulSet metadata: + {{- with (mergeOverwrite (deepCopy .Values.global.statefulsetAnnotations) .Values.controller.statefulsetAnnotations) }} + annotations: + {{- range $key, $value := . }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- end }} name: {{ template "argo-cd.controller.fullname" . }} labels: {{- include "argo-cd.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }} spec: + replicas: {{ .Values.controller.replicas }} + # TODO: Remove for breaking release as history limit cannot be patched + revisionHistoryLimit: 5 + serviceName: {{ include "argo-cd.controller.fullname" . }} selector: matchLabels: {{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.controller.name) | nindent 6 }} - serviceName: {{ template "argo-cd.controller.fullname" . }} - revisionHistoryLimit: 5 - replicas: {{ .Values.controller.replicas }} template: metadata: - {{- with (mergeOverwrite (deepCopy .Values.global.podAnnotations) .Values.controller.podAnnotations) }} annotations: + checksum/cmd-params: {{ include (print $.Template.BasePath "/argocd-configs/argocd-cmd-params-cm.yaml") . | sha256sum }} + {{- with (mergeOverwrite (deepCopy .Values.global.podAnnotations) .Values.controller.podAnnotations) }} {{- range $key, $value := . }} {{ $key }}: {{ $value | quote }} {{- end }} - {{- end }} + {{- end }} labels: {{- include "argo-cd.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 8 }} {{- with (mergeOverwrite (deepCopy .Values.global.podLabels) .Values.controller.podLabels) }} 
@@ -30,96 +37,225 @@ spec: imagePullSecrets: {{- toYaml . | nindent 8 }} {{- end }} - {{- if .Values.global.securityContext }} - securityContext: {{- toYaml .Values.global.securityContext | nindent 8 }} + {{- with .Values.global.securityContext }} + securityContext: + {{- toYaml . | nindent 8 }} {{- end }} containers: - command: - argocd-application-controller + {{- with .Values.controller.args.statusProcessors }} - --status-processors - - {{ .Values.controller.args.statusProcessors | quote }} + - {{ . | quote }} + {{- end }} + {{- with .Values.controller.args.operationProcessors }} - --operation-processors - - {{ .Values.controller.args.operationProcessors | quote }} + - {{ . | quote }} + {{- end }} + {{- with .Values.controller.args.appResyncPeriod }} - --app-resync - - {{ .Values.controller.args.appResyncPeriod | quote }} + - {{ . | quote }} + {{- end }} + {{- with .Values.controller.args.appHardResyncPeriod }} - --app-hard-resync - - {{ .Values.controller.args.appHardResyncPeriod | quote }} + - {{ . | quote }} + {{- end }} + {{- with .Values.controller.args.selfHealTimeout }} - --self-heal-timeout-seconds - - {{ .Values.controller.args.selfHealTimeout | quote }} - - --repo-server - - {{ template "argo-cd.repoServer.fullname" . }}:{{ .Values.repoServer.service.port }} + - {{ . | quote }} + {{- end }} + {{- with .Values.controller.args.repoServerTimeoutSeconds }} - --repo-server-timeout-seconds - - {{ .Values.controller.args.repoServerTimeoutSeconds | quote }} + - {{ . | quote }} + {{- end }} + {{- with .Values.controller.logFormat }} - --logformat - - {{ default .Values.global.logging.format .Values.controller.logFormat }} + - {{ . | quote }} + {{- end }} + {{- with .Values.controller.logLevel }} - --loglevel - - {{ default .Values.global.logging.level .Values.controller.logLevel }} + - {{ . 
| quote }} + {{- end }} {{- if .Values.controller.metrics.applicationLabels.enabled }} {{- range .Values.controller.metrics.applicationLabels.labels }} - --metrics-application-labels - {{ . }} {{- end }} {{- end }} - {{- if or (and .Values.redis.enabled (not $redisHa.enabled)) (and $redisHa.enabled $redisHa.haproxy.enabled) }} - - --redis - - {{ template "argo-cd.redis.fullname" . }}:{{ .Values.redis.servicePort }} - {{- else if and .Values.externalRedis.host .Values.externalRedis.port }} - - --redis - - {{ .Values.externalRedis.host }}:{{ .Values.externalRedis.port }} - {{- end }} {{- with .Values.controller.extraArgs }} {{- toYaml . | nindent 8 }} {{- end }} image: {{ default .Values.global.image.repository .Values.controller.image.repository }}:{{ default (include "argo-cd.defaultTag" .) .Values.controller.image.tag }} imagePullPolicy: {{ default .Values.global.image.imagePullPolicy .Values.controller.image.imagePullPolicy }} name: {{ .Values.controller.name }} - {{- with .Values.controller.containerSecurityContext }} - securityContext: - {{- toYaml . | nindent 10 }} - {{- end }} env: {{- with .Values.controller.env }} {{- toYaml . | nindent 10 }} {{- end }} - name: ARGOCD_CONTROLLER_REPLICAS value: {{ .Values.controller.replicas | quote }} - {{- include "argo-cd.redisPasswordEnv" . 
| nindent 10 }} + - name: ARGOCD_RECONCILIATION_TIMEOUT + valueFrom: + configMapKeyRef: + name: argocd-cm + key: timeout.reconciliation + optional: true + - name: ARGOCD_HARD_RECONCILIATION_TIMEOUT + valueFrom: + configMapKeyRef: + name: argocd-cm + key: timeout.hard.reconciliation + optional: true + - name: ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: repo.server + optional: true + - name: ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER_TIMEOUT_SECONDS + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: controller.repo.server.timeout.seconds + optional: true + - name: ARGOCD_APPLICATION_CONTROLLER_STATUS_PROCESSORS + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: controller.status.processors + optional: true + - name: ARGOCD_APPLICATION_CONTROLLER_OPERATION_PROCESSORS + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: controller.operation.processors + optional: true + - name: ARGOCD_APPLICATION_CONTROLLER_LOGFORMAT + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: controller.log.format + optional: true + - name: ARGOCD_APPLICATION_CONTROLLER_LOGLEVEL + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: controller.log.level + optional: true + - name: ARGOCD_APPLICATION_CONTROLLER_METRICS_CACHE_EXPIRATION + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: controller.metrics.cache.expiration + optional: true + - name: ARGOCD_APPLICATION_CONTROLLER_SELF_HEAL_TIMEOUT_SECONDS + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: controller.self.heal.timeout.seconds + optional: true + - name: ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER_PLAINTEXT + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: controller.repo.server.plaintext + optional: true + - name: ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER_STRICT_TLS + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: 
controller.repo.server.strict.tls + optional: true + - name: ARGOCD_APPLICATION_CONTROLLER_PERSIST_RESOURCE_HEALTH + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: controller.resource.health.persist + optional: true + - name: ARGOCD_APP_STATE_CACHE_EXPIRATION + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: controller.app.state.cache.expiration + optional: true + - name: REDIS_SERVER + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: redis.server + optional: true + - name: REDIS_COMPRESSION + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: redis.compression + optional: true + - name: REDISDB + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: redis.db + optional: true + - name: REDIS_USERNAME + valueFrom: + secretKeyRef: + name: {{ default (include "argo-cd.redis.fullname" .) .Values.externalRedis.existingSecret }} + key: redis-username + optional: true + - name: REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: {{ default (include "argo-cd.redis.fullname" .) .Values.externalRedis.existingSecret }} + key: redis-password + optional: true + - name: ARGOCD_DEFAULT_CACHE_EXPIRATION + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: controller.default.cache.expiration + optional: true + - name: ARGOCD_APPLICATION_CONTROLLER_OTLP_ADDRESS + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: otlp.address + optional: true + - name: ARGOCD_APPLICATION_NAMESPACES + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: application.namespaces + optional: true {{- with .Values.controller.envFrom }} envFrom: {{- toYaml . 
| nindent 10 }} {{- end }} ports: - - name: controller + - name: metrics containerPort: {{ .Values.controller.containerPort }} protocol: TCP - livenessProbe: + readinessProbe: httpGet: path: /healthz - port: {{ .Values.controller.containerPort }} - initialDelaySeconds: {{ .Values.controller.livenessProbe.initialDelaySeconds }} - periodSeconds: {{ .Values.controller.livenessProbe.periodSeconds }} - timeoutSeconds: {{ .Values.controller.livenessProbe.timeoutSeconds }} - successThreshold: {{ .Values.controller.livenessProbe.successThreshold }} - failureThreshold: {{ .Values.controller.livenessProbe.failureThreshold }} - readinessProbe: - tcpSocket: - port: {{ .Values.controller.containerPort }} + port: metrics initialDelaySeconds: {{ .Values.controller.readinessProbe.initialDelaySeconds }} periodSeconds: {{ .Values.controller.readinessProbe.periodSeconds }} timeoutSeconds: {{ .Values.controller.readinessProbe.timeoutSeconds }} successThreshold: {{ .Values.controller.readinessProbe.successThreshold }} failureThreshold: {{ .Values.controller.readinessProbe.failureThreshold }} + resources: + {{- toYaml .Values.controller.resources | nindent 10 }} + securityContext: + {{- toYaml .Values.controller.containerSecurityContext | nindent 10 }} workingDir: /home/argocd volumeMounts: - - name: argocd-home - mountPath: /home/argocd - - mountPath: /app/config/controller/tls - name: argocd-repo-server-tls {{- with .Values.controller.volumeMounts }} - {{- toYaml . | nindent 8 }} + {{- toYaml . | nindent 8 }} {{- end }} - resources: - {{- toYaml .Values.controller.resources | nindent 10 }} + - mountPath: /app/config/controller/tls + name: argocd-repo-server-tls + - mountPath: /home/argocd + name: argocd-home {{- with .Values.controller.extraContainers }} {{- toYaml . | nindent 6 }} {{- end }} 
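Review bot: The `REDIS_USERNAME` and `REDIS_PASSWORD` entries in the controller `env` list set `optional: true` on their `secretKeyRef`, so a mistyped `externalRedis.existingSecret` or a Secret lacking the `redis-password` key does not block pod start. The controller then runs without credentials and the mistake shows up only as Redis errors at runtime, or as an unauthenticated connection if the server permits one. When an external Secret is named explicitly it seems safer to fail early, for example `optional: {{ not .Values.externalRedis.existingSecret }}` on the password entry. If the flag has to stay for the bundled Redis, a comment saying so would help the next reader. The pod spec continues outside this hunk.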
@@ -152,10 +288,15 @@ spec: {{- toYaml . | nindent 6 }} {{- end }} volumes: - - emptyDir: {} - name: argocd-home + {{- with .Values.controller.volumes }} + {{- toYaml . | nindent 6 }} + {{- end }} + - name: argocd-home + emptyDir: {} - name: argocd-repo-server-tls secret: + secretName: argocd-repo-server-tls + optional: true items: - key: tls.crt path: tls.crt @@ -163,11 +304,6 @@ spec: path: tls.key - key: ca.crt path: ca.crt - optional: true - secretName: argocd-repo-server-tls - {{- with .Values.controller.volumes }} - {{- toYaml . | nindent 6 }} - {{- end }} {{- with .Values.controller.initContainers }} initContainers: {{- toYaml . | nindent 6 }} diff --git a/charts/argo-cd/templates/argocd-applicationset/deployment.yaml b/charts/argo-cd/templates/argocd-applicationset/deployment.yaml index 93fa1e34a..6c48fefb4 100644 --- a/charts/argo-cd/templates/argocd-applicationset/deployment.yaml +++ b/charts/argo-cd/templates/argocd-applicationset/deployment.yaml @@ -2,11 +2,18 @@ apiVersion: apps/v1 kind: Deployment metadata: - name: {{ template "argo-cd.applicationSet.fullname" . }} + {{- with (mergeOverwrite (deepCopy .Values.global.deploymentAnnotations) .Values.applicationSet.deploymentAnnotations) }} + annotations: + {{- range $key, $value := . }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- end }} + name: {{ include "argo-cd.applicationSet.fullname" . }} labels: {{- include "argo-cd.labels" (dict "context" . "component" .Values.applicationSet.name "name" .Values.applicationSet.name) | nindent 4 }} spec: replicas: {{ .Values.applicationSet.replicaCount }} + revisionHistoryLimit: {{ .Values.global.revisionHistoryLimit }} selector: matchLabels: {{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.applicationSet.name) | nindent 6 }} 
@@ -28,93 +35,94 @@ spec: imagePullSecrets: {{- toYaml . | nindent 8 }} {{- end }} - serviceAccountName: {{ include "argo-cd.applicationSetServiceAccountName" . }} + {{- with .Values.global.securityContext }} securityContext: - {{- toYaml (mergeOverwrite (deepCopy .Values.global.securityContext) .Values.applicationSet.podSecurityContext) | nindent 8 }} + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "argo-cd.applicationSetServiceAccountName" . }} containers: - name: {{ .Values.applicationSet.name }} - securityContext: - {{- toYaml .Values.applicationSet.securityContext | nindent 12 }} + image: {{ default .Values.global.image.repository .Values.applicationSet.image.repository }}:{{ default (include "argo-cd.defaultTag" .) .Values.applicationSet.image.tag }} + imagePullPolicy: {{ default .Values.global.image.imagePullPolicy .Values.applicationSet.image.imagePullPolicy }} command: - entrypoint.sh - argocd-applicationset-controller - - --logformat - - {{ default .Values.global.logging.format .Values.applicationSet.logFormat }} - - --loglevel - - {{ default .Values.global.logging.level .Values.applicationSet.logLevel }} + - --argocd-repo-server={{ template "argo-cd.repoServer.fullname" . }}:{{ .Values.repoServer.service.port }} + - --enable-leader-election={{ gt ( .Values.applicationSet.replicaCount | int64) 1 }} - --metrics-addr={{ .Values.applicationSet.args.metricsAddr }} - --probe-addr={{ .Values.applicationSet.args.probeBindAddr }} - {{- if or (gt ( .Values.applicationSet.replicaCount | int64) 1) .Values.applicationSet.args.enableLeaderElection }} - - --enable-leader-election=true - {{- end }} - - --namespace={{ .Release.Namespace }} - - --argocd-repo-server={{ template "argo-cd.repoServer.fullname" . 
}}:{{ .Values.repoServer.service.port }} - --policy={{ .Values.applicationSet.args.policy }} - - --debug={{ .Values.applicationSet.args.debug }} - --dry-run={{ .Values.applicationSet.args.dryRun }} + - --logformat + - {{ default .Values.global.logging.format .Values.applicationSet.logFormat }} + - --loglevel + - {{ default .Values.global.logging.level .Values.applicationSet.logLevel }} {{- with .Values.applicationSet.extraArgs }} {{- toYaml . | nindent 12 }} {{- end }} - image: {{ default .Values.global.image.repository .Values.applicationSet.image.repository }}:{{ default (include "argo-cd.defaultTag" .) .Values.applicationSet.image.tag }} - imagePullPolicy: {{ default .Values.global.image.imagePullPolicy .Values.applicationSet.image.imagePullPolicy }} + env: + {{- with .Values.applicationSet.extraEnv }} + {{- toYaml . | nindent 12 }} + {{- end }} + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + {{- with .Values.applicationSet.extraEnvFrom }} + envFrom: + {{- toYaml . | nindent 12 }} + {{- end }} ports: - - name: http - containerPort: {{ (split ":" .Values.applicationSet.args.probeBindAddr)._1 }} - protocol: TCP - name: metrics containerPort: {{ (split ":" .Values.applicationSet.args.metricsAddr)._1 }} protocol: TCP + - name: probe + containerPort: {{ (split ":" .Values.applicationSet.args.probeBindAddr)._1 }} + protocol: TCP - name: webhook containerPort: 7000 protocol: TCP - {{- with .Values.applicationSet.extraEnv }} - env: - {{- toYaml . 
| nindent 12 }} + {{- if .Values.applicationSet.livenessProbe.enabled }} + livenessProbe: + tcpSocket: + port: probe + initialDelaySeconds: {{ .Values.applicationSet.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.applicationSet.livenessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.applicationSet.livenessProbe.timeoutSeconds }} + successThreshold: {{ .Values.applicationSet.livenessProbe.successThreshold }} + failureThreshold: {{ .Values.applicationSet.livenessProbe.failureThreshold }} {{- end }} - {{- with .Values.applicationSet.extraEnvFrom }} - envFrom: - {{- toYaml . | nindent 12 }} + {{- if .Values.applicationSet.readinessProbe.enabled }} + readinessProbe: + tcpSocket: + port: probe + initialDelaySeconds: {{ .Values.applicationSet.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.applicationSet.readinessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.applicationSet.readinessProbe.timeoutSeconds }} + successThreshold: {{ .Values.applicationSet.readinessProbe.successThreshold }} + failureThreshold: {{ .Values.applicationSet.readinessProbe.failureThreshold }} {{- end }} resources: {{- toYaml .Values.applicationSet.resources | nindent 12 }} + securityContext: + {{- toYaml .Values.applicationSet.containerSecurityContext | nindent 12 }} volumeMounts: - - mountPath: /tmp - name: tmp-dir - {{- if .Values.configs.knownHosts }} + {{- with .Values.applicationSet.extraVolumeMounts }} + {{- toYaml . | nindent 12 }} + {{- end }} - mountPath: /app/config/ssh name: ssh-known-hosts - {{- end }} - mountPath: /app/config/tls name: tls-certs - mountPath: /app/config/gpg/source name: gpg-keys - mountPath: /app/config/gpg/keys name: gpg-keyring - {{- with .Values.applicationSet.extraVolumeMounts }} - {{- toYaml . | nindent 12 }} - {{- end }} + - mountPath: /tmp + name: tmp {{- with .Values.applicationSet.extraContainers }} {{- toYaml . 
| nindent 8 }} {{- end }} - volumes: - - emptyDir: {} - name: tmp-dir - {{- if .Values.configs.knownHosts }} - - configMap: - name: argocd-ssh-known-hosts-cm - name: ssh-known-hosts - {{- end }} - - configMap: - name: argocd-tls-certs-cm - name: tls-certs - - configMap: - name: argocd-gpg-keys-cm - name: gpg-keys - - emptyDir: {} - name: gpg-keyring - {{- with .Values.applicationSet.extraVolumes }} - {{- toYaml . | nindent 6 }} - {{- end }} {{- with .Values.applicationSet.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} @@ -130,4 +138,21 @@ spec: {{- with .Values.applicationSet.priorityClassName }} priorityClassName: {{ . }} {{- end }} + volumes: + {{- with .Values.applicationSet.extraVolumes }} + {{- toYaml . | nindent 8 }} + {{- end }} + - name: ssh-known-hosts + configMap: + name: argocd-ssh-known-hosts-cm + - name: tls-certs + configMap: + name: argocd-tls-certs-cm + - name: gpg-keys + configMap: + name: argocd-gpg-keys-cm + - name: gpg-keyring + emptyDir: {} + - name: tmp + emptyDir: {} {{- end }} diff --git a/charts/argo-cd/templates/argocd-applicationset/metrics-service.yaml b/charts/argo-cd/templates/argocd-applicationset/metrics.yaml similarity index 65% rename from charts/argo-cd/templates/argocd-applicationset/metrics-service.yaml rename to charts/argo-cd/templates/argocd-applicationset/metrics.yaml index a6ce523fc..7a9397cdc 100644 --- a/charts/argo-cd/templates/argocd-applicationset/metrics-service.yaml +++ b/charts/argo-cd/templates/argocd-applicationset/metrics.yaml 
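Review bot: In the applicationSet Deployment the pod-level `securityContext` now comes from `.Values.global.securityContext` alone and the container-level one from `.Values.applicationSet.containerSecurityContext`; the former keys `applicationSet.podSecurityContext` and `applicationSet.securityContext` are no longer read in this template. An installation that hardened this controller through the old keys would upgrade without error and silently lose those settings, unless a compatibility shim exists elsewhere in the chart. Either keep a fallback, e.g. `{{- toYaml (.Values.applicationSet.containerSecurityContext | default .Values.applicationSet.securityContext) | nindent 12 }}`, or `fail` when the old keys are still set. The Deployment spec continues outside this hunk.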
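Review bot: The `ssh-known-hosts` volume added here, like its mount in the previous hunk, is no longer guarded by `.Values.configs.knownHosts`, so the pod always depends on `argocd-ssh-known-hosts-cm`. A configMap volume is mandatory unless marked optional, which means the pod would stay in ContainerCreating if that ConfigMap is not rendered. Please confirm that the ConfigMap template is unconditional as well, and record the dependency in a comment above the volume, e.g. `# argocd-ssh-known-hosts-cm must always exist; the volume is not optional`.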
@@ -2,18 +2,18 @@ apiVersion: v1 kind: Service metadata: - {{- if .Values.applicationSet.metrics.service.annotations }} + name: {{ include "argo-cd.applicationSet.fullname" . }}-metrics + labels: + {{- include "argo-cd.labels" (dict "context" . "component" .Values.applicationSet.name "name" "metrics") | nindent 4 }} + {{- with .Values.applicationSet.metrics.service.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.applicationSet.metrics.service.annotations }} annotations: - {{- range $key, $value := .Values.applicationSet.metrics.service.annotations }} + {{- range $key, $value := . }} {{ $key }}: {{ $value | quote }} {{- end }} {{- end }} - labels: - {{- include "argo-cd.labels" (dict "context" . "component" .Values.applicationSet.name "name" "metrics") | nindent 4 }} -{{- if .Values.applicationSet.metrics.service.labels }} -{{- toYaml .Values.applicationSet.metrics.service.labels | nindent 4 }} -{{- end }} - name: {{ template "argo-cd.applicationSet.fullname" . }}-metrics spec: ports: - name: {{ .Values.applicationSet.metrics.service.portName }} diff --git a/charts/argo-cd/templates/argocd-applicationset/pdb.yaml b/charts/argo-cd/templates/argocd-applicationset/pdb.yaml new file mode 100644 index 000000000..d101d5768 --- /dev/null +++ b/charts/argo-cd/templates/argocd-applicationset/pdb.yaml 
@@ -0,0 +1,26 @@ +{{- if and .Values.applicationSet.enabled .Values.applicationSet.pdb.enabled }} +apiVersion: {{ include "argo-cd.apiVersion.pdb" . }} +kind: PodDisruptionBudget +metadata: + name: {{ include "argo-cd.applicationSet.fullname" . }} + labels: + {{- include "argo-cd.labels" (dict "context" . "component" .Values.applicationSet.name "name" .Values.applicationSet.name) | nindent 4 }} + {{- with .Values.applicationSet.pdb.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.applicationSet.pdb.annotations }} + annotations: + {{- range $key, $value := . }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- end }} +spec: + {{- with .Values.applicationSet.pdb.maxUnavailable }} + maxUnavailable: {{ . }} + {{- else }} + minAvailable: {{ .Values.applicationSet.pdb.minAvailable | default 0 }} + {{- end }} + selector: + matchLabels: + {{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.applicationSet.name) | nindent 6 }} +{{- end }} diff --git a/charts/argo-cd/templates/argocd-applicationset/role.yaml b/charts/argo-cd/templates/argocd-applicationset/role.yaml index dc83f06a9..a9ec2f92b 100644 --- a/charts/argo-cd/templates/argocd-applicationset/role.yaml +++ b/charts/argo-cd/templates/argocd-applicationset/role.yaml @@ -2,7 +2,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: {{ template "argo-cd.applicationSet.fullname" . }} + name: {{ include "argo-cd.applicationSet.fullname" . }} labels: {{- include "argo-cd.labels" (dict "context" . "component" .Values.applicationSet.name "name" .Values.applicationSet.name) | nindent 4 }} rules: @@ -10,7 +10,6 @@ rules: - argoproj.io resources: - applications - - appprojects - applicationsets - applicationsets/finalizers verbs: 
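Review bot: In pdb.yaml, `{{- with .Values.applicationSet.pdb.maxUnavailable }}` treats `0` as empty, so a user who sets `maxUnavailable: 0` to forbid voluntary evictions falls into the `else` branch and gets `minAvailable: 0`, a budget that allows every pod to be evicted. Test for presence rather than truthiness, e.g. `{{- if not (kindIs "invalid" .Values.applicationSet.pdb.maxUnavailable) }}` with `maxUnavailable: {{ .Values.applicationSet.pdb.maxUnavailable }}`, assuming the default in values.yaml is left unset rather than an empty string. The `minAvailable | default 0` fallback also means that enabling the PDB with no further values protects nothing, which deserves a comment next to the values.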
@@ -29,37 +28,41 @@ rules: - get - patch - update + - apiGroups: + - argoproj.io + resources: + - appprojects + verbs: + - get - apiGroups: - "" resources: - events verbs: - create - - delete - get - list - patch - - update - watch - apiGroups: - "" resources: - - secrets + - configmaps verbs: + - create + - update + - delete - get - list + - patch - watch - apiGroups: - "" resources: - - configmaps + - secrets verbs: - - create - - delete - get - list - - patch - - update - watch - apiGroups: - apps diff --git a/charts/argo-cd/templates/argocd-applicationset/service.yaml b/charts/argo-cd/templates/argocd-applicationset/service.yaml index 4d2fd4eb5..9e0de5339 100644 --- a/charts/argo-cd/templates/argocd-applicationset/service.yaml +++ b/charts/argo-cd/templates/argocd-applicationset/service.yaml @@ -11,6 +11,9 @@ metadata: name: {{ template "argo-cd.applicationSet.fullname" . }} labels: {{- include "argo-cd.labels" (dict "context" . "component" .Values.applicationSet.name "name" .Values.applicationSet.name) | nindent 4 }} +{{- with .Values.applicationSet.service.labels }} +{{- toYaml . | nindent 4 }} +{{- end }} spec: ports: - name: {{ .Values.applicationSet.service.portName }} diff --git a/charts/argo-cd/templates/argocd-applicationset/serviceaccount.yaml b/charts/argo-cd/templates/argocd-applicationset/serviceaccount.yaml index 4fafac8dd..cf5c0ef51 100644 --- a/charts/argo-cd/templates/argocd-applicationset/serviceaccount.yaml +++ b/charts/argo-cd/templates/argocd-applicationset/serviceaccount.yaml @@ -12,4 +12,7 @@ metadata: {{- end }} labels: {{- include "argo-cd.labels" (dict "context" . "component" .Values.applicationSet.name "name" .Values.applicationSet.name) | nindent 4 }} + {{- range $key, $value := .Values.applicationSet.serviceAccount.labels }} + {{ $key }}: {{ $value | quote }} + {{- end }} {{- end }} 
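Review bot: The reordered `configmaps` rule in role.yaml still grants `create`, `update`, `delete` and `patch` without `resourceNames`, and a Role rule written that way covers every ConfigMap in the namespace, which presumably includes `argocd-cm` and `argocd-rbac-cm` rendered by this chart. While the neighbouring rules are being narrowed (appprojects to `get`, events losing `delete` and `update`), it would be worth recording why write access is needed, e.g. `# write verbs are required for <reason>; applies to all ConfigMaps in the namespace`. If only specific objects are written, the update, patch and delete verbs could be scoped with `resourceNames` (`create` cannot be limited that way). The rules list starts and ends outside this hunk.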
diff --git a/charts/argo-cd/templates/argocd-applicationset/servicemonitor.yaml b/charts/argo-cd/templates/argocd-applicationset/servicemonitor.yaml index 10c950dab..b836ccc5b 100644 --- a/charts/argo-cd/templates/argocd-applicationset/servicemonitor.yaml +++ b/charts/argo-cd/templates/argocd-applicationset/servicemonitor.yaml @@ -15,6 +15,10 @@ metadata: {{- with .Values.applicationSet.metrics.serviceMonitor.additionalLabels }} {{- toYaml . | nindent 4 }} {{- end }} + {{- with .Values.applicationSet.metrics.serviceMonitor.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} spec: endpoints: - port: {{ .Values.applicationSet.metrics.service.portName }} diff --git a/charts/argo-cd/templates/argocd-applicationset/webhook-ingress.yaml b/charts/argo-cd/templates/argocd-applicationset/webhook-ingress.yaml index 4d1291ba1..affeec867 100644 --- a/charts/argo-cd/templates/argocd-applicationset/webhook-ingress.yaml +++ b/charts/argo-cd/templates/argocd-applicationset/webhook-ingress.yaml @@ -4,7 +4,7 @@ {{- $paths := .Values.applicationSet.webhook.ingress.paths -}} {{- $extraPaths := .Values.applicationSet.webhook.ingress.extraPaths -}} {{- $pathType := .Values.applicationSet.webhook.ingress.pathType -}} -apiVersion: {{ include "argo-cd.ingress.apiVersion" . }} +apiVersion: {{ include "argo-cd.apiVersion.ingress" . }} kind: Ingress metadata: {{- if .Values.applicationSet.webhook.ingress.annotations }} @@ -20,7 +20,7 @@ metadata: {{- toYaml .Values.applicationSet.webhook.ingress.labels | nindent 4 }} {{- end }} spec: - {{- if eq (include "argo-cd.ingress.apiVersion" $) "networking.k8s.io/v1" }} + {{- if eq (include "argo-cd.apiVersion.ingress" $) "networking.k8s.io/v1" }} {{- with .Values.applicationSet.webhook.ingress.ingressClassName }} ingressClassName: {{ . }} {{- end }} 
@@ -36,11 +36,11 @@ spec: {{- end }} {{- range $p := $paths }} - path: {{ $p }} - {{- if eq (include "argo-cd.ingress.apiVersion" $) "networking.k8s.io/v1" }} + {{- if eq (include "argo-cd.apiVersion.ingress" $) "networking.k8s.io/v1" }} pathType: {{ $pathType }} {{- end }} backend: - {{- if eq (include "argo-cd.ingress.apiVersion" $) "networking.k8s.io/v1" }} + {{- if eq (include "argo-cd.apiVersion.ingress" $) "networking.k8s.io/v1" }} service: name: {{ $serviceName }} port: @@ -63,11 +63,11 @@ spec: {{- end }} {{- range $p := $paths }} - path: {{ $p }} - {{- if eq (include "argo-cd.ingress.apiVersion" $) "networking.k8s.io/v1" }} + {{- if eq (include "argo-cd.apiVersion.ingress" $) "networking.k8s.io/v1" }} pathType: {{ $pathType }} {{- end }} backend: - {{- if eq (include "argo-cd.ingress.apiVersion" $) "networking.k8s.io/v1" }} + {{- if eq (include "argo-cd.apiVersion.ingress" $) "networking.k8s.io/v1" }} service: name: {{ $serviceName }} port: diff --git a/charts/argo-cd/templates/argocd-configs/argocd-cm.yaml b/charts/argo-cd/templates/argocd-configs/argocd-cm.yaml index 0da0c1ed9..a9ff71d9f 100644 --- a/charts/argo-cd/templates/argocd-configs/argocd-cm.yaml +++ b/charts/argo-cd/templates/argocd-configs/argocd-cm.yaml 
@@ -1,15 +1,16 @@ -{{- if .Values.server.configEnabled }} +{{- if (hasKey .Values.server "configEnabled") | ternary .Values.server.configEnabled .Values.configs.cm.create }} apiVersion: v1 kind: ConfigMap metadata: name: argocd-cm labels: {{- include "argo-cd.labels" (dict "context" . "component" .Values.server.name "name" "cm") | nindent 4 }} - {{- if .Values.server.configAnnotations }} + {{- with (mergeOverwrite (deepCopy .Values.configs.cm.annotations) (.Values.server.configAnnotations | default dict)) }} annotations: - {{- range $key, $value := .Values.server.configAnnotations }} + {{- range $key, $value := . }} {{ $key }}: {{ $value | quote }} + {{- end }} {{- end }} - {{- end }} -data: {{- include "argo-cd.config" $ | nindent 4 }} -{{- end }} \ No newline at end of file +data: + {{- include "argo-cd.config.cm" . | trim | nindent 2 }} +{{- end }} diff --git a/charts/argo-cd/templates/argocd-configs/argocd-cmd-params-cm.yaml b/charts/argo-cd/templates/argocd-configs/argocd-cmd-params-cm.yaml new file mode 100644 index 000000000..0628ff9c8 --- /dev/null +++ b/charts/argo-cd/templates/argocd-configs/argocd-cmd-params-cm.yaml @@ -0,0 +1,14 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: argocd-cmd-params-cm + labels: + {{- include "argo-cd.labels" (dict "context" . "component" .Values.server.name "name" "cmd-params-cm") | nindent 4 }} + {{- if .Values.configs.params.annotations }} + annotations: + {{- range $key, $value := .Values.configs.params.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- end }} +data: + {{- include "argo-cd.config.params" . | trim | nindent 2 }} diff --git a/charts/argo-cd/templates/argocd-configs/argocd-dex-server-tls-secret.yaml b/charts/argo-cd/templates/argocd-configs/argocd-dex-server-tls-secret.yaml new file mode 100644 index 000000000..7e3ae6b0a --- /dev/null +++ b/charts/argo-cd/templates/argocd-configs/argocd-dex-server-tls-secret.yaml 
@@ -0,0 +1,24 @@ +{{- if and .Values.dex.enabled .Values.dex.certificateSecret.enabled }} +apiVersion: v1 +kind: Secret +metadata: + name: argocd-dex-server-tls + labels: + {{- include "argo-cd.labels" (dict "context" . "component" .Values.dex.name "name" "dex-server-tls") | nindent 4 }} + {{- with .Values.dex.certificateSecret.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.dex.certificateSecret.annotations }} + annotations: + {{- range $key, $value := . }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- end }} +type: kubernetes.io/tls +data: + {{- with .Values.dex.certificateSecret.ca }} + ca.crt: {{ . | b64enc | quote }} + {{- end }} + tls.crt: {{ .Values.dex.certificateSecret.crt | b64enc | quote }} + tls.key: {{ .Values.dex.certificateSecret.key | b64enc | quote }} +{{- end }} diff --git a/charts/argo-cd/templates/argocd-configs/argocd-gpg-keys-cm.yaml b/charts/argo-cd/templates/argocd-configs/argocd-gpg-keys-cm.yaml index e96ef9aaf..72f9823b5 100644 --- a/charts/argo-cd/templates/argocd-configs/argocd-gpg-keys-cm.yaml +++ b/charts/argo-cd/templates/argocd-configs/argocd-gpg-keys-cm.yaml @@ -1,16 +1,16 @@ apiVersion: v1 kind: ConfigMap metadata: - {{- if .Values.configs.gpgKeysAnnotations }} + name: argocd-gpg-keys-cm + labels: + {{- include "argo-cd.labels" (dict "context" . "name" "gpg-keys-cm") | nindent 4 }} + {{ with (mergeOverwrite (deepCopy .Values.configs.gpg.annotations) (.Values.configs.gpgKeysAnnotations | default dict)) -}} annotations: - {{- range $key, $value := .Values.configs.gpgKeysAnnotations }} + {{- range $key, $value := . }} {{ $key }}: {{ $value | quote }} {{- end }} {{- end }} - labels: - {{- include "argo-cd.labels" (dict "context" . "name" "gpg-keys-cm") | nindent 4 }} - name: argocd-gpg-keys-cm -{{- with .Values.configs.gpgKeys }} +{{ with (mergeOverwrite (deepCopy .Values.configs.gpg.keys) (.Values.configs.gpgKeys | default dict)) -}} data: {{- toYaml . | nindent 2 }} {{- end }} 
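Review bot: In argocd-dex-server-tls-secret.yaml, `tls.crt` and `tls.key` are rendered from values with no presence check, so if the defaults are empty strings, `certificateSecret.enabled: true` with either one left blank produces a `kubernetes.io/tls` Secret holding empty data instead of failing the install. Wrapping both in `required` gives an early, clear error: `tls.key: {{ required "dex.certificateSecret.key is required" .Values.dex.certificateSecret.key | b64enc | quote }}`. The same applies to argocd-repo-server-tls-secret.yaml added later in this commit. Because the private key travels through chart values it is also kept in the stored Helm release, so the values documentation should name a pre-created Secret as the preferred route.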
diff --git a/charts/argo-cd/templates/argocd-configs/argocd-notifications-cm.yaml b/charts/argo-cd/templates/argocd-configs/argocd-notifications-cm.yaml index e3a1dabac..593da721c 100644 --- a/charts/argo-cd/templates/argocd-configs/argocd-notifications-cm.yaml +++ b/charts/argo-cd/templates/argocd-configs/argocd-notifications-cm.yaml @@ -8,9 +8,9 @@ metadata: data: context: | argocdUrl: {{ .Values.notifications.argocdUrl | quote }} - {{- with .Values.notifications.context }} - {{- toYaml . | nindent 4 }} - {{- end }} + {{- with .Values.notifications.context }} + {{- toYaml . | nindent 4 }} + {{- end }} {{- with .Values.notifications.notifiers }} {{- toYaml . | nindent 2 }} {{- end }} diff --git a/charts/argo-cd/templates/argocd-configs/argocd-notifications-secret.yaml b/charts/argo-cd/templates/argocd-configs/argocd-notifications-secret.yaml index 9598ee02a..dc5bd383c 100644 --- a/charts/argo-cd/templates/argocd-configs/argocd-notifications-secret.yaml +++ b/charts/argo-cd/templates/argocd-configs/argocd-notifications-secret.yaml @@ -5,11 +5,11 @@ metadata: name: argocd-notifications-secret labels: {{- include "argo-cd.labels" (dict "context" . "component" .Values.notifications.name "name" .Values.notifications.name) | nindent 4 }} - {{- if .Values.notifications.secret.annotations }} + {{- with .Values.notifications.secret.annotations }} annotations: - {{- range $key, $value := .Values.notifications.secret.annotations }} + {{- range $key, $value := . }} {{ $key }}: {{ $value | quote }} - {{- end }} + {{- end }} {{- end }} type: Opaque stringData: diff --git a/charts/argo-cd/templates/argocd-configs/argocd-rbac-cm.yaml b/charts/argo-cd/templates/argocd-configs/argocd-rbac-cm.yaml index b02e3a008..8ebb43d28 100644 --- a/charts/argo-cd/templates/argocd-configs/argocd-rbac-cm.yaml +++ b/charts/argo-cd/templates/argocd-configs/argocd-rbac-cm.yaml 
@@ -1,18 +1,18 @@ -{{- if .Values.server.rbacConfigCreate }} +{{- if (hasKey .Values.server "rbacConfigCreate") | ternary .Values.server.rbacConfigCreate .Values.configs.rbac.create }} apiVersion: v1 kind: ConfigMap metadata: name: argocd-rbac-cm labels: {{- include "argo-cd.labels" (dict "context" . "component" .Values.server.name "name" "rbac-cm") | nindent 4 }} - {{- if .Values.server.rbacConfigAnnotations }} + {{- with (mergeOverwrite (deepCopy .Values.configs.rbac.annotations) (.Values.server.rbacConfigAnnotations | default dict)) }} annotations: - {{- range $key, $value := .Values.server.rbacConfigAnnotations }} + {{- range $key, $value := . }} {{ $key }}: {{ $value | quote }} + {{- end }} {{- end }} - {{- end }} -{{- if .Values.server.rbacConfig }} +{{- with (mergeOverwrite (deepCopy (omit .Values.configs.rbac "create" "annotations")) (.Values.server.rbacConfig | default dict)) }} data: -{{- toYaml .Values.server.rbacConfig | nindent 4 }} + {{- toYaml . | nindent 2 }} {{- end }} {{- end }} diff --git a/charts/argo-cd/templates/argocd-configs/argocd-repo-server-tls-secret.yaml b/charts/argo-cd/templates/argocd-configs/argocd-repo-server-tls-secret.yaml new file mode 100644 index 000000000..7efa20519 --- /dev/null +++ b/charts/argo-cd/templates/argocd-configs/argocd-repo-server-tls-secret.yaml 
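Review bot: In argocd-rbac-cm.yaml the `data` block is built with `mergeOverwrite`, whose later argument wins, so a leftover deprecated `server.rbacConfig` silently overrides whatever is set under the new `configs.rbac` keys, including policy entries such as `policy.csv` if they are defined there. For an access-control policy that precedence should at least be stated next to the expression, e.g. `{{- /* server.rbacConfig (deprecated) takes precedence over configs.rbac */ -}}`, and a `fail` when both are set would be stricter. The `omit ... "create" "annotations"` call is also an allow-by-default filter: any further non-policy key added under `configs.rbac` later would be written into the ConfigMap data unless it is added to that list.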
@@ -0,0 +1,24 @@ +{{- if and .Values.repoServer.enabled .Values.repoServer.certificateSecret.enabled }} +apiVersion: v1 +kind: Secret +metadata: + name: argocd-repo-server-tls + labels: + {{- include "argo-cd.labels" (dict "context" . "component" .Values.repoServer.name "name" "repo-server-tls") | nindent 4 }} + {{- with .Values.repoServer.certificateSecret.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.repoServer.certificateSecret.annotations }} + annotations: + {{- range $key, $value := . }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- end }} +type: kubernetes.io/tls +data: + {{- with .Values.repoServer.certificateSecret.ca }} + ca.crt: {{ . | b64enc | quote }} + {{- end }} + tls.crt: {{ .Values.repoServer.certificateSecret.crt | b64enc | quote }} + tls.key: {{ .Values.repoServer.certificateSecret.key | b64enc | quote }} +{{- end }} diff --git a/charts/argo-cd/templates/argocd-configs/argocd-secret.yaml b/charts/argo-cd/templates/argocd-configs/argocd-secret.yaml index 62cf6be43..f289480d1 100644 --- a/charts/argo-cd/templates/argocd-configs/argocd-secret.yaml +++ b/charts/argo-cd/templates/argocd-configs/argocd-secret.yaml 
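Review bot: `tls.crt` and `tls.key` are rendered from `.Values.repoServer.certificateSecret.crt` and `.key` with no check that they are set. Enabling `certificateSecret` without both values therefore either fails inside `b64enc` or produces a `kubernetes.io/tls` secret with empty material; which one depends on the defaults in values.yaml, not visible here. cluster-secrets.yaml in this same commit already uses `required`, and doing the same here gives a clear render-time error: `tls.key: {{ required "repoServer.certificateSecret.key is required" .Values.repoServer.certificateSecret.key | b64enc | quote }}`, and likewise for `tls.crt`. The new argocd-server-tls-secret.yaml has the same two lines. A comment in values.yaml should also note that a private key supplied this way is kept in the Helm release data as well as in the Secret.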
@@ -5,34 +5,34 @@ metadata: name: argocd-secret labels: {{- include "argo-cd.labels" (dict "context" . "component" .Values.server.name "name" "secret") | nindent 4 }} - {{- if .Values.configs.secret.annotations }} + {{- with .Values.configs.secret.annotations }} annotations: - {{- range $key, $value := .Values.configs.secret.annotations }} + {{- range $key, $value := . }} {{ $key }}: {{ $value | quote }} - {{- end }} + {{- end }} {{- end }} type: Opaque {{- if or .Values.configs.secret.githubSecret (or .Values.configs.secret.gitlabSecret .Values.configs.secret.bitbucketUUID .Values.configs.secret.bitbucketServerSecret .Values.configs.secret.gogsSecret .Values.configs.secret.argocdServerAdminPassword .Values.configs.secret.argocdServerTlsConfig .Values.configs.secret.extra) }} # Setting a blank data again will wipe admin password/key/cert data: - {{- if .Values.configs.secret.githubSecret }} - webhook.github.secret: {{ .Values.configs.secret.githubSecret | b64enc }} + {{- with .Values.configs.secret.githubSecret }} + webhook.github.secret: {{ . | b64enc }} {{- end }} - {{- if .Values.configs.secret.gitlabSecret }} - webhook.gitlab.secret: {{ .Values.configs.secret.gitlabSecret | b64enc }} + {{- with .Values.configs.secret.gitlabSecret }} + webhook.gitlab.secret: {{ . | b64enc }} {{- end }} - {{- if .Values.configs.secret.bitbucketServerSecret }} - webhook.bitbucketserver.secret: {{ .Values.configs.secret.bitbucketServerSecret | b64enc }} + {{- with .Values.configs.secret.bitbucketServerSecret }} + webhook.bitbucketserver.secret: {{ . | b64enc }} {{- end }} - {{- if .Values.configs.secret.bitbucketUUID }} - webhook.bitbucket.uuid: {{ .Values.configs.secret.bitbucketUUID | b64enc }} + {{- with .Values.configs.secret.bitbucketUUID }} + webhook.bitbucket.uuid: {{ . 
| b64enc }} {{- end }} - {{- if .Values.configs.secret.gogsSecret }} - webhook.gogs.secret: {{ .Values.configs.secret.gogsSecret | b64enc }} + {{- with .Values.configs.secret.gogsSecret }} + webhook.gogs.secret: {{ . | b64enc }} {{- end }} - {{- if .Values.configs.secret.argocdServerTlsConfig }} - tls.key: {{ .Values.configs.secret.argocdServerTlsConfig.key | b64enc }} - tls.crt: {{ .Values.configs.secret.argocdServerTlsConfig.crt | b64enc }} + {{- with .Values.configs.secret.argocdServerTlsConfig }} + tls.key: {{ .key | b64enc }} + tls.crt: {{ .crt | b64enc }} {{- end }} {{- if .Values.configs.secret.argocdServerAdminPassword }} admin.password: {{ .Values.configs.secret.argocdServerAdminPassword | b64enc }} diff --git a/charts/argo-cd/templates/argocd-configs/argocd-server-tls-secret.yaml b/charts/argo-cd/templates/argocd-configs/argocd-server-tls-secret.yaml new file mode 100644 index 000000000..1e9f8dd38 --- /dev/null +++ b/charts/argo-cd/templates/argocd-configs/argocd-server-tls-secret.yaml @@ -0,0 +1,21 @@ +{{- if and .Values.server.certificateSecret.enabled (not .Values.server.certificate.enabled) }} +apiVersion: v1 +kind: Secret +metadata: + name: argocd-server-tls + labels: + {{- include "argo-cd.labels" (dict "context" . "component" .Values.server.name "name" "server-tls") | nindent 4 }} + {{- with .Values.server.certificateSecret.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.server.certificateSecret.annotations }} + annotations: + {{- range $key, $value := . }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- end }} +type: kubernetes.io/tls +data: + tls.crt: {{ .Values.server.certificateSecret.crt | b64enc | quote }} + tls.key: {{ .Values.server.certificateSecret.key | b64enc | quote }} +{{- end }} diff --git a/charts/argo-cd/templates/argocd-configs/argocd-ssh-known-hosts-cm.yaml b/charts/argo-cd/templates/argocd-configs/argocd-ssh-known-hosts-cm.yaml index 289885bde..844f492da 100644 
--- a/charts/argo-cd/templates/argocd-configs/argocd-ssh-known-hosts-cm.yaml +++ b/charts/argo-cd/templates/argocd-configs/argocd-ssh-known-hosts-cm.yaml @@ -1,13 +1,13 @@ apiVersion: v1 -{{- toYaml .Values.configs.knownHosts | nindent 0 }} kind: ConfigMap metadata: + name: argocd-ssh-known-hosts-cm labels: {{- include "argo-cd.labels" (dict "context" . "component" .Values.server.name "name" "ssh-known-hosts-cm") | nindent 4 }} - {{- if .Values.configs.knownHostsAnnotations }} + {{- with .Values.configs.knownHostsAnnotations }} annotations: - {{- range $key, $value := .Values.configs.knownHostsAnnotations }} + {{- range $key, $value := . }} {{ $key }}: {{ $value | quote }} + {{- end }} {{- end }} - {{- end }} - name: argocd-ssh-known-hosts-cm \ No newline at end of file +{{- toYaml .Values.configs.knownHosts | nindent 0 }} diff --git a/charts/argo-cd/templates/argocd-configs/argocd-styles-cm.yaml b/charts/argo-cd/templates/argocd-configs/argocd-styles-cm.yaml index a8079671c..149104f16 100644 --- a/charts/argo-cd/templates/argocd-configs/argocd-styles-cm.yaml +++ b/charts/argo-cd/templates/argocd-configs/argocd-styles-cm.yaml @@ -2,10 +2,10 @@ apiVersion: v1 kind: ConfigMap metadata: - name: argocd-custom-styles + name: argocd-styles-cm labels: {{- include "argo-cd.labels" (dict "context" . "component" .Values.repoServer.name "name" .Values.repoServer.name) | nindent 4 }} data: custom.styles.css: | {{- .Values.configs.styles | nindent 4 }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/charts/argo-cd/templates/argocd-configs/argocd-tls-certs-cm.yaml b/charts/argo-cd/templates/argocd-configs/argocd-tls-certs-cm.yaml index 5b3f5fe50..74b211813 100644 --- a/charts/argo-cd/templates/argocd-configs/argocd-tls-certs-cm.yaml +++ b/charts/argo-cd/templates/argocd-configs/argocd-tls-certs-cm.yaml 
@@ -1,15 +1,15 @@ apiVersion: v1 -{{- if .Values.configs.tlsCerts }} -{{- toYaml .Values.configs.tlsCerts | nindent 0 }} -{{- end }} kind: ConfigMap metadata: + name: argocd-tls-certs-cm labels: {{- include "argo-cd.labels" (dict "context" . "component" .Values.server.name "name" "tls-certs-cm") | nindent 4 }} - {{- if .Values.configs.tlsCertsAnnotations }} + {{- with .Values.configs.tlsCertsAnnotations }} annotations: - {{- range $key, $value := .Values.configs.tlsCertsAnnotations }} + {{- range $key, $value := . }} {{ $key }}: {{ $value | quote }} + {{- end }} {{- end }} - {{- end }} - name: argocd-tls-certs-cm \ No newline at end of file +{{- with .Values.configs.tlsCerts }} +{{- toYaml . | nindent 0 }} +{{- end }} diff --git a/charts/argo-cd/templates/argocd-configs/cluster-secrets.yaml b/charts/argo-cd/templates/argocd-configs/cluster-secrets.yaml index fce3211ec..aba14db7e 100644 --- a/charts/argo-cd/templates/argocd-configs/cluster-secrets.yaml +++ b/charts/argo-cd/templates/argocd-configs/cluster-secrets.yaml @@ -27,5 +27,5 @@ stringData: {{- end }} {{- end }} config: | - {{- required "A valid .Values.configs.clusterCredentials[].config entry is required!" .config | toPrettyJson | nindent 4 }} + {{- required "A valid .Values.configs.clusterCredentials[].config entry is required!" .config | toRawJson | nindent 4 }} {{- end }} diff --git a/charts/argo-cd/templates/argocd-configs/externalredis-secret.yaml b/charts/argo-cd/templates/argocd-configs/externalredis-secret.yaml index d2b1887fc..80dfc475b 100644 --- a/charts/argo-cd/templates/argocd-configs/externalredis-secret.yaml +++ b/charts/argo-cd/templates/argocd-configs/externalredis-secret.yaml 
@@ -1,15 +1,22 @@ -{{- if and .Values.externalRedis.password (not .Values.externalRedis.existingSecret) }} +{{- if and (or .Values.externalRedis.username .Values.externalRedis.password) (not .Values.externalRedis.existingSecret) }} apiVersion: v1 kind: Secret metadata: - name: {{ template "argo-cd.redis.fullname" . }} + name: {{ include "argo-cd.redis.fullname" . }} labels: {{- include "argo-cd.labels" (dict "context" $) | nindent 4 }} {{- with .Values.externalRedis.secretAnnotations }} annotations: - {{- toYaml . | nindent 4}} + {{- range $key, $value := . }} + {{ $key }}: {{ $value | quote }} + {{- end }} {{- end }} type: Opaque data: - redis-password: {{ .Values.externalRedis.password | b64enc }} + {{- with .Values.externalRedis.username }} + redis-username: {{ . | b64enc }} + {{- end }} + {{- with .Values.externalRedis.password }} + redis-password: {{ . | b64enc }} + {{- end }} {{- end }} diff --git a/charts/argo-cd/templates/argocd-configs/repository-credentials-secret.yaml b/charts/argo-cd/templates/argocd-configs/repository-credentials-secret.yaml index 060ef5798..96efd67c6 100644 --- a/charts/argo-cd/templates/argocd-configs/repository-credentials-secret.yaml +++ b/charts/argo-cd/templates/argocd-configs/repository-credentials-secret.yaml @@ -9,7 +9,9 @@ metadata: {{- include "argo-cd.labels" (dict "context" $) | nindent 4 }} {{- with $.Values.configs.credentialTemplatesAnnotations }} annotations: - {{- toYaml . | nindent 4}} + {{- range $key, $value := . }} + {{ $key }}: {{ $value | quote }} + {{- end }} {{- end }} data: {{- range $key, $value := $repo_cred_value }} diff --git a/charts/argo-cd/templates/argocd-configs/repository-secret.yaml b/charts/argo-cd/templates/argocd-configs/repository-secret.yaml index 4b49811ee..bd0c067ca 100644 --- a/charts/argo-cd/templates/argocd-configs/repository-secret.yaml +++ b/charts/argo-cd/templates/argocd-configs/repository-secret.yaml 
@@ -9,7 +9,9 @@ metadata: {{- include "argo-cd.labels" (dict "context" $) | nindent 4 }} {{- with $.Values.configs.repositoriesAnnotations }} annotations: - {{- toYaml . | nindent 4 }} + {{- range $key, $value := . }} + {{ $key }}: {{ $value | quote }} + {{- end }} {{- end }} data: {{- range $key, $value := $repo_value }} diff --git a/charts/argo-cd/templates/argocd-notifications/bots/slack/deployment.yaml b/charts/argo-cd/templates/argocd-notifications/bots/slack/deployment.yaml index 0ec4565ef..da9346072 100644 --- a/charts/argo-cd/templates/argocd-notifications/bots/slack/deployment.yaml +++ b/charts/argo-cd/templates/argocd-notifications/bots/slack/deployment.yaml @@ -2,12 +2,20 @@ apiVersion: apps/v1 kind: Deployment metadata: + {{- with (mergeOverwrite (deepCopy .Values.global.deploymentAnnotations) .Values.notifications.deploymentAnnotations) }} + annotations: + {{- range $key, $value := . }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- end }} name: {{ template "argo-cd.notifications.fullname" . }}-bot labels: {{- include "argo-cd.labels" (dict "context" . "component" .Values.notifications.bots.slack.name "name" .Values.notifications.bots.slack.name) | nindent 4 }} spec: + replicas: 1 + revisionHistoryLimit: {{ .Values.global.revisionHistoryLimit }} strategy: - {{- .Values.notifications.bots.slack.updateStrategy | toYaml | nindent 4 }} + type: Recreate selector: matchLabels: {{- include "argo-cd.selectorLabels" (dict "context" . "component" .Values.notifications.bots.slack.name "name" "metrics") | nindent 6 }} 
@@ -16,18 +24,19 @@ spec: labels: {{- include "argo-cd.selectorLabels" (dict "context" . "component" .Values.notifications.bots.slack.name "name" "metrics") | nindent 8 }} spec: - {{- with .Values.notifications.bots.slack.imagePullSecrets | default .Values.global.imagePullSecrets }} + {{- with .Values.notifications.bots.slack.imagePullSecrets | default .Values.global.imagePullSecrets }} imagePullSecrets: {{- toYaml . | nindent 8 }} - {{- end }} - serviceAccountName: {{ template "argo-cd.notificationsBotsSlackServiceAccountName" . }} - securityContext: {{- toYaml (mergeOverwrite (deepCopy .Values.global.securityContext) .Values.notifications.securityContext) | nindent 8 }} + {{- end }} + {{- with .Values.global.securityContext }} + securityContext: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "argo-cd.notificationsBotsSlackServiceAccountName" . }} containers: - - name: {{ template "argo-cd.notifications.fullname" . }}-bot + - name: {{ include "argo-cd.notifications.fullname" . }}-bot image: {{ default .Values.global.image.repository .Values.notifications.bots.slack.image.repository }}:{{ default (include "argo-cd.defaultTag" .) .Values.notifications.bots.slack.image.tag }} imagePullPolicy: {{ default .Values.global.image.imagePullPolicy .Values.notifications.bots.slack.image.pullPolicy }} - resources: - {{- toYaml .Values.notifications.bots.slack.resources | nindent 12 }} command: - argocd-notifications - bot 
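Review bot: The pod-level `securityContext` is now taken from `.Values.global.securityContext` alone, whereas the removed line merged `.Values.notifications.securityContext` on top of it. Anyone who hardened this pod through the component key loses that setting without an error or warning. If dropping the key is intended, it should be listed as a breaking change; otherwise keep the override with `{{- with (mergeOverwrite (deepCopy .Values.global.securityContext) (.Values.notifications.securityContext | default dict)) }}`. The notifications controller's deployment.yaml hunk at `-25,43 +33,46` makes the same change. The pod spec continues outside this hunk.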
@@ -35,19 +44,20 @@ spec: ports: - containerPort: 8080 name: http - {{- with .Values.notifications.bots.slack.containerSecurityContext }} - securityContext: {{- toYaml . | nindent 12 }} - {{- end }} + resources: + {{- toYaml .Values.notifications.bots.slack.resources | nindent 12 }} + securityContext: + {{- toYaml .Values.notifications.bots.slack.containerSecurityContext | nindent 12 }} {{- with .Values.notifications.bots.slack.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} {{- end }} - {{- with .Values.notifications.bots.slack.affinity }} + {{- with .Values.notifications.bots.slack.affinity }} affinity: {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.notifications.bots.slack.tolerations }} + {{- end }} + {{- with .Values.notifications.bots.slack.tolerations }} tolerations: {{- toYaml . | nindent 8 }} - {{- end }} + {{- end }} {{ end }} diff --git a/charts/argo-cd/templates/argocd-notifications/bots/slack/pdb.yaml b/charts/argo-cd/templates/argocd-notifications/bots/slack/pdb.yaml new file mode 100644 index 000000000..458af6f7e --- /dev/null +++ b/charts/argo-cd/templates/argocd-notifications/bots/slack/pdb.yaml 
@@ -0,0 +1,26 @@ +{{- if and .Values.notifications.enabled .Values.notifications.bots.slack.enabled .Values.notifications.bots.slack.pdb.enabled }} +apiVersion: {{ include "argo-cd.apiVersion.pdb" . }} +kind: PodDisruptionBudget +metadata: + name: {{ include "argo-cd.notifications.fullname" . }}-bot + labels: + {{- include "argo-cd.labels" (dict "context" . "component" .Values.notifications.bots.slack.name "name" .Values.notifications.bots.slack.name) | nindent 4 }} + {{- with .Values.notifications.bots.slack.pdb.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.notifications.bots.slack.pdb.annotations }} + annotations: + {{- range $key, $value := . }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- end }} +spec: + {{- with .Values.notifications.bots.slack.pdb.maxUnavailable }} + maxUnavailable: {{ . }} + {{- else }} + minAvailable: {{ .Values.notifications.bots.slack.pdb.minAvailable | default 0 }} + {{- end }} + selector: + matchLabels: + {{- include "argo-cd.selectorLabels" (dict "context" . "component" .Values.notifications.bots.slack.name "name" "metrics") | nindent 6 }} +{{- end }} diff --git a/charts/argo-cd/templates/argocd-notifications/deployment.yaml b/charts/argo-cd/templates/argocd-notifications/deployment.yaml index cfbb54f74..2be14fdd0 100644 --- a/charts/argo-cd/templates/argocd-notifications/deployment.yaml +++ b/charts/argo-cd/templates/argocd-notifications/deployment.yaml 
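Review bot: `{{- with .Values.notifications.bots.slack.pdb.maxUnavailable }}` treats `0` as empty, so a configured `maxUnavailable: 0` falls into the `else` branch and renders `minAvailable: 0` (unless `minAvailable` is also set). That is a budget allowing every eviction where the user asked for none. Test for the zero case explicitly: `{{- $mu := .Values.notifications.bots.slack.pdb.maxUnavailable }}`, then `{{- if or $mu (eq (toString $mu) "0") }}` with `maxUnavailable: {{ $mu }}` inside, keeping the existing `else` branch. The new argocd-notifications/pdb.yaml uses the same `with`/`else` construct and needs the same fix.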
@@ -2,12 +2,20 @@ apiVersion: apps/v1 kind: Deployment metadata: - name: {{ template "argo-cd.notifications.fullname" . }} + {{- with (mergeOverwrite (deepCopy .Values.global.deploymentAnnotations) .Values.notifications.deploymentAnnotations) }} + annotations: + {{- range $key, $value := . }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- end }} + name: {{ include "argo-cd.notifications.fullname" . }} labels: {{- include "argo-cd.labels" (dict "context" . "component" .Values.notifications.name "name" .Values.notifications.name) | nindent 4 }} spec: + replicas: 1 + revisionHistoryLimit: {{ .Values.global.revisionHistoryLimit }} strategy: - {{- .Values.notifications.updateStrategy | toYaml | nindent 4 }} + type: Recreate selector: matchLabels: {{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.notifications.name) | nindent 6 }} 
@@ -25,43 +33,46 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} spec: - {{- with .Values.notifications.imagePullSecrets | default .Values.global.imagePullSecrets }} + {{- with .Values.notifications.imagePullSecrets | default .Values.global.imagePullSecrets }} imagePullSecrets: {{- toYaml . | nindent 8 }} - {{- end }} + {{- end }} + {{- with .Values.global.securityContext }} + securityContext: + {{- toYaml . | nindent 8 }} + {{- end }} serviceAccountName: {{ include "argo-cd.notificationsServiceAccountName" . }} - securityContext: {{- toYaml (mergeOverwrite (deepCopy .Values.global.securityContext) .Values.notifications.securityContext) | nindent 8 }} containers: - name: {{ .Values.notifications.name }} image: {{ default .Values.global.image.repository .Values.notifications.image.repository }}:{{ default (include "argo-cd.defaultTag" .) .Values.notifications.image.tag }} imagePullPolicy: {{ default .Values.global.image.imagePullPolicy .Values.notifications.image.imagePullPolicy }} - resources: - {{- toYaml .Values.notifications.resources | nindent 12 }} command: - argocd-notifications - --loglevel={{ default .Values.global.logging.level .Values.notifications.logLevel }} - --logformat={{ default .Values.global.logging.format .Values.notifications.logFormat }} - {{- if .Values.notifications.metrics.enabled }} - --metrics-port={{ .Values.notifications.metrics.port }} - {{- end }} - --namespace={{ .Release.Namespace }} - --argocd-repo-server={{ template "argo-cd.repoServer.fullname" . }}:{{ .Values.repoServer.service.port }} {{- range .Values.notifications.extraArgs }} - {{ . 
| squote }} {{- end }} - workingDir: /app - ports: - {{- if .Values.notifications.metrics.enabled }} - - containerPort: {{ .Values.notifications.metrics.port }} - name: metrics - protocol: TCP - {{- end }} - {{- if .Values.notifications.containerSecurityContext }} - securityContext: {{- toYaml .Values.notifications.containerSecurityContext | nindent 12 }} - {{- end }} {{- with .Values.notifications.extraEnv }} - env: {{ toYaml . | nindent 12 }} + env: + {{- toYaml . | nindent 12 }} {{- end }} + {{- with .Values.notifications.extraEnvFrom }} + envFrom: + {{- toYaml . | nindent 12 }} + {{- end }} + ports: + - name: metrics + containerPort: {{ .Values.notifications.metrics.port }} + protocol: TCP + resources: + {{- toYaml .Values.notifications.resources | nindent 12 }} + securityContext: + {{- toYaml .Values.notifications.containerSecurityContext | nindent 12 }} + workingDir: /app volumeMounts: - name: tls-certs mountPath: /app/config/tls diff --git a/charts/argo-cd/templates/argocd-notifications/service-metrics.yaml b/charts/argo-cd/templates/argocd-notifications/metrics.yaml similarity index 63% rename from charts/argo-cd/templates/argocd-notifications/service-metrics.yaml rename to charts/argo-cd/templates/argocd-notifications/metrics.yaml index 8e0a92a8a..3b80e97b9 100644 --- a/charts/argo-cd/templates/argocd-notifications/service-metrics.yaml +++ b/charts/argo-cd/templates/argocd-notifications/metrics.yaml 
@@ -2,18 +2,18 @@ apiVersion: v1 kind: Service metadata: - name: {{ template "argo-cd.notifications.fullname" . }}-metrics + name: {{ include "argo-cd.notifications.fullname" . }}-metrics labels: {{- include "argo-cd.labels" (dict "context" . "component" .Values.notifications.name "name" "metrics") | nindent 4 }} -{{- if .Values.notifications.metrics.service.labels }} -{{- toYaml .Values.notifications.metrics.service.labels | nindent 4 }} -{{- end }} -{{- if .Values.notifications.metrics.service.annotations }} + {{- with .Values.notifications.metrics.service.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.notifications.metrics.service.annotations }} annotations: - {{- range $key, $value := .Values.notifications.metrics.service.annotations }} + {{- range $key, $value := . }} {{ $key }}: {{ $value | quote }} + {{- end }} {{- end }} -{{- end }} spec: selector: {{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.notifications.name) | nindent 6 }} diff --git a/charts/argo-cd/templates/argocd-notifications/pdb.yaml b/charts/argo-cd/templates/argocd-notifications/pdb.yaml new file mode 100644 index 000000000..711495a24 --- /dev/null +++ b/charts/argo-cd/templates/argocd-notifications/pdb.yaml 
@@ -0,0 +1,26 @@ +{{- if and .Values.notifications.enabled .Values.notifications.pdb.enabled }} +apiVersion: {{ include "argo-cd.apiVersion.pdb" . }} +kind: PodDisruptionBudget +metadata: + name: {{ include "argo-cd.notifications.fullname" . }} + labels: + {{- include "argo-cd.labels" (dict "context" . "component" .Values.notifications.name "name" .Values.notifications.name) | nindent 4 }} + {{- with .Values.notifications.pdb.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.notifications.pdb.annotations }} + annotations: + {{- range $key, $value := . }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- end }} +spec: + {{- with .Values.notifications.pdb.maxUnavailable }} + maxUnavailable: {{ . }} + {{- else }} + minAvailable: {{ .Values.notifications.pdb.minAvailable | default 0 }} + {{- end }} + selector: + matchLabels: + {{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.notifications.name) | nindent 6 }} +{{- end }} diff --git a/charts/argo-cd/templates/argocd-notifications/serviceaccount.yaml b/charts/argo-cd/templates/argocd-notifications/serviceaccount.yaml index 48c6967fc..d62192804 100644 --- a/charts/argo-cd/templates/argocd-notifications/serviceaccount.yaml +++ b/charts/argo-cd/templates/argocd-notifications/serviceaccount.yaml @@ -12,4 +12,7 @@ metadata: {{- end }} labels: {{- include "argo-cd.labels" (dict "context" . "component" .Values.notifications.name "name" .Values.notifications.name) | nindent 4 }} + {{- range $key, $value := .Values.notifications.serviceAccount.labels }} + {{ $key }}: {{ $value | quote }} + {{- end }} {{- end }} diff --git a/charts/argo-cd/templates/argocd-notifications/servicemonitor.yaml b/charts/argo-cd/templates/argocd-notifications/servicemonitor.yaml index 7ed6237ae..7f11d08f3 100644 --- a/charts/argo-cd/templates/argocd-notifications/servicemonitor.yaml +++ b/charts/argo-cd/templates/argocd-notifications/servicemonitor.yaml 
@@ -14,6 +14,10 @@ metadata: {{- if .Values.notifications.metrics.serviceMonitor.additionalLabels }} {{- toYaml .Values.notifications.metrics.serviceMonitor.additionalLabels | nindent 4 }} {{- end }} + {{- with .Values.notifications.metrics.serviceMonitor.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} spec: endpoints: - port: {{ .Values.notifications.metrics.service.portName }} diff --git a/charts/argo-cd/templates/argocd-repo-server/deployment.yaml b/charts/argo-cd/templates/argocd-repo-server/deployment.yaml index bf0f35a7f..d8cbb97dd 100755 --- a/charts/argo-cd/templates/argocd-repo-server/deployment.yaml +++ b/charts/argo-cd/templates/argocd-repo-server/deployment.yaml 
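Review bot: The new `annotations:` block is rendered with `toYaml`, while the other annotation blocks this commit touches were converted to a `range` loop that quotes each value. Annotation values must be strings, and a value written as `true` or `8080` in values.yaml comes out of `toYaml` unquoted and is rejected by the API server. Use the same loop here: `{{- range $key, $value := . }}`, then `{{ $key }}: {{ $value | quote }}`, then `{{- end }}`.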
@@ -1,26 +1,35 @@ -{{- $redisHa := (index .Values "redis-ha") -}} apiVersion: apps/v1 kind: Deployment metadata: + {{- with (mergeOverwrite (deepCopy .Values.global.deploymentAnnotations) .Values.repoServer.deploymentAnnotations) }} + annotations: + {{- range $key, $value := . }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- end }} name: {{ template "argo-cd.repoServer.fullname" . }} labels: {{- include "argo-cd.labels" (dict "context" . "component" .Values.repoServer.name "name" .Values.repoServer.name) | nindent 4 }} spec: + {{- if not .Values.repoServer.autoscaling.enabled }} + replicas: {{ .Values.repoServer.replicas }} + {{- end }} + revisionHistoryLimit: {{ .Values.global.revisionHistoryLimit }} selector: matchLabels: {{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.repoServer.name) | nindent 6 }} - revisionHistoryLimit: 5 - {{- if (ne .Values.repoServer.autoscaling.enabled true) }} - replicas: {{ .Values.repoServer.replicas }} - {{- end }} template: metadata: - {{- with (mergeOverwrite (deepCopy .Values.global.podAnnotations) .Values.repoServer.podAnnotations) }} annotations: + checksum/cmd-params: {{ include (print $.Template.BasePath "/argocd-configs/argocd-cmd-params-cm.yaml") . | sha256sum }} + {{- if .Values.repoServer.certificateSecret.enabled }} + checksum/repo-server-tls: {{ include (print $.Template.BasePath "/argocd-configs/argocd-repo-server-tls-secret.yaml") . | sha256sum }} + {{- end }} + {{- with (mergeOverwrite (deepCopy .Values.global.podAnnotations) .Values.repoServer.podAnnotations) }} {{- range $key, $value := . }} {{ $key }}: {{ $value | quote }} {{- end }} - {{- end }} + {{- end }} labels: {{- include "argo-cd.labels" (dict "context" . "component" .Values.repoServer.name "name" .Values.repoServer.name) | nindent 8 }} {{- with (mergeOverwrite (deepCopy .Values.global.podLabels) .Values.repoServer.podLabels) }} 
@@ -32,8 +41,9 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} automountServiceAccountToken: {{ .Values.repoServer.serviceAccount.automountServiceAccountToken }} - {{- if .Values.global.securityContext }} - securityContext: {{- toYaml .Values.global.securityContext | nindent 8 }} + {{- with .Values.global.securityContext }} + securityContext: + {{- toYaml . | nindent 8 }} {{- end }} containers: - name: {{ .Values.repoServer.name }} 
@@ -43,83 +53,207 @@ spec: - entrypoint.sh args: - argocd-repo-server - {{- if or (and .Values.redis.enabled (not $redisHa.enabled)) (and $redisHa.enabled $redisHa.haproxy.enabled) }} - - --redis - - {{ template "argo-cd.redis.fullname" . }}:{{ .Values.redis.servicePort }} - {{- else if and .Values.externalRedis.host .Values.externalRedis.port }} - - --redis - - {{ .Values.externalRedis.host }}:{{ .Values.externalRedis.port }} - {{- end }} + {{- with .Values.repoServer.logFormat }} - --logformat - - {{ default .Values.global.logging.format .Values.repoServer.logFormat }} + - {{ . | quote }} + {{- end }} + {{- with .Values.repoServer.logLevel }} - --loglevel - - {{ default .Values.global.logging.level .Values.repoServer.logLevel }} - {{- with .Values.repoServer.extraArgs }} - {{- . | toYaml | nindent 8 }} + - {{ . | quote }} {{- end }} - {{- if .Values.repoServer.containerSecurityContext }} - securityContext: {{- toYaml .Values.repoServer.containerSecurityContext | nindent 10 }} + {{- with .Values.repoServer.extraArgs }} + {{- toYaml . | nindent 8 }} {{- end }} env: - - name: HELM_CACHE_HOME - value: /helm-working-dir - - name: HELM_CONFIG_HOME - value: /helm-working-dir - - name: HELM_DATA_HOME - value: /helm-working-dir - {{- include "argo-cd.redisPasswordEnv" . | nindent 8 }} {{- with .Values.repoServer.env }} - {{- toYaml . | nindent 8 }} + {{- toYaml . 
| nindent 10 }} {{- end }} - {{- if .Values.openshift.enabled }} - - name: USER_NAME - value: argocd - {{- end }} + {{- if .Values.openshift.enabled }} + - name: USER_NAME + value: argocd + {{- end }} + - name: ARGOCD_RECONCILIATION_TIMEOUT + valueFrom: + configMapKeyRef: + name: argocd-cm + key: timeout.reconciliation + optional: true + - name: ARGOCD_REPO_SERVER_LOGFORMAT + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: reposerver.log.format + optional: true + - name: ARGOCD_REPO_SERVER_LOGLEVEL + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: reposerver.log.level + optional: true + - name: ARGOCD_REPO_SERVER_PARALLELISM_LIMIT + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: reposerver.parallelism.limit + optional: true + - name: ARGOCD_REPO_SERVER_DISABLE_TLS + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: reposerver.disable.tls + optional: true + - name: ARGOCD_TLS_MIN_VERSION + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: reposerver.tls.minversion + optional: true + - name: ARGOCD_TLS_MAX_VERSION + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: reposerver.tls.maxversion + optional: true + - name: ARGOCD_TLS_CIPHERS + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: reposerver.tls.ciphers + optional: true + - name: ARGOCD_REPO_CACHE_EXPIRATION + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: reposerver.repo.cache.expiration + optional: true + - name: REDIS_SERVER + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: redis.server + optional: true + - name: REDIS_COMPRESSION + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: redis.compression + optional: true + - name: REDISDB + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: redis.db + optional: true + - name: REDIS_USERNAME + valueFrom: + secretKeyRef: + name: {{ default (include "argo-cd.redis.fullname" .) 
.Values.externalRedis.existingSecret }} + key: redis-username + optional: true + - name: REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: {{ default (include "argo-cd.redis.fullname" .) .Values.externalRedis.existingSecret }} + key: redis-password + optional: true + - name: ARGOCD_DEFAULT_CACHE_EXPIRATION + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: reposerver.default.cache.expiration + optional: true + - name: ARGOCD_REPO_SERVER_OTLP_ADDRESS + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: otlp.address + optional: true + - name: ARGOCD_REPO_SERVER_MAX_COMBINED_DIRECTORY_MANIFESTS_SIZE + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: reposerver.max.combined.directory.manifests.size + optional: true + - name: ARGOCD_REPO_SERVER_PLUGIN_TAR_EXCLUSIONS + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: reposerver.plugin.tar.exclusions + optional: true + - name: ARGOCD_REPO_SERVER_ALLOW_OUT_OF_BOUNDS_SYMLINKS + valueFrom: + configMapKeyRef: + key: reposerver.allow.oob.symlinks + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_REPO_SERVER_STREAMED_MANIFEST_MAX_TAR_SIZE + valueFrom: + configMapKeyRef: + key: reposerver.streamed.manifest.max.tar.size + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_REPO_SERVER_STREAMED_MANIFEST_MAX_EXTRACTED_SIZE + valueFrom: + configMapKeyRef: + key: reposerver.streamed.manifest.max.extracted.size + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_GIT_MODULES_ENABLED + valueFrom: + configMapKeyRef: + key: reposerver.enable.git.submodule + name: argocd-cmd-params-cm + optional: true + - name: HELM_CACHE_HOME + value: /helm-working-dir + - name: HELM_CONFIG_HOME + value: /helm-working-dir + - name: HELM_DATA_HOME + value: /helm-working-dir {{- with .Values.repoServer.envFrom }} - envFrom: {{- toYaml . | nindent 8 }} + envFrom: + {{- toYaml . 
| nindent 10 }} {{- end }} volumeMounts: {{- if .Values.repoServer.volumeMounts }} {{- toYaml .Values.repoServer.volumeMounts | nindent 8 }} {{- end }} - - mountPath: /app/config/gpg/source - name: gpg-keys - - mountPath: /app/config/gpg/keys - name: gpg-keyring - {{- if .Values.configs.knownHosts }} - mountPath: /app/config/ssh name: ssh-known-hosts - {{- end }} - mountPath: /app/config/tls name: tls-certs + - mountPath: /app/config/gpg/source + name: gpg-keys + - mountPath: /app/config/gpg/keys + name: gpg-keyring - mountPath: /app/config/reposerver/tls name: argocd-repo-server-tls - - mountPath: /tmp - name: tmp-dir - mountPath: /helm-working-dir name: helm-working-dir - mountPath: /home/argocd/cmp-server/plugins name: plugins + - mountPath: /tmp + name: tmp ports: - name: repo-server containerPort: {{ .Values.repoServer.containerPort }} protocol: TCP - {{ if .Values.repoServer.metrics.enabled }} - name: metrics containerPort: 8084 protocol: TCP - {{- end }} livenessProbe: - tcpSocket: - port: {{ .Values.repoServer.containerPort }} + httpGet: + path: /healthz?full=true + port: metrics initialDelaySeconds: {{ .Values.repoServer.livenessProbe.initialDelaySeconds }} periodSeconds: {{ .Values.repoServer.livenessProbe.periodSeconds }} timeoutSeconds: {{ .Values.repoServer.livenessProbe.timeoutSeconds }} successThreshold: {{ .Values.repoServer.livenessProbe.successThreshold }} failureThreshold: {{ .Values.repoServer.livenessProbe.failureThreshold }} readinessProbe: - tcpSocket: - port: {{ .Values.repoServer.containerPort }} + httpGet: + path: /healthz + port: metrics initialDelaySeconds: {{ .Values.repoServer.readinessProbe.initialDelaySeconds }} periodSeconds: {{ .Values.repoServer.readinessProbe.periodSeconds }} timeoutSeconds: {{ .Values.repoServer.readinessProbe.timeoutSeconds }} 
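Review bot: `repoServer.env` is now emitted at the top of `env:`, before the chart's own entries, where the old template placed it after the `HELM_*` variables. For a name that appears in both lists (`REDIS_PASSWORD`, `HELM_CACHE_HOME`, `ARGOCD_REPO_SERVER_ALLOW_OUT_OF_BOUNDS_SYMLINKS`, and so on), the later chart-defined entry is the one that should take effect. A user override would therefore be ignored without any message. That is a reasonable default for the security-relevant knobs, but it is undocumented. I would add a template comment above the `with`, `{{- /* user env first: chart-managed names below take precedence on duplicates */ -}}`, and a matching sentence on `repoServer.env` in values.yaml. The container spec starts before and continues after this hunk.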
@@ -127,58 +261,66 @@ spec: failureThreshold: {{ .Values.repoServer.readinessProbe.failureThreshold }} resources: {{- toYaml .Values.repoServer.resources | nindent 10 }} + securityContext: + {{- toYaml .Values.repoServer.containerSecurityContext | nindent 10 }} {{- with .Values.repoServer.extraContainers }} {{- toYaml . | nindent 6 }} {{- end }} - {{- if .Values.repoServer.nodeSelector }} + {{- with .Values.repoServer.nodeSelector }} nodeSelector: -{{- toYaml .Values.repoServer.nodeSelector | nindent 8 }} - {{- end }} - {{- if .Values.repoServer.tolerations }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.repoServer.tolerations }} tolerations: -{{- toYaml .Values.repoServer.tolerations | nindent 8 }} - {{- end }} - {{- if .Values.repoServer.affinity }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.repoServer.affinity }} affinity: -{{- toYaml .Values.repoServer.affinity | nindent 8 }} - {{- end }} - {{- with .Values.repoServer.topologySpreadConstraints }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.repoServer.topologySpreadConstraints }} topologySpreadConstraints: - {{- range $constraint := . }} + {{- range $constraint := . }} - {{ toYaml $constraint | nindent 8 | trim }} {{- if not $constraint.labelSelector }} labelSelector: matchLabels: {{- include "argo-cd.selectorLabels" (dict "context" $ "name" $.Values.repoServer.name) | nindent 12 }} {{- end }} + {{- end }} {{- end }} - {{- end }} serviceAccountName: {{ template "argo-cd.repoServerServiceAccountName" . }} {{- with .Values.global.hostAliases }} hostAliases: {{- toYaml . | nindent 6 }} {{- end }} volumes: - {{- if .Values.repoServer.volumes }} - {{- toYaml .Values.repoServer.volumes | nindent 6 }} + {{- with .Values.repoServer.volumes }} + {{- toYaml . 
| nindent 6 }} {{- end }} - - name: gpg-keys + - name: helm-working-dir + emptyDir: {} + - name: plugins + emptyDir: {} + - name: var-files + emptyDir: {} + - name: tmp + emptyDir: {} + - name: ssh-known-hosts configMap: - name: argocd-gpg-keys-cm - - emptyDir: {} - name: gpg-keyring - {{- if .Values.configs.knownHosts }} - - configMap: name: argocd-ssh-known-hosts-cm - name: ssh-known-hosts - {{- end }} - - configMap: + - name: tls-certs + configMap: name: argocd-tls-certs-cm - name: tls-certs - - name: helm-working-dir + - name: gpg-keys + configMap: + name: argocd-gpg-keys-cm + - name: gpg-keyring emptyDir: {} - name: argocd-repo-server-tls secret: + secretName: argocd-repo-server-tls + optional: true items: - key: tls.crt path: tls.crt @@ -186,14 +328,6 @@ spec: path: tls.key - key: ca.crt path: ca.crt - optional: true - secretName: argocd-repo-server-tls - - emptyDir: {} - name: tmp-dir - - emptyDir: {} - name: var-files - - emptyDir: {} - name: plugins initContainers: - command: - cp 
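Review bot: The `ssh-known-hosts` volume in the `volumes` list is no longer guarded by `.Values.configs.knownHosts`, and its `configMap` source has no `optional: true`, unlike the `argocd-repo-server-tls` secret below it. If the chart can still be installed without rendering `argocd-ssh-known-hosts-cm` (its template is not in this hunk), the repo-server pod will stay in ContainerCreating. Either confirm the ConfigMap is now always created, or state the requirement in a comment above the volume, e.g. `# argocd-ssh-known-hosts-cm must exist; the pod will not start without it`. The volumes hunk of the server deployment further down makes the same change.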
@@ -203,17 +337,20 @@ spec: image: {{ default .Values.global.image.repository .Values.repoServer.image.repository }}:{{ default (include "argo-cd.defaultTag" .) .Values.repoServer.image.tag }} imagePullPolicy: {{ default .Values.global.image.imagePullPolicy .Values.repoServer.image.imagePullPolicy }} name: copyutil + {{- with .Values.repoServer.resources }} resources: - {{- toYaml .Values.repoServer.copyutil.resources | nindent 10 }} - {{- if .Values.repoServer.containerSecurityContext }} - securityContext: {{- toYaml .Values.repoServer.containerSecurityContext | nindent 10 }} + {{- toYaml . | nindent 10 }} + {{- end }} + {{- with .Values.repoServer.containerSecurityContext }} + securityContext: + {{- toYaml . | nindent 10 }} {{- end }} volumeMounts: - mountPath: /var/run/argocd name: var-files - {{- if .Values.repoServer.initContainers }} - {{- toYaml .Values.repoServer.initContainers | nindent 6 }} + {{- with .Values.repoServer.initContainers }} + {{- toYaml . | nindent 6 }} + {{- end }} + {{- with .Values.repoServer.priorityClassName }} + priorityClassName: {{ . }} {{- end }} -{{- if .Values.repoServer.priorityClassName }} - priorityClassName: {{ .Values.repoServer.priorityClassName }} -{{- end }} diff --git a/charts/argo-cd/templates/argocd-repo-server/hpa.yaml b/charts/argo-cd/templates/argocd-repo-server/hpa.yaml index d07478edb..d7f743205 100644 --- a/charts/argo-cd/templates/argocd-repo-server/hpa.yaml +++ b/charts/argo-cd/templates/argocd-repo-server/hpa.yaml @@ -1,5 +1,5 @@ {{- if .Values.repoServer.autoscaling.enabled }} -apiVersion: {{ include "argo-cd.autoscaling.apiVersion" . }} +apiVersion: {{ include "argo-cd.apiVersion.autoscaling" . }} kind: HorizontalPodAutoscaler metadata: labels: 
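Review bot: The `copyutil` init container now takes `resources` from `.Values.repoServer.resources` instead of `.Values.repoServer.copyutil.resources`, so anything users set under `copyutil.resources` is silently ignored after an upgrade. If sharing the main container's requests and limits is intended, the old key should be removed from the values file and the change called out in the upgrade notes. Otherwise keep the dedicated key with `{{- with .Values.repoServer.copyutil.resources }}`. The `initContainers` block starts outside this hunk.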
@@ -17,7 +17,7 @@ spec: - type: Resource resource: name: memory - {{- if eq (include "argo-cd.autoscaling.apiVersion" $) "autoscaling/v2beta1" }} + {{- if eq (include "argo-cd.apiVersion.autoscaling" $) "autoscaling/v2beta1" }} targetAverageUtilization: {{ . }} {{- else }} target: @@ -29,7 +29,7 @@ spec: - type: Resource resource: name: cpu - {{- if eq (include "argo-cd.autoscaling.apiVersion" $) "autoscaling/v2beta1" }} + {{- if eq (include "argo-cd.apiVersion.autoscaling" $) "autoscaling/v2beta1" }} targetAverageUtilization: {{ . }} {{- else }} target: diff --git a/charts/argo-cd/templates/argocd-repo-server/metrics-service.yaml b/charts/argo-cd/templates/argocd-repo-server/metrics.yaml similarity index 60% rename from charts/argo-cd/templates/argocd-repo-server/metrics-service.yaml rename to charts/argo-cd/templates/argocd-repo-server/metrics.yaml index 14ca18d9c..1124057ea 100644 --- a/charts/argo-cd/templates/argocd-repo-server/metrics-service.yaml +++ b/charts/argo-cd/templates/argocd-repo-server/metrics.yaml 
@@ -1,19 +1,19 @@ -{{- if .Values.repoServer.metrics.enabled}} +{{- if .Values.repoServer.metrics.enabled }} apiVersion: v1 kind: Service metadata: -{{- if .Values.repoServer.metrics.service.annotations }} + name: {{ include "argo-cd.repoServer.fullname" . }}-metrics + labels: + {{- include "argo-cd.labels" (dict "context" . "component" .Values.repoServer.name "name" (printf "%s-metrics" .Values.repoServer.name)) | nindent 4 }} + {{- with .Values.repoServer.metrics.service.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.repoServer.metrics.service.annotations }} annotations: - {{- range $key, $value := .Values.repoServer.metrics.service.annotations }} + {{- range $key, $value := . }} {{ $key }}: {{ $value | quote }} + {{- end }} {{- end }} -{{- end }} - labels: - {{- include "argo-cd.labels" (dict "context" . "component" .Values.repoServer.name "name" (printf "%s-metrics" .Values.repoServer.name)) | nindent 4 }} -{{- if .Values.repoServer.metrics.service.labels }} -{{- toYaml .Values.repoServer.metrics.service.labels | nindent 4 }} -{{- end }} - name: {{ template "argo-cd.repoServer.fullname" . }}-metrics spec: ports: - name: {{ .Values.repoServer.metrics.service.portName }} @@ -22,4 +22,4 @@ spec: targetPort: metrics selector: {{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.repoServer.name) | nindent 4 }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/charts/argo-cd/templates/argocd-repo-server/pdb.yaml b/charts/argo-cd/templates/argocd-repo-server/pdb.yaml new file mode 100644 index 000000000..7202bd392 --- /dev/null +++ b/charts/argo-cd/templates/argocd-repo-server/pdb.yaml 
@@ -0,0 +1,26 @@ +{{- if .Values.repoServer.pdb.enabled }} +apiVersion: {{ include "argo-cd.apiVersion.pdb" . }} +kind: PodDisruptionBudget +metadata: + name: {{ include "argo-cd.repoServer.fullname" . }} + labels: + {{- include "argo-cd.labels" (dict "context" . "component" .Values.repoServer.name "name" .Values.repoServer.name) | nindent 4 }} + {{- with .Values.repoServer.pdb.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.repoServer.pdb.annotations }} + annotations: + {{- range $key, $value := . }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- end }} +spec: + {{- with .Values.repoServer.pdb.maxUnavailable }} + maxUnavailable: {{ . }} + {{- else }} + minAvailable: {{ .Values.repoServer.pdb.minAvailable | default 0 }} + {{- end }} + selector: + matchLabels: + {{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.repoServer.name) | nindent 6 }} +{{- end }} diff --git a/charts/argo-cd/templates/argocd-repo-server/poddisruptionbudget.yaml b/charts/argo-cd/templates/argocd-repo-server/poddisruptionbudget.yaml deleted file mode 100644 index d4a4c93a8..000000000 --- a/charts/argo-cd/templates/argocd-repo-server/poddisruptionbudget.yaml +++ /dev/null 
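Review bot: In `spec`, `{{- with .Values.repoServer.pdb.maxUnavailable }}` treats an integer `0` as empty, so a user who sets `maxUnavailable: 0` to block voluntary evictions falls into the `else` branch and gets `minAvailable: 0`, which permits evicting every repo-server pod. Testing for the zero value explicitly avoids this: `{{- if or .Values.repoServer.pdb.maxUnavailable (eq (toString .Values.repoServer.pdb.maxUnavailable) "0") }}` followed by `maxUnavailable: {{ .Values.repoServer.pdb.maxUnavailable }}`. Precedence also flips relative to the deleted `poddisruptionbudget.yaml`, where `minAvailable` won when both were set. That deserves a line in the upgrade notes.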
@@ -1,26 +0,0 @@ -{{- if .Values.repoServer.pdb.enabled }} -apiVersion: {{ include "argo-cd.podDisruptionBudget.apiVersion" . }} -kind: PodDisruptionBudget -metadata: - name: {{ template "argo-cd.repoServer.fullname" . }} - labels: - {{- include "argo-cd.labels" (dict "context" . "component" .Values.repoServer.name "name" .Values.repoServer.name) | nindent 4 }} - {{- with .Values.repoServer.pdb.labels }} - {{- toYaml . | nindent 4 }} - {{- end }} - {{- with .Values.repoServer.pdb.annotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - {{- if .Values.repoServer.pdb.minAvailable }} - minAvailable: {{ .Values.repoServer.pdb.minAvailable }} - {{- else if .Values.repoServer.pdb.maxUnavailable }} - maxUnavailable: {{ .Values.repoServer.pdb.maxUnavailable }} - {{- else }} - minAvailable: 0 - {{- end }} - selector: - matchLabels: - {{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.repoServer.name) | nindent 6 }} -{{- end }} diff --git a/charts/argo-cd/templates/argocd-repo-server/service.yaml b/charts/argo-cd/templates/argocd-repo-server/service.yaml index 6ab157477..541ea41ee 100644 --- a/charts/argo-cd/templates/argocd-repo-server/service.yaml +++ b/charts/argo-cd/templates/argocd-repo-server/service.yaml @@ -9,6 +9,9 @@ metadata: {{- end }} labels: {{- include "argo-cd.labels" (dict "context" . "component" .Values.repoServer.name "name" .Values.repoServer.name) | nindent 4 }} +{{- with .Values.repoServer.service.labels }} +{{- toYaml . | nindent 4 }} +{{- end }} name: {{ template "argo-cd.repoServer.fullname" . }} spec: ports: diff --git a/charts/argo-cd/templates/argocd-repo-server/serviceaccount.yaml b/charts/argo-cd/templates/argocd-repo-server/serviceaccount.yaml index b045da742..71f75583e 100644 --- a/charts/argo-cd/templates/argocd-repo-server/serviceaccount.yaml +++ b/charts/argo-cd/templates/argocd-repo-server/serviceaccount.yaml 
@@ -12,4 +12,7 @@ metadata: {{- end }} labels: {{- include "argo-cd.labels" (dict "context" . "component" .Values.repoServer.name "name" .Values.repoServer.name) | nindent 4 }} -{{- end }} \ No newline at end of file + {{- range $key, $value := .Values.repoServer.serviceAccount.labels }} + {{ $key }}: {{ $value | quote }} + {{- end }} +{{- end }} diff --git a/charts/argo-cd/templates/argocd-repo-server/servicemonitor.yaml b/charts/argo-cd/templates/argocd-repo-server/servicemonitor.yaml index 8f6bf9c8c..82937d9b8 100644 --- a/charts/argo-cd/templates/argocd-repo-server/servicemonitor.yaml +++ b/charts/argo-cd/templates/argocd-repo-server/servicemonitor.yaml @@ -14,6 +14,10 @@ metadata: {{- with .Values.repoServer.metrics.serviceMonitor.additionalLabels }} {{- toYaml . | nindent 4 }} {{- end }} + {{- with .Values.repoServer.metrics.serviceMonitor.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} spec: endpoints: - port: {{ .Values.repoServer.metrics.service.portName }} diff --git a/charts/argo-cd/templates/argocd-server/alb-grpc-service.yaml b/charts/argo-cd/templates/argocd-server/aws/service.yaml similarity index 100% rename from charts/argo-cd/templates/argocd-server/alb-grpc-service.yaml rename to charts/argo-cd/templates/argocd-server/aws/service.yaml diff --git a/charts/argo-cd/templates/argocd-server/certificate.yaml b/charts/argo-cd/templates/argocd-server/certificate.yaml index 33b348916..ed844aa2c 100644 --- a/charts/argo-cd/templates/argocd-server/certificate.yaml +++ b/charts/argo-cd/templates/argocd-server/certificate.yaml 
@@ -1,21 +1,12 @@ {{- if .Values.server.certificate.enabled -}} -{{- if .Values.apiVersionOverrides.certmanager -}} -apiVersion: {{ .Values.apiVersionOverrides.certmanager }} -{{- else if .Capabilities.APIVersions.Has "cert-manager.io/v1" }} -apiVersion: cert-manager.io/v1 -{{- else if .Capabilities.APIVersions.Has "cert-manager.io/v1alpha3" }} -apiVersion: cert-manager.io/v1alpha3 -{{- else if .Capabilities.APIVersions.Has "cert-manager.io/v1alpha2" }} -apiVersion: cert-manager.io/v1alpha2 -{{- else }} -apiVersion: certmanager.k8s.io/v1alpha1 -{{- end }} +apiVersion: {{ include "argo-cd.apiVersion.cert-manager" . }} kind: Certificate metadata: - name: {{ template "argo-cd.server.fullname" . }} + name: {{ include "argo-cd.server.fullname" . }} labels: {{- include "argo-cd.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }} spec: + secretName: {{ .Values.server.certificate.secretName }} commonName: {{ .Values.server.certificate.domain | quote }} dnsNames: - {{ .Values.server.certificate.domain | quote }} @@ -25,6 +16,9 @@ spec: {{- with .Values.server.certificate.duration }} duration: {{ . | quote }} {{- end }} + {{- with .Values.server.certificate.renewBefore }} + renewBefore: {{ . | quote }} + {{- end }} issuerRef: {{- with .Values.server.certificate.issuer.group }} group: {{ . | quote }} @@ -35,8 +29,4 @@ spec: privateKey: {{- toYaml . | nindent 4 }} {{- end }} - {{- with .Values.server.certificate.renewBefore }} - renewBefore: {{ . | quote }} - {{- end }} - secretName: {{ .Values.server.certificate.secretName | quote }} {{- end }} diff --git a/charts/argo-cd/templates/argocd-server/clusterrole.yaml b/charts/argo-cd/templates/argocd-server/clusterrole.yaml index caac062ec..2caa4dd04 100644 --- a/charts/argo-cd/templates/argocd-server/clusterrole.yaml +++ b/charts/argo-cd/templates/argocd-server/clusterrole.yaml 
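Review bot: `secretName` lost its `| quote` when the first hunk moved it to the top of `spec`, while `commonName`, `dnsNames`, `duration` and `renewBefore` keep theirs. An unset value then renders as a bare `secretName:` (null) and a number-like name is typed as a number, both of which fail only when the Certificate is applied. `secretName: {{ .Values.server.certificate.secretName | quote }}` keeps the earlier behaviour and matches the neighbouring fields.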
@@ -2,7 +2,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: {{ template "argo-cd.server.fullname" . }} + name: {{ include "argo-cd.server.fullname" . }} labels: {{- include "argo-cd.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }} rules: @@ -27,12 +27,21 @@ rules: - pods/log verbs: - get - {{- if eq (index .Values.server.config "exec.enabled") "true" }} + {{- if eq (toString (index (coalesce .Values.server.config .Values.configs.cm) "exec.enabled")) "true" }} - apiGroups: - - "" + - "" resources: - - pods/exec + - pods/exec verbs: - - create + - create {{- end }} + - apiGroups: + - argoproj.io + resources: + - applications + verbs: + - get + - list + - update + - watch {{- end }} diff --git a/charts/argo-cd/templates/argocd-server/deployment.yaml b/charts/argo-cd/templates/argocd-server/deployment.yaml index b2ca6af05..7793b11ac 100755 --- a/charts/argo-cd/templates/argocd-server/deployment.yaml +++ b/charts/argo-cd/templates/argocd-server/deployment.yaml 
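Review bot: The `pods/exec` rule in the second hunk is gated on `coalesce .Values.server.config .Values.configs.cm`, which selects the first non-empty map as a whole rather than looking up `exec.enabled` in both. If `server.config` holds any unrelated key while `exec.enabled` is set only under `configs.cm`, the lookup misses it and the rule is omitted. More generally, the RBAC grant is decided from a map that may not be the one rendered into the server's ConfigMap, so the permission and the feature flag can disagree. Deriving the flag from the same merged source that the ConfigMap template uses would keep them in step; that template is not visible here. The enclosing `if` of this ClusterRole starts outside the hunk.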
@@ -1,26 +1,32 @@ -{{- $redisHa := (index .Values "redis-ha") -}} apiVersion: apps/v1 kind: Deployment metadata: + {{- with (mergeOverwrite (deepCopy .Values.global.deploymentAnnotations) .Values.server.deploymentAnnotations) }} + annotations: + {{- range $key, $value := . }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- end }} name: {{ template "argo-cd.server.fullname" . }} labels: {{- include "argo-cd.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }} spec: + {{- if not .Values.server.autoscaling.enabled }} + replicas: {{ .Values.server.replicas }} + {{- end }} + revisionHistoryLimit: {{ .Values.global.revisionHistoryLimit }} selector: matchLabels: {{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.server.name) | nindent 6 }} - revisionHistoryLimit: 5 - {{- if (ne .Values.server.autoscaling.enabled true) }} - replicas: {{ .Values.server.replicas }} - {{- end }} template: metadata: - {{- with (mergeOverwrite (deepCopy .Values.global.podAnnotations) .Values.server.podAnnotations) }} annotations: + checksum/cmd-params: {{ include (print $.Template.BasePath "/argocd-configs/argocd-cmd-params-cm.yaml") . | sha256sum }} + {{- with (mergeOverwrite (deepCopy .Values.global.podAnnotations) .Values.server.podAnnotations) }} {{- range $key, $value := . }} {{ $key }}: {{ $value | quote }} {{- end }} - {{- end }} + {{- end }} labels: {{- include "argo-cd.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 8 }} {{- with (mergeOverwrite (deepCopy .Values.global.podLabels) .Values.server.podLabels) }} @@ -31,8 +37,9 @@ spec: imagePullSecrets: {{- toYaml . | nindent 8 }} {{- end }} - {{- if .Values.global.securityContext }} - securityContext: {{- toYaml .Values.global.securityContext | nindent 8 }} + {{- with .Values.global.securityContext }} + securityContext: + {{- toYaml . | nindent 8 }} {{- end }} containers: - name: {{ .Values.server.name }} 
@@ -40,84 +47,255 @@ spec: imagePullPolicy: {{ default .Values.global.image.imagePullPolicy .Values.server.image.imagePullPolicy }} command: - argocd-server - {{ if .Values.server.staticAssets.enabled }} - - --staticassets - - /shared/app - {{ end }} - - --repo-server - - {{ template "argo-cd.repoServer.fullname" . }}:{{ .Values.repoServer.service.port }} - {{- if .Values.dex.enabled }} - - --dex-server - - http://{{ template "argo-cd.dex.fullname" . }}:{{ .Values.dex.servicePortHttp }} - {{- end }} + {{- with .Values.server.logFormat }} - --logformat - - {{default .Values.global.logging.format .Values.server.logFormat }} + - {{ . | quote }} + {{- end }} + {{- with .Values.server.logLevel }} - --loglevel - - {{ default .Values.global.logging.level .Values.server.logLevel }} - {{- if or (and .Values.redis.enabled (not $redisHa.enabled)) (and $redisHa.enabled $redisHa.haproxy.enabled) }} - - --redis - - {{ template "argo-cd.redis.fullname" . }}:{{ .Values.redis.servicePort }} - {{- else if and .Values.externalRedis.host .Values.externalRedis.port }} - - --redis - - {{ .Values.externalRedis.host }}:{{ .Values.externalRedis.port }} + - {{ . | quote }} {{- end }} {{- with .Values.server.extraArgs }} - {{- . | toYaml | nindent 8 }} - {{- end }} - {{- if .Values.server.containerSecurityContext }} - securityContext: {{- toYaml .Values.server.containerSecurityContext | nindent 10 }} + {{- toYaml . | nindent 8 }} {{- end }} - {{- if or .Values.server.env .Values.externalRedis.password .Values.externalRedis.existingSecret }} env: - {{- include "argo-cd.redisPasswordEnv" . | nindent 8 }} {{- with .Values.server.env }} - {{- toYaml . | nindent 8 }} + {{- toYaml . 
| nindent 10 }} {{- end }} - {{- end }} + - name: ARGOCD_SERVER_INSECURE + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: server.insecure + optional: true + - name: ARGOCD_SERVER_BASEHREF + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: server.basehref + optional: true + - name: ARGOCD_SERVER_ROOTPATH + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: server.rootpath + optional: true + - name: ARGOCD_SERVER_LOGFORMAT + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: server.log.format + optional: true + - name: ARGOCD_SERVER_LOG_LEVEL + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: server.log.level + optional: true + - name: ARGOCD_SERVER_REPO_SERVER + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: repo.server + optional: true + - name: ARGOCD_SERVER_DEX_SERVER + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: server.dex.server + optional: true + - name: ARGOCD_SERVER_DISABLE_AUTH + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: server.disable.auth + optional: true + - name: ARGOCD_SERVER_ENABLE_GZIP + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: server.enable.gzip + optional: true + - name: ARGOCD_SERVER_REPO_SERVER_TIMEOUT_SECONDS + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: server.repo.server.timeout.seconds + optional: true + - name: ARGOCD_SERVER_X_FRAME_OPTIONS + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: server.x.frame.options + optional: true + - name: ARGOCD_SERVER_CONTENT_SECURITY_POLICY + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: server.content.security.policy + optional: true + - name: ARGOCD_SERVER_REPO_SERVER_PLAINTEXT + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: server.repo.server.plaintext + optional: true + - name: ARGOCD_SERVER_REPO_SERVER_STRICT_TLS + valueFrom: + configMapKeyRef: + name: 
argocd-cmd-params-cm + key: server.repo.server.strict.tls + optional: true + - name: ARGOCD_SERVER_DEX_SERVER_PLAINTEXT + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: server.dex.server.plaintext + optional: true + - name: ARGOCD_SERVER_DEX_SERVER_STRICT_TLS + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: server.dex.server.strict.tls + optional: true + - name: ARGOCD_TLS_MIN_VERSION + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: server.tls.minversion + optional: true + - name: ARGOCD_TLS_MAX_VERSION + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: server.tls.maxversion + optional: true + - name: ARGOCD_TLS_CIPHERS + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: server.tls.ciphers + optional: true + - name: ARGOCD_SERVER_CONNECTION_STATUS_CACHE_EXPIRATION + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: server.connection.status.cache.expiration + optional: true + - name: ARGOCD_SERVER_OIDC_CACHE_EXPIRATION + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: server.oidc.cache.expiration + optional: true + - name: ARGOCD_SERVER_LOGIN_ATTEMPTS_EXPIRATION + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: server.login.attempts.expiration + optional: true + - name: ARGOCD_SERVER_STATIC_ASSETS + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: server.staticassets + optional: true + - name: ARGOCD_APP_STATE_CACHE_EXPIRATION + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: server.app.state.cache.expiration + optional: true + - name: REDIS_SERVER + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: redis.server + optional: true + - name: REDIS_COMPRESSION + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: redis.compression + optional: true + - name: REDISDB + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: redis.db + optional: true + - name: 
REDIS_USERNAME + valueFrom: + secretKeyRef: + name: {{ default (include "argo-cd.redis.fullname" .) .Values.externalRedis.existingSecret }} + key: redis-username + optional: true + - name: REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: {{ default (include "argo-cd.redis.fullname" .) .Values.externalRedis.existingSecret }} + key: redis-password + optional: true + - name: ARGOCD_DEFAULT_CACHE_EXPIRATION + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: server.default.cache.expiration + optional: true + - name: ARGOCD_MAX_COOKIE_NUMBER + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: server.http.cookie.maxnumber + optional: true + - name: ARGOCD_SERVER_OTLP_ADDRESS + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: otlp.address + optional: true + - name: ARGOCD_APPLICATION_NAMESPACES + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: application.namespaces + optional: true {{- with .Values.server.envFrom }} - envFrom: {{- toYaml . | nindent 8 }} + envFrom: + {{- toYaml . | nindent 10 }} {{- end }} volumeMounts: - {{- if .Values.server.volumeMounts }} -{{- toYaml .Values.server.volumeMounts | nindent 8}} - {{- end }} - {{- if .Values.server.extensions.enabled }} - - name: extensions - mountPath: /tmp/extensions/ + {{- with .Values.server.volumeMounts }} + {{- toYaml . 
| nindent 8 }} {{- end }} - {{- if .Values.configs.knownHosts }} - mountPath: /app/config/ssh name: ssh-known-hosts - {{- end }} - mountPath: /app/config/tls name: tls-certs - mountPath: /app/config/server/tls name: argocd-repo-server-tls - {{- if .Values.configs.styles }} - - mountPath: "/shared/app/custom/custom.styles.css" - subPath: "custom.styles.css" - name: custom-styles - {{- end }} - {{- if .Values.server.containerSecurityContext.readOnlyRootFilesystem }} - - mountPath: /home/argocd/.aws - name: aws-config - {{- end }} + - mountPath: /app/config/dex/tls + name: argocd-dex-server-tls - mountPath: /home/argocd name: plugins-home + - mountPath: /shared/app/custom + name: styles - mountPath: /tmp - name: tmp-dir + name: tmp + {{- if .Values.server.extensions.enabled }} + - mountPath: /tmp/extensions + name: extensions + {{- end }} ports: - name: {{ .Values.server.name }} containerPort: {{ .Values.server.containerPort }} protocol: TCP - {{ if .Values.server.metrics.enabled }} - name: metrics containerPort: 8083 protocol: TCP - {{- end }} livenessProbe: httpGet: - path: /healthz + path: /healthz?full=true port: {{ .Values.server.containerPort }} initialDelaySeconds: {{ .Values.server.livenessProbe.initialDelaySeconds }} periodSeconds: {{ .Values.server.livenessProbe.periodSeconds }} @@ -135,9 +313,11 @@ spec: failureThreshold: {{ .Values.server.readinessProbe.failureThreshold }} resources: {{- toYaml .Values.server.resources | nindent 10 }} - {{- if .Values.server.lifecycle }} + securityContext: + {{- toYaml .Values.server.containerSecurityContext | nindent 10 }} + {{- with .Values.server.lifecycle }} lifecycle: - {{- toYaml .Values.server.lifecycle | nindent 10 }} + {{- toYaml . | nindent 10 }} {{- end }} {{- with .Values.server.extraContainers }} {{- toYaml . | nindent 6 }} 
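Review bot: In the server container's `env` list, `REDIS_PASSWORD` is read from the secret named by `externalRedis.existingSecret` with `optional: true`, so a misspelled or missing secret lets the pod start without Redis credentials instead of failing at creation. If a password is always expected whenever an existing secret is configured, the reference can be made mandatory in that case with `optional: {{ not .Values.externalRedis.existingSecret }}`. The same `REDIS_USERNAME`/`REDIS_PASSWORD` entries appear in the repo-server deployment earlier in this diff and would take the same change.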
@@ -146,69 +326,70 @@ spec: - name: argocd-extensions image: {{ .Values.server.extensions.image.repository }}:{{ .Values.server.extensions.image.tag }} imagePullPolicy: {{ .Values.server.extensions.image.imagePullPolicy }} + resources: + {{- toYaml .Values.server.extensions.resources | nindent 10 }} + securityContext: + {{- toYaml .Values.server.extensions.containerSecurityContext | nindent 10 }} volumeMounts: - name: extensions mountPath: /tmp/extensions/ - resources: - {{- toYaml .Values.server.extensions.resources | nindent 10 }} + - name: tmp + mountPath: /tmp {{- end }} - {{- if .Values.server.nodeSelector }} + {{- with .Values.server.nodeSelector }} nodeSelector: -{{- toYaml .Values.server.nodeSelector | nindent 8 }} - {{- end }} - {{- if .Values.server.tolerations }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.server.tolerations }} tolerations: -{{- toYaml .Values.server.tolerations | nindent 8 }} - {{- end }} - {{- if .Values.server.affinity }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.server.affinity }} affinity: -{{- toYaml .Values.server.affinity | nindent 8 }} - {{- end }} - {{- with .Values.server.topologySpreadConstraints }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.server.topologySpreadConstraints }} topologySpreadConstraints: - {{- range $constraint := . }} + {{- range $constraint := . }} - {{ toYaml $constraint | nindent 8 | trim }} {{- if not $constraint.labelSelector }} labelSelector: matchLabels: {{- include "argo-cd.selectorLabels" (dict "context" $ "name" $.Values.server.name) | nindent 12 }} {{- end }} + {{- end }} {{- end }} - {{- end }} serviceAccountName: {{ template "argo-cd.serverServiceAccountName" . }} {{- with .Values.global.hostAliases }} hostAliases: {{- toYaml . | nindent 6 }} {{- end }} volumes: - {{- if .Values.server.volumes }} -{{- toYaml .Values.server.volumes | nindent 6}} + {{- with .Values.server.volumes }} + {{- toYaml . 
| nindent 6}} {{- end }} {{- if .Values.server.extensions.enabled }} - name: extensions emptyDir: {} {{- end }} - - emptyDir: {} - name: tmp-dir - {{- if .Values.server.containerSecurityContext.readOnlyRootFilesystem }} - - emptyDir: {} - name: aws-config - {{- end }} - {{- if .Values.configs.styles }} - - configMap: - name: argocd-custom-styles - name: custom-styles - {{- end }} - {{- if .Values.configs.knownHosts }} - - configMap: + - name: plugins-home + emptyDir: {} + - name: tmp + emptyDir: {} + - name: ssh-known-hosts + configMap: name: argocd-ssh-known-hosts-cm - name: ssh-known-hosts - {{- end }} - - configMap: + - name: tls-certs + configMap: name: argocd-tls-certs-cm - name: tls-certs + - name: styles + configMap: + name: argocd-styles-cm + optional: true - name: argocd-repo-server-tls secret: + secretName: argocd-repo-server-tls + optional: true items: - key: tls.crt path: tls.crt @@ -216,14 +397,19 @@ spec: path: tls.key - key: ca.crt path: ca.crt + - name: argocd-dex-server-tls + secret: + secretName: argocd-dex-server-tls optional: true - secretName: argocd-repo-server-tls - - emptyDir: {} - name: plugins-home - {{- if .Values.server.initContainers }} + items: + - key: tls.crt + path: tls.crt + - key: ca.crt + path: ca.crt + {{- with .Values.server.initContainers }} initContainers: - {{- toYaml .Values.server.initContainers | nindent 6 }} + {{- toYaml . | nindent 6 }} + {{- end }} + {{- with .Values.server.priorityClassName }} + priorityClassName: {{ . }} {{- end }} -{{- if .Values.server.priorityClassName }} - priorityClassName: {{ .Values.server.priorityClassName }} -{{- end }} diff --git a/charts/argo-cd/templates/argocd-server/extensions-rolebinding.yaml b/charts/argo-cd/templates/argocd-server/extensions-rolebinding.yaml deleted file mode 100644 index 3e8ec5d63..000000000 --- a/charts/argo-cd/templates/argocd-server/extensions-rolebinding.yaml +++ /dev/null 
@@ -1,15 +0,0 @@ -{{- if .Values.server.extensions.enabled }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - labels: - {{- include "argo-cd.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }} - name: argocd-server-extensions -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: argocd-server-extensions -subjects: -- kind: ServiceAccount - name: argocd-server -{{- end }} diff --git a/charts/argo-cd/templates/argocd-server/extensions.yaml b/charts/argo-cd/templates/argocd-server/extensions.yaml deleted file mode 100644 index 5ac595db8..000000000 --- a/charts/argo-cd/templates/argocd-server/extensions.yaml +++ /dev/null @@ -1,17 +0,0 @@ -{{- if .Values.server.extensions.enabled }} -{{- range $extension := .Values.server.extensions.contents }} ---- -apiVersion: argoproj.io/v1alpha1 -kind: ArgoCDExtension -metadata: - name: {{ $extension.name }} - finalizers: - - extensions-finalizer.argocd.argoproj.io - labels: - {{- include "argo-cd.labels" (dict "context" $ "component" $.Values.server.name "name" (printf "%s-extensions" $.Values.server.name)) | nindent 4 }} -spec: - sources: - - web: - url: {{ $extension.url }} -{{- end }} -{{- end }} diff --git a/charts/argo-cd/templates/argocd-server/extentions-role.yaml b/charts/argo-cd/templates/argocd-server/extentions-role.yaml deleted file mode 100644 index 53e592aea..000000000 --- a/charts/argo-cd/templates/argocd-server/extentions-role.yaml +++ /dev/null @@ -1,21 +0,0 @@ -{{- if .Values.server.extensions.enabled }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - labels: - {{- include "argo-cd.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }} - name: argocd-server-extensions -rules: -- apiGroups: - - argoproj.io - resources: - - argocdextensions - verbs: - - create - - get - - list - - watch - - update - - delete - - patch -{{- end }} 
diff --git a/charts/argo-cd/templates/argocd-server/backendconfig.yaml b/charts/argo-cd/templates/argocd-server/gke/backendconfig.yaml similarity index 84% rename from charts/argo-cd/templates/argocd-server/backendconfig.yaml rename to charts/argo-cd/templates/argocd-server/gke/backendconfig.yaml index 16c99c0a3..69a420930 100644 --- a/charts/argo-cd/templates/argocd-server/backendconfig.yaml +++ b/charts/argo-cd/templates/argocd-server/gke/backendconfig.yaml @@ -1,5 +1,5 @@ {{- if .Values.server.GKEbackendConfig.enabled }} -apiVersion: cloud.google.com/v1beta1 +apiVersion: {{ include "argo-cd.apiVersions.cloudgoogle" . }} kind: BackendConfig metadata: name: {{ template "argo-cd.server.fullname" . }} diff --git a/charts/argo-cd/templates/argocd-server/frontendconfig.yaml b/charts/argo-cd/templates/argocd-server/gke/frontendconfig.yaml similarity index 100% rename from charts/argo-cd/templates/argocd-server/frontendconfig.yaml rename to charts/argo-cd/templates/argocd-server/gke/frontendconfig.yaml diff --git a/charts/argo-cd/templates/argocd-server/managedCertificate.yaml b/charts/argo-cd/templates/argocd-server/gke/managedcertificate.yaml similarity index 100% rename from charts/argo-cd/templates/argocd-server/managedCertificate.yaml rename to charts/argo-cd/templates/argocd-server/gke/managedcertificate.yaml diff --git a/charts/argo-cd/templates/argocd-server/hpa.yaml b/charts/argo-cd/templates/argocd-server/hpa.yaml index c8df50171..af107b7fb 100644 --- a/charts/argo-cd/templates/argocd-server/hpa.yaml +++ b/charts/argo-cd/templates/argocd-server/hpa.yaml @@ -1,5 +1,5 @@ {{- if .Values.server.autoscaling.enabled }} -apiVersion: {{ include "argo-cd.autoscaling.apiVersion" . }} +apiVersion: {{ include "argo-cd.apiVersion.autoscaling" . }} kind: HorizontalPodAutoscaler metadata: labels: 
@@ -17,7 +17,7 @@ spec: - type: Resource resource: name: memory - {{- if eq (include "argo-cd.autoscaling.apiVersion" $) "autoscaling/v2beta1" }} + {{- if eq (include "argo-cd.apiVersion.autoscaling" $) "autoscaling/v2beta1" }} targetAverageUtilization: {{ . }} {{- else }} target: @@ -29,7 +29,7 @@ spec: - type: Resource resource: name: cpu - {{- if eq (include "argo-cd.autoscaling.apiVersion" $) "autoscaling/v2beta1" }} + {{- if eq (include "argo-cd.apiVersion.autoscaling" $) "autoscaling/v2beta1" }} targetAverageUtilization: {{ . }} {{- else }} target: diff --git a/charts/argo-cd/templates/argocd-server/ingress-grpc.yaml b/charts/argo-cd/templates/argocd-server/ingress-grpc.yaml index fb8cabaef..543040075 100644 --- a/charts/argo-cd/templates/argocd-server/ingress-grpc.yaml +++ b/charts/argo-cd/templates/argocd-server/ingress-grpc.yaml @@ -4,7 +4,7 @@ {{- $paths := .Values.server.ingressGrpc.paths -}} {{- $extraPaths := .Values.server.ingressGrpc.extraPaths -}} {{- $pathType := .Values.server.ingressGrpc.pathType -}} -apiVersion: {{ include "argo-cd.ingress.apiVersion" . }} +apiVersion: {{ include "argo-cd.apiVersion.ingress" . }} kind: Ingress metadata: {{- if .Values.server.ingressGrpc.annotations }} @@ -20,7 +20,7 @@ metadata: {{- toYaml .Values.server.ingressGrpc.labels | nindent 4 }} {{- end }} spec: - {{- if eq (include "argo-cd.ingress.apiVersion" $) "networking.k8s.io/v1" }} + {{- if eq (include "argo-cd.apiVersion.ingress" $) "networking.k8s.io/v1" }} {{- with .Values.server.ingressGrpc.ingressClassName }} ingressClassName: {{ . }} {{- end }} 
@@ -36,11 +36,11 @@ spec: {{- end -}} {{- range $p := $paths }} - path: {{ $p }} - {{- if eq (include "argo-cd.ingress.apiVersion" $) "networking.k8s.io/v1" }} + {{- if eq (include "argo-cd.apiVersion.ingress" $) "networking.k8s.io/v1" }} pathType: {{ $pathType }} {{- end }} backend: - {{- if eq (include "argo-cd.ingress.apiVersion" $) "networking.k8s.io/v1" }} + {{- if eq (include "argo-cd.apiVersion.ingress" $) "networking.k8s.io/v1" }} service: name: {{ $serviceName }} port: @@ -63,11 +63,11 @@ spec: {{- end -}} {{- range $p := $paths }} - path: {{ $p }} - {{- if eq (include "argo-cd.ingress.apiVersion" $) "networking.k8s.io/v1" }} + {{- if eq (include "argo-cd.apiVersion.ingress" $) "networking.k8s.io/v1" }} pathType: {{ $pathType }} {{- end }} backend: - {{- if eq (include "argo-cd.ingress.apiVersion" $) "networking.k8s.io/v1" }} + {{- if eq (include "argo-cd.apiVersion.ingress" $) "networking.k8s.io/v1" }} service: name: {{ $serviceName }} port: diff --git a/charts/argo-cd/templates/argocd-server/ingress.yaml b/charts/argo-cd/templates/argocd-server/ingress.yaml index 576b94df2..aeb60d242 100644 --- a/charts/argo-cd/templates/argocd-server/ingress.yaml +++ b/charts/argo-cd/templates/argocd-server/ingress.yaml @@ -4,7 +4,7 @@ {{- $paths := .Values.server.ingress.paths -}} {{- $extraPaths := .Values.server.ingress.extraPaths -}} {{- $pathType := .Values.server.ingress.pathType -}} -apiVersion: {{ include "argo-cd.ingress.apiVersion" . }} +apiVersion: {{ include "argo-cd.apiVersion.ingress" . }} kind: Ingress metadata: {{- if .Values.server.ingress.annotations }} @@ -24,7 +24,7 @@ metadata: {{- toYaml .Values.server.ingress.labels | nindent 4 }} {{- end }} spec: - {{- if eq (include "argo-cd.ingress.apiVersion" $) "networking.k8s.io/v1" }} + {{- if eq (include "argo-cd.apiVersion.ingress" $) "networking.k8s.io/v1" }} {{- with .Values.server.ingress.ingressClassName }} ingressClassName: {{ . }} {{- end }} 
@@ -41,11 +41,11 @@ spec: {{- range $p := $paths }} {{- if and $.Values.server.ingressGrpc.isAWSALB $.Values.server.ingressGrpc.enabled }} - path: {{ $p }} - {{- if eq (include "argo-cd.ingress.apiVersion" $) "networking.k8s.io/v1" }} + {{- if eq (include "argo-cd.apiVersion.ingress" $) "networking.k8s.io/v1" }} pathType: Prefix {{- end }} backend: - {{- if eq (include "argo-cd.ingress.apiVersion" $) "networking.k8s.io/v1" }} + {{- if eq (include "argo-cd.apiVersion.ingress" $) "networking.k8s.io/v1" }} service: name: {{ template "argo-cd.server.fullname" $ }}-grpc port: @@ -60,11 +60,11 @@ spec: {{- end }} {{- end }} - path: {{ $p }} - {{- if eq (include "argo-cd.ingress.apiVersion" $) "networking.k8s.io/v1" }} + {{- if eq (include "argo-cd.apiVersion.ingress" $) "networking.k8s.io/v1" }} pathType: {{ $pathType }} {{- end }} backend: - {{- if eq (include "argo-cd.ingress.apiVersion" $) "networking.k8s.io/v1" }} + {{- if eq (include "argo-cd.apiVersion.ingress" $) "networking.k8s.io/v1" }} service: name: {{ $serviceName }} port: @@ -87,11 +87,11 @@ spec: {{- end }} {{- range $p := $paths }} - path: {{ $p }} - {{- if eq (include "argo-cd.ingress.apiVersion" $) "networking.k8s.io/v1" }} + {{- if eq (include "argo-cd.apiVersion.ingress" $) "networking.k8s.io/v1" }} pathType: {{ $pathType }} {{- end }} backend: - {{- if eq (include "argo-cd.ingress.apiVersion" $) "networking.k8s.io/v1" }} + {{- if eq (include "argo-cd.apiVersion.ingress" $) "networking.k8s.io/v1" }} service: name: {{ $serviceName }} port: diff --git a/charts/argo-cd/templates/argocd-server/metrics-service.yaml b/charts/argo-cd/templates/argocd-server/metrics.yaml similarity index 65% rename from charts/argo-cd/templates/argocd-server/metrics-service.yaml rename to charts/argo-cd/templates/argocd-server/metrics.yaml index 4d19dc076..bf8ee083f 100644 --- a/charts/argo-cd/templates/argocd-server/metrics-service.yaml +++ b/charts/argo-cd/templates/argocd-server/metrics.yaml 
@@ -2,18 +2,18 @@ apiVersion: v1 kind: Service metadata: - {{- if .Values.server.metrics.service.annotations }} + name: {{ include "argo-cd.server.fullname" . }}-metrics + labels: + {{- include "argo-cd.labels" (dict "context" . "component" .Values.server.name "name" (printf "%s-metrics" .Values.server.name)) | nindent 4 }} + {{- with .Values.server.metrics.service.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.server.metrics.service.annotations }} annotations: - {{- range $key, $value := .Values.server.metrics.service.annotations }} + {{- range $key, $value := . }} {{ $key }}: {{ $value | quote }} + {{- end }} {{- end }} -{{- end }} - labels: - {{- include "argo-cd.labels" (dict "context" . "component" .Values.server.name "name" (printf "%s-metrics" .Values.server.name)) | nindent 4 }} -{{- if .Values.server.metrics.service.labels }} -{{- toYaml .Values.server.metrics.service.labels | nindent 4 }} -{{- end }} - name: {{ template "argo-cd.server.fullname" . }}-metrics spec: ports: - name: {{ .Values.server.metrics.service.portName }} @@ -22,4 +22,4 @@ spec: targetPort: metrics selector: {{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.server.name) | nindent 4 }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/charts/argo-cd/templates/argocd-server/route.yaml b/charts/argo-cd/templates/argocd-server/openshift/route.yaml similarity index 100% rename from charts/argo-cd/templates/argocd-server/route.yaml rename to charts/argo-cd/templates/argocd-server/openshift/route.yaml diff --git a/charts/argo-cd/templates/argocd-server/pdb.yaml b/charts/argo-cd/templates/argocd-server/pdb.yaml new file mode 100644 index 000000000..81d3367be --- /dev/null +++ b/charts/argo-cd/templates/argocd-server/pdb.yaml 
@@ -0,0 +1,26 @@ +{{- if .Values.server.pdb.enabled }} +apiVersion: {{ include "argo-cd.apiVersion.pdb" . }} +kind: PodDisruptionBudget +metadata: + name: {{ include "argo-cd.server.fullname" . }} + labels: + {{- include "argo-cd.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }} + {{- with .Values.server.pdb.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.server.pdb.annotations }} + annotations: + {{- range $key, $value := . }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- end }} +spec: + {{- with .Values.server.pdb.maxUnavailable }} + maxUnavailable: {{ . }} + {{- else }} + minAvailable: {{ .Values.server.pdb.minAvailable | default 0 }} + {{- end }} + selector: + matchLabels: + {{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.server.name) | nindent 6 }} +{{- end }} diff --git a/charts/argo-cd/templates/argocd-server/poddisruptionbudget.yaml b/charts/argo-cd/templates/argocd-server/poddisruptionbudget.yaml deleted file mode 100644 index 29784ce65..000000000 --- a/charts/argo-cd/templates/argocd-server/poddisruptionbudget.yaml +++ /dev/null 
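Review bot: In the new `argocd-server/pdb.yaml`, `{{- with .Values.server.pdb.maxUnavailable }}` treats an integer `0` as empty, so a release that sets `maxUnavailable: 0` to block voluntary evictions falls through to `minAvailable: {{ ... | default 0 }}` and gets a budget that lets every pod be evicted. The deleted `poddisruptionbudget.yaml` gave `minAvailable` precedence when both values were set; this template gives it to `maxUnavailable`, so the rendered budget can change on upgrade without any error. Which presence test is right depends on the default in values.yaml, which is not shown here; with an empty-string default, `{{- if ne (toString .Values.server.pdb.maxUnavailable) "" }}` followed by `maxUnavailable: {{ .Values.server.pdb.maxUnavailable }}` keeps `0` usable. The same construct is in the new `dex/pdb.yaml` later in this diff.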
@@ -1,26 +0,0 @@ -{{- if .Values.server.pdb.enabled }} -apiVersion: {{ include "argo-cd.podDisruptionBudget.apiVersion" . }} -kind: PodDisruptionBudget -metadata: - name: {{ template "argo-cd.server.fullname" . }} - labels: - {{- include "argo-cd.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }} - {{- with .Values.server.pdb.labels }} - {{- toYaml . | nindent 4 }} - {{- end }} - {{- with .Values.server.pdb.annotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - {{- if .Values.server.pdb.minAvailable }} - minAvailable: {{ .Values.server.pdb.minAvailable }} - {{- else if .Values.server.pdb.maxUnavailable }} - maxUnavailable: {{ .Values.server.pdb.maxUnavailable }} - {{- else }} - minAvailable: 0 - {{- end }} - selector: - matchLabels: - {{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.server.name) | nindent 6 }} -{{- end }} diff --git a/charts/argo-cd/templates/argocd-server/role.yaml b/charts/argo-cd/templates/argocd-server/role.yaml index 46eb68d52..f4c5d533e 100644 --- a/charts/argo-cd/templates/argocd-server/role.yaml +++ b/charts/argo-cd/templates/argocd-server/role.yaml @@ -1,7 +1,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: {{ template "argo-cd.server.fullname" . }} + name: {{ include "argo-cd.server.fullname" . }} labels: {{- include "argo-cd.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }} rules: @@ -22,7 +22,11 @@ rules: - argoproj.io resources: - applications + - applicationsets - appprojects + {{- if .Values.server.extensions.enabled }} + - argocdextensions + {{- end }} verbs: - create - get @@ -37,4 +41,4 @@ rules: - events verbs: - create - - list \ No newline at end of file + - list diff --git a/charts/argo-cd/templates/argocd-server/serviceaccount.yaml b/charts/argo-cd/templates/argocd-server/serviceaccount.yaml index cd95480b7..a2eb9b119 100644 
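Review bot: `applicationsets` is granted to the server Role unconditionally in the `@@ -22,7 +22,11 @@` hunk of `argocd-server/role.yaml`, although `argocdextensions` right below it is wrapped in `{{- if .Values.server.extensions.enabled }}` and the ApplicationSet CRD is only installed when `.Values.applicationSet.enabled` is set (see `crd-applicationset.yaml` later in this diff). If the server only needs that resource when the controller is deployed, gating it the same way keeps the Role to what the release actually uses: `{{- if .Values.applicationSet.enabled }}`, `- applicationsets`, `{{- end }}`. The verb list for this rule begins with `create` and `get` and continues outside the hunk, so the full set of verbs granted on the new resource cannot be checked from here.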
--- a/charts/argo-cd/templates/argocd-server/serviceaccount.yaml +++ b/charts/argo-cd/templates/argocd-server/serviceaccount.yaml @@ -12,4 +12,7 @@ metadata: {{- end }} labels: {{- include "argo-cd.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }} + {{- range $key, $value := .Values.server.serviceAccount.labels }} + {{ $key }}: {{ $value | quote }} + {{- end }} {{- end }} diff --git a/charts/argo-cd/templates/argocd-server/servicemonitor.yaml b/charts/argo-cd/templates/argocd-server/servicemonitor.yaml index 61d31390c..d00e5657d 100644 --- a/charts/argo-cd/templates/argocd-server/servicemonitor.yaml +++ b/charts/argo-cd/templates/argocd-server/servicemonitor.yaml @@ -14,6 +14,10 @@ metadata: {{- with .Values.server.metrics.serviceMonitor.additionalLabels }} {{- toYaml . | nindent 4 }} {{- end }} + annotations: + {{- range $key, $value := .Values.server.metrics.serviceMonitor.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} spec: endpoints: - port: {{ .Values.server.metrics.service.portName }} diff --git a/charts/argo-cd/templates/crds/crd-application.yaml b/charts/argo-cd/templates/crds/crd-application.yaml index bb798cf9a..23f9b6b31 100644 --- a/charts/argo-cd/templates/crds/crd-application.yaml +++ b/charts/argo-cd/templates/crds/crd-application.yaml @@ -343,8 +343,8 @@ spec: and is only valid for applications sourced from Git. type: string plugin: - description: ConfigManagementPlugin holds config management - plugin specific options + description: Plugin holds config management plugin specific + options properties: env: description: Env is a list of environment variable entries 
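Review bot: In `argocd-server/servicemonitor.yaml` the added `annotations:` key is emitted even when `.Values.server.metrics.serviceMonitor.annotations` is empty, which renders a bare `annotations:` (null) in the ServiceMonitor metadata. The dex ServiceMonitor changed in this same diff guards the key, and the server one can follow it by wrapping the block in `{{- with .Values.server.metrics.serviceMonitor.annotations }}` … `{{- end }}` and ranging over `.`. That would also settle on one of the two rendering styles (`toYaml` versus `range` with `quote`) that the commit currently mixes between the two ServiceMonitors.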
@@ -689,8 +689,7 @@ spec: and is only valid for applications sourced from Git. type: string plugin: - description: ConfigManagementPlugin holds config management plugin - specific options + description: Plugin holds config management plugin specific options properties: env: description: Env is a list of environment variable entries @@ -1045,8 +1044,8 @@ spec: and is only valid for applications sourced from Git. type: string plugin: - description: ConfigManagementPlugin holds config management - plugin specific options + description: Plugin holds config management plugin specific + options properties: env: description: Env is a list of environment variable entries @@ -1417,8 +1416,8 @@ spec: from Git. type: string plugin: - description: ConfigManagementPlugin holds config management - plugin specific options + description: Plugin holds config management plugin + specific options properties: env: description: Env is a list of environment variable @@ -1761,8 +1760,8 @@ spec: and is only valid for applications sourced from Git. type: string plugin: - description: ConfigManagementPlugin holds config management - plugin specific options + description: Plugin holds config management plugin specific + options properties: env: description: Env is a list of environment variable @@ -1813,6 +1812,10 @@ spec: reconciled using the latest git version format: date-time type: string + resourceHealthSource: + description: 'ResourceHealthSource indicates where the resource health + status is stored: inline if not set or appTree' + type: string resources: description: Resources is a list of Kubernetes resources managed by this application @@ -1849,6 +1852,9 @@ spec: description: SyncStatusCode is a type which represents possible comparison results type: string + syncWave: + format: int64 + type: integer version: type: string type: object 
@@ -2095,8 +2101,8 @@ spec: and is only valid for applications sourced from Git. type: string plugin: - description: ConfigManagementPlugin holds config management - plugin specific options + description: Plugin holds config management plugin specific + options properties: env: description: Env is a list of environment variable diff --git a/charts/argo-cd/templates/crds/crd-applicationset.yaml b/charts/argo-cd/templates/crds/crd-applicationset.yaml index 2a6c56ecf..48dd57c57 100644 --- a/charts/argo-cd/templates/crds/crd-applicationset.yaml +++ b/charts/argo-cd/templates/crds/crd-applicationset.yaml @@ -1,4 +1,4 @@ -{{- if .Values.crds.install }} +{{- if and .Values.crds.install .Values.applicationSet.enabled }} apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: @@ -9,7 +9,6 @@ metadata: {{- with .Values.crds.annotations }} {{- toYaml . | nindent 4 }} {{- end }} - controller-gen.kubebuilder.io/version: v0.3.0 labels: app.kubernetes.io/name: applicationsets.argoproj.io app.kubernetes.io/part-of: argocd @@ -2381,6 +2380,8 @@ spec: properties: api: type: string + appSecretName: + type: string labels: items: type: string @@ -2403,6 +2404,31 @@ spec: - owner - repo type: object + gitlab: + properties: + api: + type: string + labels: + items: + type: string + type: array + project: + type: string + pullRequestState: + type: string + tokenRef: + properties: + key: + type: string + secretName: + type: string + required: + - key + - secretName + type: object + required: + - project + type: object requeueAfterSeconds: format: int64 type: integer 
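Review bot: Turning `applicationSet.enabled` off on an installed release now stops rendering `crd-applicationset.yaml` (hunk `@@ -1,4 +1,4 @@`), and Helm then removes the CRD from the cluster together with every ApplicationSet object, unless a keep policy is applied on lines outside this hunk. `crd-extension.yaml` gets the same kind of condition with `.Values.server.extensions.enabled` further down. A comment above the condition would warn operators, for example `{{- /* Disabling applicationSet.enabled on an installed release removes this CRD and all ApplicationSet resources */ -}}`. The annotations block should also carry `helm.sh/resource-policy: keep` if it does not already.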
@@ -2664,6 +2690,31 @@ spec: type: object scmProvider: properties: + azureDevOps: + properties: + accessTokenRef: + properties: + key: + type: string + secretName: + type: string + required: + - key + - secretName + type: object + allBranches: + type: boolean + api: + type: string + organization: + type: string + teamProject: + type: string + required: + - accessTokenRef + - organization + - teamProject + type: object bitbucket: properties: allBranches: @@ -2768,6 +2819,8 @@ spec: type: boolean api: type: string + appSecretName: + type: string organization: type: string tokenRef: @@ -3065,6 +3118,29 @@ spec: - spec type: object type: object + selector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object type: object type: array template: @@ -4534,6 +4610,8 @@ spec: properties: api: type: string + appSecretName: + type: string labels: items: type: string @@ -4556,6 +4634,31 @@ spec: - owner - repo type: object + gitlab: + properties: + api: + type: string + labels: + items: + type: string + type: array + project: + type: string + pullRequestState: + type: string + tokenRef: + properties: + key: + type: string + secretName: + type: string + required: + - key + - secretName + type: object + required: + - project + type: object requeueAfterSeconds: format: int64 type: integer @@ -4817,6 +4920,31 @@ spec: type: object scmProvider: properties: + azureDevOps: + properties: + accessTokenRef: + properties: + key: + type: string + secretName: + type: string + required: + - key + - secretName + type: object + allBranches: + type: boolean + api: + type: string + organization: + type: string + teamProject: + type: string + required: + - accessTokenRef + - organization + - teamProject + type: object bitbucket: properties: allBranches: 
@@ -4921,6 +5049,8 @@ spec: type: boolean api: type: string + appSecretName: + type: string organization: type: string tokenRef: @@ -5218,6 +5348,29 @@ spec: - spec type: object type: object + selector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object type: object type: array mergeKeys: @@ -5552,6 +5705,8 @@ spec: properties: api: type: string + appSecretName: + type: string labels: items: type: string @@ -5574,6 +5729,31 @@ spec: - owner - repo type: object + gitlab: + properties: + api: + type: string + labels: + items: + type: string + type: array + project: + type: string + pullRequestState: + type: string + tokenRef: + properties: + key: + type: string + secretName: + type: string + required: + - key + - secretName + type: object + required: + - project + type: object requeueAfterSeconds: format: int64 type: integer @@ -5835,6 +6015,31 @@ spec: type: object scmProvider: properties: + azureDevOps: + properties: + accessTokenRef: + properties: + key: + type: string + secretName: + type: string + required: + - key + - secretName + type: object + allBranches: + type: boolean + api: + type: string + organization: + type: string + teamProject: + type: string + required: + - accessTokenRef + - organization + - teamProject + type: object bitbucket: properties: allBranches: @@ -5939,6 +6144,8 @@ spec: type: boolean api: type: string + appSecretName: + type: string organization: type: string tokenRef: 
@@ -6236,8 +6443,33 @@ spec: - spec type: object type: object + selector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object type: object type: array + goTemplate: + type: boolean syncPolicy: properties: preserveResourcesOnDeletion: diff --git a/charts/argo-cd/templates/crds/crd-extension.yaml b/charts/argo-cd/templates/crds/crd-extension.yaml index 4105cbe7c..802f0e8cc 100644 --- a/charts/argo-cd/templates/crds/crd-extension.yaml +++ b/charts/argo-cd/templates/crds/crd-extension.yaml @@ -1,4 +1,4 @@ -{{- if .Values.crds.install }} +{{- if and .Values.crds.install .Values.server.extensions.enabled }} apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: diff --git a/charts/argo-cd/templates/crds/crd-project.yaml b/charts/argo-cd/templates/crds/crd-project.yaml index ae4645cd7..81e57d820 100644 --- a/charts/argo-cd/templates/crds/crd-project.yaml +++ b/charts/argo-cd/templates/crds/crd-project.yaml @@ -167,6 +167,10 @@ spec: for apps which have orphaned resources type: boolean type: object + permitOnlyProjectScopedClusters: + description: PermitOnlyProjectScopedClusters determines whether destinations + can only reference clusters which are project-scoped + type: boolean roles: description: Roles are user defined RBAC roles associated with this project @@ -229,6 +233,12 @@ spec: - keyID type: object type: array + sourceNamespaces: + description: SourceNamespaces defines the namespaces application resources + are allowed to be created in + items: + type: string + type: array sourceRepos: description: SourceRepos contains list of repository URLs which can be used for deployment 
diff --git a/charts/argo-cd/templates/dex/deployment.yaml b/charts/argo-cd/templates/dex/deployment.yaml index 6ce4a36db..5900070f1 100755 --- a/charts/argo-cd/templates/dex/deployment.yaml +++ b/charts/argo-cd/templates/dex/deployment.yaml @@ -2,21 +2,33 @@ apiVersion: apps/v1 kind: Deployment metadata: + {{- with (mergeOverwrite (deepCopy .Values.global.deploymentAnnotations) .Values.dex.deploymentAnnotations) }} + annotations: + {{- range $key, $value := . }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- end }} name: {{ template "argo-cd.dex.fullname" . }} labels: {{- include "argo-cd.labels" (dict "context" . "component" .Values.dex.name "name" .Values.dex.name) | nindent 4 }} spec: + replicas: 1 + revisionHistoryLimit: {{ .Values.global.revisionHistoryLimit }} selector: matchLabels: {{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.dex.name) | nindent 6 }} template: metadata: - {{- with (mergeOverwrite (deepCopy .Values.global.podAnnotations) .Values.dex.podAnnotations) }} annotations: + checksum/cmd-params: {{ include (print $.Template.BasePath "/argocd-configs/argocd-cmd-params-cm.yaml") . | sha256sum }} + {{- if .Values.dex.certificateSecret.enabled }} + checksum/dex-server-tls: {{ include (print $.Template.BasePath "/argocd-configs/argocd-dex-server-tls-secret.yaml") . | sha256sum }} + {{- end }} + {{- with (mergeOverwrite (deepCopy .Values.global.podAnnotations) .Values.dex.podAnnotations) }} {{- range $key, $value := . }} {{ $key }}: {{ $value | quote }} {{- end }} - {{- end }} + {{- end }} labels: {{- include "argo-cd.labels" (dict "context" . "component" .Values.dex.name "name" .Values.dex.name) | nindent 8 }} {{- with (mergeOverwrite (deepCopy .Values.global.podLabels) .Values.dex.podLabels) }} 
@@ -27,18 +39,14 @@ spec: imagePullSecrets: {{- toYaml . | nindent 8 }} {{- end }} - {{- if .Values.global.securityContext }} - securityContext: {{- toYaml .Values.global.securityContext | nindent 8 }} + {{- with.Values.global.securityContext }} + securityContext: + {{- toYaml . | nindent 8 }} {{- end }} initContainers: - name: copyutil image: {{ default .Values.global.image.repository .Values.dex.initImage.repository }}:{{ default (include "argo-cd.defaultTag" .) .Values.dex.initImage.tag }} imagePullPolicy: {{ default .Values.global.image.imagePullPolicy .Values.dex.initImage.imagePullPolicy }} - resources: -{{- toYaml .Values.dex.resources | nindent 10 }} - {{- if .Values.dex.containerSecurityContext }} - securityContext: {{- toYaml .Values.dex.containerSecurityContext | nindent 10 }} - {{- end }} command: - cp - -n @@ -47,8 +55,14 @@ spec: volumeMounts: - mountPath: /shared name: static-files - {{- if .Values.dex.initContainers }} - {{- toYaml .Values.dex.initContainers | nindent 6 }} + - mountPath: /tmp + name: dexconfig + resources: + {{- toYaml .Values.dex.resources | nindent 10 }} + securityContext: + {{- toYaml .Values.dex.containerSecurityContext | nindent 10 }} + {{- with .Values.dex.initContainers }} + {{- toYaml . | nindent 6 }} {{- end }} containers: - name: {{ .Values.dex.name }} 
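Review bot: `{{- with.Values.global.securityContext }}` in the `@@ -27,18 +39,14 @@` hunk of `dex/deployment.yaml` is missing the space after `with`; even if the template engine accepts it, it should read `{{- with .Values.global.securityContext }}` like the other `with` actions in this file. Across this hunk and the next one, the copyutil init container's `securityContext:` moves from an `if .Values.dex.containerSecurityContext` guard to an unconditional `toYaml`, so an unset value now renders an empty security context on the init container. A one-line comment above it, such as `# containerSecurityContext must have a hardened default in values.yaml; it is rendered unconditionally`, would make that dependency visible.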
@@ -56,19 +70,24 @@ spec: imagePullPolicy: {{ default .Values.global.image.imagePullPolicy .Values.dex.image.imagePullPolicy }} command: - /shared/argocd-dex + args: - rundex {{- with .Values.dex.extraArgs }} - {{- . | toYaml | nindent 8 }} - {{- end }} - {{- if .Values.dex.containerSecurityContext }} - securityContext: {{- toYaml .Values.dex.containerSecurityContext | nindent 10 }} + {{- toYaml . | nindent 8 }} {{- end }} - {{- if .Values.dex.env }} env: -{{- toYaml .Values.dex.env | nindent 8 }} - {{- end }} + {{- with .Values.dex.env }} + {{- toYaml . | nindent 10 }} + {{- end }} + - name: ARGOCD_DEX_SERVER_DISABLE_TLS + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: dexserver.disable.tls + optional: true {{- with .Values.dex.envFrom }} - envFrom: {{- toYaml . | nindent 8 }} + envFrom: + {{- toYaml . | nindent 10 }} {{- end }} ports: - name: http 
@@ -85,71 +104,88 @@ spec: httpGet: path: /healthz/live port: metrics - {{- with .Values.dex.livenessProbe }} - {{- omit . "enabled" | toYaml | nindent 10 }} - {{- end }} + initialDelaySeconds: {{ .Values.dex.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.dex.livenessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.dex.livenessProbe.timeoutSeconds }} + successThreshold: {{ .Values.dex.livenessProbe.successThreshold }} + failureThreshold: {{ .Values.dex.livenessProbe.failureThreshold }} {{- end }} {{- if .Values.dex.readinessProbe.enabled }} readinessProbe: httpGet: path: /healthz/ready port: metrics - {{- with .Values.dex.readinessProbe }} - {{- omit . "enabled" | toYaml | nindent 10 }} - {{- end }} - {{- end }} - volumeMounts: - - mountPath: /tmp - name: tmp-dir - {{- if .Values.dex.volumeMounts }} - {{- toYaml .Values.dex.volumeMounts | nindent 8 }} - {{- end }} - {{- if .Values.dex.extraVolumeMounts }} - {{- toYaml .Values.dex.extraVolumeMounts | nindent 8 }} + initialDelaySeconds: {{ .Values.dex.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.dex.readinessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.dex.readinessProbe.timeoutSeconds }} + successThreshold: {{ .Values.dex.readinessProbe.successThreshold }} + failureThreshold: {{ .Values.dex.readinessProbe.failureThreshold }} {{- end }} resources: {{- toYaml .Values.dex.resources | nindent 10 }} + securityContext: + {{- toYaml .Values.dex.containerSecurityContext | nindent 10 }} + volumeMounts: + {{- with .Values.dex.volumeMounts }} + {{- toYaml . | nindent 8 }} + {{- end }} + - name: static-files + mountPath: /shared + - name: dexconfig + mountPath: /tmp + - name: argocd-dex-server-tls + mountPath: /tls {{- with .Values.dex.extraContainers }} {{- toYaml . 
| nindent 6 }} {{- end }} - {{- if .Values.dex.nodeSelector }} + {{- with .Values.dex.nodeSelector }} nodeSelector: -{{- toYaml .Values.dex.nodeSelector | nindent 8 }} - {{- end }} - {{- if .Values.dex.tolerations }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.dex.tolerations }} tolerations: -{{- toYaml .Values.dex.tolerations | nindent 8 }} - {{- end }} - {{- if .Values.dex.affinity }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.dex.affinity }} affinity: -{{- toYaml .Values.dex.affinity | nindent 8 }} - {{- end }} - {{- with .Values.dex.topologySpreadConstraints }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.dex.topologySpreadConstraints }} topologySpreadConstraints: - {{- range $constraint := . }} + {{- range $constraint := . }} - {{ toYaml $constraint | nindent 8 | trim }} - {{- if not $constraint.labelSelector }} + {{- if not $constraint.labelSelector }} labelSelector: matchLabels: {{- include "argo-cd.selectorLabels" (dict "context" $ "name" $.Values.dex.name) | nindent 12 }} + {{- end }} {{- end }} {{- end }} - {{- end }} serviceAccountName: {{ template "argo-cd.dexServiceAccountName" . }} {{- with .Values.global.hostAliases }} hostAliases: {{- toYaml . | nindent 6 }} {{- end }} volumes: - - emptyDir: {} - name: tmp-dir - {{- if .Values.dex.volumes }} - {{- toYaml .Values.dex.volumes | nindent 6 }} + - name: static-files + emptyDir: {} + - name: dexconfig + emptyDir: {} + - name: argocd-dex-server-tls + secret: + secretName: argocd-dex-server-tls + optional: true + items: + - key: tls.crt + path: tls.crt + - key: tls.key + path: tls.key + - key: ca.crt + path: ca.crt + {{- with .Values.dex.volumes }} + {{- toYaml . | nindent 6 }} {{- end }} - {{- if .Values.dex.extraVolumes }} - {{- toYaml .Values.dex.extraVolumes | nindent 6 }} + {{- with .Values.dex.priorityClassName }} + priorityClassName: {{ . 
}} {{- end }} -{{- if .Values.dex.priorityClassName }} - priorityClassName: {{ .Values.dex.priorityClassName }} -{{- end }} {{- end }} diff --git a/charts/argo-cd/templates/dex/pdb.yaml b/charts/argo-cd/templates/dex/pdb.yaml new file mode 100644 index 000000000..caa2ab299 --- /dev/null +++ b/charts/argo-cd/templates/dex/pdb.yaml @@ -0,0 +1,26 @@ +{{- if and .Values.dex.enabled .Values.dex.pdb.enabled }} +apiVersion: {{ include "argo-cd.apiVersion.pdb" . }} +kind: PodDisruptionBudget +metadata: + name: {{ include "argo-cd.dex.fullname" . }} + labels: + {{- include "argo-cd.labels" (dict "context" . "component" .Values.dex.name "name" .Values.dex.name) | nindent 4 }} + {{- with .Values.dex.pdb.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.dex.pdb.annotations }} + annotations: + {{- range $key, $value := . }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- end }} +spec: + {{- with .Values.dex.pdb.maxUnavailable }} + maxUnavailable: {{ . }} + {{- else }} + minAvailable: {{ .Values.dex.pdb.minAvailable | default 0 }} + {{- end }} + selector: + matchLabels: + {{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.dex.name) | nindent 6 }} +{{- end }} diff --git a/charts/argo-cd/templates/dex/poddisruptionbudget.yaml b/charts/argo-cd/templates/dex/poddisruptionbudget.yaml deleted file mode 100644 index 7a16d8bf0..000000000 --- a/charts/argo-cd/templates/dex/poddisruptionbudget.yaml +++ /dev/null 
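Review bot: `.Values.dex.extraVolumeMounts` and `.Values.dex.extraVolumes` are no longer rendered after the `@@ -85,71 +104,88 @@` hunk of `dex/deployment.yaml`, so a release that still sets them upgrades without error and silently loses those mounts. A guard at the top of the template would turn that into a visible failure: `{{- if or .Values.dex.extraVolumes .Values.dex.extraVolumeMounts }}{{ fail "dex.extraVolumes/extraVolumeMounts were removed; use dex.volumes/dex.volumeMounts" }}{{- end }}`. The chart also now defines the `static-files` and `dexconfig` volumes itself while still appending `.Values.dex.volumes`; if existing values files carry a volume with one of those names (values.yaml is not part of this view), the Deployment would presumably be rejected for a duplicate volume name. The hunk starts and ends part-way through the pod spec, so the rest of the container definition is not visible here.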
@@ -1,26 +0,0 @@ -{{- if .Values.dex.pdb.enabled }} -apiVersion: {{ include "argo-cd.podDisruptionBudget.apiVersion" . }} -kind: PodDisruptionBudget -metadata: - name: {{ template "argo-cd.dex.fullname" . }} - labels: - {{- include "argo-cd.labels" (dict "context" . "component" .Values.dex.name "name" .Values.dex.name) | nindent 4 }} - {{- with .Values.dex.pdb.labels }} - {{- toYaml . | nindent 4 }} - {{- end }} - {{- with .Values.dex.pdb.annotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - {{- if .Values.dex.pdb.minAvailable }} - minAvailable: {{ .Values.dex.pdb.minAvailable }} - {{- else if .Values.dex.pdb.maxUnavailable }} - maxUnavailable: {{ .Values.dex.pdb.maxUnavailable }} - {{- else }} - minAvailable: 0 - {{- end }} - selector: - matchLabels: - {{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.dex.name) | nindent 6 }} -{{- end }} diff --git a/charts/argo-cd/templates/dex/servicemonitor.yaml b/charts/argo-cd/templates/dex/servicemonitor.yaml index ec98991a5..d08d018f6 100644 --- a/charts/argo-cd/templates/dex/servicemonitor.yaml +++ b/charts/argo-cd/templates/dex/servicemonitor.yaml @@ -14,6 +14,10 @@ metadata: {{- with .Values.dex.metrics.serviceMonitor.additionalLabels }} {{- toYaml . | nindent 4 }} {{- end }} + {{- with .Values.dex.metrics.serviceMonitor.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} spec: endpoints: - port: {{ .Values.dex.metrics.service.portName }} diff --git a/charts/argo-cd/templates/redis/deployment.yaml b/charts/argo-cd/templates/redis/deployment.yaml index 066146cfb..38ba73bea 100755 --- a/charts/argo-cd/templates/redis/deployment.yaml +++ b/charts/argo-cd/templates/redis/deployment.yaml 
@@ -1,122 +1,131 @@ -{{- $redisHa := (index .Values "redis-ha") -}} +{{- $redisHa := index .Values "redis-ha" -}} {{- if and .Values.redis.enabled (not $redisHa.enabled) -}} apiVersion: apps/v1 kind: Deployment metadata: - name: {{ template "argo-cd.redis.fullname" . }} + {{- with (mergeOverwrite (deepCopy .Values.global.deploymentAnnotations) .Values.redis.deploymentAnnotations) }} + annotations: + {{- range $key, $value := . }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- end }} + name: {{ include "argo-cd.redis.fullname" . }} labels: {{- include "argo-cd.labels" (dict "context" . "component" .Values.redis.name "name" .Values.redis.name) | nindent 4 }} spec: + replicas: 1 + revisionHistoryLimit: {{ .Values.global.revisionHistoryLimit }} selector: matchLabels: app.kubernetes.io/name: {{ include "argo-cd.name" . }}-{{ .Values.redis.name }} template: metadata: + labels: + {{- include "argo-cd.labels" (dict "context" . "component" .Values.redis.name "name" .Values.redis.name) | nindent 8 }} + {{- with (mergeOverwrite (deepCopy .Values.global.podLabels) .Values.redis.podLabels) }} + {{- toYaml . | nindent 8 }} + {{- end }} {{- with (mergeOverwrite (deepCopy .Values.global.podAnnotations) .Values.redis.podAnnotations) }} annotations: {{- range $key, $value := . }} {{ $key }}: {{ $value | quote }} {{- end }} {{- end }} - labels: - {{- include "argo-cd.labels" (dict "context" . "component" .Values.redis.name "name" .Values.redis.name) | nindent 8 }} - {{- with (mergeOverwrite (deepCopy .Values.global.podLabels) .Values.redis.podLabels) }} - {{- toYaml . | nindent 8 }} - {{- end }} spec: {{- with .Values.redis.imagePullSecrets | default .Values.global.imagePullSecrets }} imagePullSecrets: {{- toYaml . | nindent 8 }} {{- end }} - automountServiceAccountToken: {{ .Values.redis.serviceAccount.automountServiceAccountToken }} - serviceAccountName: {{ template "argo-cd.redisServiceAccountName" . 
}} - {{- if .Values.redis.securityContext }} - securityContext: {{- toYaml .Values.redis.securityContext | nindent 8 }} + {{- with .Values.redis.securityContext }} + securityContext: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "argo-cd.redisServiceAccountName" . }} + {{- with .Values.redis.initContainers }} + initContainers: + {{- toYaml . | nindent 6 }} {{- end }} containers: - - name: {{ template "argo-cd.redis.fullname" . }} + - name: {{ .Values.redis.name }} + image: {{ .Values.redis.image.repository }}:{{ .Values.redis.image.tag }} + imagePullPolicy: {{ default .Values.global.image.imagePullPolicy .Values.redis.image.imagePullPolicy }} args: - --save - "" - --appendonly - "no" {{- with .Values.redis.extraArgs }} - {{- . | toYaml | nindent 8 }} - {{- end }} - image: {{ .Values.redis.image.repository }}:{{ .Values.redis.image.tag }} - imagePullPolicy: {{ .Values.redis.image.imagePullPolicy}} - {{- if .Values.redis.containerSecurityContext }} - securityContext: {{- toYaml .Values.redis.containerSecurityContext | nindent 10 }} + {{- toYaml . | nindent 8 }} {{- end }} - {{- if .Values.redis.env }} + {{- with .Values.redis.env }} env: -{{- toYaml .Values.redis.env | nindent 8 }} + {{- toYaml . | nindent 8 }} {{- end }} {{- with .Values.redis.envFrom }} - envFrom: {{- toYaml . | nindent 8 }} + envFrom: + {{- toYaml . | nindent 8 }} {{- end }} ports: - - containerPort: {{ .Values.redis.containerPort }} - name: redis -{{- if .Values.redis.volumeMounts }} - volumeMounts: -{{- toYaml .Values.redis.volumeMounts | nindent 10 }} -{{- end }} + - name: redis + containerPort: {{ .Values.redis.containerPort }} + protocol: TCP resources: -{{- toYaml .Values.redis.resources | nindent 10 }} + {{- toYaml .Values.redis.resources | nindent 10 }} + securityContext: + {{- toYaml .Values.redis.containerSecurityContext | nindent 10 }} + {{- with .Values.redis.volumeMounts }} + volumeMounts: + {{- toYaml . 
| nindent 10 }} + {{- end }} {{- if .Values.redis.metrics.enabled }} - name: metrics + image: {{ .Values.redis.metrics.image.repository }}:{{ .Values.redis.metrics.image.tag }} + imagePullPolicy: {{ default .Values.global.image.imagePullPolicy .Values.redis.metrics.image.imagePullPolicy }} env: - name: REDIS_ADDR value: {{ printf "redis://localhost:%v" .Values.redis.containerPort }} - name: REDIS_EXPORTER_WEB_LISTEN_ADDRESS value: {{ printf "0.0.0.0:%v" .Values.redis.metrics.containerPort }} - image: {{ .Values.redis.metrics.image.repository }}:{{ .Values.redis.metrics.image.tag }} - imagePullPolicy: {{ .Values.redis.metrics.image.imagePullPolicy}} ports: - - containerPort: {{ .Values.redis.metrics.containerPort }} - name: metrics + - name: metrics + containerPort: {{ .Values.redis.metrics.containerPort }} protocol: TCP - resources: {{- toYaml .Values.redis.metrics.resources | nindent 10 }} - {{- with .Values.redis.containerSecurityContext }} - securityContext: {{- toYaml . | nindent 10 }} - {{- end }} + resources: + {{- toYaml .Values.redis.metrics.resources | nindent 10 }} + securityContext: + {{- toYaml .Values.redis.metrics.containerSecurityContext | nindent 10 }} {{- end }} - {{- with .Values.redis.extraContainers }} - {{- toYaml . | nindent 6 }} - {{- end }} - {{- if .Values.redis.nodeSelector }} + {{- with .Values.redis.extraContainers }} + {{- toYaml . | nindent 6 }} + {{- end }} + {{- with .Values.redis.nodeSelector }} nodeSelector: -{{- toYaml .Values.redis.nodeSelector | nindent 8 }} - {{- end }} - {{- if .Values.redis.tolerations }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.redis.tolerations }} tolerations: -{{- toYaml .Values.redis.tolerations | nindent 8 }} - {{- end }} - {{- if .Values.redis.affinity }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.redis.affinity }} affinity: -{{- toYaml .Values.redis.affinity | nindent 8 }} - {{- end }} - {{- with .Values.redis.topologySpreadConstraints }} + {{- toYaml . 
| nindent 8 }} + {{- end }} + {{- with .Values.redis.topologySpreadConstraints }} topologySpreadConstraints: - {{- range $constraint := . }} + {{- range $constraint := . }} - {{ toYaml $constraint | nindent 8 | trim }} {{- if not $constraint.labelSelector }} labelSelector: matchLabels: app.kubernetes.io/name: {{ include "argo-cd.name" $ }}-{{ $.Values.redis.name }} {{- end }} + {{- end }} {{- end }} - {{- end }} -{{- if .Values.redis.volumes }} + {{- with .Values.redis.priorityClassName }} + priorityClassName: {{ . }} + {{- end }} + {{- with .Values.redis.volumes }} volumes: -{{- toYaml .Values.redis.volumes | nindent 8}} -{{- end }} - {{- if .Values.redis.initContainers }} - initContainers: - {{- toYaml .Values.redis.initContainers | nindent 6 }} + {{- toYaml . | nindent 8}} {{- end }} -{{- if .Values.redis.priorityClassName }} - priorityClassName: {{ .Values.redis.priorityClassName }} -{{- end }} {{- end }} diff --git a/charts/argo-cd/templates/redis/metrics-service.yaml b/charts/argo-cd/templates/redis/metrics.yaml similarity index 94% rename from charts/argo-cd/templates/redis/metrics-service.yaml rename to charts/argo-cd/templates/redis/metrics.yaml index da96a22b0..6886a7402 100644 --- a/charts/argo-cd/templates/redis/metrics-service.yaml +++ b/charts/argo-cd/templates/redis/metrics.yaml 
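Review bot: The new pod spec no longer sets `automountServiceAccountToken`; the removed line `automountServiceAccountToken: {{ .Values.redis.serviceAccount.automountServiceAccountToken }}` has no replacement next to `serviceAccountName`. Unless the ServiceAccount template (not in this hunk) carries the setting, the Redis pod falls back to the Kubernetes default and mounts an API token it presumably does not need. I would restore that line in the pod spec. Separately, the metrics sidecar now reads `.Values.redis.metrics.containerSecurityContext` instead of `.Values.redis.containerSecurityContext`, so installs that hardened only the latter lose that hardening on the exporter unless the new key ships with a restrictive default.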
@@ -3,19 +3,20 @@ apiVersion: v1 kind: Service metadata: - name: {{ template "argo-cd.redis.fullname" . }}-metrics + name: {{ include "argo-cd.redis.fullname" . }}-metrics + labels: + {{- include "argo-cd.labels" (dict "context" . "component" .Values.redis.name "name" .Values.redis.name) | nindent 4 }} + {{- with .Values.redis.metrics.service.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} {{- with .Values.redis.metrics.service.annotations }} annotations: {{- range $key, $value := . }} {{ $key }}: {{ $value | quote }} {{- end }} {{- end }} - labels: - {{- include "argo-cd.labels" (dict "context" . "component" .Values.redis.name "name" .Values.redis.name) | nindent 4 }} - {{- with .Values.redis.metrics.service.labels }} - {{- toYaml . | nindent 4 }} - {{- end }} spec: + type: {{ .Values.redis.metrics.service.type }} {{- with .Values.redis.metrics.service.clusterIP }} clusterIP: {{ . }} {{- end }} @@ -26,5 +27,4 @@ spec: targetPort: metrics selector: {{- include "argo-cd.selectorLabels" (dict "context" . "component" .Values.redis.name "name" .Values.redis.name) | nindent 4 }} - type: {{ .Values.redis.metrics.service.type }} {{- end }} diff --git a/charts/argo-cd/templates/redis/pdb.yaml b/charts/argo-cd/templates/redis/pdb.yaml new file mode 100644 index 000000000..57fb94b32 --- /dev/null +++ b/charts/argo-cd/templates/redis/pdb.yaml 
@@ -0,0 +1,27 @@
+{{- $redisHa := index .Values "redis-ha" -}}
+{{- if and .Values.redis.enabled (not $redisHa.enabled) .Values.redis.pdb.enabled }}
+apiVersion: {{ include "argo-cd.apiVersion.pdb" . }}
+kind: PodDisruptionBudget
+metadata:
+ name: {{ include "argo-cd.redis.fullname" . }}
+ labels:
+ {{- include "argo-cd.labels" (dict "context" . "component" .Values.redis.name "name" .Values.redis.name) | nindent 4 }}
+ {{- with .Values.redis.pdb.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with .Values.redis.pdb.annotations }}
+ annotations:
+ {{- range $key, $value := . }}
+ {{ $key }}: {{ $value | quote }}
+ {{- end }}
+ {{- end }}
+spec:
+ {{- with .Values.dex.pdb.maxUnavailable }}
+ maxUnavailable: {{ . }}
+ {{- else }}
+ minAvailable: {{ .Values.redis.pdb.minAvailable | default 0 }}
+ {{- end }}
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: {{ include "argo-cd.name" . }}-{{ .Values.redis.name }}
+{{- end }}
diff --git a/charts/argo-cd/templates/redis/poddisruptionbudget.yaml b/charts/argo-cd/templates/redis/poddisruptionbudget.yaml
deleted file mode 100644
index 4de55b7e5..000000000
--- a/charts/argo-cd/templates/redis/poddisruptionbudget.yaml
+++ /dev/null
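Review bot: The `spec` of the new redis/pdb.yaml reads `.Values.dex.pdb.maxUnavailable`, which looks like a copy-paste from dex/pdb.yaml; every other reference in this template is under `.Values.redis`. As written, `redis.pdb.maxUnavailable` is never consulted, and setting the dex value silently replaces the Redis budget's `minAvailable` with dex's `maxUnavailable`. The line should be `{{- with .Values.redis.pdb.maxUnavailable }}`.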
@@ -1,26 +0,0 @@ -{{- if .Values.redis.pdb.enabled }} -apiVersion: {{ include "argo-cd.podDisruptionBudget.apiVersion" . }} -kind: PodDisruptionBudget -metadata: - name: {{ template "argo-cd.redis.fullname" . }} - labels: - {{- include "argo-cd.labels" (dict "context" . "component" .Values.redis.name "name" .Values.redis.name) | nindent 4 }} - {{- with .Values.redis.pdb.labels }} - {{- toYaml . | nindent 4 }} - {{- end }} - {{- with .Values.redis.pdb.annotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - {{- if .Values.redis.pdb.minAvailable }} - minAvailable: {{ .Values.redis.pdb.minAvailable }} - {{- else if .Values.redis.pdb.maxUnavailable }} - maxUnavailable: {{ .Values.redis.pdb.maxUnavailable }} - {{- else }} - minAvailable: 0 - {{- end }} - selector: - matchLabels: - app.kubernetes.io/name: {{ include "argo-cd.name" . }}-{{ .Values.redis.name }} -{{- end }} diff --git a/charts/argo-cd/templates/redis/servicemonitor.yaml b/charts/argo-cd/templates/redis/servicemonitor.yaml index 8cd9a1119..ea913467a 100644 --- a/charts/argo-cd/templates/redis/servicemonitor.yaml +++ b/charts/argo-cd/templates/redis/servicemonitor.yaml @@ -15,6 +15,10 @@ metadata: {{- with .Values.redis.metrics.serviceMonitor.additionalLabels }} {{- toYaml . | nindent 4 }} {{- end }} + {{- with .Values.redis.metrics.serviceMonitor.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} spec: endpoints: - port: {{ .Values.redis.metrics.service.portName }} diff --git a/charts/argo-cd/values.yaml b/charts/argo-cd/values.yaml index 152db68c0..776eb9f81 100755 --- a/charts/argo-cd/values.yaml +++ b/charts/argo-cd/values.yaml 
@@ -8,6 +8,28 @@ nameOverride: argocd fullnameOverride: "" # -- Override the Kubernetes version, which is used to evaluate certain manifests kubeVersionOverride: "" +# Override APIVersions +# If you want to template helm charts but cannot access k8s API server +# you can set api versions here +apiVersionOverrides: + # -- String to override apiVersion of cert-manager resources rendered by this helm chart + certmanager: "" # cert-manager.io/v1 + # -- String to override apiVersion of GKE resources rendered by this helm chart + cloudgoogle: "" # cloud.google.com/v1 + # -- String to override apiVersion of autoscaling rendered by this helm chart + autoscaling: "" # autoscaling/v2 + # -- String to override apiVersion of ingresses rendered by this helm chart + ingress: "" # networking.k8s.io/v1beta1 + # -- String to override apiVersion of pod disruption budgets rendered by this helm chart + pdb: "" # policy/v1 + +# -- Create clusterroles that extend existing clusterroles to interact with argo-cd crds +## Ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles +createAggregateRoles: false + +openshift: + # -- enables using arbitrary uid for argo repo server + enabled: false ## Custom resource configuration crds: @@ -18,7 +40,16 @@ crds: # -- Annotations to be added to all CRDs annotations: {} +## Globally shared configuration global: + # -- Common labels for the all resources + additionalLabels: {} + # app: argo-cd + + # -- Number of old deployment ReplicaSets to retain. The rest will be garbage collected. + revisionHistoryLimit: 3 + + # Default image used by all components image: # -- If defined, a repository applied to all Argo CD deployments repository: quay.io/argoproj/argocd 
@@ -26,423 +57,488 @@ global: tag: "" # -- If defined, a imagePullPolicy applied to all Argo CD deployments imagePullPolicy: IfNotPresent + + # -- Secrets with credentials to pull images from a private registry + imagePullSecrets: [] + + # Default logging options used by all components logging: # -- Set the global logging format. Either: `text` or `json` format: text # -- Set the global logging level. One of: `debug`, `info`, `warn` or `error` level: info + + # -- Annotations for the all deployed Statefulsets + statefulsetAnnotations: {} + + # -- Annotations for the all deployed Deployments + deploymentAnnotations: {} + # -- Annotations for the all deployed pods podAnnotations: {} + # -- Labels for the all deployed pods podLabels: {} - # -- Toggle and define securityContext. See [values.yaml] + + # -- Toggle and define pod-level security context. + # @default -- `{}` (See [values.yaml]) securityContext: {} # runAsUser: 999 # runAsGroup: 999 # fsGroup: 999 - # -- If defined, uses a Secret to pull an image from a private Docker registry or repository - imagePullSecrets: [] # -- Mapping between IP and hostnames that will be injected as entries in the pod's hosts files hostAliases: [] # - ip: 10.20.30.40 # hostnames: # - git.myhostname - # -- Additional labels to add to all resources - additionalLabels: {} - # app: argo-cd - networkPolicy: # -- Create NetworkPolicy objects for all components create: false # -- Default deny all ingress traffic defaultDenyIngress: false -# Override APIVersions -# If you want to template helm charts but cannot access k8s API server -# you can set api versions here -apiVersionOverrides: - # -- String to override apiVersion of certmanager resources rendered by this helm chart - certmanager: "" # cert-manager.io/v1 - # -- String to override apiVersion of ingresses rendered by this helm chart - ingress: "" # networking.k8s.io/v1beta1 - # -- String to override apiVersion of autoscaling rendered by this helm chart - autoscaling: "" # 
autoscaling/v2 - -# -- Create clusterroles that extend existing clusterroles to interact with argo-cd crds -## Ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles -createAggregateRoles: false - -# -- Array of extra K8s manifests to deploy -extraObjects: [] - # - apiVersion: secrets-store.csi.x-k8s.io/v1 - # kind: SecretProviderClass - # metadata: - # name: argocd-secrets-store - # spec: - # provider: aws - # parameters: - # objects: | - # - objectName: "argocd" - # objectType: "secretsmanager" - # jmesPath: - # - path: "client_id" - # objectAlias: "client_id" - # - path: "client_secret" - # objectAlias: "client_secret" - # secretObjects: - # - data: - # - key: client_id - # objectName: client_id - # - key: client_secret - # objectName: client_secret - # secretName: argocd-secrets-store - # type: Opaque - # labels: - # app.kubernetes.io/part-of: argocd - -## Controller -controller: - # -- Application controller name string - name: application-controller - - image: - # -- Repository to use for the application controller - # @default -- `""` (defaults to global.image.repository) - repository: "" - # -- Tag to use for the application controller - # @default -- `""` (defaults to global.image.tag) - tag: "" - # -- Image pull policy for the application controller - # @default -- `""` (defaults to global.image.imagePullPolicy) - imagePullPolicy: "" - - # -- The number of application controller pods to run. - # Additional replicas will cause sharding of managed clusters across number of replicas. 
- replicas: 1 +## Argo Configs +configs: + # General Argo CD configuration + ## Ref: https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/argocd-cm.yaml + cm: + # -- Create the argocd-cm configmap for [declarative setup] + create: true - ## Application controller commandline flags - args: - # -- define the application controller `--status-processors` - statusProcessors: "20" - # -- define the application controller `--operation-processors` - operationProcessors: "10" - # -- define the application controller `--app-hard-resync` - appHardResyncPeriod: "0" - # -- define the application controller `--app-resync` - appResyncPeriod: "180" - # -- define the application controller `--self-heal-timeout-seconds` - selfHealTimeout: "5" - # -- define the application controller `--repo-server-timeout-seconds` - repoServerTimeoutSeconds: "60" + # -- Annotations to be added to argocd-cm configmap + annotations: {} - # -- Application controller log format. Either `text` or `json` - # @default -- `""` (defaults to global.logging.format) - logFormat: "" - # -- Application controller log level. One of: `debug`, `info`, `warn` or `error` - # @default -- `""` (defaults to global.logging.level) - logLevel: "" + # -- Argo CD's externally facing base URL (optional). 
Required when configuring SSO + url: "" - # -- Additional command line arguments to pass to application controller - extraArgs: [] + # -- The name of tracking label used by Argo CD for resource pruning + # @default -- Defaults to app.kubernetes.io/instance + application.instanceLabelKey: argocd.argoproj.io/instance - # -- Environment variables to pass to application controller - env: [] + # -- Enable logs RBAC enforcement + ## Ref: https://argo-cd.readthedocs.io/en/latest/operator-manual/upgrading/2.3-2.4/#enable-logs-rbac-enforcement + server.rbac.log.enforce.enable: false - # -- envFrom to pass to application controller - # @default -- `[]` (See [values.yaml]) - envFrom: [] - # - configMapRef: - # name: config-map-name - # - secretRef: - # name: secret-name + # -- Enable exec feature in Argo UI + ## Ref: https://argo-cd.readthedocs.io/en/latest/operator-manual/rbac/#exec-resource + exec.enabled: false - # -- Annotations to be added to application controller pods - podAnnotations: {} + # -- Enable local admin user + ## Ref: https://argo-cd.readthedocs.io/en/latest/faq/#how-to-disable-admin-user + admin.enabled: true - # -- Labels to be added to application controller pods - podLabels: {} + # -- Timeout to discover if a new manifests version got published to the repository + timeout.reconciliation: 180s - # -- Application controller container-level security context - containerSecurityContext: - {} - # capabilities: - # drop: - # - all - # readOnlyRootFilesystem: true - # runAsNonRoot: true + # -- Timeout to refresh application data as well as target manifests cache + timeout.hard.reconciliation: 0s - # -- Application controller listening port - containerPort: 8082 + # Dex configuration + # dex.config: | + # connectors: + # # GitHub example + # - type: github + # id: github + # name: GitHub + # config: + # clientID: aabbccddeeff00112233 + # clientSecret: $dex.github.clientSecret # Alternatively $:dex.github.clientSecret + # orgs: + # - name: your-github-org - ## 
Readiness and liveness probes for default backend - ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ - ## - readinessProbe: - # -- Minimum consecutive failures for the [probe] to be considered failed after having succeeded - failureThreshold: 3 - # -- Number of seconds after the container has started before [probe] is initiated - initialDelaySeconds: 10 - # -- How often (in seconds) to perform the [probe] - periodSeconds: 10 - # -- Minimum consecutive successes for the [probe] to be considered successful after having failed - successThreshold: 1 - # -- Number of seconds after which the [probe] times out - timeoutSeconds: 1 - livenessProbe: - # -- Minimum consecutive failures for the [probe] to be considered failed after having succeeded - failureThreshold: 3 - # -- Number of seconds after the container has started before [probe] is initiated - initialDelaySeconds: 10 - # -- How often (in seconds) to perform the [probe] - periodSeconds: 10 - # -- Minimum consecutive successes for the [probe] to be considered successful after having failed - successThreshold: 1 - # -- Number of seconds after which the [probe] times out - timeoutSeconds: 1 + # OIDC configuration as an alternative to dex (optional). + # oidc.config: | + # name: AzureAD + # issuer: https://login.microsoftonline.com/TENANT_ID/v2.0 + # clientID: CLIENT_ID + # clientSecret: $oidc.azuread.clientSecret + # rootCA: | + # -----BEGIN CERTIFICATE----- + # ... encoded certificate data here ... 
+ # -----END CERTIFICATE----- + # requestedIDTokenClaims: + # groups: + # essential: true + # requestedScopes: + # - openid + # - profile + # - email - # -- Additional volumeMounts to the application controller main container - volumeMounts: [] + # Argo CD configuration parameters + ## Ref: https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/argocd-cmd-params-cm.yaml + params: + # -- Annotations to be added to the argocd-cmd-params-cm ConfigMap + annotations: {} - # -- Additional volumes to the application controller pod - volumes: [] + ## Generic parameters + # -- Open-Telemetry collector address: (e.g. "otel-collector:4317") + otlp.address: '' + + ## Controller Properties + # -- Number of application status processors + controller.status.processors: 20 + # -- Number of application operation processors + controller.operation.processors: 10 + # -- Specifies timeout between application self heal attempts + controller.self.heal.timeout.seconds: 5 + # -- Repo server RPC call timeout seconds. + controller.repo.server.timeout.seconds: 60 + + ## Server properties + # -- Run server without TLS + server.insecure: false + # -- Value for base href in index.html. Used if Argo CD is running behind reverse proxy under subpath different from / + server.basehref: / + # -- Used if Argo CD is running behind reverse proxy under subpath different from / + server.rootpath: '' + # -- Directory path that contains additional static assets + server.staticassets: /shared/app + # -- Disable Argo CD RBAC for user authentication + server.disable.auth: false + # -- Enable GZIP compression + server.enable.gzip: false + # -- Set X-Frame-Options header in HTTP responses to value. To disable, set to "". + server.x.frame.options: sameorigin + + ## Repo-server properties + # -- Limit on number of concurrent manifests generate requests. Any value less the 1 means no limit. 
+ reposerver.parallelism.limit: 0 + + # Argo CD RBAC policy configuration + ## Ref: https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/rbac.md + rbac: + # -- Create the argocd-rbac-cm configmap with ([Argo CD RBAC policy]) definitions. + # If false, it is expected the configmap will be created by something else. + # Argo CD will not work if there is no configmap created with the name above. + create: true - ## Controller service configuration - service: - # -- Application controller service annotations + # -- Annotations to be added to argocd-rbac-cm configmap annotations: {} - # -- Application controller service labels - labels: {} - # -- Application controller service port - port: 8082 - # -- Application controller service port name - portName: https-controller - # -- [Node selector] - nodeSelector: {} - # -- [Tolerations] for use with node taints - tolerations: [] - # -- Assign custom [affinity] rules to the deployment - affinity: {} + # -- The name of the default role which Argo CD will falls back to, when authorizing API requests (optional). + # If omitted or empty, users may be still be able to login, but will see no apps, projects, etc... + policy.default: '' - # -- Assign custom [TopologySpreadConstraints] rules to the application controller - ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ - ## If labelSelector is left out, it will default to the labelSelector configuration of the deployment - topologySpreadConstraints: [] - # - maxSkew: 1 - # topologyKey: topology.kubernetes.io/zone - # whenUnsatisfiable: DoNotSchedule + # -- File containing user-defined policies and role definitions. 
+ # @default -- `''` (See [values.yaml]) + policy.csv: '' + # Policy rules are in the form: + # p, subject, resource, action, object, effect + # Role definitions and bindings are in the form: + # g, subject, inherited-subject + # policy.csv | + # p, role:org-admin, applications, *, */*, allow + # p, role:org-admin, clusters, get, *, allow + # p, role:org-admin, repositories, *, *, allow + # p, role:org-admin, logs, get, *, allow + # p, role:org-admin, exec, create, */*, allow + # g, your-github-org:your-team, role:org-admin + + # -- OIDC scopes to examine during rbac enforcement (in addition to `sub` scope). + # The scope value can be a string, or a list of strings. + scopes: "[groups]" + + # GnuPG public keys for commit verification + ## Ref: https://argo-cd.readthedocs.io/en/stable/user-guide/gpg-verification/ + gpg: + # -- Annotations to be added to argocd-gpg-keys-cm configmap + annotations: {} - # -- Priority class for the application controller pods - priorityClassName: "" + # -- [GnuPG] public keys to add to the keyring + # @default -- `{}` (See [values.yaml]) + ## Note: Public keys should be exported with `gpg --export --armor ` + keys: {} + # 4AEE18F83AFDEB23: | + # -----BEGIN PGP PUBLIC KEY BLOCK----- + # ... 
+ # -----END PGP PUBLIC KEY BLOCK----- - # -- Resource limits and requests for the application controller pods - resources: {} - # limits: - # cpu: 500m - # memory: 512Mi - # requests: - # cpu: 250m - # memory: 256Mi - serviceAccount: - # -- Create a service account for the application controller - create: true - # -- Service account name - name: argocd-application-controller - # -- Annotations applied to created service account - annotations: {} - # -- Automount API credentials for the Service Account - automountServiceAccountToken: true + # -- Provide one or multiple [external cluster credentials] + # @default -- `[]` (See [values.yaml]) + ## Ref: + ## - https://argo-cd.readthedocs.io/en/stable/operator-manual/declarative-setup/#clusters + ## - https://argo-cd.readthedocs.io/en/stable/operator-manual/security/#external-cluster-credentials + clusterCredentials: [] + # - name: mycluster + # server: https://mycluster.com + # labels: {} + # annotations: {} + # config: + # bearerToken: "" + # tlsClientConfig: + # insecure: false + # caData: "" + # - name: mycluster2 + # server: https://mycluster2.com + # labels: {} + # annotations: {} + # namespaces: namespace1,namespace2 + # clusterResources: true + # config: + # bearerToken: "" + # tlsClientConfig: + # insecure: false + # caData: "" - ## Application controller metrics configuration - metrics: - # -- Deploy metrics service - enabled: false - applicationLabels: - # -- Enables additional labels in argocd_app_labels metric - enabled: false - # -- Additional labels - labels: [] - service: - # -- Metrics service annotations - annotations: {} - # -- Metrics service labels - labels: {} - # -- Metrics service port - servicePort: 8082 - # -- Metrics service port name - portName: http-metrics - serviceMonitor: - # -- Enable a prometheus ServiceMonitor - enabled: false - # -- Prometheus ServiceMonitor interval - interval: 30s - # -- Prometheus [RelabelConfigs] to apply to samples before scraping - relabelings: [] - # -- 
Prometheus [MetricRelabelConfigs] to apply to samples before ingestion - metricRelabelings: [] - # -- Prometheus ServiceMonitor selector - selector: {} - # prometheus: kube-prometheus - - # -- Prometheus ServiceMonitor scheme - scheme: "" - # -- Prometheus ServiceMonitor tlsConfig - tlsConfig: {} - # -- Prometheus ServiceMonitor namespace - namespace: "" # "monitoring" - # -- Prometheus ServiceMonitor labels - additionalLabels: {} - rules: - # -- Deploy a PrometheusRule for the application controller - enabled: false - # -- PrometheusRule.Spec for the application controller - spec: [] - # - alert: ArgoAppMissing - # expr: | - # absent(argocd_app_info) - # for: 15m - # labels: - # severity: critical - # annotations: - # summary: "[Argo CD] No reported applications" - # description: > - # Argo CD has not reported any applications data for the past 15 minutes which - # means that it must be down or not functioning properly. This needs to be - # resolved for this cloud to continue to maintain state. - # - alert: ArgoAppNotSynced - # expr: | - # argocd_app_info{sync_status!="Synced"} == 1 - # for: 12h - # labels: - # severity: warning - # annotations: - # summary: "[{{`{{$labels.name}}`}}] Application not synchronized" - # description: > - # The application [{{`{{$labels.name}}`}} has not been synchronized for over - # 12 hours which means that the state of this cloud has drifted away from the - # state inside Git. 
- # selector: - # prometheus: kube-prometheus - # namespace: monitoring - # additionalLabels: {} + # -- Known Hosts configmap annotations + knownHostsAnnotations: {} + knownHosts: + data: + # -- Known Hosts + # @default -- See [values.yaml] + ssh_known_hosts: | + bitbucket.org ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAubiN81eDcafrgMeLzaFPsw2kNvEcqTKl/VqLat/MaB33pZy0y3rJZtnqwR2qOOvbwKZYKiEO1O6VqNEBxKvJJelCq0dTXWT5pbO2gDXC6h6QDXCaHo6pOHGPUy+YBaGQRGuSusMEASYiWunYN0vCAI8QaXnWMXNMdFP3jHAJH0eDsoiGnLPBlBp4TNm6rYI74nMzgz3B9IikW4WVK+dc8KZJZWYjAuORU3jc1c/NPskD2ASinf8v3xnfXeukU0sJ5N6m5E8VLjObPEO+mN2t/FZTMZLiFqPWc/ALSqnMnnhwrNi2rbfg/rd/IpL8Le3pSBne8+seeFVBoGqzHM9yXw== + github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg= + github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl + github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ== + gitlab.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFSMqzJeV9rUzU4kWitGjeR4PWSa29SPqJ1fVkhtj3Hw9xjLVXVYrU9QlYWrOLXBpQ6KWjbjTDTdDkoohFzgbEY= + gitlab.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf + gitlab.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsj2bNKTBSpIYDEGk9KxsGh3mySTRgMtXL583qmBpzeQ+jqCMRgBqB98u3z++J1sKlXHWfM9dyhSevkMwSbhoR8XIq/U0tCNyokEi/ueaBMCvbcTHhO7FcwzY92WK4Yt0aGROY5qX2UKSeOvuP4D6TPqKF1onrSzH9bx9XUf2lEdWT/ia1NEKjunUqu1xOB/StKDHMoX4/OKyIzuS0q/T1zOATthvasJFoPrAjkohTyaDUz2LN5JoH839hViyEG82yB+MjcFV5MU3N1l1QL3cVUCh93xSaua1N85qivl+siMkPGbO5xR/En4iEY6K2XPASUEMaieWVNTRCtJ4S8H+9 + 
ssh.dev.azure.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7Hr1oTWqNqOlzGJOfGJ4NakVyIzf1rXYd4d7wo6jBlkLvCA4odBlL0mDUyZ0/QUfTTqeu+tm22gOsv+VrVTMk6vwRU75gY/y9ut5Mb3bR5BV58dKXyq9A9UeB5Cakehn5Zgm6x1mKoVyf+FFn26iYqXJRgzIZZcZ5V6hrE0Qg39kZm4az48o0AUbf6Sp4SLdvnuMa2sVNwHBboS7EJkm57XQPVU3/QpyNLHbWDdzwtrlS+ez30S3AdYhLKEOxAG8weOnyrtLJAUen9mTkol8oII1edf7mWWbWVf0nBmly21+nZcmCTISQBtdcyPaEno7fFQMDD26/s0lfKob4Kw8H + vs-ssh.visualstudio.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7Hr1oTWqNqOlzGJOfGJ4NakVyIzf1rXYd4d7wo6jBlkLvCA4odBlL0mDUyZ0/QUfTTqeu+tm22gOsv+VrVTMk6vwRU75gY/y9ut5Mb3bR5BV58dKXyq9A9UeB5Cakehn5Zgm6x1mKoVyf+FFn26iYqXJRgzIZZcZ5V6hrE0Qg39kZm4az48o0AUbf6Sp4SLdvnuMa2sVNwHBboS7EJkm57XQPVU3/QpyNLHbWDdzwtrlS+ez30S3AdYhLKEOxAG8weOnyrtLJAUen9mTkol8oII1edf7mWWbWVf0nBmly21+nZcmCTISQBtdcyPaEno7fFQMDD26/s0lfKob4Kw8H + # -- TLS certificate configmap annotations + tlsCertsAnnotations: {} + # -- TLS certificate + # @default -- See [values.yaml] + tlsCerts: + {} + # data: + # argocd.example.com: | + # -----BEGIN CERTIFICATE----- + # MIIF1zCCA7+gAwIBAgIUQdTcSHY2Sxd3Tq/v1eIEZPCNbOowDQYJKoZIhvcNAQEL + # BQAwezELMAkGA1UEBhMCREUxFTATBgNVBAgMDExvd2VyIFNheG9ueTEQMA4GA1UE + # BwwHSGFub3ZlcjEVMBMGA1UECgwMVGVzdGluZyBDb3JwMRIwEAYDVQQLDAlUZXN0 + # c3VpdGUxGDAWBgNVBAMMD2Jhci5leGFtcGxlLmNvbTAeFw0xOTA3MDgxMzU2MTda + # Fw0yMDA3MDcxMzU2MTdaMHsxCzAJBgNVBAYTAkRFMRUwEwYDVQQIDAxMb3dlciBT + # YXhvbnkxEDAOBgNVBAcMB0hhbm92ZXIxFTATBgNVBAoMDFRlc3RpbmcgQ29ycDES + # MBAGA1UECwwJVGVzdHN1aXRlMRgwFgYDVQQDDA9iYXIuZXhhbXBsZS5jb20wggIi + # MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCv4mHMdVUcafmaSHVpUM0zZWp5 + # NFXfboxA4inuOkE8kZlbGSe7wiG9WqLirdr39Ts+WSAFA6oANvbzlu3JrEQ2CHPc + # CNQm6diPREFwcDPFCe/eMawbwkQAPVSHPts0UoRxnpZox5pn69ghncBR+jtvx+/u + # P6HdwW0qqTvfJnfAF1hBJ4oIk2AXiip5kkIznsAh9W6WRy6nTVCeetmIepDOGe0G + # ZJIRn/OfSz7NzKylfDCat2z3EAutyeT/5oXZoWOmGg/8T7pn/pR588GoYYKRQnp+ + # YilqCPFX+az09EqqK/iHXnkdZ/Z2fCuU+9M/Zhrnlwlygl3RuVBI6xhm/ZsXtL2E + # Gxa61lNy6pyx5+hSxHEFEJshXLtioRd702VdLKxEOuYSXKeJDs1x9o6cJ75S6hko + # 
Ml1L4zCU+xEsMcvb1iQ2n7PZdacqhkFRUVVVmJ56th8aYyX7KNX6M9CD+kMpNm6J + # kKC1li/Iy+RI138bAvaFplajMF551kt44dSvIoJIbTr1LigudzWPqk31QaZXV/4u + # kD1n4p/XMc9HYU/was/CmQBFqmIZedTLTtK7clkuFN6wbwzdo1wmUNgnySQuMacO + # gxhHxxzRWxd24uLyk9Px+9U3BfVPaRLiOPaPoC58lyVOykjSgfpgbus7JS69fCq7 + # bEH4Jatp/10zkco+UQIDAQABo1MwUTAdBgNVHQ4EFgQUjXH6PHi92y4C4hQpey86 + # r6+x1ewwHwYDVR0jBBgwFoAUjXH6PHi92y4C4hQpey86r6+x1ewwDwYDVR0TAQH/ + # BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAgEAFE4SdKsX9UsLy+Z0xuHSxhTd0jfn + # Iih5mtzb8CDNO5oTw4z0aMeAvpsUvjJ/XjgxnkiRACXh7K9hsG2r+ageRWGevyvx + # CaRXFbherV1kTnZw4Y9/pgZTYVWs9jlqFOppz5sStkfjsDQ5lmPJGDii/StENAz2 + # XmtiPOgfG9Upb0GAJBCuKnrU9bIcT4L20gd2F4Y14ccyjlf8UiUi192IX6yM9OjT + # +TuXwZgqnTOq6piVgr+FTSa24qSvaXb5z/mJDLlk23npecTouLg83TNSn3R6fYQr + # d/Y9eXuUJ8U7/qTh2Ulz071AO9KzPOmleYPTx4Xty4xAtWi1QE5NHW9/Ajlv5OtO + # OnMNWIs7ssDJBsB7VFC8hcwf79jz7kC0xmQqDfw51Xhhk04kla+v+HZcFW2AO9so + # 6ZdVHHQnIbJa7yQJKZ+hK49IOoBR6JgdB5kymoplLLiuqZSYTcwSBZ72FYTm3iAr + # jzvt1hxpxVDmXvRnkhRrIRhK4QgJL0jRmirBjDY+PYYd7bdRIjN7WNZLFsgplnS8 + # 9w6CwG32pRlm0c8kkiQ7FXA6BYCqOsDI8f1VGQv331OpR2Ck+FTv+L7DAmg6l37W + # +LB9LGh4OAp68ImTjqf6ioGKG0RBSznwME+r4nXtT1S/qLR6ASWUS4ViWRhbRlNK + # XWyb96wrUlv+E8I= + # -----END CERTIFICATE----- - ## Enable if you would like to grant rights to Argo CD to deploy to the local Kubernetes cluster. - clusterAdminAccess: - # -- Enable RBAC for local cluster deployments - enabled: true + # -- Repository credentials to be used as Templates for other repos + ## Creates a secret for each key/value specified below to create repository credentials + credentialTemplates: {} + # github-enterprise-creds-1: + # url: https://github.com/argoproj + # githubAppID: 1 + # githubAppInstallationID: 2 + # githubAppEnterpriseBaseUrl: https://ghe.example.com/api/v3 + # githubAppPrivateKey: | + # -----BEGIN OPENSSH PRIVATE KEY----- + # ... 
+ # -----END OPENSSH PRIVATE KEY----- + # https-creds: + # url: https://github.com/argoproj + # password: my-password + # username: my-username + # ssh-creds: + # url: git@github.com:argoproj-labs + # sshPrivateKey: | + # -----BEGIN OPENSSH PRIVATE KEY----- + # ... + # -----END OPENSSH PRIVATE KEY----- - ## Enable this and set the rules: to whatever custom rules you want for the Cluster Role resource. - ## Defaults to off - clusterRoleRules: - # -- Enable custom rules for the application controller's ClusterRole resource - enabled: false - # -- List of custom rules for the application controller's ClusterRole resource - rules: [] + # -- Annotations to be added to `configs.credentialTemplates` Secret + credentialTemplatesAnnotations: {} - # -- Additional containers to be added to the application controller pod - extraContainers: [] + # -- Repositories list to be used by applications + ## Creates a secret for each key/value specified below to create repositories + ## Note: the last example in the list would use a repository credential template, configured under "configs.repositoryCredentials". 
+ repositories: {} + # istio-helm-repo: + # url: https://storage.googleapis.com/istio-prerelease/daily-build/master-latest-daily/charts + # name: istio.io + # type: helm + # private-helm-repo: + # url: https://my-private-chart-repo.internal + # name: private-repo + # type: helm + # password: my-password + # username: my-username + # private-repo: + # url: https://github.com/argoproj/private-repo - # -- Init containers to add to the application controller pod - ## If your target Kubernetes cluster(s) require a custom auth provider executable - ## you could use this (and the same in the server pod) to bootstrap - ## that executable into your Argo CD container - initContainers: [] - # - name: download-tools - # image: alpine:3.8 - # command: [sh, -c] - # args: - # - wget -qO- https://get.helm.sh/helm-v2.16.1-linux-amd64.tar.gz | tar -xvzf - && - # mv linux-amd64/helm /custom-tools/ - # volumeMounts: - # - mountPath: /custom-tools - # name: custom-tools - # volumeMounts: - # - mountPath: /usr/local/bin/helm - # name: custom-tools - # subPath: helm + # -- Annotations to be added to `configs.repositories` Secret + repositoriesAnnotations: {} - pdb: - # -- Labels to be added to application controller pdb - labels: {} - # -- Annotations to be added to application controller pdb + # Argo CD sensitive data + # Ref: https://argo-cd.readthedocs.io/en/stable/operator-manual/user-management/#sensitive-data-and-sso-client-secrets + secret: + # -- Create the argocd-secret + createSecret: true + # -- Annotations to be added to argocd-secret annotations: {} - # -- Deploy a Poddisruptionbudget for the application controller - enabled: false - # minAvailable: 1 - # maxUnavailable: 0 + # -- Shared secret for authenticating GitHub webhook events + githubSecret: "" + # -- Shared secret for authenticating GitLab webhook events + gitlabSecret: "" + # -- Shared secret for authenticating BitbucketServer webhook events + bitbucketServerSecret: "" + # -- UUID for authenticating Bitbucket 
webhook events + bitbucketUUID: "" + # -- Shared secret for authenticating Gogs webhook events + gogsSecret: "" - # -- Secrets with credentials to pull images from a private registry - imagePullSecrets: [] + # -- add additional secrets to be added to argocd-secret + ## Custom secrets. Useful for injecting SSO secrets into environment variables. + ## Ref: https://argo-cd.readthedocs.io/en/stable/operator-manual/user-management/#sensitive-data-and-sso-client-secrets + ## Note that all values must be non-empty. + extra: + {} + # LDAP_PASSWORD: "mypassword" -## Dex -dex: - # -- Enable dex - enabled: true - # -- Dex name - name: dex-server + # -- Argo TLS Data + # DEPRECATED - Use server.certificate or server.certificateSecret + # argocdServerTlsConfig: + # key: '' + # crt: '' - # -- Additional command line arguments to pass to the Dex server - extraArgs: [] + # -- Bcrypt hashed admin password + ## Argo expects the password in the secret to be bcrypt hashed. You can create this hash with + ## `htpasswd -nbBC 10 "" $ARGO_PWD | tr -d ':\n' | sed 's/$2y/$2a/'` + argocdServerAdminPassword: "" + # -- Admin password modification time. Eg. `"2006-01-02T15:04:05Z"` + # @default -- `""` (defaults to current time) + argocdServerAdminPasswordMtime: "" - metrics: - # -- Deploy metrics service - enabled: false - service: - # -- Metrics service annotations - annotations: {} - # -- Metrics service labels - labels: {} - # -- Metrics service port name - portName: http-metrics - serviceMonitor: - # -- Enable a prometheus ServiceMonitor - enabled: false - # -- Prometheus ServiceMonitor interval - interval: 30s - # -- Prometheus [RelabelConfigs] to apply to samples before scraping - relabelings: [] - # -- Prometheus [MetricRelabelConfigs] to apply to samples before ingestion - metricRelabelings: [] - # -- Prometheus ServiceMonitor selector - selector: {} - # prometheus: kube-prometheus + # -- Define custom [CSS styles] for your argo instance. 
+ # This setting will automatically mount the provided CSS and reference it in the argo configuration. + # @default -- `""` (See [values.yaml]) + ## Ref: https://argo-cd.readthedocs.io/en/stable/operator-manual/custom-styles/ + styles: "" + # styles: | + # .nav-bar { + # background: linear-gradient(to bottom, #999, #777, #333, #222, #111); + # } + +# -- Array of extra K8s manifests to deploy +extraObjects: [] + # - apiVersion: secrets-store.csi.x-k8s.io/v1 + # kind: SecretProviderClass + # metadata: + # name: argocd-secrets-store + # spec: + # provider: aws + # parameters: + # objects: | + # - objectName: "argocd" + # objectType: "secretsmanager" + # jmesPath: + # - path: "client_id" + # objectAlias: "client_id" + # - path: "client_secret" + # objectAlias: "client_secret" + # secretObjects: + # - data: + # - key: client_id + # objectName: client_id + # - key: client_secret + # objectName: client_secret + # secretName: argocd-secrets-store + # type: Opaque + # labels: + # app.kubernetes.io/part-of: argocd - # -- Prometheus ServiceMonitor scheme - scheme: "" - # -- Prometheus ServiceMonitor tlsConfig - tlsConfig: {} - # -- Prometheus ServiceMonitor namespace - namespace: "" # "monitoring" - # -- Prometheus ServiceMonitor labels - additionalLabels: {} +## Application controller +controller: + # -- Application controller name string + name: application-controller + + # -- The number of application controller pods to run. + # Additional replicas will cause sharding of managed clusters across number of replicas. 
+ replicas: 1 + ## Application controller Pod Disruption Budget + ## Ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ + pdb: + # -- Deploy a [PodDisruptionBudget] for the application controller + enabled: false + # -- Labels to be added to application controller pdb + labels: {} + # -- Annotations to be added to application controller pdb + annotations: {} + # -- Number of pods that are available after eviction as number or percentage (eg.: 50%) + # @default -- `""` (defaults to 0 if not specified) + minAvailable: "" + # -- Number of pods that are unavailble after eviction as number or percentage (eg.: 50%). + ## Has higher precedence over `controller.pdb.minAvailable` + maxUnavailable: "" + + ## Application controller image image: - # -- Dex image repository - repository: ghcr.io/dexidp/dex - # -- Dex image tag - tag: v2.32.0 - # -- Dex imagePullPolicy - # @default -- `""` (defaults to global.image.imagePullPolicy) - imagePullPolicy: "" - initImage: - # -- Argo CD init image repository + # -- Repository to use for the application controller # @default -- `""` (defaults to global.image.repository) repository: "" - # -- Argo CD init image tag + # -- Tag to use for the application controller # @default -- `""` (defaults to global.image.tag) tag: "" - # -- Argo CD init image imagePullPolicy + # -- Image pull policy for the application controller # @default -- `""` (defaults to global.image.imagePullPolicy) imagePullPolicy: "" - # -- Environment variables to pass to the Dex server + # -- Secrets with credentials to pull images from a private registry + # @default -- `[]` (defaults to global.imagePullSecrets) + imagePullSecrets: [] + + # -- DEPRECATED - Application controller commandline flags + args: {} + # DEPRECATED - Use configs.params to override + # # -- define the application controller `--status-processors` + # statusProcessors: "20" + # # -- define the application controller `--operation-processors` + # operationProcessors: "10" + # # -- 
define the application controller `--app-hard-resync` + # appHardResyncPeriod: "0" + # # -- define the application controller `--app-resync` + # appResyncPeriod: "180" + # # -- define the application controller `--self-heal-timeout-seconds` + # selfHealTimeout: "5" + # # -- define the application controller `--repo-server-timeout-seconds` + # repoServerTimeoutSeconds: "60" + + # DEPRECATED - Use configs.params to override + # -- Application controller log format. Either `text` or `json` + # @default -- `""` (defaults to global.logging.format) + # logFormat: "" + # -- Application controller log level. One of: `debug`, `info`, `warn` or `error` + # @default -- `""` (defaults to global.logging.level) + # logLevel: "" + + # -- Additional command line arguments to pass to application controller + extraArgs: [] + + # -- Environment variables to pass to application controller env: [] - # -- envFrom to pass to the Dex server + # -- envFrom to pass to application controller # @default -- `[]` (See [values.yaml]) envFrom: [] # - configMapRef: 
@@ -450,30 +546,33 @@ dex: # - secretRef: # name: secret-name - # -- Annotations to be added to the Dex server pods + # -- Annotations for the application controller StatefulSet + statefulsetAnnotations: {} + + # -- Annotations to be added to application controller pods podAnnotations: {} - # -- Labels to be added to the Dex server pods + # -- Labels to be added to application controller pods podLabels: {} - ## Probes for Dex server - ## Supported from Dex >= 2.28.0 - livenessProbe: - # -- Enable Kubernetes liveness probe for Dex >= 2.28.0 - enabled: false - # -- Minimum consecutive failures for the [probe] to be considered failed after having succeeded - failureThreshold: 3 - # -- Number of seconds after the container has started before [probe] is initiated - initialDelaySeconds: 10 - # -- How often (in seconds) to perform the [probe] - periodSeconds: 10 - # -- Minimum consecutive successes for the [probe] to be considered successful after having failed - successThreshold: 1 - # -- Number of seconds after which the [probe] times out - timeoutSeconds: 1 + # -- Application controller container-level security context + # @default -- See [values.yaml] + containerSecurityContext: + runAsNonRoot: true + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL + + # -- Application controller listening port + containerPort: 8082 + + # Rediness probe for application controller + ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ readinessProbe: - # -- Enable Kubernetes readiness probe for Dex >= 2.28.0 - enabled: false # -- Minimum consecutive failures for the [probe] to be considered failed after having succeeded failureThreshold: 3 # -- Number of seconds after the container has started before [probe] is initiated 
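Review bot: The new `containerSecurityContext` block for the application controller ships hardened defaults, but its comment (`# -- Application controller container-level security context`) does not say how an operator relaxes one of them. Helm merges user values into this map key by key, so a field such as `readOnlyRootFilesystem` stays in force unless it is overridden explicitly or set to `null`; I would add a line like `## Defaults are merged with user values; set a key to null to drop it`. The `seccompProfile` field also needs a cluster version that recognises it, which is worth stating if the chart still supports older clusters (not visible from this hunk). The comment above `readinessProbe` is misspelled `Rediness`. The enclosing `controller:` mapping starts outside the hunk.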
@@ -485,57 +584,22 @@ dex: # -- Number of seconds after which the [probe] times out timeoutSeconds: 1 - serviceAccount: - # -- Create dex service account - create: true - # -- Dex service account name - name: argocd-dex-server - # -- Annotations applied to created service account - annotations: {} - # -- Automount API credentials for the Service Account - automountServiceAccountToken: true - - # -- Additional volumeMounts to the dex main container - volumeMounts: - - name: static-files - mountPath: /shared - - # -- Additional volumes to the dex pod - volumes: - - name: static-files - emptyDir: {} - - # -- Extra volumes to the dex pod - extraVolumes: [] - - # -- Extra volumeMounts to the dex pod - extraVolumeMounts: [] + # -- Additional volumeMounts to the application controller main container + volumeMounts: [] - # -- Container port for HTTP access - containerPortHttp: 5556 - # -- Service port for HTTP access - servicePortHttp: 5556 - # -- Service port name for HTTP access - servicePortHttpName: http - # -- Container port for gRPC access - containerPortGrpc: 5557 - # -- Service port for gRPC access - servicePortGrpc: 5557 - # -- Service port name for gRPC access - servicePortGrpcName: grpc - # -- Container port for metrics access - containerPortMetrics: 5558 - # -- Service port for metrics access - servicePortMetrics: 5558 + # -- Additional volumes to the application controller pod + volumes: [] # -- [Node selector] nodeSelector: {} + # -- [Tolerations] for use with node taints tolerations: [] + # -- Assign custom [affinity] rules to the deployment affinity: {} - # -- Assign custom [TopologySpreadConstraints] rules to dex + # -- Assign custom [TopologySpreadConstraints] rules to the application controller ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ ## If labelSelector is left out, it will default to the labelSelector configuration of the deployment topologySpreadConstraints: [] 
@@ -543,160 +607,126 @@ dex: # topologyKey: topology.kubernetes.io/zone # whenUnsatisfiable: DoNotSchedule - # -- Priority class for dex + # -- Priority class for the application controller pods priorityClassName: "" - # -- Dex container-level security context - containerSecurityContext: - {} - # capabilities: - # drop: - # - all - # readOnlyRootFilesystem: true - -# -- Resource limits and requests for dex + # -- Resource limits and requests for the application controller pods resources: {} # limits: - # cpu: 50m - # memory: 64Mi + # cpu: 500m + # memory: 512Mi # requests: - # cpu: 10m - # memory: 32Mi - - # -- Additional containers to be added to the dex pod - extraContainers: [] - - # -- Init containers to add to the dex pod - initContainers: [] - # - name: download-tools - # image: alpine:3.8 - # command: [sh, -c] - # args: - # - wget -qO- https://get.helm.sh/helm-v2.16.1-linux-amd64.tar.gz | tar -xvzf - && - # mv linux-amd64/helm /custom-tools/ - # volumeMounts: - # - mountPath: /custom-tools - # name: custom-tools - # volumeMounts: - # - mountPath: /usr/local/bin/helm - # name: custom-tools - # subPath: helm + # cpu: 250m + # memory: 256Mi - pdb: - # -- Labels to be added to Dex server pdb - labels: {} - # -- Annotations to be added to Dex server pdb + serviceAccount: + # -- Create a service account for the application controller + create: true + # -- Service account name + name: argocd-application-controller + # -- Annotations applied to created service account annotations: {} + # -- Labels applied to created service account + labels: {} + # -- Automount API credentials for the Service Account + automountServiceAccountToken: true - # -- Deploy a Poddisruptionbudget for the Dex server + ## Application controller metrics configuration + metrics: + # -- Deploy metrics service enabled: false - # minAvailable: 1 - # maxUnavailable: 0 - - # -- Secrets with credentials to pull images from a private registry - imagePullSecrets: [] - -## Redis -redis: - # -- Enable 
redis - enabled: true - # -- Redis name - name: redis - - image: - # -- Redis repository - repository: public.ecr.aws/docker/library/redis - # -- Redis tag - tag: 7.0.4-alpine - # -- Redis imagePullPolicy - imagePullPolicy: IfNotPresent - - # -- Additional command line arguments to pass to redis-server - extraArgs: [] - # - --bind - # - "0.0.0.0" - - # -- Redis container port - containerPort: 6379 - # -- Redis service port - servicePort: 6379 - - # -- Environment variables to pass to the Redis server - env: [] - - # -- envFrom to pass to the Redis server - # @default -- `[]` (See [values.yaml]) - envFrom: [] - # - configMapRef: - # name: config-map-name - # - secretRef: - # name: secret-name - - # -- Annotations to be added to the Redis server pods - podAnnotations: {} - - # -- Labels to be added to the Redis server pods - podLabels: {} - - # -- [Node selector] - nodeSelector: {} - # -- [Tolerations] for use with node taints - tolerations: [] - # -- Assign custom [affinity] rules to the deployment - affinity: {} - - # -- Assign custom [TopologySpreadConstraints] rules to redis - ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ - ## If labelSelector is left out, it will default to the labelSelector configuration of the deployment - topologySpreadConstraints: [] - # - maxSkew: 1 - # topologyKey: topology.kubernetes.io/zone - # whenUnsatisfiable: DoNotSchedule - - # -- Priority class for redis - priorityClassName: "" - - # -- Redis container-level security context - containerSecurityContext: - {} - # capabilities: - # drop: - # - all - # readOnlyRootFilesystem: true - - # -- Redis pod-level security context - securityContext: - runAsNonRoot: true - runAsUser: 999 + applicationLabels: + # -- Enables additional labels in argocd_app_labels metric + enabled: false + # -- Additional labels + labels: [] + service: + # -- Metrics service annotations + annotations: {} + # -- Metrics service labels + labels: {} + # -- Metrics service 
port + servicePort: 8082 + # -- Metrics service port name + portName: http-metrics + serviceMonitor: + # -- Enable a prometheus ServiceMonitor + enabled: false + # -- Prometheus ServiceMonitor interval + interval: 30s + # -- Prometheus [RelabelConfigs] to apply to samples before scraping + relabelings: [] + # -- Prometheus [MetricRelabelConfigs] to apply to samples before ingestion + metricRelabelings: [] + # -- Prometheus ServiceMonitor selector + selector: {} + # prometheus: kube-prometheus - serviceAccount: - # -- Create a service account for the redis pod - create: false - # -- Service account name for redis pod - name: "" - # -- Annotations applied to created service account - annotations: {} - # -- Automount API credentials for the Service Account - automountServiceAccountToken: false + # -- Prometheus ServiceMonitor scheme + scheme: "" + # -- Prometheus ServiceMonitor tlsConfig + tlsConfig: {} + # -- Prometheus ServiceMonitor namespace + namespace: "" # "monitoring" + # -- Prometheus ServiceMonitor labels + additionalLabels: {} + # -- Prometheus ServiceMonitor annotations + annotations: {} + rules: + # -- Deploy a PrometheusRule for the application controller + enabled: false + # -- PrometheusRule.Spec for the application controller + spec: [] + # - alert: ArgoAppMissing + # expr: | + # absent(argocd_app_info) == 1 + # for: 15m + # labels: + # severity: critical + # annotations: + # summary: "[Argo CD] No reported applications" + # description: > + # Argo CD has not reported any applications data for the past 15 minutes which + # means that it must be down or not functioning properly. This needs to be + # resolved for this cloud to continue to maintain state. 
+ # - alert: ArgoAppNotSynced + # expr: | + # argocd_app_info{sync_status!="Synced"} == 1 + # for: 12h + # labels: + # severity: warning + # annotations: + # summary: "[{{`{{$labels.name}}`}}] Application not synchronized" + # description: > + # The application [{{`{{$labels.name}}`}} has not been synchronized for over + # 12 hours which means that the state of this cloud has drifted away from the + # state inside Git. + # selector: + # prometheus: kube-prometheus + # namespace: monitoring + # additionalLabels: {} + # annotations: {} - # -- Resource limits and requests for redis - resources: {} - # limits: - # cpu: 200m - # memory: 128Mi - # requests: - # cpu: 100m - # memory: 64Mi + ## Enable if you would like to grant rights to Argo CD to deploy to the local Kubernetes cluster. + clusterAdminAccess: + # -- Enable RBAC for local cluster deployments + enabled: true - # -- Additional volumeMounts to the redis container - volumeMounts: [] - # -- Additional volumes to the redis pod - volumes: [] + ## Enable this and set the rules: to whatever custom rules you want for the Cluster Role resource. + ## Defaults to off + clusterRoleRules: + # -- Enable custom rules for the application controller's ClusterRole resource + enabled: false + # -- List of custom rules for the application controller's ClusterRole resource + rules: [] - # -- Additional containers to be added to the redis pod + # -- Additional containers to be added to the application controller pod extraContainers: [] - # -- Init containers to add to the redis pod + # -- Init containers to add to the application controller pod + ## If your target Kubernetes cluster(s) require a custom auth provider executable + ## you could use this (and the same in the server pod) to bootstrap + ## that executable into your Argo CD container initContainers: [] # - name: download-tools # image: alpine:3.8 
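Review bot: `clusterAdminAccess.enabled: true` near the end of this hunk is on by default, yet its comment reads `Enable if you would like to grant rights to Argo CD to deploy to the local Kubernetes cluster`, which suggests an opt-in. Judging by the key name and the neighbouring `clusterRoleRules` block this controls a cluster-wide role for the controller, though the template is not in view here. I would reword the comment to something like `## Enabled by default. Set to false when Argo CD only manages remote clusters; see clusterRoleRules for custom rules`, so least-privilege installs know where to look. Separately, the description in the commented `ArgoAppNotSynced` example opens a `[` before the templated application name and never closes it.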
@@ -712,49 +742,30 @@ redis: # name: custom-tools # subPath: helm - service: - # -- Redis service annotations - annotations: {} - # -- Additional redis service labels - labels: {} +## Dex +dex: + # -- Enable dex + enabled: true + # -- Dex name + name: dex-server + + # -- Additional command line arguments to pass to the Dex server + extraArgs: [] metrics: - # -- Deploy metrics service and redis-exporter sidecar + # -- Deploy metrics service enabled: false - image: - # -- redis-exporter image repository - repository: public.ecr.aws/bitnami/redis-exporter - # -- redis-exporter image tag - tag: 1.26.0-debian-10-r2 - # -- redis-exporter image PullPolicy - imagePullPolicy: IfNotPresent - # -- Port to use for redis-exporter sidecar - containerPort: 9121 - # -- Resource limits and requests for redis-exporter sidecar - resources: {} - # limits: - # cpu: 50m - # memory: 64Mi - # requests: - # cpu: 10m - # memory: 32Mi service: - # -- Metrics service type - type: ClusterIP - # -- Metrics service clusterIP. `None` makes a "headless service" (no virtual IP) - clusterIP: None # -- Metrics service annotations annotations: {} # -- Metrics service labels labels: {} - # -- Metrics service port - servicePort: 9121 # -- Metrics service port name portName: http-metrics serviceMonitor: # -- Enable a prometheus ServiceMonitor enabled: false - # -- Interval at which metrics should be scraped + # -- Prometheus ServiceMonitor interval interval: 30s # -- Prometheus [RelabelConfigs] to apply to samples before scraping relabelings: [] 
@@ -772,138 +783,55 @@ redis: namespace: "" # "monitoring" # -- Prometheus ServiceMonitor labels additionalLabels: {} + # -- Prometheus ServiceMonitor annotations + annotations: {} + ## Dex Pod Disruption Budget + ## Ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ pdb: - # -- Labels to be added to Redis server pdb + # -- Deploy a [PodDisruptionBudget] for the Dex server + enabled: false + # -- Labels to be added to Dex server pdb labels: {} - # -- Annotations to be added to Redis server pdb + # -- Annotations to be added to Dex server pdb annotations: {} - - # -- Deploy a Poddisruptionbudget for the Redis server - enabled: false - # minAvailable: 1 - # maxUnavailable: 0 + # -- Number of pods that are available after eviction as number or percentage (eg.: 50%) + # @default -- `""` (defaults to 0 if not specified) + minAvailable: "" + # -- Number of pods that are unavailble after eviction as number or percentage (eg.: 50%). + ## Has higher precedence over `dex.pdb.minAvailable` + maxUnavailable: "" + + ## Dex image + image: + # -- Dex image repository + repository: ghcr.io/dexidp/dex + # -- Dex image tag + tag: v2.35.3 + # -- Dex imagePullPolicy + # @default -- `""` (defaults to global.image.imagePullPolicy) + imagePullPolicy: "" # -- Secrets with credentials to pull images from a private registry + # @default -- `[]` (defaults to global.imagePullSecrets) imagePullSecrets: [] -# This key configures Redis-HA subchart and when enabled (redis-ha.enabled=true) -# the custom redis deployment is omitted -# Check the redis-ha chart for more properties -redis-ha: - # -- Enables the Redis HA subchart and disables the custom Redis single node deployment - enabled: false - exporter: - # -- If `true`, the prometheus exporter sidecar is enabled - enabled: true - persistentVolume: - # -- Configures persistency on Redis nodes - enabled: false - redis: - # -- Redis convention for naming the cluster group: must match `^[\\w-\\.]+$` and can be templated - 
masterGroupName: argocd - # -- Any valid redis config options in this section will be applied to each server (see `redis-ha` chart) - # @default -- See [values.yaml] - config: - # -- Will save the DB if both the given number of seconds and the given number of write operations against the DB occurred. `""` is disabled - # @default -- `'""'` - save: '""' - haproxy: - # -- Enabled HAProxy LoadBalancing/Proxy - enabled: true - metrics: - # -- HAProxy enable prometheus metric scraping - enabled: true - image: - # -- Redis tag - tag: 7.0.4-alpine - - ## https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ - topologySpreadConstraints: - # -- Enable Redis HA topology spread constraints - enabled: false - # -- Max skew of pods tolerated - # @default -- `""` (defaults to `1`) - maxSkew: "" - # -- Topology key for spread - # @default -- `""` (defaults to `topology.kubernetes.io/zone`) - topologyKey: "" - # -- Enforcement policy, hard or soft - # @default -- `""` (defaults to `ScheduleAnyway`) - whenUnsatisfiable: "" - -# External Redis parameters -externalRedis: - # -- External Redis server host - host: "" - # -- External Redis password - password: "" - # -- External Redis server port - port: 6379 - # -- The name of an existing secret with Redis credentials (must contain key `redis-password`). 
- # When it's set, the `externalRedis.password` parameter is ignored - existingSecret: "" - # -- External Redis Secret annotations - secretAnnotations: {} - -## Server -server: - # -- Argo CD server name - name: server - - # -- The number of server pods to run - replicas: 1 - - autoscaling: - # -- Enable Horizontal Pod Autoscaler ([HPA]) for the Argo CD server - enabled: false - # -- Minimum number of replicas for the Argo CD server [HPA] - minReplicas: 1 - # -- Maximum number of replicas for the Argo CD server [HPA] - maxReplicas: 5 - # -- Average CPU utilization percentage for the Argo CD server [HPA] - targetCPUUtilizationPercentage: 50 - # -- Average memory utilization percentage for the Argo CD server [HPA] - targetMemoryUtilizationPercentage: 50 - # -- Configures the scaling behavior of the target in both Up and Down directions. - # This is only available on HPA apiVersion `autoscaling/v2beta2` and newer - behavior: {} - # scaleDown: - # stabilizationWindowSeconds: 300 - # policies: - # - type: Pods - # value: 1 - # periodSeconds: 180 - # scaleUp: - # stabilizationWindowSeconds: 300 - # policies: - # - type: Pods - # value: 2 - # periodSeconds: 60 - image: - # -- Repository to use for the Argo CD server + # Argo CD init image that creates Dex config + initImage: + # -- Argo CD init image repository # @default -- `""` (defaults to global.image.repository) - repository: "" # defaults to global.image.repository - # -- Tag to use for the Argo CD server + repository: "" + # -- Argo CD init image tag # @default -- `""` (defaults to global.image.tag) - tag: "" # defaults to global.image.tag - # -- Image pull policy for the Argo CD server + tag: "" + # -- Argo CD init image imagePullPolicy # @default -- `""` (defaults to global.image.imagePullPolicy) - imagePullPolicy: "" # IfNotPresent - - # -- Additional command line arguments to pass to Argo CD server - extraArgs: [] - # - --insecure - - # This flag is used to either remove or pass the CLI flag --staticassets 
/shared/app to the Argo CD server app - staticAssets: - # -- Disable deprecated flag `--staticassets` - enabled: true + imagePullPolicy: "" - # -- Environment variables to pass to Argo CD server + # -- Environment variables to pass to the Dex server env: [] - # -- envFrom to pass to Argo CD server + # -- envFrom to pass to the Dex server # @default -- `[]` (See [values.yaml]) envFrom: [] # - configMapRef: 
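Review bot: The `dex.pdb` comments say `minAvailable` defaults to 0 when unset, so turning on `enabled` alone would, by that description, create a budget that blocks no evictions. I would say so next to `enabled`, for example `# -- Deploy a [PodDisruptionBudget] for the Dex server (also set minAvailable or maxUnavailable; the default of 0 protects nothing)`. The `maxUnavailable` comment is misspelled `unavailble`, and the same wording and typo appear in the `controller.pdb` block earlier in this diff. The `dex:` mapping continues outside the hunk.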
@@ -911,29 +839,49 @@ server: # - secretRef: # name: secret-name - # -- Specify postStart and preStop lifecycle hooks for your argo-cd-server container - lifecycle: {} + # TLS certificate configuration via Secret + ## Ref: https://argo-cd.readthedocs.io/en/stable/operator-manual/tls/#configuring-tls-to-argocd-dex-server + ## Note: Issuing certificates via cert-manager in not supported right now because it's not possible to restart Dex automatically without extra controllers. + certificateSecret: + # -- Create argocd-dex-server-tls secret + enabled: false + # -- Labels to be added to argocd-dex-server-tls secret + labels: {} + # -- Annotations to be added to argocd-dex-server-tls secret + annotations: {} + # -- Certificate authority. Required for self-signed certificates. + ca: '' + # -- Certificate private key + key: '' + # -- Certificate data. Must contain SANs of Dex service (ie: argocd-dex-server, argocd-dex-server.argo-cd.svc) + crt: '' - # -- Argo CD server log format: Either `text` or `json` - # @default -- `""` (defaults to global.logging.format) - logFormat: "" - # -- Argo CD server log level. 
One of: `debug`, `info`, `warn` or `error` - # @default -- `""` (defaults to global.logging.level) - logLevel: "" + # -- Annotations to be added to the Dex server Deployment + deploymentAnnotations: {} - # -- Annotations to be added to server pods + # -- Annotations to be added to the Dex server pods podAnnotations: {} - # -- Labels to be added to server pods + # -- Labels to be added to the Dex server pods podLabels: {} - # -- Configures the server port - containerPort: 8080 + # -- Dex container-level security context + # @default -- See [values.yaml] + containerSecurityContext: + runAsNonRoot: true + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL - ## Readiness and liveness probes for default backend - ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ - ## - readinessProbe: + ## Probes for Dex server + ## Supported from Dex >= 2.28.0 + livenessProbe: + # -- Enable Kubernetes liveness probe for Dex >= 2.28.0 + enabled: false # -- Minimum consecutive failures for the [probe] to be considered failed after having succeeded failureThreshold: 3 # -- Number of seconds after the container has started before [probe] is initiated @@ -944,7 +892,9 @@ server: successThreshold: 1 # -- Number of seconds after which the [probe] times out timeoutSeconds: 1 - livenessProbe: + readinessProbe: + # -- Enable Kubernetes readiness probe for Dex >= 2.28.0 + enabled: false # -- Minimum consecutive failures for the [probe] to be considered failed after having succeeded failureThreshold: 3 # -- Number of seconds after the container has started before [probe] is initiated 
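Review bot: `dex.certificateSecret.key` takes the TLS private key as a plain chart value, and the comment `# -- Certificate private key` gives no guidance on handling it. A key written into a values file tends to end up in version control and is kept with the release's stored values, so I would extend the comment, e.g. `# -- Certificate private key. Pass at install time (for example with --set-file), do not commit it`. The note above the block has a typo: `in not supported` should read `is not supported`. The `dex:` mapping begins and ends outside this hunk.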
@@ -956,12 +906,39 @@ server: # -- Number of seconds after which the [probe] times out timeoutSeconds: 1 - # -- Additional volumeMounts to the server main container + serviceAccount: + # -- Create dex service account + create: true + # -- Dex service account name + name: argocd-dex-server + # -- Annotations applied to created service account + annotations: {} + # -- Automount API credentials for the Service Account + automountServiceAccountToken: true + + # -- Additional volumeMounts to the dex main container volumeMounts: [] - # -- Additional volumes to the server pod + # -- Additional volumes to the dex pod volumes: [] + # -- Container port for HTTP access + containerPortHttp: 5556 + # -- Service port for HTTP access + servicePortHttp: 5556 + # -- Service port name for HTTP access + servicePortHttpName: http + # -- Container port for gRPC access + containerPortGrpc: 5557 + # -- Service port for gRPC access + servicePortGrpc: 5557 + # -- Service port name for gRPC access + servicePortGrpcName: grpc + # -- Container port for metrics access + containerPortMetrics: 5558 + # -- Service port for metrics access + servicePortMetrics: 5558 + # -- [Node selector] nodeSelector: {} # -- [Tolerations] for use with node taints @@ -969,7 +946,7 @@ server: # -- Assign custom [affinity] rules to the deployment affinity: {} - # -- Assign custom [TopologySpreadConstraints] rules to the Argo CD server + # -- Assign custom [TopologySpreadConstraints] rules to dex ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ ## If labelSelector is left out, it will default to the labelSelector configuration of the deployment topologySpreadConstraints: [] 
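Review bot: The Dex `serviceAccount` block defaults `automountServiceAccountToken: true` without saying why, while the Redis block added later in this diff defaults it to `false`. If Dex needs the token, presumably to read its configuration through the Kubernetes API (the templates are not in this hunk), a comment such as `## Dex reads its configuration through the Kubernetes API, so the token must be mounted` would stop operators from treating the setting as incidental. If it does not, `false` would be the least-privilege default. The enclosing `dex:` mapping starts outside this hunk.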
@@ -977,416 +954,165 @@ server: # topologyKey: topology.kubernetes.io/zone # whenUnsatisfiable: DoNotSchedule - # -- Priority class for the Argo CD server + # -- Priority class for dex priorityClassName: "" - # -- Servers container-level security context - containerSecurityContext: - {} - # capabilities: - # drop: - # - all - # readOnlyRootFilesystem: true - - # -- Resource limits and requests for the Argo CD server + # -- Resource limits and requests for dex resources: {} # limits: - # cpu: 100m - # memory: 128Mi - # requests: # cpu: 50m # memory: 64Mi + # requests: + # cpu: 10m + # memory: 32Mi - ## Certificate configuration - certificate: - # -- Deploy a Certificate resource (requires cert-manager) - enabled: false - # -- Certificate primary domain (commonName) - domain: argocd.example.com - # -- The requested 'duration' (i.e. lifetime) of the Certificate. Value must be in units accepted by Go time.ParseDuration - duration: "" - # -- How long before the currently issued certificate's expiry cert-manager should renew the certificate. Value must be in units accepted by Go time.ParseDuration - renewBefore: "" - # Private key of the certificate - privateKey: - # -- Rotation policy of private key when certificate is re-issued. Either: `Never` or `Always` - rotationPolicy: Never - # -- The private key cryptography standards (PKCS) encoding for private key. Either: `PCKS1` or `PKCS8` - encoding: PKCS1 - # -- Algorithm used to generate certificate private key. One of: `RSA`, `Ed25519` or `ECDSA` - algorithm: RSA - # -- Key bit size of the private key. If algorithm is set to `Ed25519`, size is ignored. - size: 2048 - issuer: - # -- Certificate issuer group. Set if using an external issuer. Eg. `cert-manager.io` - group: "" - # -- Certificate issuer kind. Either `Issuer` or `ClusterIssuer` - kind: "" - # -- Certificate isser name. Eg. 
`letsencrypt` - name: "" - # -- Certificate manager additional hosts - additionalHosts: [] - # -- The name of the Secret that will be automatically created and managed by this Certificate resource - secretName: argocd-server-tls - - ## Server service configuration - service: - # -- Server service annotations - annotations: {} - # -- Server service labels - labels: {} - # -- Server service type - type: ClusterIP - # -- Server service http port for NodePort service type (only if `server.service.type` is set to "NodePort") - nodePortHttp: 30080 - # -- Server service https port for NodePort service type (only if `server.service.type` is set to "NodePort") - nodePortHttps: 30443 - # -- Server service http port - servicePortHttp: 80 - # -- Server service https port - servicePortHttps: 443 - # -- Server service http port name, can be used to route traffic via istio - servicePortHttpName: http - # -- Server service https port name, can be used to route traffic via istio - servicePortHttpsName: https - # -- Use named target port for argocd - ## Named target ports are not supported by GCE health checks, so when deploying argocd on GKE - ## and exposing it via GCE ingress, the health checks fail and the load balancer returns a 502. - namedTargetPort: true - # -- LoadBalancer will get created with the IP specified in this field - loadBalancerIP: "" - # -- Source IP ranges to allow access to service from - loadBalancerSourceRanges: [] - # -- Server service external IPs - externalIPs: [] - # -- Denotes if this Service desires to route external traffic to node-local or cluster-wide endpoints - externalTrafficPolicy: "" - # -- Used to maintain session affinity. 
Supports `ClientIP` and `None` - sessionAffinity: "" - - ## Server metrics service configuration - metrics: - # -- Deploy metrics service - enabled: false - service: - # -- Metrics service annotations - annotations: {} - # -- Metrics service labels - labels: {} - # -- Metrics service port - servicePort: 8083 - # -- Metrics service port name - portName: http-metrics - serviceMonitor: - # -- Enable a prometheus ServiceMonitor - enabled: false - # -- Prometheus ServiceMonitor interval - interval: 30s - # -- Prometheus [RelabelConfigs] to apply to samples before scraping - relabelings: [] - # -- Prometheus [MetricRelabelConfigs] to apply to samples before ingestion - metricRelabelings: [] - # -- Prometheus ServiceMonitor selector - selector: {} - # prometheus: kube-prometheus - - # -- Prometheus ServiceMonitor scheme - scheme: "" - # -- Prometheus ServiceMonitor tlsConfig - tlsConfig: {} - # -- Prometheus ServiceMonitor namespace - namespace: "" # monitoring - # -- Prometheus ServiceMonitor labels - additionalLabels: {} - - serviceAccount: - # -- Create server service account - create: true - # -- Server service account name - name: argocd-server - # -- Annotations applied to created service account - annotations: {} - # -- Automount API credentials for the Service Account - automountServiceAccountToken: true - - ingress: - # -- Enable an ingress resource for the Argo CD server - enabled: false - # -- Additional ingress annotations - annotations: {} - # -- Additional ingress labels - labels: {} - # -- Defines which ingress controller will implement the resource - ingressClassName: "" - - # -- List of ingress hosts - ## Argo Ingress. - ## Hostnames must be provided if Ingress is enabled. - ## Secrets must be manually created in the namespace - hosts: - [] - # - argocd.example.com - - # -- List of ingress paths - paths: - - / - # -- Ingress path type. 
One of `Exact`, `Prefix` or `ImplementationSpecific` - pathType: Prefix - # -- Additional ingress paths - extraPaths: - [] - # - path: /* - # backend: - # serviceName: ssl-redirect - # servicePort: use-annotation - ## for Kubernetes >=1.19 (when "networking.k8s.io/v1" is used) - # - path: /* - # pathType: Prefix - # backend: - # service: - # name: ssl-redirect - # port: - # name: use-annotation + # -- Additional containers to be added to the dex pod + extraContainers: [] - # -- Ingress TLS configuration - tls: - [] - # - secretName: argocd-tls-certificate - # hosts: - # - argocd.example.com + # -- Init containers to add to the dex pod + initContainers: [] + # - name: download-tools + # image: alpine:3.8 + # command: [sh, -c] + # args: + # - wget -qO- https://get.helm.sh/helm-v2.16.1-linux-amd64.tar.gz | tar -xvzf - && + # mv linux-amd64/helm /custom-tools/ + # volumeMounts: + # - mountPath: /custom-tools + # name: custom-tools + # volumeMounts: + # - mountPath: /usr/local/bin/helm + # name: custom-tools + # subPath: helm - # -- Uses `server.service.servicePortHttps` instead `server.service.servicePortHttp` - https: false +## Redis +redis: + # -- Enable redis + enabled: true + # -- Redis name + name: redis - # dedicated ingress for gRPC as documented at - # Ref: https://argo-cd.readthedocs.io/en/stable/operator-manual/ingress/ - ingressGrpc: - # -- Enable an ingress resource for the Argo CD server for dedicated [gRPC-ingress] + ## Redis Pod Disruption Budget + ## Ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ + pdb: + # -- Deploy a [PodDisruptionBudget] for the Redis enabled: false - # -- Setup up gRPC ingress to work with an AWS ALB - isAWSALB: false - # -- Additional ingress annotations for dedicated [gRPC-ingress] - annotations: {} - # -- Additional ingress labels for dedicated [gRPC-ingress] + # -- Labels to be added to Redis pdb labels: {} - # -- Defines which ingress controller will implement the resource [gRPC-ingress] - 
ingressClassName: "" - - awsALB: - # -- Service type for the AWS ALB gRPC service - ## Service Type if isAWSALB is set to true - ## Can be of type NodePort or ClusterIP depending on which mode you are - ## are running. Instance mode needs type NodePort, IP mode needs type - ## ClusterIP - ## Ref: https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.2/how-it-works/#ingress-traffic - serviceType: NodePort - # -- Backend protocol version for the AWS ALB gRPC service - ## This tells AWS to send traffic from the ALB using HTTP2. Can use gRPC as well if you want to leverage gRPC specific features - backendProtocolVersion: HTTP2 - - # -- List of ingress hosts for dedicated [gRPC-ingress] - ## Argo Ingress. - ## Hostnames must be provided if Ingress is enabled. - ## Secrets must be manually created in the namespace - ## - hosts: - [] - # - argocd.example.com + # -- Annotations to be added to Redis pdb + annotations: {} + # -- Number of pods that are available after eviction as number or percentage (eg.: 50%) + # @default -- `""` (defaults to 0 if not specified) + minAvailable: "" + # -- Number of pods that are unavailble after eviction as number or percentage (eg.: 50%). + ## Has higher precedence over `redis.pdb.minAvailable` + maxUnavailable: "" + + ## Redis image + image: + # -- Redis repository + repository: public.ecr.aws/docker/library/redis + # -- Redis tag + tag: 7.0.5-alpine + # -- Redis imagePullPolicy + imagePullPolicy: IfNotPresent - # -- List of ingress paths for dedicated [gRPC-ingress] - paths: - - / - # -- Ingress path type for dedicated [gRPC-ingress]. 
One of `Exact`, `Prefix` or `ImplementationSpecific` - pathType: Prefix - # -- Additional ingress paths for dedicated [gRPC-ingress] - extraPaths: - [] - # - path: /* - # backend: - # serviceName: ssl-redirect - # servicePort: use-annotation - ## for Kubernetes >=1.19 (when "networking.k8s.io/v1" is used) - # - path: /* - # pathType: Prefix - # backend: - # service: - # name: ssl-redirect - # port: - # name: use-annotation + # -- Secrets with credentials to pull images from a private registry + # @default -- `[]` (defaults to global.imagePullSecrets) + imagePullSecrets: [] - # -- Ingress TLS configuration for dedicated [gRPC-ingress] - tls: - [] - # - secretName: argocd-tls-certificate - # hosts: - # - argocd.example.com + # -- Additional command line arguments to pass to redis-server + extraArgs: [] + # - --bind + # - "0.0.0.0" - # -- Uses `server.service.servicePortHttps` instead `server.service.servicePortHttp` - https: false + # -- Redis container port + containerPort: 6379 + # -- Redis service port + servicePort: 6379 - # Create a OpenShift Route with SSL passthrough for UI and CLI - # Consider setting 'hostname' e.g. https://argocd.apps-crc.testing/ using your Default Ingress Controller Domain - # Find your domain with: kubectl describe --namespace=openshift-ingress-operator ingresscontroller/default | grep Domain: - # If 'hostname' is an empty string "" OpenShift will create a hostname for you. 
- route: - # -- Enable an OpenShift Route for the Argo CD server - enabled: false - # -- Openshift Route annotations - annotations: {} - # -- Hostname of OpenShift Route - hostname: "" - # -- Termination type of Openshift Route - termination_type: passthrough - # -- Termination policy of Openshift Route - termination_policy: None + # -- Environment variables to pass to the Redis server + env: [] - # -- Manage Argo CD configmap (Declarative Setup) - ## Ref: https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/argocd-cm.yaml - configEnabled: true - # -- [General Argo CD configuration] - # @default -- See [values.yaml] - config: - # Argo CD's externally facing base URL (optional). Required when configuring SSO - url: "" - # Argo CD instance label key - application.instanceLabelKey: argocd.argoproj.io/instance + # -- envFrom to pass to the Redis server + # @default -- `[]` (See [values.yaml]) + envFrom: [] + # - configMapRef: + # name: config-map-name + # - secretRef: + # name: secret-name - # Enable logs RBAC enforcement - # Ref: https://argo-cd.readthedocs.io/en/latest/operator-manual/upgrading/2.3-2.4/#enable-logs-rbac-enforcement - server.rbac.log.enforce.enable: "false" + # -- Annotations to be added to the Redis server Deployment + deploymentAnnotations: {} - # exec.enabled indicates whether the UI exec feature is enabled. It is disabled by default. - # Ref: https://argo-cd.readthedocs.io/en/latest/operator-manual/rbac/#exec-resource - exec.enabled: "false" + # -- Annotations to be added to the Redis server pods + podAnnotations: {} - # admin.enabled indicates whether the admin user is enabled. It is enabled by default. 
- # https://argo-cd.readthedocs.io/en/latest/faq/#how-to-disable-admin-user - admin.enabled: "true" + # -- Labels to be added to the Redis server pods + podLabels: {} - # dex.config: | - # connectors: - # # GitHub example - # - type: github - # id: github - # name: GitHub - # config: - # clientID: aabbccddeeff00112233 - # clientSecret: $dex.github.clientSecret # Alternatively $:dex.github.clientSecret - # orgs: - # - name: your-github-org + # -- Redis pod-level security context + # @default -- See [values.yaml] + securityContext: + runAsNonRoot: true + runAsUser: 999 + seccompProfile: + type: RuntimeDefault - # oidc.config: | - # name: AzureAD - # issuer: https://login.microsoftonline.com/TENANT_ID/v2.0 - # clientID: CLIENT_ID - # clientSecret: $oidc.azuread.clientSecret - # requestedIDTokenClaims: - # groups: - # essential: true - # requestedScopes: - # - openid - # - profile - # - email + # -- Redis container-level security context + # @default -- See [values.yaml] + containerSecurityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL - # -- Annotations to be added to Argo CD ConfigMap - configAnnotations: {} + # -- [Node selector] + nodeSelector: {} + # -- [Tolerations] for use with node taints + tolerations: [] + # -- Assign custom [affinity] rules to the deployment + affinity: {} - # -- Argo CD rbac config ([Argo CD RBAC policy]) - ## Ref: https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/rbac.md - rbacConfig: - {} - # policy.csv is a file containing user-defined RBAC policies and role definitions (optional). - # Policy rules are in the form: - # p, subject, resource, action, object, effect - # Role definitions and bindings are in the form: - # g, subject, inherited-subject - # See https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/rbac.md for additional information. 
- # policy.csv: | - # # Grant all members of the group 'my-org:team-alpha; the ability to sync apps in 'my-project' - # p, my-org:team-alpha, applications, sync, my-project/*, allow - # # Grant all members of 'my-org:team-beta' admins - # g, my-org:team-beta, role:admin - # policy.default is the name of the default role which Argo CD will falls back to, when - # authorizing API requests (optional). If omitted or empty, users may be still be able to login, - # but will see no apps, projects, etc... - # policy.default: role:readonly - # scopes controls which OIDC scopes to examine during rbac enforcement (in addition to `sub` scope). - # If omitted, defaults to: '[groups]'. The scope value can be a string, or a list of strings. - # scopes: '[cognito:groups, email]' - - # -- Annotations to be added to Argo CD rbac ConfigMap - rbacConfigAnnotations: {} - - # -- Whether or not to create the configmap. If false, it is expected the configmap will be created - # by something else. Argo CD will not work if there is no configMap created with the name above. - rbacConfigCreate: true + # -- Assign custom [TopologySpreadConstraints] rules to redis + ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + ## If labelSelector is left out, it will default to the labelSelector configuration of the deployment + topologySpreadConstraints: [] + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule - ## Enable Admin ClusterRole resources. - ## Enable if you would like to grant rights to Argo CD to deploy to the local Kubernetes cluster. 
- clusterAdminAccess: - # -- Enable RBAC for local cluster deployments - enabled: true + # -- Priority class for redis + priorityClassName: "" - GKEbackendConfig: - # -- Enable BackendConfig custom resource for Google Kubernetes Engine - enabled: false - # -- [BackendConfigSpec] - spec: {} - # spec: - # iap: - # enabled: true - # oauthclientCredentials: - # secretName: argocd-secret + serviceAccount: + # -- Create a service account for the redis pod + create: false + # -- Service account name for redis pod + name: "" + # -- Annotations applied to created service account + annotations: {} + # -- Automount API credentials for the Service Account + automountServiceAccountToken: false - ## Create a Google Managed Certificate for use with the GKE Ingress Controller - ## https://cloud.google.com/kubernetes-engine/docs/how-to/managed-certs - GKEmanagedCertificate: - # -- Enable ManagedCertificate custom resource for Google Kubernetes Engine. - enabled: false - # -- Domains for the Google Managed Certificate - domains: - - argocd.example.com + # -- Resource limits and requests for redis + resources: {} + # limits: + # cpu: 200m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 64Mi - ## Create a Google FrontendConfig Custom Resource, for use with the GKE Ingress Controller - ## https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-features#configuring_ingress_features_through_frontendconfig_parameters - GKEfrontendConfig: - # -- Enable FrontConfig custom resource for Google Kubernetes Engine - enabled: false - # -- [FrontendConfigSpec] - spec: {} - # spec: - # redirectToHttps: - # enabled: true - # responseCodeName: RESPONSE_CODE + # -- Additional volumeMounts to the redis container + volumeMounts: [] + # -- Additional volumes to the redis pod + volumes: [] - # -- Additional containers to be added to the server pod - ## See https://github.com/lemonldap-ng-controller/lemonldap-ng-controller as example. 
+ # -- Additional containers to be added to the redis pod extraContainers: [] - # - name: my-sidecar - # image: nginx:latest - # - name: lemonldap-ng-controller - # image: lemonldapng/lemonldap-ng-controller:0.2.0 - # args: - # - /lemonldap-ng-controller - # - --alsologtostderr - # - --configmap=$(POD_NAMESPACE)/lemonldap-ng-configuration - # env: - # - name: POD_NAME - # valueFrom: - # fieldRef: - # fieldPath: metadata.name - # - name: POD_NAMESPACE - # valueFrom: - # fieldRef: - # fieldPath: metadata.namespace - # volumeMounts: - # - name: copy-portal-skins - # mountPath: /srv/var/lib/lemonldap-ng/portal/skins - # -- Init containers to add to the server pod - ## If your target Kubernetes cluster(s) require a custom auth provider executable - ## you could use this (and the same in the application controller pod) to bootstrap - ## that executable into your Argo CD container + # -- Init containers to add to the redis pod initContainers: [] # - name: download-tools # image: alpine:3.8 
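Review bot: `redis.containerSecurityContext` sets only `allowPrivilegeEscalation: false` and `capabilities.drop: [ALL]`, whereas the Dex context earlier in this diff and the redis-exporter context in the next hunk also set `readOnlyRootFilesystem: true`. If the bundled Redis runs without persistence (its deployment template and arguments are not visible here), adding `readOnlyRootFilesystem: true` would make the three defaults consistent; if it needs a writable root, a comment saying so would help. Separately, the commented `initContainers` example added under Dex pipes a `wget` download straight into `tar` from an `alpine:3.8` image with no checksum step, and examples like this tend to be copied verbatim. The `dex:` mapping this hunk finishes begins outside it.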
@@ -1402,65 +1128,163 @@ server: # name: custom-tools # subPath: helm - extensions: - # -- Enable support for extensions - ## This function in tech preview stage, do expect unstability or breaking changes in newer versions. Bump image.tag if necessary. + service: + # -- Redis service annotations + annotations: {} + # -- Additional redis service labels + labels: {} + + metrics: + # -- Deploy metrics service and redis-exporter sidecar enabled: false - image: - # -- Repository to use for extensions image - repository: "ghcr.io/argoproj-labs/argocd-extensions" - # -- Tag to use for extensions image - tag: "v0.1.0" - # -- Image pull policy for extensions + # -- redis-exporter image repository + repository: public.ecr.aws/bitnami/redis-exporter + # -- redis-exporter image tag + tag: 1.26.0-debian-10-r2 + # -- redis-exporter image PullPolicy imagePullPolicy: IfNotPresent + # -- Port to use for redis-exporter sidecar + containerPort: 9121 - # -- Resource limits and requests for the argocd-extensions container + # -- Redis exporter security context + # @default -- See [values.yaml] + containerSecurityContext: + runAsNonRoot: true + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL + + # -- Resource limits and requests for redis-exporter sidecar resources: {} - # limits: - # cpu: 50m - # memory: 128Mi - # requests: - # cpu: 10m - # memory: 64Mi + # limits: + # cpu: 50m + # memory: 64Mi + # requests: + # cpu: 10m + # memory: 32Mi + service: + # -- Metrics service type + type: ClusterIP + # -- Metrics service clusterIP. 
`None` makes a "headless service" (no virtual IP) + clusterIP: None + # -- Metrics service annotations + annotations: {} + # -- Metrics service labels + labels: {} + # -- Metrics service port + servicePort: 9121 + # -- Metrics service port name + portName: http-metrics + serviceMonitor: + # -- Enable a prometheus ServiceMonitor + enabled: false + # -- Interval at which metrics should be scraped + interval: 30s + # -- Prometheus [RelabelConfigs] to apply to samples before scraping + relabelings: [] + # -- Prometheus [MetricRelabelConfigs] to apply to samples before ingestion + metricRelabelings: [] + # -- Prometheus ServiceMonitor selector + selector: {} + # prometheus: kube-prometheus - # -- Extensions to be loaded into the server - contents: [] - # - name: argo-rollouts - # url: https://github.com/argoproj-labs/rollout-extension/releases/download/v0.1.0/extension.tar + # -- Prometheus ServiceMonitor scheme + scheme: "" + # -- Prometheus ServiceMonitor tlsConfig + tlsConfig: {} + # -- Prometheus ServiceMonitor namespace + namespace: "" # "monitoring" + # -- Prometheus ServiceMonitor labels + additionalLabels: {} + # -- Prometheus ServiceMonitor annotations + annotations: {} - pdb: - # -- Labels to be added to server pdb - labels: {} - # -- Annotations to be added to server pdb - annotations: {} - # -- Deploy a Poddisruptionbudget for the server +# This key configures Redis-HA subchart and when enabled (redis-ha.enabled=true) +# the custom redis deployment is omitted +# Check the redis-ha chart for more properties +redis-ha: + # -- Enables the Redis HA subchart and disables the custom Redis single node deployment + enabled: false + exporter: + # -- If `true`, the prometheus exporter sidecar is enabled + enabled: true + persistentVolume: + # -- Configures persistency on Redis nodes enabled: false - # minAvailable: 1 - # maxUnavailable: 0 + redis: + # -- Redis convention for naming the cluster group: must match `^[\\w-\\.]+$` and can be templated + masterGroupName: 
argocd + # -- Any valid redis config options in this section will be applied to each server (see `redis-ha` chart) + # @default -- See [values.yaml] + config: + # -- Will save the DB if both the given number of seconds and the given number of write operations against the DB occurred. `""` is disabled + # @default -- `'""'` + save: '""' + haproxy: + # -- Enabled HAProxy LoadBalancing/Proxy + enabled: true + metrics: + # -- HAProxy enable prometheus metric scraping + enabled: true + image: + # -- Redis tag + tag: 7.0.5-alpine - # -- Secrets with credentials to pull images from a private registry - imagePullSecrets: [] + ## https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + topologySpreadConstraints: + # -- Enable Redis HA topology spread constraints + enabled: false + # -- Max skew of pods tolerated + # @default -- `""` (defaults to `1`) + maxSkew: "" + # -- Topology key for spread + # @default -- `""` (defaults to `topology.kubernetes.io/zone`) + topologyKey: "" + # -- Enforcement policy, hard or soft + # @default -- `""` (defaults to `ScheduleAnyway`) + whenUnsatisfiable: "" -## Repo Server -repoServer: - # -- Repo server name - name: repo-server +# External Redis parameters +externalRedis: + # -- External Redis server host + host: "" + # -- External Redis username + username: "" + # -- External Redis password + password: "" + # -- External Redis server port + port: 6379 + # -- The name of an existing secret with Redis credentials (must contain key `redis-password`). 
+ # When it's set, the `externalRedis.password` parameter is ignored + existingSecret: "" + # -- External Redis Secret annotations + secretAnnotations: {} - # -- The number of repo server pods to run +## Server +server: + # -- Argo CD server name + name: server + + # -- The number of server pods to run replicas: 1 + ## Argo CD server Horizontal Pod Autoscaler autoscaling: - # -- Enable Horizontal Pod Autoscaler ([HPA]) for the repo server + # -- Enable Horizontal Pod Autoscaler ([HPA]) for the Argo CD server enabled: false - # -- Minimum number of replicas for the repo server [HPA] + # -- Minimum number of replicas for the Argo CD server [HPA] minReplicas: 1 - # -- Maximum number of replicas for the repo server [HPA] + # -- Maximum number of replicas for the Argo CD server [HPA] maxReplicas: 5 - # -- Average CPU utilization percentage for the repo server [HPA] + # -- Average CPU utilization percentage for the Argo CD server [HPA] targetCPUUtilizationPercentage: 50 - # -- Average memory utilization percentage for the repo server [HPA] + # -- Average memory utilization percentage for the Argo CD server [HPA] targetMemoryUtilizationPercentage: 50 # -- Configures the scaling behavior of the target in both Up and Down directions. # This is only available on HPA apiVersion `autoscaling/v2beta2` and newer 
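Review bot: The `redis.metrics` defaults reference the exporter as `public.ecr.aws/bitnami/redis-exporter` with `tag: 1.26.0-debian-10-r2`, a tag-only reference that can be re-pointed upstream, and `redis-ha.image.tag: 7.0.5-alpine` is the same. Nothing in this hunk shows a way to pin by digest. If the templates simply join repository and tag, it would be worth documenting how a digest can be supplied, or adding a separate digest value. Until then a comment next to each tag, e.g. `## Tag only; override with a digest-pinned reference for reproducible deployments`, would make the limitation explicit. The new `server:` mapping opened at the end of this hunk continues in the following hunks.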
@@ -1478,24 +1302,45 @@ repoServer: # value: 2 # periodSeconds: 60 + ## Argo CD server Pod Disruption Budget + ## Ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ + pdb: + # -- Deploy a [PodDisruptionBudget] for the Argo CD server + enabled: false + # -- Labels to be added to Argo CD server pdb + labels: {} + # -- Annotations to be added to Argo CD server pdb + annotations: {} + # -- Number of pods that are available after eviction as number or percentage (eg.: 50%) + # @default -- `""` (defaults to 0 if not specified) + minAvailable: "" + # -- Number of pods that are unavailble after eviction as number or percentage (eg.: 50%). + ## Has higher precedence over `server.pdb.minAvailable` + maxUnavailable: "" + + ## Argo CD server image image: - # -- Repository to use for the repo server + # -- Repository to use for the Argo CD server # @default -- `""` (defaults to global.image.repository) repository: "" # defaults to global.image.repository - # -- Tag to use for the repo server + # -- Tag to use for the Argo CD server # @default -- `""` (defaults to global.image.tag) tag: "" # defaults to global.image.tag - # -- Image pull policy for the repo server + # -- Image pull policy for the Argo CD server # @default -- `""` (defaults to global.image.imagePullPolicy) imagePullPolicy: "" # IfNotPresent - # -- Additional command line arguments to pass to repo server + # -- Secrets with credentials to pull images from a private registry + # @default -- `[]` (defaults to global.imagePullSecrets) + imagePullSecrets: [] + + # -- Additional command line arguments to pass to Argo CD server extraArgs: [] - # -- Environment variables to pass to repo server + # -- Environment variables to pass to Argo CD server env: [] - # -- envFrom to pass to repo server + # -- envFrom to pass to Argo CD server # @default -- `[]` (See [values.yaml]) envFrom: [] # - configMapRef: 
@@ -1503,25 +1348,31 @@ repoServer: # - secretRef: # name: secret-name - # -- Repo server log format: Either `text` or `json` - # @default -- `""` (defaults to global.logging.level) - logFormat: "" - # -- Repo server log level. One of: `debug`, `info`, `warn` or `error` + # -- Specify postStart and preStop lifecycle hooks for your argo-cd-server container + lifecycle: {} + + # DEPRECATED - Use configs.params to override + # -- Argo CD server log format: Either `text` or `json` # @default -- `""` (defaults to global.logging.format) - logLevel: "" + # logFormat: "" + # -- Argo CD server log level. One of: `debug`, `info`, `warn` or `error` + # @default -- `""` (defaults to global.logging.level) + # logLevel: "" - # -- Annotations to be added to repo server pods + # -- Annotations to be added to server Deployment + deploymentAnnotations: {} + + # -- Annotations to be added to server pods podAnnotations: {} - # -- Labels to be added to repo server pods + # -- Labels to be added to server pods podLabels: {} - # -- Configures the repo server port - containerPort: 8081 + # -- Configures the server port + containerPort: 8080 ## Readiness and liveness probes for default backend ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ - ## readinessProbe: # -- Minimum consecutive failures for the [probe] to be considered failed after having succeeded failureThreshold: 3 
@@ -1545,16 +1396,11 @@ repoServer: # -- Number of seconds after which the [probe] times out timeoutSeconds: 1 - # -- Additional volumeMounts to the repo server main container + # -- Additional volumeMounts to the server main container volumeMounts: [] - # -- Additional volumes to the repo server pod + # -- Additional volumes to the server pod volumes: [] - ## Use init containers to configure custom tooling - ## https://argo-cd.readthedocs.io/en/stable/operator-manual/custom_tools/ - ## When using the volumes & volumeMounts section bellow, please comment out those above. - # - name: custom-tools - # emptyDir: {} # -- [Node selector] nodeSelector: {} @@ -1563,7 +1409,7 @@ repoServer: # -- Assign custom [affinity] rules to the deployment affinity: {} - # -- Assign custom [TopologySpreadConstraints] rules to the repo server + # -- Assign custom [TopologySpreadConstraints] rules to the Argo CD server ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ ## If labelSelector is left out, it will default to the labelSelector configuration of the deployment topologySpreadConstraints: [] 
@@ -1571,38 +1417,119 @@ repoServer: # topologyKey: topology.kubernetes.io/zone # whenUnsatisfiable: DoNotSchedule - # -- Priority class for the repo server + # -- Priority class for the Argo CD server priorityClassName: "" - # -- Repo server container-level security context + # -- Server container-level security context + # @default -- See [values.yaml] containerSecurityContext: - {} - # capabilities: - # drop: - # - all - # readOnlyRootFilesystem: true + runAsNonRoot: true + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL - # -- Resource limits and requests for the repo server pods + # -- Resource limits and requests for the Argo CD server resources: {} # limits: - # cpu: 50m + # cpu: 100m # memory: 128Mi # requests: - # cpu: 10m + # cpu: 50m # memory: 64Mi - ## Repo server service configuration - service: - # -- Repo server service annotations + # TLS certificate configuration via cert-manager + ## Ref: https://argo-cd.readthedocs.io/en/stable/operator-manual/tls/#tls-certificates-used-by-argocd-server + certificate: + # -- Deploy a Certificate resource (requires cert-manager) + enabled: false + # -- The name of the Secret that will be automatically created and managed by this Certificate resource + secretName: argocd-server-tls + # -- Certificate primary domain (commonName) + domain: argocd.example.com + # -- Certificate Subject Alternate Names (SANs) + additionalHosts: [] + # -- The requested 'duration' (i.e. lifetime) of the certificate. + # @default -- `""` (defaults to 2160h = 90d if not specified) + ## Ref: https://cert-manager.io/docs/usage/certificate/#renewal + duration: "" + # -- How long before the expiry a certificate should be renewed. 
+ # @default -- `""` (defaults to 360h = 15d if not specified) + ## Ref: https://cert-manager.io/docs/usage/certificate/#renewal + renewBefore: "" + # Certificate issuer + ## Ref: https://cert-manager.io/docs/concepts/issuer + issuer: + # -- Certificate issuer group. Set if using an external issuer. Eg. `cert-manager.io` + group: "" + # -- Certificate issuer kind. Either `Issuer` or `ClusterIssuer` + kind: "" + # -- Certificate isser name. Eg. `letsencrypt` + name: "" + # Private key of the certificate + privateKey: + # -- Rotation policy of private key when certificate is re-issued. Either: `Never` or `Always` + rotationPolicy: Never + # -- The private key cryptography standards (PKCS) encoding for private key. Either: `PCKS1` or `PKCS8` + encoding: PKCS1 + # -- Algorithm used to generate certificate private key. One of: `RSA`, `Ed25519` or `ECDSA` + algorithm: RSA + # -- Key bit size of the private key. If algorithm is set to `Ed25519`, size is ignored. + size: 2048 + + # TLS certificate configuration via Secret + ## Ref: https://argo-cd.readthedocs.io/en/stable/operator-manual/tls/#tls-certificates-used-by-argocd-server + certificateSecret: + # -- Create argocd-server-tls secret + enabled: false + # -- Annotations to be added to argocd-server-tls secret annotations: {} - # -- Repo server service labels + # -- Labels to be added to argocd-server-tls secret labels: {} - # -- Repo server service port - port: 8081 - # -- Repo server service port name - portName: https-repo-server + # -- Private Key of the certificate + key: '' + # -- Certificate data + crt: '' + + ## Server service configuration + service: + # -- Server service annotations + annotations: {} + # -- Server service labels + labels: {} + # -- Server service type + type: ClusterIP + # -- Server service http port for NodePort service type (only if `server.service.type` is set to "NodePort") + nodePortHttp: 30080 + # -- Server service https port for NodePort service type (only if `server.service.type` is 
set to "NodePort") + nodePortHttps: 30443 + # -- Server service http port + servicePortHttp: 80 + # -- Server service https port + servicePortHttps: 443 + # -- Server service http port name, can be used to route traffic via istio + servicePortHttpName: http + # -- Server service https port name, can be used to route traffic via istio + servicePortHttpsName: https + # -- Use named target port for argocd + ## Named target ports are not supported by GCE health checks, so when deploying argocd on GKE + ## and exposing it via GCE ingress, the health checks fail and the load balancer returns a 502. + namedTargetPort: true + # -- LoadBalancer will get created with the IP specified in this field + loadBalancerIP: "" + # -- Source IP ranges to allow access to service from + loadBalancerSourceRanges: [] + # -- Server service external IPs + externalIPs: [] + # -- Denotes if this Service desires to route external traffic to node-local or cluster-wide endpoints + externalTrafficPolicy: "" + # -- Used to maintain session affinity. Supports `ClientIP` and `None` + sessionAffinity: "" - ## Repo server metrics service configuration + ## Server metrics service configuration metrics: # -- Deploy metrics service enabled: false @@ -1612,7 +1539,7 @@ repoServer: # -- Metrics service labels labels: {} # -- Metrics service port - servicePort: 8084 + servicePort: 8083 # -- Metrics service port name portName: http-metrics serviceMonitor: 
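Review bot: `certificateSecret.key` takes the TLS private key as a plain chart value, so whatever is set there is also kept in the Helm release record and in any values file that gets committed. The comment `# -- Private Key of the certificate` should say so and point at the alternatives, for example `## Note: this value is stored with the Helm release; prefer the cert-manager 'certificate' block above or create argocd-server-tls out of band`. In the same hunk the `encoding` comment spells the first option `PCKS1` while the default below it is `PKCS1`, and the issuer comment reads "isser". The enclosing mapping begins outside this hunk.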
@@ -1633,62 +1560,221 @@ repoServer: # -- Prometheus ServiceMonitor tlsConfig tlsConfig: {} # -- Prometheus ServiceMonitor namespace - namespace: "" # "monitoring" + namespace: "" # monitoring # -- Prometheus ServiceMonitor labels additionalLabels: {} + # -- Prometheus ServiceMonitor annotations + annotations: {} - ## Enable Admin ClusterRole resources. - ## Enable if you would like to grant cluster rights to Argo CD repo server. - clusterAdminAccess: - # -- Enable RBAC for local cluster deployments - enabled: false - ## Enable Custom Rules for the Repo server's Cluster Role resource - ## Enable this and set the rules: to whatever custom rules you want for the Cluster Role resource. - ## Defaults to off - clusterRoleRules: - # -- Enable custom rules for the Repo server's Cluster Role resource - enabled: false - # -- List of custom rules for the Repo server's Cluster Role resource - rules: [] - - ## Repo server service account - ## If create is set to true, make sure to uncomment the name and update the rbac section below serviceAccount: - # -- Create repo server service account + # -- Create server service account create: true - # -- Repo server service account name - name: "" # "argocd-repo-server" + # -- Server service account name + name: argocd-server # -- Annotations applied to created service account annotations: {} + # -- Labels applied to created service account + labels: {} # -- Automount API credentials for the Service Account automountServiceAccountToken: true - # -- Additional containers to be added to the repo server pod - extraContainers: [] + ingress: + # -- Enable an ingress resource for the Argo CD server + enabled: false + # -- Additional ingress annotations + annotations: {} + # -- Additional ingress labels + labels: {} + # -- Defines which ingress controller will implement the resource + ingressClassName: "" - # -- Repo server rbac rules - rbac: [] - # - apiGroups: - # - argoproj.io - # resources: - # - applications - # verbs: - # - get - # - 
list - # - watch + # -- List of ingress hosts + ## Argo Ingress. + ## Hostnames must be provided if Ingress is enabled. + ## Secrets must be manually created in the namespace + hosts: + [] + # - argocd.example.com - # Init container to copy argocd binary - copyutil: - # -- Resource limits and requests for the copyutil initContainer - resources: {} - # limits: - # cpu: 50m - # memory: 64Mi - # requests: - # cpu: 10m - # memory: 32Mi + # -- List of ingress paths + paths: + - / + # -- Ingress path type. One of `Exact`, `Prefix` or `ImplementationSpecific` + pathType: Prefix + # -- Additional ingress paths + extraPaths: + [] + # - path: /* + # backend: + # serviceName: ssl-redirect + # servicePort: use-annotation + ## for Kubernetes >=1.19 (when "networking.k8s.io/v1" is used) + # - path: /* + # pathType: Prefix + # backend: + # service: + # name: ssl-redirect + # port: + # name: use-annotation + + # -- Ingress TLS configuration + tls: + [] + # - secretName: your-certificate-name + # hosts: + # - argocd.example.com + + # -- Uses `server.service.servicePortHttps` instead `server.service.servicePortHttp` + https: false + + # dedicated ingress for gRPC as documented at + # Ref: https://argo-cd.readthedocs.io/en/stable/operator-manual/ingress/ + ingressGrpc: + # -- Enable an ingress resource for the Argo CD server for dedicated [gRPC-ingress] + enabled: false + # -- Setup up gRPC ingress to work with an AWS ALB + isAWSALB: false + # -- Additional ingress annotations for dedicated [gRPC-ingress] + annotations: {} + # -- Additional ingress labels for dedicated [gRPC-ingress] + labels: {} + # -- Defines which ingress controller will implement the resource [gRPC-ingress] + ingressClassName: "" + + awsALB: + # -- Service type for the AWS ALB gRPC service + ## Service Type if isAWSALB is set to true + ## Can be of type NodePort or ClusterIP depending on which mode you are + ## are running. 
Instance mode needs type NodePort, IP mode needs type + ## ClusterIP + ## Ref: https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.2/how-it-works/#ingress-traffic + serviceType: NodePort + # -- Backend protocol version for the AWS ALB gRPC service + ## This tells AWS to send traffic from the ALB using HTTP2. Can use gRPC as well if you want to leverage gRPC specific features + backendProtocolVersion: HTTP2 + + # -- List of ingress hosts for dedicated [gRPC-ingress] + ## Argo Ingress. + ## Hostnames must be provided if Ingress is enabled. + ## Secrets must be manually created in the namespace + ## + hosts: + [] + # - argocd.example.com + + # -- List of ingress paths for dedicated [gRPC-ingress] + paths: + - / + # -- Ingress path type for dedicated [gRPC-ingress]. One of `Exact`, `Prefix` or `ImplementationSpecific` + pathType: Prefix + # -- Additional ingress paths for dedicated [gRPC-ingress] + extraPaths: + [] + # - path: /* + # backend: + # serviceName: ssl-redirect + # servicePort: use-annotation + ## for Kubernetes >=1.19 (when "networking.k8s.io/v1" is used) + # - path: /* + # pathType: Prefix + # backend: + # service: + # name: ssl-redirect + # port: + # name: use-annotation + + # -- Ingress TLS configuration for dedicated [gRPC-ingress] + tls: + [] + # - secretName: your-certificate-name + # hosts: + # - argocd.example.com + + # -- Uses `server.service.servicePortHttps` instead `server.service.servicePortHttp` + https: false + + # Create a OpenShift Route with SSL passthrough for UI and CLI + # Consider setting 'hostname' e.g. https://argocd.apps-crc.testing/ using your Default Ingress Controller Domain + # Find your domain with: kubectl describe --namespace=openshift-ingress-operator ingresscontroller/default | grep Domain: + # If 'hostname' is an empty string "" OpenShift will create a hostname for you. 
+ route: + # -- Enable an OpenShift Route for the Argo CD server + enabled: false + # -- Openshift Route annotations + annotations: {} + # -- Hostname of OpenShift Route + hostname: "" + # -- Termination type of Openshift Route + termination_type: passthrough + # -- Termination policy of Openshift Route + termination_policy: None + + ## Enable Admin ClusterRole resources. + ## Enable if you would like to grant rights to Argo CD to deploy to the local Kubernetes cluster. + clusterAdminAccess: + # -- Enable RBAC for local cluster deployments + enabled: true + + GKEbackendConfig: + # -- Enable BackendConfig custom resource for Google Kubernetes Engine + enabled: false + # -- [BackendConfigSpec] + spec: {} + # spec: + # iap: + # enabled: true + # oauthclientCredentials: + # secretName: argocd-secret + + ## Create a Google Managed Certificate for use with the GKE Ingress Controller + ## https://cloud.google.com/kubernetes-engine/docs/how-to/managed-certs + GKEmanagedCertificate: + # -- Enable ManagedCertificate custom resource for Google Kubernetes Engine. + enabled: false + # -- Domains for the Google Managed Certificate + domains: + - argocd.example.com + + ## Create a Google FrontendConfig Custom Resource, for use with the GKE Ingress Controller + ## https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-features#configuring_ingress_features_through_frontendconfig_parameters + GKEfrontendConfig: + # -- Enable FrontConfig custom resource for Google Kubernetes Engine + enabled: false + # -- [FrontendConfigSpec] + spec: {} + # spec: + # redirectToHttps: + # enabled: true + # responseCodeName: RESPONSE_CODE + + # -- Additional containers to be added to the server pod + ## See https://github.com/lemonldap-ng-controller/lemonldap-ng-controller as example. 
+ extraContainers: [] + # - name: my-sidecar + # image: nginx:latest + # - name: lemonldap-ng-controller + # image: lemonldapng/lemonldap-ng-controller:0.2.0 + # args: + # - /lemonldap-ng-controller + # - --alsologtostderr + # - --configmap=$(POD_NAMESPACE)/lemonldap-ng-configuration + # env: + # - name: POD_NAME + # valueFrom: + # fieldRef: + # fieldPath: metadata.name + # - name: POD_NAMESPACE + # valueFrom: + # fieldRef: + # fieldPath: metadata.namespace + # volumeMounts: + # - name: copy-portal-skins + # mountPath: /srv/var/lib/lemonldap-ng/portal/skins - # -- Init containers to add to the repo server pods + # -- Init containers to add to the server pod + ## If your target Kubernetes cluster(s) require a custom auth provider executable + ## you could use this (and the same in the application controller pod) to bootstrap + ## that executable into your Argo CD container initContainers: [] # - name: download-tools # image: alpine:3.8 
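Review bot: `clusterAdminAccess.enabled` defaults to `true` in this hunk, and the comment above it says only that it grants rights to deploy to the local cluster. The ClusterRole rules live in a template outside this hunk, so their breadth cannot be confirmed from here, but the default deserves an explicit line such as `## Set to false for namespace-scoped installs; when true, Admin ClusterRole resources are created for the server`. The commented `extraContainers` example also uses `image: nginx:latest`; a pinned tag or digest is a safer pattern for readers to copy. The enclosing mapping begins outside this hunk.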
@@ -1704,269 +1790,393 @@ repoServer: # name: custom-tools # subPath: helm + ## Argo UI extensions + ## This function in tech preview stage, do expect unstability or breaking changes in newer versions. + ## Ref: https://github.com/argoproj-labs/argocd-extensions + extensions: + # -- Enable support for Argo UI extensions + enabled: false + + ## Argo UI extensions image + image: + # -- Repository to use for extensions image + repository: "ghcr.io/argoproj-labs/argocd-extensions" + # -- Tag to use for extensions image + tag: "v0.1.0" + # -- Image pull policy for extensions + imagePullPolicy: IfNotPresent + + # -- Server UI extensions container-level security context + # @default -- See [values.yaml] + containerSecurityContext: + runAsNonRoot: true + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL + + # -- Resource limits and requests for the argocd-extensions container + resources: {} + # limits: + # cpu: 50m + # memory: 128Mi + # requests: + # cpu: 10m + # memory: 64Mi + +## Repo Server +repoServer: + # -- Repo server name + name: repo-server + + # -- The number of repo server pods to run + replicas: 1 + + ## Repo server Horizontal Pod Autoscaler + autoscaling: + # -- Enable Horizontal Pod Autoscaler ([HPA]) for the repo server + enabled: false + # -- Minimum number of replicas for the repo server [HPA] + minReplicas: 1 + # -- Maximum number of replicas for the repo server [HPA] + maxReplicas: 5 + # -- Average CPU utilization percentage for the repo server [HPA] + targetCPUUtilizationPercentage: 50 + # -- Average memory utilization percentage for the repo server [HPA] + targetMemoryUtilizationPercentage: 50 + # -- Configures the scaling behavior of the target in both Up and Down directions. 
+ # This is only available on HPA apiVersion `autoscaling/v2beta2` and newer + behavior: {} + # scaleDown: + # stabilizationWindowSeconds: 300 + # policies: + # - type: Pods + # value: 1 + # periodSeconds: 180 + # scaleUp: + # stabilizationWindowSeconds: 300 + # policies: + # - type: Pods + # value: 2 + # periodSeconds: 60 + + ## Repo server Pod Disruption Budget + ## Ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ pdb: - # -- Labels to be added to Repo server pdb + # -- Deploy a [PodDisruptionBudget] for the repo server + enabled: false + # -- Labels to be added to repo server pdb labels: {} - # -- Annotations to be added to Repo server pdb + # -- Annotations to be added to repo server pdb annotations: {} - - # -- Deploy a Poddisruptionbudget for the Repo server - enabled: false - # minAvailable: 1 - # maxUnavailable: 0 + # -- Number of pods that are available after eviction as number or percentage (eg.: 50%) + # @default -- `""` (defaults to 0 if not specified) + minAvailable: "" + # -- Number of pods that are unavailble after eviction as number or percentage (eg.: 50%). 
+ ## Has higher precedence over `repoServer.pdb.minAvailable` + maxUnavailable: "" + + ## Repo server image + image: + # -- Repository to use for the repo server + # @default -- `""` (defaults to global.image.repository) + repository: "" # defaults to global.image.repository + # -- Tag to use for the repo server + # @default -- `""` (defaults to global.image.tag) + tag: "" # defaults to global.image.tag + # -- Image pull policy for the repo server + # @default -- `""` (defaults to global.image.imagePullPolicy) + imagePullPolicy: "" # IfNotPresent # -- Secrets with credentials to pull images from a private registry + # @default -- `[]` (defaults to global.imagePullSecrets) imagePullSecrets: [] -## Argo Configs -configs: - # -- Provide one or multiple [external cluster credentials] + # -- Additional command line arguments to pass to repo server + extraArgs: [] + + # -- Environment variables to pass to repo server + env: [] + + # -- envFrom to pass to repo server # @default -- `[]` (See [values.yaml]) - ## Ref: - ## - https://argo-cd.readthedocs.io/en/stable/operator-manual/declarative-setup/#clusters - ## - https://argo-cd.readthedocs.io/en/stable/operator-manual/security/#external-cluster-credentials - clusterCredentials: [] - # - name: mycluster - # server: https://mycluster.com - # labels: {} - # annotations: {} - # config: - # bearerToken: "" - # tlsClientConfig: - # insecure: false - # caData: "" - # - name: mycluster2 - # server: https://mycluster2.com - # labels: {} - # annotations: {} - # namespaces: namespace1,namespace2 - # clusterResources: true - # config: - # bearerToken: "" - # tlsClientConfig: - # insecure: false - # caData: "" + envFrom: [] + # - configMapRef: + # name: config-map-name + # - secretRef: + # name: secret-name - # -- GnuPG key ring annotations - gpgKeysAnnotations: {} - # -- [GnuPG](https://argo-cd.readthedocs.io/en/stable/user-guide/gpg-verification/) keys to add to the key ring - # @default -- `{}` (See [values.yaml]) - gpgKeys: {} - # 
4AEE18F83AFDEB23: | - # -----BEGIN PGP PUBLIC KEY BLOCK----- - # - # mQENBFmUaEEBCACzXTDt6ZnyaVtueZASBzgnAmK13q9Urgch+sKYeIhdymjuMQta - # x15OklctmrZtqre5kwPUosG3/B2/ikuPYElcHgGPL4uL5Em6S5C/oozfkYzhwRrT - # SQzvYjsE4I34To4UdE9KA97wrQjGoz2Bx72WDLyWwctD3DKQtYeHXswXXtXwKfjQ - # 7Fy4+Bf5IPh76dA8NJ6UtjjLIDlKqdxLW4atHe6xWFaJ+XdLUtsAroZcXBeWDCPa - # buXCDscJcLJRKZVc62gOZXXtPfoHqvUPp3nuLA4YjH9bphbrMWMf810Wxz9JTd3v - # yWgGqNY0zbBqeZoGv+TuExlRHT8ASGFS9SVDABEBAAG0NUdpdEh1YiAod2ViLWZs - # b3cgY29tbWl0IHNpZ25pbmcpIDxub3JlcGx5QGdpdGh1Yi5jb20+iQEiBBMBCAAW - # BQJZlGhBCRBK7hj4Ov3rIwIbAwIZAQAAmQEH/iATWFmi2oxlBh3wAsySNCNV4IPf - # DDMeh6j80WT7cgoX7V7xqJOxrfrqPEthQ3hgHIm7b5MPQlUr2q+UPL22t/I+ESF6 - # 9b0QWLFSMJbMSk+BXkvSjH9q8jAO0986/pShPV5DU2sMxnx4LfLfHNhTzjXKokws - # +8ptJ8uhMNIDXfXuzkZHIxoXk3rNcjDN5c5X+sK8UBRH092BIJWCOfaQt7v7wig5 - # 4Ra28pM9GbHKXVNxmdLpCFyzvyMuCmINYYADsC848QQFFwnd4EQnupo6QvhEVx1O - # j7wDwvuH5dCrLuLwtwXaQh0onG4583p0LGms2Mf5F+Ick6o/4peOlBoZz48= - # =Bvzs - # -----END PGP PUBLIC KEY BLOCK----- + # DEPRECATED - Use configs.params to override + # -- Repo server log format: Either `text` or `json` + # @default -- `""` (defaults to global.logging.level) + # logFormat: "" + # -- Repo server log level. 
One of: `debug`, `info`, `warn` or `error` + # @default -- `""` (defaults to global.logging.format) + # logLevel: "" - # -- Known Hosts configmap annotations - knownHostsAnnotations: {} - knownHosts: - data: - # -- Known Hosts - # @default -- See [values.yaml] - ssh_known_hosts: | - bitbucket.org ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAubiN81eDcafrgMeLzaFPsw2kNvEcqTKl/VqLat/MaB33pZy0y3rJZtnqwR2qOOvbwKZYKiEO1O6VqNEBxKvJJelCq0dTXWT5pbO2gDXC6h6QDXCaHo6pOHGPUy+YBaGQRGuSusMEASYiWunYN0vCAI8QaXnWMXNMdFP3jHAJH0eDsoiGnLPBlBp4TNm6rYI74nMzgz3B9IikW4WVK+dc8KZJZWYjAuORU3jc1c/NPskD2ASinf8v3xnfXeukU0sJ5N6m5E8VLjObPEO+mN2t/FZTMZLiFqPWc/ALSqnMnnhwrNi2rbfg/rd/IpL8Le3pSBne8+seeFVBoGqzHM9yXw== - github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg= - github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl - github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ== - gitlab.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFSMqzJeV9rUzU4kWitGjeR4PWSa29SPqJ1fVkhtj3Hw9xjLVXVYrU9QlYWrOLXBpQ6KWjbjTDTdDkoohFzgbEY= - gitlab.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf - gitlab.com ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAABAQCsj2bNKTBSpIYDEGk9KxsGh3mySTRgMtXL583qmBpzeQ+jqCMRgBqB98u3z++J1sKlXHWfM9dyhSevkMwSbhoR8XIq/U0tCNyokEi/ueaBMCvbcTHhO7FcwzY92WK4Yt0aGROY5qX2UKSeOvuP4D6TPqKF1onrSzH9bx9XUf2lEdWT/ia1NEKjunUqu1xOB/StKDHMoX4/OKyIzuS0q/T1zOATthvasJFoPrAjkohTyaDUz2LN5JoH839hViyEG82yB+MjcFV5MU3N1l1QL3cVUCh93xSaua1N85qivl+siMkPGbO5xR/En4iEY6K2XPASUEMaieWVNTRCtJ4S8H+9 - ssh.dev.azure.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7Hr1oTWqNqOlzGJOfGJ4NakVyIzf1rXYd4d7wo6jBlkLvCA4odBlL0mDUyZ0/QUfTTqeu+tm22gOsv+VrVTMk6vwRU75gY/y9ut5Mb3bR5BV58dKXyq9A9UeB5Cakehn5Zgm6x1mKoVyf+FFn26iYqXJRgzIZZcZ5V6hrE0Qg39kZm4az48o0AUbf6Sp4SLdvnuMa2sVNwHBboS7EJkm57XQPVU3/QpyNLHbWDdzwtrlS+ez30S3AdYhLKEOxAG8weOnyrtLJAUen9mTkol8oII1edf7mWWbWVf0nBmly21+nZcmCTISQBtdcyPaEno7fFQMDD26/s0lfKob4Kw8H - vs-ssh.visualstudio.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7Hr1oTWqNqOlzGJOfGJ4NakVyIzf1rXYd4d7wo6jBlkLvCA4odBlL0mDUyZ0/QUfTTqeu+tm22gOsv+VrVTMk6vwRU75gY/y9ut5Mb3bR5BV58dKXyq9A9UeB5Cakehn5Zgm6x1mKoVyf+FFn26iYqXJRgzIZZcZ5V6hrE0Qg39kZm4az48o0AUbf6Sp4SLdvnuMa2sVNwHBboS7EJkm57XQPVU3/QpyNLHbWDdzwtrlS+ez30S3AdYhLKEOxAG8weOnyrtLJAUen9mTkol8oII1edf7mWWbWVf0nBmly21+nZcmCTISQBtdcyPaEno7fFQMDD26/s0lfKob4Kw8H - # -- TLS certificate configmap annotations - tlsCertsAnnotations: {} - # -- TLS certificate - # @default -- See [values.yaml] - tlsCerts: - {} - # data: - # argocd.example.com: | - # -----BEGIN CERTIFICATE----- - # MIIF1zCCA7+gAwIBAgIUQdTcSHY2Sxd3Tq/v1eIEZPCNbOowDQYJKoZIhvcNAQEL - # BQAwezELMAkGA1UEBhMCREUxFTATBgNVBAgMDExvd2VyIFNheG9ueTEQMA4GA1UE - # BwwHSGFub3ZlcjEVMBMGA1UECgwMVGVzdGluZyBDb3JwMRIwEAYDVQQLDAlUZXN0 - # c3VpdGUxGDAWBgNVBAMMD2Jhci5leGFtcGxlLmNvbTAeFw0xOTA3MDgxMzU2MTda - # Fw0yMDA3MDcxMzU2MTdaMHsxCzAJBgNVBAYTAkRFMRUwEwYDVQQIDAxMb3dlciBT - # YXhvbnkxEDAOBgNVBAcMB0hhbm92ZXIxFTATBgNVBAoMDFRlc3RpbmcgQ29ycDES - # MBAGA1UECwwJVGVzdHN1aXRlMRgwFgYDVQQDDA9iYXIuZXhhbXBsZS5jb20wggIi - # MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCv4mHMdVUcafmaSHVpUM0zZWp5 - # 
NFXfboxA4inuOkE8kZlbGSe7wiG9WqLirdr39Ts+WSAFA6oANvbzlu3JrEQ2CHPc - # CNQm6diPREFwcDPFCe/eMawbwkQAPVSHPts0UoRxnpZox5pn69ghncBR+jtvx+/u - # P6HdwW0qqTvfJnfAF1hBJ4oIk2AXiip5kkIznsAh9W6WRy6nTVCeetmIepDOGe0G - # ZJIRn/OfSz7NzKylfDCat2z3EAutyeT/5oXZoWOmGg/8T7pn/pR588GoYYKRQnp+ - # YilqCPFX+az09EqqK/iHXnkdZ/Z2fCuU+9M/Zhrnlwlygl3RuVBI6xhm/ZsXtL2E - # Gxa61lNy6pyx5+hSxHEFEJshXLtioRd702VdLKxEOuYSXKeJDs1x9o6cJ75S6hko - # Ml1L4zCU+xEsMcvb1iQ2n7PZdacqhkFRUVVVmJ56th8aYyX7KNX6M9CD+kMpNm6J - # kKC1li/Iy+RI138bAvaFplajMF551kt44dSvIoJIbTr1LigudzWPqk31QaZXV/4u - # kD1n4p/XMc9HYU/was/CmQBFqmIZedTLTtK7clkuFN6wbwzdo1wmUNgnySQuMacO - # gxhHxxzRWxd24uLyk9Px+9U3BfVPaRLiOPaPoC58lyVOykjSgfpgbus7JS69fCq7 - # bEH4Jatp/10zkco+UQIDAQABo1MwUTAdBgNVHQ4EFgQUjXH6PHi92y4C4hQpey86 - # r6+x1ewwHwYDVR0jBBgwFoAUjXH6PHi92y4C4hQpey86r6+x1ewwDwYDVR0TAQH/ - # BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAgEAFE4SdKsX9UsLy+Z0xuHSxhTd0jfn - # Iih5mtzb8CDNO5oTw4z0aMeAvpsUvjJ/XjgxnkiRACXh7K9hsG2r+ageRWGevyvx - # CaRXFbherV1kTnZw4Y9/pgZTYVWs9jlqFOppz5sStkfjsDQ5lmPJGDii/StENAz2 - # XmtiPOgfG9Upb0GAJBCuKnrU9bIcT4L20gd2F4Y14ccyjlf8UiUi192IX6yM9OjT - # +TuXwZgqnTOq6piVgr+FTSa24qSvaXb5z/mJDLlk23npecTouLg83TNSn3R6fYQr - # d/Y9eXuUJ8U7/qTh2Ulz071AO9KzPOmleYPTx4Xty4xAtWi1QE5NHW9/Ajlv5OtO - # OnMNWIs7ssDJBsB7VFC8hcwf79jz7kC0xmQqDfw51Xhhk04kla+v+HZcFW2AO9so - # 6ZdVHHQnIbJa7yQJKZ+hK49IOoBR6JgdB5kymoplLLiuqZSYTcwSBZ72FYTm3iAr - # jzvt1hxpxVDmXvRnkhRrIRhK4QgJL0jRmirBjDY+PYYd7bdRIjN7WNZLFsgplnS8 - # 9w6CwG32pRlm0c8kkiQ7FXA6BYCqOsDI8f1VGQv331OpR2Ck+FTv+L7DAmg6l37W - # +LB9LGh4OAp68ImTjqf6ioGKG0RBSznwME+r4nXtT1S/qLR6ASWUS4ViWRhbRlNK - # XWyb96wrUlv+E8I= - # -----END CERTIFICATE----- + # -- Annotations to be added to repo server Deployment + deploymentAnnotations: {} - # -- Repository credentials to be used as Templates for other repos - ## Creates a secret for each key/value specified below to create repository credentials - credentialTemplates: {} - # github-enterprise-creds-1: - # url: https://github.com/argoproj - # githubAppID: 1 - # 
githubAppInstallationID: 2 - # githubAppEnterpriseBaseUrl: https://ghe.example.com/api/v3 - # githubAppPrivateKey: | - # -----BEGIN OPENSSH PRIVATE KEY----- - # ... - # -----END OPENSSH PRIVATE KEY----- - # https-creds: - # url: https://github.com/argoproj - # password: my-password - # username: my-username - # ssh-creds: - # url: git@github.com:argoproj-labs - # sshPrivateKey: | - # -----BEGIN OPENSSH PRIVATE KEY----- - # ... - # -----END OPENSSH PRIVATE KEY----- + # -- Annotations to be added to repo server pods + podAnnotations: {} + + # -- Labels to be added to repo server pods + podLabels: {} + + # -- Configures the repo server port + containerPort: 8081 + + ## Readiness and liveness probes for default backend + ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ + readinessProbe: + # -- Minimum consecutive failures for the [probe] to be considered failed after having succeeded + failureThreshold: 3 + # -- Number of seconds after the container has started before [probe] is initiated + initialDelaySeconds: 10 + # -- How often (in seconds) to perform the [probe] + periodSeconds: 10 + # -- Minimum consecutive successes for the [probe] to be considered successful after having failed + successThreshold: 1 + # -- Number of seconds after which the [probe] times out + timeoutSeconds: 1 + livenessProbe: + # -- Minimum consecutive failures for the [probe] to be considered failed after having succeeded + failureThreshold: 3 + # -- Number of seconds after the container has started before [probe] is initiated + initialDelaySeconds: 10 + # -- How often (in seconds) to perform the [probe] + periodSeconds: 10 + # -- Minimum consecutive successes for the [probe] to be considered successful after having failed + successThreshold: 1 + # -- Number of seconds after which the [probe] times out + timeoutSeconds: 1 + + # -- Additional volumeMounts to the repo server main container + volumeMounts: [] + + # -- Additional volumes to the 
repo server pod + volumes: [] + ## Use init containers to configure custom tooling + ## https://argo-cd.readthedocs.io/en/stable/operator-manual/custom_tools/ + ## When using the volumes & volumeMounts section bellow, please comment out those above. + # - name: custom-tools + # emptyDir: {} + + # -- [Node selector] + nodeSelector: {} + # -- [Tolerations] for use with node taints + tolerations: [] + # -- Assign custom [affinity] rules to the deployment + affinity: {} - # -- Annotations to be added to `configs.credentialTemplates` Secret - credentialTemplatesAnnotations: {} + # -- Assign custom [TopologySpreadConstraints] rules to the repo server + ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + ## If labelSelector is left out, it will default to the labelSelector configuration of the deployment + topologySpreadConstraints: [] + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule - # -- Repositories list to be used by applications - ## Creates a secret for each key/value specified below to create repositories - ## Note: the last example in the list would use a repository credential template, configured under "configs.repositoryCredentials". 
- repositories: {} - # istio-helm-repo: - # url: https://storage.googleapis.com/istio-prerelease/daily-build/master-latest-daily/charts - # name: istio.io - # type: helm - # private-helm-repo: - # url: https://my-private-chart-repo.internal - # name: private-repo - # type: helm - # password: my-password - # username: my-username - # private-repo: - # url: https://github.com/argoproj/private-repo + # -- Priority class for the repo server + priorityClassName: "" - # -- Annotations to be added to `configs.repositories` Secret - repositoriesAnnotations: {} + # -- Repo server container-level security context + # @default -- See [values.yaml] + containerSecurityContext: + runAsNonRoot: true + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL - secret: - # -- Create the argocd-secret - createSecret: true - # -- Annotations to be added to argocd-secret + # -- Resource limits and requests for the repo server pods + resources: {} + # limits: + # cpu: 50m + # memory: 128Mi + # requests: + # cpu: 10m + # memory: 64Mi + + # TLS certificate configuration via Secret + ## Ref: https://argo-cd.readthedocs.io/en/stable/operator-manual/tls/#configuring-tls-to-argocd-repo-server + ## Note: Issuing certificates via cert-manager in not supported right now because it's not possible to restart repo server automatically without extra controllers. + certificateSecret: + # -- Create argocd-repo-server-tls secret + enabled: false + # -- Annotations to be added to argocd-repo-server-tls secret annotations: {} + # -- Labels to be added to argocd-repo-server-tls secret + labels: {} + # -- Certificate authority. Required for self-signed certificates. + ca: '' + # -- Certificate private key + key: '' + # -- Certificate data. 
Must contain SANs of Repo service (ie: argocd-repo-server, argocd-repo-server.argo-cd.svc) + crt: '' - # -- Shared secret for authenticating GitHub webhook events - githubSecret: "" - # -- Shared secret for authenticating GitLab webhook events - gitlabSecret: "" - # -- Shared secret for authenticating BitbucketServer webhook events - bitbucketServerSecret: "" - # -- UUID for authenticating Bitbucket webhook events - bitbucketUUID: "" - # -- Shared secret for authenticating Gogs webhook events - gogsSecret: "" + ## Repo server service configuration + service: + # -- Repo server service annotations + annotations: {} + # -- Repo server service labels + labels: {} + # -- Repo server service port + port: 8081 + # -- Repo server service port name + portName: https-repo-server - # -- add additional secrets to be added to argocd-secret - ## Custom secrets. Useful for injecting SSO secrets into environment variables. - ## Ref: https://argo-cd.readthedocs.io/en/stable/operator-manual/user-management/#sensitive-data-and-sso-client-secrets - ## Note that all values must be non-empty. 
- extra: - {} - # LDAP_PASSWORD: "mypassword" + ## Repo server metrics service configuration + metrics: + # -- Deploy metrics service + enabled: false + service: + # -- Metrics service annotations + annotations: {} + # -- Metrics service labels + labels: {} + # -- Metrics service port + servicePort: 8084 + # -- Metrics service port name + portName: http-metrics + serviceMonitor: + # -- Enable a prometheus ServiceMonitor + enabled: false + # -- Prometheus ServiceMonitor interval + interval: 30s + # -- Prometheus [RelabelConfigs] to apply to samples before scraping + relabelings: [] + # -- Prometheus [MetricRelabelConfigs] to apply to samples before ingestion + metricRelabelings: [] + # -- Prometheus ServiceMonitor selector + selector: {} + # prometheus: kube-prometheus - # -- Argo TLS Data - argocdServerTlsConfig: - {} - # key: - # crt: | - # -----BEGIN CERTIFICATE----- - # - # -----END CERTIFICATE----- - # -----BEGIN CERTIFICATE----- - # - # -----END CERTIFICATE----- + # -- Prometheus ServiceMonitor scheme + scheme: "" + # -- Prometheus ServiceMonitor tlsConfig + tlsConfig: {} + # -- Prometheus ServiceMonitor namespace + namespace: "" # "monitoring" + # -- Prometheus ServiceMonitor labels + additionalLabels: {} + # -- Prometheus ServiceMonitor annotations + annotations: {} - # -- Bcrypt hashed admin password - ## Argo expects the password in the secret to be bcrypt hashed. You can create this hash with - ## `htpasswd -nbBC 10 "" $ARGO_PWD | tr -d ':\n' | sed 's/$2y/$2a/'` - argocdServerAdminPassword: "" - # -- Admin password modification time. Eg. `"2006-01-02T15:04:05Z"` - # @default -- `""` (defaults to current time) - argocdServerAdminPasswordMtime: "" + ## Enable Admin ClusterRole resources. + ## Enable if you would like to grant cluster rights to Argo CD repo server. 
+ clusterAdminAccess: + # -- Enable RBAC for local cluster deployments + enabled: false + ## Enable Custom Rules for the Repo server's Cluster Role resource + ## Enable this and set the rules: to whatever custom rules you want for the Cluster Role resource. + ## Defaults to off + clusterRoleRules: + # -- Enable custom rules for the Repo server's Cluster Role resource + enabled: false + # -- List of custom rules for the Repo server's Cluster Role resource + rules: [] - # -- Define custom [CSS styles] for your argo instance. - # This setting will automatically mount the provided CSS and reference it in the argo configuration. - # @default -- `""` (See [values.yaml]) - ## Ref: https://argo-cd.readthedocs.io/en/stable/operator-manual/custom-styles/ - styles: "" - # styles: | - # .nav-bar { - # background: linear-gradient(to bottom, #999, #777, #333, #222, #111); - # } + ## Repo server service account + ## If create is set to true, make sure to uncomment the name and update the rbac section below + serviceAccount: + # -- Create repo server service account + create: true + # -- Repo server service account name + name: "" # "argocd-repo-server" + # -- Annotations applied to created service account + annotations: {} + # -- Labels applied to created service account + labels: {} + # -- Automount API credentials for the Service Account + automountServiceAccountToken: true -openshift: - # -- enables using arbitrary uid for argo repo server - enabled: false + # -- Additional containers to be added to the repo server pod + extraContainers: [] + + # -- Repo server rbac rules + rbac: [] + # - apiGroups: + # - argoproj.io + # resources: + # - applications + # verbs: + # - get + # - list + # - watch + + # -- Init containers to add to the repo server pods + initContainers: [] + # - name: download-tools + # image: alpine:3.8 + # command: [sh, -c] + # args: + # - wget -qO- https://get.helm.sh/helm-v2.16.1-linux-amd64.tar.gz | tar -xvzf - && + # mv linux-amd64/helm /custom-tools/ + # 
volumeMounts: + # - mountPath: /custom-tools + # name: custom-tools + # volumeMounts: + # - mountPath: /usr/local/bin/helm + # name: custom-tools + # subPath: helm +## ApplicationSet controller applicationSet: - # -- Enable Application Set controller + # -- Enable ApplicationSet controller enabled: true - # -- Application Set controller name string + # -- ApplicationSet controller name string name: applicationset-controller - # -- The number of controller pods to run + # -- The number of ApplicationSet controller pods to run replicaCount: 1 + ## ApplicationSet controller Pod Disruption Budget + ## Ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ + pdb: + # -- Deploy a [PodDisruptionBudget] for the ApplicationSet controller + enabled: false + # -- Labels to be added to ApplicationSet controller pdb + labels: {} + # -- Annotations to be added to ApplicationSet controller pdb + annotations: {} + # -- Number of pods that are available after eviction as number or percentage (eg.: 50%) + # @default -- `""` (defaults to 0 if not specified) + minAvailable: "" + # -- Number of pods that are unavailble after eviction as number or percentage (eg.: 50%). + ## Has higher precedence over `applicationSet.pdb.minAvailable` + maxUnavailable: "" + + ## ApplicationSet controller image image: - # -- Repository to use for the application set controller + # -- Repository to use for the ApplicationSet controller # @default -- `""` (defaults to global.image.repository) repository: "" - # -- Tag to use for the application set controller + # -- Tag to use for the ApplicationSet controller # @default -- `""` (defaults to global.image.tag) tag: "" - # -- Image pull policy for the application set controller + # -- Image pull policy for the ApplicationSet controller # @default -- `""` (defaults to global.image.imagePullPolicy) imagePullPolicy: "" + # -- If defined, uses a Secret to pull an image from a private Docker registry or repository. 
+ # @default -- `[]` (defaults to global.imagePullSecrets) + imagePullSecrets: [] + args: # -- The default metric address metricsAddr: :8080 # -- The default health check port probeBindAddr: :8081 - # -- The default leader election setting - enableLeaderElection: false # -- How application is synced between the generator and the cluster policy: sync - # -- Print debug logs - debug: false # -- Enable dry run mode dryRun: false @@ -1977,7 +2187,7 @@ applicationSet: # @default -- `""` (defaults to global.logging.level) logLevel: "" - # -- Additional containers to be added to the applicationset controller pod + # -- Additional containers to be added to the ApplicationSet controller pod extraContainers: [] ## Metrics service configuration @@ -2014,19 +2224,18 @@ applicationSet: namespace: "" # monitoring # -- Prometheus ServiceMonitor labels additionalLabels: {} + # -- Prometheus ServiceMonitor annotations + annotations: {} - # -- If defined, uses a Secret to pull an image from a private Docker registry or repository. - imagePullSecrets: [] - - ## Application set service configuration + ## ApplicationSet service configuration service: - # -- Application set service annotations + # -- ApplicationSet service annotations annotations: {} - # -- Application set service labels + # -- ApplicationSet service labels labels: {} - # -- Application set service port + # -- ApplicationSet service port port: 7000 - # -- Application set service port name + # -- ApplicationSet service port name portName: webhook serviceAccount: 
@@ -2034,30 +2243,64 @@ applicationSet: create: true # -- Annotations to add to the service account annotations: {} + # -- Labels applied to created service account + labels: {} # -- The name of the service account to use. # If not set and create is true, a name is generated using the fullname template name: "" - # -- Annotations for the controller pods + # -- Annotations to be added to ApplicationSet controller Deployment + deploymentAnnotations: {} + + # -- Annotations for the ApplicationSet controller pods podAnnotations: {} - # -- Labels for the controller pods + # -- Labels for the ApplicationSet controller pods podLabels: {} - # -- Pod Security Context - podSecurityContext: {} - # fsGroup: 2000 + # -- ApplicationSet controller container-level security context + # @default -- See [values.yaml] + containerSecurityContext: + runAsNonRoot: true + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL + + ## Probes for ApplicationSet controller (optional) + ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ + readinessProbe: + # -- Enable Kubernetes liveness probe for ApplicationSet controller + enabled: false + # -- Number of seconds after the container has started before [probe] is initiated + initialDelaySeconds: 10 + # -- How often (in seconds) to perform the [probe] + periodSeconds: 10 + # -- Number of seconds after which the [probe] times out + timeoutSeconds: 1 + # -- Minimum consecutive successes for the [probe] to be considered successful after having failed + successThreshold: 1 + # -- Minimum consecutive failures for the [probe] to be considered failed after having succeeded + failureThreshold: 3 - # -- Security Context - securityContext: {} - # capabilities: - # drop: - # - ALL - # readOnlyRootFilesystem: true - # runAsNonRoot: true - # runAsUser: 1000 - - # -- Resource limits and requests for the controller pods. 
+ livenessProbe: + # -- Enable Kubernetes liveness probe for ApplicationSet controller + enabled: false + # -- Number of seconds after the container has started before [probe] is initiated + initialDelaySeconds: 10 + # -- How often (in seconds) to perform the [probe] + periodSeconds: 10 + # -- Number of seconds after which the [probe] times out + timeoutSeconds: 1 + # -- Minimum consecutive successes for the [probe] to be considered successful after having failed + successThreshold: 1 + # -- Minimum consecutive failures for the [probe] to be considered failed after having succeeded + failureThreshold: 3 + + # -- Resource limits and requests for the ApplicationSet controller pods. resources: {} # We usually recommend not to specify default resources and to leave this as a conscious # choice for the user. This also increases chances charts run on environments with little @@ -2095,12 +2338,12 @@ applicationSet: # -- List of extra cli args to add extraArgs: [] - # -- Environment variables to pass to the controller + # -- Environment variables to pass to the ApplicationSet controller extraEnv: [] # - name: "MY_VAR" # value: "value" - # -- envFrom to pass to the controller + # -- envFrom to pass to the ApplicationSet controller # @default -- `[]` (See [values.yaml]) extraEnvFrom: [] # - configMapRef: @@ -2118,7 +2361,7 @@ applicationSet: annotations: {} # -- Additional ingress labels labels: {} - # -- Defines which ingress controller will implement the resource + # -- Defines which ingress ApplicationSet controller will implement the resource ingressClassName: "" # -- List of ingress hosts @@ -2153,8 +2396,9 @@ applicationSet: # hosts: # - argocd-applicationset.example.com +## Notifications controller notifications: - # -- Enable Notifications controller + # -- Enable notifications controller enabled: true # -- Notifications controller name string 
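Review bot: The `applicationSet.podSecurityContext` and `applicationSet.securityContext` keys are removed in favour of `containerSecurityContext`. An existing override under the old names (for example the commented `fsGroup` or `runAsUser` settings) would be silently dropped unless the templates, which are outside this hunk, still read them. The same rename appears in the notifications controller and Slack bot hunks further down, where the old pod-level `securityContext: runAsNonRoot: true` is replaced as well. An upgrade note naming the old and new keys would let operators carry their hardening over, and the new `readOnlyRootFilesystem: true` default is worth calling out there in case a deployment relies on writing to the container filesystem. Separately, the comment under `readinessProbe.enabled` says liveness; it should read `# -- Enable Kubernetes readiness probe for ApplicationSet controller`.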
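Review bot: The reworded comment on `ingressClassName` now reads as if there were an "ingress ApplicationSet controller", which looks like a side effect of the bulk rename from "controller" to "ApplicationSet controller". The field selects the ingress controller that serves the resource, so the previous wording was right: `# -- Defines which ingress controller will implement the resource`.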
@@ -2166,6 +2410,23 @@ notifications: # -- Argo CD dashboard url; used in place of {{.context.argocdUrl}} in templates argocdUrl: + ## Notifications controller Pod Disruption Budget + ## Ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ + pdb: + # -- Deploy a [PodDisruptionBudget] for the notifications controller + enabled: false + # -- Labels to be added to notifications controller pdb + labels: {} + # -- Annotations to be added to notifications controller pdb + annotations: {} + # -- Number of pods that are available after eviction as number or percentage (eg.: 50%) + # @default -- `""` (defaults to 0 if not specified) + minAvailable: "" + # -- Number of pods that are unavailble after eviction as number or percentage (eg.: 50%). + ## Has higher precedence over `notifications.pdb.minAvailable` + maxUnavailable: "" + + ## Notifications controller image image: # -- Repository to use for the notifications controller # @default -- `""` (defaults to global.image.repository) @@ -2178,15 +2439,12 @@ notifications: imagePullPolicy: "" # -- Secrets with credentials to pull images from a private registry + # @default -- `[]` (defaults to global.imagePullSecrets) imagePullSecrets: [] # -- [Node selector] nodeSelector: {} - # -- The deployment strategy to use to replace existing pods with new ones - updateStrategy: - type: Recreate - # -- Define user-defined context ## For more information: https://argocd-notifications.readthedocs.io/en/stable/templates/#defining-user-defined-context context: {} @@ -2194,7 +2452,7 @@ notifications: # environmentName: staging secret: - # -- Whether helm chart creates controller secret + # -- Whether helm chart creates notifications controller secret create: true # -- key:value pairs of annotations to be added to the secret 
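Review bot: The `maxUnavailable` comment in the new `notifications.pdb` block misspells "unavailable" as "unavailble". These `# --` comments presumably feed the helm-docs generated README, so the typo would be copied there. Suggested line: `# -- Number of pods that are unavailable after eviction as number or percentage (eg.: 50%).` The same comment text is reused in the Slack bot `pdb` hunk below and in the ApplicationSet `pdb` block, which sits in a hunk that starts before this excerpt.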
@@ -2216,19 +2474,27 @@ notifications: # email-password: # For more information: https://argocd-notifications.readthedocs.io/en/stable/services/email/ - # -- Application controller log format. Either `text` or `json` + # -- Notifications controller log format. Either `text` or `json` # @default -- `""` (defaults to global.logging.format) logFormat: "" - # -- Application controller log level. One of: `debug`, `info`, `warn`, `error` + # -- Notifications controller log level. One of: `debug`, `info`, `warn`, `error` # @default -- `""` (defaults to global.logging.level) logLevel: "" - # -- Extra arguments to provide to the controller + # -- Extra arguments to provide to the notifications controller extraArgs: [] # -- Additional container environment variables extraEnv: [] + # -- envFrom to pass to the notifications controller + # @default -- `[]` (See [values.yaml]) + extraEnvFrom: [] + # - configMapRef: + # name: config-map-name + # - secretRef: + # name: secret-name + # -- List of extra mounts to add (normally used with extraVolumes) extraVolumeMounts: [] # - mountPath: /tmp/foobar @@ -2259,6 +2525,8 @@ notifications: # prometheus: kube-prometheus # -- Prometheus ServiceMonitor labels additionalLabels: {} + # -- Prometheus ServiceMonitor annotations + annotations: {} # namespace: monitoring # interval: 30s # scrapeTimeout: 10s 
@@ -2274,23 +2542,31 @@ notifications: # service.slack: | # token: $slack-token - # -- Annotations to be applied to the controller Pods + # -- Annotations to be applied to the notifications controller Deployment + deploymentAnnotations: {} + + # -- Annotations to be applied to the notifications controller Pods podAnnotations: {} - # -- Labels to be applied to the controller Pods + # -- Labels to be applied to the notifications controller Pods podLabels: {} - # -- Pod Security Context - securityContext: + # -- Notification controller container-level security Context + # @default -- See [values.yaml] + containerSecurityContext: runAsNonRoot: true - - # -- Container Security Context - containerSecurityContext: {} - - # -- Priority class for the controller pods + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL + + # -- Priority class for the notifications controller pods priorityClassName: "" - # -- Resource limits and requests for the controller + # -- Resource limits and requests for the notifications controller resources: {} # limits: # cpu: 100m @@ -2310,8 +2586,10 @@ notifications: # -- Annotations applied to created service account annotations: {} + # -- Labels applied to created service account + labels: {} cm: - # -- Whether helm chart creates controller config map + # -- Whether helm chart creates notifications controller config map create: true # -- Contains centrally managed global application subscriptions 
@@ -2597,10 +2875,23 @@ notifications: ## You have to set secret.notifiers.slack.signingSecret enabled: false - # -- The deployment strategy to use to replace existing pods with new ones - updateStrategy: - type: Recreate - + ## Slack bot Pod Disruption Budget + ## Ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ + pdb: + # -- Deploy a [PodDisruptionBudget] for the Slack bot + enabled: false + # -- Labels to be added to Slack bot pdb + labels: {} + # -- Annotations to be added to Slack bot pdb + annotations: {} + # -- Number of pods that are available after eviction as number or percentage (eg.: 50%) + # @default -- `""` (defaults to 0 if not specified) + minAvailable: "" + # -- Number of pods that are unavailble after eviction as number or percentage (eg.: 50%). + ## Has higher precedence over `notifications.bots.slack.pdb.minAvailable` + maxUnavailable: "" + + ## Slack bot image image: # -- Repository to use for the Slack bot # @default -- `""` (defaults to global.image.repository) @@ -2613,6 +2904,7 @@ notifications: imagePullPolicy: "" # -- Secrets with credentials to pull images from a private registry + # @default -- `[]` (defaults to global.imagePullSecrets) imagePullSecrets: [] service: @@ -2634,12 +2926,17 @@ notifications: # -- Annotations applied to created service account annotations: {} - # -- Pod Security Context - securityContext: + # -- Slack bot container-level security Context + # @default -- See [values.yaml] + containerSecurityContext: runAsNonRoot: true - - # -- Container Security Context - containerSecurityContext: {} + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL # -- Resource limits and requests for the Slack bot resources: {} diff --git a/charts/argo-events/Chart.yaml b/charts/argo-events/Chart.yaml index a7dbf979a..cc3b8d887 100644 --- a/charts/argo-events/Chart.yaml +++ b/charts/argo-events/Chart.yaml 
@@ -1,8 +1,8 @@ apiVersion: v2 -appVersion: v1.7.2-cap-CR-14600 +appVersion: v1.7.3-cap-CR-19893 description: A Helm chart for Argo Events, the event-driven workflow automation framework name: argo-events -version: 2.0.5-1-cf-init +version: 2.0.9-1-cap-CR-19893 home: https://github.com/argoproj/argo-helm icon: https://argoproj.github.io/argo-events/assets/logo.png keywords: @@ -15,4 +15,4 @@ maintainers: url: https://argoproj.github.io/ annotations: artifacthub.io/changes: | - - "[Changed]: Upgrade Argo events controller to v1.7.2-cap-CR-14600" + - "[Added]: Ability to specify port for webhook deployment" diff --git a/charts/argo-events/README.md b/charts/argo-events/README.md index a6afd6290..c13d1806c 100644 --- a/charts/argo-events/README.md +++ b/charts/argo-events/README.md @@ -177,6 +177,7 @@ done | webhook.pdb.labels | object | `{}` | Labels to be added to admission webhook pdb | | webhook.podAnnotations | object | `{}` | Annotations to be added to event controller pods | | webhook.podLabels | object | `{}` | Labels to be added to event controller pods | +| webhook.port | int | `443` | Port to listen on | | webhook.priorityClassName | string | `""` | Priority class for the event controller pods | | webhook.readinessProbe.failureThreshold | int | `3` | Minimum consecutive failures for the [probe] to be considered failed after having succeeded | | webhook.readinessProbe.initialDelaySeconds | int | `10` | Number of seconds after the container has started before [probe] is initiated | diff --git a/charts/argo-events/templates/_helpers.tpl b/charts/argo-events/templates/_helpers.tpl index efbdc6692..d18f2ca94 100644 --- a/charts/argo-events/templates/_helpers.tpl +++ b/charts/argo-events/templates/_helpers.tpl 
@@ -68,6 +68,34 @@ Create chart name and version as used by the chart label. {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} {{- end -}} +{{/* +Create kubernetes friendly chart version label for the controller. + +Examples: +image.tag = v1.7.3 +output = v1.7.3 + +image.tag = v1.7.3@sha256:a40f4f3ea20d354f00ab469a9f73102668fa545c4d632e1a8e11a206ad3093f3 +output = v1.7.3 +*/}} +{{- define "argo-events.controller_chart_version_label" -}} +{{- regexReplaceAll "[^a-zA-Z0-9-_.]+" (regexReplaceAll "@sha256:[a-f0-9]+" (default (include "argo-events.defaultTag" .) .Values.controller.image.tag) "") "" | trunc 63 | quote -}} +{{- end -}} + +{{/* +Create kubernetes friendly chart version label for the events webhook. + +Examples: +image.tag = v1.7.3 +output = v1.7.3 + +image.tag = v1.7.3@sha256:a40f4f3ea20d354f00ab469a9f73102668fa545c4d632e1a8e11a206ad3093f3 +output = v1.7.3 +*/}} +{{- define "argo-events.webhook_chart_version_label" -}} +{{- regexReplaceAll "[^a-zA-Z0-9-_.]+" (regexReplaceAll "@sha256:[a-f0-9]+" (default (include "argo-events.defaultTag" .) .Values.webhook.image.tag) "") "" | trunc 63 | quote -}} +{{- end -}} + {{/* Common labels */}} @@ -97,3 +125,14 @@ Return the default Argo Events app version {{- define "argo-events.defaultTag" -}} {{- default .Chart.AppVersion .Values.global.image.tag }} {{- end -}} + +{{/* +Define Pdb apiVersion +*/}} +{{- define "argo-events.pdb.apiVersion" -}} +{{- if .Capabilities.APIVersions.Has "policy/v1" }} +{{- printf "policy/v1" -}} +{{- else }} +{{- printf "policy/v1beta1" -}} +{{- end }} +{{- end }} diff --git a/charts/argo-events/templates/argo-events-controller/deployment.yaml b/charts/argo-events/templates/argo-events-controller/deployment.yaml index 88ecf66fa..ab41c26b4 100644 --- a/charts/argo-events/templates/argo-events-controller/deployment.yaml +++ b/charts/argo-events/templates/argo-events-controller/deployment.yaml 
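Review bot: Both new helpers, `argo-events.controller_chart_version_label` and `argo-events.webhook_chart_version_label`, end with `| trunc 63 | quote`, so a long tag can be cut right after a `-`, `_` or `.`. Kubernetes rejects label values that do not begin and end with an alphanumeric character, and the chart-label helper in the context lines above already guards its own truncation with `trimSuffix "-"`. Trimming after the cut would close the gap: `| trunc 63 | trimAll "-_." | quote -}}`. The two definitions differ only in which `image.tag` they read, so a single helper taking the tag as an argument would keep the sanitising rule in one place.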
@@ -4,7 +4,7 @@ metadata: name: {{ include "argo-events.controller.fullname" . }} labels: {{- include "argo-events.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }} - app.kubernetes.io/version: {{ default (include "argo-events.defaultTag" .) .Values.controller.image.tag | quote }} + app.kubernetes.io/version: {{ include "argo-events.controller_chart_version_label" . }} spec: selector: matchLabels: @@ -22,7 +22,7 @@ spec: {{- end }} labels: {{- include "argo-events.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 8 }} - app.kubernetes.io/version: {{ default (include "argo-events.defaultTag" .) .Values.controller.image.tag | quote }} + app.kubernetes.io/version: {{ include "argo-events.controller_chart_version_label" . }} {{- with (mergeOverwrite (deepCopy .Values.global.podLabels) .Values.controller.podLabels) }} {{- toYaml . | nindent 8 }} {{- end }} diff --git a/charts/argo-events/templates/argo-events-controller/pdb.yaml b/charts/argo-events/templates/argo-events-controller/pdb.yaml index 576fcfcf9..f1a7b7217 100644 --- a/charts/argo-events/templates/argo-events-controller/pdb.yaml +++ b/charts/argo-events/templates/argo-events-controller/pdb.yaml @@ -1,5 +1,5 @@ {{- if .Values.controller.pdb.enabled }} -apiVersion: policy/v1beta1 +apiVersion: {{ template "argo-events.pdb.apiVersion" . }} kind: PodDisruptionBudget metadata: name: {{ template "argo-events.controller.fullname" . }} diff --git a/charts/argo-events/templates/argo-events-webhook/deployment.yaml b/charts/argo-events/templates/argo-events-webhook/deployment.yaml index 8def5183a..2f0478afd 100644 --- a/charts/argo-events/templates/argo-events-webhook/deployment.yaml +++ b/charts/argo-events/templates/argo-events-webhook/deployment.yaml 
@@ -5,7 +5,7 @@ metadata: name: events-webhook labels: {{- include "argo-events.labels" (dict "context" . "component" .Values.webhook.name "name" .Values.webhook.name) | nindent 4 }} - app.kubernetes.io/version: {{ default (include "argo-events.defaultTag" .) .Values.webhook.image.tag | quote }} + app.kubernetes.io/version: {{ include "argo-events.webhook_chart_version_label" . }} spec: selector: matchLabels: @@ -22,7 +22,7 @@ spec: {{- end }} labels: {{- include "argo-events.labels" (dict "context" . "component" .Values.webhook.name "name" .Values.webhook.name) | nindent 8 }} - app.kubernetes.io/version: {{ default (include "argo-events.defaultTag" .) .Values.webhook.image.tag | quote }} + app.kubernetes.io/version: {{ include "argo-events.webhook_chart_version_label" . }} {{- with (mergeOverwrite (deepCopy .Values.global.podLabels) .Values.webhook.podLabels) }} {{- toYaml . | nindent 8 }} {{- end }} @@ -37,7 +37,7 @@ spec: {{- end }} containers: - name: {{ .Values.webhook.name }} - image: {{ default .Values.global.image.repository .Values.webhook.image.repository }}:{{ default (include "argo-events.defaultTag" .) .Values.controller.image.tag }} + image: {{ default .Values.global.image.repository .Values.webhook.image.repository }}:{{ default (include "argo-events.defaultTag" .) .Values.webhook.image.tag }} imagePullPolicy: {{ default .Values.global.image.imagePullPolicy .Values.webhook.image.imagePullPolicy }} args: - webhook-service @@ -50,6 +50,8 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace + - name: PORT + value: "{{ .Values.webhook.port }}" {{- with .Values.webhook.env }} {{- toYaml . | nindent 8 }} {{- end }} @@ -63,7 +65,7 @@ spec: {{- end }} ports: - name: webhook - containerPort: 443 + containerPort: {{ .Values.webhook.port }} protocol: TCP livenessProbe: tcpSocket: diff --git a/charts/argo-events/templates/argo-events-webhook/pdb.yaml b/charts/argo-events/templates/argo-events-webhook/pdb.yaml index 3bf082256..15bf97bf7 100644 
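Review bot: `containerPort` and the new `PORT` variable now follow `.Values.webhook.port`, but the `livenessProbe` `tcpSocket` port lies past the end of this hunk. No change to the webhook Service template is visible in this diff either. If the probe or the Service target uses a literal 443, setting a non-default `webhook.port` would leave it pointing at a port nothing listens on, and the admission webhook would fail its checks or become unreachable. Referring to the named port keeps them aligned, e.g. `port: webhook` in the probes and `targetPort: webhook` in the Service.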
--- a/charts/argo-events/templates/argo-events-webhook/pdb.yaml +++ b/charts/argo-events/templates/argo-events-webhook/pdb.yaml @@ -1,5 +1,5 @@ {{- if and .Values.webhook.enabled .Values.webhook.pdb.enabled (not .Values.controller.rbac.namespaced) }} -apiVersion: policy/v1beta1 +apiVersion: {{ template "argo-events.pdb.apiVersion" . }} kind: PodDisruptionBudget metadata: name: {{ template "argo-events.webhook.fullname" . }} diff --git a/charts/argo-events/values.yaml b/charts/argo-events/values.yaml index 0ae12221f..8153e183f 100644 --- a/charts/argo-events/values.yaml +++ b/charts/argo-events/values.yaml @@ -322,6 +322,9 @@ webhook: # -- Labels to be added to event controller pods podLabels: {} + # -- Port to listen on + port: 443 + # -- Event controller container-level security context containerSecurityContext: {} # capabilities: diff --git a/charts/argo-rollouts/Chart.yaml b/charts/argo-rollouts/Chart.yaml index 320bad6a5..6688d9b0b 100644 --- a/charts/argo-rollouts/Chart.yaml +++ b/charts/argo-rollouts/Chart.yaml @@ -1,13 +1,18 @@ apiVersion: v2 -appVersion: "v1.2.2" +appVersion: v1.3.1 description: A Helm chart for Argo Rollouts name: argo-rollouts -version: 2.20.0 -icon: https://argoproj.github.io/argo-rollouts/assets/logo.png +version: 2.21.1 home: https://github.com/argoproj/argo-helm +icon: https://argoproj.github.io/argo-rollouts/assets/logo.png +keywords: + - argoproj + - argo-rollouts +sources: + - https://github.com/argoproj/argo-rollouts maintainers: - name: argoproj url: https://argoproj.github.io/ annotations: artifacthub.io/changes: | - - "[Added]: initContainer option to controller pod, updated secrets roles" + - "[Changed]: Upgrade ArgoRollouts to v1.3.1" diff --git a/charts/argo-rollouts/README.md b/charts/argo-rollouts/README.md index d0881293f..e471d2841 100644 --- a/charts/argo-rollouts/README.md +++ b/charts/argo-rollouts/README.md 
@@ -176,4 +176,4 @@ Autogenerated from chart metadata using [helm-docs](https://github.com/norwoodj/ [Tolerations]: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ [priorityClassName]: https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/ [Pod Disruption Budget]: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/#pod-disruption-budgets -[values.yaml]: https://github.com/argoproj/argo-helm/blob/argo-rollouts-2.20.0/charts/argo-rollouts/values.yaml +[values.yaml]: values.yaml diff --git a/charts/argo-rollouts/README.md.gotmpl b/charts/argo-rollouts/README.md.gotmpl index 6682d1686..445c84dbd 100644 --- a/charts/argo-rollouts/README.md.gotmpl +++ b/charts/argo-rollouts/README.md.gotmpl @@ -98,4 +98,4 @@ Autogenerated from chart metadata using [helm-docs](https://github.com/norwoodj/ [Tolerations]: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ [priorityClassName]: https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/ [Pod Disruption Budget]: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/#pod-disruption-budgets -[values.yaml]: https://github.com/argoproj/argo-helm/blob/argo-rollouts-{{ .Version }}/charts/argo-rollouts/values.yaml +[values.yaml]: values.yaml diff --git a/charts/argo-rollouts/templates/crds/analysis-run-crd.yaml b/charts/argo-rollouts/templates/crds/analysis-run-crd.yaml index f5cba9979..0d95f6f53 100644 --- a/charts/argo-rollouts/templates/crds/analysis-run-crd.yaml +++ b/charts/argo-rollouts/templates/crds/analysis-run-crd.yaml @@ -202,6 +202,13 @@ spec: query: type: string type: object + influxdb: + properties: + profile: + type: string + query: + type: string + type: object job: properties: metadata: @@ -2575,6 +2582,9 @@ spec: maxSkew: format: int32 type: integer + minDomains: + format: int32 + type: integer topologyKey: type: string whenUnsatisfiable: 
@@ -2875,5 +2885,4 @@ spec: served: true storage: true subresources: {} - {{- end }} diff --git a/charts/argo-rollouts/templates/crds/analysis-template-crd.yaml b/charts/argo-rollouts/templates/crds/analysis-template-crd.yaml index 7b23b54df..862af976d 100644 --- a/charts/argo-rollouts/templates/crds/analysis-template-crd.yaml +++ b/charts/argo-rollouts/templates/crds/analysis-template-crd.yaml @@ -198,6 +198,13 @@ spec: query: type: string type: object + influxdb: + properties: + profile: + type: string + query: + type: string + type: object job: properties: metadata: @@ -2571,6 +2578,9 @@ spec: maxSkew: format: int32 type: integer + minDomains: + format: int32 + type: integer topologyKey: type: string whenUnsatisfiable: diff --git a/charts/argo-rollouts/templates/crds/cluster-analysis-template-crd.yaml b/charts/argo-rollouts/templates/crds/cluster-analysis-template-crd.yaml index 8ea109f71..60604611c 100644 --- a/charts/argo-rollouts/templates/crds/cluster-analysis-template-crd.yaml +++ b/charts/argo-rollouts/templates/crds/cluster-analysis-template-crd.yaml @@ -198,6 +198,13 @@ spec: query: type: string type: object + influxdb: + properties: + profile: + type: string + query: + type: string + type: object job: properties: metadata: @@ -2571,6 +2578,9 @@ spec: maxSkew: format: int32 type: integer + minDomains: + format: int32 + type: integer topologyKey: type: string whenUnsatisfiable: diff --git a/charts/argo-rollouts/templates/crds/experiment-crd.yaml b/charts/argo-rollouts/templates/crds/experiment-crd.yaml index 90b4b4997..86af19320 100644 --- a/charts/argo-rollouts/templates/crds/experiment-crd.yaml +++ b/charts/argo-rollouts/templates/crds/experiment-crd.yaml @@ -2477,6 +2477,9 @@ spec: maxSkew: format: int32 type: integer + minDomains: + format: int32 + type: integer topologyKey: type: string whenUnsatisfiable: @@ -2606,4 +2609,4 @@ spec: served: true storage: true subresources: {} -{{- end }} \ No newline at end of file +{{- end }} 
diff --git a/charts/argo-rollouts/templates/crds/rollout-crd.yaml b/charts/argo-rollouts/templates/crds/rollout-crd.yaml index 596f55ca3..ec58d318a 100644 --- a/charts/argo-rollouts/templates/crds/rollout-crd.yaml +++ b/charts/argo-rollouts/templates/crds/rollout-crd.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.7.0 + controller-gen.kubebuilder.io/version: v0.7.0 {{- if .Values.keepCRDs }} "helm.sh/resource-policy": keep {{- end }} @@ -603,6 +603,74 @@ spec: format: int32 type: integer type: object + setHeaderRoute: + properties: + match: + items: + properties: + headerName: + type: string + headerValue: + properties: + exact: + type: string + prefix: + type: string + regex: + type: string + type: object + required: + - headerName + - headerValue + type: object + type: array + name: + type: string + type: object + setMirrorRoute: + properties: + match: + items: + properties: + headers: + additionalProperties: + properties: + exact: + type: string + prefix: + type: string + regex: + type: string + type: object + type: object + method: + properties: + exact: + type: string + prefix: + type: string + regex: + type: string + type: object + path: + properties: + exact: + type: string + prefix: + type: string + regex: + type: string + type: object + type: object + type: array + name: + type: string + percentage: + format: int32 + type: integer + required: + - name + type: object setWeight: format: int32 type: integer @@ -743,6 +811,15 @@ spec: type: object type: array type: object + managedRoutes: + items: + properties: + name: + type: string + required: + - name + type: object + type: array nginx: properties: additionalIngressAnnotations: 
@@ -763,6 +840,13 @@ spec: trafficSplitName: type: string type: object + traefik: + properties: + weightedTraefikServiceName: + type: string + required: + - weightedTraefikServiceName + type: object type: object type: object type: object @@ -3083,6 +3167,9 @@ spec: maxSkew: format: int32 type: integer + minDomains: + format: int32 + type: integer topologyKey: type: string whenUnsatisfiable: diff --git a/charts/argo-workflows/Chart.yaml b/charts/argo-workflows/Chart.yaml index c991b85a2..870bef4b2 100644 --- a/charts/argo-workflows/Chart.yaml +++ b/charts/argo-workflows/Chart.yaml @@ -1,9 +1,9 @@ apiVersion: v2 -appVersion: v3.4.0 +appVersion: v3.4.4 name: argo-workflows description: A Helm chart for Argo Workflows type: application -version: 0.18.0 +version: 0.22.1 icon: https://raw.githubusercontent.com/argoproj/argo-workflows/master/docs/assets/argo.png home: https://github.com/argoproj/argo-helm sources: @@ -13,5 +13,5 @@ maintainers: url: https://argoproj.github.io/ annotations: artifacthub.io/changes: | - - "[Changed]: Upgrade ArgoWorkflows to v3.4.0" - - "[Fixed]: Remove unsupported attributes on metricsConfig and telemetryConfig, from workflow-controller-configmap" + - "[Fixed]: avoid app.kubernetes.io/version kubernetes label from exceeding maximum length (63) + - "[Fixed]: generated value for app.kubernetes.io/version label is now valid even when defining a controller/server/executor.image.tag with a SHA digest" diff --git a/charts/argo-workflows/README.md b/charts/argo-workflows/README.md index 130a035c3..711a1f52e 100644 --- a/charts/argo-workflows/README.md +++ b/charts/argo-workflows/README.md 
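Review bot: The first new entry under `artifacthub.io/changes` in `charts/argo-workflows/Chart.yaml` opens a double quote and never closes it. The block scalar itself loads, but its content is not valid YAML once a consumer parses the change list. Close the string: `- "[Fixed]: avoid app.kubernetes.io/version kubernetes label from exceeding maximum length (63)"`.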
@@ -41,7 +41,11 @@ Fields to note: | Key | Type | Default | Description | |-----|------|---------|-------------| +| crds.annotations | object | `{}` | Annotations to be added to all CRDs | +| crds.install | bool | `true` | Install and upgrade CRDs | +| crds.keep | bool | `true` | Keep CRDs on chart uninstall | | createAggregateRoles | bool | `true` | Create clusterroles that extend existing clusterroles to interact with argo-cd crds | +| extraObjects | list | `[]` | Array of extra K8s manifests to deploy | | fullnameOverride | string | `nil` | String to fully override "argo-workflows.fullname" template | | images.pullPolicy | string | `"Always"` | imagePullPolicy to apply to all containers | | images.pullSecrets | list | `[]` | Secrets with credentials to pull images from a private registry | @@ -58,6 +62,7 @@ Fields to note: | workflow.rbac.create | bool | `true` | Adds Role and RoleBinding for the above specified service account to be able to run workflows. A Role and Rolebinding pair is also created for each namespace in controller.workflowNamespaces (see below) | | workflow.serviceAccount.annotations | object | `{}` | Annotations applied to created service account | | workflow.serviceAccount.create | bool | `false` | Specifies whether a service account should be created | +| workflow.serviceAccount.labels | object | `{}` | Labels applied to created service account | | workflow.serviceAccount.name | string | `"argo-workflow"` | Service account which is used to run workflows | ### Workflow Controller 
@@ -103,12 +108,15 @@ Fields to note: | controller.podSecurityContext | object | `{}` | SecurityContext to set on the controller pods | | controller.priorityClassName | string | `""` | Leverage a PriorityClass to ensure your pods survive resource shortages. | | controller.rbac.create | bool | `true` | Adds Role and RoleBinding for the controller. | +| controller.rbac.secretWhitelist | list | `[]` | Allows controller to get, list, and watch certain k8s secrets | | controller.replicas | int | `1` | The number of controller pods to run | | controller.resourceRateLimit | object | `{}` | Globally limits the rate at which pods are created. This is intended to mitigate flooding of the Kubernetes API server by workflows with a large amount of parallel nodes. | | controller.resources | object | `{}` | Resource limits and requests for the controller | +| controller.retentionPolicy | object | `{}` | Workflow retention by number of workflows | | controller.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true}` | the controller container's securityContext | | controller.serviceAccount.annotations | object | `{}` | Annotations applied to created service account | | controller.serviceAccount.create | bool | `true` | Create a service account for the controller | +| controller.serviceAccount.labels | object | `{}` | Labels applied to created service account | | controller.serviceAccount.name | string | `""` | Service account name | | controller.serviceAnnotations | object | `{}` | Annotations to be applied to the controller Service | | controller.serviceLabels | object | `{}` | Optional labels to add to the controller Service | 
@@ -125,6 +133,7 @@ Fields to note: | controller.telemetryConfig.servicePort | int | `8081` | telemetry service port | | controller.telemetryConfig.servicePortName | string | `"telemetry"` | telemetry service port name | | controller.tolerations | list | `[]` | [Tolerations] for use with node taints | +| controller.topologySpreadConstraints | list | `[]` | Assign custom [TopologySpreadConstraints] rules to the workflow controller | | controller.volumeMounts | list | `[]` | Additional volume mounts to the controller main container | | controller.volumes | list | `[]` | Additional volumes to the controller pod | | controller.workflowDefaults | object | `{}` | Default values that will apply to all Workflows from this controller, unless overridden on the Workflow-level. Only valid for 2.7+ | @@ -136,8 +145,8 @@ Fields to note: | Key | Type | Default | Description | |-----|------|---------|-------------| -| mainContainer.env | object | `{}` | Adds environment variables for the Workflow main container | -| mainContainer.imagePullPolicy | string | `"Always"` | imagePullPolicy to apply to Workflow main container | +| mainContainer.env | list | `[]` | Adds environment variables for the Workflow main container | +| mainContainer.imagePullPolicy | string | `""` | imagePullPolicy to apply to Workflow main container. Defaults to `.Values.images.pullPolicy`. | | mainContainer.resources | object | `{}` | Resource limits and requests for the Workflow main container | | mainContainer.securityContext | object | `{}` | sets security context for the Workflow main container | 
@@ -145,7 +154,8 @@ Fields to note: | Key | Type | Default | Description | |-----|------|---------|-------------| -| executor.env | object | `{}` | Adds environment variables for the executor. | +| executor.env | list | `[]` | Adds environment variables for the executor. | +| executor.image.pullPolicy | string | `""` | Image PullPolicy to use for the Workflow Executors. Defaults to `.Values.images.pullPolicy`. | | executor.image.registry | string | `"quay.io"` | Registry to use for the Workflow Executors | | executor.image.repository | string | `"argoproj/argoexec"` | Repository to use for the Workflow Executors | | executor.image.tag | string | `""` | Image tag for the workflow executor. Defaults to `.Values.images.tag`. | @@ -193,6 +203,7 @@ Fields to note: | server.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":false,"runAsNonRoot":true}` | Servers container-level security context | | server.serviceAccount.annotations | object | `{}` | Annotations applied to created service account | | server.serviceAccount.create | bool | `true` | Create a service account for the server | +| server.serviceAccount.labels | object | `{}` | Labels applied to created service account | | server.serviceAccount.name | string | `""` | Service account name | | server.serviceAnnotations | object | `{}` | Annotations to be applied to the UI Service | | server.serviceLabels | object | `{}` | Optional labels to add to the UI Service | 
@@ -202,6 +213,7 @@ Fields to note: | server.serviceType | string | `"ClusterIP"` | Service type for server pods | | server.sso | object | `{}` | SSO configuration when SSO is specified as a server auth mode. | | server.tolerations | list | `[]` | [Tolerations] for use with node taints | +| server.topologySpreadConstraints | list | `[]` | Assign custom [TopologySpreadConstraints] rules to the argo server | | server.volumeMounts | list | `[]` | Additional volume mounts to the server main container. | | server.volumes | list | `[]` | Additional volumes to the server pod. | @@ -210,8 +222,10 @@ Fields to note: | Key | Type | Default | Description | |-----|------|---------|-------------| | artifactRepository.archiveLogs | bool | `false` | Archive the main container logs as an artifact | +| artifactRepository.azure | object | `{}` (See [values.yaml]) | Store artifact in Azure Blob Storage | | artifactRepository.gcs | object | `{}` (See [values.yaml]) | Store artifact in a GCS object store | | artifactRepository.s3 | object | See [values.yaml] | Store artifact in a S3-compliant object store | +| customArtifactRepository | object | `{}` | The section of custom artifact repository. Will be added to the config in case useDefaultArtifactRepo is set to false | | useDefaultArtifactRepo | bool | `false` | Influences the creation of the ConfigMap for the workflow-controller itself. | | useStaticCredentials | bool | `true` | Use static credentials for S3 (eg. when not using AWS IRSA) | @@ -241,4 +255,5 @@ Fields to note: [Pod Disruption Budget]: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ [probe]: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes [Tolerations]: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ +[TopologySpreadConstraints]: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ [values.yaml]: values.yaml 
diff --git a/charts/argo-workflows/README.md.gotmpl b/charts/argo-workflows/README.md.gotmpl index 27f43013b..28ee4fdce 100644 --- a/charts/argo-workflows/README.md.gotmpl +++ b/charts/argo-workflows/README.md.gotmpl @@ -42,7 +42,7 @@ Fields to note: | Key | Type | Default | Description | |-----|------|---------|-------------| {{- range .Values }} - {{- if not (or (hasPrefix "workflow" .Key) (hasPrefix "controller" .Key) (hasPrefix "executor" .Key) (hasPrefix "server" .Key) (hasPrefix "artifactRepository" .Key) (hasPrefix "use" .Key) (hasPrefix "mainContainer" .Key) ) }} + {{- if not (or (hasPrefix "workflow" .Key) (hasPrefix "controller" .Key) (hasPrefix "executor" .Key) (hasPrefix "server" .Key) (hasPrefix "artifactRepository" .Key) (hasPrefix "customArtifact" .Key) (hasPrefix "use" .Key) (hasPrefix "mainContainer" .Key) ) }} | {{ .Key }} | {{ .Type }} | {{ if .Default }}{{ .Default }}{{ else }}{{ .AutoDefault }}{{ end }} | {{ if .Description }}{{ .Description }}{{ else }}{{ .AutoDescription }}{{ end }} | {{- end }} {{- end }} @@ -102,7 +102,7 @@ Fields to note: | Key | Type | Default | Description | |-----|------|---------|-------------| {{- range .Values }} - {{- if or (hasPrefix "artifactRepository" .Key) (hasPrefix "use" .Key) }} + {{- if or (hasPrefix "artifactRepository" .Key) (hasPrefix "use" .Key) (hasPrefix "customArtifact" .Key) }} | {{ .Key }} | {{ .Type }} | {{ if .Default }}{{ .Default }}{{ else }}{{ .AutoDefault }}{{ end }} | {{ if .Description }}{{ .Description }}{{ else }}{{ .AutoDescription }}{{ end }} | {{- end }} {{- end }} 
@@ -133,4 +133,5 @@ Fields to note: [Pod Disruption Budget]: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ [probe]: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes [Tolerations]: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ +[TopologySpreadConstraints]: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ [values.yaml]: values.yaml diff --git a/charts/argo-workflows/ci/default-values.yaml b/charts/argo-workflows/ci/default-values.yaml index 507f1e542..ffc41c8a6 100644 --- a/charts/argo-workflows/ci/default-values.yaml +++ b/charts/argo-workflows/ci/default-values.yaml @@ -1 +1,3 @@ # Test with default values +crds: + keep: false diff --git a/charts/argo-workflows/ci/enable-ingress-values.yaml b/charts/argo-workflows/ci/enable-ingress-values.yaml index d3485603b..05dae8861 100644 --- a/charts/argo-workflows/ci/enable-ingress-values.yaml +++ b/charts/argo-workflows/ci/enable-ingress-values.yaml @@ -1,3 +1,6 @@ +crds: + keep: false + server: ingress: enabled: true diff --git a/charts/argo-workflows/ci/enable-metrics-values.yaml b/charts/argo-workflows/ci/enable-metrics-values.yaml index 64c56cc19..32c007be1 100644 --- a/charts/argo-workflows/ci/enable-metrics-values.yaml +++ b/charts/argo-workflows/ci/enable-metrics-values.yaml @@ -1,3 +1,6 @@ +crds: + keep: false + controller: serviceMonitor: enabled: false diff --git a/charts/argo-workflows/ci/enable-rbac-values.yaml b/charts/argo-workflows/ci/enable-rbac-values.yaml index 10f717aca..709240840 100644 --- a/charts/argo-workflows/ci/enable-rbac-values.yaml +++ b/charts/argo-workflows/ci/enable-rbac-values.yaml @@ -1,3 +1,6 @@ +crds: + keep: false + workflow: serviceAccount: create: true # Specifies whether a service account should be created diff --git a/charts/argo-workflows/templates/_helpers.tpl b/charts/argo-workflows/templates/_helpers.tpl index f0306cac9..a3ce89349 100644 
--- a/charts/argo-workflows/templates/_helpers.tpl +++ b/charts/argo-workflows/templates/_helpers.tpl @@ -45,6 +45,32 @@ Create chart name and version as used by the chart label. {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} {{- end -}} +{{/* +Create kubernetes friendly chart version label for the controller. +Examples: +image.tag = v3.4.4 +output = v3.4.4 + +image.tag = v3.4.4@sha256:d06860f1394a94ac3ff8401126ef32ba28915aa6c3c982c7e607ea0b4dadb696 +output = v3.4.4 +*/}} +{{- define "argo-workflows.controller_chart_version_label" -}} +{{- regexReplaceAll "[^a-zA-Z0-9-_.]+" (regexReplaceAll "@sha256:[a-f0-9]+" (default (include "argo-workflows.defaultTag" .) .Values.controller.image.tag) "") "" | trunc 63 | quote -}} +{{- end -}} + +{{/* +Create kubernetes friendly chart version label for the server. +Examples: +image.tag = v3.4.4 +output = v3.4.4 + +image.tag = v3.4.4@sha256:d06860f1394a94ac3ff8401126ef32ba28915aa6c3c982c7e607ea0b4dadb696 +output = v3.4.4 +*/}} +{{- define "argo-workflows.server_chart_version_label" -}} +{{- regexReplaceAll "[^a-zA-Z0-9-_.]+" (regexReplaceAll "@sha256:[a-f0-9]+" (default (include "argo-workflows.defaultTag" .) .Values.server.image.tag) "") "" | trunc 63 | quote -}} +{{- end -}} + {{/* Common labels */}} diff --git a/charts/argo-workflows/templates/controller/workflow-controller-cluster-roles.yaml b/charts/argo-workflows/templates/controller/workflow-controller-cluster-roles.yaml index 4b0f389a3..34f91c0da 100644 --- a/charts/argo-workflows/templates/controller/workflow-controller-cluster-roles.yaml +++ b/charts/argo-workflows/templates/controller/workflow-controller-cluster-roles.yaml 
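Review bot: In both new helpers `trunc 63` runs last, so a long tag can leave a value that ends in `-`, `_` or `.`, which Kubernetes rejects as a label value; `argo-workflows.chart` just above already guards against this with `trimSuffix "-"`. Ending the pipeline with `| trunc 63 | trimAll "-_." | quote` would cover all three characters at both ends. The digest strip only matches `@sha256:` followed by lowercase hex, so a digest written in any other form is not removed and the outer replace fuses its remaining characters into the version string. The two definitions differ only in `.Values.controller.image.tag` versus `.Values.server.image.tag`, and their comments call the result a chart version although it is derived from the image tag.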
@@ -164,6 +164,17 @@ rules: resourceNames: {{/* for HTTP templates */}} - argo-workflows-agent-ca-certificates +{{- with .Values.controller.rbac.secretWhitelist }} +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch + resourceNames: {{- toYaml . | nindent 4 }} +{{- end }} {{- if .Values.controller.clusterWorkflowTemplates.enabled }} --- diff --git a/charts/argo-workflows/templates/controller/workflow-controller-config-map.yaml b/charts/argo-workflows/templates/controller/workflow-controller-config-map.yaml index f0744cf01..0f29b5768 100644 --- a/charts/argo-workflows/templates/controller/workflow-controller-config-map.yaml +++ b/charts/argo-workflows/templates/controller/workflow-controller-config-map.yaml @@ -27,7 +27,7 @@ data: {{- end }} {{- if or .Values.mainContainer.resources .Values.mainContainer.env .Values.mainContainer.securityContext}} mainContainer: - imagePullPolicy: {{ .Values.images.pullPolicy }} + imagePullPolicy: {{ default (.Values.images.pullPolicy) .Values.mainContainer.imagePullPolicy }} {{- with .Values.mainContainer.resources }} resources: {{- toYaml . | nindent 8 }} {{- end }} @@ -40,7 +40,7 @@ data: {{- end }} {{- if or .Values.executor.resources .Values.executor.env .Values.executor.securityContext}} executor: - imagePullPolicy: {{ .Values.images.pullPolicy }} + imagePullPolicy: {{ default (.Values.images.pullPolicy) .Values.executor.image.pullPolicy }} {{- with .Values.executor.resources }} resources: {{- toYaml . | nindent 8 }} {{- end }} 
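Review bot: The new `secretWhitelist` rule grants `list` and `watch` alongside `get`, but Kubernetes RBAC only applies `resourceNames` to `list`/`watch` when the request carries a `metadata.name` field selector, so `get` is probably the only verb here that takes effect for ordinary collection watches. The enclosing role's `kind` is outside this hunk; if it renders as a ClusterRole bound cluster-wide, each listed name matches a secret of that name in every namespace, not only the controller's own. I would state that next to the value, e.g. `# -- Secret names the controller may read. With a cluster-wide install a name matches in every namespace.`, and keep `list`/`watch` only if a caller is known to need them.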
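Review bot: The new `mainContainer.imagePullPolicy` override in the `@@ -27,7 +27,7 @@` hunk is only rendered when the guard on the line above it is true, and that guard still tests just `resources`, `env` and `securityContext`; setting the pull policy alone therefore produces no `mainContainer:` block at all. The same applies to `executor.image.pullPolicy` in the `@@ -40,7 +40,7 @@` hunk. Adding the new value to each condition fixes it, e.g. `{{- if or .Values.mainContainer.resources .Values.mainContainer.env .Values.mainContainer.securityContext .Values.mainContainer.imagePullPolicy }}`. Both blocks continue past the end of their hunks.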
@@ -56,10 +56,13 @@ data: {{- if .Values.artifactRepository.archiveLogs }} archiveLogs: {{ .Values.artifactRepository.archiveLogs }} {{- end }} - {{- if .Values.artifactRepository.gcs }} - gcs: -{{ toYaml .Values.artifactRepository.gcs | indent 8}} - {{- else }} + {{- with .Values.artifactRepository.gcs }} + gcs: {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.artifactRepository.azure }} + azure: {{- toYaml . | nindent 8 }} + {{- end }} + {{- if and (not .Values.artifactRepository.gcs) (not .Values.artifactRepository.azure) }} s3: {{- if .Values.useStaticCredentials }} accessKeySecret: @@ -89,7 +92,11 @@ data: {{- toYaml . | nindent 10 }} {{- end }} {{- end }} - {{- end}} + {{- else }} + {{- if .Values.customArtifactRepository }} + artifactRepository: {{- toYaml .Values.customArtifactRepository | nindent 6 }} + {{- end }} + {{- end }} {{- if .Values.controller.metricsConfig.enabled }} metricsConfig: enabled: {{ .Values.controller.metricsConfig.enabled }} 
@@ -119,7 +126,37 @@ data: workflowDefaults: {{ toYaml .Values.controller.workflowDefaults | indent 6 }}{{- end }} {{- with .Values.server.sso }} - sso: {{- toYaml . | nindent 6 }} + sso: + issuer: {{ .issuer }} + clientId: + name: {{ .clientId.name }} + key: {{ .clientId.key }} + clientSecret: + name: {{ .clientSecret.name }} + key: {{ .clientSecret.key }} + redirectUrl: {{ .redirectUrl }} + {{- with .rbac }} + rbac: + enabled: {{ .enabled }} + {{- end }} + {{- if .scopes }} + scopes: {{ toYaml .scopes | nindent 8 }} + {{- end }} + {{- if .issuerAlias }} + issuerAlias: {{ .issuerAlias }} + {{- end }} + {{- if .sessionExpiry }} + sessionExpiry: {{ .sessionExpiry }} + {{- end }} + {{- if .customGroupClaimName }} + customGroupClaimName: {{ .customGroupClaimName }} + {{- end }} + {{- if .userInfoPath }} + userInfoPath: {{ .userInfoPath }} + {{- end }} + {{- if .insecureSkipVerify }} + insecureSkipVerify: {{ .insecureSkipVerify }} + {{- end }} {{- end }} {{- with .Values.controller.workflowRestrictions }} workflowRestrictions: {{- toYaml . | nindent 6 }} @@ -130,3 +167,6 @@ data: {{- with .Values.controller.navColor }} navColor: {{ . }} {{- end }} + {{- with .Values.controller.retentionPolicy }} + retentionPolicy: {{- toYaml . | nindent 6 }} + {{- end }} diff --git a/charts/argo-workflows/templates/controller/workflow-controller-deployment.yaml b/charts/argo-workflows/templates/controller/workflow-controller-deployment.yaml index 53cab4463..7ce171556 100644 --- a/charts/argo-workflows/templates/controller/workflow-controller-deployment.yaml +++ b/charts/argo-workflows/templates/controller/workflow-controller-deployment.yaml 
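Review bot: Every field of the rewritten `sso:` block is emitted unquoted, so a value containing `: ` or ` #`, or one that looks like a boolean or number, changes how the controller parses this embedded YAML; piping each scalar through `quote`, as in `issuer: {{ .issuer | quote }}` and `redirectUrl: {{ .redirectUrl | quote }}`, avoids that. `.clientId.name` and `.clientSecret.name` are dereferenced without a guard, so a values file that omits either map will likely fail at render time rather than with a clear message; `required` would give one. Because the block is now a fixed field list, any `server.sso` key not named here is silently dropped, which is worth a comment in values.yaml. `insecureSkipVerify` is passed straight through, and its values.yaml entry should say that it turns off TLS certificate verification towards the issuer and is meant for test setups only.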
@@ -4,7 +4,7 @@ metadata: name: {{ template "argo-workflows.controller.fullname" . }} labels: {{- include "argo-workflows.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }} - app.kubernetes.io/version: {{ default (include "argo-workflows.defaultTag" .) .Values.controller.image.tag | trunc 63 | quote }} + app.kubernetes.io/version: {{ include "argo-workflows.controller_chart_version_label" . }} {{- with .Values.controller.deploymentAnnotations }} annotations: {{- toYaml . | nindent 4 }} @@ -18,7 +18,7 @@ spec: metadata: labels: {{- include "argo-workflows.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 8 }} - app.kubernetes.io/version: {{ default (include "argo-workflows.defaultTag" .) .Values.controller.image.tag | trunc 63 | quote }} + app.kubernetes.io/version: {{ include "argo-workflows.controller_chart_version_label" . }} {{- with.Values.controller.podLabels }} {{- toYaml . | nindent 8 }} {{- end }} @@ -106,6 +106,17 @@ spec: affinity: {{- toYaml . | nindent 8 }} {{- end }} + {{- with .Values.controller.topologySpreadConstraints }} + topologySpreadConstraints: + {{- range $constraint := . }} + - {{ toYaml $constraint | nindent 8 | trim }} + {{- if not $constraint.labelSelector }} + labelSelector: + matchLabels: + {{- include "argo-workflows.selectorLabels" (dict "context" $ "name" $.Values.controller.name) | nindent 12 }} + {{- end }} + {{- end }} + {{- end }} {{- with .Values.controller.priorityClassName }} priorityClassName: {{ . }} {{- end }} diff --git a/charts/argo-workflows/templates/controller/workflow-controller-sa.yaml b/charts/argo-workflows/templates/controller/workflow-controller-sa.yaml index 3acc93ab3..362459005 100644 --- a/charts/argo-workflows/templates/controller/workflow-controller-sa.yaml +++ b/charts/argo-workflows/templates/controller/workflow-controller-sa.yaml 
@@ -5,6 +5,9 @@ metadata: name: {{ template "argo-workflows.controllerServiceAccountName" . }} labels: {{- include "argo-workflows.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }} + {{- with .Values.controller.serviceAccount.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} {{ with .Values.controller.serviceAccount.annotations }} annotations: {{- toYaml .| nindent 4 }} diff --git a/charts/argo-workflows/templates/controller/workflow-role.yaml b/charts/argo-workflows/templates/controller/workflow-role.yaml index 38c0ed439..51050d0fa 100644 --- a/charts/argo-workflows/templates/controller/workflow-role.yaml +++ b/charts/argo-workflows/templates/controller/workflow-role.yaml @@ -42,6 +42,7 @@ rules: - argoproj.io resources: - workflowtasksets + - workflowartifactgctasks verbs: - list - watch @@ -49,8 +50,7 @@ rules: - argoproj.io resources: - workflowtasksets/status - {{/* TODO: This resource is for app version <= v3.2, so please remove it when app version v3.2 is no more used. */}} - - workflowtasksets + - workflowartifactgctasks/status verbs: - patch {{- end }} diff --git a/charts/argo-workflows/templates/controller/workflow-sa.yaml b/charts/argo-workflows/templates/controller/workflow-sa.yaml index 43e6cbf62..8928b32e8 100644 --- a/charts/argo-workflows/templates/controller/workflow-sa.yaml +++ b/charts/argo-workflows/templates/controller/workflow-sa.yaml @@ -7,6 +7,9 @@ metadata: name: {{ $.Values.workflow.serviceAccount.name }} labels: {{- include "argo-workflows.labels" (dict "context" $ "component" $.Values.controller.name "name" $.Values.controller.name) | nindent 4 }} + {{- with $.Values.workflow.serviceAccount.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} {{- with $namespace }} namespace: {{ . }} {{- end }} 
diff --git a/charts/argo-workflows/crds/argoproj.io_clusterworkflowtemplates.yaml b/charts/argo-workflows/templates/crds/argoproj.io_clusterworkflowtemplates.yaml similarity index 78% rename from charts/argo-workflows/crds/argoproj.io_clusterworkflowtemplates.yaml rename to charts/argo-workflows/templates/crds/argoproj.io_clusterworkflowtemplates.yaml index 889dfe2f5..7f767b24d 100644 --- a/charts/argo-workflows/crds/argoproj.io_clusterworkflowtemplates.yaml +++ b/charts/argo-workflows/templates/crds/argoproj.io_clusterworkflowtemplates.yaml @@ -1,7 +1,15 @@ +{{- if .Values.crds.install }} apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: clusterworkflowtemplates.argoproj.io + annotations: + {{- if .Values.crds.keep }} + "helm.sh/resource-policy": keep + {{- end }} + {{- with .Values.crds.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} spec: group: argoproj.io names: @@ -34,3 +42,4 @@ spec: type: object served: true storage: true +{{- end }} diff --git a/charts/argo-workflows/crds/argoproj.io_cronworkflows.yaml b/charts/argo-workflows/templates/crds/argoproj.io_cronworkflows.yaml similarity index 79% rename from charts/argo-workflows/crds/argoproj.io_cronworkflows.yaml rename to charts/argo-workflows/templates/crds/argoproj.io_cronworkflows.yaml index 812cf1143..7b932d8f6 100644 --- a/charts/argo-workflows/crds/argoproj.io_cronworkflows.yaml +++ b/charts/argo-workflows/templates/crds/argoproj.io_cronworkflows.yaml @@ -1,7 +1,15 @@ +{{- if .Values.crds.install }} apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: cronworkflows.argoproj.io + annotations: + {{- if .Values.crds.keep }} + "helm.sh/resource-policy": keep + {{- end }} + {{- with .Values.crds.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} spec: group: argoproj.io names: @@ -38,3 +46,4 @@ spec: type: object served: true storage: true +{{- end }} 
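Review bot: `annotations:` is emitted unconditionally in each moved CRD, so with `crds.keep: false` and no `crds.annotations` (the combination the ci values files use) the key renders bare and parses as null; wrapping it in `{{- if or .Values.crds.keep .Values.crds.annotations }}` … `{{- end }}` keeps the manifest explicit. The same applies to all eight CRD files in this commit. Moving them from `crds/` to `templates/crds/` also changes their lifecycle: CRDs installed by earlier chart versions presumably carry no Helm ownership metadata, so an upgrade may refuse to adopt them until they are labelled and annotated by hand, and with `keep: false` an uninstall removes the CRDs together with every Workflow object stored under them. Both consequences deserve a line in the upgrade notes and beside `crds.keep` in values.yaml.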
diff --git a/charts/argo-workflows/crds/argoproj.io_workflowartifactgctasks.yaml b/charts/argo-workflows/templates/crds/argoproj.io_workflowartifactgctasks.yaml similarity index 82% rename from charts/argo-workflows/crds/argoproj.io_workflowartifactgctasks.yaml rename to charts/argo-workflows/templates/crds/argoproj.io_workflowartifactgctasks.yaml index dbc98e913..dcebddb24 100644 --- a/charts/argo-workflows/crds/argoproj.io_workflowartifactgctasks.yaml +++ b/charts/argo-workflows/templates/crds/argoproj.io_workflowartifactgctasks.yaml @@ -1,7 +1,15 @@ +{{- if .Values.crds.install }} apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: workflowartifactgctasks.argoproj.io + annotations: + {{- if .Values.crds.keep }} + "helm.sh/resource-policy": keep + {{- end }} + {{- with .Values.crds.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} spec: group: argoproj.io names: @@ -39,3 +47,4 @@ spec: storage: true subresources: status: {} +{{- end }} diff --git a/charts/argo-workflows/crds/argoproj.io_workfloweventbindings.yaml b/charts/argo-workflows/templates/crds/argoproj.io_workfloweventbindings.yaml similarity index 77% rename from charts/argo-workflows/crds/argoproj.io_workfloweventbindings.yaml rename to charts/argo-workflows/templates/crds/argoproj.io_workfloweventbindings.yaml index 22e2ecf0f..097fa5cda 100644 --- a/charts/argo-workflows/crds/argoproj.io_workfloweventbindings.yaml +++ b/charts/argo-workflows/templates/crds/argoproj.io_workfloweventbindings.yaml @@ -1,7 +1,15 @@ +{{- if .Values.crds.install }} apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: workfloweventbindings.argoproj.io + annotations: + {{- if .Values.crds.keep }} + "helm.sh/resource-policy": keep + {{- end }} + {{- with .Values.crds.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} spec: group: argoproj.io names: @@ -33,3 +41,4 @@ spec: type: object served: true storage: true +{{- end }} 
diff --git a/charts/argo-workflows/crds/argoproj.io_workflows.yaml b/charts/argo-workflows/templates/crds/argoproj.io_workflows.yaml similarity index 85% rename from charts/argo-workflows/crds/argoproj.io_workflows.yaml rename to charts/argo-workflows/templates/crds/argoproj.io_workflows.yaml index 7a5b598d5..85b71f916 100644 --- a/charts/argo-workflows/crds/argoproj.io_workflows.yaml +++ b/charts/argo-workflows/templates/crds/argoproj.io_workflows.yaml @@ -1,7 +1,15 @@ +{{- if .Values.crds.install }} apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: workflows.argoproj.io + annotations: + {{- if .Values.crds.keep }} + "helm.sh/resource-policy": keep + {{- end }} + {{- with .Values.crds.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} spec: group: argoproj.io names: @@ -53,3 +61,4 @@ spec: served: true storage: true subresources: {} +{{- end }} diff --git a/charts/argo-workflows/crds/argoproj.io_workflowtaskresults.yaml b/charts/argo-workflows/templates/crds/argoproj.io_workflowtaskresults.yaml similarity index 98% rename from charts/argo-workflows/crds/argoproj.io_workflowtaskresults.yaml rename to charts/argo-workflows/templates/crds/argoproj.io_workflowtaskresults.yaml index e76677f72..e9bb93f69 100644 --- a/charts/argo-workflows/crds/argoproj.io_workflowtaskresults.yaml +++ b/charts/argo-workflows/templates/crds/argoproj.io_workflowtaskresults.yaml @@ -1,7 +1,15 @@ +{{- if .Values.crds.install }} apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: workflowtaskresults.argoproj.io + annotations: + {{- if .Values.crds.keep }} + "helm.sh/resource-policy": keep + {{- end }} + {{- with .Values.crds.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} spec: group: argoproj.io names: @@ -582,3 +590,4 @@ spec: type: object served: true storage: true +{{- end }} 
diff --git a/charts/argo-workflows/crds/argoproj.io_workflowtasksets.yaml b/charts/argo-workflows/templates/crds/argoproj.io_workflowtasksets.yaml similarity index 80% rename from charts/argo-workflows/crds/argoproj.io_workflowtasksets.yaml rename to charts/argo-workflows/templates/crds/argoproj.io_workflowtasksets.yaml index 22cf52b19..746929413 100644 --- a/charts/argo-workflows/crds/argoproj.io_workflowtasksets.yaml +++ b/charts/argo-workflows/templates/crds/argoproj.io_workflowtasksets.yaml @@ -1,7 +1,15 @@ +{{- if .Values.crds.install }} apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: workflowtasksets.argoproj.io + annotations: + {{- if .Values.crds.keep }} + "helm.sh/resource-policy": keep + {{- end }} + {{- with .Values.crds.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} spec: group: argoproj.io names: @@ -39,3 +47,4 @@ spec: storage: true subresources: status: {} +{{- end }} diff --git a/charts/argo-workflows/crds/argoproj.io_workflowtemplates.yaml b/charts/argo-workflows/templates/crds/argoproj.io_workflowtemplates.yaml similarity index 77% rename from charts/argo-workflows/crds/argoproj.io_workflowtemplates.yaml rename to charts/argo-workflows/templates/crds/argoproj.io_workflowtemplates.yaml index 8165ec25b..810e6f51b 100644 --- a/charts/argo-workflows/crds/argoproj.io_workflowtemplates.yaml +++ b/charts/argo-workflows/templates/crds/argoproj.io_workflowtemplates.yaml @@ -1,7 +1,15 @@ +{{- if .Values.crds.install }} apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: workflowtemplates.argoproj.io + annotations: + {{- if .Values.crds.keep }} + "helm.sh/resource-policy": keep + {{- end }} + {{- with .Values.crds.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} spec: group: argoproj.io names: @@ -33,3 +41,4 @@ spec: type: object served: true storage: true +{{- end }} 
diff --git a/charts/argo-workflows/templates/extra-manifests.yaml b/charts/argo-workflows/templates/extra-manifests.yaml new file mode 100644 index 000000000..a9bb3b6ba --- /dev/null +++ b/charts/argo-workflows/templates/extra-manifests.yaml @@ -0,0 +1,4 @@ +{{ range .Values.extraObjects }} +--- +{{ tpl (toYaml .) $ }} +{{ end }} diff --git a/charts/argo-workflows/templates/server/server-cluster-roles.yaml b/charts/argo-workflows/templates/server/server-cluster-roles.yaml index 669446478..c3c4e6887 100644 --- a/charts/argo-workflows/templates/server/server-cluster-roles.yaml +++ b/charts/argo-workflows/templates/server/server-cluster-roles.yaml @@ -30,7 +30,7 @@ rules: - list - watch - delete - {{- if .Values.server.sso }} +{{- if .Values.server.sso }} - apiGroups: - "" resources: @@ -46,7 +46,7 @@ rules: - secrets verbs: - create - {{- if .Values.server.sso.rbac }} + {{- if .Values.server.sso.rbac }} - apiGroups: - "" resources: @@ -55,8 +55,8 @@ rules: - get - list - watch - {{- end }} {{- end }} +{{- end }} - apiGroups: - "" resources: diff --git a/charts/argo-workflows/templates/server/server-deployment.yaml b/charts/argo-workflows/templates/server/server-deployment.yaml index d4881d52b..e1e9b680d 100644 --- a/charts/argo-workflows/templates/server/server-deployment.yaml +++ b/charts/argo-workflows/templates/server/server-deployment.yaml @@ -5,7 +5,7 @@ metadata: name: {{ template "argo-workflows.server.fullname" . }} labels: {{- include "argo-workflows.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }} - app.kubernetes.io/version: {{ default (include "argo-workflows.defaultTag" .) .Values.server.image.tag | trunc 63 | quote }} + app.kubernetes.io/version: {{ include "argo-workflows.server_chart_version_label" . }} {{- with .Values.server.deploymentAnnotations }} annotations: {{- toYaml . | nindent 4 }} 
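Review bot: `{{ tpl (toYaml .) $ }}` in the new extra-manifests.yaml evaluates any template expression found inside `extraObjects` with the full chart context and then applies the result, of whatever kind, with the privileges of whoever installs the release. The README row added in this commit describes the value only as "Array of extra K8s manifests to deploy", so the templating step is undocumented. I would extend the values.yaml comment to something like `# -- Array of extra K8s manifests to deploy. Entries are rendered through tpl, so template expressions in them are evaluated`, and note that values merged from sources other than the chart operator should be reviewed before install. The `range`/`end` actions also lack `-` trimming, which leaves blank lines in the rendered output.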
@@ -19,7 +19,7 @@ spec: metadata: labels: {{- include "argo-workflows.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 8 }} - app.kubernetes.io/version: {{ default (include "argo-workflows.defaultTag" .) .Values.server.image.tag | trunc 63 | quote }} + app.kubernetes.io/version: {{ include "argo-workflows.server_chart_version_label" . }} {{- with .Values.server.podLabels }} {{- toYaml . | nindent 8 }} {{- end }} @@ -109,6 +109,17 @@ spec: affinity: {{- toYaml . | nindent 8 }} {{- end }} + {{- with .Values.server.topologySpreadConstraints }} + topologySpreadConstraints: + {{- range $constraint := . }} + - {{ toYaml $constraint | nindent 8 | trim }} + {{- if not $constraint.labelSelector }} + labelSelector: + matchLabels: + {{- include "argo-workflows.selectorLabels" (dict "context" $ "name" $.Values.server.name) | nindent 12 }} + {{- end }} + {{- end }} + {{- end }} {{- with .Values.server.priorityClassName }} priorityClassName: {{ . }} {{- end }} diff --git a/charts/argo-workflows/templates/server/server-sa.yaml b/charts/argo-workflows/templates/server/server-sa.yaml index 5525d7af9..2f6644edb 100644 --- a/charts/argo-workflows/templates/server/server-sa.yaml +++ b/charts/argo-workflows/templates/server/server-sa.yaml @@ -5,6 +5,9 @@ metadata: name: {{ template "argo-workflows.serverServiceAccountName" . }} labels: {{- include "argo-workflows.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }} + {{- with .Values.server.serviceAccount.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} {{- with .Values.server.serviceAccount.annotations }} annotations: {{- toYaml . | nindent 4 }} diff --git a/charts/argo-workflows/templates/server/server-service.yaml b/charts/argo-workflows/templates/server/server-service.yaml index 3b147ab22..22fc2b01d 100644 --- a/charts/argo-workflows/templates/server/server-service.yaml +++ b/charts/argo-workflows/templates/server/server-service.yaml 
@@ -5,7 +5,7 @@ metadata: name: {{ template "argo-workflows.server.fullname" . }} labels: {{- include "argo-workflows.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }} - app.kubernetes.io/version: {{ default (include "argo-workflows.defaultTag" .) .Values.server.image.tag | trunc 63 | quote }} + app.kubernetes.io/version: {{ include "argo-workflows.server_chart_version_label" . }} {{- with .Values.server.serviceAnnotations }} annotations: {{- toYaml . | nindent 4 }} diff --git a/charts/argo-workflows/values.yaml b/charts/argo-workflows/values.yaml index 578fb1da0..18d28ad46 100644 --- a/charts/argo-workflows/values.yaml +++ b/charts/argo-workflows/values.yaml @@ -7,6 +7,15 @@ images: pullSecrets: [] # - name: argo-pull-secret +## Custom resource configuration +crds: + # -- Install and upgrade CRDs + install: true + # -- Keep CRDs on chart uninstall + keep: true + # -- Annotations to be added to all CRDs + annotations: {} + # -- Create clusterroles that extend existing clusterroles to interact with argo-cd crds ## Ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles createAggregateRoles: true @@ -32,6 +41,8 @@ workflow: serviceAccount: # -- Specifies whether a service account should be created create: false + # -- Labels applied to created service account + labels: {} # -- Annotations applied to created service account annotations: {} # -- Service account which is used to run workflows @@ -61,6 +72,8 @@ controller: rbac: # -- Adds Role and RoleBinding for the controller. create: true + # -- Allows controller to get, list, and watch certain k8s secrets + secretWhitelist: [] # -- Limits the maximum number of incomplete workflows in a namespace namespaceParallelism: @@ -170,6 +183,8 @@ controller: create: true # -- Service account name name: "" + # -- Labels applied to created service account + labels: {} # -- Annotations applied to created service account annotations: {} 
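Review bot: The new `controller.rbac.secretWhitelist` key (values.yaml hunk `-61,6 +72,8`) is described only as allowing access to "certain k8s secrets", so a reader cannot tell what the default `[]` grants. The template that consumes the list is not part of this hunk, so it is unclear from here whether an empty list leaves the controller with no secret access or with access to every secret; for an RBAC setting that difference belongs next to the key. Suggest a comment along the lines of `# -- Names of the only k8s secrets the controller may get, list, and watch; when left empty the controller <resulting access>`, with the placeholder filled in from the role template.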
@@ -252,6 +267,15 @@ controller: tolerations: [] # -- Assign custom [affinity] rules affinity: {} + + # -- Assign custom [TopologySpreadConstraints] rules to the workflow controller + ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + ## If labelSelector is left out, it will default to the labelSelector configuration of the deployment + topologySpreadConstraints: [] + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + # -- Leverage a PriorityClass to ensure your pods survive resource shortages. ## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ priorityClassName: "" @@ -267,14 +291,20 @@ controller: # -- Extra containers to be added to the controller deployment extraContainers: [] + # -- Workflow retention by number of workflows + retentionPolicy: {} + # completed: 10 + # failed: 3 + # errored: 3 + # mainContainer adds default config for main container that could be overriden in workflows template mainContainer: - # -- imagePullPolicy to apply to Workflow main container - imagePullPolicy: Always + # -- imagePullPolicy to apply to Workflow main container. Defaults to `.Values.images.pullPolicy`. + imagePullPolicy: "" # -- Resource limits and requests for the Workflow main container resources: {} # -- Adds environment variables for the Workflow main container - env: {} + env: [] # -- sets security context for the Workflow main container securityContext: {} @@ -287,10 +317,12 @@ executor: repository: argoproj/argoexec # -- Image tag for the workflow executor. Defaults to `.Values.images.tag`. tag: "" + # -- Image PullPolicy to use for the Workflow Executors. Defaults to `.Values.images.pullPolicy`. + pullPolicy: "" # -- Resource limits and requests for the Workflow Executors resources: {} # -- Adds environment variables for the executor. - env: {} + env: [] # -- sets security context for the executor container securityContext: {} 
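Review bot: In the `mainContainer` hunk (`-267,14 +291,20`) the default `imagePullPolicy` changes from `Always` to whatever `images.pullPolicy` resolves to, which silently changes behaviour for existing installs. The value of `images.pullPolicy` is outside this hunk; if it is not `Always`, workflow pods that reference mutable tags can run a stale node-cached image after the upgrade. Suggest appending `(previously Always; set explicitly to keep re-pulling mutable tags)` to the new comment. The `env: {}` to `env: []` type change in the same hunk, and under `executor` in the next one, deserves a changelog entry for users who override it with a map.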
@@ -344,6 +376,8 @@ server: create: true # -- Service account name name: "" + # -- Labels applied to created service account + labels: {} # -- Annotations applied to created service account annotations: {} @@ -375,6 +409,14 @@ server: # -- Assign custom [affinity] rules affinity: {} + # -- Assign custom [TopologySpreadConstraints] rules to the argo server + ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + ## If labelSelector is left out, it will default to the labelSelector configuration of the deployment + topologySpreadConstraints: [] + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + # -- Leverage a PriorityClass to ensure your pods survive resource shortages ## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ priorityClassName: "" @@ -487,6 +529,32 @@ server: # -- Extra containers to be added to the server deployment extraContainers: [] +# -- Array of extra K8s manifests to deploy +extraObjects: [] + # - apiVersion: secrets-store.csi.x-k8s.io/v1 + # kind: SecretProviderClass + # metadata: + # name: argo-server-sso + # spec: + # provider: aws + # parameters: + # objects: | + # - objectName: "argo/server/sso" + # objectType: "secretsmanager" + # jmesPath: + # - path: "client_id" + # objectAlias: "client_id" + # - path: "client_secret" + # objectAlias: "client_secret" + # secretObjects: + # - data: + # - key: client_id + # objectName: client_id + # - key: client_secret + # objectName: client_secret + # secretName: argo-server-sso-secrets-store + # type: Opaque + # -- Influences the creation of the ConfigMap for the workflow-controller itself. useDefaultArtifactRepo: false # -- Use static credentials for S3 (eg. when not using AWS IRSA) 
@@ -530,3 +598,35 @@ artifactRepository: # serviceAccountKeySecret: # name: my-gcs-credentials # key: serviceAccountKey + # -- Store artifact in Azure Blob Storage + # @default -- `{}` (See [values.yaml]) + azure: {} + # endpoint: https://mystorageaccountname.blob.core.windows.net + # container: my-container-name + # blob: path/in/container + ## accountKeySecret is a secret selector. + ## It references the k8s secret named 'my-azure-storage-credentials'. + ## This secret is expected to have have the key 'account-access-key', + ## containing the base64 encoded credentials to the storage account. + ## If a managed identity has been assigned to the machines running the + ## workflow (e.g., https://docs.microsoft.com/en-us/azure/aks/use-managed-identity) + ## then accountKeySecret is not needed, and useSDKCreds should be + ## set to true instead: + # useSDKCreds: true + # accountKeySecret: + # name: my-azure-storage-credentials + # key: account-access-key + +# -- The section of custom artifact repository. +# Will be added to the config in case useDefaultArtifactRepo is set to false +customArtifactRepository: {} +# customArtifactRepository: +# archiveLogs: true +# artifactory: +# repoUrl: https://artifactory.example.com/raw +# usernameSecret: +# name: artifactory-creds +# key: username +# passwordSecret: +# name: artifactory-creds +# key: password diff --git a/charts/argocd-apps/Chart.yaml b/charts/argocd-apps/Chart.yaml index 6a3fda064..7a5840b72 100644 --- a/charts/argocd-apps/Chart.yaml +++ b/charts/argocd-apps/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: argocd-apps description: A Helm chart for managing additional Argo CD Applications and Projects type: application -version: 0.0.1 +version: 0.0.5 home: https://github.com/argoproj/argo-helm icon: https://argo-cd.readthedocs.io/en/stable/assets/logo.png keywords: 
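Review bot: The commented Azure example (hunk `-530,3 +598,35`) leads with the static `accountKeySecret` and mentions `useSDKCreds` only at the end, although a storage account key is a long-lived credential for the whole account. I would open the comment block with the managed-identity option and present the key secret as the fallback, e.g. `## Prefer useSDKCreds: true with a managed identity; use accountKeySecret only where no identity is available.` The same block contains a doubled word in "expected to have have the key".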
@@ -14,4 +14,4 @@ maintainers: url: https://argoproj.github.io/ annotations: artifacthub.io/changes: | - - "[Added]: Add additional Applications and Projects" + - "[Added]: Support sourceNamespaces for AppProject" diff --git a/charts/argocd-apps/README.md b/charts/argocd-apps/README.md index ea205caa3..fc994888a 100644 --- a/charts/argocd-apps/README.md +++ b/charts/argocd-apps/README.md @@ -25,6 +25,8 @@ $ helm install my-release argo/argocd-apps | Key | Type | Default | Description | |-----|------|---------|-------------| | applications | list | `[]` (See [values.yaml]) | Deploy Argo CD Applications within this helm release | +| applicationsets | list | `[]` (See [values.yaml]) | Deploy Argo CD ApplicationSets within this helm release | +| extensions | list | `[]` (See [values.yaml]) | Deploy Argo UI Extensions within this helm release | | projects | list | `[]` (See [values.yaml]) | Deploy Argo CD Projects within this helm release | ---------------------------------------------- diff --git a/charts/argocd-apps/ci/applicationsets-values.yaml b/charts/argocd-apps/ci/applicationsets-values.yaml new file mode 100644 index 000000000..a76ed41a5 --- /dev/null +++ b/charts/argocd-apps/ci/applicationsets-values.yaml 
@@ -0,0 +1,45 @@
+# Test with applicationsets
+
+applicationsets:
+- name: guestbook
+ namespace: default # Only for test purpose.
+ additionalLabels: {}
+ additionalAnnotations: {}
+ # See PR #10026 (ArgoCD v2.5 or later)
+ # goTemplate: false
+ generators:
+ - git:
+ repoURL: https://github.com/argoproj/argocd-example-apps.git
+ revision: HEAD
+ directories:
+ - path: guestbook
+ - path: kustomize-*
+ template:
+ metadata:
+ name: '{{path.basename}}'
+ labels: {}
+ annotations: {}
+ spec:
+ project: default
+ source:
+ repoURL: https://github.com/argoproj/argocd-example-apps.git
+ targetRevision: HEAD
+ path: '{{path}}'
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: default
+ syncPolicy:
+ automated:
+ prune: false
+ selfHeal: false
+ ignoreDifferences:
+ - group: apps
+ kind: Deployment
+ jsonPointers:
+ - /spec/replicas
+ info:
+ - name: url
+ value: https://argoproj.github.io/
+ syncPolicy:
+ # Set Application finalizer
+ preserveResourcesOnDeletion: false
diff --git a/charts/argocd-apps/ci/extensions-values.yaml b/charts/argocd-apps/ci/extensions-values.yaml
new file mode 100644
index 000000000..15a9fa73b
--- /dev/null
+++ b/charts/argocd-apps/ci/extensions-values.yaml
@@ -0,0 +1,12 @@
+# Test with extensions
+
+extensions:
+ - name: example
+ namespace: default
+ additionalLabels: {}
+ additionalAnnotations: {}
+ sources:
+ - git:
+ url: https://github.com/argoproj-labs/argocd-example-extension.git
+ - web:
+ url: https://github.com/argoproj-labs/argocd-example-extension/releases/download/v0.1.0/extension.tar
diff --git a/charts/argocd-apps/templates/applicationsets.yaml b/charts/argocd-apps/templates/applicationsets.yaml
new file mode 100644
index 000000000..20898d0a8
--- /dev/null
+++ b/charts/argocd-apps/templates/applicationsets.yaml
@@ -0,0 +1,73 @@
+
+{{- range .Values.applicationsets }}
+---
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+ {{- with .additionalAnnotations }}
+ annotations:
+ {{- range $key, $value := . }}
+ {{ $key }}: {{ $value | quote }}
+ {{- end }}
+ {{- end }}
+ {{- with .additionalLabels }}
+ labels:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ name: {{ .name }}
+ {{- with .namespace }}
+ namespace: {{ . }}
+ {{- end }}
+spec:
+ {{- if hasKey . "goTemplate" }}
+ goTemplate: {{ .goTemplate }}
+ {{- end }}
+ {{- with .generators }}
+ generators:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with .syncPolicy }}
+ syncPolicy:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with .template }}
+ template:
+ {{- with .metadata }}
+ metadata:
+ {{- with .annotations }}
+ annotations:
+ {{- range $key, $value := . }}
+ {{ $key }}: {{ $value | squote }}
+ {{- end }}
+ {{- end }}
+ {{- with .labels }}
+ labels:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ name: {{ .name | squote }}
+ {{- with .namespace }}
+ namespace: {{ . | squote }}
+ {{- end }}
+ {{- end }}
+ {{- with .spec }}
+ spec:
+ project: {{ tpl .project $ }}
+ source:
+ {{- toYaml .source | nindent 8 }}
+ destination:
+ {{- toYaml .destination | nindent 8 }}
+ {{- with .syncPolicy }}
+ syncPolicy:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .ignoreDifferences }}
+ ignoreDifferences:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .info }}
+ info:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- end -}}
+ {{- end }}
+{{- end }}
diff --git a/charts/argocd-apps/templates/extensions.yaml b/charts/argocd-apps/templates/extensions.yaml
new file mode 100644
index 000000000..1893c2a7b
--- /dev/null
+++ b/charts/argocd-apps/templates/extensions.yaml
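Review bot: `metadata.name`, `metadata.namespace` and `spec.template.spec.project` are rendered unquoted, and the template-level annotations, name and namespace go through `squote`, which wraps a value in single quotes without escaping any it already contains. A value such as `123` or `true`, or one containing an apostrophe, therefore yields a non-string scalar or invalid YAML in the rendered ApplicationSet. I would use `quote` throughout: `name: {{ .name | quote }}`, `{{ $key }}: {{ $value | quote }}`, `project: {{ tpl .project $ | quote }}`. `tpl .project $` also evaluates the value as a template against the root context and fails when `project` is unset, which is worth stating in the values.yaml comment. `templates/extensions.yaml` in the hunk that follows renders `name` and `namespace` unquoted in the same way.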
@@ -0,0 +1,27 @@ +{{- range .Values.extensions }} +--- +apiVersion: argoproj.io/v1alpha1 +kind: ArgoCDExtension +metadata: + name: {{ .name }} + {{- with .namespace }} + namespace: {{ . }} + {{- end }} + finalizers: + - extensions-finalizer.argocd.argoproj.io + {{- with .additionalLabels }} + labels: + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .additionalAnnotations }} + annotations: + {{- range $key, $value := . }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- end }} +{{- with .sources }} +spec: + sources: + {{- toYaml . | nindent 4 }} +{{- end }} +{{- end }} diff --git a/charts/argocd-apps/templates/projects.yaml b/charts/argocd-apps/templates/projects.yaml index 5832810bd..f747d1b61 100644 --- a/charts/argocd-apps/templates/projects.yaml +++ b/charts/argocd-apps/templates/projects.yaml @@ -23,10 +23,14 @@ metadata: {{- end }} spec: description: {{ .description }} + {{- with .sourceRepos }} sourceRepos: - {{- toYaml .sourceRepos | nindent 4 }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .destinations }} destinations: - {{- toYaml .destinations | nindent 4 }} + {{- toYaml . | nindent 4 }} + {{- end }} {{- with .clusterResourceWhitelist }} clusterResourceWhitelist: {{- toYaml . | nindent 4 }} @@ -59,4 +63,8 @@ spec: signatureKeys: {{- toYaml . | nindent 4 }} {{- end }} + {{- with .sourceNamespaces }} + sourceNamespaces: + {{- toYaml . | nindent 4 }} + {{- end }} {{- end }} diff --git a/charts/argocd-apps/values.yaml b/charts/argocd-apps/values.yaml index ec3cbb410..b3eaa5d21 100644 --- a/charts/argocd-apps/values.yaml +++ b/charts/argocd-apps/values.yaml 
@@ -74,3 +74,67 @@ projects: [] # manualSync: true # signatureKeys: # - keyID: ABCDEF1234567890 +# sourceNamespaces: +# - argocd + +# -- Deploy Argo CD ApplicationSets within this helm release +# @default -- `[]` (See [values.yaml]) +## Ref: https://argo-cd.readthedocs.io/en/stable/operator-manual/applicationset/ +applicationsets: [] +# - name: guestbook +# namespace: argocd +# additionalLabels: {} +# additionalAnnotations: {} +# # See PR #10026 (ArgoCD v2.5 or later) +# # goTemplate: false +# generators: +# - git: +# repoURL: https://github.com/argoproj/argocd-example-apps.git +# revision: HEAD +# directories: +# - path: guestbook +# - path: kustomize-* +# template: +# metadata: +# name: '{{path.basename}}' +# labels: {} +# annotations: {} +# spec: +# project: default +# source: +# repoURL: https://github.com/argoproj/argocd-example-apps.git +# targetRevision: HEAD +# path: '{{path}}' +# destination: +# server: https://kubernetes.default.svc +# namespace: default +# syncPolicy: +# automated: +# prune: false +# selfHeal: false +# ignoreDifferences: +# - group: apps +# kind: Deployment +# jsonPointers: +# - /spec/replicas +# info: +# - name: url +# value: https://argoproj.github.io/ +# syncPolicy: +# # Set Application finalizer +# preserveResourcesOnDeletion: false + +# -- Deploy Argo UI Extensions within this helm release +# @default -- `[]` (See [values.yaml]) +## This function in tech preview stage, do expect unstability or breaking changes in newer versions. Bump image.tag if necessary. +## Ref: https://github.com/argoproj-labs/argocd-extensions +extensions: [] + # - name: example + # namespace: argocd + # additionalLabels: {} + # additionalAnnotations: {} + # sources: + # - git: + # url: https://github.com/argoproj-labs/argocd-example-extension.git + # - web: + # url: https://github.com/argoproj-labs/argocd-example-extension/releases/download/v0.1.0/extension.tar 
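Review bot: The commented `sourceNamespaces` and `extensions` examples are added without any hint that both widen the trust boundary of the Argo CD instance; the visible text warns only about instability. Listing a namespace under `sourceNamespaces` lets Applications created in that namespace use the project, and the extension `sources` are URLs whose content, as far as I understand the linked argocd-extensions project, is fetched and served through the Argo CD UI. Suggest one line above each example, e.g. `## Applications in the listed namespaces may use this project; list only namespaces whose writers you trust.` and `## Only reference extension sources you control or trust, pinned to a fixed release.`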
diff --git a/charts/argocd-image-updater/Chart.yaml b/charts/argocd-image-updater/Chart.yaml index a5b2ecd76..049ed8cea 100644 --- a/charts/argocd-image-updater/Chart.yaml +++ b/charts/argocd-image-updater/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: argocd-image-updater description: A Helm chart for Argo CD Image Updater, a tool to automatically update the container images of Kubernetes workloads which are managed by Argo CD type: application -version: 0.8.0 +version: 0.8.1 appVersion: v0.12.0 home: https://github.com/argoproj-labs/argocd-image-updater icon: https://argocd-image-updater.readthedocs.io/en/stable/assets/logo.png @@ -15,4 +15,4 @@ maintainers: url: https://argoproj.github.io/ annotations: artifacthub.io/changes: | - - "[Changed]: Update to argocd-image-updater v0.12" + - "[Added]: Add support for additional initContainers and additional volume/volumeMounts" diff --git a/charts/argocd-image-updater/README.md b/charts/argocd-image-updater/README.md index 7d80daac2..10259e19c 100644 --- a/charts/argocd-image-updater/README.md +++ b/charts/argocd-image-updater/README.md @@ -91,6 +91,7 @@ The `config.registries` value can be used exactly as it looks in the documentati | image.repository | string | `"quay.io/argoprojlabs/argocd-image-updater"` | Default image repository | | image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion | | imagePullSecrets | list | `[]` | ImagePullSecrets for the image updater deployment | +| initContainers | list | `[]` | Init containers to add to the image updater pod | | metrics.enabled | bool | `false` | Deploy metrics service | | metrics.service.annotations | object | `{}` | Metrics service annotations | | metrics.service.labels | object | `{}` | Metrics service labels | 
@@ -115,6 +116,8 @@ The `config.registries` value can be used exactly as it looks in the documentati | serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | | tolerations | list | `[]` | Kubernetes toleration settings for the deployment | | updateStrategy | object | `{"type":"Recreate"}` | The deployment strategy to use to replace existing pods with new ones | +| volumeMounts | list | `[]` | Additional volumeMounts to the image updater main container | +| volumes | list | `[]` | Additional volumes to the image updater pod | ---------------------------------------------- Autogenerated from chart metadata using [helm-docs](https://github.com/norwoodj/helm-docs) diff --git a/charts/argocd-image-updater/templates/deployment.yaml b/charts/argocd-image-updater/templates/deployment.yaml index a80d26bec..61136fb8f 100644 --- a/charts/argocd-image-updater/templates/deployment.yaml +++ b/charts/argocd-image-updater/templates/deployment.yaml @@ -138,6 +138,9 @@ spec: - mountPath: /scripts name: authscripts {{- end }} + {{- with .Values.volumeMounts }} + {{- toYaml . | nindent 10}} + {{- end }} volumes: - configMap: items: @@ -164,6 +167,9 @@ spec: name: argocd-image-updater-ssh-config optional: true name: ssh-config + {{- with .Values.volumes }} + {{- toYaml . | nindent 6}} + {{- end }} {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} @@ -176,3 +182,7 @@ spec: tolerations: {{- toYaml . | nindent 8 }} {{- end }} + {{- with .Values.initContainers }} + initContainers: + {{- toYaml . | nindent 6 }} + {{- end }} diff --git a/charts/argocd-image-updater/values.yaml b/charts/argocd-image-updater/values.yaml index d6ebd232b..9ac3e1ef0 100644 --- a/charts/argocd-image-updater/values.yaml +++ b/charts/argocd-image-updater/values.yaml 
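Review bot: The added `toYaml` lines in the `volumeMounts` and `volumes` hunks of deployment.yaml (`-138,6 +138,9` and `-164,6 +167,9`) close the action as `nindent 10}}` and `nindent 6}}`, while the surrounding actions, including the new `initContainers` block, put a space before `}}`. Suggest `{{- toYaml . | nindent 10 }}` and `{{- toYaml . | nindent 6 }}` for consistency. Because the user-supplied lists are appended to the chart's own entries (`authscripts`, `ssh-config` are visible in the context lines), a values.yaml comment noting that those names are already taken would save users a rejected Deployment.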
@@ -42,6 +42,29 @@ extraEnv: [] # - name: AWS_REGION # value: "us-west-1" +# -- Init containers to add to the image updater pod +initContainers: [] + # - name: download-tools + # image: alpine:3.8 + # command: [sh, -c] + # args: + # - wget -qO- https://get.helm.sh/helm-v2.16.1-linux-amd64.tar.gz | tar -xvzf - && + # mv linux-amd64/helm /custom-tools/ + # volumeMounts: + # - mountPath: /custom-tools + # name: custom-tools + +# -- Additional volumeMounts to the image updater main container +volumeMounts: [] + +# -- Additional volumes to the image updater pod +volumes: [] + ## Use init containers to configure custom tooling + ## https://argo-cd.readthedocs.io/en/stable/operator-manual/custom_tools/ + ## When using the volumes & volumeMounts section bellow, please comment out those above. + # - name: custom-tools + # emptyDir: {} + config: # -- API kind that is used to manage Argo CD applications (`kubernetes` or `argocd`) applicationsAPIKind: "" diff --git a/scripts/lint.sh b/scripts/lint.sh index 4fcf08709..b44a6cee4 100755 --- a/scripts/lint.sh +++ b/scripts/lint.sh @@ -9,7 +9,7 @@ echo -e "\n-- Linting all Helm Charts --\n" docker run \ -v "$SRCROOT:/workdir" \ --entrypoint /bin/sh \ - quay.io/helmpack/chart-testing:v3.7.0 \ + quay.io/helmpack/chart-testing:v3.7.1 \ -c cd /workdir \ ct lint \ --config .github/configs/ct-lint.yaml \
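Review bot: The commented `initContainers` example pipes a tarball from the network straight into `tar` and runs from the `alpine:3.8` tag, so the pattern it teaches copies an unverified binary into the pod on every start from an old, mutable base tag. Since examples like this get pasted as-is, I would show an integrity check and a pinned image: download to a file, run `echo "<sha256-of-release>  helm.tar.gz" | sha256sum -c -` before unpacking, and use `image: alpine@sha256:<digest>`. The trailing comment "When using the volumes & volumeMounts section bellow, please comment out those above" does not seem to match this file, where both keys sit above the comment, and "bellow" should read "below"; it looks carried over from another chart and could be dropped or reworded.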