WIP on upgrade-argo-workflows: c33f9e3 Merge pull request #42 from co…

…defresh-io/workflows-v3.4.4-cap-CR-20826

charts/argo-workflows/Chart.yaml

@@ -1,17 +1,20 @@
 apiVersion: v2
-appVersion: v3.4.4-cap-CR-20826
+appVersion: v3.5.4
 name: argo-workflows
 description: A Helm chart for Argo Workflows
 type: application
-version: 0.22.10-2-CR-20826
-icon: https://raw.githubusercontent.com/argoproj/argo-workflows/master/docs/assets/argo.png
+version: 0.40.9
+icon: https://argoproj.github.io/argo-workflows/assets/logo.png
 home: https://github.com/argoproj/argo-helm
 sources:
   - https://github.com/argoproj/argo-workflows
 maintainers:
   - name: argoproj
     url: https://argoproj.github.io/
 annotations:
+  artifacthub.io/signKey: |
+    fingerprint: 2B8F22F57260EFA67BE1C5824B11F800CD9D2252
+    url: https://argoproj.github.io/argo-helm/pgp_keys.asc
   artifacthub.io/changes: |
-    - kind: fixed
-      description: Align changelog structure to show changelogs on Artifact Hub
+    - kind: added
+      description: Add MySQL persistence support explicitly on README

charts/argo-workflows/README.md.gotmpl

@@ -6,26 +6,91 @@ If you want your deployment of this helm chart to most closely match the [argo C
 
 ## Pre-Requisites
 
-This chart uses an install hook to configure the CRD definition. Installation of CRDs is a somewhat privileged process in itself and in RBAC enabled clusters the `default` service account for namespaces does not typically have the ability to create these.
-
-A few options are:
-
-- Manually create a ServiceAccount in the Namespace in which your release will be deployed w/ appropriate bindings to perform this action and set the `serviceAccountName` field in the Workflow spec
-- Augment the `default` ServiceAccount permissions in the Namespace in which your Release is deployed to have the appropriate permissions
+### Custom resource definitions
+
+Some users would prefer to install the CRDs _outside_ of the chart. You can disable the CRD installation of this chart by using `--set crds.install=false` when installing the chart.
+
+Helm cannot upgrade custom resource definitions in the `<chart>/crds` folder [by design](https://helm.sh/docs/chart_best_practices/custom_resource_definitions/#some-caveats-and-explanations). Starting with 3.4.0 (chart version 0.19.0), the CRDs have been moved to `<chart>/templates` to address this design decision.
+
+If you are using Argo Workflows chart version prior to 3.4.0 (chart version 0.19.0) or have elected to manage the Argo Workflows CRDs outside of the chart, please use `kubectl` to upgrade CRDs manually from [templates/crds](templates/crds/) folder or via the manifests from the upstream project repo:
+
+```bash
+kubectl apply -k "https://github.com/argoproj/argo-workflows/manifests/base/crds/full?ref=<appVersion>"
+
+# Eg. version v3.3.9
+kubectl apply -k "https://github.com/argoproj/argo-workflows/manifests/base/crds/full?ref=v3.3.9"
+```
+
+### ServiceAccount for Workflow Spec
+In order for each Workflow run, you create ServiceAccount via `values.yaml` like below.
+
+```yaml
+workflow:
+  serviceAccount:
+    create: true
+    name: "argo-workflow"
+  rbac:
+    create: true
+controller:
+  workflowNamespaces:
+    - default
+    - foo
+    - bar
+```
+
+Set ServiceAccount on Workflow.
+
+```yaml
+apiVersion: argoproj.io/v1alpha1
+kind: Workflow
+metadata:
+  generateName: hello-world-
+spec:
+  entrypoint: whalesay
+  serviceAccountName: argo-workflow # Set ServiceAccount
+  templates:
+    - name: whalesay
+      container:
+        image: docker/whalesay
+        command: [ cowsay ]
+        args: [ "hello world" ]
+```
+
+## Installing the Chart
+
+To install the chart with the release name `my-release`:
+
+```console
+$ helm repo add argo https://argoproj.github.io/argo-helm
+"argo" has been added to your repositories
+
+$ helm install my-release argo/argo-workflows
+NAME: my-release
+...
+```
 
 ## Changelog
 
 For full list of changes, please check ArtifactHub [changelog].
 
 ## Usage Notes
 
+### High Availability
+
+This chart installs the non-HA version of Argo Workflows by default. If you want to run in HA mode, you can use [these example values](ci/ha-values.yaml) as a starting point.
+Please see the upstream [Operator Manual's High Availability page](https://argoproj.github.io/argo-workflows/high-availability/) to understand how to scale Argo Workflows in depth.
+
 ### Workflow controller
 
 This chart defaults to setting the `controller.instanceID.enabled` to `false` now, which means the deployed controller will act upon any workflow deployed to the cluster. If you would like to limit the behavior and deploy multiple workflow controllers, please use the `controller.instanceID.enabled` attribute along with one of its configuration options to set the `instanceID` of the workflow controller to be properly scoped for your needs.
 
-### Workflow server authentication
+### Argo Workflows server authentication
+
+Argo Workflows server provides some choices for authentication mechanism and you can configure `.Values.server.authModes`. By default, authentication mode is `[server]`, for local development purposes or cases where your gateway authentication is covered by some other means.
+Please refer to [Argo Server Auth Mode] for more details.
+
+Argo Workflows server also supports SSO and you can enable it to configure `.Values.server.sso` and `.Values.server.authModes`. In order to manage access levels, you can optionally add RBAC to SSO. Please refer to [SSO RBAC] for more details.
 
-By default, the chart requires some kind of authentication mechanism. This adopts the [default behaviour from the Argo project](https://github.com/argoproj/argo-workflows/pull/5211) itself. However, for local development purposes, or cases where your gateway authentication is covered by some other means, you can set the authentication mode for the Argo server by setting the `server.extraArgs: [--auth-mode=server]`. There are a few additional comments in the values.yaml file itself, including commented-out settings to disable authentication on the server UI itself using the same `--auth-mode=server` setting.
 
 ## Values
 
@@ -132,11 +197,16 @@ Fields to note:
 1. moved the field previously known as `telemetryServicePort` inside the `telemetryConfig` as `telemetryConfig.servicePort` - same for `metricsConfig`
 
 [affinity]: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
+[BackendConfigSpec]: https://cloud.google.com/kubernetes-engine/docs/concepts/backendconfig#backendconfigspec_v1beta1_cloudgooglecom
+[FrontendConfigSpec]: https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-features#configuring_ingress_features_through_frontendconfig_parameters
 [links]: https://argoproj.github.io/argo-workflows/links/
+[columns]: https://github.com/argoproj/argo-workflows/pull/10693
 [Node selector]: https://kubernetes.io/docs/user-guide/node-selection/
 [Pod Disruption Budget]: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
 [probe]: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes
 [Tolerations]: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
 [TopologySpreadConstraints]: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
 [values.yaml]: values.yaml
 [changelog]: https://artifacthub.io/packages/helm/argo/argo-workflows?modal=changelog
+[SSO RBAC]: https://argo-workflows.readthedocs.io/en/latest/argo-server-sso/
+[Argo Server Auth Mode]: https://argo-workflows.readthedocs.io/en/latest/argo-server-auth-mode/ 

charts/argo-workflows/ci/default-values.yaml

@@ -1,4 +1,3 @@
 # Test with default values
 crds:
-  install: true
   keep: false

charts/argo-workflows/ci/enable-artifact-repo-ref.yaml

@@ -0,0 +1,41 @@
+artifactRepositoryRef:
+  # 1st ConfigMap
+  artifact-repositories:
+    annotations:
+      workflows.argoproj.io/default-artifact-repository: default-v1-s3-artifact-repository
+    # 1st data
+    default-v1-s3-artifact-repository:
+      archiveLogs: true
+      s3:
+        bucket: my-bucket
+        endpoint: minio:9000
+        insecure: true
+        accessKeySecret:
+          name: my-minio-cred
+          key: accesskey
+        secretKeySecret:
+          name: my-minio-cred
+          key: secretkey
+    # 2nd data
+    oss-artifact-repository:
+      archiveLogs: false
+      oss:
+        endpoint: http://oss-cn-zhangjiakou-internal.aliyuncs.com
+        bucket: $mybucket
+        accessKeySecret:
+          name: $mybucket-credentials
+          key: accessKey
+        secretKeySecret:
+          name: $mybucket-credentials
+          key: secretKey
+  # 2nd ConfigMap
+  another-artifact-repositories:
+    annotations:
+      workflows.argoproj.io/default-artifact-repository: gcs
+    gcs:
+      archiveLogs: false
+      bucket: my-bucket
+      keyFormat: prefix/in/bucket/{{workflow.name}}/{{pod.name}}
+      serviceAccountKeySecret:
+        name: my-gcs-credentials
+        key: serviceAccountKey

charts/argo-workflows/ci/enable-artifact-repo-values.yaml

@@ -0,0 +1,46 @@
+# Test with artifact repository
+crds:
+  keep: false
+
+useStaticCredentials: true
+artifactRepository:
+  archiveLogs: false
+  s3:
+    accessKeySecret:
+      name: "{{ .Release.Name }}-minio"
+      key: accesskey
+    secretKeySecret:
+      name: "{{ .Release.Name }}-minio"
+      key: secretkey
+    insecure: false
+    bucket:
+    endpoint:
+    region:
+    roleARN:
+    useSDKCreds: true
+    encryptionOptions:
+      enableEncryption: true
+  gcs:
+    bucket: project-argo
+    keyFormat: "{{ `{{workflow.namespace}}/{{workflow.name}}/{{pod.name}}` }}"
+    serviceAccountKeySecret:
+      name: my-gcs-credentials
+      key: serviceAccountKey
+  azure:
+    endpoint: https://mystorageaccountname.blob.core.windows.net
+    container: my-container-name
+    blobNameFormat: path/in/container
+    useSDKCreds: true
+    accountKeySecret:
+      name: my-azure-storage-credentials
+      key: account-access-key
+
+customArtifactRepository:
+  artifactory:
+    repoUrl: https://artifactory.example.com/raw
+    usernameSecret:
+      name: artifactory-creds
+      key: username
+    passwordSecret:
+      name: artifactory-creds
+      key: password

charts/argo-workflows/ci/enable-ingress-values.yaml

@@ -1,9 +1,8 @@
 crds:
-  install: true
   keep: false
 
 server:
   ingress:
     enabled: true
     hosts:
-      - argo-workflows.127.0.0.1.xip.io
+      - argo-workflows.example.com

charts/argo-workflows/ci/enable-metrics-values.yaml

@@ -1,5 +1,4 @@
 crds:
-  install: true
   keep: false
 
 controller:

charts/argo-workflows/ci/enable-rbac-values.yaml

@@ -1,5 +1,4 @@
 crds:
-  install: true
   keep: false
 
 workflow:

charts/argo-workflows/ci/ha-values.yaml

@@ -0,0 +1,23 @@
+# Sample values for High Availability configuration, following https://argoproj.github.io/argo-workflows/high-availability/
+
+controller:
+  # in v3.0+, a second controller can be ran as a hot-standby: https://argoproj.github.io/argo-workflows/high-availability/#workflow-controller
+  replicas: 2 # should be strictly greater than PDB minAvailable
+  # enable PDB with at least one Pod
+  pdb:
+    # -- Configure [Pod Disruption Budget] for the controller pods
+    enabled: true
+    minAvailable: 1
+
+server:
+  # enable HPA with at least two Pods
+  autoscaling:
+    # -- Enable Horizontal Pod Autoscaler ([HPA]) for the Argo Server
+    enabled: true
+    # -- Minimum number of replicas for the Argo Server [HPA]
+    minReplicas: 2 # should be strictly greater than PDB minAvailable
+  # enable PDB with at least one Pod
+  pdb:
+    # -- Configure [Pod Disruption Budget] for the controller pods
+    enabled: true
+    minAvailable: 1

charts/argo-workflows/templates/NOTES.txt

@@ -1,3 +1,7 @@
+{{- if .Values.server.authMode }}
+DEPRECATED option server.authMode - Use server.authModes
+{{- end }}
+
 1. Get Argo Server external IP/domain by running:
 
 kubectl --namespace {{ .Release.Namespace }} get services -o wide | grep {{ template "argo-workflows.server.fullname" . }}

charts/argo-workflows/templates/_helpers.tpl

@@ -79,6 +79,9 @@ helm.sh/chart: {{ include "argo-workflows.chart" .context }}
 {{ include "argo-workflows.selectorLabels" (dict "context" .context "component" .component "name" .name) }}
 app.kubernetes.io/managed-by: {{ .context.Release.Service }}
 app.kubernetes.io/part-of: argo-workflows
+{{- with .context.Values.commonLabels }}
+{{ toYaml .}}
+{{- end }}
 {{- end }}
 
 {{/*
@@ -94,6 +97,13 @@ app.kubernetes.io/component: {{ .component }}
 {{- end }}
 {{- end }}
 
+{{/*
+Create the name of the controller configMap
+*/}}
+{{- define "argo-workflows.controller.config-map.name" -}}
+{{- .Values.controller.configMap.name | default (printf "%s-%s" (include "argo-workflows.controller.fullname" .) "configmap") | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
 {{/*
 Create the name of the server service account to use
 */}}
@@ -153,3 +163,29 @@ Return full image name including or excluding registry based on existence
   {{ .image.repository }}
 {{- end -}}
 {{- end -}}
+
+{{/*
+Return the appropriate apiVersion for autoscaling
+*/}}
+{{- define "argo-workflows.apiVersion.autoscaling" -}}
+{{- if .Values.apiVersionOverrides.autoscaling -}}
+{{- print .Values.apiVersionOverrides.autoscaling -}}
+{{- else if semverCompare "<1.23-0" (include "argo-workflows.kubeVersion" .) -}}
+{{- print "autoscaling/v2beta1" -}}
+{{- else -}}
+{{- print "autoscaling/v2" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the appropriate apiVersion for GKE resources
+*/}}
+{{- define "argo-workflows.apiVersions.cloudgoogle" -}}
+{{- if .Values.apiVersionOverrides.cloudgoogle -}}
+{{- print .Values.apiVersionOverrides.cloudgoogle -}}
+{{- else if .Capabilities.APIVersions.Has "cloud.google.com/v1" -}}
+{{- print "cloud.google.com/v1" -}}
+{{- else -}}
+{{- print "cloud.google.com/v1beta1" -}}
+{{- end -}}
+{{- end -}}

charts/argo-workflows/templates/controller/artifact-repository-ref-cm.yaml

@@ -0,0 +1,19 @@
+{{- range $cm_name, $cm_val := .Values.artifactRepositoryRef }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ $cm_name }}
+  namespace: {{ $.Release.Namespace | quote }}
+  labels:
+    {{- include "argo-workflows.labels" (dict "context" $ "component" $.Values.controller.name "name" $cm_name) | nindent 4 }}
+  {{- with $cm_val.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+data:
+  {{- range $data_key, $data_val := (omit $cm_val "annotations") }}
+  {{- $data_key | nindent 2 }}: |
+    {{- toYaml $data_val | nindent 4 }}
+  {{- end }}
+{{- end }}