DevFW-CICD/argocd-helm
16
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge pull request #97 from codefresh-io/feat/acr-controller

Browse source 
feat: support acr controller as part of argocd deployment
This commit is contained in:
pasha-codefresh 2024-09-26 15:56:19 +03:00 committed by GitHub
commit 06f5f7ac29
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
11 changed files with 505 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
charts/argo-cd/Chart.yaml
View file

@ -1,5 +1,5 @@
apiVersion: v2 apiVersion: v2
appVersion: v2.12-2024.9.9-ba613c5bd appVersion: v2.12-2024.9.23-0dc32342c
kubeVersion: ">=1.23.0-0" kubeVersion: ">=1.23.0-0"
description: A Helm chart for Argo CD, a declarative, GitOps continuous delivery tool for Kubernetes. description: A Helm chart for Argo CD, a declarative, GitOps continuous delivery tool for Kubernetes.
name: argo-cd name: argo-cd
@ -27,4 +27,4 @@ annotations:
url: https://argoproj.github.io/argo-helm/pgp_keys.asc url: https://argoproj.github.io/argo-helm/pgp_keys.asc
artifacthub.io/changes: | artifacthub.io/changes: |
- kind: changed - kind: changed
description: Upgrade argo-cd to v2.12-2024.9.9-ba613c5bd with reporting of resources health errors on level with application event description: Upgrade argo-cd to v2.12-2024.9.23-0dc32342c with and add acr controller support

41
charts/argo-cd/README.md
View file

@ -669,6 +669,47 @@ NAME: my-release
| Key | Type | Default | Description | | Key | Type | Default | Description |
|-----|------|---------|-------------| |-----|------|---------|-------------|
| acrController.affinity | object | `{}` (defaults to global.affinity preset) | Assign custom [affinity] rules to the deployment |
| acrController.clusterRoleRules.enabled | bool | `false` | Enable custom rules for the acr controller's ClusterRole resource |
| acrController.clusterRoleRules.rules | list | `[]` | List of custom rules for the acr controller's ClusterRole resource |
| acrController.containerPorts.health | int | `8090` | |
| acrController.containerSecurityContext | object | See [values.yaml] | acr controller container-level security context |
| acrController.dnsConfig | object | `{}` | [DNS configuration] |
| acrController.dnsPolicy | string | `"ClusterFirst"` | Alternative DNS policy for acr controller pods |
| acrController.enabled | bool | `false` | |
| acrController.env | list | `[]` | Environment variables to pass to acr controller |
| acrController.envFrom | list | `[]` (See [values.yaml]) | envFrom to pass to acr controller |
| acrController.extraArgs | list | `[]` | Additional command line arguments to pass to acr controller |
| acrController.extraContainers | list | `[]` | Additional containers to be added to the acr controller pod |
| acrController.hostNetwork | bool | `false` | Host Network for acr controller pods |
| acrController.image.imagePullPolicy | string | `""` (defaults to global.image.imagePullPolicy) | Image pull policy for the acr controller |
| acrController.image.repository | string | `""` (defaults to global.image.repository) | Repository to use for the acr controller |
| acrController.image.tag | string | `""` (defaults to global.image.tag) | Tag to use for the acr controller |
| acrController.imagePullSecrets | list | `[]` (defaults to global.imagePullSecrets) | Secrets with credentials to pull images from a private registry |
| acrController.initContainers | list | `[]` | Init containers to add to the acr controller pod |
| acrController.name | string | `"acr-controller"` | |
| acrController.nodeSelector | object | `{}` (defaults to global.nodeSelector) | [Node selector] |
| acrController.podAnnotations | object | `{}` | Annotations to be added to acr controller pods |
| acrController.podLabels | object | `{}` | Labels to be added to acr controller pods |
| acrController.priorityClassName | string | `""` (defaults to global.priorityClassName) | Priority class for the acr controller pods |
| acrController.readinessProbe.failureThreshold | int | `3` | Minimum consecutive failures for the [probe] to be considered failed after having succeeded |
| acrController.readinessProbe.initialDelaySeconds | int | `10` | Number of seconds after the container has started before [probe] is initiated |
| acrController.readinessProbe.periodSeconds | int | `10` | How often (in seconds) to perform the [probe] |
| acrController.readinessProbe.successThreshold | int | `1` | Minimum consecutive successes for the [probe] to be considered successful after having failed |
| acrController.readinessProbe.timeoutSeconds | int | `1` | Number of seconds after which the [probe] times out |
| acrController.replicas | int | `1` | |
| acrController.resources | object | `{}` | Resource limits and requests for the acr controller pods |
| acrController.serviceAccount.annotations | object | `{}` | Annotations applied to created service account |
| acrController.serviceAccount.automountServiceAccountToken | bool | `true` | Automount API credentials for the Service Account |
| acrController.serviceAccount.create | bool | `true` | Create a service account for the acr controller |
| acrController.serviceAccount.labels | object | `{}` | Labels applied to created service account |
| acrController.serviceAccount.name | string | `"acr-controller"` | Service account name |
| acrController.statefulsetAnnotations | object | `{}` | Annotations for the acr controller StatefulSet |
| acrController.terminationGracePeriodSeconds | int | `30` | terminationGracePeriodSeconds for container lifecycle hook |
| acrController.tolerations | list | `[]` (defaults to global.tolerations) | [Tolerations] for use with node taints |
| acrController.topologySpreadConstraints | list | `[]` (defaults to global.topologySpreadConstraints) | Assign custom [TopologySpreadConstraints] rules to the acr controller |
| acrController.volumeMounts | list | `[]` | Additional volumeMounts to the acr controller main container |
| acrController.volumes | list | `[]` | Additional volumes to the acr controller pod |
| apiVersionOverrides | object | `{}` | | | apiVersionOverrides | object | `{}` | |
| applicationVersioning.enabled | bool | `true` | enables the Codefresh application versioning feature | | applicationVersioning.enabled | bool | `true` | enables the Codefresh application versioning feature |
| applicationVersioning.useApplicationConfiguration | bool | `true` | use ApplicationConfiguration CRD to manage application versioning | | applicationVersioning.useApplicationConfiguration | bool | `true` | use ApplicationConfiguration CRD to manage application versioning |

17
charts/argo-cd/templates/_helpers.tpl
View file

@ -285,3 +285,20 @@ Helper template to set argocd server url in event reporter
{{- end }} {{- end }}
{{- printf "%s:%v" (include "argo-cd.server.fullname" .) $port }} {{- printf "%s:%v" (include "argo-cd.server.fullname" .) $port }}
{{- end -}} {{- end -}}
{{/*
Create acr controller name and version as used by the chart label.
*/}}
{{- define "argo-cd.acr-controller.fullname" -}}
{{- printf "%s-%s" (include "argo-cd.fullname" .) .Values.acrController.name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create the name of the acr controller service account to use
*/}}
{{- define "argo-cd.acrControllerServiceAccountName" -}}
{{- if .Values.acrController.serviceAccount.create -}}
{{ default (include "argo-cd.acr-controller.fullname" .) .Values.acrController.serviceAccount.name }}
{{- else -}}
{{ default "default" .Values.acrController.serviceAccount.name }}
{{- end -}}
{{- end -}}

26
charts/argo-cd/templates/acr-controller/clusterrole.yaml Normal file
View file

@ -0,0 +1,26 @@
{{- if .Values.acrController.enabled }}
{{- $config := .Values.acrController.clusterAdminAccess | default dict -}}
{{- if hasKey $config "enabled" | ternary $config.enabled .Values.createClusterRoles }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "argo-cd.acr-controller.fullname" . }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.acrController.name "name" .Values.acrController.name) | nindent 4 }}
rules:
{{- if .Values.acrController.clusterRoleRules.enabled }}
{{- toYaml .Values.acrController.clusterRoleRules.rules | nindent 2 }}
{{- else }}
- apiGroups:
- argoproj.io
resources:
- applications
verbs:
- get
- list
- watch
- patch
- update
{{- end }}
{{- end }}
{{- end }}

19
charts/argo-cd/templates/acr-controller/clusterrolebinding.yaml Normal file
View file

@ -0,0 +1,19 @@
{{- if .Values.acrController.enabled }}
{{- $config := .Values.acrController.clusterAdminAccess | default dict -}}
{{- if hasKey $config "enabled" | ternary $config.enabled .Values.createClusterRoles }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ include "argo-cd.acr-controller.fullname" . }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.acrController.name "name" .Values.acrController.name) | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ include "argo-cd.acr-controller.fullname" . }}
subjects:
- kind: ServiceAccount
name: {{ include "argo-cd.acrControllerServiceAccountName" . }}
namespace: {{ .Release.Namespace }}
{{- end }}
{{- end }}

161
charts/argo-cd/templates/acr-controller/deployment.yaml Normal file
View file

@ -0,0 +1,161 @@
{{- if .Values.acrController.enabled }}
apiVersion: apps/v1
kind: Deployment
metadata:
{{- with (mergeOverwrite (deepCopy .Values.global.statefulsetAnnotations) .Values.acrController.statefulsetAnnotations) }}
annotations:
{{- range $key, $value := . }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
name: {{ template "argo-cd.acr-controller.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.acrController.name "name" .Values.acrController.name) | nindent 4 }}
spec:
replicas: {{ .Values.acrController.replicas }}
# TODO: Remove for breaking release as history limit cannot be patched
revisionHistoryLimit: 5
selector:
matchLabels:
{{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.acrController.name) | nindent 6 }}
template:
metadata:
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.acrController.name "name" .Values.acrController.name) | nindent 8 }}
{{- with (mergeOverwrite (deepCopy .Values.global.podLabels) .Values.acrController.podLabels) }}
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
{{- with .Values.acrController.imagePullSecrets | default .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.global.hostAliases }}
hostAliases:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.global.securityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.acrController.priorityClassName | default .Values.global.priorityClassName }}
priorityClassName: {{ . }}
{{- end }}
{{- if .Values.acrController.terminationGracePeriodSeconds }}
terminationGracePeriodSeconds: {{ .Values.acrController.terminationGracePeriodSeconds }}
{{- end }}
serviceAccountName: {{ include "argo-cd.acrControllerServiceAccountName" . }}
containers:
- args:
- /usr/local/bin/argocd-application-change-revision-controller
{{- with .Values.acrController.extraArgs }}
{{- toYaml . | nindent 8 }}
{{- end }}
image: {{ default .Values.global.image.repository .Values.acrController.image.repository }}:{{ default (include "argo-cd.defaultTag" .) .Values.acrController.image.tag }}
imagePullPolicy: {{ default .Values.global.image.imagePullPolicy .Values.acrController.image.imagePullPolicy }}
name: {{ .Values.acrController.name }}
env:
{{- with (concat .Values.global.env .Values.acrController.env) }}
{{- toYaml . | nindent 10 }}
{{- end }}
- name: ARGOCD_SERVER
value: "http://argocd-server:80"
- name: ARGOCD_TOKEN
valueFrom:
secretKeyRef:
key: token
name: argocd-token
- name: ARGOCD_APPLICATION_NAMESPACES
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: application.namespaces
optional: true
- name: ACR_CONTROLLER_LOGFORMAT
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: acr.log.format
optional: true
- name: ACR_CONTROLLER_LOG_LEVEL
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: acr.log.level
optional: true
- name: ACR_CONTROLLER_LISTEN_ADDRESS
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: acr.listen.address
optional: true
{{- with .Values.acrController.envFrom }}
envFrom:
{{- toYaml . | nindent 10 }}
{{- end }}
ports:
- name: health
containerPort: {{ .Values.acrController.containerPorts.health }}
protocol: TCP
livenessProbe:
httpGet:
path: /healthz?full=true
port: health
initialDelaySeconds: 3
periodSeconds: 30
timeoutSeconds: 5
readinessProbe:
httpGet:
path: /healthz
port: health
initialDelaySeconds: {{ .Values.acrController.readinessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.acrController.readinessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.acrController.readinessProbe.timeoutSeconds }}
successThreshold: {{ .Values.acrController.readinessProbe.successThreshold }}
failureThreshold: {{ .Values.acrController.readinessProbe.failureThreshold }}
resources:
{{- toYaml .Values.acrController.resources | nindent 12 }}
{{- with .Values.acrController.containerSecurityContext }}
securityContext:
{{- toYaml . | nindent 10 }}
{{- end }}
{{- with .Values.acrController.extraContainers }}
{{- tpl (toYaml .) $ | nindent 6 }}
{{- end }}
{{- with .Values.acrController.initContainers }}
initContainers:
{{- tpl (toYaml .) $ | nindent 6 }}
{{- end }}
{{- with include "argo-cd.affinity" (dict "context" . "component" .Values.acrController) }}
affinity:
{{- trim . | nindent 8 }}
{{- end }}
{{- with .Values.acrController.nodeSelector | default .Values.global.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.acrController.tolerations | default .Values.global.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.acrController.topologySpreadConstraints | default .Values.global.topologySpreadConstraints }}
topologySpreadConstraints:
{{- range $constraint := . }}
- {{ toYaml $constraint | nindent 8 | trim }}
{{- if not $constraint.labelSelector }}
labelSelector:
matchLabels:
{{- include "argo-cd.selectorLabels" (dict "context" $ "name" $.Values.acrController.name) | nindent 12 }}
{{- end }}
{{- end }}
{{- end }}
{{- if .Values.acrController.hostNetwork }}
hostNetwork: {{ .Values.acrController.hostNetwork }}
{{- end }}
{{- with .Values.acrController.dnsConfig }}
dnsConfig:
{{- toYaml . | nindent 8 }}
{{- end }}
dnsPolicy: {{ .Values.acrController.dnsPolicy }}
{{- end }}

20
charts/argo-cd/templates/acr-controller/role.yaml Normal file
View file

@ -0,0 +1,20 @@
{{- if .Values.acrController.enabled }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ template "argo-cd.acr-controller.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.acrController.name "name" .Values.acrController.name) | nindent 4 }}
rules:
- apiGroups:
- argoproj.io
resources:
- applications
verbs:
- get
- list
- watch
- patch
- update
{{- end }}

17
charts/argo-cd/templates/acr-controller/rolebinding.yaml Normal file
View file

@ -0,0 +1,17 @@
{{- if .Values.acrController.enabled }}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ template "argo-cd.acr-controller.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.acrController.name "name" .Values.acrController.name) | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ template "argo-cd.acr-controller.fullname" . }}
subjects:
- kind: ServiceAccount
name: {{ template "argo-cd.acrControllerServiceAccountName" . }}
namespace: {{ .Release.Namespace }}
{{- end }}

19
charts/argo-cd/templates/acr-controller/serviceaccount.yaml Normal file
View file

@ -0,0 +1,19 @@
{{- if and .Values.acrController.enabled .Values.acrController.serviceAccount.create }}
apiVersion: v1
kind: ServiceAccount
automountServiceAccountToken: {{ .Values.acrController.serviceAccount.automountServiceAccountToken }}
metadata:
name: {{ template "argo-cd.acrControllerServiceAccountName" . }}
namespace: {{ .Release.Namespace | quote }}
{{- if .Values.acrController.serviceAccount.annotations }}
annotations:
{{- range $key, $value := .Values.acrController.serviceAccount.annotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.acrController.name "name" .Values.acrController.name) | nindent 4 }}
{{- range $key, $value := .Values.acrController.serviceAccount.labels }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}

12
charts/argo-cd/templates/crds/crd-application.yaml
View file

@ -125,6 +125,12 @@ spec:
sync: sync:
description: Sync contains parameters for the operation description: Sync contains parameters for the operation
properties: properties:
changeRevision:
type: string
changeRevisions:
items:
type: string
type: array
dryRun: dryRun:
description: DryRun specifies to perform a `kubectl apply --dry-run` description: DryRun specifies to perform a `kubectl apply --dry-run`
without actually performing the sync without actually performing the sync
@ -2547,6 +2553,12 @@ spec:
sync: sync:
description: Sync contains parameters for the operation description: Sync contains parameters for the operation
properties: properties:
changeRevision:
type: string
changeRevisions:
items:
type: string
type: array
dryRun: dryRun:
description: DryRun specifies to perform a `kubectl apply description: DryRun specifies to perform a `kubectl apply
--dry-run` without actually performing the sync --dry-run` without actually performing the sync

171
charts/argo-cd/values.yaml
View file

@ -3948,3 +3948,174 @@ eventReporter:
enabled: false enabled: false
# -- List of custom rules for the event reporter's ClusterRole resource # -- List of custom rules for the event reporter's ClusterRole resource
rules: [] rules: []
acrController:
# Enabled we need to skip argo-cd chart tests for this component
enabled: false
name: acr-controller
## Amount of replicas for event reporting sharding
replicas: 1
## ACR controller image
image:
# -- Repository to use for the acr controller
# @default -- `""` (defaults to global.image.repository)
repository: ""
# -- Tag to use for the acr controller
# @default -- `""` (defaults to global.image.tag)
tag: ""
# -- Image pull policy for the acr controller
# @default -- `""` (defaults to global.image.imagePullPolicy)
imagePullPolicy: ""
# -- Secrets with credentials to pull images from a private registry
# @default -- `[]` (defaults to global.imagePullSecrets)
imagePullSecrets: []
# -- Additional command line arguments to pass to acr controller
extraArgs: []
# -- Environment variables to pass to acr controller
env: []
# -- envFrom to pass to acr controller
# @default -- `[]` (See [values.yaml])
envFrom: []
# - configMapRef:
# name: config-map-name
# - secretRef:
# name: secret-name
# -- Additional containers to be added to the acr controller pod
## Note: Supports use of custom Helm templates
extraContainers: []
# -- Init containers to add to the acr controller pod
## If your target Kubernetes cluster(s) require a custom credential (exec) plugin
## you could use this (and the same in the server pod) to provide such executable
## Ref: https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins
## Note: Supports use of custom Helm templates
initContainers: []
# - name: download-tools
# image: alpine:3
# command: [sh, -c]
# args:
# - wget -qO kubelogin.zip https://github.com/Azure/kubelogin/releases/download/v0.0.25/kubelogin-linux-amd64.zip &&
# unzip kubelogin.zip && mv bin/linux_amd64/kubelogin /custom-tools/
# volumeMounts:
# - mountPath: /custom-tools
# name: custom-tools
# -- Additional volumeMounts to the acr controller main container
volumeMounts: []
# - mountPath: /usr/local/bin/kubelogin
# name: custom-tools
# subPath: kubelogin
# -- Additional volumes to the acr controller pod
volumes: []
# - name: custom-tools
# emptyDir: {}
# -- Annotations for the acr controller StatefulSet
statefulsetAnnotations: {}
# -- Annotations to be added to acr controller pods
podAnnotations: {}
# -- Labels to be added to acr controller pods
podLabels: {}
# -- Resource limits and requests for the acr controller pods
resources: {}
# limits:
# cpu: 500m
# memory: 512Mi
# requests:
# cpu: 250m
# memory: 256Mi
# ACR controller container ports
containerPorts:
health: 8090
# -- Host Network for acr controller pods
hostNetwork: false
# -- [DNS configuration]
dnsConfig: {}
# -- Alternative DNS policy for acr controller pods
dnsPolicy: "ClusterFirst"
# -- acr controller container-level security context
# @default -- See [values.yaml]
containerSecurityContext:
runAsNonRoot: true
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
seccompProfile:
type: RuntimeDefault
capabilities:
drop:
- ALL
# Readiness probe for acr controller
## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
readinessProbe:
# -- Minimum consecutive failures for the [probe] to be considered failed after having succeeded
failureThreshold: 3
# -- Number of seconds after the container has started before [probe] is initiated
initialDelaySeconds: 10
# -- How often (in seconds) to perform the [probe]
periodSeconds: 10
# -- Minimum consecutive successes for the [probe] to be considered successful after having failed
successThreshold: 1
# -- Number of seconds after which the [probe] times out
timeoutSeconds: 1
# -- terminationGracePeriodSeconds for container lifecycle hook
terminationGracePeriodSeconds: 30
# -- Priority class for the acr controller pods
# @default -- `""` (defaults to global.priorityClassName)
priorityClassName: ""
# -- [Node selector]
# @default -- `{}` (defaults to global.nodeSelector)
nodeSelector: {}
# -- [Tolerations] for use with node taints
# @default -- `[]` (defaults to global.tolerations)
tolerations: []
# -- Assign custom [affinity] rules to the deployment
# @default -- `{}` (defaults to global.affinity preset)
affinity: {}
# -- Assign custom [TopologySpreadConstraints] rules to the acr controller
# @default -- `[]` (defaults to global.topologySpreadConstraints)
## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
## If labelSelector is left out, it will default to the labelSelector configuration of the deployment
topologySpreadConstraints: []
# - maxSkew: 1
# topologyKey: topology.kubernetes.io/zone
# whenUnsatisfiable: DoNotSchedule
serviceAccount:
# -- Create a service account for the acr controller
create: true
# -- Service account name
name: acr-controller
# -- Annotations applied to created service account
annotations: {}
# -- Labels applied to created service account
labels: {}
# -- Automount API credentials for the Service Account
automountServiceAccountToken: true
## Enable this and set the rules: to whatever custom rules you want for the Cluster Role resource.
## Defaults to off
clusterRoleRules:
# -- Enable custom rules for the acr controller's ClusterRole resource
enabled: false
# -- List of custom rules for the acr controller's ClusterRole resource
rules: []