diff --git a/charts/argo-cd/README.md b/charts/argo-cd/README.md
new file mode 100644
index 00000000..28f08c73
--- /dev/null
+++ b/charts/argo-cd/README.md
@@ -0,0 +1,87 @@
+# argo-cd
+
+This chart installs [argo-cd](https://argoproj.github.io/argo-cd/), a declarative, GitOps continuous delivery tool for Kubernetes.
+
+The default installation is intended to be similar to the provided ArgoCD [releases](https://github.com/argoproj/argo-cd/releases).
+
+This chart currently installs the non-HA version of ArgoCD.
+
+## Prerequisites
+
+- Kubernetes 1.7+
+
+## Installing the Chart
+
+To install the chart with the release name `my-release`:
+
+```console
+$ helm repo add argo https://argoproj.github.io/argo-helm
+$ helm install --name my-release argo/argo-cd
+```
+
+## Chart Values
+
+| Key | Type | Default | Description |
+| -------------------------------------- | ------ | ---------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| applicationController.containerPort | int | `8082` | Container port for application controller server and metrics |
+| applicationController.image.pullPolicy | string | `"Always"` | Docker image pull policy |
+| applicationController.image.repository | string | `"argoproj/argocd"` | Docker image repo |
+| applicationController.image.tag | string | `"v1.2.0"` | Docker image tag |
+| applicationController.servicePort | int | `8082` | Service port for applicaiton controller server |
+| applicationController.volumeMounts | list | `[]` | Additional volume mounts |
+| applicationController.volumes | list | `[]` | Additional volumes |
+| clusterAdminAccess.enabled | bool | `true` | Standard Argo CD installation with cluster-admin access. Set this true if you plan to use Argo CD to deploy applications in the same cluster that Argo CD runs in (i.e. kubernetes.svc.default). Will still be able to deploy to external clusters with inputted credentials. |
+| config.configManagementPlugins | string | `nil` | List of custom config management plugins, see [values.yaml](./values.yaml) for format |
+| config.createSecret | bool | `true` | Creates the argocd-secret secret, set to false to manage externally |
+| config.dexConfig | string | `nil` | Configuration for external auth and URL, see [values.yaml](./values.yaml) for format |
+| config.helmRepositories | string | `nil` | Configuration for external Helm charts, see [values.yaml](./values.yaml) for format |
+| config.oidcConfig | string | `nil` | Configuration for OpenID connect, see [values.yaml](./values.yaml) for format |
+| config.repositories | string | `nil` | Configuration for remote Git repositories for Applications, see [values.yaml](./values.yaml) for format |
+| config.resourceCustomizations | string | `nil` | resourceCustomizations can be used to create custom health checks for resources [https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/health.md#way-1-define-a-custom-health-check-in-argocd-cm-configmap] |
+| config.url | string | `nil` | External URL for ArgoCD |
+| config.webhook.bitbucketSecret | string | `nil` | BitBucket incoming webhook secret |
+| config.webhook.githubSecret | string | `nil` | GitHub incoming webhook secret |
+| config.webhook.gitlabSecret | string | `nil` | GitLab incoming webhook secret |
+| dexServer.containerPortGrpc | int | `5557` | Container port for Dex Server GRPC |
+| dexServer.containerPortHttp | int | `5556` | Container port for Dex Server HTTP |
+| dexServer.image.pullPolicy | string | `"Always"` | Docker image pull policy |
+| dexServer.image.repository | string | `"quay.io/dexidp/dex"` | Docker image repo |
+| dexServer.image.tag | string | `"v2.12.0"` | Docker image tag |
+| dexServer.initImage.pullPolicy | string | `"Always"` | Docker image pull policy |
+| dexServer.initImage.repository | string | `"argoproj/argocd"` | Docker image repo |
+| dexServer.initImage.tag | string | `"v1.2.0"` | Docker image tag |
+| dexServer.servicePortGrpc | int | `5557` | Service port for Dex Server GRPC |
+| dexServer.servicePortHttp | int | `5556` | Service port for Dex Server GRPC |
+| dexServer.volumeMounts | list | `[]` | Additional volume mounts |
+| dexServer.volumes | list | `[]` | Additional volumes |
+| ingress.annotations | object | `{}` | Annotations for ingress object, set `nginx.ingress.kubernetes.io/force-ssl-redirect: "true"` and `nginx.ingress.kubernetes.io/ssl-passthrough: "true"` if serving GRPC and HTTPS on the same ingress |
+| ingress.enabled | bool | `false` | Enable ingress |
+| ingress.hosts[0] | string | `"argocd.example.com"` | Ingress host |
+| ingress.path | string | `"/"` | Ingress path |
+| rbac.policyCsv | string | `nil` | RBAC policy in CSV, see [values.yaml](./values.yaml) for format |
+| rbac.policyDefault | string | `nil` | The default role Argo CD will fall back to, when authorizing API requests, ie: `role:readonly` |
+| rbac.scopes | string | `nil` | Scopes controls which OIDC scopes to examine during rbac enforcement (in addition to `sub` scope). ie: `[groups]` |
+| redis.containerPort | int | `6379` | Container port for Redis |
+| redis.image.pullPolicy | string | `"Always"` | Docker image pull policy |
+| redis.image.repository | string | `"redis"` | Docker image repo |
+| redis.image.tag | string | `"5.0.3"` | Docker image tag |
+| redis.servicePort | int | `6379` | Service port for Redis |
+| repoServer.containerPort | int | `8081` | Container port for repo server |
+| repoServer.image.pullPolicy | string | `"Always"` | Docker image pull policy |
+| repoServer.image.repository | string | `"argoproj/argocd"` | Docker image repo |
+| repoServer.image.tag | string | `"v1.2.0"` | Docker image tag |
+| repoServer.servicePort | int | `8081` | Service port for repo server |
+| repoServer.volumeMounts | list | `[]` | Additional volume mounts |
+| repoServer.volumes | list | `[]` | Additional volumes |
+| server.annotations | object | `{}` | Annotations for the server deployment |
+| server.containerPort | int | `8080` | Container port for server |
+| server.extraArgs | list | `[]` | Add additional arguments |
+| server.image.pullPolicy | string | `"Always"` | Docker image pull policy |
+| server.image.repository | string | `"argoproj/argocd"` | Docker image repo |
+| server.image.tag | string | `"v1.2.0"` | Docker image tag |
+| server.metricsPort | int | `8083` | Container port for server metrics |
+| server.serviceAnnotations | object | `{}` | Annotations for server service |
+| server.servicePortHttp | int | `80` | HTTP Container port for server |
+| server.servicePortHttps | int | `443` | HTTPS Container port for server |
+| server.volumeMounts | list | `[]` | Additional volume mounts, see [values.yaml](./values.yaml) for syntax for SSH known hosts |
+| server.volumes | list | `[]` | Additional volumes, see [values.yaml](./values.yaml) for syntax for SSH known hosts |
diff --git a/charts/argo-cd/templates/argocd-secret.yaml b/charts/argo-cd/templates/argocd-secret.yaml
index 6085d76d..c29fa53d 100755
--- a/charts/argo-cd/templates/argocd-secret.yaml +++ b/charts/argo-cd/templates/argocd-secret.yaml @@ -1,3 +1,4 @@ +{{- if .Values.config.createSecret }} apiVersion: v1 kind: Secret metadata: @@ -21,4 +22,5 @@ data: {{- if .Values.config.webhook.bitbucketSecret }} bitbucket.webhook.uuid: {{ .Values.config.webhook.bitbucketSecret }} {{- end }} -{{- end}} +{{- end }} +{{- end }} diff --git a/charts/argo-cd/values.yaml b/charts/argo-cd/values.yaml index f0f784b1..5861e87c 100644 --- a/charts/argo-cd/values.yaml +++ b/charts/argo-cd/values.yaml @@ -20,7 +20,12 @@ server: pullPolicy: Always extraArgs: [] volumeMounts: [] + # - name: ssh-known-hosts + # mountPath: /app/config/ssh volumes: [] + # - name: ssh-known-hosts + # configMap: + # name: argocd-ssh-known-hosts-cm annotations: {} repoServer: @@ -52,23 +57,18 @@ dexServer: # terminate tls at ArgoCD level ingress: enabled: false - annotations: {} + annotations: + {} # kubernetes.io/ingress.class: nginx # nginx.ingress.kubernetes.io/force-ssl-redirect: "true" # nginx.ingress.kubernetes.io/ssl-passthrough: "true" path: / hosts: - argocd.example.com - -# Standard Argo CD installation with cluster-admin access. -# Set this true if you plan to use Argo CD to deploy applications in the same cluster that -# Argo CD runs in (i.e. kubernetes.svc.default). -# Will still be able to deploy to external clusters with inputted credentials. - clusterAdminAccess: enabled: true - config: + createSecret: true helmRepositories: # - name: privateRepo # url: http://chartmuseum.privatecloud.com @@ -120,8 +120,6 @@ config: githubSecret: gitlabSecret: bitbucketSecret: - # resourceCustomizations can be used to create custom health checks for resources - # https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/health.md#way-1-define-a-custom-health-check-in-argocd-cm-configmap resourceCustomizations: # certmanager.k8s.io/Certificate: # health.lua: | 
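Review bot: The new `{{- if .Values.config.createSecret }}` guard at the top of argocd-secret.yaml has no comment saying what the chart expects when it is false, and the `config.webhook.*` values rendered inside it are then dropped without any signal to the operator. A template comment such as `{{- /* Skipped when config.createSecret is false: argocd-secret must then be created outside the chart, and config.webhook.* is not applied. */ -}}` above the guard would make that explicit. The second hunk only closes the guard, but its unchanged context line `bitbucket.webhook.uuid: {{ .Values.config.webhook.bitbucketSecret }}` sits under `data:` with no `b64enc` visible, so the new README rows for the webhook keys should say whether the value has to be supplied already base64-encoded. The rest of the template lies outside both hunks.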
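Review bot: In the values.yaml hunk at old line 52, `clusterAdminAccess.enabled: true` stays the default while the only comment in this file saying that it grants cluster-admin is deleted, and the new `createSecret: true` key arrives without one. The README table now carries both descriptions, but anyone editing values.yaml directly no longer sees them next to the setting. Keep a one-line comment on each, for example `# Grants Argo CD cluster-admin in the cluster it runs in; see README.` and `# Set to false to manage argocd-secret outside the chart.`. The `annotations:` / `{}` split over two lines looks like formatter output, and `annotations: {}` on one line reads better above the commented examples.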
@@ -138,13 +136,13 @@ config: # args: ["sample args"] rbac: -# # An RBAC policy .csv file containing additional policy and role definitions. -# # See https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/rbac.md on how to write RBAC policies. -# policy.csv: | -# # Give all members of "my-org:team-alpha" the ability to sync apps in "my-project" -# p, my-org:team-alpha, applications, sync, my-project/*, allow -# # Make all members of "my-org:team-beta" admins -# g, my-org:team-beta, role:admin + # # An RBAC policy .csv file containing additional policy and role definitions. + # # See https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/rbac.md on how to write RBAC policies. + # policy.csv: | + # # Give all members of "my-org:team-alpha" the ability to sync apps in "my-project" + # p, my-org:team-alpha, applications, sync, my-project/*, allow + # # Make all members of "my-org:team-beta" admins + # g, my-org:team-beta, role:admin policyCsv: #| # p, role:org-admin, applications, *, */*, allow # p, role:org-admin, clusters, get, *, allow @@ -153,9 +151,7 @@ rbac: # p, role:org-admin, repositories, update, *, allow # p, role:org-admin, repositories, delete, *, allow # g, your-github-org:your-team, role:org-admin - # The default role Argo CD will fall back to, when authorizing API requests policyDefault: #role:readonly - # Scopes controls which OIDC scopes to examine during rbac enforcement (in addition to `sub` scope). scopes: #[groups] redis: