From 08f4d84a49bb75b4bd8bc42a993ba22246738e3d Mon Sep 17 00:00:00 2001 From: "seanson@users.noreply.github.com" Date: Fri, 6 Sep 2019 16:11:42 +1000 Subject: [PATCH] Added README.md, made secret optional This commit adds a README.md with some basic docs pulled from the values.yaml. It also contains a small quality of life improvement for making the argocd-secret optional so operators can manage their secrets externally. --- charts/argo-cd/README.md | 87 +++++++++++++++++++++ charts/argo-cd/templates/argocd-secret.yaml | 4 +- charts/argo-cd/values.yaml | 34 ++++---- 3 files changed, 105 insertions(+), 20 deletions(-) create mode 100644 charts/argo-cd/README.md diff --git a/charts/argo-cd/README.md b/charts/argo-cd/README.md new file mode 100644 index 00000000..28f08c73 --- /dev/null +++ b/charts/argo-cd/README.md 
@@ -0,0 +1,87 @@ +# argo-cd + +This chart installs [argo-cd](https://argoproj.github.io/argo-cd/), a declarative, GitOps continuous delivery tool for Kubernetes. + +The default installation is intended to be similar to the provided ArgoCD [releases](https://github.com/argoproj/argo-cd/releases). + +This chart currently installs the non-HA version of ArgoCD. + +## Prerequisites + +- Kubernetes 1.7+ + +## Installing the Chart + +To install the chart with the release name `my-release`: + +```console +$ helm repo add argo https://argoproj.github.io/argo-helm +$ helm install --name my-release argo/argo-cd +``` + +## Chart Values + +| Key | Type | Default | Description | +| -------------------------------------- | ------ | ---------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| applicationController.containerPort | int | `8082` | Container port for application controller server and metrics | +| applicationController.image.pullPolicy | string | `"Always"` | Docker image pull policy | +| applicationController.image.repository | string | `"argoproj/argocd"` | Docker image repo | +| applicationController.image.tag | string | `"v1.2.0"` | Docker image tag | +| applicationController.servicePort | int | `8082` | Service port for applicaiton controller server | +| applicationController.volumeMounts | list | `[]` | Additional volume mounts | +| applicationController.volumes | list | `[]` | Additional volumes | +| clusterAdminAccess.enabled | bool | `true` | Standard Argo CD installation with cluster-admin access. Set this true if you plan to use Argo CD to deploy applications in the same cluster that Argo CD runs in (i.e. kubernetes.svc.default). Will still be able to deploy to external clusters with inputted credentials. 
| +| config.configManagementPlugins | string | `nil` | List of custom config management plugins, see [values.yaml](./values.yaml) for format | +| config.createSecret | bool | `true` | Creates the argocd-secret secret, set to false to manage externally | +| config.dexConfig | string | `nil` | Configuration for external auth and URL, see [values.yaml](./values.yaml) for format | +| config.helmRepositories | string | `nil` | Configuration for external Helm charts, see [values.yaml](./values.yaml) for format | +| config.oidcConfig | string | `nil` | Configuration for OpenID connect, see [values.yaml](./values.yaml) for format | +| config.repositories | string | `nil` | Configuration for remote Git repositories for Applications, see [values.yaml](./values.yaml) for format | +| config.resourceCustomizations | string | `nil` | resourceCustomizations can be used to create custom health checks for resources [https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/health.md#way-1-define-a-custom-health-check-in-argocd-cm-configmap] | +| config.url | string | `nil` | External URL for ArgoCD | +| config.webhook.bitbucketSecret | string | `nil` | BitBucket incoming webhook secret | +| config.webhook.githubSecret | string | `nil` | GitHub incoming webhook secret | +| config.webhook.gitlabSecret | string | `nil` | GitLab incoming webhook secret | +| dexServer.containerPortGrpc | int | `5557` | Container port for Dex Server GRPC | +| dexServer.containerPortHttp | int | `5556` | Container port for Dex Server HTTP | +| dexServer.image.pullPolicy | string | `"Always"` | Docker image pull policy | +| dexServer.image.repository | string | `"quay.io/dexidp/dex"` | Docker image repo | +| dexServer.image.tag | string | `"v2.12.0"` | Docker image tag | +| dexServer.initImage.pullPolicy | string | `"Always"` | Docker image pull policy | +| dexServer.initImage.repository | string | `"argoproj/argocd"` | Docker image repo | +| dexServer.initImage.tag | string | `"v1.2.0"` | 
Docker image tag | +| dexServer.servicePortGrpc | int | `5557` | Service port for Dex Server GRPC | +| dexServer.servicePortHttp | int | `5556` | Service port for Dex Server GRPC | +| dexServer.volumeMounts | list | `[]` | Additional volume mounts | +| dexServer.volumes | list | `[]` | Additional volumes | +| ingress.annotations | object | `{}` | Annotations for ingress object, set `nginx.ingress.kubernetes.io/force-ssl-redirect: "true"` and `nginx.ingress.kubernetes.io/ssl-passthrough: "true"` if serving GRPC and HTTPS on the same ingress | +| ingress.enabled | bool | `false` | Enable ingress | +| ingress.hosts[0] | string | `"argocd.example.com"` | Ingress host | +| ingress.path | string | `"/"` | Ingress path | +| rbac.policyCsv | string | `nil` | RBAC policy in CSV, see [values.yaml](./values.yaml) for format | +| rbac.policyDefault | string | `nil` | The default role Argo CD will fall back to, when authorizing API requests, ie: `role:readonly` | +| rbac.scopes | string | `nil` | Scopes controls which OIDC scopes to examine during rbac enforcement (in addition to `sub` scope). 
ie: `[groups]` | +| redis.containerPort | int | `6379` | Container port for Redis | +| redis.image.pullPolicy | string | `"Always"` | Docker image pull policy | +| redis.image.repository | string | `"redis"` | Docker image repo | +| redis.image.tag | string | `"5.0.3"` | Docker image tag | +| redis.servicePort | int | `6379` | Service port for Redis | +| repoServer.containerPort | int | `8081` | Container port for repo server | +| repoServer.image.pullPolicy | string | `"Always"` | Docker image pull policy | +| repoServer.image.repository | string | `"argoproj/argocd"` | Docker image repo | +| repoServer.image.tag | string | `"v1.2.0"` | Docker image tag | +| repoServer.servicePort | int | `8081` | Service port for repo server | +| repoServer.volumeMounts | list | `[]` | Additional volume mounts | +| repoServer.volumes | list | `[]` | Additional volumes | +| server.annotations | object | `{}` | Annotations for the server deployment | +| server.containerPort | int | `8080` | Container port for server | +| server.extraArgs | list | `[]` | Add additional arguments | +| server.image.pullPolicy | string | `"Always"` | Docker image pull policy | +| server.image.repository | string | `"argoproj/argocd"` | Docker image repo | +| server.image.tag | string | `"v1.2.0"` | Docker image tag | +| server.metricsPort | int | `8083` | Container port for server metrics | +| server.serviceAnnotations | object | `{}` | Annotations for server service | +| server.servicePortHttp | int | `80` | HTTP Container port for server | +| server.servicePortHttps | int | `443` | HTTPS Container port for server | +| server.volumeMounts | list | `[]` | Additional volume mounts, see [values.yaml](./values.yaml) for syntax for SSH known hosts | +| server.volumes | list | `[]` | Additional volumes, see [values.yaml](./values.yaml) for syntax for SSH known hosts | diff --git a/charts/argo-cd/templates/argocd-secret.yaml b/charts/argo-cd/templates/argocd-secret.yaml index 6085d76d..c29fa53d 100755 
--- a/charts/argo-cd/templates/argocd-secret.yaml +++ b/charts/argo-cd/templates/argocd-secret.yaml @@ -1,3 +1,4 @@ +{{- if .Values.config.createSecret }} apiVersion: v1 kind: Secret metadata: @@ -21,4 +22,5 @@ data: {{- if .Values.config.webhook.bitbucketSecret }} bitbucket.webhook.uuid: {{ .Values.config.webhook.bitbucketSecret }} {{- end }} -{{- end}} +{{- end }} +{{- end }} diff --git a/charts/argo-cd/values.yaml b/charts/argo-cd/values.yaml index f0f784b1..5861e87c 100644 --- a/charts/argo-cd/values.yaml +++ b/charts/argo-cd/values.yaml @@ -20,7 +20,12 @@ server: pullPolicy: Always extraArgs: [] volumeMounts: [] + # - name: ssh-known-hosts + # mountPath: /app/config/ssh volumes: [] + # - name: ssh-known-hosts + # configMap: + # name: argocd-ssh-known-hosts-cm annotations: {} repoServer: @@ -52,23 +57,18 @@ dexServer: # terminate tls at ArgoCD level ingress: enabled: false - annotations: {} + annotations: + {} # kubernetes.io/ingress.class: nginx # nginx.ingress.kubernetes.io/force-ssl-redirect: "true" # nginx.ingress.kubernetes.io/ssl-passthrough: "true" path: / hosts: - argocd.example.com - -# Standard Argo CD installation with cluster-admin access. -# Set this true if you plan to use Argo CD to deploy applications in the same cluster that -# Argo CD runs in (i.e. kubernetes.svc.default). -# Will still be able to deploy to external clusters with inputted credentials. - clusterAdminAccess: enabled: true - config: + createSecret: true helmRepositories: # - name: privateRepo # url: http://chartmuseum.privatecloud.com @@ -120,8 +120,6 @@ config: githubSecret: gitlabSecret: bitbucketSecret: - # resourceCustomizations can be used to create custom health checks for resources - # https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/health.md#way-1-define-a-custom-health-check-in-argocd-cm-configmap resourceCustomizations: # certmanager.k8s.io/Certificate: # health.lua: | 
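Review bot: The new `{{- if .Values.config.createSecret }}` guard on the first line of the template has an upgrade side effect that is not documented anywhere in the patch. A release that was installed with the Secret and is later upgraded with `config.createSecret=false` no longer renders `argocd-secret`, and Helm deletes resources that drop out of a release's manifest. If that Secret holds live credentials at that point, they would be removed before an externally managed copy exists. I would add `helm.sh/resource-policy: keep` under the Secret's `metadata.annotations`, or state the migration order in the README row for `config.createSecret`. The Secret's metadata continues outside this hunk, so I can't see whether annotations already exist.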
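Review bot: The context line `bitbucket.webhook.uuid: {{ .Values.config.webhook.bitbucketSecret }}` sits under `data:` (per the hunk header) with neither encoding nor quoting, and this commit leaves it unchanged. Secret `data` values must be base64, so a plain webhook secret from values.yaml would either be rejected by the API server or be stored as a different value than the operator configured. Unless values are meant to be supplied pre-encoded, I would write `bitbucket.webhook.uuid: {{ .Values.config.webhook.bitbucketSecret | b64enc | quote }}`. The other keys in this block lie outside the hunk and presumably need the same change.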
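Review bot: The hunk deletes the comment block above `clusterAdminAccess:` and adds `createSecret: true` with no comment, so values.yaml no longer explains either setting next to the value. `clusterAdminAccess.enabled: true` is a privilege decision and the explanation now lives only in the README table; I would keep the original three-line comment in place. For the new key I would add `# Set to false to manage argocd-secret outside this chart; config.webhook.* is then not rendered by the chart` (as far as the template hunks show, the webhook keys sit inside the guarded Secret). Splitting `annotations:` and `{}` across two lines also reads as a formatter artefact, and `annotations: {}` is clearer. The `config:` mapping continues outside this hunk.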
@@ -138,13 +136,13 @@ config: # args: ["sample args"] rbac: -# # An RBAC policy .csv file containing additional policy and role definitions. -# # See https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/rbac.md on how to write RBAC policies. -# policy.csv: | -# # Give all members of "my-org:team-alpha" the ability to sync apps in "my-project" -# p, my-org:team-alpha, applications, sync, my-project/*, allow -# # Make all members of "my-org:team-beta" admins -# g, my-org:team-beta, role:admin + # # An RBAC policy .csv file containing additional policy and role definitions. + # # See https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/rbac.md on how to write RBAC policies. + # policy.csv: | + # # Give all members of "my-org:team-alpha" the ability to sync apps in "my-project" + # p, my-org:team-alpha, applications, sync, my-project/*, allow + # # Make all members of "my-org:team-beta" admins + # g, my-org:team-beta, role:admin policyCsv: #| # p, role:org-admin, applications, *, */*, allow # p, role:org-admin, clusters, get, *, allow @@ -153,9 +151,7 @@ rbac: # p, role:org-admin, repositories, update, *, allow # p, role:org-admin, repositories, delete, *, allow # g, your-github-org:your-team, role:org-admin - # The default role Argo CD will fall back to, when authorizing API requests policyDefault: #role:readonly - # Scopes controls which OIDC scopes to examine during rbac enforcement (in addition to `sub` scope). scopes: #[groups] redis: