Merge branch 'master' into argo-rollout-dashboard

2021-08-16 17:21:42 +02:00 · 2021-08-16 17:21:42 +02:00 · 0cea36ac48
commit 0cea36ac48
parent 680d172784 d0efbc458a
10 changed files with 114 additions and 9 deletions
--- a/charts/argo-cd/Chart.yaml
+++ b/charts/argo-cd/Chart.yaml
@ -2,7 +2,7 @@ apiVersion: v2
 appVersion: 2.0.5
 description: A Helm chart for ArgoCD, a declarative, GitOps continuous delivery tool for Kubernetes.
 name: argo-cd
-version: 3.11.4
+version: 3.12.1
 home: https://github.com/argoproj/argo-helm
 icon: https://argoproj.github.io/argo-cd/assets/logo.png
 keywords:
@ -21,4 +21,4 @@ dependencies:
    condition: redis-ha.enabled
 annotations:
  artifacthub.io/changes: |
-    - "[Fixed]: Can't login when using configs.secret.argocdServerAdminPassword"
+    - "[Fixed]: redis-ha.nameOverride / redis-ha.fullnameOverride breaks the ArgoCD helm chart"
--- a/charts/argo-cd/README.md
+++ b/charts/argo-cd/README.md
@ -148,6 +148,7 @@ NAME: my-release
 | fullnameOverride | String to fully override `"argo-cd.fullname"` | `""` |
 | apiVersionOverrides.certmanager | String to override apiVersion of certmanager resources rendered by this helm chart | `""` |
 | apiVersionOverrides.ingress | String to override apiVersion of ingresses rendered by this helm chart | `""` |
+| createAggregateRoles | Create clusterroles that extend aggregated roles to use argo-cd crds | `false` |
 | configs.clusterCredentials | Provide one or multiple [external cluster credentials](https://argoproj.github.io/argo-cd/operator-manual/declarative-setup/#clusters) | `[]` (See [values.yaml](values.yaml)) |
 | configs.gpgKeysAnnotations | GnuPG key ring annotations | `{}` |
 | configs.gpgKeys | [GnuPG](https://argoproj.github.io/argo-cd/user-guide/gpg-verification/) keys to add to the key ring | `{}` (See [values.yaml](values.yaml)) |
@ -312,6 +313,7 @@ NAME: my-release
 | server.ingressGrpc.ingressClassName | Defines which ingress controller will implement the resource [gRPC-ingress] | `""` |
 | server.ingressGrpc.tls | Ingress TLS configuration for dedicated [gRPC-ingress] | `[]` |
 | server.ingressGrpc.isAWSALB | Setup up GRPC ingress to work with an AWS ALB | `false` |
+| server.ingressGrpc.awsALB.serviceType | Service type for the AWS ALB GRPC service | `NodePort` |
 | server.route.enabled | Enable a OpenShift route for the server | `false` |
 | server.route.hostname | Hostname of OpenShift route | `""` |
 | server.lifecycle | PostStart and PreStop hooks configuration | `{}` |
@ -454,5 +456,7 @@ server:
  ingressGrpc:
    enabled: true
    isAWSALB: true
+    awsALB:
+      serviceType: ClusterIP
      
 ```
--- a/charts/argo-cd/templates/_helpers.tpl
+++ b/charts/argo-cd/templates/_helpers.tpl
@ -42,10 +42,11 @@ Create dex name and version as used by the chart label.
 Create redis name and version as used by the chart label.
 */}}
 {{- define "argo-cd.redis.fullname" -}}
-{{ $redisHa := (index .Values "redis-ha") }}
+{{- $redisHa := (index .Values "redis-ha") -}}
+{{- $redisHaContext := dict "Chart" (dict "Name" "redis-ha") "Release" .Release "Values" $redisHa -}}
 {{- if $redisHa.enabled -}}
    {{- if $redisHa.haproxy.enabled -}}
-        {{- printf "%s-redis-ha-haproxy" .Release.Name | trunc 63 | trimSuffix "-" -}}
+        {{- printf "%s-haproxy" (include "redis-ha.fullname" $redisHaContext) | trunc 63 | trimSuffix "-" -}}
    {{- end -}}
 {{- else -}}
 {{- printf "%s-%s" (include "argo-cd.fullname" .) .Values.redis.name | trunc 63 | trimSuffix "-" -}}
--- a/charts/argo-cd/templates/argocd-aggregate-roles.yaml
+++ b/charts/argo-cd/templates/argocd-aggregate-roles.yaml
@ -0,0 +1,67 @@
+{{- if .Values.createAggregateRoles }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "argo-cd.fullname" . }}-aggregate-to-view
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-view: "true"
+    {{- include "argo-cd.labels" (dict "context" .) | nindent 4 }}
+rules:
+- apiGroups:
+  - argoproj.io
+  resources:
+  - applications
+  - appprojects
+  verbs:
+  - get
+  - list
+  - watch
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "argo-cd.fullname" . }}-aggregate-to-edit
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-edit: "true"
+    {{- include "argo-cd.labels" (dict "context" .) | nindent 4 }}
+rules:
+- apiGroups:
+  - argoproj.io
+  resources:
+  - applications
+  - appprojects
+  verbs:
+  - create
+  - delete
+  - deletecollection
+  - get
+  - list
+  - patch
+  - update
+  - watch
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "argo-cd.fullname" . }}-aggregate-to-admin
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+    {{- include "argo-cd.labels" (dict "context" .) | nindent 4 }}
+rules:
+- apiGroups:
+  - argoproj.io
+  resources:
+  - applications
+  - appprojects
+  verbs:
+  - create
+  - delete
+  - deletecollection
+  - get
+  - list
+  - patch
+  - update
+  - watch
+{{- end }}
--- a/charts/argo-cd/templates/argocd-server/alb-grpc-service.yaml
+++ b/charts/argo-cd/templates/argocd-server/alb-grpc-service.yaml
@ -20,5 +20,5 @@ spec:
  selector:
    {{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.server.name) | nindent 4 }}
  sessionAffinity: None
-  type: NodePort
+  type: {{ .Values.server.ingressGrpc.awsALB.serviceType }}
 {{- end -}}
--- a/charts/argo-cd/values.yaml
+++ b/charts/argo-cd/values.yaml
@ -31,6 +31,10 @@ apiVersionOverrides:
  certmanager: "" # cert-manager.io/v1
  ingress: "" # networking.k8s.io/v1beta1

+## Create clusterroles that extend existing clusterroles to interact with argo-cd crds
+## Ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles
+createAggregateRoles: false
+
 ## Controller
 controller:
  name: application-controller
@ -611,6 +615,15 @@ server:
    labels: {}
    ingressClassName: ""

+    ## Service Type if isAWSALB is set to true
+    ## Can be of type NodePort or ClusterIP depending on which mode you are
+    ## are running. Instance mode needs type NodePort, IP mode needs type
+    ## ClusterIP
+    ## Ref: https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.2/how-it-works/#ingress-traffic
+    ##
+    awsALB:
+      serviceType: NodePort
+
    ## Argo Ingress.
    ## Hostnames must be provided if Ingress is enabled.
    ## Secrets must be manually created in the namespace
--- a/charts/argocd-applicationset/Chart.yaml
+++ b/charts/argocd-applicationset/Chart.yaml
@ -2,7 +2,7 @@ apiVersion: v2
 name: argocd-applicationset
 description: A Helm chart for installing ArgoCD ApplicationSet
 type: application
-version: 1.0.0
+version: 1.1.0
 appVersion: "v0.1.0"
 home: https://github.com/argoproj/argo-helm
 icon: https://argocd-applicationset.readthedocs.io/en/stable/assets/logo.png
@ -14,6 +14,5 @@ maintainers:
  - name: maruina
 annotations:
  artifacthub.io/changes: |
-    - "[Removed]: CRD installation via templates folder. CRDs are now only handled via the '/crds' folder in the same way like the ArgoCD chart."
-    - "[Removed]: Exclude '/ci' folder from being packaged into the final chart archive."
-    - "[Changed]: Fix icon url"
+    - "[Added]: /tmp is an emptyDir now (enables users to use readOnlyRootFilesystem)"
+    - "[Added]: Ability to add extraVolumes and extraVolumeMounts"
--- a/charts/argocd-applicationset/README.md
+++ b/charts/argocd-applicationset/README.md
@ -65,6 +65,8 @@ kubectl apply -k https://github.com/argoproj-labs/applicationset.git/manifests/c
 | args.policy | string | `sync` | How application is synced between the generator and the cluster |
 | args.debug | bool | `false` | Print debug logs |
 | args.dryRun | bool | `false` | Enable dry run mode |
+| extraVolumeMounts | list | `[]` | List of extra mounts to add (normally used with extraVolumes) |
+| extraVolumes | list | `[]` | List of extra volumes to add |
 | fullnameOverride | string | `""` | Override the default fully qualified app name |
 | image.pullPolicy | string | `"IfNotPresent"` | Image pull policy |
 | image.repository | string | `"quay.io/argocdapplicationset/argocd-applicationset"` | If defined, a repository applied to the ApplicationSet deployment. |
--- a/charts/argocd-applicationset/templates/deployment.yaml
+++ b/charts/argocd-applicationset/templates/deployment.yaml
@ -50,6 +50,8 @@ spec:
          resources:
            {{- toYaml .Values.resources | nindent 12 }}
          volumeMounts:
+            - mountPath: /tmp
+              name: tmp-dir
            {{- if .Values.mountSSHKnownHostsVolume }}
            - mountPath: /app/config/ssh
              name: ssh-known-hosts
@ -66,7 +68,12 @@ spec:
            - mountPath: /app/config/gpg/keys
              name: gpg-keyring
            {{- end }}
+            {{- with .Values.extraVolumeMounts }}
+              {{- toYaml . | nindent 12 }}
+            {{- end }}
      volumes:
+      - emptyDir: {}
+        name: tmp-dir
      {{- if .Values.mountSSHKnownHostsVolume }}
      - configMap:
          name: argocd-ssh-known-hosts-cm
@ -86,6 +93,9 @@ spec:
      - emptyDir: {}
        name: gpg-keyring
      {{- end }}
+      {{- with .Values.extraVolumes }}
+        {{- toYaml . | nindent 6 }}
+      {{- end }}
      {{- with .Values.nodeSelector }}
      nodeSelector:
        {{- toYaml . | nindent 8 }}
--- a/charts/argocd-applicationset/values.yaml
+++ b/charts/argocd-applicationset/values.yaml
@ -75,3 +75,12 @@ mountSSHKnownHostsVolume: true
 mountTLSCertsVolume: true
 mountGPGKeysVolume: false
 mountGPGKeyringVolume: true
+
+# -- List of extra mounts to add (normally used with extraVolumes)
+extraVolumeMounts: []
+  # - mountPath: /tmp/foobar
+  #   name: foobar
+# -- List of extra volumes to add
+extraVolumes: []
+  # - name: foobar
+  #   emptyDir: {}