DevFW-CICD/argocd-helm
16
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge pull request #86 from codefresh-io/cr-24608-sync-upstream-0.4.11

Browse source 
chore: sync upstream argo-workflows 0.4.11 chart
This commit is contained in:
ilia-medvedev-codefresh 2024-07-18 09:42:40 +03:00 committed by GitHub
commit 1178b53419
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
214 changed files with 5312 additions and 1594 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
.github/configs/renovate-config.js vendored Normal file
View file

@ -0,0 +1,7 @@
module.exports = {
platform: 'github',
gitAuthor: 'renovate[bot] <renovate[bot]@users.noreply.github.com>',
autodiscover: false,
allowPostUpgradeCommandTemplating: true,
allowedPostUpgradeCommands: [".*"],
};

8
.github/dependabot.yml vendored
View file

@ -6,3 +6,11 @@ updates:
schedule:
interval: weekly
day: "saturday"
commit-message:
prefix: "chore(deps)"
groups:
dependencies:
applies-to: version-updates
update-types:
- "minor"
- "patch"

57
.github/workflows/chart-version-bump.yml vendored
View file

@ -1,57 +0,0 @@
## Used on Renovate PRs to bump the chart version and add a changelog entry
## Reference: https://github.com/stefanzweifel/git-auto-commit-action
## Reference: https://github.com/marketplace/actions/changed-files
name: 'Chart Version Bump and Changelog'
on:
pull_request:
types:
- labeled
permissions:
contents: write
jobs:
helm-bumper:
if: ${{ (contains(github.event.pull_request.labels.*.name, 'renovate')) }}
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
token: ${{ secrets.PAT }}
fetch-depth: 0
- name: Get changed files
id: changed-files
uses: tj-actions/changed-files@ae82ed4ae04587b665efad2f206578aa6f0e8539 # v42.0.0
with:
files: charts/{argo-workflows,argo-cd,argo-events,argo-rollouts,argocd-image-updater}/Chart.yaml
- name: "Bump Version and Changelog"
run: |
chartName="$(echo \"${{ steps.changed-files.outputs.all_changed_files }}\" | cut -d '/' -f2)"
echo "Changed chart name is: $chartName"
echo "----------------------------------------"
parentDir="charts/${chartName}"
# Bump the chart version by one patch version
version=$(grep '^version:' ${parentDir}/Chart.yaml | awk '{print $2}')
major=$(echo $version | cut -d. -f1)
minor=$(echo $version | cut -d. -f2)
patch=$(echo $version | cut -d. -f3)
patch=$(expr $patch + 1)
sed -i "s/^version:.*/version: ${major}.${minor}.${patch}/g" ${parentDir}/Chart.yaml
# Add a changelog entry
appVersion=$(grep '^appVersion:' ${parentDir}/Chart.yaml | awk '{print $2}')
sed -i -e '/^ artifacthub.io\/changes: |/,$d' ${parentDir}/Chart.yaml
echo " artifacthub.io/changes: |" >> ${parentDir}/Chart.yaml
echo " - kind: changed" >> ${parentDir}/Chart.yaml
echo " description: Bump ${chartName} to ${appVersion}" >> ${parentDir}/Chart.yaml
cat ${parentDir}/Chart.yaml
- name: "Commit and push changes"
uses: stefanzweifel/git-auto-commit-action@8756aa072ef5b4a080af5dc8fef36c5d586e521d # v5.0.0
with:
commit_options: '--signoff'

10
.github/workflows/lint-and-test.yml vendored
View file

@ -13,7 +13,7 @@ jobs:
options: --user 1001
steps:
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Run ah lint
working-directory: ./charts
run: ah lint
@ -22,17 +22,17 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
fetch-depth: 0
- name: Set up Helm
uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5
uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
with:
version: v3.10.1 # Also update in publish.yaml
- name: Set up python
uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
with:
python-version: 3.9
@ -68,7 +68,7 @@ jobs:
echo -e '\033[0;32mDocumentation up to date\033[0m ✔'
fi
- name: Create kind cluster
uses: helm/kind-action@dda0770415bac9fc20092cacbc54aa298604d140 # v1.8.0
uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0
if: steps.list-changed.outputs.changed == 'true'
with:
config: .github/configs/kind-config.yaml

2
.github/workflows/pr-sizing.yml vendored
View file

@ -25,6 +25,6 @@ jobs:
size-label:
runs-on: ubuntu-latest
steps:
- uses: pascalgn/size-label-action@37a5ad4ae20ea8032abf169d953bcd661fd82cd3 # v0.5.0
- uses: pascalgn/size-label-action@bbbaa0d5ccce8e2e76254560df5c64b82dac2e12 # v0.5.2
env:
GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"

2
.github/workflows/pr-title.yml vendored
View file

@ -19,7 +19,7 @@ jobs:
name: Validate PR title
runs-on: ubuntu-latest
steps:
- uses: amannn/action-semantic-pull-request@e9fabac35e210fea40ca5b14c0da95a099eff26f # v5.4.0
- uses: amannn/action-semantic-pull-request@cfb60706e18bc85e8aec535e3c577abe8f70378e # v5.5.2
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:

5
.github/workflows/publish.yml vendored
View file

@ -9,18 +9,19 @@ permissions:
jobs:
publish:
if: github.repository == 'argoproj/argo-helm'
permissions:
contents: write # for helm/chart-releaser-action to push chart release and create a release
packages: write # to push OCI chart package to GitHub Registry
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
fetch-depth: 0
- name: Install Helm
uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5
uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
with:
version: v3.10.1 # Also update in lint-and-test.yaml

37
.github/workflows/renovate.yaml vendored Normal file
View file

@ -0,0 +1,37 @@
name: Renovate
on:
# The "*" (#42, asterisk) character has special semantics in YAML, so this
# string has to be quoted.
schedule:
- cron: '0 * * * *'
# Manual trigger is also possible
workflow_dispatch: {}
permissions:
contents: read
jobs:
renovate:
if: github.repository == 'argoproj/argo-helm'
runs-on: ubuntu-latest
steps:
- name: Get token
uses: actions/create-github-app-token@c8f55efbd427e7465d6da1106e7979bc8aaee856 # v1.10.1
id: get_token
with:
app-id: ${{ vars.RENOVATE_APP_ID }}
private-key: ${{ secrets.RENOVATE_APP_PRIVATE_KEY }}
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Self-hosted Renovate
uses: renovatebot/github-action@21d88b0bf0183abcee15f990011cca090dfc47dd # v40.1.12
with:
configurationFile: .github/configs/renovate-config.js
# renovate: datasource=docker depName=ghcr.io/renovatebot/renovate
renovate-version: 37.384.0
token: '${{ steps.get_token.outputs.token }}'
env:
LOG_LEVEL: 'debug'
RENOVATE_REPOSITORIES: '${{ github.repository }}'

8
.github/workflows/scorecard.yml vendored
View file

@ -33,12 +33,12 @@ jobs:
steps:
- name: "Checkout code"
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
persist-credentials: false
- name: "Run analysis"
uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
uses: ossf/scorecard-action@dc50aa9510b46c811795eb24b2f1ba02a914e534 # v2.3.3
with:
results_file: results.sarif
results_format: sarif
@ -60,7 +60,7 @@ jobs:
# Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
# format to the repository Actions tab.
- name: "Upload artifact"
uses: actions/upload-artifact@694cdabd8bdb0f10b2cea11669e1bf5453eed0a6 # v4.2.0
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
with:
name: SARIF file
path: results.sarif
@ -68,6 +68,6 @@ jobs:
# Upload the results to GitHub's code scanning dashboard.
- name: "Upload to code-scanning"
uses: github/codeql-action/upload-sarif@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.13.4
uses: github/codeql-action/upload-sarif@23acc5c183826b7a8a97bce3cecc52db901f8251 # v3.25.10
with:
sarif_file: results.sarif

2
CONTRIBUTING.md
View file

@ -124,7 +124,7 @@ helm install charts/argo-workflows -n argo
argo version
```
Follow [these](https://argoproj.github.io/argo-workflows/quick-start/#submitting-an-example-workflow) instructions for running a hello world workflow.
Follow [these](https://argo-workflows.readthedocs.io/en/stable/quick-start/#submitting-an-example-workflow) instructions for running a hello world workflow.
### Testing Argo CD Changes

60
README.md
View file

@ -42,3 +42,63 @@ Please refer to [SECURITY.md](SECURITY.md) for details on how to report security
### Changelog
Releases are managed independently for each helm chart, and changelogs are tracked on each release. Read more about this process [here](https://github.com/argoproj/argo-helm/blob/main/CONTRIBUTING.md#changelog).
## Charts use Helm "Capabilities"
Our charts make use of the Helm built-in object "Capabilities":
> This provides information about what capabilities the Kubernetes cluster supports.
> *Source: https://helm.sh/docs/chart_template_guide/builtin_objects/*
Today we use:
- `.Capabilities.APIVersions.Has` mostly to determine whether the CRDs for ServiceMonitors (from prometheus-operator) exists inside the cluster
- `.Capabilities.KubeVersion.Version` to handle correct apiVersion of a specific resource kind (eg. "policy/v1" vs. "policy/v1beta1")
If you use the charts only to template the manifests, without installing (`helm install ..`), you need to make sure that Helm (or the Helm SDK) receives the available APIs from your Kubernetes cluster.
For this you need to pass the `--api-versions` parameter to the `helm template` command:
```bash
helm template argocd \
oci://ghcr.io/argoproj/argo-helm/argo-cd \
--api-versions monitoring.coreos.com/v1 \
--values my-argocd-values.yaml
```
If you use other tools like [Kustomize](https://kubectl.docs.kubernetes.io/references/kustomize/builtins/) or [helmfile](https://helmfile.readthedocs.io/en/latest/#configuration) to render it, there are equivalent options.
Example with Kustomize:
```yaml
# kustomization.yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
helmCharts:
- name: argo-cd
repo: oci://ghcr.io/argoproj/argo-helm
version: x.y.z
releaseName: argocd
apiVersions:
- monitoring.coreos.com/v1
valuesFile: my-argocd-values.yaml
```
Example with helmfile:
```yaml
# helmfile.yaml
repositories:
- name: argo
url: https://argoproj.github.io/argo-helm
apiVersions:
- monitoring.coreos.com/v1
releases:
- name: argocd
namespace: argocd
chart: argo/argo-cd
values:
- my-argocd-values.yaml
```

6
charts/argo-cd/Chart.lock
View file

@ -1,6 +1,6 @@
dependencies:
- name: redis-ha
repository: https://dandydeveloper.github.io/charts/
version: 4.23.0
digest: sha256:589f9972fbdf36194d443c9d3be2a1747f43e03c435fc48004cc0cbe6b3c6e3c
generated: "2023-05-15T19:25:26.049618+09:00"
version: 4.26.1
digest: sha256:d72c308ab0eef4233e25bfc3f8fc97cf9b02a9c5d0186ea89e2f8fb332cb9c41
generated: "2024-02-18T19:42:53.135599+02:00"

10
charts/argo-cd/Chart.yaml
View file

@ -1,9 +1,9 @@
apiVersion: v2
appVersion: v2.9.5
appVersion: v2.11.3
kubeVersion: ">=1.23.0-0"
description: A Helm chart for Argo CD, a declarative, GitOps continuous delivery tool for Kubernetes.
name: argo-cd
version: 5.53.9
version: 7.1.4
home: https://github.com/argoproj/argo-helm
icon: https://argo-cd.readthedocs.io/en/stable/assets/logo.png
sources:
@ -18,7 +18,7 @@ maintainers:
url: https://argoproj.github.io/
dependencies:
- name: redis-ha
version: 4.23.0
version: 4.26.1
repository: https://dandydeveloper.github.io/charts/
condition: redis-ha.enabled
annotations:
@ -26,5 +26,5 @@ annotations:
fingerprint: 2B8F22F57260EFA67BE1C5824B11F800CD9D2252
url: https://argoproj.github.io/argo-helm/pgp_keys.asc
artifacthub.io/changes: |
- kind: fixed
description: Fixed labels template for ArgoCD server service account.
- kind: changed
description: add loadBalancerClass field for Service resources

462
charts/argo-cd/README.md
View file

@ -64,7 +64,180 @@ applicationSet:
replicas: 2
```
### Synchronizing Changes from Original Repository
## Ingress configuration
Please refer to the [Operator Manual](https://argo-cd.readthedocs.io/en/stable/operator-manual/ingress/#ingress-configurationh) for details as the samples
below corespond to their respective sections.
### SSL-Passthrough
The `tls: true` option will expect that the `argocd-server-tls` secret exists as Argo CD server loads TLS certificates from this place.
```yaml
global:
domain: argocd.example.com
certificate:
enabled: true
server:
ingress:
enabled: true
ingressClassName: nginx
annotations:
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
nginx.ingress.kubernetes.io/ssl-passthrough: "true"
tls: true
```
### SSL Termination at Ingress Controller
```yaml
global:
domain: argocd.example.com
configs:
params:
server.insecure: true
server:
ingress:
enabled: true
ingressClassName: nginx
annotations:
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
extraTls:
- hosts:
- argocd.example.com
# Based on the ingress controller used secret might be optional
secretName: wildcard-tls
```
> **Note:**
> If you don't plan on using a wildcard certificate it's also possible to use `tls: true` without `extraTls` section.
### Multiple ingress resources for gRPC protocol support
Use `ingressGrpc` section if your ingress controller supports only a single protocol per Ingress resource (i.e.: Contour).
```yaml
global:
domain: argocd.example.com
configs:
params:
server.insecure: true
server:
ingress:
enabled: true
ingressClassName: contour-internal
extraTls:
- hosts:
- argocd.example.com
secretName: wildcard-tls
ingressGrpc:
enabled: true
ingressClassName: contour-internal
extraTls:
- hosts:
- grpc.argocd.example.com
secretName: wildcard-tls
```
### Multiple ingress domains
```yaml
global:
domain: argocd.example.com
server:
ingress:
enabled: true
ingressClassName: nginx
annotations:
cert-manager.io/cluster-issuer: "<my-issuer>"
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
tls: true
extraHosts:
- name: argocd-alias.example.com
path: /
```
### AWS Application Load Balancer
Refer to the Operator Manual for [AWS Application Load Balancer mode](https://argo-cd.readthedocs.io/en/stable/operator-manual/ingress/#aws-application-load-balancers-albs-and-classic-elb-http-mode).
The provided example assumes you are using TLS off-loading via AWS ACM service.
> **Note:**
> Using `controller: aws` creates additional service for gRPC traffic and it's no longer need to use `ingressGrpc` configuration section.
```yaml
global:
domain: argocd.example.com
configs:
params:
server.insecure: true
server:
ingress:
enabled: true
controller: aws
ingressClassName: alb
annotations:
alb.ingress.kubernetes.io/scheme: internal
alb.ingress.kubernetes.io/target-type: ip
alb.ingress.kubernetes.io/backend-protocol: HTTP
alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":80}, {"HTTPS":443}]'
alb.ingress.kubernetes.io/ssl-redirect: '443'
aws:
serviceType: ClusterIP # <- Used with target-type: ip
backendProtocolVersion: GRPC
```
### GKE Application Load Balancer
The implementation will populate `ingressClassName`, `networking.gke.io/managed-certificates` and `networking.gke.io/v1beta1.FrontendConfig` annotations
automatically if you provide configuration for GKE resources.
```yaml
global:
domain: argocd.example.com
configs:
params:
server.insecure: true
server:
service:
annotations:
cloud.google.com/neg: '{"ingress": true}'
cloud.google.com/backend-config: '{"ports": {"http":"argocd-server"}}'
ingress:
enabled: true
controller: gke
gke:
backendConfig:
healthCheck:
checkIntervalSec: 30
timeoutSec: 5
healthyThreshold: 1
unhealthyThreshold: 2
type: HTTP
requestPath: /healthz
port: 8080
frontendConfig:
redirectToHttps:
enabled: true
managedCertificate:
enabled: true
```
## Synchronizing Changes from Original Repository
In the original [Argo CD repository](https://github.com/argoproj/argo-cd/) an [`manifests/install.yaml`](https://github.com/argoproj/argo-cd/blob/master/manifests/install.yaml) is generated using `kustomize`. It's the basis for the installation as [described in the docs](https://argo-cd.readthedocs.io/en/stable/getting_started/#1-install-argo-cd).
@ -105,15 +278,87 @@ For full list of changes please check ArtifactHub [changelog].
Highlighted versions provide information about additional steps that should be performed by user when upgrading to newer version.
### 6.10.0
This version introduces authentication for Redis to mitigate GHSA-9766-5277-j5hr.
#### How to rotate Redis secret?
Upstream steps in the [FAQ] are not enough, since we chose a different approach.
(We use a Kubernetes Job with [Chart Hooks] to create the auth secret `argocd-redis`.)
Steps to roteate the secret when using the helm chart (bold step is additional to upstream):
* Delete `argocd-redis` secret in the namespace where Argo CD is installed.
```bash
kubectl delete secret argocd-redis -n <argocd namesapce>
```
* **Perform a helm upgrade**
```bash
helm upgrade argocd argo/argo-cd --reuse-values --wait
```
* If you are running Redis in HA mode, restart Redis in HA.
```bash
kubectl rollout restart deployment argocd-redis-ha-haproxy
kubectl rollout restart statefulset argocd-redis-ha-server
```
* If you are running Redis in non-HA mode, restart Redis.
```bash
kubectl rollout restart deployment argocd-redis
```
* Restart other components.
```bash
kubectl rollout restart deployment argocd-server argocd-repo-server
kubectl rollout restart statefulset argocd-application-controller
```
### 6.9.0
ApplicationSet controller is always created to follow [upstream's manifest](https://github.com/argoproj/argo-cd/blob/v2.11.0/manifests/core-install/kustomization.yaml#L9).
### 6.4.0
Added support for application controller dynamic cluster distribution.
Please refer to [the docs](https://argo-cd.readthedocs.io/en/stable/operator-manual/dynamic-cluster-distribution) for more information.
Added env variables to handle the non-standard names generated by the helm chart.
Here are the [docs](https://argo-cd.readthedocs.io/en/release-2.9/user-guide/environment-variables/)
and [code](https://github.com/argoproj/argo-cd/blob/99723143b96ceec9ef5b0a7feb7b4f4b0dce3497/common/common.go#L252)
### 6.1.0
Added support for global domain used by all components.
### 6.0.0
This version **removes support for**:
* deprecated component options `logLevel` and `logFormat`
* deprecated component arguments `<components>.args.<feature>` that were replaced with `configs.params`
* deprecated configuration `server.config` that was replaced with `configs.cm`
* deprecated configuration `server.rbacConfig` that was replaced with `configs.rbac`
Major version also contains breaking **changes related to Argo CD Ingress** resources that were hard to extend and maintain for various ingress controller implementations.
Please review your setup and adjust to new configuration options:
* catch all rule was removed for security reasons. If you need this please use `server.ingress.extraRules` to provide ingress rule without hostname
* ingress rule for `paths` changed to `path` as there is only single Argo CD backend path
* ingress rule for `hosts` changed to `hostname` as there can be only single SSO redirect for given hostname
* ingress TLS for server uses by default `argocd-server-tls` secret required by Argo CD server, additional ingresses are using `<hostname>-tls` secret when `tls: true`
* additional hostnames and routing can be provided via `extraHosts` configuration section
* additional TLS secrets can be provided via `extraTls` configuration section
Please refer to [ingress configuration](#ingress-configuration) for examples.
### 5.53.0
Argocd-repo-server can now optionally use Persistent Volumes for its mountpoints instead of only emptydir()
### 5.52.0
Because [Argo CD Extensions] is now deprecated and no further changes will be made, we switched to [Argo CD Extension Installer], adding an Argo CD Extension Installer to init-container in the Argo CD API server.
If you used old mechanism, please move to new mechanism. For more details, please refer `.Values.server.extensions` in values.yaml.
### 5.35.0
This version supports Kubernetes version `>=1.23.0-0`. The current supported version of Kubernetes is v1.24 or later and we align with the Amazon EKS calendar, because many AWS users follow a conservative approach.
Please see more information about EoL: [Amazon EKS EoL][EKS EoL].
@ -399,7 +644,7 @@ NAME: my-release
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| apiVersionOverrides.cloudgoogle | string | `""` | String to override apiVersion of GKE resources rendered by this helm chart |
| apiVersionOverrides | object | `{}` | |
| crds.additionalLabels | object | `{}` | Addtional labels to be added to all CRDs |
| crds.annotations | object | `{}` | Annotations to be added to all CRDs |
| crds.install | bool | `true` | Install and upgrade CRDs |
@ -410,6 +655,7 @@ NAME: my-release
| fullnameOverride | string | `""` | String to fully override `"argo-cd.fullname"` |
| kubeVersionOverride | string | `""` | Override the Kubernetes version, which is used to evaluate certain manifests |
| nameOverride | string | `"argocd"` | Provide a name in place of `argocd` |
| namespaceOverride | string | `.Release.Namespace` | Override the namespace |
| openshift.enabled | bool | `false` | enables using arbitrary uid for argo repo server |
## Global Configs
@ -424,6 +670,9 @@ NAME: my-release
| global.certificateAnnotations | object | `{}` | Annotations for the all deployed Certificates |
| global.deploymentAnnotations | object | `{}` | Annotations for the all deployed Deployments |
| global.deploymentStrategy | object | `{}` | Deployment strategy for the all deployed Deployments |
| global.domain | string | `"argocd.example.com"` | Default domain used by all components |
| global.dualStack.ipFamilies | list | `[]` | IP families that should be supported and the order in which they should be applied to ClusterIP as well. Can be IPv4 and/or IPv6. |
| global.dualStack.ipFamilyPolicy | string | `""` | IP family policy to configure dual-stack see [Configure dual-stack](https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services) |
| global.env | list | `[]` | Environment variables to pass to all deployed Deployments |
| global.hostAliases | list | `[]` | Mapping between IP and hostnames that will be injected as entries in the pod's hosts files |
| global.image.imagePullPolicy | string | `"IfNotPresent"` | If defined, a imagePullPolicy applied to all Argo CD deployments |
@ -448,16 +697,16 @@ NAME: my-release
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| configs.clusterCredentials | list | `[]` (See [values.yaml]) | Provide one or multiple [external cluster credentials] |
| configs.clusterCredentials | object | `{}` (See [values.yaml]) | Provide one or multiple [external cluster credentials] |
| configs.cm."admin.enabled" | bool | `true` | Enable local admin user |
| configs.cm."application.instanceLabelKey" | string | `"argocd.argoproj.io/instance"` | The name of tracking label used by Argo CD for resource pruning |
| configs.cm."exec.enabled" | bool | `false` | Enable exec feature in Argo UI |
| configs.cm."server.rbac.log.enforce.enable" | bool | `false` | Enable logs RBAC enforcement |
| configs.cm."statusbadge.enabled" | bool | `false` | Enable Status Badge |
| configs.cm."timeout.hard.reconciliation" | string | `"0s"` | Timeout to refresh application data as well as target manifests cache |
| configs.cm."timeout.reconciliation" | string | `"180s"` | Timeout to discover if a new manifests version got published to the repository |
| configs.cm.annotations | object | `{}` | Annotations to be added to argocd-cm configmap |
| configs.cm.create | bool | `true` | Create the argocd-cm configmap for [declarative setup] |
| configs.cm.url | string | `""` | Argo CD's externally facing base URL (optional). Required when configuring SSO |
| configs.cmp.annotations | object | `{}` | Annotations to be added to argocd-cmp-cm configmap |
| configs.cmp.create | bool | `false` | Create the argocd-cmp-cm configmap |
| configs.cmp.plugins | object | `{}` | Plugin yaml files to be added to argocd-cmp-cm |
@ -468,6 +717,7 @@ NAME: my-release
| configs.params."application.namespaces" | string | `""` | Enables [Applications in any namespace] |
| configs.params."applicationsetcontroller.enable.progressive.syncs" | bool | `false` | Enables use of the Progressive Syncs capability |
| configs.params."applicationsetcontroller.policy" | string | `"sync"` | Modify how application is synced between the generator and the cluster. One of: `sync`, `create-only`, `create-update`, `create-delete` |
| configs.params."controller.ignore.normalizer.jq.timeout" | string | `"1s"` | JQ Path expression timeout |
| configs.params."controller.operation.processors" | int | `10` | Number of application operation processors |
| configs.params."controller.repo.server.timeout.seconds" | int | `60` | Repo server RPC call timeout seconds. |
| configs.params."controller.self.heal.timeout.seconds" | int | `5` | Specifies timeout between application self heal attempts |
@ -516,17 +766,21 @@ NAME: my-release
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| controller.affinity | object | `{}` (defaults to global.affinity preset) | Assign custom [affinity] rules to the deployment |
| controller.args | object | `{}` | DEPRECATED - Application controller commandline flags |
| controller.automountServiceAccountToken | bool | `true` | Automount API credentials for the Service Account into the pod. |
| controller.clusterRoleRules.enabled | bool | `false` | Enable custom rules for the application controller's ClusterRole resource |
| controller.clusterRoleRules.rules | list | `[]` | List of custom rules for the application controller's ClusterRole resource |
| controller.containerPorts.metrics | int | `8082` | Metrics container port |
| controller.containerSecurityContext | object | See [values.yaml] | Application controller container-level security context |
| controller.deploymentAnnotations | object | `{}` | Annotations for the application controller Deployment |
| controller.dnsConfig | object | `{}` | [DNS configuration] |
| controller.dnsPolicy | string | `"ClusterFirst"` | Alternative DNS policy for application controller pods |
| controller.dynamicClusterDistribution | bool | `false` | Enable dynamic cluster distribution (alpha) Ref: https://argo-cd.readthedocs.io/en/stable/operator-manual/dynamic-cluster-distribution |
| controller.emptyDir.sizeLimit | string | `""` (defaults not set if not specified i.e. no size limit) | EmptyDir size limit for application controller |
| controller.env | list | `[]` | Environment variables to pass to application controller |
| controller.envFrom | list | `[]` (See [values.yaml]) | envFrom to pass to application controller |
| controller.extraArgs | list | `[]` | Additional command line arguments to pass to application controller |
| controller.extraContainers | list | `[]` | Additional containers to be added to the application controller pod |
| controller.heartbeatTime | int | `10` | Application controller heartbeat time Ref: https://argo-cd.readthedocs.io/en/stable/operator-manual/dynamic-cluster-distribution/#working-of-dynamic-distribution |
| controller.hostNetwork | bool | `false` | Host Network for application controller pods |
| controller.image.imagePullPolicy | string | `""` (defaults to global.image.imagePullPolicy) | Image pull policy for the application controller |
| controller.image.repository | string | `""` (defaults to global.image.repository) | Repository to use for the application controller |
@ -542,6 +796,7 @@ NAME: my-release
| controller.metrics.rules.namespace | string | `""` | PrometheusRule namespace |
| controller.metrics.rules.selector | object | `{}` | PrometheusRule selector |
| controller.metrics.rules.spec | list | `[]` | PrometheusRule.Spec for the application controller |
| controller.metrics.scrapeTimeout | string | `""` | Prometheus ServiceMonitor scrapeTimeout. If empty, Prometheus uses the global scrape timeout unless it is less than the target's scrape interval value in which the latter is used. |
| controller.metrics.service.annotations | object | `{}` | Metrics service annotations |
| controller.metrics.service.clusterIP | string | `""` | Metrics service clusterIP. `None` makes a "headless service" (no virtual IP) |
| controller.metrics.service.labels | object | `{}` | Metrics service labels |
@ -575,6 +830,7 @@ NAME: my-release
| controller.readinessProbe.timeoutSeconds | int | `1` | Number of seconds after which the [probe] times out |
| controller.replicas | int | `1` | The number of application controller pods to run. Additional replicas will cause sharding of managed clusters across number of replicas. |
| controller.resources | object | `{}` | Resource limits and requests for the application controller pods |
| controller.revisionHistoryLimit | int | `5` | Maximum number of controller revisions that will be maintained in StatefulSet history |
| controller.serviceAccount.annotations | object | `{}` | Annotations applied to created service account |
| controller.serviceAccount.automountServiceAccountToken | bool | `true` | Automount API credentials for the Service Account |
| controller.serviceAccount.create | bool | `true` | Create a service account for the application controller |
@ -592,6 +848,7 @@ NAME: my-release
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| repoServer.affinity | object | `{}` (defaults to global.affinity preset) | Assign custom [affinity] rules to the deployment |
| repoServer.automountServiceAccountToken | bool | `true` | Automount API credentials for the Service Account into the pod. |
| repoServer.autoscaling.behavior | object | `{}` | Configures the scaling behavior of the target in both Up and Down directions. |
| repoServer.autoscaling.enabled | bool | `false` | Enable Horizontal Pod Autoscaler ([HPA]) for the repo server |
| repoServer.autoscaling.maxReplicas | int | `5` | Maximum number of replicas for the repo server [HPA] |
@ -614,6 +871,7 @@ NAME: my-release
| repoServer.deploymentStrategy | object | `{}` | Deployment strategy to be added to the repo server Deployment |
| repoServer.dnsConfig | object | `{}` | [DNS configuration] |
| repoServer.dnsPolicy | string | `"ClusterFirst"` | Alternative DNS policy for Repo server pods |
| repoServer.emptyDir.sizeLimit | string | `""` (defaults not set if not specified i.e. no size limit) | EmptyDir size limit for repo server |
| repoServer.env | list | `[]` | Environment variables to pass to repo server |
| repoServer.envFrom | list | `[]` (See [values.yaml]) | envFrom to pass to repo server |
| repoServer.existingVolumes | object | `{}` | Volumes to be used in replacement of emptydir on default volumes |
@ -646,6 +904,7 @@ NAME: my-release
| repoServer.metrics.serviceMonitor.namespace | string | `""` | Prometheus ServiceMonitor namespace |
| repoServer.metrics.serviceMonitor.relabelings | list | `[]` | Prometheus [RelabelConfigs] to apply to samples before scraping |
| repoServer.metrics.serviceMonitor.scheme | string | `""` | Prometheus ServiceMonitor scheme |
| repoServer.metrics.serviceMonitor.scrapeTimeout | string | `""` | Prometheus ServiceMonitor scrapeTimeout. If empty, Prometheus uses the global scrape timeout unless it is less than the target's scrape interval value in which the latter is used. |
| repoServer.metrics.serviceMonitor.selector | object | `{}` | Prometheus ServiceMonitor selector |
| repoServer.metrics.serviceMonitor.tlsConfig | object | `{}` | Prometheus ServiceMonitor tlsConfig |
| repoServer.name | string | `"repo-server"` | Repo server name |
@ -669,7 +928,7 @@ NAME: my-release
| repoServer.service.annotations | object | `{}` | Repo server service annotations |
| repoServer.service.labels | object | `{}` | Repo server service labels |
| repoServer.service.port | int | `8081` | Repo server service port |
| repoServer.service.portName | string | `"https-repo-server"` | Repo server service port name |
| repoServer.service.portName | string | `"tcp-repo-server"` | Repo server service port name |
| repoServer.serviceAccount.annotations | object | `{}` | Annotations applied to created service account |
| repoServer.serviceAccount.automountServiceAccountToken | bool | `true` | Automount API credentials for the Service Account |
| repoServer.serviceAccount.create | bool | `true` | Create repo server service account |
@ -686,13 +945,8 @@ NAME: my-release
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| server.GKEbackendConfig.enabled | bool | `false` | Enable BackendConfig custom resource for Google Kubernetes Engine |
| server.GKEbackendConfig.spec | object | `{}` | [BackendConfigSpec] |
| server.GKEfrontendConfig.enabled | bool | `false` | Enable FrontConfig custom resource for Google Kubernetes Engine |
| server.GKEfrontendConfig.spec | object | `{}` | [FrontendConfigSpec] |
| server.GKEmanagedCertificate.domains | list | `["argocd.example.com"]` | Domains for the Google Managed Certificate |
| server.GKEmanagedCertificate.enabled | bool | `false` | Enable ManagedCertificate custom resource for Google Kubernetes Engine. |
| server.affinity | object | `{}` (defaults to global.affinity preset) | Assign custom [affinity] rules to the deployment |
| server.automountServiceAccountToken | bool | `true` | Automount API credentials for the Service Account into the pod. |
| server.autoscaling.behavior | object | `{}` | Configures the scaling behavior of the target in both Up and Down directions. |
| server.autoscaling.enabled | bool | `false` | Enable Horizontal Pod Autoscaler ([HPA]) for the Argo CD server |
| server.autoscaling.maxReplicas | int | `5` | Maximum number of replicas for the Argo CD server [HPA] |
@ -702,7 +956,7 @@ NAME: my-release
| server.autoscaling.targetMemoryUtilizationPercentage | int | `50` | Average memory utilization percentage for the Argo CD server [HPA] |
| server.certificate.additionalHosts | list | `[]` | Certificate Subject Alternate Names (SANs) |
| server.certificate.annotations | object | `{}` | Annotations to be applied to the Server Certificate |
| server.certificate.domain | string | `"argocd.example.com"` | Certificate primary domain (commonName) |
| server.certificate.domain | string | `""` (defaults to global.domain) | Certificate primary domain (commonName) |
| server.certificate.duration | string | `""` (defaults to 2160h = 90d if not specified) | The requested 'duration' (i.e. lifetime) of the certificate. |
| server.certificate.enabled | bool | `false` | Deploy a Certificate resource (requires cert-manager) |
| server.certificate.issuer.group | string | `""` | Certificate issuer group. Set if using an external issuer. Eg. `cert-manager.io` |
@ -720,6 +974,8 @@ NAME: my-release
| server.certificateSecret.enabled | bool | `false` | Create argocd-server-tls secret |
| server.certificateSecret.key | string | `""` | Private Key of the certificate |
| server.certificateSecret.labels | object | `{}` | Labels to be added to argocd-server-tls secret |
| server.clusterRoleRules.enabled | bool | `false` | Enable custom rules for the server's ClusterRole resource |
| server.clusterRoleRules.rules | list | `[]` | List of custom rules for the server's ClusterRole resource |
| server.containerPorts.metrics | int | `8083` | Metrics container port |
| server.containerPorts.server | int | `8080` | Server container port |
| server.containerSecurityContext | object | See [values.yaml] | Server container-level security context |
@ -727,6 +983,7 @@ NAME: my-release
| server.deploymentStrategy | object | `{}` | Deployment strategy to be added to the server Deployment |
| server.dnsConfig | object | `{}` | [DNS configuration] |
| server.dnsPolicy | string | `"ClusterFirst"` | Alternative DNS policy for Server pods |
| server.emptyDir.sizeLimit | string | `""` (defaults not set if not specified i.e. no size limit) | EmptyDir size limit for the Argo CD server |
| server.env | list | `[]` | Environment variables to pass to Argo CD server |
| server.envFrom | list | `[]` (See [values.yaml]) | envFrom to pass to Argo CD server |
| server.extensions.containerSecurityContext | object | See [values.yaml] | Server UI extensions container-level security context |
@ -734,7 +991,7 @@ NAME: my-release
| server.extensions.extensionList | list | `[]` (See [values.yaml]) | Extensions for Argo CD |
| server.extensions.image.imagePullPolicy | string | `""` (defaults to global.image.imagePullPolicy) | Image pull policy for extensions |
| server.extensions.image.repository | string | `"quay.io/argoprojlabs/argocd-extension-installer"` | Repository to use for extension installer image |
| server.extensions.image.tag | string | `"v0.0.1"` | Tag to use for extension installer image |
| server.extensions.image.tag | string | `"v0.0.5"` | Tag to use for extension installer image |
| server.extensions.resources | object | `{}` | Resource limits and requests for the argocd-extensions container |
| server.extraArgs | list | `[]` | Additional command line arguments to pass to Argo CD server |
| server.extraContainers | list | `[]` | Additional containers to be added to the server pod |
@ -744,28 +1001,36 @@ NAME: my-release
| server.image.tag | string | `""` (defaults to global.image.tag) | Tag to use for the Argo CD server |
| server.imagePullSecrets | list | `[]` (defaults to global.imagePullSecrets) | Secrets with credentials to pull images from a private registry |
| server.ingress.annotations | object | `{}` | Additional ingress annotations |
| server.ingress.aws.backendProtocolVersion | string | `"GRPC"` | Backend protocol version for the AWS ALB gRPC service |
| server.ingress.aws.serviceType | string | `"NodePort"` | Service type for the AWS ALB gRPC service |
| server.ingress.controller | string | `"generic"` | Specific implementation for ingress controller. One of `generic`, `aws` or `gke` |
| server.ingress.enabled | bool | `false` | Enable an ingress resource for the Argo CD server |
| server.ingress.extraPaths | list | `[]` | Additional ingress paths |
| server.ingress.hosts | list | `[]` | List of ingress hosts |
| server.ingress.https | bool | `false` | Uses `server.service.servicePortHttps` instead `server.service.servicePortHttp` |
| server.ingress.extraHosts | list | `[]` (See [values.yaml]) | The list of additional hostnames to be covered by ingress record |
| server.ingress.extraPaths | list | `[]` (See [values.yaml]) | Additional ingress paths |
| server.ingress.extraRules | list | `[]` (See [values.yaml]) | Additional ingress rules |
| server.ingress.extraTls | list | `[]` (See [values.yaml]) | Additional TLS configuration |
| server.ingress.gke.backendConfig | object | `{}` (See [values.yaml]) | Google [BackendConfig] resource, for use with the GKE Ingress Controller |
| server.ingress.gke.frontendConfig | object | `{}` (See [values.yaml]) | Google [FrontendConfig] resource, for use with the GKE Ingress Controller |
| server.ingress.gke.managedCertificate.create | bool | `true` | Create ManagedCertificate resource and annotations for Google Load balancer |
| server.ingress.gke.managedCertificate.extraDomains | list | `[]` | Additional domains for ManagedCertificate resource |
| server.ingress.hostname | string | `""` (defaults to global.domain) | Argo CD server hostname |
| server.ingress.ingressClassName | string | `""` | Defines which ingress controller will implement the resource |
| server.ingress.labels | object | `{}` | Additional ingress labels |
| server.ingress.path | string | `"/"` | The path to Argo CD server |
| server.ingress.pathType | string | `"Prefix"` | Ingress path type. One of `Exact`, `Prefix` or `ImplementationSpecific` |
| server.ingress.paths | list | `["/"]` | List of ingress paths |
| server.ingress.tls | list | `[]` | Ingress TLS configuration |
| server.ingress.tls | bool | `false` | Enable TLS configuration for the hostname defined at `server.ingress.hostname` |
| server.ingressGrpc.annotations | object | `{}` | Additional ingress annotations for dedicated [gRPC-ingress] |
| server.ingressGrpc.awsALB.backendProtocolVersion | string | `"HTTP2"` | Backend protocol version for the AWS ALB gRPC service |
| server.ingressGrpc.awsALB.serviceType | string | `"NodePort"` | Service type for the AWS ALB gRPC service |
| server.ingressGrpc.enabled | bool | `false` | Enable an ingress resource for the Argo CD server for dedicated [gRPC-ingress] |
| server.ingressGrpc.extraPaths | list | `[]` | Additional ingress paths for dedicated [gRPC-ingress] |
| server.ingressGrpc.hosts | list | `[]` | List of ingress hosts for dedicated [gRPC-ingress] |
| server.ingressGrpc.https | bool | `false` | Uses `server.service.servicePortHttps` instead `server.service.servicePortHttp` |
| server.ingressGrpc.extraHosts | list | `[]` (See [values.yaml]) | The list of additional hostnames to be covered by ingress record |
| server.ingressGrpc.extraPaths | list | `[]` (See [values.yaml]) | Additional ingress paths for dedicated [gRPC-ingress] |
| server.ingressGrpc.extraRules | list | `[]` (See [values.yaml]) | Additional ingress rules |
| server.ingressGrpc.extraTls | list | `[]` (See [values.yaml]) | Additional TLS configuration for dedicated [gRPC-ingress] |
| server.ingressGrpc.hostname | string | `""` (defaults to grpc.`server.ingress.hostname`) | Argo CD server hostname for dedicated [gRPC-ingress] |
| server.ingressGrpc.ingressClassName | string | `""` | Defines which ingress controller will implement the resource [gRPC-ingress] |
| server.ingressGrpc.isAWSALB | bool | `false` | Setup up gRPC ingress to work with an AWS ALB |
| server.ingressGrpc.labels | object | `{}` | Additional ingress labels for dedicated [gRPC-ingress] |
| server.ingressGrpc.path | string | `"/"` | Argo CD server ingress path for dedicated [gRPC-ingress] |
| server.ingressGrpc.pathType | string | `"Prefix"` | Ingress path type for dedicated [gRPC-ingress]. One of `Exact`, `Prefix` or `ImplementationSpecific` |
| server.ingressGrpc.paths | list | `["/"]` | List of ingress paths for dedicated [gRPC-ingress] |
| server.ingressGrpc.tls | list | `[]` | Ingress TLS configuration for dedicated [gRPC-ingress] |
| server.ingressGrpc.tls | bool | `false` | Enable TLS configuration for the hostname defined at `server.ingressGrpc.hostname` |
| server.initContainers | list | `[]` | Init containers to add to the server pod |
| server.lifecycle | object | `{}` | Specify postStart and preStop lifecycle hooks for your argo-cd-server container |
| server.livenessProbe.failureThreshold | int | `3` | Minimum consecutive failures for the [probe] to be considered failed after having succeeded |
@ -788,6 +1053,7 @@ NAME: my-release
| server.metrics.serviceMonitor.namespace | string | `""` | Prometheus ServiceMonitor namespace |
| server.metrics.serviceMonitor.relabelings | list | `[]` | Prometheus [RelabelConfigs] to apply to samples before scraping |
| server.metrics.serviceMonitor.scheme | string | `""` | Prometheus ServiceMonitor scheme |
| server.metrics.serviceMonitor.scrapeTimeout | string | `""` | Prometheus ServiceMonitor scrapeTimeout. If empty, Prometheus uses the global scrape timeout unless it is less than the target's scrape interval value in which the latter is used. |
| server.metrics.serviceMonitor.selector | object | `{}` | Prometheus ServiceMonitor selector |
| server.metrics.serviceMonitor.tlsConfig | object | `{}` | Prometheus ServiceMonitor tlsConfig |
| server.name | string | `"server"` | Argo CD server name |
@ -814,8 +1080,9 @@ NAME: my-release
| server.route.termination_type | string | `"passthrough"` | Termination type of Openshift Route |
| server.service.annotations | object | `{}` | Server service annotations |
| server.service.externalIPs | list | `[]` | Server service external IPs |
| server.service.externalTrafficPolicy | string | `""` | Denotes if this Service desires to route external traffic to node-local or cluster-wide endpoints |
| server.service.externalTrafficPolicy | string | `"Cluster"` | Denotes if this Service desires to route external traffic to node-local or cluster-wide endpoints |
| server.service.labels | object | `{}` | Server service labels |
| server.service.loadBalancerClass | string | `""` | The class of the load balancer implementation |
| server.service.loadBalancerIP | string | `""` | LoadBalancer will get created with the IP specified in this field |
| server.service.loadBalancerSourceRanges | list | `[]` | Source IP ranges to allow access to service from |
| server.service.nodePortHttp | int | `30080` | Server service http port for NodePort service type (only if `server.service.type` is set to "NodePort") |
@ -823,8 +1090,9 @@ NAME: my-release
| server.service.servicePortHttp | int | `80` | Server service http port |
| server.service.servicePortHttpName | string | `"http"` | Server service http port name, can be used to route traffic via istio |
| server.service.servicePortHttps | int | `443` | Server service https port |
| server.service.servicePortHttpsAppProtocol | string | `""` | Server service https port appProtocol |
| server.service.servicePortHttpsName | string | `"https"` | Server service https port name, can be used to route traffic via istio |
| server.service.sessionAffinity | string | `""` | Used to maintain session affinity. Supports `ClientIP` and `None` |
| server.service.sessionAffinity | string | `"None"` | Used to maintain session affinity. Supports `ClientIP` and `None` |
| server.service.type | string | `"ClusterIP"` | Server service type |
| server.serviceAccount.annotations | object | `{}` | Annotations applied to created service account |
| server.serviceAccount.automountServiceAccountToken | bool | `true` | Automount API credentials for the Service Account |
@ -837,33 +1105,12 @@ NAME: my-release
| server.volumeMounts | list | `[]` | Additional volumeMounts to the server main container |
| server.volumes | list | `[]` | Additional volumes to the server pod |
### Using AWS ALB Ingress Controller With GRPC
If you are using an AWS ALB Ingress controller, you will need to set `server.ingressGrpc.isAWSALB` to `true`. This will create a second service with the annotation `alb.ingress.kubernetes.io/backend-protocol-version: HTTP2` and modify the server ingress to add a condition annotation to route GRPC traffic to the new service.
Example:
```yaml
server:
ingress:
enabled: true
annotations:
alb.ingress.kubernetes.io/backend-protocol: HTTPS
alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}]'
alb.ingress.kubernetes.io/scheme: internal
alb.ingress.kubernetes.io/target-type: ip
ingressGrpc:
enabled: true
isAWSALB: true
awsALB:
serviceType: ClusterIP
```
## Dex
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| dex.affinity | object | `{}` (defaults to global.affinity preset) | Assign custom [affinity] rules to the deployment |
| dex.automountServiceAccountToken | bool | `true` | Automount API credentials for the Service Account into the pod. |
| dex.certificateSecret.annotations | object | `{}` | Annotations to be added to argocd-dex-server-tls secret |
| dex.certificateSecret.ca | string | `""` | Certificate authority. Required for self-signed certificates. |
| dex.certificateSecret.crt | string | `""` | Certificate data. Must contain SANs of Dex service (ie: argocd-dex-server, argocd-dex-server.argo-cd.svc) |
@ -878,6 +1125,7 @@ server:
| dex.deploymentStrategy | object | `{}` | Deployment strategy to be added to the Dex server Deployment |
| dex.dnsConfig | object | `{}` | [DNS configuration] |
| dex.dnsPolicy | string | `"ClusterFirst"` | Alternative DNS policy for Dex server pods |
| dex.emptyDir.sizeLimit | string | `""` (defaults not set if not specified i.e. no size limit) | EmptyDir size limit for Dex server |
| dex.enabled | bool | `true` | Enable dex |
| dex.env | list | `[]` | Environment variables to pass to the Dex server |
| dex.envFrom | list | `[]` (See [values.yaml]) | envFrom to pass to the Dex server |
@ -885,7 +1133,7 @@ server:
| dex.extraContainers | list | `[]` | Additional containers to be added to the dex pod |
| dex.image.imagePullPolicy | string | `""` (defaults to global.image.imagePullPolicy) | Dex imagePullPolicy |
| dex.image.repository | string | `"ghcr.io/dexidp/dex"` | Dex image repository |
| dex.image.tag | string | `"v2.37.0"` | Dex image tag |
| dex.image.tag | string | `"v2.38.0"` | Dex image tag |
| dex.imagePullSecrets | list | `[]` (defaults to global.imagePullSecrets) | Secrets with credentials to pull images from a private registry |
| dex.initContainers | list | `[]` | Init containers to add to the dex pod |
| dex.initImage.imagePullPolicy | string | `""` (defaults to global.image.imagePullPolicy) | Argo CD init image imagePullPolicy |
@ -894,6 +1142,9 @@ server:
| dex.initImage.tag | string | `""` (defaults to global.image.tag) | Argo CD init image tag |
| dex.livenessProbe.enabled | bool | `false` | Enable Kubernetes liveness probe for Dex >= 2.28.0 |
| dex.livenessProbe.failureThreshold | int | `3` | Minimum consecutive failures for the [probe] to be considered failed after having succeeded |
| dex.livenessProbe.httpPath | string | `"/healthz/live"` | Http path to use for the liveness probe |
| dex.livenessProbe.httpPort | string | `"metrics"` | Http port to use for the liveness probe |
| dex.livenessProbe.httpScheme | string | `"HTTP"` | Scheme to use for for the liveness probe (can be HTTP or HTTPS) |
| dex.livenessProbe.initialDelaySeconds | int | `10` | Number of seconds after the container has started before [probe] is initiated |
| dex.livenessProbe.periodSeconds | int | `10` | How often (in seconds) to perform the [probe] |
| dex.livenessProbe.successThreshold | int | `1` | Minimum consecutive successes for the [probe] to be considered successful after having failed |
@ -926,6 +1177,9 @@ server:
| dex.priorityClassName | string | `""` (defaults to global.priorityClassName) | Priority class for the dex pods |
| dex.readinessProbe.enabled | bool | `false` | Enable Kubernetes readiness probe for Dex >= 2.28.0 |
| dex.readinessProbe.failureThreshold | int | `3` | Minimum consecutive failures for the [probe] to be considered failed after having succeeded |
| dex.readinessProbe.httpPath | string | `"/healthz/ready"` | Http path to use for the readiness probe |
| dex.readinessProbe.httpPort | string | `"metrics"` | Http port to use for the readiness probe |
| dex.readinessProbe.httpScheme | string | `"HTTP"` | Scheme to use for for the liveness probe (can be HTTP or HTTPS) |
| dex.readinessProbe.initialDelaySeconds | int | `10` | Number of seconds after the container has started before [probe] is initiated |
| dex.readinessProbe.periodSeconds | int | `10` | How often (in seconds) to perform the [probe] |
| dex.readinessProbe.successThreshold | int | `1` | Minimum consecutive successes for the [probe] to be considered successful after having failed |
@ -953,6 +1207,7 @@ server:
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| redis.affinity | object | `{}` (defaults to global.affinity preset) | Assign custom [affinity] rules to the deployment |
| redis.automountServiceAccountToken | bool | `true` | Automount API credentials for the Service Account into the pod. |
| redis.containerPorts.metrics | int | `9121` | Metrics container port |
| redis.containerPorts.redis | int | `6379` | Redis container port |
| redis.containerSecurityContext | object | See [values.yaml] | Redis container-level security context |
@ -967,15 +1222,33 @@ server:
| redis.exporter.env | list | `[]` | Environment variables to pass to the Redis exporter |
| redis.exporter.image.imagePullPolicy | string | `""` (defaults to global.image.imagePullPolicy) | Image pull policy for the redis-exporter |
| redis.exporter.image.repository | string | `"public.ecr.aws/bitnami/redis-exporter"` | Repository to use for the redis-exporter |
| redis.exporter.image.tag | string | `"1.53.0"` | Tag to use for the redis-exporter |
| redis.exporter.image.tag | string | `"1.58.0"` | Tag to use for the redis-exporter |
| redis.exporter.livenessProbe.enabled | bool | `false` | Enable Kubernetes liveness probe for Redis exporter |
| redis.exporter.livenessProbe.failureThreshold | int | `5` | Minimum consecutive failures for the [probe] to be considered failed after having succeeded |
| redis.exporter.livenessProbe.initialDelaySeconds | int | `30` | Number of seconds after the container has started before [probe] is initiated |
| redis.exporter.livenessProbe.periodSeconds | int | `15` | How often (in seconds) to perform the [probe] |
| redis.exporter.livenessProbe.successThreshold | int | `1` | Minimum consecutive successes for the [probe] to be considered successful after having failed |
| redis.exporter.livenessProbe.timeoutSeconds | int | `15` | Number of seconds after which the [probe] times out |
| redis.exporter.readinessProbe.enabled | bool | `false` | Enable Kubernetes liveness probe for Redis exporter (optional) |
| redis.exporter.readinessProbe.failureThreshold | int | `5` | Minimum consecutive failures for the [probe] to be considered failed after having succeeded |
| redis.exporter.readinessProbe.initialDelaySeconds | int | `30` | Number of seconds after the container has started before [probe] is initiated |
| redis.exporter.readinessProbe.periodSeconds | int | `15` | How often (in seconds) to perform the [probe] |
| redis.exporter.readinessProbe.successThreshold | int | `1` | Minimum consecutive successes for the [probe] to be considered successful after having failed |
| redis.exporter.readinessProbe.timeoutSeconds | int | `15` | Number of seconds after which the [probe] times out |
| redis.exporter.resources | object | `{}` | Resource limits and requests for redis-exporter sidecar |
| redis.extraArgs | list | `[]` | Additional command line arguments to pass to redis-server |
| redis.extraContainers | list | `[]` | Additional containers to be added to the redis pod |
| redis.image.imagePullPolicy | string | `""` (defaults to global.image.imagePullPolicy) | Redis image pull policy |
| redis.image.repository | string | `"public.ecr.aws/docker/library/redis"` | Redis repository |
| redis.image.tag | string | `"7.0.13-alpine"` | Redis tag |
| redis.image.tag | string | `"7.2.4-alpine"` | Redis tag |
| redis.imagePullSecrets | list | `[]` (defaults to global.imagePullSecrets) | Secrets with credentials to pull images from a private registry |
| redis.initContainers | list | `[]` | Init containers to add to the redis pod |
| redis.livenessProbe.enabled | bool | `false` | Enable Kubernetes liveness probe for Redis server |
| redis.livenessProbe.failureThreshold | int | `5` | Minimum consecutive failures for the [probe] to be considered failed after having succeeded |
| redis.livenessProbe.initialDelaySeconds | int | `30` | Number of seconds after the container has started before [probe] is initiated |
| redis.livenessProbe.periodSeconds | int | `15` | How often (in seconds) to perform the [probe] |
| redis.livenessProbe.successThreshold | int | `1` | Minimum consecutive successes for the [probe] to be considered successful after having failed |
| redis.livenessProbe.timeoutSeconds | int | `15` | Number of seconds after which the [probe] times out |
| redis.metrics.enabled | bool | `false` | Deploy metrics service |
| redis.metrics.service.annotations | object | `{}` | Metrics service annotations |
| redis.metrics.service.clusterIP | string | `"None"` | Metrics service clusterIP. `None` makes a "headless service" (no virtual IP) |
@ -1003,6 +1276,12 @@ server:
| redis.podAnnotations | object | `{}` | Annotations to be added to the Redis server pods |
| redis.podLabels | object | `{}` | Labels to be added to the Redis server pods |
| redis.priorityClassName | string | `""` (defaults to global.priorityClassName) | Priority class for redis pods |
| redis.readinessProbe.enabled | bool | `false` | Enable Kubernetes liveness probe for Redis server |
| redis.readinessProbe.failureThreshold | int | `5` | Minimum consecutive failures for the [probe] to be considered failed after having succeeded |
| redis.readinessProbe.initialDelaySeconds | int | `30` | Number of seconds after the container has started before [probe] is initiated |
| redis.readinessProbe.periodSeconds | int | `15` | How often (in seconds) to perform the [probe] |
| redis.readinessProbe.successThreshold | int | `1` | Minimum consecutive successes for the [probe] to be considered successful after having failed |
| redis.readinessProbe.timeoutSeconds | int | `15` | Number of seconds after which the [probe] times out |
| redis.resources | object | `{}` | Resource limits and requests for redis |
| redis.securityContext | object | See [values.yaml] | Redis pod-level security context |
| redis.service.annotations | object | `{}` | Redis service annotations |
@ -1028,21 +1307,24 @@ The main options are listed here:
|-----|------|---------|-------------|
| redis-ha.additionalAffinities | object | `{}` | Additional affinities to add to the Redis server pods. |
| redis-ha.affinity | string | `""` | Assign custom [affinity] rules to the Redis pods. |
| redis-ha.auth | bool | `true` | Configures redis-ha with AUTH |
| redis-ha.containerSecurityContext | object | See [values.yaml] | Redis HA statefulset container-level security context |
| redis-ha.enabled | bool | `false` | Enables the Redis HA subchart and disables the custom Redis single node deployment |
| redis-ha.existingSecret | string | `"argocd-redis"` | Existing Secret to use for redis-ha authentication. By default the redis-secret-init Job is generating this Secret. |
| redis-ha.exporter.enabled | bool | `false` | Enable Prometheus redis-exporter sidecar |
| redis-ha.exporter.image | string | `"public.ecr.aws/bitnami/redis-exporter"` | Repository to use for the redis-exporter |
| redis-ha.exporter.tag | string | `"1.53.0"` | Tag to use for the redis-exporter |
| redis-ha.exporter.tag | string | `"1.58.0"` | Tag to use for the redis-exporter |
| redis-ha.haproxy.additionalAffinities | object | `{}` | Additional affinities to add to the haproxy pods. |
| redis-ha.haproxy.affinity | string | `""` | Assign custom [affinity] rules to the haproxy pods. |
| redis-ha.haproxy.containerSecurityContext | object | See [values.yaml] | HAProxy container-level security context |
| redis-ha.haproxy.enabled | bool | `true` | Enabled HAProxy LoadBalancing/Proxy |
| redis-ha.haproxy.hardAntiAffinity | bool | `true` | Whether the haproxy pods should be forced to run on separate nodes. |
| redis-ha.haproxy.labels | object | `{"app.kubernetes.io/name":"argocd-redis-ha-haproxy"}` | Custom labels for the haproxy pod. This is relevant for Argo CD CLI. |
| redis-ha.haproxy.metrics.enabled | bool | `true` | HAProxy enable prometheus metric scraping |
| redis-ha.haproxy.tolerations | list | `[]` | [Tolerations] for use with node taints for haproxy pods. |
| redis-ha.hardAntiAffinity | bool | `true` | Whether the Redis server pods should be forced to run on separate nodes. |
| redis-ha.image.repository | string | `"public.ecr.aws/docker/library/redis"` | Redis repository |
| redis-ha.image.tag | string | `"7.0.13-alpine"` | Redis tag |
| redis-ha.image.tag | string | `"7.2.4-alpine"` | Redis tag |
| redis-ha.persistentVolume.enabled | bool | `false` | Configures persistence on Redis nodes |
| redis-ha.redis.config | object | See [values.yaml] | Any valid redis config options in this section will be applied to each server (see `redis-ha` chart) |
| redis-ha.redis.config.save | string | `'""'` | Will save the DB if both the given number of seconds and the given number of write operations against the DB occurred. `""` is disabled |
@ -1072,15 +1354,43 @@ If you want to use an existing Redis (eg. a managed service from a cloud provide
| externalRedis.secretAnnotations | object | `{}` | External Redis Secret annotations |
| externalRedis.username | string | `""` | External Redis username |
### Redis secret-init
The helm chart deploys a Job to setup a random password which is used to secure the Redis. The Redis password is stored in Kubernetes secret `argocd-redis` with key `auth` in the namespace where Argo CD is installed.
If you use an External Redis (See Option 3 above), this Job is not deployed.
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| redisSecretInit.containerSecurityContext | object | See [values.yaml] | Application controller container-level security context |
| redisSecretInit.enabled | bool | `true` | Enable Redis secret initialization. If disabled, secret must be provisioned by alternative methods |
| redisSecretInit.image.imagePullPolicy | string | `""` (defaults to global.image.imagePullPolicy) | Image pull policy for the Redis secret-init Job |
| redisSecretInit.image.repository | string | `""` (defaults to global.image.repository) | Repository to use for the Redis secret-init Job |
| redisSecretInit.image.tag | string | `""` (defaults to global.image.tag) | Tag to use for the Redis secret-init Job |
| redisSecretInit.imagePullSecrets | list | `[]` (defaults to global.imagePullSecrets) | Secrets with credentials to pull images from a private registry |
| redisSecretInit.jobAnnotations | object | `{}` | Annotations to be added to the Redis secret-init Job |
| redisSecretInit.name | string | `"redis-secret-init"` | Redis secret-init name |
| redisSecretInit.nodeSelector | object | `{}` (defaults to global.nodeSelector) | Node selector to be added to the Redis secret-init Job |
| redisSecretInit.podAnnotations | object | `{}` | Annotations to be added to the Redis secret-init Job |
| redisSecretInit.podLabels | object | `{}` | Labels to be added to the Redis secret-init Job |
| redisSecretInit.priorityClassName | string | `""` (defaults to global.priorityClassName) | Priority class for Redis secret-init Job |
| redisSecretInit.resources | object | `{}` | Resource limits and requests for Redis secret-init Job |
| redisSecretInit.securityContext | object | `{}` | Redis secret-init Job pod-level security context |
| redisSecretInit.serviceAccount.annotations | object | `{}` | Annotations applied to created service account |
| redisSecretInit.serviceAccount.automountServiceAccountToken | bool | `true` | Automount API credentials for the Service Account |
| redisSecretInit.serviceAccount.create | bool | `true` | Create a service account for the redis pod |
| redisSecretInit.serviceAccount.name | string | `""` | Service account name for redis pod |
| redisSecretInit.tolerations | list | `[]` (defaults to global.tolerations) | Tolerations to be added to the Redis secret-init Job |
## ApplicationSet
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| applicationSet.affinity | object | `{}` (defaults to global.affinity preset) | Assign custom [affinity] rules |
| applicationSet.args | object | `{}` | DEPRECATED - ApplicationSet controller command line flags |
| applicationSet.allowAnyNamespace | bool | `false` | Enable ApplicationSet in any namespace feature |
| applicationSet.automountServiceAccountToken | bool | `true` | Automount API credentials for the Service Account into the pod. |
| applicationSet.certificate.additionalHosts | list | `[]` | Certificate Subject Alternate Names (SANs) |
| applicationSet.certificate.annotations | object | `{}` | Annotations to be applied to the ApplicationSet Certificate |
| applicationSet.certificate.domain | string | `"argocd.example.com"` | Certificate primary domain (commonName) |
| applicationSet.certificate.domain | string | `""` (defaults to global.domain) | Certificate primary domain (commonName) |
| applicationSet.certificate.duration | string | `""` (defaults to 2160h = 90d if not specified) | The requested 'duration' (i.e. lifetime) of the certificate. |
| applicationSet.certificate.enabled | bool | `false` | Deploy a Certificate resource (requires cert-manager) |
| applicationSet.certificate.issuer.group | string | `""` | Certificate issuer group. Set if using an external issuer. Eg. `cert-manager.io` |
@ -1091,7 +1401,7 @@ If you want to use an existing Redis (eg. a managed service from a cloud provide
| applicationSet.certificate.privateKey.rotationPolicy | string | `"Never"` | Rotation policy of private key when certificate is re-issued. Either: `Never` or `Always` |
| applicationSet.certificate.privateKey.size | int | `2048` | Key bit size of the private key. If algorithm is set to `Ed25519`, size is ignored. |
| applicationSet.certificate.renewBefore | string | `""` (defaults to 360h = 15d if not specified) | How long before the expiry a certificate should be renewed. |
| applicationSet.certificate.secretName | string | `"argocd-application-controller-tls"` | The name of the Secret that will be automatically created and managed by this Certificate resource |
| applicationSet.certificate.secretName | string | `"argocd-applicationset-controller-tls"` | The name of the Secret that will be automatically created and managed by this Certificate resource |
| applicationSet.containerPorts.metrics | int | `8080` | Metrics container port |
| applicationSet.containerPorts.probe | int | `8081` | Probe container port |
| applicationSet.containerPorts.webhook | int | `7000` | Webhook container port |
@ -1100,8 +1410,8 @@ If you want to use an existing Redis (eg. a managed service from a cloud provide
| applicationSet.deploymentStrategy | object | `{}` | Deployment strategy to be added to the ApplicationSet controller Deployment |
| applicationSet.dnsConfig | object | `{}` | [DNS configuration] |
| applicationSet.dnsPolicy | string | `"ClusterFirst"` | Alternative DNS policy for ApplicationSet controller pods |
| applicationSet.enabled | bool | `true` | Enable ApplicationSet controller |
| applicationSet.extraArgs | list | `[]` | List of extra cli args to add |
| applicationSet.emptyDir.sizeLimit | string | `""` (defaults not set if not specified i.e. no size limit) | EmptyDir size limit for applicationSet controller |
| applicationSet.extraArgs | list | `[]` | ApplicationSet controller command line flags |
| applicationSet.extraContainers | list | `[]` | Additional containers to be added to the ApplicationSet controller pod |
| applicationSet.extraEnv | list | `[]` | Environment variables to pass to the ApplicationSet controller |
| applicationSet.extraEnvFrom | list | `[]` (See [values.yaml]) | envFrom to pass to the ApplicationSet controller |
@ -1111,6 +1421,18 @@ If you want to use an existing Redis (eg. a managed service from a cloud provide
| applicationSet.image.repository | string | `""` (defaults to global.image.repository) | Repository to use for the ApplicationSet controller |
| applicationSet.image.tag | string | `""` (defaults to global.image.tag) | Tag to use for the ApplicationSet controller |
| applicationSet.imagePullSecrets | list | `[]` (defaults to global.imagePullSecrets) | If defined, uses a Secret to pull an image from a private Docker registry or repository. |
| applicationSet.ingress.annotations | object | `{}` | Additional ingress annotations |
| applicationSet.ingress.enabled | bool | `false` | Enable an ingress resource for ApplicationSet webhook |
| applicationSet.ingress.extraHosts | list | `[]` (See [values.yaml]) | The list of additional hostnames to be covered by ingress record |
| applicationSet.ingress.extraPaths | list | `[]` (See [values.yaml]) | Additional ingress paths |
| applicationSet.ingress.extraRules | list | `[]` (See [values.yaml]) | Additional ingress rules |
| applicationSet.ingress.extraTls | list | `[]` (See [values.yaml]) | Additional ingress TLS configuration |
| applicationSet.ingress.hostname | string | `""` (defaults to global.domain) | Argo CD ApplicationSet hostname |
| applicationSet.ingress.ingressClassName | string | `""` | Defines which ingress ApplicationSet controller will implement the resource |
| applicationSet.ingress.labels | object | `{}` | Additional ingress labels |
| applicationSet.ingress.path | string | `"/api/webhook"` | List of ingress paths |
| applicationSet.ingress.pathType | string | `"Prefix"` | Ingress path type. One of `Exact`, `Prefix` or `ImplementationSpecific` |
| applicationSet.ingress.tls | bool | `false` | Enable TLS configuration for the hostname defined at `applicationSet.webhook.ingress.hostname` |
| applicationSet.initContainers | list | `[]` | Init containers to add to the ApplicationSet controller pod |
| applicationSet.livenessProbe.enabled | bool | `false` | Enable Kubernetes liveness probe for ApplicationSet controller |
| applicationSet.livenessProbe.failureThreshold | int | `3` | Minimum consecutive failures for the [probe] to be considered failed after having succeeded |
@ -1133,6 +1455,7 @@ If you want to use an existing Redis (eg. a managed service from a cloud provide
| applicationSet.metrics.serviceMonitor.namespace | string | `""` | Prometheus ServiceMonitor namespace |
| applicationSet.metrics.serviceMonitor.relabelings | list | `[]` | Prometheus [RelabelConfigs] to apply to samples before scraping |
| applicationSet.metrics.serviceMonitor.scheme | string | `""` | Prometheus ServiceMonitor scheme |
| applicationSet.metrics.serviceMonitor.scrapeTimeout | string | `""` | Prometheus ServiceMonitor scrapeTimeout. If empty, Prometheus uses the global scrape timeout unless it is less than the target's scrape interval value in which the latter is used. |
| applicationSet.metrics.serviceMonitor.selector | object | `{}` | Prometheus ServiceMonitor selector |
| applicationSet.metrics.serviceMonitor.tlsConfig | object | `{}` | Prometheus ServiceMonitor tlsConfig |
| applicationSet.name | string | `"applicationset-controller"` | ApplicationSet controller name string |
@ -1156,7 +1479,7 @@ If you want to use an existing Redis (eg. a managed service from a cloud provide
| applicationSet.service.annotations | object | `{}` | ApplicationSet service annotations |
| applicationSet.service.labels | object | `{}` | ApplicationSet service labels |
| applicationSet.service.port | int | `7000` | ApplicationSet service port |
| applicationSet.service.portName | string | `"webhook"` | ApplicationSet service port name |
| applicationSet.service.portName | string | `"http-webhook"` | ApplicationSet service port name |
| applicationSet.service.type | string | `"ClusterIP"` | ApplicationSet service type |
| applicationSet.serviceAccount.annotations | object | `{}` | Annotations applied to created service account |
| applicationSet.serviceAccount.automountServiceAccountToken | bool | `true` | Automount API credentials for the Service Account |
@ -1166,22 +1489,14 @@ If you want to use an existing Redis (eg. a managed service from a cloud provide
| applicationSet.terminationGracePeriodSeconds | int | `30` | terminationGracePeriodSeconds for container lifecycle hook |
| applicationSet.tolerations | list | `[]` (defaults to global.tolerations) | [Tolerations] for use with node taints |
| applicationSet.topologySpreadConstraints | list | `[]` (defaults to global.topologySpreadConstraints) | Assign custom [TopologySpreadConstraints] rules to the ApplicationSet controller |
| applicationSet.webhook.ingress.annotations | object | `{}` | Additional ingress annotations |
| applicationSet.webhook.ingress.enabled | bool | `false` | Enable an ingress resource for Webhooks |
| applicationSet.webhook.ingress.extraPaths | list | `[]` | Additional ingress paths |
| applicationSet.webhook.ingress.hosts | list | `[]` | List of ingress hosts |
| applicationSet.webhook.ingress.ingressClassName | string | `""` | Defines which ingress ApplicationSet controller will implement the resource |
| applicationSet.webhook.ingress.labels | object | `{}` | Additional ingress labels |
| applicationSet.webhook.ingress.pathType | string | `"Prefix"` | Ingress path type. One of `Exact`, `Prefix` or `ImplementationSpecific` |
| applicationSet.webhook.ingress.paths | list | `["/api/webhook"]` | List of ingress paths |
| applicationSet.webhook.ingress.tls | list | `[]` | Ingress TLS configuration |
## Notifications
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| notifications.affinity | object | `{}` (defaults to global.affinity preset) | Assign custom [affinity] rules |
| notifications.argocdUrl | string | `nil` | Argo CD dashboard url; used in place of {{.context.argocdUrl}} in templates |
| notifications.argocdUrl | string | `""` (defaults to https://`global.domain`) | Argo CD dashboard url; used in place of {{.context.argocdUrl}} in templates |
| notifications.automountServiceAccountToken | bool | `true` | Automount API credentials for the Service Account into the pod. |
| notifications.clusterRoleRules.rules | list | `[]` | List of custom rules for the notifications controller's ClusterRole resource |
| notifications.cm.create | bool | `true` | Whether helm chart creates notifications controller config map |
| notifications.containerPorts.metrics | int | `9001` | Metrics container port |
@ -1236,6 +1551,7 @@ If you want to use an existing Redis (eg. a managed service from a cloud provide
| notifications.secret.create | bool | `true` | Whether helm chart creates notifications controller secret |
| notifications.secret.items | object | `{}` | Generic key:value pairs to be inserted into the secret |
| notifications.secret.labels | object | `{}` | key:value pairs of labels to be added to the secret |
| notifications.secret.name | string | `"argocd-notifications-secret"` | notifications controller Secret name |
| notifications.serviceAccount.annotations | object | `{}` | Annotations applied to created service account |
| notifications.serviceAccount.automountServiceAccountToken | bool | `true` | Automount API credentials for the Service Account |
| notifications.serviceAccount.create | bool | `true` | Create notifications controller service account |
@ -1256,8 +1572,10 @@ Autogenerated from chart metadata using [helm-docs](https://github.com/norwoodj/
[BackendConfigSpec]: https://cloud.google.com/kubernetes-engine/docs/concepts/backendconfig#backendconfigspec_v1beta1_cloudgooglecom
[CSS styles]: https://argo-cd.readthedocs.io/en/stable/operator-manual/custom-styles/
[changelog]: https://artifacthub.io/packages/helm/argo/argo-cd?modal=changelog
[Chart Hooks]: https://helm.sh/docs/topics/charts_hooks/
[DNS configuration]: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/
[external cluster credentials]: https://argo-cd.readthedocs.io/en/stable/operator-manual/declarative-setup/#clusters
[FAQ]: https://argo-cd.readthedocs.io/en/stable/faq/
[FrontendConfigSpec]: https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-features#configuring_ingress_features_through_frontendconfig_parameters
[declarative setup]: https://argo-cd.readthedocs.io/en/stable/operator-manual/declarative-setup
[gRPC-ingress]: https://argo-cd.readthedocs.io/en/stable/operator-manual/ingress/

285
charts/argo-cd/README.md.gotmpl
View file

@ -63,7 +63,181 @@ applicationSet:
replicas: 2
```
### Synchronizing Changes from Original Repository
## Ingress configuration
Please refer to the [Operator Manual](https://argo-cd.readthedocs.io/en/stable/operator-manual/ingress/#ingress-configurationh) for details as the samples
below corespond to their respective sections.
### SSL-Passthrough
The `tls: true` option will expect that the `argocd-server-tls` secret exists as Argo CD server loads TLS certificates from this place.
```yaml
global:
domain: argocd.example.com
certificate:
enabled: true
server:
ingress:
enabled: true
ingressClassName: nginx
annotations:
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
nginx.ingress.kubernetes.io/ssl-passthrough: "true"
tls: true
```
### SSL Termination at Ingress Controller
```yaml
global:
domain: argocd.example.com
configs:
params:
server.insecure: true
server:
ingress:
enabled: true
ingressClassName: nginx
annotations:
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
extraTls:
- hosts:
- argocd.example.com
# Based on the ingress controller used secret might be optional
secretName: wildcard-tls
```
> **Note:**
> If you don't plan on using a wildcard certificate it's also possible to use `tls: true` without `extraTls` section.
### Multiple ingress resources for gRPC protocol support
Use `ingressGrpc` section if your ingress controller supports only a single protocol per Ingress resource (i.e.: Contour).
```yaml
global:
domain: argocd.example.com
configs:
params:
server.insecure: true
server:
ingress:
enabled: true
ingressClassName: contour-internal
extraTls:
- hosts:
- argocd.example.com
secretName: wildcard-tls
ingressGrpc:
enabled: true
ingressClassName: contour-internal
extraTls:
- hosts:
- grpc.argocd.example.com
secretName: wildcard-tls
```
### Multiple ingress domains
```yaml
global:
domain: argocd.example.com
server:
ingress:
enabled: true
ingressClassName: nginx
annotations:
cert-manager.io/cluster-issuer: "<my-issuer>"
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
tls: true
extraHosts:
- name: argocd-alias.example.com
path: /
```
### AWS Application Load Balancer
Refer to the Operator Manual for [AWS Application Load Balancer mode](https://argo-cd.readthedocs.io/en/stable/operator-manual/ingress/#aws-application-load-balancers-albs-and-classic-elb-http-mode).
The provided example assumes you are using TLS off-loading via AWS ACM service.
> **Note:**
> Using `controller: aws` creates additional service for gRPC traffic and it's no longer need to use `ingressGrpc` configuration section.
```yaml
global:
domain: argocd.example.com
configs:
params:
server.insecure: true
server:
ingress:
enabled: true
controller: aws
ingressClassName: alb
annotations:
alb.ingress.kubernetes.io/scheme: internal
alb.ingress.kubernetes.io/target-type: ip
alb.ingress.kubernetes.io/backend-protocol: HTTP
alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":80}, {"HTTPS":443}]'
alb.ingress.kubernetes.io/ssl-redirect: '443'
aws:
serviceType: ClusterIP # <- Used with target-type: ip
backendProtocolVersion: GRPC
```
### GKE Application Load Balancer
The implementation will populate `ingressClassName`, `networking.gke.io/managed-certificates` and `networking.gke.io/v1beta1.FrontendConfig` annotations
automatically if you provide configuration for GKE resources.
```yaml
global:
domain: argocd.example.com
configs:
params:
server.insecure: true
server:
service:
annotations:
cloud.google.com/neg: '{"ingress": true}'
cloud.google.com/backend-config: '{"ports": {"http":"argocd-server"}}'
ingress:
enabled: true
controller: gke
gke:
backendConfig:
healthCheck:
checkIntervalSec: 30
timeoutSec: 5
healthyThreshold: 1
unhealthyThreshold: 2
type: HTTP
requestPath: /healthz
port: 8080
frontendConfig:
redirectToHttps:
enabled: true
managedCertificate:
enabled: true
```
## Synchronizing Changes from Original Repository
In the original [Argo CD repository](https://github.com/argoproj/argo-cd/) an [`manifests/install.yaml`](https://github.com/argoproj/argo-cd/blob/master/manifests/install.yaml) is generated using `kustomize`. It's the basis for the installation as [described in the docs](https://argo-cd.readthedocs.io/en/stable/getting_started/#1-install-argo-cd).
@ -104,15 +278,87 @@ For full list of changes please check ArtifactHub [changelog].
Highlighted versions provide information about additional steps that should be performed by user when upgrading to newer version.
### 6.10.0
This version introduces authentication for Redis to mitigate GHSA-9766-5277-j5hr.
#### How to rotate Redis secret?
Upstream steps in the [FAQ] are not enough, since we chose a different approach.
(We use a Kubernetes Job with [Chart Hooks] to create the auth secret `argocd-redis`.)
Steps to roteate the secret when using the helm chart (bold step is additional to upstream):
* Delete `argocd-redis` secret in the namespace where Argo CD is installed.
```bash
kubectl delete secret argocd-redis -n <argocd namesapce>
```
* **Perform a helm upgrade**
```bash
helm upgrade argocd argo/argo-cd --reuse-values --wait
```
* If you are running Redis in HA mode, restart Redis in HA.
```bash
kubectl rollout restart deployment argocd-redis-ha-haproxy
kubectl rollout restart statefulset argocd-redis-ha-server
```
* If you are running Redis in non-HA mode, restart Redis.
```bash
kubectl rollout restart deployment argocd-redis
```
* Restart other components.
```bash
kubectl rollout restart deployment argocd-server argocd-repo-server
kubectl rollout restart statefulset argocd-application-controller
```
### 6.9.0
ApplicationSet controller is always created to follow [upstream's manifest](https://github.com/argoproj/argo-cd/blob/v2.11.0/manifests/core-install/kustomization.yaml#L9).
### 6.4.0
Added support for application controller dynamic cluster distribution.
Please refer to [the docs](https://argo-cd.readthedocs.io/en/stable/operator-manual/dynamic-cluster-distribution) for more information.
Added env variables to handle the non-standard names generated by the helm chart.
Here are the [docs](https://argo-cd.readthedocs.io/en/release-2.9/user-guide/environment-variables/)
and [code](https://github.com/argoproj/argo-cd/blob/99723143b96ceec9ef5b0a7feb7b4f4b0dce3497/common/common.go#L252)
### 6.1.0
Added support for global domain used by all components.
### 6.0.0
This version **removes support for**:
* deprecated component options `logLevel` and `logFormat`
* deprecated component arguments `<components>.args.<feature>` that were replaced with `configs.params`
* deprecated configuration `server.config` that was replaced with `configs.cm`
* deprecated configuration `server.rbacConfig` that was replaced with `configs.rbac`
Major version also contains breaking **changes related to Argo CD Ingress** resources that were hard to extend and maintain for various ingress controller implementations.
Please review your setup and adjust to new configuration options:
* catch all rule was removed for security reasons. If you need this please use `server.ingress.extraRules` to provide ingress rule without hostname
* ingress rule for `paths` changed to `path` as there is only single Argo CD backend path
* ingress rule for `hosts` changed to `hostname` as there can be only single SSO redirect for given hostname
* ingress TLS for server uses by default `argocd-server-tls` secret required by Argo CD server, additional ingresses are using `<hostname>-tls` secret when `tls: true`
* additional hostnames and routing can be provided via `extraHosts` configuration section
* additional TLS secrets can be provided via `extraTls` configuration section
Please refer to [ingress configuration](#ingress-configuration) for examples.
### 5.53.0
Argocd-repo-server can now optionally use Persistent Volumes for its mountpoints instead of only emptydir()
### 5.52.0
Because [Argo CD Extensions] is now deprecated and no further changes will be made, we switched to [Argo CD Extension Installer], adding an Argo CD Extension Installer to init-container in the Argo CD API server.
If you used old mechanism, please move to new mechanism. For more details, please refer `.Values.server.extensions` in values.yaml.
### 5.35.0
This version supports Kubernetes version `>=1.23.0-0`. The current supported version of Kubernetes is v1.24 or later and we align with the Amazon EKS calendar, because many AWS users follow a conservative approach.
Please see more information about EoL: [Amazon EKS EoL][EKS EoL].
@ -456,28 +702,6 @@ NAME: my-release
{{- end }}
{{- end }}
### Using AWS ALB Ingress Controller With GRPC
If you are using an AWS ALB Ingress controller, you will need to set `server.ingressGrpc.isAWSALB` to `true`. This will create a second service with the annotation `alb.ingress.kubernetes.io/backend-protocol-version: HTTP2` and modify the server ingress to add a condition annotation to route GRPC traffic to the new service.
Example:
```yaml
server:
ingress:
enabled: true
annotations:
alb.ingress.kubernetes.io/backend-protocol: HTTPS
alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}]'
alb.ingress.kubernetes.io/scheme: internal
alb.ingress.kubernetes.io/target-type: ip
ingressGrpc:
enabled: true
isAWSALB: true
awsALB:
serviceType: ClusterIP
```
## Dex
| Key | Type | Default | Description |
@ -531,6 +755,19 @@ If you want to use an existing Redis (eg. a managed service from a cloud provide
{{- end }}
{{- end }}
### Redis secret-init
The helm chart deploys a Job to setup a random password which is used to secure the Redis. The Redis password is stored in Kubernetes secret `argocd-redis` with key `auth` in the namespace where Argo CD is installed.
If you use an External Redis (See Option 3 above), this Job is not deployed.
| Key | Type | Default | Description |
|-----|------|---------|-------------|
{{- range .Values }}
{{- if hasPrefix "redisSecretInit" .Key }}
| {{ .Key }} | {{ .Type }} | {{ if .Default }}{{ .Default }}{{ else }}{{ .AutoDefault }}{{ end }} | {{ if .Description }}{{ .Description }}{{ else }}{{ .AutoDescription }}{{ end }} |
{{- end }}
{{- end }}
## ApplicationSet
| Key | Type | Default | Description |
@ -559,8 +796,10 @@ Autogenerated from chart metadata using [helm-docs](https://github.com/norwoodj/
[BackendConfigSpec]: https://cloud.google.com/kubernetes-engine/docs/concepts/backendconfig#backendconfigspec_v1beta1_cloudgooglecom
[CSS styles]: https://argo-cd.readthedocs.io/en/stable/operator-manual/custom-styles/
[changelog]: https://artifacthub.io/packages/helm/argo/argo-cd?modal=changelog
[Chart Hooks]: https://helm.sh/docs/topics/charts_hooks/
[DNS configuration]: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/
[external cluster credentials]: https://argo-cd.readthedocs.io/en/stable/operator-manual/declarative-setup/#clusters
[FAQ]: https://argo-cd.readthedocs.io/en/stable/faq/
[FrontendConfigSpec]: https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-features#configuring_ingress_features_through_frontendconfig_parameters
[declarative setup]: https://argo-cd.readthedocs.io/en/stable/operator-manual/declarative-setup
[gRPC-ingress]: https://argo-cd.readthedocs.io/en/stable/operator-manual/ingress/

6
charts/argo-cd/ci/dynamic-sharding-values.yaml Normal file
View file

@ -0,0 +1,6 @@
# Test application controller dynamic cluster distribution
crds:
keep: false
controller:
dynamicClusterDistribution: true

132
charts/argo-cd/templates/NOTES.txt
View file

@ -1,133 +1,3 @@
{{- if .Values.controller.args.statusProcessors }}
DEPRECATED option controller.args.statusProcessors - Use configs.params.controller.status.processors
{{- end }}
{{- if .Values.controller.args.operationProcessors }}
DEPRECATED option controller.args.operationProcessors - Use configs.params.controller.operation.processors
{{- end }}
{{- if .Values.controller.args.appResyncPeriod }}
DEPRECATED option controller.args.appResyncPeriod - Use server.config.timeout.reconciliation
{{- end }}
{{- if .Values.controller.args.appHardResyncPeriod }}
DEPRECATED option controller.args.appHardResyncPeriod - Use server.config.timeout.hard.reconciliation
{{- end }}
{{- if .Values.controller.args.selfHealTimeout }}
DEPRECATED option controller.args.selfHealTimeout - Use configs.params.controller.self.heal.timeout.seconds
{{- end }}
{{- if .Values.controller.args.repoServerTimeoutSeconds }}
DEPRECATED option controller.args.repoServerTimeoutSeconds - Use configs.params.controller.repo.server.timeout.seconds
{{- end }}
{{- if .Values.controller.logFormat }}
DEPRECATED option controller.logFormat - Use configs.params.controller.log.format
{{- end }}
{{- if .Values.controller.logLevel }}
DEPRECATED option controller.logLevel - Use configs.params.controller.log.level
{{- end }}
{{- if .Values.server.logFormat }}
DEPRECATED option server.logFormat - Use configs.params.server.log.format
{{- end }}
{{- if .Values.server.logLevel }}
DEPRECATED option server.logLevel - Use configs.params.server.log.level
{{- end }}
{{- if has "--insecure" .Values.server.extraArgs }}
DEPRECATED option server.extraArgs."--insecure" - Use configs.params.server.insecure
{{- end }}
{{- if .Values.repoServer.logFormat }}
DEPRECATED option repoServer.logFormat - Use configs.params.repoServer.log.format
{{- end }}
{{- if .Values.repoServer.logLevel }}
DEPRECATED option repoServer.logLevel - Use configs.params.repoServer.log.level
{{- end }}
{{- if or .Values.server.config (hasKey .Values.server "configEnabled") .Values.server.configAnnotations }}
DEPRECATED option server.config - Use configs.cm
{{- end }}
{{- if or .Values.server.rbacConfig (hasKey .Values.server "rbacConfigCreate") .Values.server.rbacConfigAnnotations }}
DEPRECATED option server.rbacConfig - Use configs.rbac
{{- end }}
{{- if .Values.configs.secret.argocdServerTlsConfig }}
DEPRECATED option config.secret.argocdServerTlsConfig - Use server.certificate or server.certificateSecret
{{- end }}
{{- if .Values.configs.gpgKeys }}
DEPRECATED option configs.gpgKeys - Use config.gpg.keys
{{- end }}
{{- if .Values.configs.gpgKeysAnnotations }}
DEPRECATED option configs.gpgKeysAnnotations - Use config.gpg.annotations
{{- end }}
{{- if hasKey (.Values.controller.clusterAdminAccess | default dict) "enabled" }}
DEPRECATED option .controller.clusterAdminAccess.enabled - Use createClusterRoles
{{- end }}
{{- if hasKey (.Values.server.clusterAdminAccess | default dict) "enabled" }}
DEPRECATED option .server.clusterAdminAccess.enabled - Use createClusterRoles
{{- end }}
{{- if hasKey (.Values.repoServer.clusterAdminAccess | default dict) "enabled" }}
DEPRECATED option .server.clusterAdminAccess.enabled - Use createClusterRoles
{{- end }}
{{- if .Values.configs.knownHostsAnnotations }}
DEPRECATED option configs.knownHostsAnnotations - Use configs.ssh.annotations
{{- end }}
{{- if hasKey .Values.configs "knownHosts" }}
DEPRECATED option configs.knownHosts.data.ssh_known_hosts - Use configs.ssh.knownHosts
{{- end }}
{{- if .Values.configs.tlsCertsAnnotations }}
DEPRECATED option configs.tlsCertsAnnotations - Use configs.tls.annotations
{{- end }}
{{- if hasKey .Values.configs "tlsCerts" }}
DEPRECATED option configs.tlsCerts.data - Use configs.tls.certificates
{{- end }}
{{- if .Values.applicationSet.replicaCount }}
DEPRECATED option applicationSet.replicaCount - Use applicationSet.replicas
{{- end }}
{{- if .Values.applicationSet.logFormat }}
DEPRECATED option applicationSet.logFormat - Use configs.params.applicationsetcontroller.log.format
{{- end }}
{{- if .Values.applicationSet.logLevel }}
DEPRECATED option applicationSet.logLevel - Use configs.params.applicationsetcontroller.log.level
{{- end }}
{{- if .Values.applicationSet.args.policy }}
DEPRECATED option applicationSet.args.policy - Use configs.params.applicationsetcontroller.policy
{{- end }}
{{- if .Values.applicationSet.args.dryRun }}
DEPRECATED option applicationSet.args.dryRun - Use configs.params.applicationsetcontroller.dryRun
{{- end }}
{{- if .Values.controller.service }}
REMOVED option controller.service - Use controller.metrics
{{- end }}
{{- if .Values.repoServer.copyutil }}
REMOVED option repoSever.copyutil.resources - Use repoServer.resources
{{- end }}
{{- if .Values.applicationSet.args.debug }}
REMOVED option applicationSet.args.debug - Use applicationSet.logLevel: debug
{{- end }}
{{- if .Values.applicationSet.args.enableLeaderElection }}
REMOVED option applicationSet.args.enableLeaderElection - Value determined based on replicas
{{- end }}
{{- if .Values.controller.containerPort }}
REMOVED option controller.containerPort - Use controller.containerPorts
{{- end }}
{{- if .Values.server.containerPort }}
REMOVED option server.containerPort - Use server.containerPorts
{{- end }}
{{- if .Values.repoServer.containerPort }}
REMOVED option repoServer.containerPort - Use repoServer.containerPorts
{{- end }}
{{- if .Values.applicationSet.args.metricsAddr }}
REMOVED option applicationSet.args.metricsAddr - Use applicationSet.containerPorts
{{- end }}
{{- if .Values.applicationSet.args.probeBindAddr }}
REMOVED option applicationSet.args.probeBindAddr - Use applicationSet.containerPorts
{{- end }}
{{- if .Values.redis.containerPort }}
REMOVED option redis.containerPort - Use redis.containerPorts
{{- end }}
{{- if .Values.redis.metrics.containerPort }}
REMOVED option redis.metrics.containerPort - Use redis.containerPorts
{{- end }}
{{- if .Values.apiVersionOverrides.autoscaling }}
REMOVED option apiVersionOverrides.autoscaling - API autoscaling/v2 is GA from 1.23
{{- end }}
{{- if .Values.apiVersionOverrides.certmanager }}
REMOVED option apiVersionOverrides.certmanager - API v1 is only possible option after K8s 1.22
{{- end }}
In order to access the server UI you have the following options:
1. kubectl port-forward service/{{ include "argo-cd.fullname" . }}-server -n {{ .Release.Namespace }} 8080:443
@ -139,7 +9,7 @@ In order to access the server UI you have the following options:
- Set the `configs.params."server.insecure"` in the values file and terminate SSL at your ingress: https://argo-cd.readthedocs.io/en/stable/operator-manual/ingress/#option-2-multiple-ingress-objects-and-hosts
{{ if eq (toString (index (coalesce .Values.server.config .Values.configs.cm) "admin.enabled")) "true" -}}
{{ if eq (toString (index .Values.configs.cm "admin.enabled")) "true" -}}
After reaching the UI the first time you can login with username: admin and the random password generated during the installation. You can find the password by running:
kubectl -n {{ .Release.Namespace }} get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d

51
charts/argo-cd/templates/_helpers.tpl
View file

@ -86,6 +86,25 @@ Create the name of the redis service account to use
{{- end -}}
{{- end -}}
{{/*
Create Redis secret-init name
*/}}
{{- define "argo-cd.redisSecretInit.fullname" -}}
{{- printf "%s-%s" (include "argo-cd.fullname" .) .Values.redisSecretInit.name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create the name of the Redis secret-init service account to use
*/}}
{{- define "argo-cd.redisSecretInit.serviceAccountName" -}}
{{- if .Values.redisSecretInit.serviceAccount.create -}}
{{ default (include "argo-cd.redisSecretInit.fullname" .) .Values.redis.serviceAccount.name }}
{{- else -}}
{{ default "default" .Values.redisSecretInit.serviceAccount.name }}
{{- end -}}
{{- end -}}
{{/*
Create argocd server name and version as used by the chart label.
*/}}
@ -159,10 +178,14 @@ Create the name of the notifications service account to use
{{- end -}}
{{/*
Argo Configuration Preset Values (Incluenced by Values configuration)
Argo Configuration Preset Values (Influenced by Values configuration)
*/}}
{{- define "argo-cd.config.cm.presets" -}}
{{- $presets := dict -}}
{{- $_ := set $presets "url" (printf "https://%s" .Values.global.domain) -}}
{{- if index .Values.configs.cm "statusbadge.enabled" | eq true -}}
{{- $_ := set $presets "statusbadge.url" (printf "https://%s/" .Values.global.domain) -}}
{{- end -}}
{{- if .Values.configs.styles -}}
{{- $_ := set $presets "ui.cssurl" "./custom/custom.styles.css" -}}
{{- end -}}
@ -173,7 +196,7 @@ Argo Configuration Preset Values (Incluenced by Values configuration)
Merge Argo Configuration with Preset Configuration
*/}}
{{- define "argo-cd.config.cm" -}}
{{- $config := (mergeOverwrite (deepCopy (omit .Values.configs.cm "create" "annotations")) (.Values.server.config | default dict)) -}}
{{- $config := omit .Values.configs.cm "create" "annotations" -}}
{{- $preset := include "argo-cd.config.cm.presets" . | fromYaml | default dict -}}
{{- range $key, $value := mergeOverwrite $preset $config }}
{{- $fmted := $value | toString }}
@ -192,6 +215,7 @@ NOTE: Configuration keys must be stored as dict because YAML treats dot as separ
{{- $_ := set $presets "repo.server" (printf "%s:%s" (include "argo-cd.repoServer.fullname" .) (.Values.repoServer.service.port | toString)) -}}
{{- $_ := set $presets "server.repo.server.strict.tls" (.Values.repoServer.certificateSecret.enabled | toString ) -}}
{{- $_ := set $presets "redis.server" (include "argo-cd.redis.server" .) -}}
{{- $_ := set $presets "applicationsetcontroller.enable.leader.election" (gt ((.Values.applicationSet.replicas | default .Values.applicationSet.replicaCount) | int64) 1) -}}
{{- if .Values.dex.enabled -}}
{{- $_ := set $presets "server.dex.server" (include "argo-cd.dex.server" .) -}}
{{- $_ := set $presets "server.dex.server.strict.tls" .Values.dex.certificateSecret.enabled -}}
@ -200,9 +224,6 @@ NOTE: Configuration keys must be stored as dict because YAML treats dot as separ
{{- $_ := set $presets (printf "%s.log.format" $component) $.Values.global.logging.format -}}
{{- $_ := set $presets (printf "%s.log.level" $component) $.Values.global.logging.level -}}
{{- end -}}
{{- if .Values.applicationSet.enabled -}}
{{- $_ := set $presets "applicationsetcontroller.enable.leader.election" (gt ((.Values.applicationSet.replicas | default .Values.applicationSet.replicaCount) | int64) 1) -}}
{{- end -}}
{{- toYaml $presets }}
{{- end -}}
@ -216,3 +237,23 @@ Merge Argo Params Configuration with Preset Configuration
{{ $key }}: {{ toString $value | toYaml }}
{{- end }}
{{- end -}}
{{/*
Expand the namespace of the release.
Allows overriding it for multi-namespace deployments in combined charts.
*/}}
{{- define "argo-cd.namespace" -}}
{{- default .Release.Namespace .Values.namespaceOverride | trunc 63 | trimSuffix "-" -}}
{{- end }}
{{/*
Dual stack definition
*/}}
{{- define "argo-cd.dualStack" -}}
{{- with .Values.global.dualStack.ipFamilyPolicy }}
ipFamilyPolicy: {{ . }}
{{- end }}
{{- with .Values.global.dualStack.ipFamilies }}
ipFamilies: {{ toYaml . | nindent 4 }}
{{- end }}
{{- end }}

13
charts/argo-cd/templates/_versions.tpl
View file

@ -5,16 +5,3 @@ Return the target Kubernetes version
{{- define "argo-cd.kubeVersion" -}}
{{- default .Capabilities.KubeVersion.Version .Values.kubeVersionOverride }}
{{- end }}
{{/*
Return the appropriate apiVersion for GKE resources
*/}}
{{- define "argo-cd.apiVersions.cloudgoogle" -}}
{{- if .Values.apiVersionOverrides.cloudgoogle -}}
{{- print .Values.apiVersionOverrides.cloudgoogle -}}
{{- else if .Capabilities.APIVersions.Has "cloud.google.com/v1" -}}
{{- print "cloud.google.com/v1" -}}
{{- else -}}
{{- print "cloud.google.com/v1beta1" -}}
{{- end -}}
{{- end -}}

6
charts/argo-cd/templates/aggregate-roles.yaml
View file

@ -11,9 +11,7 @@ rules:
- argoproj.io
resources:
- applications
{{- if .Values.applicationSet.enabled }}
- applicationsets
{{- end }}
- appprojects
verbs:
- get
@ -33,9 +31,7 @@ rules:
- argoproj.io
resources:
- applications
{{- if .Values.applicationSet.enabled }}
- applicationsets
{{- end }}
- appprojects
verbs:
- create
@ -60,9 +56,7 @@ rules:
- argoproj.io
resources:
- applications
{{- if .Values.applicationSet.enabled }}
- applicationsets
{{- end }}
- appprojects
verbs:
- create

3
charts/argo-cd/templates/argocd-application-controller/clusterrole.yaml
View file

@ -1,5 +1,4 @@
{{- $config := .Values.controller.clusterAdminAccess | default dict -}}
{{- if hasKey $config "enabled" | ternary $config.enabled .Values.createClusterRoles }}
{{- if .Values.createClusterRoles }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:

5
charts/argo-cd/templates/argocd-application-controller/clusterrolebinding.yaml
View file

@ -1,5 +1,4 @@
{{- $config := .Values.controller.clusterAdminAccess | default dict -}}
{{- if hasKey $config "enabled" | ternary $config.enabled .Values.createClusterRoles }}
{{- if .Values.createClusterRoles }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
@ -13,5 +12,5 @@ roleRef:
subjects:
- kind: ServiceAccount
name: {{ include "argo-cd.controller.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
namespace: {{ include "argo-cd.namespace" . }}
{{- end }}

374
charts/argo-cd/templates/argocd-application-controller/deployment.yaml Normal file
View file

@ -0,0 +1,374 @@
{{- if .Values.controller.dynamicClusterDistribution }}
apiVersion: apps/v1
kind: Deployment
metadata:
{{- with (mergeOverwrite (deepCopy .Values.global.deploymentAnnotations) .Values.controller.deploymentAnnotations) }}
annotations:
{{- range $key, $value := . }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
name: {{ template "argo-cd.controller.fullname" . }}
namespace: {{ include "argo-cd.namespace" . }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }}
spec:
replicas: {{ .Values.controller.replicas }}
revisionHistoryLimit: {{ .Values.controller.revisionHistoryLimit | default .Values.global.revisionHistoryLimit }}
selector:
matchLabels:
{{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.controller.name) | nindent 6 }}
template:
metadata:
annotations:
checksum/cmd-params: {{ include (print $.Template.BasePath "/argocd-configs/argocd-cmd-params-cm.yaml") . | sha256sum }}
{{- if .Values.configs.cm.create }}
checksum/cm: {{ include (print $.Template.BasePath "/argocd-configs/argocd-cm.yaml") . | sha256sum }}
{{- end }}
{{- with (mergeOverwrite (deepCopy .Values.global.podAnnotations) .Values.controller.podAnnotations) }}
{{- range $key, $value := . }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 8 }}
{{- with (mergeOverwrite (deepCopy .Values.global.podLabels) .Values.controller.podLabels) }}
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
{{- with .Values.controller.imagePullSecrets | default .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.global.hostAliases }}
hostAliases:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.global.securityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.controller.priorityClassName | default .Values.global.priorityClassName }}
priorityClassName: {{ . }}
{{- end }}
{{- if .Values.controller.terminationGracePeriodSeconds }}
terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }}
{{- end }}
serviceAccountName: {{ include "argo-cd.controller.serviceAccountName" . }}
automountServiceAccountToken: {{ .Values.controller.automountServiceAccountToken }}
containers:
- args:
- /usr/local/bin/argocd-application-controller
- --metrics-port={{ .Values.controller.containerPorts.metrics }}
{{- if .Values.controller.metrics.applicationLabels.enabled }}
{{- range .Values.controller.metrics.applicationLabels.labels }}
- --metrics-application-labels
- {{ . }}
{{- end }}
{{- end }}
{{- with .Values.controller.extraArgs }}
{{- toYaml . | nindent 8 }}
{{- end }}
image: {{ default .Values.global.image.repository .Values.controller.image.repository }}:{{ default (include "argo-cd.defaultTag" .) .Values.controller.image.tag }}
imagePullPolicy: {{ default .Values.global.image.imagePullPolicy .Values.controller.image.imagePullPolicy }}
name: {{ .Values.controller.name }}
env:
{{- with (concat .Values.global.env .Values.controller.env) }}
{{- toYaml . | nindent 10 }}
{{- end }}
- name: ARGOCD_ENABLE_DYNAMIC_CLUSTER_DISTRIBUTION
value: "true"
- name: ARGOCD_CONTROLLER_HEARTBEAT_TIME
value: {{ .Values.controller.heartbeatTime | quote }}
- name: ARGOCD_APPLICATION_CONTROLLER_NAME
value: {{ template "argo-cd.controller.fullname" . }}
- name: ARGOCD_RECONCILIATION_TIMEOUT
valueFrom:
configMapKeyRef:
name: argocd-cm
key: timeout.reconciliation
optional: true
- name: ARGOCD_HARD_RECONCILIATION_TIMEOUT
valueFrom:
configMapKeyRef:
name: argocd-cm
key: timeout.hard.reconciliation
optional: true
- name: ARGOCD_RECONCILIATION_JITTER
valueFrom:
configMapKeyRef:
key: timeout.reconciliation.jitter
name: argocd-cm
optional: true
- name: ARGOCD_REPO_ERROR_GRACE_PERIOD_SECONDS
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.repo.error.grace.period.seconds
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: repo.server
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER_TIMEOUT_SECONDS
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.repo.server.timeout.seconds
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_STATUS_PROCESSORS
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.status.processors
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_OPERATION_PROCESSORS
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.operation.processors
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_LOGFORMAT
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.log.format
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_LOGLEVEL
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.log.level
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_METRICS_CACHE_EXPIRATION
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.metrics.cache.expiration
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_SELF_HEAL_TIMEOUT_SECONDS
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.self.heal.timeout.seconds
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER_PLAINTEXT
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.repo.server.plaintext
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER_STRICT_TLS
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.repo.server.strict.tls
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_PERSIST_RESOURCE_HEALTH
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.resource.health.persist
optional: true
- name: ARGOCD_APP_STATE_CACHE_EXPIRATION
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.app.state.cache.expiration
optional: true
- name: REDIS_SERVER
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: redis.server
optional: true
- name: REDIS_COMPRESSION
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: redis.compression
optional: true
- name: REDISDB
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: redis.db
optional: true
- name: REDIS_USERNAME
valueFrom:
secretKeyRef:
name: {{ default "argocd-redis" .Values.externalRedis.existingSecret }}
key: redis-username
optional: true
- name: REDIS_PASSWORD
valueFrom:
secretKeyRef:
name: {{ default "argocd-redis" .Values.externalRedis.existingSecret }}
{{- if .Values.externalRedis.host }}
key: redis-password
optional: true
{{- else }}
key: auth
{{- end }}
- name: ARGOCD_DEFAULT_CACHE_EXPIRATION
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.default.cache.expiration
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_OTLP_ADDRESS
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: otlp.address
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_OTLP_INSECURE
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: otlp.insecure
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_OTLP_HEADERS
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: otlp.headers
optional: true
- name: ARGOCD_APPLICATION_NAMESPACES
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: application.namespaces
optional: true
- name: ARGOCD_CONTROLLER_SHARDING_ALGORITHM
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.sharding.algorithm
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_KUBECTL_PARALLELISM_LIMIT
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.kubectl.parallelism.limit
optional: true
- name: ARGOCD_K8SCLIENT_RETRY_MAX
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.k8sclient.retry.max
optional: true
- name: ARGOCD_K8SCLIENT_RETRY_BASE_BACKOFF
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.k8sclient.retry.base.backoff
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_SERVER_SIDE_DIFF
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.diff.server.side
optional: true
- name: ARGOCD_IGNORE_NORMALIZER_JQ_TIMEOUT
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.ignore.normalizer.jq.timeout
optional: true
{{- with .Values.controller.envFrom }}
envFrom:
{{- toYaml . | nindent 10 }}
{{- end }}
ports:
- name: metrics
containerPort: {{ .Values.controller.containerPorts.metrics }}
protocol: TCP
readinessProbe:
httpGet:
path: /healthz
port: metrics
initialDelaySeconds: {{ .Values.controller.readinessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.controller.readinessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.controller.readinessProbe.timeoutSeconds }}
successThreshold: {{ .Values.controller.readinessProbe.successThreshold }}
failureThreshold: {{ .Values.controller.readinessProbe.failureThreshold }}
resources:
{{- toYaml .Values.controller.resources | nindent 10 }}
{{- with .Values.controller.containerSecurityContext }}
securityContext:
{{- toYaml . | nindent 10 }}
{{- end }}
workingDir: /home/argocd
volumeMounts:
{{- with .Values.controller.volumeMounts }}
{{- toYaml . | nindent 8 }}
{{- end }}
- mountPath: /app/config/controller/tls
name: argocd-repo-server-tls
- mountPath: /home/argocd
name: argocd-home
{{- with .Values.controller.extraContainers }}
{{- tpl (toYaml .) $ | nindent 6 }}
{{- end }}
{{- with .Values.controller.initContainers }}
initContainers:
{{- tpl (toYaml .) $ | nindent 6 }}
{{- end }}
{{- with include "argo-cd.affinity" (dict "context" . "component" .Values.controller) }}
affinity:
{{- trim . | nindent 8 }}
{{- end }}
{{- with .Values.controller.nodeSelector | default .Values.global.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.controller.tolerations | default .Values.global.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.controller.topologySpreadConstraints | default .Values.global.topologySpreadConstraints }}
topologySpreadConstraints:
{{- range $constraint := . }}
- {{ toYaml $constraint | nindent 8 | trim }}
{{- if not $constraint.labelSelector }}
labelSelector:
matchLabels:
{{- include "argo-cd.selectorLabels" (dict "context" $ "name" $.Values.controller.name) | nindent 12 }}
{{- end }}
{{- end }}
{{- end }}
volumes:
{{- with .Values.controller.volumes }}
{{- toYaml . | nindent 6 }}
{{- end }}
- name: argocd-home
{{- if .Values.controller.emptyDir.sizeLimit }}
emptyDir:
sizeLimit: {{ .Values.controller.emptyDir.sizeLimit }}
{{- else }}
emptyDir: {}
{{- end }}
- name: argocd-repo-server-tls
secret:
secretName: argocd-repo-server-tls
optional: true
items:
- key: tls.crt
path: tls.crt
- key: tls.key
path: tls.key
- key: ca.crt
path: ca.crt
{{- if .Values.controller.hostNetwork }}
hostNetwork: {{ .Values.controller.hostNetwork }}
{{- end }}
{{- with .Values.controller.dnsConfig }}
dnsConfig:
{{- toYaml . | nindent 8 }}
{{- end }}
dnsPolicy: {{ .Values.controller.dnsPolicy }}
{{- end }}

3
charts/argo-cd/templates/argocd-application-controller/metrics.yaml
View file

@ -3,7 +3,7 @@ apiVersion: v1
kind: Service
metadata:
name: {{ include "argo-cd.controller.fullname" . }}-metrics
namespace: {{ .Release.Namespace | quote }}
namespace: {{ include "argo-cd.namespace" . }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.controller.name "name" "metrics") | nindent 4 }}
{{- with .Values.controller.metrics.service.labels }}
@ -24,6 +24,7 @@ spec:
{{- if and .Values.controller.metrics.service.clusterIP (eq .Values.controller.metrics.service.type "ClusterIP") }}
clusterIP: {{ .Values.controller.metrics.service.clusterIP }}
{{- end }}
{{- include "argo-cd.dualStack" . | indent 2 }}
ports:
- name: {{ .Values.controller.metrics.service.portName }}
protocol: TCP

2
charts/argo-cd/templates/argocd-application-controller/networkpolicy.yaml
View file

@ -5,7 +5,7 @@ metadata:
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }}
name: {{ template "argo-cd.controller.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
namespace: {{ include "argo-cd.namespace" . }}
spec:
ingress:
- from:

2
charts/argo-cd/templates/argocd-application-controller/pdb.yaml
View file

@ -3,7 +3,7 @@ apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: {{ include "argo-cd.controller.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
namespace: {{ include "argo-cd.namespace" . }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }}
{{- with .Values.controller.pdb.labels }}

16
charts/argo-cd/templates/argocd-application-controller/role.yaml
View file

@ -2,7 +2,7 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ template "argo-cd.controller.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
namespace: {{ include "argo-cd.namespace" . }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }}
rules:
@ -43,3 +43,17 @@ rules:
- get
- list
- watch
{{- if and (not .Values.createClusterRoles) .Values.controller.dynamicClusterDistribution }}
- apiGroups:
- ""
resources:
- configmaps
resourceNames:
- argocd-app-controller-shard-cm
verbs:
- get
- list
- watch
- create
- update
{{- end }}

8
charts/argo-cd/templates/argocd-application-controller/rolebinding.yaml
View file

@ -2,7 +2,7 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "argo-cd.controller.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
namespace: {{ include "argo-cd.namespace" . }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }}
roleRef:
@ -10,6 +10,6 @@ roleRef:
kind: Role
name: {{ include "argo-cd.controller.fullname" . }}
subjects:
- kind: ServiceAccount
name: {{ include "argo-cd.controller.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
- kind: ServiceAccount
name: {{ include "argo-cd.controller.serviceAccountName" . }}
namespace: {{ include "argo-cd.namespace" . }}

2
charts/argo-cd/templates/argocd-application-controller/serviceaccount.yaml
View file

@ -4,7 +4,7 @@ kind: ServiceAccount
automountServiceAccountToken: {{ .Values.controller.serviceAccount.automountServiceAccountToken }}
metadata:
name: {{ include "argo-cd.controller.serviceAccountName" . }}
namespace: {{ .Release.Namespace | quote }}
namespace: {{ include "argo-cd.namespace" . }}
{{- with .Values.controller.serviceAccount.annotations }}
annotations:
{{- range $key, $value := . }}

5
charts/argo-cd/templates/argocd-application-controller/servicemonitor.yaml
View file

@ -22,6 +22,9 @@ spec:
{{- with .Values.controller.metrics.serviceMonitor.interval }}
interval: {{ . }}
{{- end }}
{{- with .Values.controller.metrics.serviceMonitor.scrapeTimeout }}
scrapeTimeout: {{ . }}
{{- end }}
path: /metrics
{{- with .Values.controller.metrics.serviceMonitor.relabelings }}
relabelings:
@ -40,7 +43,7 @@ spec:
{{- end }}
namespaceSelector:
matchNames:
- {{ .Release.Namespace }}
- {{ include "argo-cd.namespace" . }}
selector:
matchLabels:
{{- include "argo-cd.selectorLabels" (dict "context" . "component" .Values.controller.name "name" "metrics") | nindent 6 }}

105
charts/argo-cd/templates/argocd-application-controller/statefulset.yaml
View file

@ -1,3 +1,4 @@
{{- if not .Values.controller.dynamicClusterDistribution | default false }}
apiVersion: apps/v1
kind: StatefulSet
metadata:
@ -8,13 +9,12 @@ metadata:
{{- end }}
{{- end }}
name: {{ template "argo-cd.controller.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
namespace: {{ include "argo-cd.namespace" . }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }}
spec:
replicas: {{ .Values.controller.replicas }}
# TODO: Remove for breaking release as history limit cannot be patched
revisionHistoryLimit: 5
revisionHistoryLimit: {{ .Values.controller.revisionHistoryLimit | default .Values.global.revisionHistoryLimit }}
serviceName: {{ include "argo-cd.controller.fullname" . }}
selector:
matchLabels:
@ -23,7 +23,7 @@ spec:
metadata:
annotations:
checksum/cmd-params: {{ include (print $.Template.BasePath "/argocd-configs/argocd-cmd-params-cm.yaml") . | sha256sum }}
{{- if (hasKey .Values.server "configEnabled") | ternary .Values.server.configEnabled .Values.configs.cm.create }}
{{- if .Values.configs.cm.create }}
checksum/cm: {{ include (print $.Template.BasePath "/argocd-configs/argocd-cm.yaml") . | sha256sum }}
{{- end }}
{{- with (mergeOverwrite (deepCopy .Values.global.podAnnotations) .Values.controller.podAnnotations) }}
@ -56,6 +56,7 @@ spec:
terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }}
{{- end }}
serviceAccountName: {{ include "argo-cd.controller.serviceAccountName" . }}
automountServiceAccountToken: {{ .Values.controller.automountServiceAccountToken }}
containers:
- args:
- /usr/local/bin/argocd-application-controller
@ -66,38 +67,6 @@ spec:
- {{ . }}
{{- end }}
{{- end }}
{{- with .Values.controller.args.statusProcessors }}
- --status-processors
- {{ . | quote }}
{{- end }}
{{- with .Values.controller.args.operationProcessors }}
- --operation-processors
- {{ . | quote }}
{{- end }}
{{- with .Values.controller.args.appResyncPeriod }}
- --app-resync
- {{ . | quote }}
{{- end }}
{{- with .Values.controller.args.appHardResyncPeriod }}
- --app-hard-resync
- {{ . | quote }}
{{- end }}
{{- with .Values.controller.args.selfHealTimeout }}
- --self-heal-timeout-seconds
- {{ . | quote }}
{{- end }}
{{- with .Values.controller.args.repoServerTimeoutSeconds }}
- --repo-server-timeout-seconds
- {{ . | quote }}
{{- end }}
{{- with .Values.controller.logFormat }}
- --logformat
- {{ . | quote }}
{{- end }}
{{- with .Values.controller.logLevel }}
- --loglevel
- {{ . | quote }}
{{- end }}
{{- with .Values.controller.extraArgs }}
{{- toYaml . | nindent 8 }}
{{- end }}
@ -110,6 +79,8 @@ spec:
{{- end }}
- name: ARGOCD_CONTROLLER_REPLICAS
value: {{ .Values.controller.replicas | quote }}
- name: ARGOCD_APPLICATION_CONTROLLER_NAME
value: {{ template "argo-cd.controller.fullname" . }}
- name: ARGOCD_RECONCILIATION_TIMEOUT
valueFrom:
configMapKeyRef:
@ -122,6 +93,18 @@ spec:
name: argocd-cm
key: timeout.hard.reconciliation
optional: true
- name: ARGOCD_RECONCILIATION_JITTER
valueFrom:
configMapKeyRef:
key: timeout.reconciliation.jitter
name: argocd-cm
optional: true
- name: ARGOCD_REPO_ERROR_GRACE_PERIOD_SECONDS
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.repo.error.grace.period.seconds
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER
valueFrom:
configMapKeyRef:
@ -215,15 +198,19 @@ spec:
- name: REDIS_USERNAME
valueFrom:
secretKeyRef:
name: {{ default (include "argo-cd.redis.fullname" .) .Values.externalRedis.existingSecret }}
name: {{ default "argocd-redis" .Values.externalRedis.existingSecret }}
key: redis-username
optional: true
- name: REDIS_PASSWORD
valueFrom:
secretKeyRef:
name: {{ default (include "argo-cd.redis.fullname" .) .Values.externalRedis.existingSecret }}
name: {{ default "argocd-redis" .Values.externalRedis.existingSecret }}
{{- if .Values.externalRedis.host }}
key: redis-password
optional: true
{{- else }}
key: auth
{{- end }}
- name: ARGOCD_DEFAULT_CACHE_EXPIRATION
valueFrom:
configMapKeyRef:
@ -236,6 +223,18 @@ spec:
name: argocd-cmd-params-cm
key: otlp.address
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_OTLP_INSECURE
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: otlp.insecure
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_OTLP_HEADERS
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: otlp.headers
optional: true
- name: ARGOCD_APPLICATION_NAMESPACES
valueFrom:
configMapKeyRef:
@ -254,6 +253,30 @@ spec:
name: argocd-cmd-params-cm
key: controller.kubectl.parallelism.limit
optional: true
- name: ARGOCD_K8SCLIENT_RETRY_MAX
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.k8sclient.retry.max
optional: true
- name: ARGOCD_K8SCLIENT_RETRY_BASE_BACKOFF
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.k8sclient.retry.base.backoff
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_SERVER_SIDE_DIFF
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.diff.server.side
optional: true
- name: ARGOCD_IGNORE_NORMALIZER_JQ_TIMEOUT
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.ignore.normalizer.jq.timeout
optional: true
{{- with .Values.controller.envFrom }}
envFrom:
{{- toYaml . | nindent 10 }}
@ -321,7 +344,12 @@ spec:
{{- toYaml . | nindent 6 }}
{{- end }}
- name: argocd-home
{{- if .Values.controller.emptyDir.sizeLimit }}
emptyDir:
sizeLimit: {{ .Values.controller.emptyDir.sizeLimit }}
{{- else }}
emptyDir: {}
{{- end }}
- name: argocd-repo-server-tls
secret:
secretName: argocd-repo-server-tls
@ -341,3 +369,4 @@ spec:
{{- toYaml . | nindent 8 }}
{{- end }}
dnsPolicy: {{ .Values.controller.dnsPolicy }}
{{- end }}

6
charts/argo-cd/templates/argocd-applicationset/certificate.yaml
View file

@ -9,14 +9,14 @@ metadata:
{{- end }}
{{- end }}
name: {{ template "argo-cd.applicationSet.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
namespace: {{ include "argo-cd.namespace" . }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.applicationSet.name "name" .Values.applicationSet.name) | nindent 4 }}
spec:
secretName: {{ .Values.applicationSet.certificate.secretName }}
commonName: {{ .Values.applicationSet.certificate.domain | quote }}
commonName: {{ .Values.applicationSet.certificate.domain | default .Values.global.domain }}
dnsNames:
- {{ .Values.applicationSet.certificate.domain | quote }}
- {{ .Values.applicationSet.certificate.domain | default .Values.global.domain }}
{{- range .Values.applicationSet.certificate.additionalHosts }}
- {{ . | quote }}
{{- end }}

89
charts/argo-cd/templates/argocd-applicationset/clusterrole.yaml Normal file
View file

@ -0,0 +1,89 @@
{{- if .Values.applicationSet.allowAnyNamespace }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "argo-cd.applicationSet.fullname" . }}
namespace: {{ include "argo-cd.namespace" . }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.applicationSet.name "name" .Values.applicationSet.name) | nindent 4 }}
rules:
- apiGroups:
- argoproj.io
resources:
- applications
- applicationsets
- applicationsets/finalizers
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- argoproj.io
resources:
- applicationsets/status
verbs:
- get
- patch
- update
- apiGroups:
- argoproj.io
resources:
- appprojects
verbs:
- get
- apiGroups:
- ""
resources:
- events
verbs:
- create
- get
- list
- patch
- watch
- apiGroups:
- ""
resources:
- configmaps
verbs:
- create
- update
- delete
- get
- list
- patch
- watch
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- list
- watch
- apiGroups:
- apps
- extensions
resources:
- deployments
verbs:
- get
- list
- watch
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
{{- end }}

17
charts/argo-cd/templates/argocd-applicationset/clusterrolebinding.yaml Normal file
View file

@ -0,0 +1,17 @@
{{- if .Values.applicationSet.allowAnyNamespace }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "argo-cd.applicationSet.fullname" . }}
namespace: {{ include "argo-cd.namespace" . }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.applicationSet.name "name" .Values.applicationSet.name) | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "argo-cd.applicationSet.fullname" . }}
subjects:
- kind: ServiceAccount
name: {{ template "argo-cd.applicationSet.serviceAccountName" . }}
namespace: {{ include "argo-cd.namespace" . }}
{{- end }}

37
charts/argo-cd/templates/argocd-applicationset/deployment.yaml
View file

@ -1,4 +1,3 @@
{{- if .Values.applicationSet.enabled }}
apiVersion: apps/v1
kind: Deployment
metadata:
@ -9,7 +8,7 @@ metadata:
{{- end }}
{{- end }}
name: {{ include "argo-cd.applicationSet.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
namespace: {{ include "argo-cd.namespace" . }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.applicationSet.name "name" .Values.applicationSet.name) | nindent 4 }}
spec:
@ -17,7 +16,7 @@ spec:
strategy:
{{- trim . | nindent 4 }}
{{- end }}
replicas: {{ .Values.applicationSet.replicas | default .Values.applicationSet.replicaCount }}
replicas: {{ .Values.applicationSet.replicas }}
revisionHistoryLimit: {{ .Values.global.revisionHistoryLimit }}
selector:
matchLabels:
@ -56,6 +55,7 @@ spec:
terminationGracePeriodSeconds: {{ .Values.applicationSet.terminationGracePeriodSeconds }}
{{- end }}
serviceAccountName: {{ include "argo-cd.applicationSet.serviceAccountName" . }}
automountServiceAccountToken: {{ .Values.applicationSet.automountServiceAccountToken }}
containers:
- name: {{ .Values.applicationSet.name }}
image: {{ default .Values.global.image.repository .Values.applicationSet.image.repository }}:{{ default (include "argo-cd.defaultTag" .) .Values.applicationSet.image.tag }}
@ -65,20 +65,6 @@ spec:
- --metrics-addr=:{{ .Values.applicationSet.containerPorts.metrics }}
- --probe-addr=:{{ .Values.applicationSet.containerPorts.probe }}
- --webhook-addr=:{{ .Values.applicationSet.containerPorts.webhook }}
{{- with .Values.applicationSet.args.policy }}
- --policy={{ . }}
{{- end }}
{{- with .Values.applicationSet.args.dryRun }}
- --dry-run={{ . }}
{{- end }}
{{- with .Values.applicationSet.logFormat }}
- --logformat
- {{ . }}
{{- end }}
{{- with .Values.applicationSet.logLevel }}
- --loglevel
- {{ . }}
{{- end }}
{{- with .Values.applicationSet.extraArgs }}
{{- toYaml . | nindent 12 }}
{{- end }}
@ -210,6 +196,12 @@ spec:
name: argocd-cmd-params-cm
key: applicationsetcontroller.allowed.scm.providers
optional: true
- name: ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_SCM_PROVIDERS
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: applicationsetcontroller.enable.scm.providers
optional: true
{{- with .Values.applicationSet.extraEnvFrom }}
envFrom:
{{- toYaml . | nindent 12 }}
@ -310,9 +302,19 @@ spec:
configMap:
name: argocd-gpg-keys-cm
- name: gpg-keyring
{{- if .Values.applicationSet.emptyDir.sizeLimit }}
emptyDir:
sizeLimit: {{ .Values.applicationSet.emptyDir.sizeLimit }}
{{- else }}
emptyDir: {}
{{- end }}
- name: tmp
{{- if .Values.applicationSet.emptyDir.sizeLimit }}
emptyDir:
sizeLimit: {{ .Values.applicationSet.emptyDir.sizeLimit }}
{{- else }}
emptyDir: {}
{{- end }}
- name: argocd-repo-server-tls
secret:
secretName: argocd-repo-server-tls
@ -329,4 +331,3 @@ spec:
{{- toYaml . | nindent 8 }}
{{- end }}
dnsPolicy: {{ .Values.applicationSet.dnsPolicy }}
{{- end }}

62
charts/argo-cd/templates/argocd-applicationset/ingress.yaml Normal file
View file

@ -0,0 +1,62 @@
{{- if .Values.applicationSet.ingress.enabled -}}
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: {{ include "argo-cd.applicationSet.fullname" . }}
namespace: {{ include "argo-cd.namespace" . }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.applicationSet.name "name" .Values.applicationSet.name) | nindent 4 }}
{{- with .Values.applicationSet.ingress.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.applicationSet.ingress.annotations }}
annotations:
{{- range $key, $value := . }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
spec:
{{- with .Values.applicationSet.ingress.ingressClassName }}
ingressClassName: {{ . }}
{{- end }}
rules:
- host: {{ .Values.applicationSet.ingress.hostname | default .Values.global.domain }}
http:
paths:
{{- with .Values.applicationSet.ingress.extraPaths }}
{{- tpl (toYaml .) $ | nindent 10 }}
{{- end }}
- path: {{ .Values.applicationSet.ingress.path }}
pathType: {{ .Values.applicationSet.ingress.pathType }}
backend:
service:
name: {{ include "argo-cd.applicationSet.fullname" . }}
port:
number: {{ .Values.applicationSet.service.port }}
{{- range .Values.applicationSet.ingress.extraHosts }}
- host: {{ .name | quote }}
http:
paths:
- path: {{ default $.Values.applicationSet.ingress.path .path }}
pathType: {{ default $.Values.applicationSet.ingress.pathType .pathType }}
backend:
service:
name: {{ include "argo-cd.applicationSet.fullname" $ }}
port:
number: {{ $.Values.applicationSet.service.port }}
{{- end }}
{{- with .Values.applicationSet.ingress.extraRules }}
{{- tpl (toYaml .) $ | nindent 4 }}
{{- end }}
{{- if or .Values.applicationSet.ingress.tls .Values.applicationSet.ingress.extraTls }}
tls:
{{- if .Values.applicationSet.ingress.tls }}
- hosts:
- {{ .Values.applicationSet.ingress.hostname | default .Values.global.domain }}
secretName: argocd-applicationset-controller-tls
{{- end }}
{{- with .Values.applicationSet.ingress.extraTls }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}
{{- end }}

5
charts/argo-cd/templates/argocd-applicationset/metrics.yaml
View file

@ -1,9 +1,9 @@
{{- if and .Values.applicationSet.enabled .Values.applicationSet.metrics.enabled }}
{{- if .Values.applicationSet.metrics.enabled }}
apiVersion: v1
kind: Service
metadata:
name: {{ include "argo-cd.applicationSet.fullname" . }}-metrics
namespace: {{ .Release.Namespace | quote }}
namespace: {{ include "argo-cd.namespace" . }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.applicationSet.name "name" "metrics") | nindent 4 }}
{{- with .Values.applicationSet.metrics.service.labels }}
@ -24,6 +24,7 @@ spec:
{{- if and .Values.applicationSet.metrics.service.clusterIP (eq .Values.applicationSet.metrics.service.type "ClusterIP") }}
clusterIP: {{ .Values.applicationSet.metrics.service.clusterIP }}
{{- end }}
{{- include "argo-cd.dualStack" . | indent 2 }}
ports:
- name: {{ .Values.applicationSet.metrics.service.portName }}
protocol: TCP

6
charts/argo-cd/templates/argocd-applicationset/networkpolicy.yaml
View file

@ -1,14 +1,14 @@
{{- if and .Values.applicationSet.enabled .Values.global.networkPolicy.create (or .Values.applicationSet.metrics.enabled .Values.applicationSet.webhook.ingress.enabled) }}
{{- if and .Values.global.networkPolicy.create (or .Values.applicationSet.metrics.enabled .Values.applicationSet.ingress.enabled) }}
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: {{ template "argo-cd.applicationSet.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
namespace: {{ include "argo-cd.namespace" . }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.applicationSet.name "name" .Values.applicationSet.name) | nindent 4 }}
spec:
ingress:
{{- if .Values.applicationSet.webhook.ingress.enabled }}
{{- if .Values.applicationSet.ingress.enabled }}
- ports:
- port: webhook
{{- end }}

4
charts/argo-cd/templates/argocd-applicationset/pdb.yaml
View file

@ -1,9 +1,9 @@
{{- if and .Values.applicationSet.enabled .Values.applicationSet.pdb.enabled }}
{{- if .Values.applicationSet.pdb.enabled }}
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: {{ include "argo-cd.applicationSet.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
namespace: {{ include "argo-cd.namespace" . }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.applicationSet.name "name" .Values.applicationSet.name) | nindent 4 }}
{{- with .Values.applicationSet.pdb.labels }}

4
charts/argo-cd/templates/argocd-applicationset/role.yaml
View file

@ -1,9 +1,8 @@
{{- if .Values.applicationSet.enabled }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ include "argo-cd.applicationSet.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
namespace: {{ include "argo-cd.namespace" . }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.applicationSet.name "name" .Values.applicationSet.name) | nindent 4 }}
rules:
@ -86,4 +85,3 @@ rules:
- patch
- update
- watch
{{- end }}

6
charts/argo-cd/templates/argocd-applicationset/rolebinding.yaml
View file

@ -1,9 +1,8 @@
{{- if .Values.applicationSet.enabled }}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "argo-cd.applicationSet.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
namespace: {{ include "argo-cd.namespace" . }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.applicationSet.name "name" .Values.applicationSet.name) | nindent 4 }}
roleRef:
@ -13,5 +12,4 @@ roleRef:
subjects:
- kind: ServiceAccount
name: {{ include "argo-cd.applicationSet.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
{{- end }}
namespace: {{ include "argo-cd.namespace" . }}

5
charts/argo-cd/templates/argocd-applicationset/service.yaml
View file

@ -1,4 +1,3 @@
{{- if .Values.applicationSet.enabled }}
apiVersion: v1
kind: Service
metadata:
@ -9,7 +8,7 @@ metadata:
{{- end }}
{{- end }}
name: {{ template "argo-cd.applicationSet.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
namespace: {{ include "argo-cd.namespace" . }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.applicationSet.name "name" .Values.applicationSet.name) | nindent 4 }}
{{- with .Values.applicationSet.service.labels }}
@ -17,10 +16,10 @@ metadata:
{{- end }}
spec:
type: {{ .Values.applicationSet.service.type }}
{{- include "argo-cd.dualStack" . | indent 2 }}
ports:
- name: {{ .Values.applicationSet.service.portName }}
port: {{ .Values.applicationSet.service.port }}
targetPort: webhook
selector:
{{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.applicationSet.name) | nindent 4 }}
{{- end }}

4
charts/argo-cd/templates/argocd-applicationset/serviceaccount.yaml
View file

@ -1,10 +1,10 @@
{{- if and .Values.applicationSet.enabled .Values.applicationSet.serviceAccount.create }}
{{- if .Values.applicationSet.serviceAccount.create }}
apiVersion: v1
kind: ServiceAccount
automountServiceAccountToken: {{ .Values.applicationSet.serviceAccount.automountServiceAccountToken }}
metadata:
name: {{ include "argo-cd.applicationSet.serviceAccountName" . }}
namespace: {{ .Release.Namespace | quote }}
namespace: {{ include "argo-cd.namespace" . }}
{{- with .Values.applicationSet.serviceAccount.annotations }}
annotations:
{{- range $key, $value := . }}

7
charts/argo-cd/templates/argocd-applicationset/servicemonitor.yaml
View file

@ -1,4 +1,3 @@
{{- if .Values.applicationSet.enabled }}
{{- if and (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1") .Values.applicationSet.metrics.enabled .Values.applicationSet.metrics.serviceMonitor.enabled }}
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
@ -23,6 +22,9 @@ spec:
{{- with .Values.applicationSet.metrics.serviceMonitor.interval }}
interval: {{ . }}
{{- end }}
{{- with .Values.applicationSet.metrics.serviceMonitor.scrapeTimeout }}
scrapeTimeout: {{ . }}
{{- end }}
path: /metrics
{{- with .Values.applicationSet.metrics.serviceMonitor.relabelings }}
relabelings:
@ -41,9 +43,8 @@ spec:
{{- end }}
namespaceSelector:
matchNames:
- {{ .Release.Namespace }}
- {{ include "argo-cd.namespace" . }}
selector:
matchLabels:
{{- include "argo-cd.selectorLabels" (dict "context" . "component" .Values.applicationSet.name "name" "metrics") | nindent 6 }}
{{- end }}
{{- end }}

73
charts/argo-cd/templates/argocd-applicationset/webhook-ingress.yaml
View file

@ -1,73 +0,0 @@
{{- if and .Values.applicationSet.enabled .Values.applicationSet.webhook.ingress.enabled -}}
{{- $servicePort := .Values.applicationSet.service.portName -}}
{{- $paths := .Values.applicationSet.webhook.ingress.paths -}}
{{- $extraPaths := .Values.applicationSet.webhook.ingress.extraPaths -}}
{{- $pathType := .Values.applicationSet.webhook.ingress.pathType -}}
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: {{ include "argo-cd.applicationSet.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.applicationSet.name "name" .Values.applicationSet.name) | nindent 4 }}
{{- with .Values.applicationSet.webhook.ingress.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.applicationSet.webhook.ingress.annotations }}
annotations:
{{- range $key, $value := . }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
spec:
{{- with .Values.applicationSet.webhook.ingress.ingressClassName }}
ingressClassName: {{ . }}
{{- end }}
rules:
{{- if .Values.applicationSet.webhook.ingress.hosts }}
{{- range $host := .Values.applicationSet.webhook.ingress.hosts }}
- host: {{ $host }}
http:
paths:
{{- with $extraPaths }}
{{- toYaml . | nindent 10 }}
{{- end }}
{{- range $p := $paths }}
- path: {{ $p }}
pathType: {{ $pathType }}
backend:
service:
name: {{ include "argo-cd.applicationSet.fullname" $ }}
port:
{{- if kindIs "float64" $servicePort }}
number: {{ $servicePort }}
{{- else }}
name: {{ $servicePort }}
{{- end }}
{{- end -}}
{{- end -}}
{{- else }}
- http:
paths:
{{- with $extraPaths }}
{{- toYaml . | nindent 10 }}
{{- end }}
{{- range $p := $paths }}
- path: {{ $p }}
pathType: {{ $pathType }}
backend:
service:
name: {{ include "argo-cd.applicationSet.fullname" $ }}
port:
{{- if kindIs "float64" $servicePort }}
number: {{ $servicePort }}
{{- else }}
name: {{ $servicePort }}
{{- end }}
{{- end -}}
{{- end -}}
{{- with .Values.applicationSet.webhook.ingress.tls }}
tls:
{{- toYaml . | nindent 4 }}
{{- end -}}
{{- end -}}

6
charts/argo-cd/templates/argocd-configs/argocd-cm.yaml
View file

@ -1,12 +1,12 @@
{{- if (hasKey .Values.server "configEnabled") | ternary .Values.server.configEnabled .Values.configs.cm.create }}
{{- if .Values.configs.cm.create }}
apiVersion: v1
kind: ConfigMap
metadata:
name: argocd-cm
namespace: {{ .Release.Namespace | quote }}
namespace: {{ include "argo-cd.namespace" . }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.server.name "name" "cm") | nindent 4 }}
{{- with (mergeOverwrite (deepCopy .Values.configs.cm.annotations) (.Values.server.configAnnotations | default dict)) }}
{{- with .Values.configs.cm.annotations }}
annotations:
{{- range $key, $value := . }}
{{ $key }}: {{ $value | quote }}

2
charts/argo-cd/templates/argocd-configs/argocd-cmd-params-cm.yaml
View file

@ -3,7 +3,7 @@ apiVersion: v1
kind: ConfigMap
metadata:
name: argocd-cmd-params-cm
namespace: {{ .Release.Namespace | quote }}
namespace: {{ include "argo-cd.namespace" . }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.server.name "name" "cmd-params-cm") | nindent 4 }}
{{- if .Values.configs.params.annotations }}

2
charts/argo-cd/templates/argocd-configs/argocd-cmp-cm.yaml
View file

@ -3,7 +3,7 @@ apiVersion: v1
kind: ConfigMap
metadata:
name: argocd-cmp-cm
namespace: {{ .Release.Namespace | quote }}
namespace: {{ include "argo-cd.namespace" . }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.repoServer.name "name" "cmp-cm") | nindent 4 }}
{{- with .Values.configs.cmp.annotations }}

2
charts/argo-cd/templates/argocd-configs/argocd-dex-server-tls-secret.yaml
View file

@ -3,7 +3,7 @@ apiVersion: v1
kind: Secret
metadata:
name: argocd-dex-server-tls
namespace: {{ .Release.Namespace | quote }}
namespace: {{ include "argo-cd.namespace" . }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.dex.name "name" "dex-server-tls") | nindent 4 }}
{{- with .Values.dex.certificateSecret.labels }}

6
charts/argo-cd/templates/argocd-configs/argocd-gpg-keys-cm.yaml
View file

@ -2,16 +2,16 @@ apiVersion: v1
kind: ConfigMap
metadata:
name: argocd-gpg-keys-cm
namespace: {{ .Release.Namespace | quote }}
namespace: {{ include "argo-cd.namespace" . }}
labels:
{{- include "argo-cd.labels" (dict "context" . "name" "gpg-keys-cm") | nindent 4 }}
{{ with (mergeOverwrite (deepCopy .Values.configs.gpg.annotations) (.Values.configs.gpgKeysAnnotations | default dict)) -}}
{{- with .Values.configs.gpg.annotations }}
annotations:
{{- range $key, $value := . }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
{{ with (mergeOverwrite (deepCopy .Values.configs.gpg.keys) (.Values.configs.gpgKeys | default dict)) -}}
{{- with .Values.configs.gpg.keys }}
data:
{{- toYaml . | nindent 2 }}
{{- end }}

4
charts/argo-cd/templates/argocd-configs/argocd-notifications-cm.yaml
View file

@ -3,12 +3,12 @@ apiVersion: v1
kind: ConfigMap
metadata:
name: argocd-notifications-cm
namespace: {{ .Release.Namespace | quote }}
namespace: {{ include "argo-cd.namespace" . }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.notifications.name "name" .Values.notifications.name) | nindent 4 }}
data:
context: |
argocdUrl: {{ .Values.notifications.argocdUrl | quote }}
argocdUrl: {{ .Values.notifications.argocdUrl | default (printf "https://%s" .Values.global.domain) }}
{{- with .Values.notifications.context }}
{{- toYaml . | nindent 4 }}
{{- end }}

4
charts/argo-cd/templates/argocd-configs/argocd-notifications-secret.yaml
View file

@ -2,8 +2,8 @@
apiVersion: v1
kind: Secret
metadata:
name: argocd-notifications-secret
namespace: {{ .Release.Namespace | quote }}
name: {{ .Values.notifications.secret.name }}
namespace: {{ include "argo-cd.namespace" . }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.notifications.name "name" .Values.notifications.name) | nindent 4 }}
{{- with .Values.notifications.secret.labels }}

8
charts/argo-cd/templates/argocd-configs/argocd-rbac-cm.yaml
View file

@ -1,18 +1,18 @@
{{- if (hasKey .Values.server "rbacConfigCreate") | ternary .Values.server.rbacConfigCreate .Values.configs.rbac.create }}
{{- if .Values.configs.rbac.create }}
apiVersion: v1
kind: ConfigMap
metadata:
name: argocd-rbac-cm
namespace: {{ .Release.Namespace | quote }}
namespace: {{ include "argo-cd.namespace" . }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.server.name "name" "rbac-cm") | nindent 4 }}
{{- with (mergeOverwrite (deepCopy .Values.configs.rbac.annotations) (.Values.server.rbacConfigAnnotations | default dict)) }}
{{- with .Values.configs.rbac.annotations }}
annotations:
{{- range $key, $value := . }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
{{- with (mergeOverwrite (deepCopy (omit .Values.configs.rbac "create" "annotations")) (.Values.server.rbacConfig | default dict)) }}
{{- with (omit .Values.configs.rbac "create" "annotations") }}
data:
{{- toYaml . | nindent 2 }}
{{- end }}

2
charts/argo-cd/templates/argocd-configs/argocd-repo-server-tls-secret.yaml
View file

@ -3,7 +3,7 @@ apiVersion: v1
kind: Secret
metadata:
name: argocd-repo-server-tls
namespace: {{ .Release.Namespace | quote }}
namespace: {{ include "argo-cd.namespace" . }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.repoServer.name "name" "repo-server-tls") | nindent 4 }}
{{- with .Values.repoServer.certificateSecret.labels }}

8
charts/argo-cd/templates/argocd-configs/argocd-secret.yaml
View file

@ -3,7 +3,7 @@ apiVersion: v1
kind: Secret
metadata:
name: argocd-secret
namespace: {{ .Release.Namespace | quote }}
namespace: {{ include "argo-cd.namespace" . }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.server.name "name" "secret") | nindent 4 }}
{{- with .Values.configs.secret.labels }}
@ -16,7 +16,7 @@ metadata:
{{- end }}
{{- end }}
type: Opaque
{{- if or .Values.configs.secret.githubSecret (or .Values.configs.secret.gitlabSecret .Values.configs.secret.bitbucketUUID .Values.configs.secret.bitbucketServerSecret .Values.configs.secret.gogsSecret (and .Values.configs.secret.azureDevops.username .Values.configs.secret.azureDevops.password) .Values.configs.secret.argocdServerAdminPassword .Values.configs.secret.argocdServerTlsConfig .Values.configs.secret.extra) }}
{{- if or .Values.configs.secret.githubSecret (or .Values.configs.secret.gitlabSecret .Values.configs.secret.bitbucketUUID .Values.configs.secret.bitbucketServerSecret .Values.configs.secret.gogsSecret (and .Values.configs.secret.azureDevops.username .Values.configs.secret.azureDevops.password) .Values.configs.secret.argocdServerAdminPassword .Values.configs.secret.extra) }}
# Setting a blank data again will wipe admin password/key/cert
data:
{{- with .Values.configs.secret.githubSecret }}
@ -38,10 +38,6 @@ data:
webhook.azuredevops.username: {{ .Values.configs.secret.azureDevops.username | b64enc }}
webhook.azuredevops.password: {{ .Values.configs.secret.azureDevops.password | b64enc }}
{{- end }}
{{- with .Values.configs.secret.argocdServerTlsConfig }}
tls.key: {{ .key | b64enc }}
tls.crt: {{ .crt | b64enc }}
{{- end }}
{{- if .Values.configs.secret.argocdServerAdminPassword }}
admin.password: {{ .Values.configs.secret.argocdServerAdminPassword | b64enc }}
admin.passwordMtime: {{ default (dateInZone "2006-01-02T15:04:05Z" (now) "UTC") .Values.configs.secret.argocdServerAdminPasswordMtime | b64enc }}

2
charts/argo-cd/templates/argocd-configs/argocd-server-tls-secret.yaml
View file

@ -3,7 +3,7 @@ apiVersion: v1
kind: Secret
metadata:
name: argocd-server-tls
namespace: {{ .Release.Namespace | quote }}
namespace: {{ include "argo-cd.namespace" . }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.server.name "name" "server-tls") | nindent 4 }}
{{- with .Values.server.certificateSecret.labels }}

10
charts/argo-cd/templates/argocd-configs/argocd-ssh-known-hosts-cm.yaml
View file

@ -2,10 +2,10 @@ apiVersion: v1
kind: ConfigMap
metadata:
name: argocd-ssh-known-hosts-cm
namespace: {{ .Release.Namespace | quote }}
namespace: {{ include "argo-cd.namespace" . }}
labels:
{{- include "argo-cd.labels" (dict "context" . "name" "ssh-known-hosts-cm") | nindent 4 }}
{{- with (mergeOverwrite (deepCopy .Values.configs.ssh.annotations) (.Values.configs.knownHostsAnnotations | default dict)) }}
{{- with .Values.configs.ssh.annotations }}
annotations:
{{- range $key, $value := . }}
{{ $key }}: {{ $value | quote }}
@ -13,11 +13,7 @@ metadata:
{{- end }}
data:
ssh_known_hosts: |
{{- if hasKey .Values.configs "knownHosts" }}
{{- .Values.configs.knownHosts.data.ssh_known_hosts | nindent 4 }}
{{- else }}
{{- .Values.configs.ssh.knownHosts | nindent 4 }}
{{- end }}
{{- .Values.configs.ssh.knownHosts | nindent 4 }}
{{- with .Values.configs.ssh.extraHosts }}
{{- . | nindent 4 }}
{{- end }}

2
charts/argo-cd/templates/argocd-configs/argocd-styles-cm.yaml
View file

@ -3,7 +3,7 @@ apiVersion: v1
kind: ConfigMap
metadata:
name: argocd-styles-cm
namespace: {{ .Release.Namespace | quote }}
namespace: {{ include "argo-cd.namespace" . }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.repoServer.name "name" .Values.repoServer.name) | nindent 4 }}
data:

10
charts/argo-cd/templates/argocd-configs/argocd-tls-certs-cm.yaml
View file

@ -2,22 +2,16 @@ apiVersion: v1
kind: ConfigMap
metadata:
name: argocd-tls-certs-cm
namespace: {{ .Release.Namespace | quote }}
namespace: {{ include "argo-cd.namespace" . }}
labels:
{{- include "argo-cd.labels" (dict "context" . "name" "tls-certs-cm") | nindent 4 }}
{{- with (mergeOverwrite (deepCopy .Values.configs.tls.annotations) (.Values.configs.tlsCertsAnnotations | default dict)) }}
{{- with .Values.configs.tls.annotations }}
annotations:
{{- range $key, $value := . }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
{{- if hasKey .Values.configs "tlsCerts" }}
{{- with .Values.configs.tlsCerts }}
{{- toYaml . | nindent 0 }}
{{- end }}
{{- else }}
{{- with .Values.configs.tls.certificates }}
data:
{{- toYaml . | nindent 2 }}
{{- end }}
{{- end }}

26
charts/argo-cd/templates/argocd-configs/cluster-secrets.yaml
View file

@ -1,17 +1,17 @@
{{- range .Values.configs.clusterCredentials }}
{{- range $cluster_key, $cluster_value := .Values.configs.clusterCredentials }}
---
apiVersion: v1
kind: Secret
metadata:
name: {{ include "argo-cd.name" $ }}-cluster-{{ .name }}
name: {{ include "argo-cd.name" $ }}-cluster-{{ $cluster_key }}
namespace: {{ $.Release.Namespace | quote }}
labels:
{{- include "argo-cd.labels" (dict "context" $) | nindent 4 }}
{{- with .labels }}
{{- with $cluster_value.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
argocd.argoproj.io/secret-type: cluster
{{- with .annotations }}
{{- with $cluster_value.annotations }}
annotations:
{{- range $key, $value := . }}
{{ $key }}: {{ $value | quote }}
@ -19,17 +19,17 @@ metadata:
{{- end }}
type: Opaque
stringData:
name: {{ required "A valid .Values.configs.clusterCredentials[].name entry is required!" .name }}
server: {{ required "A valid .Values.configs.clusterCredentials[].server entry is required!" .server }}
{{- if .namespaces }}
namespaces: {{ .namespaces }}
{{- if .clusterResources }}
clusterResources: {{ .clusterResources | quote }}
name: {{ required "A valid .Values.configs.clusterCredentials.CLUSTERNAME.name entry is required!" $cluster_key }}
server: {{ required "A valid .Values.configs.clusterCredentials.CLUSTERNAME.server entry is required!" $cluster_value.server }}
{{- if $cluster_value.namespaces }}
namespaces: {{ $cluster_value.namespaces }}
{{- if $cluster_value.clusterResources }}
clusterResources: {{ $cluster_value.clusterResources | quote }}
{{- end }}
{{- end }}
{{- if .project }}
project: {{ .project | quote }}
{{- if $cluster_value.project }}
project: {{ $cluster_value.project | quote }}
{{- end }}
config: |
{{- required "A valid .Values.configs.clusterCredentials[].config entry is required!" .config | toRawJson | nindent 4 }}
{{- required "A valid .Values.configs.clusterCredentials.CLUSTERNAME.config entry is required!" $cluster_value.config | toRawJson | nindent 4 }}
{{- end }}

4
charts/argo-cd/templates/argocd-configs/externalredis-secret.yaml
View file

@ -2,8 +2,8 @@
apiVersion: v1
kind: Secret
metadata:
name: {{ include "argo-cd.redis.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
name: argocd-redis
namespace: {{ include "argo-cd.namespace" . }}
labels:
{{- include "argo-cd.labels" (dict "context" $) | nindent 4 }}
{{- with .Values.externalRedis.secretAnnotations }}

34
charts/argo-cd/templates/argocd-notifications/clusterrole.yaml
View file

@ -10,13 +10,43 @@ rules:
{{- toYaml . | nindent 2 }}
{{- end }}
- apiGroups:
- "argoproj.io"
- argoproj.io
resources:
- "applications"
- applications
- appprojects
verbs:
- get
- list
- watch
- update
- patch
- apiGroups:
- ""
resources:
- configmaps
- secrets
verbs:
- list
- watch
{{- if (index .Values.configs.params "application.namespaces") }}
- create
{{- end }}
{{- if .Values.notifications.cm.create }}
- apiGroups:
- ""
resourceNames:
- argocd-notifications-cm
resources:
- configmaps
verbs:
- get
{{- end }}
- apiGroups:
- ""
resourceNames:
- {{ .Values.notifications.secret.name }}
resources:
- secrets
verbs:
- get
{{- end }}

2
charts/argo-cd/templates/argocd-notifications/clusterrolebinding.yaml
View file

@ -12,5 +12,5 @@ roleRef:
subjects:
- kind: ServiceAccount
name: {{ include "argo-cd.notifications.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
namespace: {{ include "argo-cd.namespace" . }}
{{- end }}

12
charts/argo-cd/templates/argocd-notifications/deployment.yaml
View file

@ -9,7 +9,7 @@ metadata:
{{- end }}
{{- end }}
name: {{ include "argo-cd.notifications.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
namespace: {{ include "argo-cd.namespace" . }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.notifications.name "name" .Values.notifications.name) | nindent 4 }}
spec:
@ -55,6 +55,7 @@ spec:
terminationGracePeriodSeconds: {{ .Values.notifications.terminationGracePeriodSeconds }}
{{- end }}
serviceAccountName: {{ include "argo-cd.notifications.serviceAccountName" . }}
automountServiceAccountToken: {{ .Values.notifications.automountServiceAccountToken }}
containers:
- name: {{ .Values.notifications.name }}
image: {{ default .Values.global.image.repository .Values.notifications.image.repository }}:{{ default (include "argo-cd.defaultTag" .) .Values.notifications.image.tag }}
@ -64,8 +65,9 @@ spec:
- --metrics-port={{ .Values.notifications.containerPorts.metrics }}
- --loglevel={{ default .Values.global.logging.level .Values.notifications.logLevel }}
- --logformat={{ default .Values.global.logging.format .Values.notifications.logFormat }}
- --namespace={{ .Release.Namespace }}
- --namespace={{ include "argo-cd.namespace" . }}
- --argocd-repo-server={{ template "argo-cd.repoServer.fullname" . }}:{{ .Values.repoServer.service.port }}
- --secret-name={{ .Values.notifications.secret.name }}
{{- range .Values.notifications.extraArgs }}
- {{ . | squote }}
{{- end }}
@ -91,6 +93,12 @@ spec:
key: application.namespaces
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_NOTIFICATION_CONTROLLER_SELF_SERVICE_NOTIFICATION_ENABLED
valueFrom:
configMapKeyRef:
key: notificationscontroller.selfservice.enabled
name: argocd-cmd-params-cm
optional: true
{{- with .Values.notifications.extraEnvFrom }}
envFrom:
{{- toYaml . | nindent 12 }}

3
charts/argo-cd/templates/argocd-notifications/metrics.yaml
View file

@ -3,7 +3,7 @@ apiVersion: v1
kind: Service
metadata:
name: {{ include "argo-cd.notifications.fullname" . }}-metrics
namespace: {{ .Release.Namespace | quote }}
namespace: {{ include "argo-cd.namespace" . }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.notifications.name "name" "metrics") | nindent 4 }}
{{- with .Values.notifications.metrics.service.labels }}
@ -24,6 +24,7 @@ spec:
{{- if and .Values.notifications.metrics.service.clusterIP (eq .Values.notifications.metrics.service.type "ClusterIP") }}
clusterIP: {{ .Values.notifications.metrics.service.clusterIP }}
{{- end }}
{{- include "argo-cd.dualStack" . | indent 2 }}
selector:
{{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.notifications.name) | nindent 6 }}
ports:

2
charts/argo-cd/templates/argocd-notifications/networkpolicy.yaml
View file

@ -3,7 +3,7 @@ apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: {{ template "argo-cd.notifications.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
namespace: {{ include "argo-cd.namespace" . }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.notifications.name "name" .Values.notifications.name) | nindent 4 }}
spec:

2
charts/argo-cd/templates/argocd-notifications/pdb.yaml
View file

@ -3,7 +3,7 @@ apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: {{ include "argo-cd.notifications.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
namespace: {{ include "argo-cd.namespace" . }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.notifications.name "name" .Values.notifications.name) | nindent 4 }}
{{- with .Values.notifications.pdb.labels }}

4
charts/argo-cd/templates/argocd-notifications/role.yaml
View file

@ -3,7 +3,7 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ template "argo-cd.notifications.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
namespace: {{ include "argo-cd.namespace" . }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.notifications.name "name" .Values.notifications.name) | nindent 4 }}
rules:
@ -37,7 +37,7 @@ rules:
- apiGroups:
- ""
resourceNames:
- argocd-notifications-secret
- {{ .Values.notifications.secret.name }}
resources:
- secrets
verbs:

4
charts/argo-cd/templates/argocd-notifications/rolebinding.yaml
View file

@ -3,7 +3,7 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "argo-cd.notifications.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
namespace: {{ include "argo-cd.namespace" . }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.notifications.name "name" .Values.notifications.name) | nindent 4 }}
roleRef:
@ -13,5 +13,5 @@ roleRef:
subjects:
- kind: ServiceAccount
name: {{ include "argo-cd.notifications.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
namespace: {{ include "argo-cd.namespace" . }}
{{- end }}

2
charts/argo-cd/templates/argocd-notifications/serviceaccount.yaml
View file

@ -4,7 +4,7 @@ kind: ServiceAccount
automountServiceAccountToken: {{ .Values.notifications.serviceAccount.automountServiceAccountToken }}
metadata:
name: {{ include "argo-cd.notifications.serviceAccountName" . }}
namespace: {{ .Release.Namespace | quote }}
namespace: {{ include "argo-cd.namespace" . }}
{{- with .Values.notifications.serviceAccount.annotations }}
annotations:
{{- range $key, $value := . }}

2
charts/argo-cd/templates/argocd-notifications/servicemonitor.yaml
View file

@ -43,7 +43,7 @@ spec:
{{- end }}
namespaceSelector:
matchNames:
- {{ .Release.Namespace }}
- {{ include "argo-cd.namespace" . }}
selector:
matchLabels:
{{- include "argo-cd.selectorLabels" (dict "context" . "component" .Values.notifications.name "name" "metrics") | nindent 6 }}

7
charts/argo-cd/templates/argocd-repo-server/clusterrole.yaml
View file

@ -1,5 +1,4 @@
{{- $config := .Values.repoServer.clusterAdminAccess | default dict -}}
{{- if hasKey $config "enabled" | ternary $config.enabled .Values.createClusterRoles }}
{{- if and .Values.createClusterRoles .Values.repoServer.clusterRoleRules.enabled }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
@ -7,8 +6,8 @@ metadata:
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.repoServer.name "name" .Values.repoServer.name) | nindent 4 }}
rules:
{{- if .Values.repoServer.clusterRoleRules.enabled }}
{{- toYaml .Values.repoServer.clusterRoleRules.rules | nindent 2 }}
{{- with .Values.repoServer.clusterRoleRules.rules }}
{{- toYaml . | nindent 2 }}
{{- else }}
- apiGroups:
- '*'

5
charts/argo-cd/templates/argocd-repo-server/clusterrolebinding.yaml
View file

@ -1,5 +1,4 @@
{{- $config := .Values.repoServer.clusterAdminAccess | default dict -}}
{{- if hasKey $config "enabled" | ternary $config.enabled .Values.createClusterRoles }}
{{- if and .Values.createClusterRoles .Values.repoServer.clusterRoleRules.enabled }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
@ -13,5 +12,5 @@ roleRef:
subjects:
- kind: ServiceAccount
name: {{ include "argo-cd.repoServer.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
namespace: {{ include "argo-cd.namespace" . }}
{{- end }}

78
charts/argo-cd/templates/argocd-repo-server/deployment.yaml
View file

@ -8,7 +8,7 @@ metadata:
{{- end }}
{{- end }}
name: {{ template "argo-cd.repoServer.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
namespace: {{ include "argo-cd.namespace" . }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.repoServer.name "name" .Values.repoServer.name) | nindent 4 }}
spec:
@ -30,7 +30,7 @@ spec:
{{- if .Values.repoServer.certificateSecret.enabled }}
checksum/repo-server-tls: {{ include (print $.Template.BasePath "/argocd-configs/argocd-repo-server-tls-secret.yaml") . | sha256sum }}
{{- end }}
{{- if (hasKey .Values.server "configEnabled") | ternary .Values.server.configEnabled .Values.configs.cm.create }}
{{- if .Values.configs.cm.create }}
checksum/cm: {{ include (print $.Template.BasePath "/argocd-configs/argocd-cm.yaml") . | sha256sum }}
{{- end }}
{{- if .Values.configs.cmp.create }}
@ -66,6 +66,7 @@ spec:
terminationGracePeriodSeconds: {{ .Values.repoServer.terminationGracePeriodSeconds }}
{{- end }}
serviceAccountName: {{ include "argo-cd.repoServer.serviceAccountName" . }}
automountServiceAccountToken: {{ .Values.repoServer.automountServiceAccountToken }}
containers:
- name: {{ .Values.repoServer.name }}
image: {{ default .Values.global.image.repository .Values.repoServer.image.repository }}:{{ default (include "argo-cd.defaultTag" .) .Values.repoServer.image.tag }}
@ -74,14 +75,6 @@ spec:
- /usr/local/bin/argocd-repo-server
- --port={{ .Values.repoServer.containerPorts.server }}
- --metrics-port={{ .Values.repoServer.containerPorts.metrics }}
{{- with .Values.repoServer.logFormat }}
- --logformat
- {{ . | quote }}
{{- end }}
{{- with .Values.repoServer.logLevel }}
- --loglevel
- {{ . | quote }}
{{- end }}
{{- with .Values.repoServer.extraArgs }}
{{- toYaml . | nindent 8 }}
{{- end }}
@ -93,6 +86,8 @@ spec:
- name: USER_NAME
value: argocd
{{- end }}
- name: ARGOCD_REPO_SERVER_NAME
value: {{ template "argo-cd.repoServer.fullname" . }}
- name: ARGOCD_RECONCILIATION_TIMEOUT
valueFrom:
configMapKeyRef:
@ -180,15 +175,19 @@ spec:
- name: REDIS_USERNAME
valueFrom:
secretKeyRef:
name: {{ default (include "argo-cd.redis.fullname" .) .Values.externalRedis.existingSecret }}
name: {{ default "argocd-redis" .Values.externalRedis.existingSecret }}
key: redis-username
optional: true
- name: REDIS_PASSWORD
valueFrom:
secretKeyRef:
name: {{ default (include "argo-cd.redis.fullname" .) .Values.externalRedis.existingSecret }}
name: {{ default "argocd-redis" .Values.externalRedis.existingSecret }}
{{- if .Values.externalRedis.host }}
key: redis-password
optional: true
{{- else }}
key: auth
{{- end }}
- name: ARGOCD_DEFAULT_CACHE_EXPIRATION
valueFrom:
configMapKeyRef:
@ -201,6 +200,18 @@ spec:
name: argocd-cmd-params-cm
key: otlp.address
optional: true
- name: ARGOCD_REPO_SERVER_OTLP_INSECURE
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: otlp.insecure
optional: true
- name: ARGOCD_REPO_SERVER_OTLP_HEADERS
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: otlp.headers
optional: true
- name: ARGOCD_REPO_SERVER_MAX_COMBINED_DIRECTORY_MANIFESTS_SIZE
valueFrom:
configMapKeyRef:
@ -249,6 +260,24 @@ spec:
key: reposerver.enable.git.submodule
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_GIT_LS_REMOTE_PARALLELISM_LIMIT
valueFrom:
configMapKeyRef:
key: reposerver.git.lsremote.parallelism.limit
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_GIT_REQUEST_TIMEOUT
valueFrom:
configMapKeyRef:
key: reposerver.git.request.timeout
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REVISION_CACHE_LOCK_TIMEOUT
valueFrom:
configMapKeyRef:
key: reposerver.revision.cache.lock.timeout
name: argocd-cmd-params-cm
optional: true
{{- if .Values.repoServer.useEphemeralHelmWorkingDir }}
- name: HELM_CACHE_HOME
value: /helm-working-dir
@ -376,26 +405,46 @@ spec:
{{- if .Values.repoServer.existingVolumes.helmWorkingDir -}}
{{ toYaml .Values.repoServer.existingVolumes.helmWorkingDir | nindent 8 }}
{{- else }}
{{- if .Values.repoServer.emptyDir.sizeLimit }}
emptyDir:
sizeLimit: {{ .Values.repoServer.emptyDir.sizeLimit }}
{{- else }}
emptyDir: {}
{{- end }}
{{- end }}
{{- end }}
- name: plugins
{{- if .Values.repoServer.existingVolumes.plugins -}}
{{ toYaml .Values.repoServer.existingVolumes.plugins | nindent 8 }}
{{- else }}
{{- if .Values.repoServer.emptyDir.sizeLimit }}
emptyDir:
sizeLimit: {{ .Values.repoServer.emptyDir.sizeLimit }}
{{- else }}
emptyDir: {}
{{- end }}
{{- end }}
- name: var-files
{{- if .Values.repoServer.existingVolumes.varFiles -}}
{{ toYaml .Values.repoServer.existingVolumes.varFiles | nindent 8 }}
{{- else }}
{{- if .Values.repoServer.emptyDir.sizeLimit }}
emptyDir:
sizeLimit: {{ .Values.repoServer.emptyDir.sizeLimit }}
{{- else }}
emptyDir: {}
{{- end }}
{{- end }}
- name: tmp
{{- if .Values.repoServer.existingVolumes.tmp -}}
{{ toYaml .Values.repoServer.existingVolumes.tmp | nindent 8 }}
{{- else }}
{{- if .Values.repoServer.emptyDir.sizeLimit }}
emptyDir:
sizeLimit: {{ .Values.repoServer.emptyDir.sizeLimit }}
{{- else }}
emptyDir: {}
{{- end }}
{{- end }}
- name: ssh-known-hosts
configMap:
@ -410,7 +459,12 @@ spec:
{{- if .Values.repoServer.existingVolumes.gpgKeyring -}}
{{ toYaml .Values.repoServer.existingVolumes.gpgKeyring | nindent 8 }}
{{- else }}
{{- if .Values.repoServer.emptyDir.sizeLimit }}
emptyDir:
sizeLimit: {{ .Values.repoServer.emptyDir.sizeLimit }}
{{- else }}
emptyDir: {}
{{- end }}
{{- end }}
- name: argocd-repo-server-tls
secret:

2
charts/argo-cd/templates/argocd-repo-server/hpa.yaml
View file

@ -3,7 +3,7 @@ apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
name: {{ include "argo-cd.repoServer.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
namespace: {{ include "argo-cd.namespace" . }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.repoServer.name "name" .Values.repoServer.name) | nindent 4 }}
spec:

3
charts/argo-cd/templates/argocd-repo-server/metrics.yaml
View file

@ -3,7 +3,7 @@ apiVersion: v1
kind: Service
metadata:
name: {{ include "argo-cd.repoServer.fullname" . }}-metrics
namespace: {{ .Release.Namespace | quote }}
namespace: {{ include "argo-cd.namespace" . }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.repoServer.name "name" (printf "%s-metrics" .Values.repoServer.name)) | nindent 4 }}
{{- with .Values.repoServer.metrics.service.labels }}
@ -24,6 +24,7 @@ spec:
{{- if and .Values.repoServer.metrics.service.clusterIP (eq .Values.repoServer.metrics.service.type "ClusterIP") }}
clusterIP: {{ .Values.repoServer.metrics.service.clusterIP }}
{{- end }}
{{- include "argo-cd.dualStack" . | indent 2 }}
ports:
- name: {{ .Values.repoServer.metrics.service.portName }}
protocol: TCP

4
charts/argo-cd/templates/argocd-repo-server/networkpolicy.yaml
View file

@ -5,7 +5,7 @@ metadata:
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.repoServer.name "name" .Values.repoServer.name) | nindent 4 }}
name: {{ template "argo-cd.repoServer.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
namespace: {{ include "argo-cd.namespace" . }}
spec:
ingress:
- from:
@ -20,11 +20,9 @@ spec:
matchLabels:
{{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.notifications.name) | nindent 10 }}
{{- end }}
{{- if .Values.applicationSet.enabled }}
- podSelector:
matchLabels:
{{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.applicationSet.name) | nindent 10 }}
{{- end }}
ports:
- port: repo-server
protocol: TCP

2
charts/argo-cd/templates/argocd-repo-server/pdb.yaml
View file

@ -3,7 +3,7 @@ apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: {{ include "argo-cd.repoServer.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
namespace: {{ include "argo-cd.namespace" . }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.repoServer.name "name" .Values.repoServer.name) | nindent 4 }}
{{- with .Values.repoServer.pdb.labels }}

2
charts/argo-cd/templates/argocd-repo-server/role.yaml
View file

@ -3,7 +3,7 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ template "argo-cd.repoServer.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
namespace: {{ include "argo-cd.namespace" . }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.repoServer.name "name" .Values.repoServer.name) | nindent 4 }}
rules:

4
charts/argo-cd/templates/argocd-repo-server/rolebinding.yaml
View file

@ -3,7 +3,7 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "argo-cd.repoServer.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
namespace: {{ include "argo-cd.namespace" . }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.repoServer.name "name" .Values.repoServer.name) | nindent 4 }}
roleRef:
@ -13,5 +13,5 @@ roleRef:
subjects:
- kind: ServiceAccount
name: {{ include "argo-cd.repoServer.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
namespace: {{ include "argo-cd.namespace" . }}
{{- end }}

5
charts/argo-cd/templates/argocd-repo-server/service.yaml
View file

@ -13,12 +13,13 @@ metadata:
{{- toYaml . | nindent 4 }}
{{- end }}
name: {{ template "argo-cd.repoServer.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
namespace: {{ include "argo-cd.namespace" . }}
spec:
{{- include "argo-cd.dualStack" . | indent 2 }}
ports:
- name: {{ .Values.repoServer.service.portName }}
protocol: TCP
port: {{ .Values.repoServer.service.port }}
targetPort: repo-server
selector:
{{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.repoServer.name) | nindent 4 }}
{{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.repoServer.name) | nindent 4 }}

4
charts/argo-cd/templates/argocd-repo-server/serviceaccount.yaml
View file

@ -4,7 +4,7 @@ kind: ServiceAccount
automountServiceAccountToken: {{ .Values.repoServer.serviceAccount.automountServiceAccountToken }}
metadata:
name: {{ include "argo-cd.repoServer.serviceAccountName" . }}
namespace: {{ .Release.Namespace | quote }}
namespace: {{ include "argo-cd.namespace" . }}
{{- with .Values.repoServer.serviceAccount.annotations }}
annotations:
{{- range $key, $value := . }}
@ -13,7 +13,7 @@ metadata:
{{- end }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.repoServer.name "name" .Values.repoServer.name) | nindent 4 }}
{{- range $key, $value := .Values.repoServer.serviceAccount.labels }}
{{- with .Values.repoServer.serviceAccount.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}

5
charts/argo-cd/templates/argocd-repo-server/servicemonitor.yaml
View file

@ -22,6 +22,9 @@ spec:
{{- with .Values.repoServer.metrics.serviceMonitor.interval }}
interval: {{ . }}
{{- end }}
{{- with .Values.repoServer.metrics.serviceMonitor.scrapeTimeout }}
scrapeTimeout: {{ . }}
{{- end }}
path: /metrics
{{- with .Values.repoServer.metrics.serviceMonitor.relabelings }}
relabelings:
@ -40,7 +43,7 @@ spec:
{{- end }}
namespaceSelector:
matchNames:
- {{ .Release.Namespace }}
- {{ include "argo-cd.namespace" . }}
selector:
matchLabels:
{{- include "argo-cd.selectorLabels" (dict "context" . "component" .Values.repoServer.name "name" (printf "%s-metrics" .Values.repoServer.name)) | nindent 6 }}

71
charts/argo-cd/templates/argocd-server/aws/ingress.yaml Normal file
View file

@ -0,0 +1,71 @@
{{- if and .Values.server.ingress.enabled (eq .Values.server.ingress.controller "aws") }}
{{- $insecure := index .Values.configs.params "server.insecure" | toString -}}
{{- $servicePort := eq $insecure "true" | ternary .Values.server.service.servicePortHttp .Values.server.service.servicePortHttps -}}
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: {{ include "argo-cd.server.fullname" . }}
namespace: {{ include "argo-cd.namespace" . }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }}
{{- with .Values.server.ingress.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
annotations:
alb.ingress.kubernetes.io/conditions.{{ include "argo-cd.server.fullname" . }}-grpc: |
[{"field":"http-header","httpHeaderConfig":{"httpHeaderName": "Content-Type", "values":["application/grpc"]}}]
{{- range $key, $value := .Values.server.ingress.annotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
spec:
{{- with .Values.server.ingress.ingressClassName }}
ingressClassName: {{ . }}
{{- end }}
rules:
- host: {{ .Values.server.ingress.hostname | default .Values.global.domain }}
http:
paths:
{{- with .Values.server.ingress.extraPaths }}
{{- tpl (toYaml .) $ | nindent 10 }}
{{- end }}
- path: {{ .Values.server.ingress.path }}
pathType: {{ $.Values.server.ingressGrpc.pathType }}
backend:
service:
name: {{ include "argo-cd.server.fullname" $ }}-grpc
port:
number: {{ $servicePort }}
- path: {{ .Values.server.ingress.path }}
pathType: {{ $.Values.server.ingress.pathType }}
backend:
service:
name: {{ include "argo-cd.server.fullname" . }}
port:
number: {{ $servicePort }}
{{- range .Values.server.ingress.extraHosts }}
- host: {{ .name | quote }}
http:
paths:
- path: {{ default $.Values.server.ingress.path .path }}
pathType: {{ default $.Values.server.ingress.pathType .pathType }}
backend:
service:
name: {{ include "argo-cd.server.fullname" $ }}
port:
number: {{ $servicePort }}
{{- end }}
{{- with .Values.server.ingress.extraRules }}
{{- tpl (toYaml .) $ | nindent 4 }}
{{- end }}
{{- if or .Values.server.ingress.tls .Values.server.ingress.extraTls }}
tls:
{{- if .Values.server.ingress.tls }}
- hosts:
- {{ .Values.server.ingress.hostname | default .Values.global.domain }}
secretName: argocd-server-tls
{{- end }}
{{- with .Values.server.ingress.extraTls }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}
{{- end }}

9
charts/argo-cd/templates/argocd-server/aws/service.yaml
View file

@ -1,14 +1,15 @@
{{- if and .Values.server.ingressGrpc.enabled .Values.server.ingressGrpc.isAWSALB -}}
{{- if and .Values.server.ingress.enabled (eq .Values.server.ingress.controller "aws") }}
apiVersion: v1
kind: Service
metadata:
annotations:
alb.ingress.kubernetes.io/backend-protocol-version: {{ .Values.server.ingressGrpc.awsALB.backendProtocolVersion }}
alb.ingress.kubernetes.io/backend-protocol-version: {{ .Values.server.ingress.aws.backendProtocolVersion }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" (print .Values.server.name "-gprc") "name" (print .Values.server.name "-grpc")) | nindent 4 }}
name: {{ template "argo-cd.server.fullname" . }}-grpc
namespace: {{ .Release.Namespace | quote }}
namespace: {{ include "argo-cd.namespace" . }}
spec:
{{- include "argo-cd.dualStack" . | indent 2 }}
ports:
- name: {{ .Values.server.service.servicePortHttpName }}
protocol: TCP
@ -21,5 +22,5 @@ spec:
selector:
{{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.server.name) | nindent 4 }}
sessionAffinity: None
type: {{ .Values.server.ingressGrpc.awsALB.serviceType }}
type: {{ .Values.server.ingress.aws.serviceType }}
{{- end -}}

6
charts/argo-cd/templates/argocd-server/certificate.yaml
View file

@ -9,14 +9,14 @@ metadata:
{{- end }}
{{- end }}
name: {{ include "argo-cd.server.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
namespace: {{ include "argo-cd.namespace" . }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }}
spec:
secretName: {{ .Values.server.certificate.secretName }}
commonName: {{ .Values.server.certificate.domain | quote }}
commonName: {{ .Values.server.certificate.domain | default .Values.global.domain }}
dnsNames:
- {{ .Values.server.certificate.domain | quote }}
- {{ .Values.server.certificate.domain | default .Values.global.domain }}
{{- range .Values.server.certificate.additionalHosts }}
- {{ . | quote }}
{{- end }}

20
charts/argo-cd/templates/argocd-server/clusterrole.yaml
View file

@ -1,5 +1,4 @@
{{- $config := .Values.server.clusterAdminAccess | default dict -}}
{{- if hasKey $config "enabled" | ternary $config.enabled .Values.createClusterRoles }}
{{- if .Values.createClusterRoles }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
@ -7,6 +6,9 @@ metadata:
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }}
rules:
{{- if .Values.server.clusterRoleRules.enabled }}
{{- toYaml .Values.server.clusterRoleRules.rules | nindent 2 }}
{{- else }}
- apiGroups:
- '*'
resources:
@ -31,7 +33,7 @@ rules:
- pods/log
verbs:
- get
{{- if eq (toString (index (coalesce .Values.server.config .Values.configs.cm) "exec.enabled")) "true" }}
{{- if eq (toString (index .Values.configs.cm "exec.enabled")) "true" }}
- apiGroups:
- ""
resources:
@ -49,6 +51,17 @@ rules:
- list
- update
- watch
{{- if (index .Values.configs.params "application.namespaces") }}
- apiGroups:
- "argoproj.io"
resources:
- "applications"
verbs:
- create
- delete
- update
- patch
{{- end }}
- apiGroups:
- batch
resources:
@ -63,4 +76,5 @@ rules:
verbs:
{{/* supports triggering workflows from UI */}}
- create
{{- end }}
{{- end }}

5
charts/argo-cd/templates/argocd-server/clusterrolebinding.yaml
View file

@ -1,5 +1,4 @@
{{- $config := .Values.server.clusterAdminAccess | default dict -}}
{{- if hasKey $config "enabled" | ternary $config.enabled .Values.createClusterRoles }}
{{- if .Values.createClusterRoles }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
@ -13,5 +12,5 @@ roleRef:
subjects:
- kind: ServiceAccount
name: {{ include "argo-cd.server.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
namespace: {{ include "argo-cd.namespace" . }}
{{- end }}

69
charts/argo-cd/templates/argocd-server/deployment.yaml
View file

@ -8,7 +8,7 @@ metadata:
{{- end }}
{{- end }}
name: {{ template "argo-cd.server.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
namespace: {{ include "argo-cd.namespace" . }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }}
spec:
@ -27,6 +27,9 @@ spec:
metadata:
annotations:
checksum/cmd-params: {{ include (print $.Template.BasePath "/argocd-configs/argocd-cmd-params-cm.yaml") . | sha256sum }}
{{- if .Values.configs.cm.create }}
checksum/cm: {{ include (print $.Template.BasePath "/argocd-configs/argocd-cm.yaml") . | sha256sum }}
{{- end }}
{{- with (mergeOverwrite (deepCopy .Values.global.podAnnotations) .Values.server.podAnnotations) }}
{{- range $key, $value := . }}
{{ $key }}: {{ $value | quote }}
@ -57,6 +60,7 @@ spec:
terminationGracePeriodSeconds: {{ .Values.server.terminationGracePeriodSeconds }}
{{- end }}
serviceAccountName: {{ include "argo-cd.server.serviceAccountName" . }}
automountServiceAccountToken: {{ .Values.server.automountServiceAccountToken }}
containers:
- name: {{ .Values.server.name }}
image: {{ default .Values.global.image.repository .Values.server.image.repository }}:{{ default (include "argo-cd.defaultTag" .) .Values.server.image.tag }}
@ -65,14 +69,6 @@ spec:
- /usr/local/bin/argocd-server
- --port={{ .Values.server.containerPorts.server }}
- --metrics-port={{ .Values.server.containerPorts.metrics }}
{{- with .Values.server.logFormat }}
- --logformat
- {{ . | quote }}
{{- end }}
{{- with .Values.server.logLevel }}
- --loglevel
- {{ . | quote }}
{{- end }}
{{- with .Values.server.extraArgs }}
{{- toYaml . | nindent 8 }}
{{- end }}
@ -80,6 +76,8 @@ spec:
{{- with (concat .Values.global.env .Values.server.env) }}
{{- toYaml . | nindent 10 }}
{{- end }}
- name: ARGOCD_SERVER_NAME
value: {{ template "argo-cd.server.fullname" . }}
- name: ARGOCD_SERVER_INSECURE
valueFrom:
configMapKeyRef:
@ -245,15 +243,19 @@ spec:
- name: REDIS_USERNAME
valueFrom:
secretKeyRef:
name: {{ default (include "argo-cd.redis.fullname" .) .Values.externalRedis.existingSecret }}
name: {{ default "argocd-redis" .Values.externalRedis.existingSecret }}
key: redis-username
optional: true
- name: REDIS_PASSWORD
valueFrom:
secretKeyRef:
name: {{ default (include "argo-cd.redis.fullname" .) .Values.externalRedis.existingSecret }}
name: {{ default "argocd-redis" .Values.externalRedis.existingSecret }}
{{- if .Values.externalRedis.host }}
key: redis-password
optional: true
{{- else }}
key: auth
{{- end }}
- name: ARGOCD_DEFAULT_CACHE_EXPIRATION
valueFrom:
configMapKeyRef:
@ -284,6 +286,18 @@ spec:
name: argocd-cmd-params-cm
key: otlp.address
optional: true
- name: ARGOCD_SERVER_OTLP_INSECURE
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: otlp.insecure
optional: true
- name: ARGOCD_SERVER_OTLP_HEADERS
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: otlp.headers
optional: true
- name: ARGOCD_APPLICATION_NAMESPACES
valueFrom:
configMapKeyRef:
@ -296,6 +310,24 @@ spec:
name: argocd-cmd-params-cm
key: server.enable.proxy.extension
optional: true
- name: ARGOCD_K8SCLIENT_RETRY_MAX
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: server.k8sclient.retry.max
optional: true
- name: ARGOCD_K8SCLIENT_RETRY_BASE_BACKOFF
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: server.k8sclient.retry.base.backoff
optional: true
- name: ARGOCD_API_CONTENT_TYPES
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: server.api.content.types
optional: true
{{- with .Values.server.envFrom }}
envFrom:
{{- toYaml . | nindent 10 }}
@ -415,12 +447,27 @@ spec:
{{- end }}
{{- if .Values.server.extensions.enabled }}
- name: extensions
{{- if .Values.server.emptyDir.sizeLimit }}
emptyDir:
sizeLimit: {{ .Values.server.emptyDir.sizeLimit }}
{{- else }}
emptyDir: {}
{{- end }}
{{- end }}
- name: plugins-home
{{- if .Values.server.emptyDir.sizeLimit }}
emptyDir:
sizeLimit: {{ .Values.server.emptyDir.sizeLimit }}
{{- else }}
emptyDir: {}
{{- end }}
- name: tmp
{{- if .Values.server.emptyDir.sizeLimit }}
emptyDir:
sizeLimit: {{ .Values.server.emptyDir.sizeLimit }}
{{- else }}
emptyDir: {}
{{- end }}
- name: ssh-known-hosts
configMap:
name: argocd-ssh-known-hosts-cm

12
charts/argo-cd/templates/argocd-server/gke/backendconfig.yaml
View file

@ -1,11 +1,13 @@
{{- if .Values.server.GKEbackendConfig.enabled }}
apiVersion: {{ include "argo-cd.apiVersions.cloudgoogle" . }}
{{- if and .Values.server.ingress.enabled (eq .Values.server.ingress.controller "gke") .Values.server.ingress.gke.backendConfig }}
apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
name: {{ template "argo-cd.server.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
name: {{ include "argo-cd.server.fullname" . }}
namespace: {{ include "argo-cd.namespace" . }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }}
{{- with .Values.server.ingress.gke.backendConfig }}
spec:
{{- toYaml .Values.server.GKEbackendConfig.spec | nindent 2 }}
{{- toYaml . | nindent 2 }}
{{- end }}
{{- end }}

10
charts/argo-cd/templates/argocd-server/gke/frontendconfig.yaml
View file

@ -1,11 +1,13 @@
{{- if .Values.server.GKEfrontendConfig.enabled }}
{{- if and .Values.server.ingress.enabled (eq .Values.server.ingress.controller "gke") .Values.server.ingress.gke.frontendConfig }}
apiVersion: networking.gke.io/v1beta1
kind: FrontendConfig
metadata:
name: {{ template "argo-cd.server.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
name: {{ include "argo-cd.server.fullname" . }}
namespace: {{ include "argo-cd.namespace" . }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }}
{{- with .Values.server.ingress.gke.frontendConfig }}
spec:
{{- toYaml .Values.server.GKEfrontendConfig.spec | nindent 2 }}
{{- toYaml . | nindent 2 }}
{{- end }}
{{- end }}

69
charts/argo-cd/templates/argocd-server/gke/ingress.yaml Normal file
View file

@ -0,0 +1,69 @@
{{- if and .Values.server.ingress.enabled (eq .Values.server.ingress.controller "gke") }}
{{- $insecure := index .Values.configs.params "server.insecure" | toString -}}
{{- $servicePort := eq $insecure "true" | ternary .Values.server.service.servicePortHttp .Values.server.service.servicePortHttps -}}
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: {{ include "argo-cd.server.fullname" . }}
namespace: {{ include "argo-cd.namespace" . }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }}
{{- with .Values.server.ingress.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
annotations:
ingressClassName: "gce"
{{- if .Values.server.ingress.gke.managedCertificate.create }}
networking.gke.io/managed-certificates: {{ include "argo-cd.server.fullname" . }}
{{- end }}
{{- if .Values.server.ingress.gke.frontendConfig }}
networking.gke.io/v1beta1.FrontendConfig: {{ include "argo-cd.server.fullname" . }}
{{- end }}
{{- range $key, $value := .Values.server.ingress.annotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
spec:
{{- with .Values.server.ingress.ingressClassName }}
ingressClassName: {{ . }}
{{- end }}
rules:
- host: {{ .Values.server.ingress.hostname | default .Values.global.domain }}
http:
paths:
{{- with .Values.server.ingress.extraPaths }}
{{- tpl (toYaml .) $ | nindent 10 }}
{{- end }}
- path: {{ .Values.server.ingress.path }}
pathType: {{ .Values.server.ingress.pathType }}
backend:
service:
name: {{ include "argo-cd.server.fullname" . }}
port:
number: {{ $servicePort }}
{{- range .Values.server.ingress.extraHosts }}
- host: {{ .name | quote }}
http:
paths:
- path: {{ default $.Values.server.ingress.path .path }}
pathType: {{ default $.Values.server.ingress.pathType .pathType }}
backend:
service:
name: {{ include "argo-cd.server.fullname" $ }}
port:
number: {{ $servicePort }}
{{- end }}
{{- with .Values.server.ingress.extraRules }}
{{- tpl (toYaml .) $ | nindent 4 }}
{{- end }}
{{- if or .Values.server.ingress.tls .Values.server.ingress.extraTls }}
tls:
{{- if .Values.server.ingress.tls }}
- hosts:
- {{ .Values.server.ingress.hostname | default .Values.global.domain }}
secretName: argocd-server-tls
{{- end }}
{{- with .Values.server.ingress.extraTls }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}
{{- end }}

13
charts/argo-cd/templates/argocd-server/gke/managedcertificate.yaml
View file

@ -1,12 +1,15 @@
{{- if .Values.server.GKEmanagedCertificate.enabled }}
{{- if and .Values.server.ingress.enabled (eq .Values.server.ingress.controller "gke") .Values.server.ingress.gke.managedCertificate.create }}
apiVersion: networking.gke.io/v1
kind: ManagedCertificate
metadata:
name: {{ template "argo-cd.server.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
name: {{ include "argo-cd.server.fullname" . }}
namespace: {{ include "argo-cd.namespace" . }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }}
spec:
domains:
{{- with .Values.server.GKEmanagedCertificate.domains }}
{{- toYaml . | nindent 4 }}
- {{ .Values.server.ingress.hostname | default .Values.global.domain }}
{{- with .Values.server.ingress.gke.managedCertificate.extraDomains }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}

2
charts/argo-cd/templates/argocd-server/hpa.yaml
View file

@ -3,7 +3,7 @@ apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
name: {{ include "argo-cd.server.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
namespace: {{ include "argo-cd.namespace" . }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }}
spec:

72
charts/argo-cd/templates/argocd-server/ingress-grpc.yaml
View file

@ -1,13 +1,10 @@
{{- if and .Values.server.ingressGrpc.enabled (not .Values.server.ingressGrpc.isAWSALB) -}}
{{- $servicePort := ternary .Values.server.service.servicePortHttps .Values.server.service.servicePortHttp .Values.server.ingressGrpc.https -}}
{{- $paths := .Values.server.ingressGrpc.paths -}}
{{- $extraPaths := .Values.server.ingressGrpc.extraPaths -}}
{{- $pathType := .Values.server.ingressGrpc.pathType -}}
{{- if .Values.server.ingressGrpc.enabled -}}
{{- $hostname := printf "grpc.%s" (.Values.server.ingress.hostname | default .Values.global.domain) -}}
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: {{ include "argo-cd.server.fullname" . }}-grpc
namespace: {{ .Release.Namespace | quote }}
namespace: {{ include "argo-cd.namespace" . }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }}
{{- with .Values.server.ingressGrpc.labels }}
@ -24,50 +21,43 @@ spec:
ingressClassName: {{ . }}
{{- end }}
rules:
{{- if .Values.server.ingressGrpc.hosts }}
{{- range $host := .Values.server.ingressGrpc.hosts }}
- host: {{ $host }}
- host: {{ .Values.server.ingressGrpc.hostname | default $hostname }}
http:
paths:
{{- with $extraPaths }}
{{- toYaml . | nindent 10 }}
{{- with .Values.server.ingressGrpc.extraPaths }}
{{- tpl (toYaml .) $ | nindent 10 }}
{{- end }}
{{- range $p := $paths }}
- path: {{ $p }}
pathType: {{ $pathType }}
- path: {{ .Values.server.ingressGrpc.path }}
pathType: {{ .Values.server.ingressGrpc.pathType }}
backend:
service:
name: {{ include "argo-cd.server.fullname" $ }}
name: {{ include "argo-cd.server.fullname" . }}
port:
{{- if kindIs "float64" $servicePort }}
number: {{ $servicePort }}
{{- else }}
name: {{ $servicePort }}
{{- end }}
{{- end -}}
{{- end -}}
{{- else }}
- http:
number: {{ .Values.server.service.servicePortHttps }}
{{- range .Values.server.ingressGrpc.extraHosts }}
- host: {{ .name | quote }}
http:
paths:
{{- with $extraPaths }}
{{- toYaml . | nindent 10 }}
{{- end }}
{{- range $p := $paths }}
- path: {{ $p }}
pathType: {{ $pathType }}
- path: {{ default $.Values.server.ingressGrpc.path .path }}
pathType: {{ default $.Values.server.ingressGrpc.pathType .pathType }}
backend:
service:
name: {{ include "argo-cd.server.fullname" $ }}
port:
{{- if kindIs "float64" $servicePort }}
number: {{ $servicePort }}
{{- else }}
name: {{ $servicePort }}
{{- end }}
{{- end -}}
{{- end -}}
{{- with .Values.server.ingressGrpc.tls }}
number: {{ $.Values.server.service.servicePortHttps }}
{{- end }}
{{- with .Values.server.ingressGrpc.extraRules }}
{{- tpl (toYaml .) $ | nindent 4 }}
{{- end }}
{{- if or .Values.server.ingressGrpc.tls .Values.server.ingressGrpc.extraTls }}
tls:
{{- toYaml . | nindent 4 }}
{{- end -}}
{{- end -}}
{{- if .Values.server.ingressGrpc.tls }}
- hosts:
- {{ .Values.server.ingressGrpc.hostname | default $hostname }}
secretName: argocd-server-grpc-tls
{{- end }}
{{- with .Values.server.ingressGrpc.extraTls }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}
{{- end }}

95
charts/argo-cd/templates/argocd-server/ingress.yaml
View file

@ -1,90 +1,69 @@
{{- if .Values.server.ingress.enabled -}}
{{- $servicePort := ternary .Values.server.service.servicePortHttps .Values.server.service.servicePortHttp .Values.server.ingress.https -}}
{{- $paths := .Values.server.ingress.paths -}}
{{- $extraPaths := .Values.server.ingress.extraPaths -}}
{{- $pathType := .Values.server.ingress.pathType -}}
{{- if and .Values.server.ingress.enabled (eq .Values.server.ingress.controller "generic") }}
{{- $insecure := index .Values.configs.params "server.insecure" | toString -}}
{{- $servicePort := eq $insecure "true" | ternary .Values.server.service.servicePortHttp .Values.server.service.servicePortHttps -}}
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: {{ include "argo-cd.server.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
namespace: {{ include "argo-cd.namespace" . }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }}
{{- with .Values.server.ingress.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- if .Values.server.ingress.annotations }}
{{- with .Values.server.ingress.annotations }}
annotations:
{{- range $key, $value := .Values.server.ingress.annotations }}
{{- range $key, $value := . }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- if and .Values.server.ingressGrpc.isAWSALB .Values.server.ingressGrpc.enabled }}
alb.ingress.kubernetes.io/conditions.{{ template "argo-cd.server.fullname" . }}-grpc: |
[{"field":"http-header","httpHeaderConfig":{"httpHeaderName": "Content-Type", "values":["application/grpc"]}}]
{{- end }}
{{- end }}
spec:
{{- with .Values.server.ingress.ingressClassName }}
ingressClassName: {{ . }}
{{- end }}
rules:
{{- if .Values.server.ingress.hosts }}
{{- range $host := .Values.server.ingress.hosts }}
- host: {{ $host | quote }}
- host: {{ .Values.server.ingress.hostname | default .Values.global.domain }}
http:
paths:
{{- with $extraPaths }}
{{- toYaml . | nindent 10 }}
{{- with .Values.server.ingress.extraPaths }}
{{- tpl (toYaml .) $ | nindent 10 }}
{{- end }}
{{- range $p := $paths }}
{{- if and $.Values.server.ingressGrpc.isAWSALB $.Values.server.ingressGrpc.enabled }}
- path: {{ $p }}
pathType: {{ $.Values.server.ingressGrpc.pathType }}
- path: {{ .Values.server.ingress.path }}
pathType: {{ $.Values.server.ingress.pathType }}
backend:
service:
name: {{ template "argo-cd.server.fullname" $ }}-grpc
name: {{ include "argo-cd.server.fullname" . }}
port:
{{- if kindIs "float64" $servicePort }}
number: {{ $servicePort }}
{{- else }}
name: {{ $servicePort }}
{{- end }}
{{- end }}
- path: {{ $p }}
pathType: {{ $pathType }}
backend:
service:
name: {{ include "argo-cd.server.fullname" $ }}
port:
{{- if kindIs "float64" $servicePort }}
number: {{ $servicePort }}
{{- else }}
name: {{ $servicePort }}
{{- end }}
{{- end -}}
{{- end -}}
{{- else }}
- http:
{{- range .Values.server.ingress.extraHosts }}
- host: {{ .name | quote }}
http:
paths:
{{- with $extraPaths }}
{{- toYaml . | nindent 10 }}
{{- end }}
{{- range $p := $paths }}
- path: {{ $p }}
pathType: {{ $pathType }}
- path: {{ default $.Values.server.ingress.path .path }}
pathType: {{ default $.Values.server.ingress.pathType .pathType }}
backend:
service:
name: {{ include "argo-cd.server.fullname" $ }}
port:
{{- if kindIs "float64" $servicePort }}
number: {{ $servicePort }}
{{- else }}
name: {{ $servicePort }}
{{- end }}
{{- end -}}
{{- end -}}
{{- with .Values.server.ingress.tls }}
{{- end }}
{{- with .Values.server.ingress.extraRules }}
{{- tpl (toYaml .) $ | nindent 4 }}
{{- end }}
{{- if or .Values.server.ingress.tls .Values.server.ingress.extraTls }}
tls:
{{- toYaml . | nindent 4 }}
{{- end -}}
{{- end -}}
{{- if .Values.server.ingress.tls }}
- hosts:
- {{ .Values.server.ingress.hostname | default .Values.global.domain }}
{{- range .Values.server.ingress.extraHosts }}
{{- if .name }}
- {{ .name }}
{{- end }}
{{- end }}
secretName: argocd-server-tls
{{- end }}
{{- with .Values.server.ingress.extraTls }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}
{{- end }}

3
charts/argo-cd/templates/argocd-server/metrics.yaml
View file

@ -3,7 +3,7 @@ apiVersion: v1
kind: Service
metadata:
name: {{ include "argo-cd.server.fullname" . }}-metrics
namespace: {{ .Release.Namespace | quote }}
namespace: {{ include "argo-cd.namespace" . }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.server.name "name" (printf "%s-metrics" .Values.server.name)) | nindent 4 }}
{{- with .Values.server.metrics.service.labels }}
@ -24,6 +24,7 @@ spec:
{{- if and .Values.server.metrics.service.clusterIP (eq .Values.server.metrics.service.type "ClusterIP") }}
clusterIP: {{ .Values.server.metrics.service.clusterIP }}
{{- end }}
{{- include "argo-cd.dualStack" . | indent 2 }}
ports:
- name: {{ .Values.server.metrics.service.portName }}
protocol: TCP

2
charts/argo-cd/templates/argocd-server/networkpolicy.yaml
View file

@ -5,7 +5,7 @@ metadata:
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }}
name: {{ template "argo-cd.server.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
namespace: {{ include "argo-cd.namespace" . }}
spec:
ingress:
- {}

4
charts/argo-cd/templates/argocd-server/openshift/route.yaml
View file

@ -3,7 +3,7 @@ apiVersion: route.openshift.io/v1
kind: Route
metadata:
name: {{ template "argo-cd.server.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
namespace: {{ include "argo-cd.namespace" . }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }}
{{- with .Values.server.route.annotations }}
@ -13,7 +13,7 @@ metadata:
{{- end }}
{{- end }}
spec:
host: {{ .Values.server.route.hostname | quote }}
host: {{ .Values.server.route.hostname | default .Values.global.domain | quote }}
to:
kind: Service
name: {{ template "argo-cd.server.fullname" . }}

2
charts/argo-cd/templates/argocd-server/pdb.yaml
View file

@ -3,7 +3,7 @@ apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: {{ include "argo-cd.server.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
namespace: {{ include "argo-cd.namespace" . }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }}
{{- with .Values.server.pdb.labels }}

Some files were not shown because too many files have changed in this diff Show more