diff --git a/.circleci/chart-testing.yaml b/.circleci/chart-testing.yaml
index f9b5e85a..88308c21 100644
--- a/.circleci/chart-testing.yaml
+++ b/.circleci/chart-testing.yaml
@@ -1,2 +1,3 @@
 chart-repos:
 - argo=https://argoproj.github.io/argo-helm
+ - minio=https://helm.min.io/
diff --git a/.circleci/config.yml b/.circleci/config.yml
index 4156df56..eef2b982 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -2,23 +2,25 @@ version: 2.1
 jobs:
 lint:
 docker:
- - image: gcr.io/kubernetes-charts-ci/test-image:v3.1.0
+ - image: quay.io/helmpack/chart-testing:v3.3.1
 steps:
 - checkout
+ - run: helm repo add stable https://charts.helm.sh/stable
 - run: ct lint --config .circleci/chart-testing.yaml --lint-conf .circleci/lintconf.yaml
 # Technically this only needs to be run on master, but it's good to have it run on every PR
 # so that it is regularly tested.
 publish:
 docker:
 # We just need an image with `helm` on it. Handily we know of one already.
- - image: gcr.io/kubernetes-charts-ci/test-image:v3.1.0
+ - image: quay.io/helmpack/chart-testing:v3.3.1
 steps:
 # install the additional keys needed to push to Github. Alex Collins owns these keys.
 - add_ssh_keys
 - run: git config --global user.email "nobody@circleci.com"
 - run: git config --global user.name "Circle CI Build"
 - checkout
- - run: helm init --client-only
+ - run: helm repo add stable https://charts.helm.sh/stable
+ - run: helm repo add minio https://helm.min.io/
 # Only actually publish charts on master.
 - run: |
 set -x
@@ -35,4 +37,4 @@ workflows:
 - lint
 - publish:
 requires:
- - lint
\ No newline at end of file
+ - lint
diff --git a/charts/argo-cd/README.md b/charts/argo-cd/README.md
index 07b72e20..cebd0923 100644
--- a/charts/argo-cd/README.md
+++ b/charts/argo-cd/README.md
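Review bot: The new `quay.io/helmpack/chart-testing:v3.3.1` image in the `publish` job of `.circleci/config.yml` is referenced by a mutable tag, and that job loads the SSH key used to push to GitHub (`add_ssh_keys`), so whatever the tag resolves to at build time runs with push access to the chart repository. Pinning by digest, e.g. `- image: quay.io/helmpack/chart-testing:v3.3.1@sha256:<digest-placeholder>`, keeps the publishing environment fixed until someone deliberately updates it; the `lint` job uses the same image and can be pinned the same way. The `publish` job body continues past the end of this hunk.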
@@ -14,6 +14,10 @@ This chart currently installs the non-HA version of ArgoCD. ## Upgrading +### 2.10.x to 2.11.0 + +The application controller is now available as a `StatefulSet` when the `controller.enableStatefulSet` flag is set to true. Depending on your Helm deployment this may be a downtime or breaking change if enabled when using HA and will become the default in 3.x. + ### 1.8.7 to 2.x.x `controller.extraArgs`, `repoServer.extraArgs` and `server.extraArgs` are now arrays of strings intead of a map @@ -93,6 +97,7 @@ Helm v3 has removed the `install-crds` hook so CRDs are now populated by files i | controller.clusterAdminAccess.enabled | Enable RBAC for local cluster deployments. | `true` | | controller.containerPort | Controller listening port. | `8082` | | controller.extraArgs | Additional arguments for the controller. A list of flags | `[]` | +| controller.enableStatefulSet | Enable deploying the controller as a StatefulSet instead of a Deployment. Used for HA installations. | `false` | | controller.env | Environment variables for the controller. | `[]` | | controller.image.repository | Repository to use for the controller | `global.image.repository` | | controller.image.imagePullPolicy | Image pull policy for the controller | `global.image.imagePullPolicy` | diff --git a/charts/argo-cd/crds/crd-application.yaml b/charts/argo-cd/crds/crd-application.yaml index 5a08d884..9a708978 100644 --- a/charts/argo-cd/crds/crd-application.yaml +++ b/charts/argo-cd/crds/crd-application.yaml @@ -1,4 +1,4 @@ -apiVersion: apiextensions.k8s.io/v1beta1 +apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: labels: @@ -1654,4 +1654,4 @@ spec: versions: - name: v1alpha1 served: true - storage: true \ No newline at end of file + storage: true diff --git a/charts/argo-cd/crds/crd-project.yaml b/charts/argo-cd/crds/crd-project.yaml index 35d9dde9..a911370c 100644 --- a/charts/argo-cd/crds/crd-project.yaml +++ b/charts/argo-cd/crds/crd-project.yaml 
@@ -1,4 +1,4 @@
-apiVersion: apiextensions.k8s.io/v1beta1
+apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 labels:
@@ -228,4 +228,4 @@ spec:
 versions:
 - name: v1alpha1
 served: true
- storage: true
\ No newline at end of file
+ storage: true
diff --git a/charts/argo-cd/requirements.lock b/charts/argo-cd/requirements.lock
index 61752ccb..6b9da354 100644
--- a/charts/argo-cd/requirements.lock
+++ b/charts/argo-cd/requirements.lock
@@ -1,6 +1,6 @@
 dependencies:
 - name: redis-ha
- repository: https://kubernetes-charts.storage.googleapis.com
+ repository: https://charts.helm.sh/stable
 version: 4.4.2
-digest: sha256:70fdd035c3aa3b7185882f12a73143c58ab32f04262dda2cf34a2b1a52116d96
-generated: "2020-03-29T14:37:59.349371452+01:00"
+digest: sha256:21780522f7047d49ccad6d79f79ee3e28b4839df044beea293e2e4fd69610f52
+generated: "2021-01-11T16:15:21.274802-08:00"
diff --git a/charts/argo-cd/requirements.yaml b/charts/argo-cd/requirements.yaml
index eb6313dd..64a897e3 100644
--- a/charts/argo-cd/requirements.yaml
+++ b/charts/argo-cd/requirements.yaml
@@ -1,5 +1,5 @@
 dependencies:
 - name: redis-ha
 version: 4.4.2
- repository: https://kubernetes-charts.storage.googleapis.com
- condition: redis-ha.enabled
\ No newline at end of file
+ repository: https://charts.helm.sh/stable
+ condition: redis-ha.enabled
diff --git a/charts/argo-cd/templates/argocd-application-controller/deployment.yaml b/charts/argo-cd/templates/argocd-application-controller/deployment.yaml
index 3dde5e51..c2260c78 100755
--- a/charts/argo-cd/templates/argocd-application-controller/deployment.yaml
+++ b/charts/argo-cd/templates/argocd-application-controller/deployment.yaml
@@ -1,6 +1,6 @@
 {{- $redisHa := (index .Values "redis-ha") -}}
 apiVersion: apps/v1
-kind: Deployment
+kind: {{ .Values.controller.enableStatefulSet | ternary "StatefulSet" "Deployment" }}
 metadata:
 name: {{ template "argo-cd.controller.fullname" . }}
 labels:
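Review bot: The new `kind:` line in `deployment.yaml` passes `.Values.controller.enableStatefulSet` straight to `ternary`, which expects a boolean; if the key is absent (for example on `helm upgrade --reuse-values` from a release that predates the flag) I would expect the render to fail rather than fall back to `Deployment`. `kind: {{ .Values.controller.enableStatefulSet | default false | ternary "StatefulSet" "Deployment" }}` keeps the old behaviour for such releases. The second hunk of this file adds `serviceName` under the same flag; a StatefulSet expects that name to match a governing Service, and no Service is added in the hunks shown, so it is worth confirming one with that name exists.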
@@ -16,6 +16,9 @@ spec: matchLabels: app.kubernetes.io/name: {{ include "argo-cd.name" . }}-application-controller app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.controller.enableStatefulSet }} + serviceName: {{ template "argo-cd.controller.fullname" . }} + {{- end }} revisionHistoryLimit: 5 replicas: {{ .Values.controller.replicas }} template: diff --git a/charts/argo-cd/values.yaml b/charts/argo-cd/values.yaml index 745b270b..5331d96b 100755 --- a/charts/argo-cd/values.yaml +++ b/charts/argo-cd/values.yaml @@ -34,6 +34,9 @@ controller: # If changing the number of replicas you must pass the number as ARGOCD_CONTROLLER_REPLICAS as an environment variable replicas: 1 + # Deploy the application as a StatefulSet instead of a Deployment, this is required for HA capability. + # This is a feature flag that will become the default in chart version 3.x + enableStatefulSet: false ## Argo controller commandline flags args: @@ -52,10 +55,10 @@ controller: ## Environment variables to pass to argocd-controller ## - env: [] - # - name: "ARGOCD_CONTROLLER_REPLICAS" - # value: "" - + env: + [] + # - name: "ARGOCD_CONTROLLER_REPLICAS" + # value: "" ## Annotations to be added to controller pods ## @@ -66,7 +69,8 @@ controller: podLabels: {} ## Labels to set container specific security contexts - containerSecurityContext: {} + containerSecurityContext: + {} # capabilities: # drop: # - all @@ -242,12 +246,12 @@ dex: priorityClassName: "" ## Labels to set container specific security contexts - containerSecurityContext: {} + containerSecurityContext: + {} # capabilities: # drop: # - all - resources: {} # limits: # cpu: 50m @@ -291,7 +295,8 @@ redis: priorityClassName: "" ## Labels to set container specific security contexts - containerSecurityContext: {} + containerSecurityContext: + {} # capabilities: # drop: # - all @@ -326,7 +331,7 @@ redis-ha: redis: masterGroupName: argocd config: - save: "\"\"" + save: '""' haproxy: enabled: true metrics: 
@@ -409,7 +414,8 @@ server: priorityClassName: "" ## Labels to set container specific security contexts - containerSecurityContext: {} + containerSecurityContext: + {} # capabilities: # drop: # - all @@ -759,7 +765,8 @@ repoServer: priorityClassName: "" ## Labels to set container specific security contexts - containerSecurityContext: {} + containerSecurityContext: + {} # capabilities: # drop: # - all @@ -815,24 +822,24 @@ repoServer: ## Use init containers to configure custom tooling ## https://argoproj.github.io/argo-cd/operator-manual/custom_tools/ ## When using the volumes & volumeMounts section bellow, please comment out those above. - # volumes: - # - name: custom-tools - # emptyDir: {} - # - # initContainers: - # - name: download-tools - # image: alpine:3.8 - # command: [sh, -c] - # args: - # - wget -qO- https://get.helm.sh/helm-v2.16.1-linux-amd64.tar.gz | tar -xvzf - && - # mv linux-amd64/helm /custom-tools/ - # volumeMounts: - # - mountPath: /custom-tools - # name: custom-tools - # volumeMounts: - # - mountPath: /usr/local/bin/helm - # name: custom-tools - # subPath: helm + # volumes: + # - name: custom-tools + # emptyDir: {} + # + # initContainers: + # - name: download-tools + # image: alpine:3.8 + # command: [sh, -c] + # args: + # - wget -qO- https://get.helm.sh/helm-v2.16.1-linux-amd64.tar.gz | tar -xvzf - && + # mv linux-amd64/helm /custom-tools/ + # volumeMounts: + # - mountPath: /custom-tools + # name: custom-tools + # volumeMounts: + # - mountPath: /usr/local/bin/helm + # name: custom-tools + # subPath: helm ## Argo Configs configs: @@ -921,10 +928,11 @@ configs: # Custom secrets. Useful for injecting SSO secrets into environment variables. # Ref: https://argoproj.github.io/argo-cd/operator-manual/sso/ # Note that all values must be non-empty. - extra: {} + extra: + {} # LDAP_PASSWORD: "mypassword" - # Argo TLS Data. + # Argo TLS Data. argocdServerTlsConfig: {} # key: 
diff --git a/charts/argo/Chart.yaml b/charts/argo/Chart.yaml
index 76a5299a..340dc1d4 100644
--- a/charts/argo/Chart.yaml
+++ b/charts/argo/Chart.yaml
@@ -1,8 +1,8 @@
-apiVersion: v1
-appVersion: v2.11.7
+apiVersion: v2
+appVersion: v2.12.3
 description: A Helm chart for Argo Workflows
 name: argo
-version: 0.13.10
+version: 0.15.1
 icon: https://raw.githubusercontent.com/argoproj/argo/master/docs/assets/argo.png
 home: https://github.com/argoproj/argo-helm
 maintainers:
diff --git a/charts/argo/requirements.lock b/charts/argo/requirements.lock
index 39f5ecae..37a55e66 100644
--- a/charts/argo/requirements.lock
+++ b/charts/argo/requirements.lock
@@ -1,6 +1,6 @@
 dependencies:
 - name: minio
- repository: https://kubernetes-charts.storage.googleapis.com/
- version: 5.0.6
-digest: sha256:373b459c6232e9fd4dd86fa0af01e024372f686a0cdfbfed69d3cd41859e8ad4
-generated: "2020-02-06T00:16:52.211425292Z"
+ repository: https://helm.min.io/
+ version: 8.0.9
+digest: sha256:0f43ad0a4b4e9af47615ef3da85054712eb28f154418d96b7b974a095cc19260
+generated: "2021-01-11T15:01:01.169105-08:00"
diff --git a/charts/argo/requirements.yaml b/charts/argo/requirements.yaml
index 869e1975..bd643139 100644
--- a/charts/argo/requirements.yaml
+++ b/charts/argo/requirements.yaml
@@ -1,5 +1,5 @@
 dependencies:
 - name: minio
- version: 5.0.6
- repository: https://kubernetes-charts.storage.googleapis.com/
+ version: 8.0.9
+ repository: https://helm.min.io/
 condition: minio.install
diff --git a/charts/argo/templates/cluster-workflow-template-crd.yaml b/charts/argo/templates/cluster-workflow-template-crd.yaml
index c9c1cb52..be688da3 100644
--- a/charts/argo/templates/cluster-workflow-template-crd.yaml
+++ b/charts/argo/templates/cluster-workflow-template-crd.yaml
@@ -1,5 +1,5 @@
 {{- if .Values.installCRD }}
-apiVersion: apiextensions.k8s.io/v1beta1
+apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 name: clusterworkflowtemplates.argoproj.io
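Review bot: Moving `charts/argo/Chart.yaml` to `apiVersion: v2` while the minio dependency stays in `requirements.yaml` / `requirements.lock` (both updated later in this commit) leaves the chart in a mixed state: Helm documents `Chart.yaml` as the place for dependencies of v2 charts and treats `requirements.yaml` as deprecated. The hunk shows only the first eight lines, so a `dependencies:` block may exist further down, but none is added here. It is worth confirming that `helm dependency build` and the `minio.install` condition still take effect; declaring the entry under `dependencies:` in `Chart.yaml` (name `minio`, version `8.0.9`, repository `https://helm.min.io/`) removes the doubt and keeps the pinned version as the one that is actually resolved.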
diff --git a/charts/argo/templates/cron-workflow-crd.yaml b/charts/argo/templates/cron-workflow-crd.yaml index 8bf36ab3..923abdf2 100644 --- a/charts/argo/templates/cron-workflow-crd.yaml +++ b/charts/argo/templates/cron-workflow-crd.yaml @@ -1,5 +1,5 @@ {{- if .Values.installCRD }} -apiVersion: apiextensions.k8s.io/v1beta1 +apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: cronworkflows.argoproj.io @@ -16,4 +16,4 @@ spec: - cwf scope: Namespaced version: v1alpha1 -{{- end }} \ No newline at end of file +{{- end }} diff --git a/charts/argo/templates/server-cluster-roles.yaml b/charts/argo/templates/server-cluster-roles.yaml index ac51e455..10c730c1 100644 --- a/charts/argo/templates/server-cluster-roles.yaml +++ b/charts/argo/templates/server-cluster-roles.yaml @@ -24,20 +24,46 @@ rules: - list - watch - delete +{{- if .Values.server.sso }} +- apiGroups: + - "" + resources: + - secrets + resourceNames: + - sso + verbs: + - get + - update +- apiGroups: + - "" + resources: + - secrets + verbs: + - create +{{- end}} +{{- if .Values.server.sso }} + {{- if .Values.server.sso.rbac }} - apiGroups: - "" resources: - serviceaccounts verbs: - get + - list + {{- end }} +{{- end }} - apiGroups: - "" resources: - secrets verbs: - get -{{- with .Values.server.rbac.secretWhitelist }} +{{- if .Values.server.sso }} + {{- if .Values.server.sso.rbac }} + {{- with .Values.server.sso.rbac.secretWhitelist }} resourceNames: {{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} {{- end }} - apiGroups: - "" diff --git a/charts/argo/templates/workflow-controller-cluster-roles.yaml b/charts/argo/templates/workflow-controller-cluster-roles.yaml index 976d49f8..e51f5f4b 100644 --- a/charts/argo/templates/workflow-controller-cluster-roles.yaml +++ b/charts/argo/templates/workflow-controller-cluster-roles.yaml 
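Review bot: In `server-cluster-roles.yaml` the `secrets` `get` rule now takes its `resourceNames` only from `.Values.server.sso.rbac.secretWhitelist`, so a release that still sets the old `server.rbac.secretWhitelist` key renders the rule with no `resourceNames` and the server can read every secret the role is bound over, a silent widening on upgrade. Installs without `server.sso` can no longer restrict this rule at all, because the `with` is nested inside both `if` guards. Consider failing the render with a migration message when `server.rbac.secretWhitelist` is still set, and keeping a whitelist option that does not depend on SSO. The added `create` on `secrets` is necessarily unscoped, since `resourceNames` cannot apply to `create`; a comment such as `# create cannot be limited by resourceNames; get/update above are limited to the sso secret` would make that visible to whoever audits the role. The rules list starts and ends outside the hunk.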
@@ -106,6 +106,25 @@ rules:
 verbs:
 - get
 {{- end}}
+- apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - create
+- apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ resourceNames:
+ - workflow-controller
+ - workflow-controller-lease
+ verbs:
+ - get
+ - watch
+ - update
+ - patch
+ - delete
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
diff --git a/charts/argo/templates/workflow-controller-deployment.yaml b/charts/argo/templates/workflow-controller-deployment.yaml
index dda3df94..82b36bf6 100755
--- a/charts/argo/templates/workflow-controller-deployment.yaml
+++ b/charts/argo/templates/workflow-controller-deployment.yaml
@@ -61,6 +61,9 @@ spec:
 fieldRef:
 apiVersion: v1
 fieldPath: metadata.namespace
+ {{- with .Values.controller.extraEnv }}
+ {{ toYaml . | nindent 10 }}
+ {{- end }}
 resources:
 {{- toYaml .Values.controller.resources | nindent 12 }}
 {{- if .Values.controller.metricsConfig.enabled }}
diff --git a/charts/argo/templates/workflow-crd.yaml b/charts/argo/templates/workflow-crd.yaml
index dca2e1bc..44a6fa98 100644
--- a/charts/argo/templates/workflow-crd.yaml
+++ b/charts/argo/templates/workflow-crd.yaml
@@ -1,5 +1,5 @@
 {{- if .Values.installCRD }}
-apiVersion: apiextensions.k8s.io/v1beta1
+apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 name: workflows.argoproj.io
diff --git a/charts/argo/templates/workflow-template-crd.yaml b/charts/argo/templates/workflow-template-crd.yaml
index 55c940d5..757fa098 100644
--- a/charts/argo/templates/workflow-template-crd.yaml
+++ b/charts/argo/templates/workflow-template-crd.yaml
@@ -1,5 +1,5 @@
 {{- if .Values.installCRD }}
-apiVersion: apiextensions.k8s.io/v1beta1
+apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 name: workflowtemplates.argoproj.io
diff --git a/charts/argo/values.yaml b/charts/argo/values.yaml
index 67c9af29..b1491b14 100644
--- a/charts/argo/values.yaml
+++ b/charts/argo/values.yaml
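Review bot: The first added rule in `workflow-controller-cluster-roles.yaml` grants `create` on `leases` with no `resourceNames`, which is unavoidable for `create`, but nothing in the hunk says so and the split into two rules reads like an oversight. A comment above it, e.g. `# create cannot be restricted by resourceNames; the rule below scopes the other verbs to the controller's leases`, would help the next RBAC review. Since the file name suggests a ClusterRole, it is also worth confirming whether the controller needs lease access outside its own namespace; a namespaced Role would narrow it. The rules list starts before the hunk.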
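Review bot: `controller.extraEnv` is rendered verbatim into the controller container in `workflow-controller-deployment.yaml`, and nothing here or in the accompanying values comment steers users away from putting credentials in plain `value:` entries, which then end up in the release's stored values and rendered manifests. The values comment could say that sensitive entries should use `valueFrom.secretKeyRef`. Minor: `{{ toYaml . | nindent 10 }}` lacks the left trim used on the `resources` line just below; `{{- toYaml . | nindent 10 }}` avoids emitting a whitespace-only line. The container spec starts and ends outside the hunk.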
@@ -7,7 +7,7 @@ images: # Secrets with credentials to pull images from a private registry pullSecrets: [] # - name: argo-pull-secret - tag: v2.11.7 + tag: v2.12.3 crdVersion: v1alpha1 installCRD: true @@ -115,6 +115,9 @@ controller: # service type `LoadBalancer` loadBalancerSourceRanges: [] resources: {} + # The list of environment variable definitions to be added to the controller + # manages container verbatim. + extraEnv: [] replicas: 1 pdb: enabled: false @@ -164,9 +167,6 @@ server: serviceType: ClusterIP servicePort: 2746 # servicePortName: http - rbac: - # When present, restricts secrets the server can read to a given list. - secretWhitelist: [] serviceAccount: argo-server # Whether to create the service account with the name specified in # server.serviceAccount and bind it to the server role. @@ -264,6 +264,18 @@ server: # key: client-secret ## The OIDC redirect URL. Should be in the form /oauth2/callback. # redirectUrl: https://argo/oauth2/callback + # rbac: + # enabled: true + ## When present, restricts secrets the server can read to a given list. + ## You can use it to restrict the server to only be able to access the + ## service account token secrets that are associated with service accounts + ## used for authorization. + # secretWhitelist: [] + ## Scopes requested from the SSO ID provider. The 'groups' scope requests + ## group membership information, which is usually used for authorization + ## decisions. + # scopes: + # - groups # Influences the creation of the ConfigMap for the workflow-controller itself. useDefaultArtifactRepo: false diff --git a/scripts/publish.sh b/scripts/publish.sh index be918fe4..016b59f8 100755 --- a/scripts/publish.sh +++ b/scripts/publish.sh 
@@ -6,7 +6,6 @@ GIT_PUSH=${GIT_PUSH:-false} rm -rf $SRCROOT/output && git clone -b gh-pages git@github.com:argoproj/argo-helm.git $SRCROOT/output -helm repo add stable https://kubernetes-charts.storage.googleapis.com helm repo add argoproj https://argoproj.github.io/argo-helm for dir in $(find $SRCROOT/charts -mindepth 1 -maxdepth 1 -type d);