From 31803c05d66b91b0581ffc9e413e2e56c09cb124 Mon Sep 17 00:00:00 2001 From: Emanuel Oliveira Date: Thu, 26 Aug 2021 10:42:47 -0300 Subject: [PATCH] feat(argo-cd): Finalize update to argocd 2.1.0 (#884) Signed-off-by: Emanuel Oliveira Co-authored-by: Mateus Miranda Co-authored-by: Marco Kilchhofer --- charts/argo-cd/Chart.yaml | 7 +- charts/argo-cd/README.md | 4 ++ charts/argo-cd/crds/crd-application.yaml | 41 ++++++++++- charts/argo-cd/templates/NOTES.txt | 6 ++ .../deployment.yaml | 7 ++ ...repository-credentials-secret-legacy.yaml} | 2 +- .../repository-credentials-secret.yaml | 14 ++++ .../argocd-configs/repository-secret.yaml | 14 ++++ charts/argo-cd/values.yaml | 70 +++++++++++++------ 9 files changed, 138 insertions(+), 27 deletions(-) rename charts/argo-cd/templates/{argocd-repo-server/repository-credentials-secret.yaml => argocd-configs/repository-credentials-secret-legacy.yaml} (97%) create mode 100644 charts/argo-cd/templates/argocd-configs/repository-credentials-secret.yaml create mode 100644 charts/argo-cd/templates/argocd-configs/repository-secret.yaml diff --git a/charts/argo-cd/Chart.yaml b/charts/argo-cd/Chart.yaml index ea642649..4392cbe8 100644 --- a/charts/argo-cd/Chart.yaml +++ b/charts/argo-cd/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 appVersion: 2.1.0 description: A Helm chart for ArgoCD, a declarative, GitOps continuous delivery tool for Kubernetes. name: argo-cd -version: 3.16.0 +version: 3.17.0 home: https://github.com/argoproj/argo-helm icon: https://argoproj.github.io/argo-cd/assets/logo.png keywords: 
@@ -21,5 +21,6 @@ dependencies: condition: redis-ha.enabled annotations: artifacthub.io/changes: | - - "[Added]: Service monitor relabelings and metricsRelabelings" - - "[Fixed]: Service monitor interval configuration for all components" + - "[Changed]: Sync CRDs of ArgoCD v2.1.0" + - "[Added]: Enable use of separated secret just for repositories" + - "[Deprecated]: configs.repositoryCredentials is deprecated now. Instead, use configs.credentialTemplates and/or configs.repositories" diff --git a/charts/argo-cd/README.md b/charts/argo-cd/README.md index 57399e5e..d75802b3 100644 --- a/charts/argo-cd/README.md +++ b/charts/argo-cd/README.md @@ -167,6 +167,9 @@ NAME: my-release | configs.secret.createSecret | Create the argocd-secret. | `true` | | configs.secret.githubSecret | GitHub incoming webhook secret | `""` | | configs.secret.gitlabSecret | GitLab incoming webhook secret | `""` | +| configs.repositoryCredentials | DEPRECATED: Instead, use configs.credentialTemplates and/or configs.repositories. | `{}` | +| configs.credentialTemplates | Repository credentials to be used as Templates for other repos. | `{}` | +| configs.repositories | Repositories list to be used by applications. | `{}` | | configs.tlsCertsAnnotations | TLS certificate configmap annotations | `{}` | | configs.tlsCerts.data."argocd.example.com" | TLS certificate | See [values.yaml](values.yaml) | | configs.secret.extra | add additional secrets to be added to argocd-secret | `{}` | 
@@ -301,6 +304,7 @@ NAME: my-release | server.clusterAdminAccess.enabled | Enable RBAC for local cluster deployments. | `true` | | server.configAnnotations | ArgoCD configuration configmap annotations | `{}` | | server.config | [General Argo CD configuration](https://argoproj.github.io/argo-cd/operator-manual/declarative-setup/#repositories) | See [values.yaml](values.yaml) | +| server.config.repositories | [DEPRECATED: Instead, use configs.credentialTemplates and/or configs.repositories.](https://argo-cd.readthedocs.io/en/latest/operator-manual/declarative-setup/#legacy-behaviour) | See [values.yaml](values.yaml) | | server.containerPort | Server container port. | `8080` | | server.extraArgs | Additional arguments for the server. A list of flags. | `[]` | | server.staticAssets.enabled | Disable deprecated flag --staticassets | `false` | diff --git a/charts/argo-cd/crds/crd-application.yaml b/charts/argo-cd/crds/crd-application.yaml index 74364ae4..714b363e 100644 --- a/charts/argo-cd/crds/crd-application.yaml +++ b/charts/argo-cd/crds/crd-application.yaml @@ -267,6 +267,12 @@ spec: type: string description: CommonLabels is a list of additional labels to add to rendered manifests type: object + forceCommonAnnotations: + description: ForceCommonAnnotations specifies whether to force applying common annotations to resources for Kustomize apps + type: boolean + forceCommonLabels: + description: ForceCommonLabels specifies whether to force applying common labels to resources for Kustomize apps + type: boolean images: description: Images is a list of Kustomize image override specifications items: @@ -365,6 +371,10 @@ spec: properties: group: type: string + jqPathExpressions: + items: + type: string + type: array jsonPointers: items: type: string @@ -376,7 +386,6 @@ spec: namespace: type: string required: - - jsonPointers - kind type: object type: array 
@@ -543,6 +552,12 @@ spec: type: string description: CommonLabels is a list of additional labels to add to rendered manifests type: object + forceCommonAnnotations: + description: ForceCommonAnnotations specifies whether to force applying common annotations to resources for Kustomize apps + type: boolean + forceCommonLabels: + description: ForceCommonLabels specifies whether to force applying common labels to resources for Kustomize apps + type: boolean images: description: Images is a list of Kustomize image override specifications items: @@ -838,6 +853,12 @@ spec: type: string description: CommonLabels is a list of additional labels to add to rendered manifests type: object + forceCommonAnnotations: + description: ForceCommonAnnotations specifies whether to force applying common annotations to resources for Kustomize apps + type: boolean + forceCommonLabels: + description: ForceCommonLabels specifies whether toforce applying common labels to resources for Kustomizeapps + type: boolean images: description: Images is a list of Kustomize image override specifications items: @@ -1134,6 +1155,12 @@ spec: type: string description: CommonLabels is a list of additional labels to add to rendered manifests type: object + forceCommonAnnotations: + description: ForceCommonAnnotations specifies whether to force applying common annotations to resources for Kustomize apps + type: boolean + forceCommonLabels: + description: ForceCommonLabels specifies whether to force applying common labels to resources for Kustomize apps + type: boolean images: description: Images is a list of Kustomize image override specifications items: 
@@ -1412,6 +1439,12 @@ spec: type: string description: CommonLabels is a list of additional labels to add to rendered manifests type: object + forceCommonAnnotations: + description: ForceCommonAnnotations specifies whether to force applying common annotations to resources for Kustomize apps + type: boolean + forceCommonLabels: + description: ForceCommonLabels specifies whether to force applying common labels to resources for Kustomize apps + type: boolean images: description: Images is a list of Kustomize image override specifications items: @@ -1687,6 +1720,12 @@ spec: type: string description: CommonLabels is a list of additional labels to add to rendered manifests type: object + forceCommonAnnotations: + description: ForceCommonAnnotations specifies whether to force applying common annotations to resources for Kustomize apps + type: boolean + forceCommonLabels: + description: ForceCommonLabels specifies whether to force applying common labels to resources for Kustomize apps + type: boolean images: description: Images is a list of Kustomize image override specifications items: diff --git a/charts/argo-cd/templates/NOTES.txt b/charts/argo-cd/templates/NOTES.txt index a5f59108..34cdaaca 100644 --- a/charts/argo-cd/templates/NOTES.txt +++ b/charts/argo-cd/templates/NOTES.txt @@ -1,3 +1,9 @@ +{{- if or .Values.configs.repositoryCredentials .Values.server.config.repositories }} +WARNING: You are using configs.repositoryCredentials and/or server.config.repositories parameter that are DEPRECATED +Instead, use configs.repositoryTemplates and/or configs.repositories parameters +Read More about here: https://argo-cd.readthedocs.io/en/latest/operator-manual/declarative-setup/#legacy-behaviour + +{{- end}} In order to access the server UI you have the following options: 1. kubectl port-forward service/{{include "argo-cd.fullname" . }}-server -n {{ .Release.Namespace }} 8080:443 
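Review bot: The deprecation warning added at the top of NOTES.txt tells users to move to `configs.repositoryTemplates`, but the key this commit introduces in README.md, values.yaml and the new template is `configs.credentialTemplates`. A user who follows the message sets a key that no template in this patch reads, so the credential secrets they expect are never created. The line should read `Instead, use configs.credentialTemplates and/or configs.repositories parameters`.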
diff --git a/charts/argo-cd/templates/argocd-application-controller/deployment.yaml b/charts/argo-cd/templates/argocd-application-controller/deployment.yaml index fac40ab7..a75c1af1 100755 --- a/charts/argo-cd/templates/argocd-application-controller/deployment.yaml +++ b/charts/argo-cd/templates/argocd-application-controller/deployment.yaml @@ -48,6 +48,8 @@ spec: - {{ .Values.controller.args.selfHealTimeout | quote }} - --repo-server - {{ template "argo-cd.repoServer.fullname" . }}:{{ .Values.repoServer.service.port }} + - --repo-server-timeout-seconds + - {{ .Values.controller.args.repoServerTimeoutSeconds | quote }} - --logformat - {{ .Values.controller.logFormat }} - --loglevel @@ -93,7 +95,10 @@ spec: timeoutSeconds: {{ .Values.controller.readinessProbe.timeoutSeconds }} successThreshold: {{ .Values.controller.readinessProbe.successThreshold }} failureThreshold: {{ .Values.controller.readinessProbe.failureThreshold }} + workingDir: /home/argocd volumeMounts: + - name: argocd-home + mountPath: /home/argocd - mountPath: /app/config/controller/tls name: argocd-repo-server-tls {{- with .Values.controller.volumeMounts }} @@ -119,6 +124,8 @@ spec: {{ toYaml . | indent 6 }} {{- end }} volumes: + - emptyDir: {} + name: argocd-home - name: argocd-repo-server-tls secret: items: diff --git a/charts/argo-cd/templates/argocd-repo-server/repository-credentials-secret.yaml b/charts/argo-cd/templates/argocd-configs/repository-credentials-secret-legacy.yaml similarity index 97% rename from charts/argo-cd/templates/argocd-repo-server/repository-credentials-secret.yaml rename to charts/argo-cd/templates/argocd-configs/repository-credentials-secret-legacy.yaml index 354e2ca9..a89bedcb 100644 --- a/charts/argo-cd/templates/argocd-repo-server/repository-credentials-secret.yaml +++ b/charts/argo-cd/templates/argocd-configs/repository-credentials-secret-legacy.yaml 
@@ -10,4 +10,4 @@ data: {{- range $key, $value := .Values.configs.repositoryCredentials }} {{ $key }}: {{ $value | b64enc }} {{- end }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/charts/argo-cd/templates/argocd-configs/repository-credentials-secret.yaml b/charts/argo-cd/templates/argocd-configs/repository-credentials-secret.yaml new file mode 100644 index 00000000..fe21917c --- /dev/null +++ b/charts/argo-cd/templates/argocd-configs/repository-credentials-secret.yaml @@ -0,0 +1,14 @@ +{{- range $repo_cred_key, $repo_cred_value := .Values.configs.credentialTemplates }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: argocd-repo-creds-{{ $repo_cred_key }} + labels: + argocd.argoproj.io/secret-type: repo-creds + {{- include "argo-cd.labels" (dict "context" .) | nindent 4 }} +data: + {{- range $key, $value := $repo_cred_value }} + {{ $key }}: {{ $value | toString | b64enc }} + {{- end }} +{{- end }} diff --git a/charts/argo-cd/templates/argocd-configs/repository-secret.yaml b/charts/argo-cd/templates/argocd-configs/repository-secret.yaml new file mode 100644 index 00000000..b42eaefc --- /dev/null +++ b/charts/argo-cd/templates/argocd-configs/repository-secret.yaml @@ -0,0 +1,14 @@ +{{- range $repo_key, $repo_value := .Values.configs.repositories }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: argocd-repo-{{ $repo_key }} + labels: + argocd.argoproj.io/secret-type: repository + {{- include "argo-cd.labels" (dict "context" .) | nindent 4 }} +data: + {{- range $key, $value := $repo_value }} + {{ $key }}: {{ $value | b64enc }} + {{- end }} +{{- end }} diff --git a/charts/argo-cd/values.yaml b/charts/argo-cd/values.yaml index ff23a597..930827d8 100755 --- a/charts/argo-cd/values.yaml +++ b/charts/argo-cd/values.yaml @@ -61,6 +61,7 @@ controller: operationProcessors: "10" appResyncPeriod: "180" selfHealTimeout: "5" + repoServerTimeoutSeconds: "60" ## Argo controller log format: text|json logFormat: text 
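Review bot: In the new repository-credentials-secret.yaml, `range $repo_cred_key, $repo_cred_value := ...` rebinds the dot to the current credential map, so `include "argo-cd.labels" (dict "context" .)` passes the credential values to the helper instead of the chart root. The helper is not visible in this patch, but if it reads `.context.Chart` or `.context.Release`, rendering will fail or produce wrong labels as soon as `configs.credentialTemplates` is non-empty. Use `(dict "context" $)` instead. The same line appears in the new repository-secret.yaml. Secret names are also built directly from the values key (`argocd-repo-creds-{{ $repo_cred_key }}`), so a short comment in values.yaml saying keys must be valid Kubernetes object-name segments would help.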
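Review bot: The data loop in the new repository-secret.yaml uses `{{ $value | b64enc }}`, while the sibling credentials template added in this commit uses `{{ $value | toString | b64enc }}`. Without `toString`, an unquoted number or boolean under `configs.repositories` (compare `githubAppID: 1` in the values.yaml sample) reaches `b64enc` as a non-string, and the Secret is not expected to render. Change the line to `{{ $key }}: {{ $value | toString | b64enc }}` so both templates accept the same value types.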
@@ -101,6 +102,7 @@ controller: # drop: # - all # readOnlyRootFilesystem: true + # runAsNonRoot: true ## Configures the controller port containerPort: 8082 @@ -395,10 +397,8 @@ redis: ## Redis Pod specific security context securityContext: - runAsUser: 1000 - runAsGroup: 1000 - fsGroup: 1000 runAsNonRoot: true + runAsUser: 999 serviceAccount: create: false @@ -696,6 +696,8 @@ server: url: https://argocd.example.com # Argo CD instance label key application.instanceLabelKey: argocd.argoproj.io/instance + + # DEPRECATED: Please instead use configs.credentialTemplates and configs.repositories # repositories: | # - url: git@github.com:group/repo.git # sshPrivateKeySecret: @@ -707,6 +709,7 @@ server: # - type: helm # url: https://argoproj.github.io/argo-helm # name: argo + # oidc.config: | # name: AzureAD # issuer: https://login.microsoftonline.com/TENANT_ID/v2.0 
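Review bot: The redis `securityContext` hunk removes `runAsGroup` and `fsGroup` and leaves only `runAsUser: 999`, so the process's primary group now depends on what the configured redis image defines for that UID. If the image has no matching passwd entry, container runtimes typically fall back to GID 0. If that is not intended, keep the group explicit with `runAsGroup: 999`. The UID change also deserves a line in the chart's `artifacthub.io/changes`, because user overrides written against the old 1000 defaults will no longer match. The redis block continues outside this hunk.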
@@ -1115,25 +1118,48 @@ configs: # +LB9LGh4OAp68ImTjqf6ioGKG0RBSznwME+r4nXtT1S/qLR6ASWUS4ViWRhbRlNK # XWyb96wrUlv+E8I= # -----END CERTIFICATE----- - # Creates a secret with optional repository credentials - repositoryCredentials: - {} - # sample-ssh-key: | - # -----BEGIN RSA PRIVATE KEY----- - # MIICXAIBAAKBgQCcmiVJXGUvL8zqWmRRETbCKgFadtjJ9WDQpSwiZzMiktpYBo0N - # z0cThzGQfWqvdiJYEy72MrKCaSYssV3eHP5zTffk4VBDktNfdl1kgkOpqnh7tQO4 - # nBONRLzcK6KEbKUsmiTbW8Jb4UFYDhyyyveby7y3vYePmaRQIrlEenVfKwIDAQAB - # AoGAbbg+WZjnt9jYzHWKhZX29LDzg8ty9oT6URT4yB3gIOAdJMFqQHuyg8cb/e0x - # O0AcrfK623oHwgEj4vpeFwnfaBdtM5GfH9zaj6pnXV7VZc3oBHrBnHUgFT3NEYUe - # tt6rtatIguBH61Aj/pyij9sOfF0xDj0s1nwFTbdHtZR/31kCQQDIwcVTqhKkDNW6 - # cvdz+Wt3v9x1wNg+VhZhyA/pKILz3+qtn3GogLrQqhpVi+Y7tdvEv9FvgKaCjUp8 - # 6Lfp6dDFAkEAx7HpQbXFdrtcveOi9kosKRDX1PT4zdhB08jAXGlV8jr0jkrZazVM - # hV5rVCuu35Vh6x1fiyGwwiVsqhgWE+KPLwJAWrDemasM/LsnmjDxhJy6ZcBwsWlK - # xu5Q8h9UwLmiXtVayNBsofh1bGpLtzWZ7oN7ImidDkgJ8JQvgDoJS0xrGQJBALPJ - # FkMFnrjtqGqBVkc8shNqyZY90v6oM2OzupO4dht2PpUZCDPAMZtlTWXjSjabbCPc - # NxexBk1UmkdtFftjHxsCQGjG+nhRYH92MsmrbvZyFzgxg9SIOu6xel7D3Dq9l5Le - # XG+bpHPF4SiCpAxthP5WNa17zuvk+CDsMZgZNuhYNMo= - # -----END RSA PRIVATE KEY----- +## # Creates a secret with optional repository credentials +## DEPRECATED: Instead, use configs.credentialTemplates and/or configs.repositories + repositoryCredentials: {} + +## Creates a secret for each key/value specified below to create repository credentials + credentialTemplates: {} + # github-enterprise-creds-1: + # url: https://github.com/argoproj + # githubAppID: 1 + # githubAppInstallationID: 2 + # githubAppEnterpriseBaseUrl: https://ghe.example.com/api/v3 + # githubAppPrivateKey: | + # -----BEGIN OPENSSH PRIVATE KEY----- + # ... 
+ # -----END OPENSSH PRIVATE KEY----- + # https-creds: + # url: https://github.com/argoproj + # password: my-password + # username: my-username + # ssh-creds: + # url: git@github.com:argoproj-labs + # sshPrivateKey: | + # -----BEGIN OPENSSH PRIVATE KEY----- + # ... + # -----END OPENSSH PRIVATE KEY----- + +## Creates a secret for each key/value specified below to create repositories +## Note: the last example in the list would use a repository credential template, configured under "configs.repositoryCredentials". + repositories: {} + # istio-helm-repo: + # url: https://storage.googleapis.com/istio-prerelease/daily-build/master-latest-daily/charts + # name: istio.io + # type: helm + # private-helm-repo: + # url: https://my-private-chart-repo.internal + # name: private-repo + # type: helm + # password: my-password + # username: my-username + # private-repo: + # url: https://github.com/argoproj/private-repo + secret: createSecret: true ## Annotations to be added to argocd-secret
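Review bot: The note above `repositories: {}` says the last example uses a credential template configured under "configs.repositoryCredentials", which is the key this same hunk marks as deprecated. It should point to `configs.credentialTemplates`. The retained comment `## # Creates a secret with optional repository credentials` has a stray `#` and sits at column 0 although the keys it describes are nested under `configs:`. Since `password`, `sshPrivateKey` and `githubAppPrivateKey` are now supplied as plain chart values, consider adding a comment such as `## Values set here are stored with the Helm release; supply them from a protected values source rather than a committed file`.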