DevFW-CICD/argocd-helm
16
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge branch 'main' into argocd-image-updater-limit-label-length

Browse source
This commit is contained in:
Jason Meridth 2023-01-21 05:33:31 -06:00 committed by GitHub
commit 3344d960c7
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
20 changed files with 418 additions and 147 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

125
CONTRIBUTING.md
View file

@ -2,38 +2,87 @@
Argo Helm is a collection of **community maintained** charts. Therefore we rely on you to test your changes sufficiently.
# Pull Requests
## Pull Requests
All submissions, including submissions by project members, require review. We use GitHub pull requests for this purpose. Consult [GitHub Help](https://help.github.com/articles/about-pull-requests/) for more information on using pull requests. See the above stated requirements for PR on this project.
### Pull Request Title Linting
We lint the title of your pull request to ensure it follows the [Conventional Commits](https://www.conventionalcommits.org/en/v1.0.0/) specification. This is done using GitHub actions and the [action-semantic-pull-request](.github/workflows/pr-title.yml) workflow. We require the scope of the change to be included in the title. The scope should be the name of the chart you are changing. For example, if you are changing the `argo-cd` chart, the title of your pull request should be `fix(argo-cd): Fix typo in values.yaml`.
## Documentation
The documentation for each chart is generated with [helm-docs](https://github.com/norwoodj/helm-docs). This way we can ensure that values are consistent with the chart documentation.
We have a script on the repository which will execute the helm-docs docker container, so that you don't have to worry about downloading the binary etc. Simply execute the script (Bash compatible, might require sudo privileges):
```shell
./scripts/helm-docs.sh
```
> **Note**
> When creating your own `README.md.gotmpl`, don't forget to add it to your `.helmignore` file.
### Updating a chart README.md
When updating the `README.md.gotmpl` inside a chart directory you must to run the `helm-docs` script to generate the updated `README.md` file. To reiterate, you should not edit the `README.md` file manually. It will be generated by the following command:
```shell
./scripts/helm-docs.sh
```
> **Note**
> If you see changes to unrelated chart `README.md` files you may have accidentally updated a `README.md.gotmpl` file in another chart's folder unintentionally or someone else failed to run this script. Please revert those changes if you do not intend them to be a part of your pull request.
## Versioning
Each chart's version follows the [semver standard](https://semver.org/). New charts should start at version `1.0.0`, if it's considered stable. If it's not considered stable, it must be released as [prerelease](#prerelease).
Each chart's version follows the [semver standard](https://semver.org/).
New charts should start at version `1.0.0`, if it's considered stable. If it isn't considered stable, it must be released as `prerelease`.
Any breaking changes to a chart (backwards incompatible) require:
* Bump of the current Major version of the chart
* State possible manual changes for this chart version in the `Upgrading` section of the chart's `README.md.gotmpl` ([See Upgrade](#upgrades))
* Bump of the current Major version of the chart
* State possible manual changes for this chart version in the `Upgrading` section of the chart's `README.md.gotmpl`
### New Application Versions
When selecting new application versions ensure you make the following changes:
* `values.yaml`: Bump all instances of the container image version
* `Chart.yaml`: Ensure `appVersion` matches the above container image and bump `version`
Please ensure chart version changes adhere to semantic versioning standards:
* Major: Large chart rewrites, major non-backwards compatible or destructive changes
* Minor: New chart functionality (sidecars), major application updates or minor non-backwards compatible changes
* Patch: App version patch updates, backwards compatible optional chart features
### Immutability
Each release for each chart must be immutable. Any change to a chart (even just documentation) requires a version bump. Trying to release the same version twice will result in an error.
### Chart Versioning
Currently we require a chart version bump for every change to a chart, including updating information for older verions. This may change in the future.
### Artifact Hub Annotations
Since we release our charts on Artifact Hub we encourage making use of the provided chart annotations for Artifact Hub.
* [https://artifacthub.io/docs/topics/annotations/helm/](https://artifacthub.io/docs/topics/annotations/helm/)
* [https://artifacthub.io/docs/topics/annotations/helm/](https://artifacthub.io/docs/topics/annotations/helm/)
#### Changelog
We want to deliver transparent chart releases for our chart consumers. Therefore we require a changelog per new chart release.
Changes on a chart must be documented in a chart specific changelog in the `Chart.yaml` [Annotation Section](https://helm.sh/docs/topics/charts/#the-chartyaml-file). For every new release the entire `artifacthub.io/changes` needs to be rewritten. Each change requires a new bullet point following the pattern `- "[{type}]: {description}"`. You can use the following template:
Changes on a chart must be documented in a chart specific changelog in the `Chart.yaml` [Annotation Section](https://helm.sh/docs/topics/charts/#the-chartyaml-file).
```
A new `artifacthub.io/changes` needs to be written covering only the changes since the previous release.
Each change requires a new bullet point following the pattern `- "[{type}]: {description}"`. You can use the following template:
```yaml
name: argo-cd
version: 3.4.1
...
@ -45,67 +94,54 @@ annotations:
- "[Deprecated]: Something deprecated"
- "[Removed]: Something was removed"
- "[Fixed]: Something was fixed"
- "[Security]": Some Security Patch was included"
- "[Security]: Some Security Patch was included"
```
## Documentation
## Testing
The documentation for each chart is done with [helm-docs](https://github.com/norwoodj/helm-docs). This way we can ensure that values are consistent with the chart documentation.
We have a script on the repository which will execute the helm-docs docker container, so that you don't have to worry about downloading the binary etc. Simply execute the script (Bash compatible, might require sudo privileges):
```
bash scripts/helm-docs.sh
```
**NOTE**: When creating your own `README.md.gotmpl`, don't forget to add it to your `.helmignore` file.
# Testing
## Testing Argo Workflows Changes
### Testing Argo Workflows Changes
Minimally:
```
```shell
helm install charts/argo-workflows -n argo
argo version
```
Follow this instructions for running a hello world workflow.
## Testing Argo CD Changes
### Testing Argo CD Changes
Clean-up:
```
```shell
helm delete argo-cd --purge
kubectl delete crd -l app.kubernetes.io/part-of=argocd
```
Pre-requisites:
```
```shell
helm repo add redis-ha https://dandydeveloper.github.io/charts/
helm dependency update
```
Minimally:
```
```shell
helm install argocd argo/argo-cd -n argocd --create-namespace
kubectl port-forward service/argo-cd-argocd-server -n argocd 8080:443
```
In a new terminal:
```
```shell
argocd version --server localhost:8080 --insecure
# reset password to 'Password1!'
kubectl -n argocd patch secret argocd-secret \
-p '{"stringData": {
"admin.password": "$2a$10$hDj12Tw9xVmvybSahN1Y0.f9DZixxN8oybyA32Uy/eqWklFU4Mo8O",
"admin.passwordMtime": "'$(date +%FT%T%Z)'"
"admin.password": "$2a$10$hDj12Tw9xVmvybSahN1Y0.f9DZixxN8oybyA32Uy/eqWklFU4Mo8O",
"admin.passwordMtime": "'$(date +%FT%T%Z)'"
}}'
argocd login localhost:8080 --username admin --password 'Password1!'
@ -114,38 +150,25 @@ argocd login localhost:8080 --username admin --password 'Password1!'
Create and sync app:
```
```shell
argocd app create guestbook --dest-namespace default --dest-server https://kubernetes.default.svc --path guestbook --project default --repo https://github.com/argoproj/argocd-example-apps.git
argocd app sync guestbook
```
## New Application Versions
When raising application versions ensure you make the following changes:
- `values.yaml`: Bump all instances of the container image version
- `Chart.yaml`: Ensure `appVersion` matches the above container image and bump `version`
Please ensure chart version changes adhere to semantic versioning standards:
- Patch: App version patch updates, backwards compatible optional chart features
- Minor: New chart functionality (sidecars), major application updates or minor non-backwards compatible changes
- Major: Large chart rewrites, major non-backwards compatible or destructive changes
## Testing Charts
### Testing Charts
As part of the Continuous Integration system we run Helm's [Chart Testing](https://github.com/helm/chart-testing) tool.
The checks for this tool are stricter than the standard Helm requirements, where fields normally considered optional like `maintainer` are required in the standard spec and must be valid GitHub usernames.
The checks for Chart Testing are stricter than the standard Helm requirements. For example, fields normally considered optional like `maintainer` are required in the standard spec and must be valid GitHub usernames.
Linting configuration can be found in [ct-lint.yaml](./.github/configs/ct-lint.yaml)
The linting can be invoked manually with the following command:
```
```shell
./scripts/lint.sh
```
## Publishing Changes
Changes are automatically publish whenever a commit is merged to main. The CI job (see `./.github/workflows/publish.yml`).
Changes are automatically publish whenever a commit is merged to the `main` branch by the CI job (see `./.github/workflows/publish.yml`).

6
charts/argo-cd/Chart.yaml
View file

@ -3,7 +3,7 @@ appVersion: v2.5.7
kubeVersion: ">=1.22.0-0"
description: A Helm chart for Argo CD, a declarative, GitOps continuous delivery tool for Kubernetes.
name: argo-cd
version: 5.17.4
version: 5.19.0
home: https://github.com/argoproj/argo-helm
icon: https://argo-cd.readthedocs.io/en/stable/assets/logo.png
sources:
@ -23,4 +23,6 @@ dependencies:
condition: redis-ha.enabled
annotations:
artifacthub.io/changes: |
- "[Changed]: Update Argo CD extensions to v0.2.1"
- "[Added]: Option configs.ssh.extraHosts that allows to keep original SSH known list"
- "[Changed]: Option configs.knownHosts deprecated as moved to configs.ssh"
- "[Changed]: Option configs.tlsCerts deprecated as moved to configs.tls"

20
charts/argo-cd/README.md
View file

@ -105,14 +105,20 @@ For full list of changes please check ArtifactHub [changelog].
Highlighted versions provide information about additional steps that should be performed by user when upgrading to newer version.
### 5.19.0
This version consolidates config for custom repository TLS certificates and SSH known hosts. If you provide this values please move them into new `configs.ssh` and `configs.tls` sections.
You can also use new option `configs.ssh.extraHosts` to configure your SSH keys without maintaing / overwritting keys for public Git repositories.
### 5.13.0
This version reduces history limit for Argo CD deployment replicas to 3 to provide more visibility for Argo CD deployments that manage itself. If you need more deployment revisions for rollbacks set `global.revisionHistoryLimit` parameter.
### 5.12.0
This version deprecates the `configs.secret.argocdServerTlsConfig` option. Use `server.certificate` or `server.certificateSecret` to provide custom TLS configuration for Argo CD server.
If you terminate TLS on ingress please use `argocd-server-tls` secret instead of `argocd-secret` secret.
If Argo CD is managing termination of TLS and you are using `configs.secret.argocdServerTlsConfig` option to provide custom TLS configuration for this chart, please use `server.certificate` or `server.certificateSecret` instead.
For the secrets for tls termination, please use a secret named `argocd-server-tls` instead of `argocd-secret`.
For the technical details please check the [Argo CD documentation](https://argo-cd.readthedocs.io/en/stable/operator-manual/tls/#tls-certificates-used-by-argocd-server). When transitioning from the one secret to the other pay attention to `tls.key` and `tls.crt` keys.
### 5.10.0
@ -409,8 +415,6 @@ NAME: my-release
| configs.credentialTemplatesAnnotations | object | `{}` | Annotations to be added to `configs.credentialTemplates` Secret |
| configs.gpg.annotations | object | `{}` | Annotations to be added to argocd-gpg-keys-cm configmap |
| configs.gpg.keys | object | `{}` (See [values.yaml]) | [GnuPG] public keys to add to the keyring |
| configs.knownHosts.data.ssh_known_hosts | string | See [values.yaml] | Known Hosts |
| configs.knownHostsAnnotations | object | `{}` | Known Hosts configmap annotations |
| configs.params."controller.operation.processors" | int | `10` | Number of application operation processors |
| configs.params."controller.repo.server.timeout.seconds" | int | `60` | Repo server RPC call timeout seconds. |
| configs.params."controller.self.heal.timeout.seconds" | int | `5` | Specifies timeout between application self heal attempts |
@ -442,9 +446,13 @@ NAME: my-release
| configs.secret.githubSecret | string | `""` | Shared secret for authenticating GitHub webhook events |
| configs.secret.gitlabSecret | string | `""` | Shared secret for authenticating GitLab webhook events |
| configs.secret.gogsSecret | string | `""` | Shared secret for authenticating Gogs webhook events |
| configs.secret.labels | object | `{}` | Labels to be added to argocd-secret |
| configs.ssh.annotations | object | `{}` | Annotations to be added to argocd-ssh-known-hosts-cm configmap |
| configs.ssh.extraHosts | string | `""` | Additional known hosts for private repositories |
| configs.ssh.knownHosts | string | See [values.yaml] | Known hosts to be added to the known host list by default. |
| configs.styles | string | `""` (See [values.yaml]) | Define custom [CSS styles] for your argo instance. This setting will automatically mount the provided CSS and reference it in the argo configuration. |
| configs.tlsCerts | object | See [values.yaml] | TLS certificate |
| configs.tlsCertsAnnotations | object | `{}` | TLS certificate configmap annotations |
| configs.tls.annotations | object | `{}` | Annotations to be added to argocd-tls-certs-cm configmap |
| configs.tls.certificates | object | `{}` (See [values.yaml]) | TLS certificates for Git repositories |
## Argo CD Controller

10
charts/argo-cd/README.md.gotmpl
View file

@ -104,14 +104,20 @@ For full list of changes please check ArtifactHub [changelog].
Highlighted versions provide information about additional steps that should be performed by user when upgrading to newer version.
### 5.19.0
This version consolidates config for custom repository TLS certificates and SSH known hosts. If you provide this values please move them into new `configs.ssh` and `configs.tls` sections.
You can also use new option `configs.ssh.extraHosts` to configure your SSH keys without maintaing / overwritting keys for public Git repositories.
### 5.13.0
This version reduces history limit for Argo CD deployment replicas to 3 to provide more visibility for Argo CD deployments that manage itself. If you need more deployment revisions for rollbacks set `global.revisionHistoryLimit` parameter.
### 5.12.0
This version deprecates the `configs.secret.argocdServerTlsConfig` option. Use `server.certificate` or `server.certificateSecret` to provide custom TLS configuration for Argo CD server.
If you terminate TLS on ingress please use `argocd-server-tls` secret instead of `argocd-secret` secret.
If Argo CD is managing termination of TLS and you are using `configs.secret.argocdServerTlsConfig` option to provide custom TLS configuration for this chart, please use `server.certificate` or `server.certificateSecret` instead.
For the secrets for tls termination, please use a secret named `argocd-server-tls` instead of `argocd-secret`.
For the technical details please check the [Argo CD documentation](https://argo-cd.readthedocs.io/en/stable/operator-manual/tls/#tls-certificates-used-by-argocd-server). When transitioning from the one secret to the other pay attention to `tls.key` and `tls.crt` keys.
### 5.10.0

12
charts/argo-cd/templates/NOTES.txt
View file

@ -64,6 +64,18 @@ DEPRECATED option .server.clusterAdminAccess.enabled - Use createClusterRoles
{{- if hasKey (.Values.repoServer.clusterAdminAccess | default dict) "enabled" }}
DEPRECATED option .server.clusterAdminAccess.enabled - Use createClusterRoles
{{- end }}
{{- if .Values.configs.knownHostsAnnotations }}
DEPRECATED option configs.knownHostsAnnotations - Use configs.ssh.annotations
{{- end }}
{{- if hasKey .Values.configs "knownHosts" }}
DEPRECATED option configs.knownHosts.data.ssh_known_hosts - Use configs.ssh.knownHosts
{{- end }}
{{- if .Values.configs.tlsCertsAnnotations }}
DEPRECATED option configs.tlsCertsAnnotations - Use configs.tls.annotations
{{- end }}
{{- if hasKey .Values.configs "tlsCerts" }}
DEPRECATED option configs.tlsCerts.data - Use configs.tls.certificates
{{- end }}
{{- if .Values.controller.service }}
REMOVED option controller.service - Use controller.metrics
{{- end }}

3
charts/argo-cd/templates/argocd-configs/argocd-secret.yaml
View file

@ -5,6 +5,9 @@ metadata:
name: argocd-secret
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.server.name "name" "secret") | nindent 4 }}
{{- with .Values.configs.secret.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.configs.secret.annotations }}
annotations:
{{- range $key, $value := . }}

15
charts/argo-cd/templates/argocd-configs/argocd-ssh-known-hosts-cm.yaml
View file

@ -3,11 +3,20 @@ kind: ConfigMap
metadata:
name: argocd-ssh-known-hosts-cm
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.server.name "name" "ssh-known-hosts-cm") | nindent 4 }}
{{- with .Values.configs.knownHostsAnnotations }}
{{- include "argo-cd.labels" (dict "context" . "name" "ssh-known-hosts-cm") | nindent 4 }}
{{- with (mergeOverwrite (deepCopy .Values.configs.ssh.annotations) (.Values.configs.knownHostsAnnotations | default dict)) -}}
annotations:
{{- range $key, $value := . }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
{{- toYaml .Values.configs.knownHosts | nindent 0 }}
data:
ssh_known_hosts: |
{{- if hasKey .Values.configs "knownHosts" }}
{{- .Values.configs.knownHosts.data.ssh_known_hosts | nindent 4 }}
{{- else }}
{{- .Values.configs.ssh.knownHosts | nindent 4 }}
{{- end }}
{{- with .Values.configs.ssh.extraHosts }}
{{- . | nindent 4 }}
{{- end }}

15
charts/argo-cd/templates/argocd-configs/argocd-tls-certs-cm.yaml
View file

@ -3,13 +3,20 @@ kind: ConfigMap
metadata:
name: argocd-tls-certs-cm
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.server.name "name" "tls-certs-cm") | nindent 4 }}
{{- with .Values.configs.tlsCertsAnnotations }}
{{- include "argo-cd.labels" (dict "context" . "name" "tls-certs-cm") | nindent 4 }}
{{- with (mergeOverwrite (deepCopy .Values.configs.ssh.annotations) (.Values.configs.tlsCertsAnnotations | default dict)) -}}
annotations:
{{- range $key, $value := . }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
{{- with .Values.configs.tlsCerts }}
{{- toYaml . | nindent 0 }}
{{- if hasKey .Values.configs "tlsCerts" }}
{{- with .Values.configs.tlsCerts }}
{{- toYaml . | nindent 0 }}
{{- end }}
{{- else }}
{{- with .Values.configs.tls.certificates }}
data:
{{- toYaml . | nindent 2 }}
{{- end }}
{{- end }}

104
charts/argo-cd/values.yaml
View file

@ -254,6 +254,41 @@ configs:
# ...
# -----END PGP PUBLIC KEY BLOCK-----
# SSH known hosts for Git repositories
## Ref: https://argo-cd.readthedocs.io/en/stable/operator-manual/declarative-setup/#ssh-known-host-public-keys
ssh:
# -- Annotations to be added to argocd-ssh-known-hosts-cm configmap
annotations: {}
# -- Known hosts to be added to the known host list by default.
# @default -- See [values.yaml]
knownHosts: |
bitbucket.org ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAubiN81eDcafrgMeLzaFPsw2kNvEcqTKl/VqLat/MaB33pZy0y3rJZtnqwR2qOOvbwKZYKiEO1O6VqNEBxKvJJelCq0dTXWT5pbO2gDXC6h6QDXCaHo6pOHGPUy+YBaGQRGuSusMEASYiWunYN0vCAI8QaXnWMXNMdFP3jHAJH0eDsoiGnLPBlBp4TNm6rYI74nMzgz3B9IikW4WVK+dc8KZJZWYjAuORU3jc1c/NPskD2ASinf8v3xnfXeukU0sJ5N6m5E8VLjObPEO+mN2t/FZTMZLiFqPWc/ALSqnMnnhwrNi2rbfg/rd/IpL8Le3pSBne8+seeFVBoGqzHM9yXw==
github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=
github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl
github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
gitlab.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFSMqzJeV9rUzU4kWitGjeR4PWSa29SPqJ1fVkhtj3Hw9xjLVXVYrU9QlYWrOLXBpQ6KWjbjTDTdDkoohFzgbEY=
gitlab.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf
gitlab.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsj2bNKTBSpIYDEGk9KxsGh3mySTRgMtXL583qmBpzeQ+jqCMRgBqB98u3z++J1sKlXHWfM9dyhSevkMwSbhoR8XIq/U0tCNyokEi/ueaBMCvbcTHhO7FcwzY92WK4Yt0aGROY5qX2UKSeOvuP4D6TPqKF1onrSzH9bx9XUf2lEdWT/ia1NEKjunUqu1xOB/StKDHMoX4/OKyIzuS0q/T1zOATthvasJFoPrAjkohTyaDUz2LN5JoH839hViyEG82yB+MjcFV5MU3N1l1QL3cVUCh93xSaua1N85qivl+siMkPGbO5xR/En4iEY6K2XPASUEMaieWVNTRCtJ4S8H+9
ssh.dev.azure.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7Hr1oTWqNqOlzGJOfGJ4NakVyIzf1rXYd4d7wo6jBlkLvCA4odBlL0mDUyZ0/QUfTTqeu+tm22gOsv+VrVTMk6vwRU75gY/y9ut5Mb3bR5BV58dKXyq9A9UeB5Cakehn5Zgm6x1mKoVyf+FFn26iYqXJRgzIZZcZ5V6hrE0Qg39kZm4az48o0AUbf6Sp4SLdvnuMa2sVNwHBboS7EJkm57XQPVU3/QpyNLHbWDdzwtrlS+ez30S3AdYhLKEOxAG8weOnyrtLJAUen9mTkol8oII1edf7mWWbWVf0nBmly21+nZcmCTISQBtdcyPaEno7fFQMDD26/s0lfKob4Kw8H
vs-ssh.visualstudio.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7Hr1oTWqNqOlzGJOfGJ4NakVyIzf1rXYd4d7wo6jBlkLvCA4odBlL0mDUyZ0/QUfTTqeu+tm22gOsv+VrVTMk6vwRU75gY/y9ut5Mb3bR5BV58dKXyq9A9UeB5Cakehn5Zgm6x1mKoVyf+FFn26iYqXJRgzIZZcZ5V6hrE0Qg39kZm4az48o0AUbf6Sp4SLdvnuMa2sVNwHBboS7EJkm57XQPVU3/QpyNLHbWDdzwtrlS+ez30S3AdYhLKEOxAG8weOnyrtLJAUen9mTkol8oII1edf7mWWbWVf0nBmly21+nZcmCTISQBtdcyPaEno7fFQMDD26/s0lfKob4Kw8H
# -- Additional known hosts for private repositories
extraHosts: ''
# Repository TLS certificates
# Ref: https://argo-cd.readthedocs.io/en/stable/operator-manual/declarative-setup/#repositories-using-self-signed-tls-certificates-or-are-signed-by-custom-ca
tls:
# -- Annotations to be added to argocd-tls-certs-cm configmap
annotations: {}
# -- TLS certificates for Git repositories
# @default -- `{}` (See [values.yaml])
certificates: {}
# server.example.com: |
# -----BEGIN CERTIFICATE-----
# ...
# -----END CERTIFICATE-----
# -- Provide one or multiple [external cluster credentials]
# @default -- `[]` (See [values.yaml])
@ -282,64 +317,15 @@ configs:
# insecure: false
# caData: "<base64 encoded certificate>"
# -- Known Hosts configmap annotations
knownHostsAnnotations: {}
knownHosts:
data:
# -- Known Hosts
# @default -- See [values.yaml]
ssh_known_hosts: |
bitbucket.org ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAubiN81eDcafrgMeLzaFPsw2kNvEcqTKl/VqLat/MaB33pZy0y3rJZtnqwR2qOOvbwKZYKiEO1O6VqNEBxKvJJelCq0dTXWT5pbO2gDXC6h6QDXCaHo6pOHGPUy+YBaGQRGuSusMEASYiWunYN0vCAI8QaXnWMXNMdFP3jHAJH0eDsoiGnLPBlBp4TNm6rYI74nMzgz3B9IikW4WVK+dc8KZJZWYjAuORU3jc1c/NPskD2ASinf8v3xnfXeukU0sJ5N6m5E8VLjObPEO+mN2t/FZTMZLiFqPWc/ALSqnMnnhwrNi2rbfg/rd/IpL8Le3pSBne8+seeFVBoGqzHM9yXw==
github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=
github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl
github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
gitlab.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFSMqzJeV9rUzU4kWitGjeR4PWSa29SPqJ1fVkhtj3Hw9xjLVXVYrU9QlYWrOLXBpQ6KWjbjTDTdDkoohFzgbEY=
gitlab.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf
gitlab.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsj2bNKTBSpIYDEGk9KxsGh3mySTRgMtXL583qmBpzeQ+jqCMRgBqB98u3z++J1sKlXHWfM9dyhSevkMwSbhoR8XIq/U0tCNyokEi/ueaBMCvbcTHhO7FcwzY92WK4Yt0aGROY5qX2UKSeOvuP4D6TPqKF1onrSzH9bx9XUf2lEdWT/ia1NEKjunUqu1xOB/StKDHMoX4/OKyIzuS0q/T1zOATthvasJFoPrAjkohTyaDUz2LN5JoH839hViyEG82yB+MjcFV5MU3N1l1QL3cVUCh93xSaua1N85qivl+siMkPGbO5xR/En4iEY6K2XPASUEMaieWVNTRCtJ4S8H+9
ssh.dev.azure.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7Hr1oTWqNqOlzGJOfGJ4NakVyIzf1rXYd4d7wo6jBlkLvCA4odBlL0mDUyZ0/QUfTTqeu+tm22gOsv+VrVTMk6vwRU75gY/y9ut5Mb3bR5BV58dKXyq9A9UeB5Cakehn5Zgm6x1mKoVyf+FFn26iYqXJRgzIZZcZ5V6hrE0Qg39kZm4az48o0AUbf6Sp4SLdvnuMa2sVNwHBboS7EJkm57XQPVU3/QpyNLHbWDdzwtrlS+ez30S3AdYhLKEOxAG8weOnyrtLJAUen9mTkol8oII1edf7mWWbWVf0nBmly21+nZcmCTISQBtdcyPaEno7fFQMDD26/s0lfKob4Kw8H
vs-ssh.visualstudio.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7Hr1oTWqNqOlzGJOfGJ4NakVyIzf1rXYd4d7wo6jBlkLvCA4odBlL0mDUyZ0/QUfTTqeu+tm22gOsv+VrVTMk6vwRU75gY/y9ut5Mb3bR5BV58dKXyq9A9UeB5Cakehn5Zgm6x1mKoVyf+FFn26iYqXJRgzIZZcZ5V6hrE0Qg39kZm4az48o0AUbf6Sp4SLdvnuMa2sVNwHBboS7EJkm57XQPVU3/QpyNLHbWDdzwtrlS+ez30S3AdYhLKEOxAG8weOnyrtLJAUen9mTkol8oII1edf7mWWbWVf0nBmly21+nZcmCTISQBtdcyPaEno7fFQMDD26/s0lfKob4Kw8H
# -- TLS certificate configmap annotations
tlsCertsAnnotations: {}
# -- TLS certificate
# @default -- See [values.yaml]
tlsCerts:
{}
# data:
# argocd.example.com: |
# -----BEGIN CERTIFICATE-----
# MIIF1zCCA7+gAwIBAgIUQdTcSHY2Sxd3Tq/v1eIEZPCNbOowDQYJKoZIhvcNAQEL
# BQAwezELMAkGA1UEBhMCREUxFTATBgNVBAgMDExvd2VyIFNheG9ueTEQMA4GA1UE
# BwwHSGFub3ZlcjEVMBMGA1UECgwMVGVzdGluZyBDb3JwMRIwEAYDVQQLDAlUZXN0
# c3VpdGUxGDAWBgNVBAMMD2Jhci5leGFtcGxlLmNvbTAeFw0xOTA3MDgxMzU2MTda
# Fw0yMDA3MDcxMzU2MTdaMHsxCzAJBgNVBAYTAkRFMRUwEwYDVQQIDAxMb3dlciBT
# YXhvbnkxEDAOBgNVBAcMB0hhbm92ZXIxFTATBgNVBAoMDFRlc3RpbmcgQ29ycDES
# MBAGA1UECwwJVGVzdHN1aXRlMRgwFgYDVQQDDA9iYXIuZXhhbXBsZS5jb20wggIi
# MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCv4mHMdVUcafmaSHVpUM0zZWp5
# NFXfboxA4inuOkE8kZlbGSe7wiG9WqLirdr39Ts+WSAFA6oANvbzlu3JrEQ2CHPc
# CNQm6diPREFwcDPFCe/eMawbwkQAPVSHPts0UoRxnpZox5pn69ghncBR+jtvx+/u
# P6HdwW0qqTvfJnfAF1hBJ4oIk2AXiip5kkIznsAh9W6WRy6nTVCeetmIepDOGe0G
# ZJIRn/OfSz7NzKylfDCat2z3EAutyeT/5oXZoWOmGg/8T7pn/pR588GoYYKRQnp+
# YilqCPFX+az09EqqK/iHXnkdZ/Z2fCuU+9M/Zhrnlwlygl3RuVBI6xhm/ZsXtL2E
# Gxa61lNy6pyx5+hSxHEFEJshXLtioRd702VdLKxEOuYSXKeJDs1x9o6cJ75S6hko
# Ml1L4zCU+xEsMcvb1iQ2n7PZdacqhkFRUVVVmJ56th8aYyX7KNX6M9CD+kMpNm6J
# kKC1li/Iy+RI138bAvaFplajMF551kt44dSvIoJIbTr1LigudzWPqk31QaZXV/4u
# kD1n4p/XMc9HYU/was/CmQBFqmIZedTLTtK7clkuFN6wbwzdo1wmUNgnySQuMacO
# gxhHxxzRWxd24uLyk9Px+9U3BfVPaRLiOPaPoC58lyVOykjSgfpgbus7JS69fCq7
# bEH4Jatp/10zkco+UQIDAQABo1MwUTAdBgNVHQ4EFgQUjXH6PHi92y4C4hQpey86
# r6+x1ewwHwYDVR0jBBgwFoAUjXH6PHi92y4C4hQpey86r6+x1ewwDwYDVR0TAQH/
# BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAgEAFE4SdKsX9UsLy+Z0xuHSxhTd0jfn
# Iih5mtzb8CDNO5oTw4z0aMeAvpsUvjJ/XjgxnkiRACXh7K9hsG2r+ageRWGevyvx
# CaRXFbherV1kTnZw4Y9/pgZTYVWs9jlqFOppz5sStkfjsDQ5lmPJGDii/StENAz2
# XmtiPOgfG9Upb0GAJBCuKnrU9bIcT4L20gd2F4Y14ccyjlf8UiUi192IX6yM9OjT
# +TuXwZgqnTOq6piVgr+FTSa24qSvaXb5z/mJDLlk23npecTouLg83TNSn3R6fYQr
# d/Y9eXuUJ8U7/qTh2Ulz071AO9KzPOmleYPTx4Xty4xAtWi1QE5NHW9/Ajlv5OtO
# OnMNWIs7ssDJBsB7VFC8hcwf79jz7kC0xmQqDfw51Xhhk04kla+v+HZcFW2AO9so
# 6ZdVHHQnIbJa7yQJKZ+hK49IOoBR6JgdB5kymoplLLiuqZSYTcwSBZ72FYTm3iAr
# jzvt1hxpxVDmXvRnkhRrIRhK4QgJL0jRmirBjDY+PYYd7bdRIjN7WNZLFsgplnS8
# 9w6CwG32pRlm0c8kkiQ7FXA6BYCqOsDI8f1VGQv331OpR2Ck+FTv+L7DAmg6l37W
# +LB9LGh4OAp68ImTjqf6ioGKG0RBSznwME+r4nXtT1S/qLR6ASWUS4ViWRhbRlNK
# XWyb96wrUlv+E8I=
# -----END CERTIFICATE-----
# DEPRECATED - Moved to configs.ssh.annotations
# knownHostsAnnotations: {}
# DEPRECATED - Moved to configs.ssh.knownHosts
# knownHosts: {}
# DEPRECATED - Moved to configs.tls.annotations
# tlsCertsAnnotations: {}
# DEPRECATED - Moved to configs.tls.certificates
# tlsCerts: {}
# -- Repository credentials to be used as Templates for other repos
## Creates a secret for each key/value specified below to create repository credentials
@ -392,6 +378,8 @@ configs:
secret:
# -- Create the argocd-secret
createSecret: true
# -- Labels to be added to argocd-secret
labels: {}
# -- Annotations to be added to argocd-secret
annotations: {}

7
charts/argo-rollouts/Chart.yaml
View file

@ -1,8 +1,8 @@
apiVersion: v2
appVersion: v1.3.1
appVersion: v1.4.0
description: A Helm chart for Argo Rollouts
name: argo-rollouts
version: 2.21.3
version: 2.22.1
home: https://github.com/argoproj/argo-helm
icon: https://argoproj.github.io/argo-rollouts/assets/logo.png
keywords:
@ -15,5 +15,4 @@ maintainers:
url: https://argoproj.github.io/
annotations:
artifacthub.io/changes: |
- "[Fixed]: avoid app.kubernetes.io/version kubernetes label from exceeding maximum length (63)"
- "[Fixed]: generated value for app.kubernetes.io/version label is now valid even when defining a controller.image.tag with a SHA digest"
- "[Added]: Flags to toggle provider-specific RBAC rules in Role and ClusterRole"

8
charts/argo-rollouts/README.md
View file

@ -55,6 +55,14 @@ If dashboard is installed by `--set dashboard.enabled=true`, checkout the argo-r
| notifications.secret.items | object | `{}` | Generic key:value pairs to be inserted into the notifications secret |
| notifications.templates | object | `{}` | Notification templates |
| notifications.triggers | object | `{}` | The trigger defines the condition when the notification should be sent |
| providerRBAC.enabled | bool | `true` | Toggles addition of provider-specific RBAC rules to the controller Role and ClusterRole |
| providerRBAC.providers.ambassador | bool | `true` | Adds RBAC rules for the Ambassador provider |
| providerRBAC.providers.apisix | bool | `true` | Adds RBAC rules for the Apisix provider |
| providerRBAC.providers.awsAppMesh | bool | `true` | Adds RBAC rules for the AWS App Mesh provider |
| providerRBAC.providers.awsLoadBalancerController | bool | `true` | Adds RBAC rules for the AWS Load Balancer Controller provider |
| providerRBAC.providers.istio | bool | `true` | Adds RBAC rules for the Istio provider |
| providerRBAC.providers.smi | bool | `true` | Adds RBAC rules for the SMI provider |
| providerRBAC.providers.traefik | bool | `true` | Adds RBAC rules for the Traefik provider |
### Controller

42
charts/argo-rollouts/templates/controller/clusterrole.yaml
View file

@ -89,7 +89,7 @@ rules:
- create
- get
- update
# secret access to run analysis templates which reference secrets, allow init containers to manipulate secrets
# secret read access to run analysis templates which reference secrets
- apiGroups:
- ""
resources:
@ -99,9 +99,6 @@ rules:
- get
- list
- watch
- create
- patch
- update
# pod list/update needed for updating ephemeral data
- apiGroups:
- ""
@ -110,6 +107,7 @@ rules:
verbs:
- list
- update
- watch
# pods eviction needed for restart
- apiGroups:
- ""
@ -151,6 +149,8 @@ rules:
- update
- patch
- delete
{{- if .Values.providerRBAC.enabled }}
{{- if .Values.providerRBAC.providers.istio }}
# virtualservice/destinationrule access needed for using the Istio provider
- apiGroups:
- networking.istio.io
@ -163,6 +163,8 @@ rules:
- update
- patch
- list
{{- end }}
{{- if .Values.providerRBAC.providers.smi }}
# trafficsplit access needed for using the SMI provider
- apiGroups:
- split.smi-spec.io
@ -174,6 +176,8 @@ rules:
- get
- update
- patch
{{- end }}
{{- if .Values.providerRBAC.providers.ambassador }}
# ambassador access needed for Ambassador provider
- apiGroups:
- getambassador.io
@ -188,7 +192,9 @@ rules:
- update
- list
- delete
# Endpoints and TargetGroupBindings needed for ALB target group verification
{{- end }}
{{- if .Values.providerRBAC.providers.awsLoadBalancerController }}
# Endpoints and TargetGroupBindings needed for ALB target group verification when using AWS Load Balancer Controller
- apiGroups:
- ""
resources:
@ -202,6 +208,8 @@ rules:
verbs:
- list
- get
{{- end }}
{{- if .Values.providerRBAC.providers.awsAppMesh }}
# AppMesh virtualservices/virtualrouter CRD read-only access needed for using the App Mesh provider
- apiGroups:
- appmesh.k8s.aws
@ -224,3 +232,27 @@ rules:
- update
- patch
{{- end }}
{{- if .Values.providerRBAC.providers.traefik }}
# Traefik access needed when using the Traefik provider
- apiGroups:
- traefik.containo.us
resources:
- traefikservices
verbs:
- watch
- get
- update
{{- end }}
{{- if .Values.providerRBAC.providers.apisix }}
# Access needed when using the Apisix provider
- apiGroups:
- apisix.apache.org
resources:
- apisixroutes
verbs:
- watch
- get
- update
{{- end }}
{{- end }}
{{- end }}

117
charts/argo-rollouts/templates/controller/role.yaml
View file

@ -56,7 +56,19 @@ rules:
- update
- patch
- delete
# deployments and podtemplates read access needed for workload reference support
- apiGroups:
- ""
- apps
resources:
- deployments
- podtemplates
verbs:
- get
- list
- watch
# services patch needed to update selector of canary/stable/active/preview services
# services create needed to create and delete services for experiments
- apiGroups:
- ""
resources:
@ -66,8 +78,18 @@ rules:
- list
- watch
- patch
# secret access to run analysis templates which reference secrets
# configmap access to read notification-engine configuration
- create
- delete
# leases create/get/update needed for leader election
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- create
- get
- update
# secret read access to run analysis templates which reference secrets
- apiGroups:
- ""
resources:
@ -77,9 +99,6 @@ rules:
- get
- list
- watch
- create
- patch
- update
# pod list/update needed for updating ephemeral data
- apiGroups:
- ""
@ -88,6 +107,7 @@ rules:
verbs:
- list
- update
- watch
# pods eviction needed for restart
- apiGroups:
- ""
@ -129,16 +149,22 @@ rules:
- update
- patch
- delete
# virtualservice access needed for using the Istio provider
{{- if .Values.providerRBAC.enabled }}
{{- if .Values.providerRBAC.providers.istio }}
# virtualservice/destinationrule access needed for using the Istio provider
- apiGroups:
- networking.istio.io
resources:
- virtualservices
- destinationrules
verbs:
- watch
- get
- update
- patch
- list
{{- end }}
{{- if .Values.providerRBAC.providers.smi }}
# trafficsplit access needed for using the SMI provider
- apiGroups:
- split.smi-spec.io
@ -151,3 +177,82 @@ rules:
- update
- patch
{{- end }}
{{- if .Values.providerRBAC.providers.ambassador }}
# ambassador access needed for Ambassador provider
- apiGroups:
- getambassador.io
- x.getambassador.io
resources:
- mappings
- ambassadormappings
verbs:
- create
- watch
- get
- update
- list
- delete
{{- end }}
{{- if .Values.providerRBAC.providers.awsLoadBalancerController }}
# Endpoints and TargetGroupBindings needed for ALB target group verification when using AWS Load Balancer Controller
- apiGroups:
- ""
resources:
- endpoints
verbs:
- get
- apiGroups:
- elbv2.k8s.aws
resources:
- targetgroupbindings
verbs:
- list
- get
{{- end }}
{{- if .Values.providerRBAC.providers.awsAppMesh }}
# AppMesh virtualservices/virtualrouter CRD read-only access needed for using the App Mesh provider
- apiGroups:
- appmesh.k8s.aws
resources:
- virtualservices
verbs:
- watch
- get
- list
# AppMesh virtualnode CRD r/w access needed for using the App Mesh provider
- apiGroups:
- appmesh.k8s.aws
resources:
- virtualnodes
- virtualrouters
verbs:
- watch
- get
- list
- update
- patch
{{- end }}
{{- if .Values.providerRBAC.providers.traefik }}
# Traefik access needed when using the Traefik provider
- apiGroups:
- traefik.containo.us
resources:
- traefikservices
verbs:
- watch
- get
- update
{{- end }}
{{- if .Values.providerRBAC.providers.apisix }}
# Access needed when using the Apisix provider
- apiGroups:
- apisix.apache.org
resources:
- apisixroutes
verbs:
- watch
- get
- update
{{- end }}
{{- end }}
{{- end }}

3
charts/argo-rollouts/templates/crds/analysis-run-crd.yaml
View file

@ -2742,6 +2742,9 @@ spec:
type: array
insecure:
type: boolean
jsonBody:
type: object
x-kubernetes-preserve-unknown-fields: true
jsonPath:
type: string
method:

3
charts/argo-rollouts/templates/crds/analysis-template-crd.yaml
View file

@ -2738,6 +2738,9 @@ spec:
type: array
insecure:
type: boolean
jsonBody:
type: object
x-kubernetes-preserve-unknown-fields: true
jsonPath:
type: string
method:

3
charts/argo-rollouts/templates/crds/cluster-analysis-template-crd.yaml
View file

@ -2738,6 +2738,9 @@ spec:
type: array
insecure:
type: boolean
jsonBody:
type: object
x-kubernetes-preserve-unknown-fields: true
jsonPath:
type: string
method:

39
charts/argo-rollouts/templates/crds/rollout-crd.yaml
View file

@ -89,6 +89,12 @@ spec:
revisionHistoryLimit:
format: int32
type: integer
rollbackWindow:
properties:
revisions:
format: int32
type: integer
type: object
selector:
properties:
matchExpressions:
@ -397,6 +403,9 @@ spec:
- type: integer
- type: string
x-kubernetes-int-or-string: true
minPodsPerReplicaSet:
format: int32
type: integer
pingPong:
properties:
pingService:
@ -713,6 +722,20 @@ spec:
required:
- mappings
type: object
apisix:
properties:
route:
properties:
name:
type: string
rules:
items:
type: string
type: array
required:
- name
type: object
type: object
appMesh:
properties:
virtualNodeGroup:
@ -770,6 +793,14 @@ spec:
items:
type: string
type: array
tcpRoutes:
items:
properties:
port:
format: int64
type: integer
type: object
type: array
tlsRoutes:
items:
properties:
@ -794,6 +825,14 @@ spec:
items:
type: string
type: array
tcpRoutes:
items:
properties:
port:
format: int64
type: integer
type: object
type: array
tlsRoutes:
items:
properties:

7
charts/argo-rollouts/templates/dashboard/clusterrole.yaml
View file

@ -44,17 +44,18 @@ rules:
- get
- list
- watch
# deployments and podtemplates read access needed for workload reference support
- apiGroups:
- ""
- apps
resources:
- deployments
- podtemplates
verbs:
- get
- list
- watch
{{- if not .Values.dashboard.readonly }}
- update
- patch
{{- end }}
- apiGroups:
- apps
resources:

20
charts/argo-rollouts/values.yaml
View file

@ -190,6 +190,26 @@ podLabels: {}
imagePullSecrets: []
# - name: argo-pull-secret
providerRBAC:
# -- Toggles addition of provider-specific RBAC rules to the controller Role and ClusterRole
enabled: true
# providerRBAC.enabled must be true in order to toggle the individual providers
providers:
# -- Adds RBAC rules for the Istio provider
istio: true
# -- Adds RBAC rules for the SMI provider
smi: true
# -- Adds RBAC rules for the Ambassador provider
ambassador: true
# -- Adds RBAC rules for the AWS Load Balancer Controller provider
awsLoadBalancerController: true
# -- Adds RBAC rules for the AWS App Mesh provider
awsAppMesh: true
# -- Adds RBAC rules for the Traefik provider
traefik: true
# -- Adds RBAC rules for the Apisix provider
apisix: true
dashboard:
# -- Deploy dashboard server
enabled: false

6
scripts/helm-docs.sh
View file

@ -1,11 +1,11 @@
#!/bin/bash
## Reference: https://github.com/norwoodj/helm-docs
set -eux
CHART_DIR="$(cd "$(dirname "$0")/.." && pwd)"
echo "$CHART_DIR"
REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)"
echo "$REPO_ROOT"
echo "Running Helm-Docs"
docker run \
-v "$CHART_DIR:/helm-docs" \
-v "$REPO_ROOT:/helm-docs" \
-u $(id -u) \
jnorwood/helm-docs:v1.9.1