DevFW-CICD/argocd-helm
16
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge branch 'master' into master

Browse source
This commit is contained in:
Marco Kilchhofer 2021-07-26 15:03:29 +02:00 committed by GitHub
commit 3cead02184
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
16 changed files with 141 additions and 53 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
CONTRIBUTING.md
View file

@ -55,7 +55,7 @@ annotations:
Minimally:
```
helm install charts/argo -n argo
helm install charts/argo-workflows -n argo
argo version
```

5
charts/argo-cd/Chart.yaml
View file

@ -2,7 +2,7 @@ apiVersion: v2
appVersion: 2.0.4
description: A Helm chart for ArgoCD, a declarative, GitOps continuous delivery tool for Kubernetes.
name: argo-cd
version: 3.9.0
version: 3.10.0
home: https://github.com/argoproj/argo-helm
icon: https://argoproj.github.io/argo-cd/assets/logo.png
keywords:
@ -21,5 +21,4 @@ dependencies:
condition: redis-ha.enabled
annotations:
artifacthub.io/changes: |
- "[Added]: Ability to create network policies"
- "[Changed]: Fix icon url"
- "[Added]: Support AWS ALB Ingress with gRPC"

21
charts/argo-cd/README.md
View file

@ -305,6 +305,7 @@ NAME: my-release
| server.ingressGrpc.labels | Additional ingress labels for dedicated [gRPC-ingress] | `{}` |
| server.ingressGrpc.ingressClassName | Defines which ingress controller will implement the resource [gRPC-ingress] | `""` |
| server.ingressGrpc.tls | Ingress TLS configuration for dedicated [gRPC-ingress] | `[]` |
| server.ingressGrpc.isAWSALB | Setup up GRPC ingress to work with an AWS ALB | `false` |
| server.route.enabled | Enable a OpenShift route for the server | `false` |
| server.route.hostname | Hostname of OpenShift route | `""` |
| server.lifecycle | PostStart and PreStop hooks configuration | `{}` |
@ -429,3 +430,23 @@ through `xxx.extraArgs`
| redis-ha.image.tag | Redis tag | `"6.2.1-alpine"` |
[gRPC-ingress]: https://argoproj.github.io/argo-cd/operator-manual/ingress/
### Using AWS ALB Ingress Controller With GRPC
If you are using an AWS ALB Ingress controller, you will need to set `server.ingressGrpc.isAWSALB` to `true`. This will create a second service with the annotation `alb.ingress.kubernetes.io/backend-protocol-version: HTTP2` and modify the server ingress to add a condition annotation to route GRPC traffic to the new service.
Example:
```yaml
server:
ingress:
enabled: true
annotations:
alb.ingress.kubernetes.io/backend-protocol: HTTPS
alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}]'
alb.ingress.kubernetes.io/scheme: internal
alb.ingress.kubernetes.io/target-type: ip
ingressGrpc:
enabled: true
isAWSALB: true
```

24
charts/argo-cd/templates/argocd-server/alb-grpc-service.yaml Normal file
View file

@ -0,0 +1,24 @@
{{- if and .Values.server.ingressGrpc.enabled .Values.server.ingressGrpc.isAWSALB -}}
apiVersion: v1
kind: Service
metadata:
annotations:
alb.ingress.kubernetes.io/backend-protocol-version: HTTP2 #This tells AWS to send traffic from the ALB using HTTP2. Can use GRPC as well if you want to leverage GRPC specific features
labels:
{{- include "argo-cd.labels" (dict "context" . "component" (print .Values.server.name "-gprc") "name" (print .Values.server.name "-grpc")) | nindent 4 }}
name: {{ template "argo-cd.server.fullname" . }}-grpc
spec:
ports:
- name: {{ .Values.server.service.servicePortHttpName }}
protocol: TCP
port: {{ .Values.server.service.servicePortHttp }}
targetPort: {{- if .Values.server.service.namedTargetPort }} {{ .Values.server.name }} {{- else }} {{ .Values.server.containerPort }} {{- end }}
- name: {{ .Values.server.service.servicePortHttpsName }}
protocol: TCP
port: {{ .Values.server.service.servicePortHttps }}
targetPort: {{- if .Values.server.service.namedTargetPort }} {{ .Values.server.name }} {{- else }} {{ .Values.server.containerPort }} {{- end }}
selector:
{{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.server.name) | nindent 4 }}
sessionAffinity: None
type: ClusterIP
{{- end -}}

2
charts/argo-cd/templates/argocd-server/ingress-grpc.yaml
View file

@ -1,4 +1,4 @@
{{- if .Values.server.ingressGrpc.enabled -}}
{{- if and .Values.server.ingressGrpc.enabled (not .Values.server.ingressGrpc.isAWSALB) -}}
{{- $serviceName := include "argo-cd.server.fullname" . -}}
{{- $servicePort := ternary .Values.server.service.servicePortHttps .Values.server.service.servicePortHttp .Values.server.ingressGrpc.https -}}
{{- $paths := .Values.server.ingressGrpc.paths -}}

24
charts/argo-cd/templates/argocd-server/ingress.yaml
View file

@ -12,6 +12,10 @@ metadata:
{{- range $key, $value := .Values.server.ingress.annotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- if and .Values.server.ingressGrpc.isAWSALB .Values.server.ingressGrpc.enabled }}
alb.ingress.kubernetes.io/conditions.{{ template "argo-cd.server.fullname" . }}-grpc: |
[{"field":"http-header","httpHeaderConfig":{"httpHeaderName": "Content-Type", "values":["application/grpc"]}}]
{{- end }}
{{- end }}
name: {{ template "argo-cd.server.fullname" . }}
labels:
@ -35,6 +39,26 @@ spec:
{{- toYaml $extraPaths | nindent 10 }}
{{- end }}
{{- range $p := $paths }}
{{- if and $.Values.server.ingressGrpc.isAWSALB $.Values.server.ingressGrpc.enabled }}
- path: {{ $p }}
{{- if eq (include "argo-cd.ingress.apiVersion" $) "networking.k8s.io/v1" }}
pathType: Prefix
{{- end }}
backend:
{{- if eq (include "argo-cd.ingress.apiVersion" $) "networking.k8s.io/v1" }}
service:
name: {{ template "argo-cd.server.fullname" $ }}-grpc
port:
{{- if kindIs "float64" $servicePort }}
number: {{ $servicePort }}
{{- else }}
name: {{ $servicePort }}
{{- end }}
{{- else }}
serviceName: {{ template "argo-cd.server.fullname" $ }}-grpc
servicePort: {{ $servicePort }}
{{- end }}
{{- end }}
- path: {{ $p }}
{{- if eq (include "argo-cd.ingress.apiVersion" $) "networking.k8s.io/v1" }}
pathType: {{ $pathType }}

1
charts/argo-cd/values.yaml
View file

@ -601,6 +601,7 @@ server:
# https://argoproj.github.io/argo-cd/operator-manual/ingress/
ingressGrpc:
enabled: false
isAWSALB: false
annotations: {}
labels: {}
ingressClassName: ""

4
charts/argo-workflows/Chart.yaml
View file

@ -2,7 +2,7 @@ apiVersion: v2
name: argo-workflows
description: A Helm chart for Argo Workflows
type: application
version: 0.2.7
version: 0.2.12
appVersion: "v3.0.7"
icon: https://raw.githubusercontent.com/argoproj/argo-workflows/master/docs/assets/argo.png
home: https://github.com/argoproj/argo-helm
@ -15,4 +15,4 @@ maintainers:
- name: benjaminws
annotations:
artifacthub.io/changes: |
- "[Added]: Initialize Changelog"
- "[Changed]: Argo workflows values file no longer has examples referencing ArgoCD"

2
charts/argo-workflows/README.md
View file

@ -10,7 +10,7 @@ This chart uses an install hook to configure the CRD definition. Installation of
A few options are:
- Manually create a ServiceAccount in the Namespace which your release will be deployed w/ appropriate bindings to perform this action and set the `init.serviceAccount` attribute
- Manually create a ServiceAccount in the Namespace which your release will be deployed w/ appropriate bindings to perform this action and set the `serviceAccountName` field in the Workflow spec
- Augment the `default` ServiceAccount permissions in the Namespace in which your Release is deployed to have the appropriate permissions
## Usage Notes

2
charts/argo-workflows/crds/argoproj.io_workflows.yaml
View file

@ -36,9 +36,11 @@ spec:
spec:
type: object
x-kubernetes-preserve-unknown-fields: true
x-kubernetes-map-type: atomic
status:
type: object
x-kubernetes-preserve-unknown-fields: true
x-kubernetes-map-type: atomic
required:
- metadata
- spec

10
charts/argo-workflows/templates/controller/workflow-controller-cluster-roles.yaml
View file

@ -121,8 +121,18 @@ rules:
resources:
- leases
resourceNames:
{{- if .Values.controller.instanceID.enabled }}
{{- if .Values.controller.instanceID.useReleaseName }}
- workflow-controller-{{ .Release.Name }}
- workflow-controller-lease-{{ .Release.Name }}
{{- else }}
- workflow-controller-{{ .Values.controller.instanceID.explicitID }}
- workflow-controller-lease-{{ .Values.controller.instanceID.explicitID }}
{{- end }}
{{- else }}
- workflow-controller
- workflow-controller-lease
{{- end }}
verbs:
- get
- watch

6
charts/argo-workflows/templates/controller/workflow-controller-config-map.yaml
View file

@ -7,11 +7,11 @@ metadata:
data:
config: |
{{- if .Values.controller.instanceID.enabled }}
{{- if .Values.controller.instanceID.useReleaseName }}
{{- if .Values.controller.instanceID.useReleaseName }}
instanceID: {{ .Release.Name }}
{{- else }}
{{- else }}
instanceID: {{ .Values.controller.instanceID.explicitID }}
{{- end }}
{{- end }}
{{- end }}
containerRuntimeExecutor: {{ .Values.controller.containerRuntimeExecutor }}
{{- if .Values.controller.parallelism }}

19
charts/argo-workflows/templates/controller/workflow-rb.yaml
View file

@ -1,19 +1,20 @@
{{- if .Values.workflow.rbac.create -}}
{{- range $namespace := or .Values.singeNamespace false | ternary (list "") (append .Values.controller.workflowNamespaces (coalesce .Values.workflow.namespace .Release.Namespace) | uniq) }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ template "argo-workflows.fullname" . }}-workflow
{{- with .Values.workflow.namespace }}
namespace: {{ . }}
{{- end }}
name: {{ template "argo-workflows.fullname" $ }}-workflow
namespace: {{ $namespace }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ template "argo-workflows.fullname" . }}-workflow
name: {{ template "argo-workflows.fullname" $ }}-workflow
subjects:
- kind: ServiceAccount
name: {{ .Values.workflow.serviceAccount.name }}
{{- with .Values.workflow.namespace }}
namespace: {{ . }}
- kind: ServiceAccount
name: {{ $.Values.workflow.serviceAccount.name }}
{{- with $namespace }}
namespace: {{ . }}
{{- end }}
{{- end }}
{{- end }}

40
charts/argo-workflows/templates/controller/workflow-role.yaml
View file

@ -1,25 +1,29 @@
{{- if .Values.workflow.rbac.create -}}
{{- range $namespace := or .Values.singeNamespace false | ternary (list "") (append .Values.controller.workflowNamespaces (coalesce .Values.workflow.namespace .Release.Namespace) | uniq) }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ template "argo-workflows.fullname" . }}-workflow
{{- with .Values.workflow.namespace }}
name: {{ template "argo-workflows.fullname" $ }}-workflow
{{- with $namespace }}
namespace: {{ . }}
{{- end }}
{{- end }}
rules:
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- watch
- patch
- apiGroups:
- ""
resources:
- pods/log
verbs:
- get
- watch
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- watch
- patch
- apiGroups:
- ""
resources:
- pods/log
verbs:
- get
- watch
{{- end }}
{{- end }}

13
charts/argo-workflows/templates/controller/workflow-sa.yaml
View file

@ -1,13 +1,16 @@
{{- if .Values.workflow.serviceAccount.create -}}
{{- range $namespace := or .Values.singeNamespace false | ternary (list "") (append .Values.controller.workflowNamespaces (coalesce .Values.workflow.namespace .Release.Namespace) | uniq) }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ .Values.workflow.serviceAccount.name }}
{{- with .Values.workflow.namespace }}
name: {{ $.Values.workflow.serviceAccount.name }}
{{- with $namespace }}
namespace: {{ . }}
{{- end }}
{{- with .Values.workflow.serviceAccount.annotations }}
{{- end }}
{{- with $.Values.workflow.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}
{{- end }}

19
charts/argo-workflows/values.yaml
View file

@ -5,11 +5,6 @@ images:
pullSecrets: []
# - name: argo-pull-secret
init:
# By default the installation will not set an explicit one, which will mean it uses `default` for the namespace the chart is
# being deployed to. In RBAC clusters, that will almost certainly fail. See the NOTES: section of the readme for more info.
serviceAccount: ""
createAggregateRoles: true
## String to partially override "argo-workflows.fullname" template
@ -29,13 +24,15 @@ kubeVersionOverride: ""
singleNamespace: false
workflow:
namespace: "" # Specify namespace if workflows run in another namespace than argo. This controls where the service account and RBAC resources will be created.
namespace: # Deprecated, for backwards compatibility: specify a single namespace to run workflows in
serviceAccount:
create: false # Specifies whether a service account should be created
annotations: {}
name: "argo-workflow" # Service account which is used to run workflows
rbac:
create: false # adds Role and RoleBinding for the above specified service account to be able to run workflows
# Adds Role and RoleBinding for the above specified service account to be able to run workflows
# A Role and Rolebinding pair is also created for each namespace in controller.workflowNamespaces (see below)
create: true
controller:
image:
@ -109,6 +106,8 @@ controller:
# Annotations applied to created service account
annotations: {}
name: workflow-controller
# Specify all namespaces to run worksflows need to be able to run in. This controls where the service
# account and RBAC resources will be created. If unspecified, will run in the default namespace.
workflowNamespaces:
- default
containerRuntimeExecutor: docker
@ -279,7 +278,7 @@ server:
##
hosts:
[]
# - argocd.example.com
# - argoworkflows.example.com
paths:
- /
extraPaths:
@ -298,9 +297,9 @@ server:
# name: use-annotation
tls:
[]
# - secretName: argocd-example-tls
# - secretName: argoworkflows-example-tls
# hosts:
# - argocd.example.com
# - argoworkflows.example.com
https: false
clusterWorkflowTemplates: