Merge branch 'main' into rollout

2023-05-06 06:02:05 -05:00 · 2023-05-06 06:02:05 -05:00 · 3fcffb34f6
commit 3fcffb34f6
parent 07d52ef605 6cf01708d3
15 changed files with 159 additions and 45 deletions
--- a/.github/workflows/pr-title.yml
+++ b/.github/workflows/pr-title.yml
@ -31,6 +31,7 @@ jobs:
            argo-workflows
            argocd-image-updater
            argocd-apps
+            deps
            github
          # Configure that a scope must always be provided.
          requireScope: true
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@ -0,0 +1,72 @@
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
+name: Scorecard supply-chain security
+on:
+  # For Branch-Protection check. Only the default branch is supported. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
+  branch_protection_rule:
+  # To guarantee Maintained check is occasionally updated. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+  schedule:
+    - cron: '21 6 * * 6'
+  push:
+    branches: [ "main" ]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      # Needed to publish results and get a badge (see publish_results below).
+      id-token: write
+      # Uncomment the permissions below if installing in a private repository.
+      # contents: read
+      # actions: read
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@80e868c13c90f172d68d1f4501dee99e2479f7af # v2.1.3
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
+          # - you want to enable the Branch-Protection check on a *public* repository, or
+          # - you are installing Scorecard on a *private* repository
+          # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
+          repo_token: ${{ secrets.SCORECARD_TOKEN }}
+
+          # Public repositories:
+          #   - Publish results to OpenSSF REST API for easy access by consumers
+          #   - Allows the repository to include the Scorecard badge.
+          #   - See https://github.com/ossf/scorecard-action#publishing-results.
+          # For private repositories:
+          #   - `publish_results` will always be set to `false`, regardless
+          #     of the value entered here.
+          publish_results: true
+
+      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+      # format to the repository Actions tab.
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard.
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@29b1f65c5e92e24fe6b6647da1eaabe529cec70f # v2.3.3
+        with:
+          sarif_file: results.sarif
--- a/14
+++ b/14
@ -1,16 +1,14 @@
-# https://help.github.com/en/github/creating-cloning-and-archiving-repositories/about-code-owners
-
-# Other and new charts
-/charts/ @oliverbaehler
+# All
+*                              @mkilchhofer @jmeridth

 # Argo Workflows
-/charts/argo-workflows/ @stefansedich @paguos @vladlosev @yann-soubeyrand @jmeridth @yu-croco
+/charts/argo-workflows/        @vladlosev @yann-soubeyrand @jmeridth @yu-croco

 # Argo CD
-/charts/argo-cd/ @davidkarlsen @mr-sour @yann-soubeyrand @mbevc1 @mkilchhofer @yu-croco @jmeridth @pdrastil
+/charts/argo-cd/               @mbevc1 @mkilchhofer @yu-croco @jmeridth @pdrastil

 # Argo Events
-/charts/argo-events/ @jbehling @VaibhavPage @pdrastil
+/charts/argo-events/           @pdrastil @jmeridth

 # Argo Rollouts
-/charts/argo-rollouts/
+/charts/argo-rollouts/         @jmeridth
--- a/CODE_OF_CONDUCT.md
+++ b/CODE_OF_CONDUCT.md
@ -0,0 +1,9 @@
+# Code of Conduct
+
+We adhere to the [CNCF Code of Conduct](https://github.com/cncf/foundation/blob/main/code-of-conduct.md).  Please reference the link for details.
+
+## TL;DR (too long didn't read)
+
+Be kind
+
+Your participation is at the discression of the maintainers of this project.
--- a/EMERITUS.md
+++ b/EMERITUS.md
@ -0,0 +1,12 @@
+# Emeritus Approvers
+
+These are the people who have been approvers in the past, and have since retired from the role.
+
+We thank them for their service to the project.
+
+* @oliverbaehler
+* @stefansedich
+* @paguos
+* @yann-soubeyrand
+* @davidkarlsen
+* @jbehling
--- a/9
+++ b/9
@ -1,9 +0,0 @@
-owners:
- alexec
- alexmt
- jessesuen
-
-approvers:
- alexec
- alexmt
- jessesuen
--- a/README.md
+++ b/README.md
@ -5,6 +5,7 @@
 [![Chart Publish](https://github.com/argoproj/argo-helm/actions/workflows/publish.yml/badge.svg?branch=main)](https://github.com/argoproj/argo-helm/actions/workflows/publish.yml)
 [![Artifact HUB](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/argo)](https://artifacthub.io/packages/search?repo=argo)
 [![CLOMonitor](https://img.shields.io/endpoint?url=https://clomonitor.io/api/projects/cncf/argo/badge)](https://clomonitor.io/projects/cncf/argo)
+[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/argoproj/argo-helm/badge)](https://api.securityscorecards.dev/projects/github.com/argoproj/argo-helm)

 Argo Helm is a collection of **community maintained** charts for [https://argoproj.github.io](https://argoproj.github.io) projects. The charts can be added using following command:

--- a/SECURITY.md
+++ b/SECURITY.md
@ -0,0 +1,21 @@
+# Security Policy
+
+## Supported Versions and Upstream Reporting
+
+Each helm chart currently supports the designated application version in the Chart.yaml.  There is a chance a security issue you've discovered may not be with the helm chart but with the upstream application.  Please visit that application's Security policy docueent to find out how to report the security issue.
+
+* [Security Policy for Argo Workflows](https://github.com/argoproj/argo-workflows/blob/master/SECURITY.md)
+* [Security Policy for Argo Events](https://github.com/argoproj/argo-events/blob/master/SECURITY.md)
+* [Security Policy for Argo Rollouts](https://github.com/argoproj/argo-rollouts/blob/master/docs/security.md)
+* [Security Policy for Argo CD](https://github.com/argoproj/argo-cd/blob/master/SECURITY.md)
+* [Security Policy for Argo CD Image Updater](https://github.com/argoproj-labs/argocd-image-updater/blob/master/SECURITY.md)
+
+## Reporting a Vulnerability for Argo Helm Charts
+
+We have enabled the ability to privately report security issues through the  Security tab above.
+
+[Here are the details on how to file](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability#privately-reporting-a-security-vulnerability) on how to do that
+
+A repository owner/maintainer will respond as fast as possible to coordinate confirmation of issue and remediation.
+
+Thank you for helping to ensure this code stays secure.
--- a/charts/argo-cd/Chart.yaml
+++ b/charts/argo-cd/Chart.yaml
@ -1,9 +1,9 @@
 apiVersion: v2
-appVersion: v2.7.0
+appVersion: v2.7.1
 kubeVersion: ">=1.22.0-0"
 description: A Helm chart for Argo CD, a declarative, GitOps continuous delivery tool for Kubernetes.
 name: argo-cd
-version: 5.31.0
+version: 5.32.0
 home: https://github.com/argoproj/argo-helm
 icon: https://argo-cd.readthedocs.io/en/stable/assets/logo.png
 sources:
@ -23,5 +23,5 @@ dependencies:
    condition: redis-ha.enabled
 annotations:
  artifacthub.io/changes: |
-    - kind: changed
-      description: Use tini as the ENTRYPOINT
+    - kind: added
+      description: Allow extraObjects to contain string templates
--- a/charts/argo-cd/templates/extra-manifests.yaml
+++ b/charts/argo-cd/templates/extra-manifests.yaml
@ -1,4 +1,8 @@
 {{ range .Values.extraObjects }}
 ---
-{{ tpl (toYaml .) $ }}
+{{- if typeIs "string" . }}
+    {{- tpl . $ }}
+{{- else }}
+    {{- tpl (toYaml .) $ }}
+{{- end }}
 {{ end }}
--- a/charts/argo-workflows/Chart.yaml
+++ b/charts/argo-workflows/Chart.yaml
@ -3,7 +3,7 @@ appVersion: v3.4.7
 name: argo-workflows
 description: A Helm chart for Argo Workflows
 type: application
-version: 0.25.1
+version: 0.26.0
 icon: https://raw.githubusercontent.com/argoproj/argo-workflows/master/docs/assets/argo.png
 home: https://github.com/argoproj/argo-helm
 sources:
@ -13,5 +13,5 @@ maintainers:
    url: https://argoproj.github.io/
 annotations:
  artifacthub.io/changes: |
-    - kind: added
-      description: Add Prometheus ServiceMonitor relabelings, metricRelabelings & targetLabels
+    - kind: fix
+      description: Drop .Values.useDefaultArtifactRepo flag to simplify usage
--- a/charts/argo-workflows/README.md
+++ b/charts/argo-workflows/README.md
@ -308,8 +308,7 @@ Fields to note:
 | artifactRepository.azure | object | `{}` (See [values.yaml]) | Store artifact in Azure Blob Storage |
 | artifactRepository.gcs | object | `{}` (See [values.yaml]) | Store artifact in a GCS object store |
 | artifactRepository.s3 | object | See [values.yaml] | Store artifact in a S3-compliant object store |
-| customArtifactRepository | object | `{}` | The section of custom artifact repository. Will be added to the config in case useDefaultArtifactRepo is set to false |
-| useDefaultArtifactRepo | bool | `false` | Influences the creation of the ConfigMap for the workflow-controller itself. |
+| customArtifactRepository | object | `{}` | The section of custom artifact repository. Utilize a custom artifact repository that is not one of the current base ones (s3, gcs, azure) |
 | useStaticCredentials | bool | `true` | Use static credentials for S3 (eg. when not using AWS IRSA) |

 ## Breaking changes from the deprecated `argo` chart
--- a/charts/argo-workflows/templates/_helpers.tpl
+++ b/charts/argo-workflows/templates/_helpers.tpl
@ -153,3 +153,16 @@ Return full image name including or excluding registry based on existence
  {{ .image.repository }}
 {{- end -}}
 {{- end -}}
+
+{{/*
+Return the appropriate apiVersion for autoscaling
+*/}}
+{{- define "argo-workflows.apiVersion.autoscaling" -}}
+{{- if .Values.apiVersionOverrides.autoscaling -}}
+{{- print .Values.apiVersionOverrides.autoscaling -}}
+{{- else if semverCompare "<1.23-0" (include "argo-cd.kubeVersion" .) -}}
+{{- print "autoscaling/v2beta1" -}}
+{{- else -}}
+{{- print "autoscaling/v2" -}}
+{{- end -}}
+{{- end -}}
--- a/charts/argo-workflows/templates/controller/workflow-controller-config-map.yaml
+++ b/charts/argo-workflows/templates/controller/workflow-controller-config-map.yaml
@ -55,7 +55,6 @@ data:
      securityContext: {{- toYaml . | nindent 8 }}
      {{- end }}
    {{- end }}
-    {{- if .Values.useDefaultArtifactRepo }}
    artifactRepository:
      {{- if .Values.artifactRepository.archiveLogs }}
      archiveLogs: {{ .Values.artifactRepository.archiveLogs }}
@ -96,10 +95,8 @@ data:
          {{- toYaml . | nindent 10 }}
        {{- end }}
      {{- end }}
-    {{- else }}
-      {{- if .Values.customArtifactRepository }}
-    artifactRepository: {{- toYaml .Values.customArtifactRepository | nindent 6 }}
-      {{- end }}
+    {{- if .Values.customArtifactRepository }}
+    {{- toYaml .Values.customArtifactRepository | nindent 6 }}
    {{- end }}
    {{- if .Values.controller.metricsConfig.enabled }}
    metricsConfig:
--- a/charts/argo-workflows/values.yaml
+++ b/charts/argo-workflows/values.yaml
@ -639,8 +639,6 @@ extraObjects: []
  #       secretName: argo-server-sso-secrets-store
  #       type: Opaque

-# -- Influences the creation of the ConfigMap for the workflow-controller itself.
-useDefaultArtifactRepo: false
 # -- Use static credentials for S3 (eg. when not using AWS IRSA)
 useStaticCredentials: true
 artifactRepository:
@ -702,18 +700,16 @@ artifactRepository:
  #  key: account-access-key

 # -- The section of custom artifact repository.
-# Will be added to the config in case useDefaultArtifactRepo is set to false
+# Utilize a custom artifact repository that is not one of the current base ones (s3, gcs, azure)
 customArtifactRepository: {}
-# customArtifactRepository:
-#   archiveLogs: true
-#   artifactory:
-#     repoUrl: https://artifactory.example.com/raw
-#     usernameSecret:
-#       name: artifactory-creds
-#       key: username
-#     passwordSecret:
-#       name: artifactory-creds
-#       key: password
+# artifactory:
+#   repoUrl: https://artifactory.example.com/raw
+#   usernameSecret:
+#     name: artifactory-creds
+#     key: username
+#   passwordSecret:
+#     name: artifactory-creds
+#     key: password

 emissary:
  # -- The command/args for each image on workflow, needed when the command is not specified and the emissary executor is used.