From 46eb042763eb680d30ad4d90215129cac2d0acd2 Mon Sep 17 00:00:00 2001 From: Tuan Anh Tran Date: Sat, 20 Nov 2021 04:35:13 +0700 Subject: [PATCH] docs(argo-workflows): Use helm docs for workflows (#1003) * Use helm-docs for argo-workflows Signed-off-by: Tuan Anh Tran * bump version and update changelog Signed-off-by: Tuan Anh Tran * ci: add step to check if docs is staled and needs update Signed-off-by: Tuan Anh Tran * docs: run helm-docs to generate readme Signed-off-by: Tuan Anh Tran * Add missing parameter documentation Signed-off-by: Marco Kilchhofer * Add .helmdocsignore for charts which not yet use helm-docs Signed-off-by: Marco Kilchhofer * Do not exclude argocd-notifications anymore Signed-off-by: Marco Kilchhofer Co-authored-by: Marco Kilchhofer --- .github/workflows/lint-and-test.yml | 6 + .helmdocsignore | 2 + charts/argo-workflows/Chart.yaml | 4 +- charts/argo-workflows/README.md | 164 +++++++++++++ charts/argo-workflows/README.md.gotmpl | 120 ++++++++++ charts/argo-workflows/values.yaml | 306 ++++++++++++++++--------- 6 files changed, 492 insertions(+), 110 deletions(-) create mode 100644 .helmdocsignore create mode 100644 charts/argo-workflows/README.md.gotmpl diff --git a/.github/workflows/lint-and-test.yml b/.github/workflows/lint-and-test.yml index 6dee7c2b..7dd576cf 100644 --- a/.github/workflows/lint-and-test.yml +++ b/.github/workflows/lint-and-test.yml @@ -35,6 +35,12 @@ jobs: fi - name: Run chart-testing (lint) run: ct lint --debug --config ./.github/configs/ct-lint.yaml --lint-conf ./.github/configs/lintconf.yaml + + - name: Run docs-testing (helm-docs) + uses: buttahtoast/helm-release-action@v2.0.1 + with: + charts: "${{ steps.list-changed.outputs.changed_charts }}" + if: steps.list-changed.outputs.changed == 'true' - name: Create kind cluster uses: helm/kind-action@v1.2.0 diff --git a/.helmdocsignore b/.helmdocsignore new file mode 100644 index 00000000..a02fad29 --- /dev/null +++ b/.helmdocsignore 
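Review bot: The added `Run docs-testing (helm-docs)` step references a third-party action by a mutable tag, `uses: buttahtoast/helm-release-action@v2.0.1`, so whoever controls that repository can change what runs in this job by moving the tag. Pinning to the full commit SHA removes that dependency, for example `uses: buttahtoast/helm-release-action@<full-commit-sha> # v2.0.1`. The workflow's trigger and token permissions are outside this hunk, so it is worth confirming the job runs with a read-only `GITHUB_TOKEN` before another external action is added to it. The step name says helm-docs while the action is called helm-release-action; a one-line comment such as `# fails when README.md is out of date with values.yaml` would make the intent clear, assuming that is what the action does.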
@@ -0,0 +1,2 @@ +charts/argo-events +charts/argo-rollouts diff --git a/charts/argo-workflows/Chart.yaml b/charts/argo-workflows/Chart.yaml index 43dc0644..8ac087e5 100644 --- a/charts/argo-workflows/Chart.yaml +++ b/charts/argo-workflows/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: argo-workflows description: A Helm chart for Argo Workflows type: application -version: 0.8.1 +version: 0.8.2 appVersion: v3.2.0 icon: https://raw.githubusercontent.com/argoproj/argo-workflows/master/docs/assets/argo.png home: https://github.com/argoproj/argo-helm @@ -15,4 +15,4 @@ maintainers: - name: benjaminws annotations: artifacthub.io/changes: | - - "[Changed]: Restore RBAC permissions and clarify namespace settings." + - "[Changed]: Use helm-docs to generate README.md" diff --git a/charts/argo-workflows/README.md b/charts/argo-workflows/README.md index d580d9f3..098bad79 100644 --- a/charts/argo-workflows/README.md +++ b/charts/argo-workflows/README.md 
@@ -31,6 +31,162 @@ Fields to note: workflow controller will manage workflows. Only valid when `singleNamespace` is false. +### General parameters + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| createAggregateRoles | bool | `true` | Create clusterroles that extend existing clusterroles to interact with argo-cd crds | +| fullnameOverride | string | `nil` | String to fully override "argo-workflows.fullname" template | +| images.pullPolicy | string | `"Always"` | imagePullPolicy to apply to all containers | +| images.pullSecrets | list | `[]` | Secrets with credentials to pull images from a private registry | +| kubeVersionOverride | string | `""` | Override the Kubernetes version, which is used to evaluate certain manifests | +| nameOverride | string | `nil` | String to partially override "argo-workflows.fullname" template | +| singleNamespace | bool | `false` | Restrict Argo to operate only in a single namespace (the namespace of the Helm release) by apply Roles and RoleBindings instead of the Cluster equivalents, and start workflow-controller with the --namespaced flag. Use it in clusters with strict access policy. | + +### Workflow + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| workflow.namespace | string | `nil` | Deprecated; use controller.workflowNamespaces instead. | +| workflow.rbac.create | bool | `true` | Adds Role and RoleBinding for the above specified service account to be able to run workflows. 
A Role and Rolebinding pair is also created for each namespace in controller.workflowNamespaces (see below) | +| workflow.serviceAccount.annotations | object | `{}` | Annotations applied to created service account | +| workflow.serviceAccount.create | bool | `false` | Specifies whether a service account should be created | +| workflow.serviceAccount.name | string | `"argo-workflow"` | Service account which is used to run workflows | + +### Workflow Controller + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| controller.affinity | object | `{}` | Assign custom [affinity] rules | +| controller.clusterWorkflowTemplates.enabled | bool | `true` | Create a ClusterRole and CRB for the controller to access ClusterWorkflowTemplates. | +| controller.containerRuntimeExecutor | string | `"docker"` | Specifies the container runtime interface to use (one of: `docker`, `kubelet`, `k8sapi`, `pns`, `emissary`) | +| controller.containerRuntimeExecutors | list | `[]` | Specifies the executor to use. This has precedence over `controller.containerRuntimeExecutor`. | +| controller.extraArgs | list | `[]` | Extra arguments to be added to the controller | +| controller.extraContainers | list | `[]` | Extra containers to be added to the controller deployment | +| controller.extraEnv | list | `[]` | Extra environment variables to provide to the controller container | +| controller.image.registry | string | `"quay.io"` | Registry to use for the controller | +| controller.image.repository | string | `"argoproj/workflow-controller"` | Registry to use for the controller | +| controller.image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion. 
| +| controller.initialDelay | string | `nil` | Resolves ongoing, uncommon AWS EKS bug: https://github.com/argoproj/argo-workflows/pull/4224 | +| controller.instanceID.enabled | bool | `false` | Configures the controller to filter workflow submissions to only those which have a matching instanceID attribute. | +| controller.instanceID.explicitID | string | `""` | Use a custom instanceID | +| controller.instanceID.useReleaseName | bool | `false` | Use ReleaseName as instanceID | +| controller.links | list | `[]` | Configure Argo Server to show custom [links] | +| controller.livenessProbe | object | See [values.yaml] | Configure liveness [probe] for the controller | +| controller.loadBalancerSourceRanges | list | `[]` | Source ranges to allow access to service from. Only applies to service type `LoadBalancer` | +| controller.logging.globallevel | string | `"0"` | Set the glog logging level | +| controller.logging.level | string | `"info"` | Set the logging level (one of: `debug`, `info`, `warn`, `error`) | +| controller.metricsConfig.enabled | bool | `false` | Enables prometheus metrics server | +| controller.metricsConfig.path | string | `"/metrics"` | Path is the path where metrics are emitted. Must start with a "/". 
| +| controller.metricsConfig.port | int | `9090` | Port is the port where metrics are emitted | +| controller.metricsConfig.portName | string | `"metrics"` | Container metrics port name | +| controller.metricsConfig.servicePort | int | `8080` | Service metrics port | +| controller.metricsConfig.servicePortName | string | `"metrics"` | Service metrics port name | +| controller.name | string | `"workflow-controller"` | Workflow controller name string | +| controller.namespaceParallelism | string | `nil` | Limits the maximum number of incomplete workflows in a namespace | +| controller.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | [Node selector] | +| controller.parallelism | string | `nil` | parallelism dictates how many workflows can be running at the same time | +| controller.pdb.enabled | bool | `false` | Configure [Pod Disruption Budget] for the controller pods | +| controller.persistence | object | `{}` | enable persistence using postgres | +| controller.podAnnotations | object | `{}` | podAnnotations is an optional map of annotations to be applied to the controller Pods | +| controller.podLabels | object | `{}` | Optional labels to add to the controller pods | +| controller.podSecurityContext | object | `{}` | SecurityContext to set on the controller pods | +| controller.podWorkers | string | `nil` | Number of pod workers | +| controller.priorityClassName | string | `""` | Leverage a PriorityClass to ensure your pods survive resource shortages. 
| +| controller.replicas | int | `1` | The number of controller pods to run | +| controller.resources | object | `{}` | Resource limits and requests for the controller | +| controller.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true}` | the controller container's securityContext | +| controller.serviceAccount.annotations | object | `{}` | Annotations applied to created service account | +| controller.serviceAccount.create | bool | `true` | Create a service account for the controller | +| controller.serviceAccount.name | string | `""` | Service account name | +| controller.serviceAnnotations | object | `{}` | Annotations to be applied to the controller Service | +| controller.serviceLabels | object | `{}` | Optional labels to add to the controller Service | +| controller.serviceMonitor.additionalLabels | object | `{}` | Prometheus ServiceMonitor labels | +| controller.serviceMonitor.enabled | bool | `false` | Enable a prometheus ServiceMonitor | +| controller.serviceType | string | `"ClusterIP"` | Service type of the controller Service | +| controller.telemetryConfig.enabled | bool | `false` | Enables prometheus telemetry server | +| controller.telemetryConfig.path | string | `"/telemetry"` | telemetry path | +| controller.telemetryConfig.port | int | `8081` | telemetry container port | +| controller.telemetryConfig.servicePort | int | `8081` | telemetry service port | +| controller.telemetryConfig.servicePortName | string | `"telemetry"` | telemetry service port name | +| controller.tolerations | list | `[]` | [Tolerations] for use with node taints | +| controller.workflowDefaults | object | `{}` | Default values that will apply to all Workflows from this controller, unless overridden on the Workflow-level. Only valid for 2.7+ | +| controller.workflowNamespaces | list | `["default"]` | Specify all namespaces where this workflow controller instance will manage workflows. 
This controls where the service account and RBAC resources will be created. Only valid when singleNamespace is false. | +| controller.workflowRestrictions | object | `{}` | Restricts the Workflows that the controller will process. Only valid for 2.9+ | +| controller.workflowWorkers | string | `nil` | Number of workflow workers | + +### Workflow Executor + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| executor.env | object | `{}` | Adds environment variables for the executor. | +| executor.image.registry | string | `"quay.io"` | Registry to use for the Workflow Executors | +| executor.image.repository | string | `"argoproj/argoexec"` | Repository to use for the Workflow Executors | +| executor.image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion. | +| executor.resources | object | `{}` | Resource limits and requests for the Workflow Executors | +| executor.securityContext | object | `{}` | sets security context for the executor container | + +### Workflow Server + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| server.affinity | object | `{}` | Assign custom [affinity] rules | +| server.baseHref | string | `"/"` | Value for base href in index.html. Used if the server is running behind reverse proxy under subpath different from /. | +| server.clusterWorkflowTemplates.enableEditing | bool | `true` | Give the server permissions to edit ClusterWorkflowTemplates. | +| server.clusterWorkflowTemplates.enabled | bool | `true` | Create a ClusterRole and CRB for the server to access ClusterWorkflowTemplates. | +| server.enabled | bool | `true` | Deploy the Argo Server | +| server.extraArgs | list | `[]` | Extra arguments to provide to the Argo server binary. 
| +| server.extraContainers | list | `[]` | Extra containers to be added to the server deployment | +| server.extraEnv | list | `[]` | Extra environment variables to provide to the argo-server container | +| server.image.registry | string | `"quay.io"` | Registry to use for the server | +| server.image.repository | string | `"argoproj/argocli"` | Repository to use for the server | +| server.image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion. | +| server.ingress.annotations | object | `{}` | Additional ingress annotations | +| server.ingress.enabled | bool | `false` | Enable an ingress resource | +| server.ingress.extraPaths | list | `[]` | Additional ingress paths | +| server.ingress.hosts | list | `[]` | List of ingress hosts | +| server.ingress.ingressClassName | string | `""` | Defines which ingress controller will implement the resource | +| server.ingress.labels | object | `{}` | Additional ingress labels | +| server.ingress.pathType | string | `"Prefix"` | Ingress path type. One of `Exact`, `Prefix` or `ImplementationSpecific` | +| server.ingress.paths | list | `["/"]` | List of ingress paths | +| server.ingress.tls | list | `[]` | Ingress TLS configuration | +| server.loadBalancerIP | string | `""` | Static IP address to assign to loadBalancer service type `LoadBalancer` | +| server.loadBalancerSourceRanges | list | `[]` | Source ranges to allow access to service from. 
Only applies to service type `LoadBalancer` | +| server.name | string | `"server"` | Server name string | +| server.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | [Node selector] | +| server.pdb.enabled | bool | `false` | Configure [Pod Disruption Budget] for the server pods | +| server.podAnnotations | object | `{}` | optional map of annotations to be applied to the ui Pods | +| server.podLabels | object | `{}` | Optional labels to add to the UI pods | +| server.podSecurityContext | object | `{}` | SecurityContext to set on the server pods | +| server.priorityClassName | string | `""` | Leverage a PriorityClass to ensure your pods survive resource shortages | +| server.replicas | int | `1` | The number of server pods to run | +| server.resources | object | `{}` | Resource limits and requests for the server | +| server.secure | bool | `false` | Run the argo server in "secure" mode. Configure this value instead of `--secure` in extraArgs. | +| server.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":false,"runAsNonRoot":true}` | Servers container-level security context | +| server.serviceAccount.annotations | object | `{}` | Annotations applied to created service account | +| server.serviceAccount.create | bool | `true` | Create a service account for the server | +| server.serviceAccount.name | string | `""` | Service account name | +| server.serviceAnnotations | object | `{}` | Annotations to be applied to the UI Service | +| server.serviceLabels | object | `{}` | Optional labels to add to the UI Service | +| server.serviceNodePort | string | `nil` | Service node port | +| server.servicePort | int | `2746` | Service port for server | +| server.servicePortName | string | `""` | Service port name | +| server.serviceType | string | `"ClusterIP"` | Service type for server pods | +| server.sso | object | `{}` | SSO configuration when SSO is specified as a server auth mode. 
| +| server.tolerations | list | `[]` | [Tolerations] for use with node taints | +| server.volumeMounts | list | `[]` | Additional volume mounts to the server main container. | +| server.volumes | list | `[]` | Additional volumes to the server pod. | + +### Artifact Repository + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| artifactRepository.archiveLogs | bool | `false` | Archive the main container logs as an artifact | +| artifactRepository.gcs | object | `{}` (See [values.yaml]) | Store artifact in a GCS object store | +| artifactRepository.s3 | object | See [values.yaml] | Store artifact in a S3-compliant object store | +| useDefaultArtifactRepo | bool | `false` | Influences the creation of the ConfigMap for the workflow-controller itself. | +| useStaticCredentials | bool | `true` | Use static credentials for S3 (eg. when not using AWS IRSA) | + ## Breaking changes from the deprecated `argo` chart 1. the `installCRD` value has been removed. CRDs are now only installed from the conventional crds/ directory @@ -50,3 +206,11 @@ Fields to note: 1. removed any included usage of Minio 1. aligned the configuration of serviceAccounts with the argo-cd chart, ie: what used to be `server.createServiceAccount` is now `server.serviceAccount.create` 1. moved the previously known as `telemetryServicePort` inside the `telemetryConfig` as `telemetryConfig.servicePort` - same for `metricsConfig` + +[affinity]: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ +[links]: https://argoproj.github.io/argo-workflows/links/ +[Node selector]: https://kubernetes.io/docs/user-guide/node-selection/ +[Pod Disruption Budget]: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ +[probe]: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes +[Tolerations]: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ +[values.yaml]: values.yaml 
diff --git a/charts/argo-workflows/README.md.gotmpl b/charts/argo-workflows/README.md.gotmpl
new file mode 100644
index 00000000..65d3368e
--- /dev/null
+++ b/charts/argo-workflows/README.md.gotmpl
@@ -0,0 +1,120 @@ +# Argo Workflows Chart + +This is a **community maintained** chart. It is used to set up argo and it's needed dependencies through one command. This is used in conjunction with [helm](https://github.com/kubernetes/helm). + +If you want your deployment of this helm chart to most closely match the [argo CLI](https://github.com/argoproj/argo-workflows), you should deploy it in the `kube-system` namespace. + +## Pre-Requisites + +This chart uses an install hook to configure the CRD definition. Installation of CRDs is a somewhat privileged process in itself and in RBAC enabled clusters the `default` service account for namespaces does not typically have the ability to do create these. + +A few options are: + +- Manually create a ServiceAccount in the Namespace which your release will be deployed w/ appropriate bindings to perform this action and set the `serviceAccountName` field in the Workflow spec +- Augment the `default` ServiceAccount permissions in the Namespace in which your Release is deployed to have the appropriate permissions + +## Usage Notes + +This chart defaults to setting the `controller.instanceID.enabled` to `false` now, which means the deployed controller will act upon any workflow deployed to the cluster. If you would like to limit the behavior and deploy multiple workflow controllers, please use the `controller.instanceID.enabled` attribute along with one of it's configuration options to set the `instanceID` of the workflow controller to be properly scoped for your needs. + +## Values + +The `values.yaml` contains items used to tweak a deployment of this chart. 
+Fields to note: + +- `controller.instanceID.enabled`: If set to true, the Argo Controller will **ONLY** monitor Workflow submissions with a `--instanceid` attribute +- `controller.instanceID.useReleaseName`: If set to true then chart set controller instance id to release name +- `controller.instanceID.explicitID`: Allows customization of an instance id for the workflow controller to monitor +- `singleNamespace`: When true, restricts the workflow controller to operate + in just the single namespace (that one of the Helm release). +- `controller.workflowNamespaces`: This is a list of namespaces where the + workflow controller will manage workflows. Only valid when `singleNamespace` + is false. + +### General parameters + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +{{- range .Values }} + {{- if not (or (hasPrefix "workflow" .Key) (hasPrefix "controller" .Key) (hasPrefix "executor" .Key) (hasPrefix "server" .Key) (hasPrefix "artifactRepository" .Key) (hasPrefix "use" .Key) ) }} +| {{ .Key }} | {{ .Type }} | {{ if .Default }}{{ .Default }}{{ else }}{{ .AutoDefault }}{{ end }} | {{ if .Description }}{{ .Description }}{{ else }}{{ .AutoDescription }}{{ end }} | + {{- end }} +{{- end }} + +### Workflow + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +{{- range .Values }} + {{- if hasPrefix "workflow" .Key }} +| {{ .Key }} | {{ .Type }} | {{ if .Default }}{{ .Default }}{{ else }}{{ .AutoDefault }}{{ end }} | {{ if .Description }}{{ .Description }}{{ else }}{{ .AutoDescription }}{{ end }} | + {{- end }} +{{- end }} + +### Workflow Controller + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +{{- range .Values }} + {{- if hasPrefix "controller" .Key }} +| {{ .Key }} | {{ .Type }} | {{ if .Default }}{{ .Default }}{{ else }}{{ .AutoDefault }}{{ end }} | {{ if .Description }}{{ .Description }}{{ else }}{{ .AutoDescription }}{{ end }} | + {{- end }} +{{- end }} + +### Workflow 
Executor + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +{{- range .Values }} + {{- if hasPrefix "executor" .Key }} +| {{ .Key }} | {{ .Type }} | {{ if .Default }}{{ .Default }}{{ else }}{{ .AutoDefault }}{{ end }} | {{ if .Description }}{{ .Description }}{{ else }}{{ .AutoDescription }}{{ end }} | + {{- end }} +{{- end }} + +### Workflow Server + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +{{- range .Values }} + {{- if hasPrefix "server" .Key }} +| {{ .Key }} | {{ .Type }} | {{ if .Default }}{{ .Default }}{{ else }}{{ .AutoDefault }}{{ end }} | {{ if .Description }}{{ .Description }}{{ else }}{{ .AutoDescription }}{{ end }} | + {{- end }} +{{- end }} + +### Artifact Repository + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +{{- range .Values }} + {{- if or (hasPrefix "artifactRepository" .Key) (hasPrefix "use" .Key) }} +| {{ .Key }} | {{ .Type }} | {{ if .Default }}{{ .Default }}{{ else }}{{ .AutoDefault }}{{ end }} | {{ if .Description }}{{ .Description }}{{ else }}{{ .AutoDescription }}{{ end }} | + {{- end }} +{{- end }} + +## Breaking changes from the deprecated `argo` chart + +1. the `installCRD` value has been removed. CRDs are now only installed from the conventional crds/ directory +1. the CRDs were updated to `apiextensions.k8s.io/v1` +1. the container image registry/project/tag format was changed to be more in line with the more common + + ```yaml + image: + registry: quay.io + repository: argoproj/argocli + tag: v3.0.1 + ``` + + this also makes it easier for automatic update tooling (eg. renovate bot) to detect and update images. + +1. switched to quay.io as the default registry for all images +1. removed any included usage of Minio +1. aligned the configuration of serviceAccounts with the argo-cd chart, ie: what used to be `server.createServiceAccount` is now `server.serviceAccount.create` +1. 
moved the previously known as `telemetryServicePort` inside the `telemetryConfig` as `telemetryConfig.servicePort` - same for `metricsConfig` + +[affinity]: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ +[links]: https://argoproj.github.io/argo-workflows/links/ +[Node selector]: https://kubernetes.io/docs/user-guide/node-selection/ +[Pod Disruption Budget]: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ +[probe]: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes +[Tolerations]: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ +[values.yaml]: values.yaml diff --git a/charts/argo-workflows/values.yaml b/charts/argo-workflows/values.yaml index 625961f4..bf336a4e 100644 --- a/charts/argo-workflows/values.yaml +++ b/charts/argo-workflows/values.yaml 
@@ -1,68 +1,79 @@ images: - # imagePullPolicy to apply to all containers + # -- imagePullPolicy to apply to all containers pullPolicy: Always - # Secrets with credentials to pull images from a private registry + # -- Secrets with credentials to pull images from a private registry pullSecrets: [] # - name: argo-pull-secret +# -- Create clusterroles that extend existing clusterroles to interact with argo-cd crds +## Ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles createAggregateRoles: true -## String to partially override "argo-workflows.fullname" template -## +# -- String to partially override "argo-workflows.fullname" template nameOverride: -## String to fully override "argo-workflows.fullname" template -## +# -- String to fully override "argo-workflows.fullname" template fullnameOverride: -## Override the Kubernetes version, which is used to evaluate certain manifests -## +# -- Override the Kubernetes version, which is used to evaluate certain manifests kubeVersionOverride: "" -# Restrict Argo to operate only in a single namespace (the namespace of the +# -- Restrict Argo to operate only in a single namespace (the namespace of the # Helm release) by apply Roles and RoleBindings instead of the Cluster # equivalents, and start workflow-controller with the --namespaced flag. Use it # in clusters with strict access policy. singleNamespace: false workflow: - namespace: # Deprecated; use controller.workflowNamespaces instead. + # -- Deprecated; use controller.workflowNamespaces instead. 
+ namespace: serviceAccount: - create: false # Specifies whether a service account should be created + # -- Specifies whether a service account should be created + create: false + # -- Annotations applied to created service account annotations: {} - name: "argo-workflow" # Service account which is used to run workflows + # -- Service account which is used to run workflows + name: "argo-workflow" rbac: - # Adds Role and RoleBinding for the above specified service account to be able to run workflows + # -- Adds Role and RoleBinding for the above specified service account to be able to run workflows. # A Role and Rolebinding pair is also created for each namespace in controller.workflowNamespaces (see below) create: true controller: image: + # -- Registry to use for the controller registry: quay.io + # -- Registry to use for the controller repository: argoproj/workflow-controller - # Overrides the image tag whose default is the chart appVersion. + # -- Overrides the image tag whose default is the chart appVersion. 
tag: "" - # parallelism dictates how many workflows can be running at the same time + # -- parallelism dictates how many workflows can be running at the same time parallelism: - # Limits the maximum number of incomplete workflows in a namespace + # -- Limits the maximum number of incomplete workflows in a namespace namespaceParallelism: - # Resolves ongoing, uncommon AWS EKS bug: https://github.com/argoproj/argo-workflows/pull/4224 + # -- Resolves ongoing, uncommon AWS EKS bug: https://github.com/argoproj/argo-workflows/pull/4224 initialDelay: - # podAnnotations is an optional map of annotations to be applied to the controller Pods + # -- podAnnotations is an optional map of annotations to be applied to the controller Pods podAnnotations: {} - # Optional labels to add to the controller pods + # -- Optional labels to add to the controller pods podLabels: {} - # SecurityContext to set on the controller pods + # -- SecurityContext to set on the controller pods podSecurityContext: {} # podPortName: http metricsConfig: + # -- Enables prometheus metrics server enabled: false + # -- Path is the path where metrics are emitted. Must start with a "/". path: /metrics + # -- Port is the port where metrics are emitted port: 9090 + # -- Container metrics port name portName: metrics + # -- Service metrics port servicePort: 8080 + # -- Service metrics port name servicePortName: metrics - # the controller container's securityContext + # -- the controller container's securityContext securityContext: readOnlyRootFilesystem: true runAsNonRoot: true @@ -70,6 +81,7 @@ controller: capabilities: drop: - ALL + # -- enable persistence using postgres persistence: {} # connectionPool: # maxIdleConns: 100 
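Review bot: In the `controller.image` block of the first values.yaml hunk, the description added above `repository` is `# -- Registry to use for the controller`, a copy of the line above `registry`, and the generated README table repeats it; it should read `# -- Repository to use for the controller`. In the same hunk `createAggregateRoles` is described as extending existing clusterroles "to interact with argo-cd crds", which looks carried over from the argo-cd chart; presumably the Argo Workflows CRDs are meant, to be confirmed against the templates. Because that flag adds permissions to existing cluster-wide roles and defaults to `true`, this description is what an operator reads to learn what is being granted, so the wording should name the right resources.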
@@ -90,132 +102,185 @@ controller: # passwordSecret: # name: argo-postgres-config # key: password - workflowDefaults: {} # Only valid for 2.7+ + + # -- Default values that will apply to all Workflows from this controller, unless overridden on the Workflow-level. + # Only valid for 2.7+ + ## See more: https://argoproj.github.io/argo-workflows/default-workflow-specs/ + workflowDefaults: {} # spec: # ttlStrategy: # secondsAfterCompletion: 84600 - # workflowWorkers: 32 - # podWorkers: 32 - workflowRestrictions: {} # Only valid for 2.9+ - # templateReferencing: Strict|Secure + + # -- Number of workflow workers + workflowWorkers: # 32 + # -- Number of pod workers + podWorkers: # 32 + # -- Restricts the Workflows that the controller will process. + # Only valid for 2.9+ + workflowRestrictions: {} + # templateReferencing: Strict|Secure + + # telemetryConfig controls the path and port for prometheus telemetry. Telemetry is enabled and emitted in the same endpoint + # as metrics by default, but can be overridden using this config. telemetryConfig: + # -- Enables prometheus telemetry server enabled: false + # -- telemetry path path: /telemetry + # -- telemetry container port port: 8081 + # -- telemetry service port servicePort: 8081 + # -- telemetry service port name servicePortName: telemetry serviceMonitor: + # -- Enable a prometheus ServiceMonitor enabled: false + # -- Prometheus ServiceMonitor labels additionalLabels: {} serviceAccount: + # -- Create a service account for the controller create: true + # -- Service account name name: "" - # Annotations applied to created service account + # -- Annotations applied to created service account annotations: {} + + # -- Workflow controller name string name: workflow-controller - # Specify all namespaces where this workflow controller instance will manage + + # -- Specify all namespaces where this workflow controller instance will manage # workflows. This controls where the service account and RBAC resources will # be created. 
Only valid when singleNamespace is false. workflowNamespaces: - default + + # -- Specifies the container runtime interface to use (one of: `docker`, `kubelet`, `k8sapi`, `pns`, `emissary`) + ## Ref: https://argoproj.github.io/argo-workflows/workflow-executors/ containerRuntimeExecutor: docker - # containerRuntimeExecutors: - # - name: emissary - # selector: - # matchLabels: - # workflows.argoproj.io/container-runtime-executor: emissary + # -- Specifies the executor to use. This has precedence over `controller.containerRuntimeExecutor`. + containerRuntimeExecutors: [] + # - name: emissary + # selector: + # matchLabels: + # workflows.argoproj.io/container-runtime-executor: emissary instanceID: - # `instanceID.enabled` configures the controller to filter workflow submissions + # -- Configures the controller to filter workflow submissions # to only those which have a matching instanceID attribute. + ## NOTE: If `instanceID.enabled` is set to `true` then either `instanceID.userReleaseName` + ## or `instanceID.explicitID` must be defined. enabled: false - # NOTE: If `instanceID.enabled` is set to `true` then either `instanceID.userReleaseName` - # or `instanceID.explicitID` must be defined. + # -- Use ReleaseName as instanceID + useReleaseName: false # useReleaseName: true + + # -- Use a custom instanceID + explicitID: "" # explicitID: unique-argo-controller-identifier + logging: + # -- Set the logging level (one of: `debug`, `info`, `warn`, `error`) level: info + # -- Set the glog logging level globallevel: "0" + + # -- Service type of the controller Service serviceType: ClusterIP - # Annotations to be applied to the controller Service + # -- Annotations to be applied to the controller Service serviceAnnotations: {} - # Optional labels to add to the controller Service + # -- Optional labels to add to the controller Service serviceLabels: {} - # Source ranges to allow access to service from. 
Only applies to - # service type `LoadBalancer` + # -- Source ranges to allow access to service from. Only applies to service type `LoadBalancer` loadBalancerSourceRanges: [] + + # -- Resource limits and requests for the controller resources: {} + + # -- Configure liveness [probe] for the controller + # @default -- See [values.yaml] livenessProbe: httpGet: port: 6060 path: /healthz - # Require three failures to tolerate transient errors. failureThreshold: 3 initialDelaySeconds: 90 periodSeconds: 60 timeoutSeconds: 30 - ## Extra environment variables to provide to the controller container - ## extraEnv: - ## - name: FOO - ## value: "bar" + # -- Extra environment variables to provide to the controller container extraEnv: [] + # - name: FOO + # value: "bar" - # Extra arguments to be added to the controller + # -- Extra arguments to be added to the controller extraArgs: [] + # -- The number of controller pods to run replicas: 1 + pdb: + # -- Configure [Pod Disruption Budget] for the controller pods enabled: false # minAvailable: 1 # maxUnavailable: 1 - ## Node selectors and tolerations for server scheduling to nodes with taints - ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ - ## + + # -- [Node selector] nodeSelector: kubernetes.io/os: linux + # -- [Tolerations] for use with node taints tolerations: [] + # -- Assign custom [affinity] rules affinity: {} - # Leverage a PriorityClass to ensure your pods survive resource shortages - # ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ - # PriorityClass: system-cluster-critical + # -- Leverage a PriorityClass to ensure your pods survive resource shortages. 
+ ## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ priorityClassName: "" - # https://argoproj.github.io/argo-workflows/links/ + + # -- Configure Argo Server to show custom [links] + ## Ref: https://argoproj.github.io/argo-workflows/links/ links: [] clusterWorkflowTemplates: - # Create a ClusterRole and CRB for the controller to access ClusterWorkflowTemplates. + # -- Create a ClusterRole and CRB for the controller to access ClusterWorkflowTemplates. enabled: true - # Extra containers to be added to the controller deployment + # -- Extra containers to be added to the controller deployment extraContainers: [] # executor controls how the init and wait container should be customized executor: image: + # -- Registry to use for the Workflow Executors registry: quay.io + # -- Repository to use for the Workflow Executors repository: argoproj/argoexec - # Overrides the image tag whose default is the chart appVersion. + # -- Overrides the image tag whose default is the chart appVersion. tag: "" + # -- Resource limits and requests for the Workflow Executors resources: {} - # Adds environment variables for the executor. + # -- Adds environment variables for the executor. env: {} - # sets security context for the executor container + # -- sets security context for the executor container securityContext: {} server: + # -- Deploy the Argo Server enabled: true - # only updates base url of resources on client side, - # it's expected that a proxy server rewrites the request URL and gets rid of this prefix - # https://github.com/argoproj/argo-workflows/issues/716#issuecomment-433213190 + # -- Value for base href in index.html. Used if the server is running behind reverse proxy under subpath different from /. 
+ ## only updates base url of resources on client side, + ## it's expected that a proxy server rewrites the request URL and gets rid of this prefix + ## https://github.com/argoproj/argo-workflows/issues/716#issuecomment-433213190 baseHref: / image: + # -- Registry to use for the server registry: quay.io + # -- Repository to use for the server repository: argoproj/argocli - # Overrides the image tag whose default is the chart appVersion. + # -- Overrides the image tag whose default is the chart appVersion. tag: "" - # optional map of annotations to be applied to the ui Pods + # -- optional map of annotations to be applied to the ui Pods podAnnotations: {} - # Optional labels to add to the UI pods + # -- Optional labels to add to the UI pods podLabels: {} - # SecurityContext to set on the server pods + # -- SecurityContext to set on the server pods podSecurityContext: {} + # -- Servers container-level security context securityContext: readOnlyRootFilesystem: false runAsNonRoot: true 
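Review bot: The new description on `controller.containerRuntimeExecutor` lists the five executors but gives a reader of the generated README no reason to move off the default `docker`. According to the workflow-executors page the comment links to, that executor needs the host's docker.sock mounted into workflow pods. I would add one line under the `# --` comment, for example `## NOTE: the docker executor needs the host's docker.sock mounted; prefer emissary where hostPath mounts are restricted.` The `emissary` selector example directly below is already there to point at. The `controller:` mapping starts before this hunk, so the rest of its keys are not reviewed here.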
@@ -223,83 +288,101 @@ server: capabilities: drop: - ALL + # -- Server name string name: server + # -- Service type for server pods serviceType: ClusterIP + # -- Service port for server servicePort: 2746 - # serviceNodePort: 32746 - # servicePortName: http + # -- Service node port + serviceNodePort: # 32746 + # -- Service port name + servicePortName: "" # http + serviceAccount: + # -- Create a service account for the server create: true + # -- Service account name name: "" + # -- Annotations applied to created service account annotations: {} - # Annotations to be applied to the UI Service + + # -- Annotations to be applied to the UI Service serviceAnnotations: {} - # Optional labels to add to the UI Service + # -- Optional labels to add to the UI Service serviceLabels: {} - # Static IP address to assign to loadBalancer - # service type `LoadBalancer` + # -- Static IP address to assign to loadBalancer service type `LoadBalancer` loadBalancerIP: "" - # Source ranges to allow access to service from. Only applies to - # service type `LoadBalancer` + # -- Source ranges to allow access to service from. 
Only applies to service type `LoadBalancer` loadBalancerSourceRanges: [] + # -- Resource limits and requests for the server resources: {} + # -- The number of server pods to run replicas: 1 pdb: + # -- Configure [Pod Disruption Budget] for the server pods enabled: false # minAvailable: 1 # maxUnavailable: 1 - ## Node selectors and tolerations for server scheduling to nodes with taints - ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ - ## + + # -- [Node selector] nodeSelector: kubernetes.io/os: linux + + # -- [Tolerations] for use with node taints tolerations: [] + + # -- Assign custom [affinity] rules affinity: {} - # Leverage a PriorityClass to ensure your pods survive resource shortages - # ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ - # PriorityClass: system-cluster-critical + + # -- Leverage a PriorityClass to ensure your pods survive resource shortages + ## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ priorityClassName: "" - # Run the argo server in "secure" mode. Configure this value instead of - # "--secure" in extraArgs. See the following documentation for more details - # on secure mode: - # https://argoproj.github.io/argo-workflows/tls/ + # -- Run the argo server in "secure" mode. Configure this value instead of `--secure` in extraArgs. + ## See the following documentation for more details on secure mode: + ## https://argoproj.github.io/argo-workflows/tls/ secure: false - ## Extra environment variables to provide to the argo-server container - ## extraEnv: - ## - name: FOO - ## value: "bar" + # -- Extra environment variables to provide to the argo-server container extraEnv: [] + # - name: FOO + # value: "bar" - # Extra arguments to provide to the Argo server binary. + # -- Extra arguments to provide to the Argo server binary. extraArgs: [] - ## Additional volumes to the server main container. + # -- Additional volume mounts to the server main container. 
volumeMounts: [] + # -- Additional volumes to the server pod. volumes: [] ## Ingress configuration. - ## ref: https://kubernetes.io/docs/user-guide/ingress/ - ## + # ref: https://kubernetes.io/docs/user-guide/ingress/ ingress: + # -- Enable an ingress resource enabled: false + # -- Additional ingress annotations annotations: {} + # -- Additional ingress labels labels: {} + # -- Defines which ingress controller will implement the resource ingressClassName: "" - ## Argo Workflows Server Ingress. + # -- List of ingress hosts ## Hostnames must be provided if Ingress is enabled. ## Secrets must be manually created in the namespace - ## - hosts: - [] + hosts: [] # - argoworkflows.example.com + + # -- List of ingress paths paths: - / + + # -- Ingress path type. One of `Exact`, `Prefix` or `ImplementationSpecific` pathType: Prefix - extraPaths: - [] + # -- Additional ingress paths + extraPaths: [] # - path: /* # backend: # serviceName: ssl-redirect @@ -312,20 +395,21 @@ server: # name: ssl-redirect # port: # name: use-annotation - tls: - [] + + # -- Ingress TLS configuration + tls: [] # - secretName: argoworkflows-example-tls # hosts: # - argoworkflows.example.com - https: false clusterWorkflowTemplates: - # Create a ClusterRole and CRB for the server to access ClusterWorkflowTemplates. + # -- Create a ClusterRole and CRB for the server to access ClusterWorkflowTemplates. enabled: true - # Give the server permissions to edit ClusterWorkflowTemplates. + # -- Give the server permissions to edit ClusterWorkflowTemplates. enableEditing: true - sso: - ## SSO configuration when SSO is specified as a server auth mode. + + # -- SSO configuration when SSO is specified as a server auth mode. + sso: {} ## All the values are required. SSO is activated by adding --auth-mode=sso ## to the server command line. # 
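Review bot: The rewritten description for `server.secure` still does not say what the default `false` means, although this hunk also documents `serviceType`, `loadBalancerIP` and the ingress block that can expose the server outside the cluster. Assuming `false` starts the server without TLS (the comment links to the project's TLS page), I would add a line under it such as `## With the default false the server serves plain HTTP; terminate TLS at the ingress or load balancer.` Separately, `serviceNodePort: # 32746` is a bare key that parses as null; `serviceNodePort: null` with the example value on its own comment line states that explicitly. The `server:` mapping starts before this hunk.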
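Review bot: `clusterWorkflowTemplates.enableEditing: true` keeps write access to a cluster-scoped resource on by default, and the new one-line description does not say so. Operators will now read these defaults from the generated README, so I would extend it to `# -- Give the server permissions to edit ClusterWorkflowTemplates (cluster-wide write access; set to false if UI/API users should not change them).` The `sso` comment lines after `sso: {}` state that SSO is only activated with `--auth-mode=sso`; moving that sentence into the `# --` description would put it in the README as well. The `server:` mapping starts before this hunk.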
@@ -353,15 +437,19 @@ server: ## decisions. # scopes: # - groups - # Extra containers to be added to the server deployment + + # -- Extra containers to be added to the server deployment extraContainers: [] -# Influences the creation of the ConfigMap for the workflow-controller itself. +# -- Influences the creation of the ConfigMap for the workflow-controller itself. useDefaultArtifactRepo: false +# -- Use static credentials for S3 (eg. when not using AWS IRSA) useStaticCredentials: true artifactRepository: - # archiveLogs will archive the main container logs as an artifact + # -- Archive the main container logs as an artifact archiveLogs: false + # -- Store artifact in a S3-compliant object store + # @default -- See [values.yaml] s3: # Note the `key` attribute is not the actual secret, it's the PATH to # the contents in the associated secret, as defined by the `name` attribute. @@ -377,7 +465,9 @@ artifactRepository: # region: # roleARN: # useSDKCreds: true - # gcs: + # -- Store artifact in a GCS object store + # @default -- `{}` (See [values.yaml]) + gcs: {} # bucket: -argo # keyFormat: "{{workflow.namespace}}/{{workflow.name}}/" # serviceAccountKeySecret is a secret selector.