Merge branch 'master' into master

.gitignore

@@ -1,4 +1,5 @@
 output
 .vscode
 .DS_Store
+.idea
 **/*.tgz

CODEOWNERS

@@ -7,7 +7,7 @@
 /charts/argo-events @jbehling
 
 # Argo Workflows
-/charts/argo @benjaminws
+/charts/argo @benjaminws @stefansedich @paguos
 
 # Argo Rollouts
 /charts/argo-rollouts @cabrinha

charts/argo-cd/Chart.yaml

@@ -1,8 +1,8 @@
 apiVersion: v1
-appVersion: "1.5.2"
+appVersion: "1.5.4"
 description: A Helm chart for ArgoCD, a declarative, GitOps continuous delivery tool for Kubernetes.
 name: argo-cd
-version: 2.2.8
+version: 2.3.0
 home: https://github.com/argoproj/argo-helm
 icon: https://raw.githubusercontent.com/argoproj/argo/master/docs/assets/argo.png
 keywords:

charts/argo-cd/README.md

@@ -19,9 +19,8 @@ This chart currently installs the non-HA version of ArgoCD.
 `controller.extraArgs`, `repoServer.extraArgs` and `server.extraArgs`  are not arrays of strings intead of a map
 
 What was
-
 ```yaml
-controller:
+server:
   extraArgs:
     insecure: ""
 ```
@@ -29,7 +28,7 @@ controller:
 is now
 
 ```yaml
-controller:
+server:
   extraArgs:
   - --insecure
 ```
@@ -63,7 +62,7 @@ Helm v3 has removed the `install-crds` hook so CRDs are now populated by files i
 |-----|------|---------|
 | global.image.imagePullPolicy | If defined, a imagePullPolicy applied to all ArgoCD deployments. | `"IfNotPresent"` |
 | global.image.repository | If defined, a repository applied to all ArgoCD deployments. | `"argoproj/argocd"` |
-| global.image.tag | If defined, a tag applied to all ArgoCD deployments. | `"v1.5.2"` |
+| global.image.tag | If defined, a tag applied to all ArgoCD deployments. | `"v1.5.3"` |
 | global.securityContext | Toggle and define securityContext | See [values.yaml](values.yaml) |
 | global.imagePullSecrets | If defined, uses a Secret to pull an image from a private Docker registry or repository. | `[]` |
 | global.hostAliases | Mapping between IP and hostnames that will be injected as entries in the pod's hosts files | `[]` |
@@ -71,7 +70,7 @@ Helm v3 has removed the `install-crds` hook so CRDs are now populated by files i
 | installCRDs | Install CRDs if you are using Helm2. | `true` |
 | configs.knownHosts.data.ssh_known_hosts | Known Hosts | See [values.yaml](values.yaml) |
 | configs.secret.annotations | Annotations for argocd-secret | `{}` |
-| configs.secret.argocdServerAdminPassword | Admin password | `null` |
+| configs.secret.argocdServerAdminPassword | Bcrypt hashed admin password | `null` |
 | configs.secret.argocdServerAdminPasswordMtime | Admin password modification time | `date "2006-01-02T15:04:05Z" now` if configs.secret.argocdServerAdminPassword is set |
 | configs.secret.bitbucketSecret | BitBucket incoming webhook secret | `""` |
 | configs.secret.createSecret | Create the argocd-secret. | `true` |
@@ -79,6 +78,7 @@ Helm v3 has removed the `install-crds` hook so CRDs are now populated by files i
 | configs.secret.gitlabSecret | GitLab incoming webhook secret | `""` |
 | configs.tlsCerts.data."argocd.example.com" | TLS certificate | See [values.yaml](values.yaml) |
 | configs.secret.extra | add additional secrets to be added to argocd-secret | `{}` |
+| openshift.enabled | enables using arbitrary uid for argo repo server | `false` |
 
 ## ArgoCD Controller
 
@@ -183,6 +183,8 @@ Helm v3 has removed the `install-crds` hook so CRDs are now populated by files i
 | server.autoscaling.maxReplicas | Maximum number of replicas for the server [HPA](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) | `5` |
 | server.autoscaling.targetCPUUtilizationPercentage | Average CPU utilization percentage for the server [HPA](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) | `50` |
 | server.autoscaling.targetMemoryUtilizationPercentage | Average memory utilization percentage for the server [HPA](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) | `50` |
+| server.GKEbackendConfig.enabled | Enable BackendConfig custom resource for Google Kubernetes Engine. | `false` |
+| server.GKEbackendConfig.spec | [BackendConfigSpec](https://cloud.google.com/kubernetes-engine/docs/concepts/backendconfig#backendconfigspec_v1beta1_cloudgooglecom) | `{}` |
 | server.certificate.additionalHosts | Certificate manager additional hosts | `[]` |
 | server.certificate.domain | Certificate manager domain | `"argocd.example.com"` |
 | server.certificate.enabled | Enables a certificate manager certificate. | `false` |
@@ -231,6 +233,8 @@ Helm v3 has removed the `install-crds` hook so CRDs are now populated by files i
 | server.service.labels | Server service labels | `{}` |
 | server.service.servicePortHttp | Server service http port | `80` |
 | server.service.servicePortHttps | Server service https port | `443` |
+| server.service.servicePortHttpName | Server service http port name, can be used to route traffic via istio | `http` |
+| server.service.servicePortHttpsName | Server service https port name, can be used to route traffic via istio | `https` |
 | server.service.loadBalancerSourceRanges | Source IP ranges to allow access to service from. | `[]` |
 | server.service.type | Server service type | `"ClusterIP"` |
 | server.serviceAccount.create | Create server service account | `true` |

charts/argo-cd/templates/argocd-repo-server/deployment.yaml

@@ -52,10 +52,10 @@ spec:
         image: {{ default .Values.global.image.repository .Values.repoServer.image.repository }}:{{ default .Values.global.image.tag .Values.repoServer.image.tag }}
         imagePullPolicy: {{ default .Values.global.image.imagePullPolicy .Values.repoServer.image.imagePullPolicy }}
         command:
-        - argocd-repo-server
         {{- if .Values.openshift.enabled }}
         - uid_entrypoint.sh
         {{- end }}
+        - argocd-repo-server
         {{- if or (and .Values.redis.enabled (not $redisHa.enabled)) (and $redisHa.enabled $redisHa.haproxy.enabled) }}
         - --redis
         - {{ template "argo-cd.redis.fullname" . }}:{{ .Values.redis.servicePort }}

charts/argo-cd/templates/argocd-server/backendconfig.yaml

@@ -0,0 +1,15 @@
+{{- if .Values.server.GKEbackendConfig.enabled }}
+apiVersion: cloud.google.com/v1beta1
+kind: BackendConfig
+metadata:
+  name: {{ template "argo-cd.server.fullname" . }}
+  labels:
+    app.kubernetes.io/name: {{ include "argo-cd.name" . }}-{{ .Values.server.name }}
+    helm.sh/chart: {{ include "argo-cd.chart" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    app.kubernetes.io/part-of: argocd
+    app.kubernetes.io/component: {{ .Values.server.name }}
+spec:
+  {{- toYaml .Values.server.GKEbackendConfig.spec | nindent 2 }}
+{{- end }}

charts/argo-cd/templates/argocd-server/projects.yaml

@@ -33,6 +33,10 @@ items:
       {{- if .namespaceResourceBlacklist }}
       namespaceResourceBlacklist:
 {{- toYaml .namespaceResourceBlacklist | nindent 8 }}
+      {{- end }}
+      {{- if .namespaceResourceWhitelist }}
+      namespaceResourceWhitelist:
+{{- toYaml .namespaceResourceWhitelist | nindent 8 }}
       {{- end }}
       {{- if .orphanedResources }}
       orphanedResources:

charts/argo-cd/templates/argocd-server/service.yaml

@@ -21,11 +21,11 @@ metadata:
 spec:
   type: {{ .Values.server.service.type }}
   ports:
-  - name: http
+  - name: {{ .Values.server.service.servicePortHttpName }}
     protocol: TCP
     port: {{ .Values.server.service.servicePortHttp }}
     targetPort: {{ .Values.server.name }}
-  - name: https
+  - name: {{ .Values.server.service.servicePortHttpsName }}
     protocol: TCP
     port: {{ .Values.server.service.servicePortHttps }}
     targetPort: {{ .Values.server.name }}

charts/argo-cd/values.yaml

@@ -10,7 +10,7 @@ installCRDs: true
 global:
   image:
     repository: argoproj/argocd
-    tag: v1.5.2
+    tag: v1.5.4
     imagePullPolicy: IfNotPresent
   securityContext: {}
   #  runAsUser: 999
@@ -28,7 +28,7 @@ controller:
 
   image:
     repository: # argoproj/argocd
-    tag: # v1.5.2
+    tag: # v1.5.4
     imagePullPolicy: # IfNotPresent
 
   ## Argo controller commandline flags
@@ -319,7 +319,7 @@ server:
 
   image:
     repository: # argoproj/argocd
-    tag: # v1.5.2
+    tag: # v1.5.4
     imagePullPolicy: # IfNotPresent
 
   ## Additional command line arguments to pass to argocd-server
@@ -404,6 +404,8 @@ server:
     type: ClusterIP
     servicePortHttp: 80
     servicePortHttps: 443
+    servicePortHttpName: http
+    servicePortHttpsName: https
     loadBalancerIP: ""
     loadBalancerSourceRanges: []
 
@@ -553,6 +555,11 @@ server:
   #     kind: NetworkPolicy
   #     orphanedResources: {}
   #     roles: []
+  #   namespaceResourceWhitelist:
+  #   - group: 'apps'
+  #     kind: Deployment
+  #   - group: 'apps'
+  #     kind: StatefulSet
   #   orphanedResources: {}
   #   roles: []
 
@@ -561,6 +568,16 @@ server:
   clusterAdminAccess:
     enabled: true
 
+  ## Enable BackendConfig custom resource for Google Kubernetes Engine
+  GKEbackendConfig:
+    enabled: false
+    spec: {}
+  #  spec:
+  #    iap:
+  #      enabled: true
+  #      oauthclientCredentials:
+  #        secretName: argocd-secret
+
 ## Repo Server
 repoServer:
   name: repo-server
@@ -576,7 +593,7 @@ repoServer:
 
   image:
     repository: # argoproj/argocd
-    tag: # v1.5.2
+    tag: # v1.5.4
     imagePullPolicy: # IfNotPresent
 
   ## Additional command line arguments to pass to argocd-repo-server

charts/argo/Chart.yaml

@@ -1,8 +1,8 @@
 apiVersion: v1
-appVersion: "v2.6.1"
+appVersion: "v2.7.6"
 description: A Helm chart for Argo Workflows
 name: argo
-version: 0.7.5
+version: 0.8.5
 icon: https://raw.githubusercontent.com/argoproj/argo/master/docs/assets/argo.png
 home: https://github.com/argoproj/argo-helm
 maintainers:

charts/argo/templates/server-cluster-role.yaml

@@ -1,8 +1,14 @@
 {{- if .Values.server.enabled }}
 apiVersion: rbac.authorization.k8s.io/v1
+{{- if .Values.singleNamespace }}
+kind: Role
+metadata:
+  name: {{ .Release.Name }}-{{ .Values.server.name }}-role
+{{ else }}
 kind: ClusterRole
 metadata:
   name: {{ .Release.Name }}-{{ .Values.server.name }}-cluster-role
+{{- end }}
 rules:
 - apiGroups:
   - ""
@@ -28,12 +34,24 @@ rules:
   - get
   - list
   - watch
+  - delete
+{{- if .Values.controller.persistence }}
 - apiGroups:
   - ""
   resources:
   - secrets
+  resourceNames:
+  {{- if .Values.controller.persistence.postgresql }}
+  - {{ .Values.controller.persistence.postgresql.userNameSecret.name }}
+  - {{ .Values.controller.persistence.postgresql.passwordSecret.name }}
+  {{- end}}
+  {{- if .Values.controller.persistence.mysql }}
+  - {{ .Values.controller.persistence.mysql.userNameSecret.name }}
+  - {{ .Values.controller.persistence.mysql.passwordSecret.name }}
+  {{- end}}
   verbs:
   - get
+{{- end}}
 - apiGroups:
   - argoproj.io
   resources:

charts/argo/templates/server-crb.yaml

@@ -1,12 +1,23 @@
 {{- if .Values.server.enabled -}}
 apiVersion: rbac.authorization.k8s.io/v1
+{{- if .Values.singleNamespace }}
+kind: RoleBinding
+metadata:
+  name: {{ .Release.Name }}-{{ .Values.server.name}}-rb
+{{ else }}
 kind: ClusterRoleBinding
 metadata:
   name: {{ .Release.Name }}-{{ .Values.server.name}}-crb
+{{- end }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
+  {{- if .Values.singleNamespace }}
+  kind: Role
+  name: {{ .Release.Name }}-{{ .Values.server.name}}-role
+  {{ else }}
   kind: ClusterRole
   name: {{ .Release.Name }}-{{ .Values.server.name}}-cluster-role
+  {{- end }}
 subjects:
 - kind: ServiceAccount
   name: {{ .Values.server.serviceAccount }}

charts/argo/templates/server-deployment.yaml

@@ -1,5 +1,5 @@
-
+{{- if .Values.server.enabled -}}
-{{- if .Values.server.enabled -}}apiVersion: apps/v1
+apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: {{ .Release.Name }}-{{ .Values.server.name}}
@@ -13,7 +13,6 @@ spec:
     matchLabels:
       app: {{ .Release.Name }}-{{ .Values.server.name}}
       release: {{ .Release.Name }}
-      app: {{ .Release.Name }}-{{ .Values.server.name}}
   template:
     metadata:
       labels:
@@ -31,16 +30,20 @@ spec:
         - name: argo-server
           args:
           - server
+          - --configmap={{ .Release.Name }}-{{ .Values.controller.name }}-configmap
           {{- if .Values.server.extraArgs }}
           {{- toYaml .Values.server.extraArgs | nindent 10 }}
           {{- end }}
+          {{- if .Values.singleNamespace }}
+          - "--namespaced"
+          {{- end }}
           image: "{{ .Values.images.namespace }}/{{ .Values.images.server }}:{{ default .Values.images.tag .Values.server.image.tag }}"
           imagePullPolicy: {{ .Values.images.pullPolicy }}
           {{- if .Values.server.podPortName }}
           ports:
           - name: {{ .Values.server.podPortName }}
-            ports:
             containerPort: 2746
+          {{- end }}
           readinessProbe:
             httpGet:
               path: /
@@ -48,12 +51,7 @@ spec:
               scheme: HTTP
             initialDelaySeconds: 10
             periodSeconds: 20
-          {{- end }}
           env:
-          {{- if .Values.server.forceNamespaceIsolation }}
-          - name: FORCE_NAMESPACE_ISOLATION
-            value: "true"
-          {{- end }}
           - name: IN_CLUSTER
             value: "true"
           - name: ARGO_NAMESPACE

charts/argo/templates/server-ingress.yaml

@@ -24,6 +24,13 @@ spec:
     - host: {{ . }}
       http:
         paths:
+          {{- if $.Values.server.ingress.paths }}
+          {{- range $.Values.server.ingress.paths }}
+          - backend:
+              serviceName: {{ .serviceName }}
+              servicePort: {{ .servicePort }}
+          {{- end }}
+          {{- end }}
           - backend:
               serviceName: {{ $serviceName }}
               servicePort: {{ $servicePort }}

charts/argo/templates/server-sa.yaml

@@ -3,4 +3,6 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: {{ .Values.server.serviceAccount }}
+  annotations:
+{{ toYaml .Values.server.serviceAccountAnnotations | indent 4 }}
 {{- end -}}

charts/argo/templates/workflow-controller-clusterrole.yaml

@@ -1,7 +1,13 @@
 apiVersion: rbac.authorization.k8s.io/v1
+{{- if .Values.singleNamespace }}
+kind: Role
+metadata:
+  name: {{ .Release.Name }}-{{ .Values.controller.name }}-role
+{{ else }}
 kind: ClusterRole
 metadata:
   name: {{ .Release.Name }}-{{ .Values.controller.name }}-cluster-role
+{{- end }}
 rules:
 - apiGroups:
   - ""
@@ -78,4 +84,22 @@ rules:
   verbs:
   - get
   - list
+{{- if .Values.controller.persistence }}
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  resourceNames:
+  {{- if .Values.controller.persistence.postgresql }}
+  - {{ .Values.controller.persistence.postgresql.userNameSecret.name }}
+  - {{ .Values.controller.persistence.postgresql.passwordSecret.name }}
+  {{- end}}
+  {{- if .Values.controller.persistence.mysql }}
+  - {{ .Values.controller.persistence.mysql.userNameSecret.name }}
+  - {{ .Values.controller.persistence.mysql.passwordSecret.name }}
+  {{- end}}
+  verbs:
+  - get
+{{- end}}
+
 

charts/argo/templates/workflow-controller-config-map.yaml

@@ -16,6 +16,11 @@ data:
     {{- end }}
     {{- end }}
     containerRuntimeExecutor: {{ .Values.controller.containerRuntimeExecutor }}
+    {{- with .Values.executor.resources }}
+    executor:
+      resources:
+        {{- toYaml . | nindent 8 }}
+    {{- end }}
     artifactRepository:
       {{- if or .Values.minio.install .Values.useDefaultArtifactRepo }}
       {{- if .Values.artifactRepository.archiveLogs }}
@@ -39,6 +44,12 @@ data:
         {{- if .Values.artifactRepository.s3.region }}
         region: {{ .Values.artifactRepository.s3.region }}
         {{- end }}
+        {{- if .Values.artifactRepository.s3.roleARN }}
+        roleARN: {{ .Values.artifactRepository.s3.roleARN }}
+        {{- end }}
+        {{- if .Values.artifactRepository.s3.useSDKCreds }}
+        useSDKCreds: {{ .Values.artifactRepository.s3.useSDKCreds }}
+        {{- end }}
       {{- end}}
     {{- if .Values.controller.metricsConfig.enabled }}
     metricsConfig:
@@ -49,3 +60,6 @@ data:
     {{- if .Values.controller.persistence }}
     persistence:
 {{ toYaml .Values.controller.persistence | indent 6 }}{{- end }}
+    {{- if .Values.controller.workflowDefaults }}
+    workflowDefaults:
+{{ toYaml .Values.controller.workflowDefaults | indent 6 }}{{- end }}

charts/argo/templates/workflow-controller-crb.yaml

@@ -1,11 +1,20 @@
 apiVersion: rbac.authorization.k8s.io/v1
+{{- if .Values.singleNamespace }}
+kind: RoleBinding
+{{ else }}
 kind: ClusterRoleBinding
+{{- end }}
 metadata:
   name: {{ .Release.Name }}-{{ .Values.controller.name }}-binding
 roleRef:
   apiGroup: rbac.authorization.k8s.io
+  {{- if .Values.singleNamespace }}
+  kind: Role
+  name: {{ .Release.Name }}-{{ .Values.controller.name }}-role
+  {{ else }}
   kind: ClusterRole
   name: {{ .Release.Name }}-{{ .Values.controller.name }}-cluster-role
+  {{- end }}
 subjects:
   - kind: ServiceAccount
     name: {{ .Values.controller.serviceAccount }}

charts/argo/templates/workflow-controller-deployment.yaml

@@ -40,6 +40,9 @@ spec:
           - "{{ .Values.controller.logging.level }}"
           - "--gloglevel"
           - "{{ .Values.controller.logging.globallevel }}"
+          {{- if .Values.singleNamespace }}
+          - "--namespaced"
+          {{- end }}
           env:
           - name: ARGO_NAMESPACE
             valueFrom:

charts/argo/templates/workflow-controller-sa.yaml

@@ -2,3 +2,5 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: {{ .Values.controller.serviceAccount }}
+  annotations:
+{{ toYaml .Values.controller.serviceAccountAnnotations | indent 4 }}

charts/argo/values.yaml

@@ -4,7 +4,7 @@ images:
   server: argocli
   executor: argoexec
   pullPolicy: Always
-  tag: v2.6.1
+  tag: v2.7.6
 
 crdVersion: v1alpha1
 installCRD: true
@@ -16,6 +16,10 @@ init:
 
 createAggregateRoles: true
 
+# Restrict Argo to only deploy into a single namespace by apply Roles and RoleBindings instead of the Cluster equivalents,
+# and start argo-cli with the --namespaced flag. Use it in clusters with strict access policy.
+singleNamespace: false
+
 controller:
   image:
     # Overrides .images.tag if defined.
@@ -47,6 +51,10 @@ controller:
     #    passwordSecret:
     #      name: argo-postgres-config
     #      key: password
+  workflowDefaults: {}  # Only valid for 2.7+
+  #  spec:
+  #    ttlStrategy:
+  #      secondsAfterCompletion: 84600
   telemetryConfig:
     enabled: false
     path: /telemetry
@@ -55,6 +63,8 @@ controller:
     enabled: false
     additionalLabels: {}
   serviceAccount: argo
+  # Service account annotations
+  serviceAccountAnnotations: {}
   name: workflow-controller
   workflowNamespaces:
     - default
@@ -95,15 +105,15 @@ controller:
   tolerations: []
   affinity: {}
 
+# executor controls how the init and wait container should be customized
 executor:
   image:
     # Overrides .images.tag if defined.
     tag: ""
+  resources: {}
 
 server:
   enabled: true
-  # only show workflows where UI installed
-  forceNamespaceIsolation: false
   # only updates base url of resources on client side,
   # it's expected that a proxy server rewrites the request URL and gets rid of this prefix
   # https://github.com/argoproj/argo/issues/716#issuecomment-433213190
@@ -120,6 +130,8 @@ server:
   servicePort: 2746
   # servicePortName: http
   serviceAccount: argo-server
+  # Service account annotations
+  serviceAccountAnnotations: {}
   # Annotations to be applied to the UI Service
   serviceAnnotations: {}
   # Optional labels to add to the UI Service
@@ -164,6 +176,11 @@ server:
     # hosts:
     #   - argo.domain.com
 
+    ## Additional Paths for each host
+    # paths:
+    #   - serviceName: "ssl-redirect"
+    #     servicePort: "use-annotation"
+
     ## TLS configuration.
     ## Secrets must be manually created in the namespace.
     ##
@@ -191,6 +208,8 @@ artifactRepository:
     # bucket:
     # endpoint:
     # region:
+    # roleARN:
+    # useSDKCreds: true
 
 # NOTE: These are setting attributes for the `minio` optional dependency
 minio: