Merge branch 'master' into feature-argo-workflow-sa-setup

.gitignore

@@ -3,3 +3,4 @@ output
 .DS_Store
 .idea
 **/*.tgz
+**/charts/*/charts

charts/argo-cd/Chart.yaml

@@ -1,8 +1,8 @@
 apiVersion: v1
-appVersion: "1.6.1"
+appVersion: "1.6.2"
 description: A Helm chart for ArgoCD, a declarative, GitOps continuous delivery tool for Kubernetes.
 name: argo-cd
-version: 2.5.0
+version: 2.6.3
 home: https://github.com/argoproj/argo-helm
 icon: https://raw.githubusercontent.com/argoproj/argo/master/docs/assets/argo.png
 keywords:

charts/argo-cd/README.md

@@ -68,6 +68,7 @@ Helm v3 has removed the `install-crds` hook so CRDs are now populated by files i
 | global.hostAliases | Mapping between IP and hostnames that will be injected as entries in the pod's hosts files | `[]` |
 | nameOverride | Provide a name in place of `argocd` | `"argocd"` |
 | installCRDs | Install CRDs if you are using Helm2. | `true` |
+| configs.knownHostsAnnotations | Known Hosts configmap annotations | `{}` |
 | configs.knownHosts.data.ssh_known_hosts | Known Hosts | See [values.yaml](values.yaml) |
 | configs.secret.annotations | Annotations for argocd-secret | `{}` |
 | configs.secret.argocdServerAdminPassword | Bcrypt hashed admin password | `null` |
@@ -76,6 +77,7 @@ Helm v3 has removed the `install-crds` hook so CRDs are now populated by files i
 | configs.secret.createSecret | Create the argocd-secret. | `true` |
 | configs.secret.githubSecret | GitHub incoming webhook secret | `""` |
 | configs.secret.gitlabSecret | GitLab incoming webhook secret | `""` |
+| configs.tlsCertsAnnotations | TLS certificate configmap annotations | `{}` |
 | configs.tlsCerts.data."argocd.example.com" | TLS certificate | See [values.yaml](values.yaml) |
 | configs.secret.extra | add additional secrets to be added to argocd-secret | `{}` |
 | openshift.enabled | enables using arbitrary uid for argo repo server | `false` |
@@ -86,6 +88,7 @@ Helm v3 has removed the `install-crds` hook so CRDs are now populated by files i
 |-----|---------|-------------|
 | controller.affinity | [Assign custom affinity rules to the deployment](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/) | `{}` |
 | controller.args.operationProcessors | define the controller `--operation-processors` | `"10"` |
+| controller.args.appResyncPeriod | define the controller `--app-resync` | `"180"` |
 | controller.args.statusProcessors | define the controller `--status-processors` | `"20"` |
 | controller.clusterAdminAccess.enabled | Enable RBAC for local cluster deployments. | `true` |
 | controller.containerPort | Controller listening port. | `8082` |
@@ -194,6 +197,7 @@ Helm v3 has removed the `install-crds` hook so CRDs are now populated by files i
 | server.certificate.enabled | Enables a certificate manager certificate. | `false` |
 | server.certificate.issuer | Certificate manager issuer | `{}` |
 | server.clusterAdminAccess.enabled | Enable RBAC for local cluster deployments. | `true` |
+| server.configAnnotations | ArgoCD configuration configmap annotations | `{}` |
 | server.config | [General Argo CD configuration](https://argoproj.github.io/argo-cd/operator-manual/declarative-setup/#repositories) | See [values.yaml](values.yaml) |
 | server.containerPort | Server container port. | `8080` |
 | server.extraArgs | Additional arguments for the server. A list of flags. | `[]` |
@@ -231,6 +235,7 @@ Helm v3 has removed the `install-crds` hook so CRDs are now populated by files i
 | server.podAnnotations | Annotations for the server pods | `{}` |
 | server.podLabels | Labels for the server pods | `{}` |
 | server.priorityClassName | Priority class for the server | `""` |
+| server.rbacConfigAnnotations | RBAC configmap annotations | `{}` |
 | server.rbacConfig | [Argo CD RBAC policy](https://argoproj.github.io/argo-cd/operator-manual/rbac/) | `{}` |
 | server.readinessProbe.failureThreshold | [Kubernetes probe configuration](https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes) | `3` |
 | server.readinessProbe.initialDelaySeconds | [Kubernetes probe configuration](https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes) | `10` |
@@ -306,6 +311,7 @@ through `xxx.extraArgs`
 | redis.podLabels | Labels for the Redis server pods | `{}` |
 | redis.priorityClassName | Priority class for redis | `""` |
 | redis.resources | Resource limits and requests for redis | `{}` |
+| redis.securityContext | Redis Pod Security Context | See [values.yaml](values.yaml) |
 | redis.servicePort | Redis service port | `6379` |
 | redis.tolerations | [Tolerations for use with node taints](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) | `[]` |
 | redis-ha | Configures [Redis HA subchart](https://github.com/helm/charts/tree/master/stable/redis-ha) The properties below have been changed from the subchart defaults | |

charts/argo-cd/crds/crd-project.yaml

@@ -20,34 +20,37 @@ spec:
   scope: Namespaced
   validation:
     openAPIV3Schema:
-      description: 'AppProject provides a logical grouping of applications, providing
+      description: 'AppProject provides a logical grouping of applications, providing controls for: * where the apps may deploy to (cluster whitelist) * what may be deployed (repository whitelist, resource whitelist/blacklist) * who can access these applications (roles, OIDC group claims bindings) * and what they can do (RBAC policies) * automation access to these roles (JWT tokens)'
-        controls for: * where the apps may deploy to (cluster whitelist) * what may
-        be deployed (repository whitelist, resource whitelist/blacklist) * who can
-        access these applications (roles, OIDC group claims bindings) * and what they
-        can do (RBAC policies) * automation access to these roles (JWT tokens)'
       properties:
         apiVersion:
-          description: 'APIVersion defines the versioned schema of this representation
+          description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-            of an object. Servers should convert recognized schemas to the latest
-            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
           type: string
         kind:
-          description: 'Kind is a string value representing the REST resource this
+          description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-            object represents. Servers may infer this from the endpoint the client
-            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
           type: string
         metadata:
           type: object
         spec:
           description: AppProjectSpec is the specification of an AppProject
           properties:
-            clusterResourceWhitelist:
+            clusterResourceBlacklist:
-              description: ClusterResourceWhitelist contains list of whitelisted cluster
+              description: ClusterResourceBlacklist contains list of blacklisted cluster level resources
-                level resources
               items:
-                description: GroupKind specifies a Group and a Kind, but does not
+                description: GroupKind specifies a Group and a Kind, but does not force a version.  This is useful for identifying concepts during lookup stages without having partially valid types
-                  force a version.  This is useful for identifying concepts during
+                properties:
-                  lookup stages without having partially valid types
+                  group:
+                    type: string
+                  kind:
+                    type: string
+                required:
+                - group
+                - kind
+                type: object
+              type: array
+            clusterResourceWhitelist:
+              description: ClusterResourceWhitelist contains list of whitelisted cluster level resources
+              items:
+                description: GroupKind specifies a Group and a Kind, but does not force a version.  This is useful for identifying concepts during lookup stages without having partially valid types
                 properties:
                   group:
                     type: string
@@ -62,29 +65,25 @@ spec:
               description: Description contains optional project description
               type: string
             destinations:
-              description: Destinations contains list of destinations available for
+              description: Destinations contains list of destinations available for deployment
-                deployment
               items:
-                description: ApplicationDestination contains deployment destination
+                description: ApplicationDestination contains deployment destination information
-                  information
                 properties:
+                  name:
+                    description: Name of the destination cluster which can be used instead of server (url) field
+                    type: string
                   namespace:
-                    description: Namespace overrides the environment namespace value
+                    description: Namespace overrides the environment namespace value in the ksonnet app.yaml
-                      in the ksonnet app.yaml
                     type: string
                   server:
-                    description: Server overrides the environment server value in
+                    description: Server overrides the environment server value in the ksonnet app.yaml
-                      the ksonnet app.yaml
                     type: string
                 type: object
               type: array
             namespaceResourceBlacklist:
-              description: NamespaceResourceBlacklist contains list of blacklisted
+              description: NamespaceResourceBlacklist contains list of blacklisted namespace level resources
-                namespace level resources
               items:
-                description: GroupKind specifies a Group and a Kind, but does not
+                description: GroupKind specifies a Group and a Kind, but does not force a version.  This is useful for identifying concepts during lookup stages without having partially valid types
-                  force a version.  This is useful for identifying concepts during
-                  lookup stages without having partially valid types
                 properties:
                   group:
                     type: string
@@ -96,12 +95,9 @@ spec:
                 type: object
               type: array
             namespaceResourceWhitelist:
-              description: NamespaceResourceWhitelist contains list of whitelisted
+              description: NamespaceResourceWhitelist contains list of whitelisted namespace level resources
-                namespace level resources
               items:
-                description: GroupKind specifies a Group and a Kind, but does not
+                description: GroupKind specifies a Group and a Kind, but does not force a version.  This is useful for identifying concepts during lookup stages without having partially valid types
-                  force a version.  This is useful for identifying concepts during
-                  lookup stages without having partially valid types
                 properties:
                   group:
                     type: string
@@ -113,17 +109,25 @@ spec:
                 type: object
               type: array
             orphanedResources:
-              description: OrphanedResources specifies if controller should monitor
+              description: OrphanedResources specifies if controller should monitor orphaned resources of apps in this project
-                orphaned resources of apps in this project
               properties:
+                ignore:
+                  items:
+                    properties:
+                      group:
+                        type: string
+                      kind:
+                        type: string
+                      name:
+                        type: string
+                    type: object
+                  type: array
                 warn:
-                  description: Warn indicates if warning condition should be created
+                  description: Warn indicates if warning condition should be created for apps which have orphaned resources
-                    for apps which have orphaned resources
                   type: boolean
               type: object
             roles:
-              description: Roles are user defined RBAC roles associated with this
+              description: Roles are user defined RBAC roles associated with this project
-                project
               items:
                 description: ProjectRole represents a role that has access to a project
                 properties:
@@ -131,17 +135,14 @@ spec:
                     description: Description is a description of the role
                     type: string
                   groups:
-                    description: Groups are a list of OIDC group claims bound to this
+                    description: Groups are a list of OIDC group claims bound to this role
-                      role
                     items:
                       type: string
                     type: array
                   jwtTokens:
-                    description: JWTTokens are a list of generated JWT tokens bound
+                    description: JWTTokens are a list of generated JWT tokens bound to this role
-                      to this role
                     items:
-                      description: JWTToken holds the issuedAt and expiresAt values
+                      description: JWTToken holds the issuedAt and expiresAt values of a token
-                        of a token
                       properties:
                         exp:
                           format: int64
@@ -159,8 +160,7 @@ spec:
                     description: Name is a name for this role
                     type: string
                   policies:
-                    description: Policies Stores a list of casbin formated strings
+                    description: Policies Stores a list of casbin formated strings that define access policies for the role in the project
-                      that define access policies for the role in the project
                     items:
                       type: string
                     type: array
@@ -168,55 +168,83 @@ spec:
                 - name
                 type: object
               type: array
+            signatureKeys:
+              description: List of PGP key IDs that commits to be synced to must be signed with
+              items:
+                description: SignatureKey is the specification of a key required to verify commit signatures with
+                properties:
+                  keyID:
+                    description: The ID of the key in hexadecimal notation
+                    type: string
+                required:
+                - keyID
+                type: object
+              type: array
             sourceRepos:
-              description: SourceRepos contains list of repository URLs which can
+              description: SourceRepos contains list of repository URLs which can be used for deployment
-                be used for deployment
               items:
                 type: string
               type: array
             syncWindows:
-              description: SyncWindows controls when syncs can be run for apps in
+              description: SyncWindows controls when syncs can be run for apps in this project
-                this project
               items:
-                description: SyncWindow contains the kind, time, duration and attributes
+                description: SyncWindow contains the kind, time, duration and attributes that are used to assign the syncWindows to apps
-                  that are used to assign the syncWindows to apps
                 properties:
                   applications:
-                    description: Applications contains a list of applications that
+                    description: Applications contains a list of applications that the window will apply to
-                      the window will apply to
                     items:
                       type: string
                     type: array
                   clusters:
-                    description: Clusters contains a list of clusters that the window
+                    description: Clusters contains a list of clusters that the window will apply to
-                      will apply to
                     items:
                       type: string
                     type: array
                   duration:
-                    description: Duration is the amount of time the sync window will
+                    description: Duration is the amount of time the sync window will be open
-                      be open
                     type: string
                   kind:
                     description: Kind defines if the window allows or blocks syncs
                     type: string
                   manualSync:
-                    description: ManualSync enables manual syncs when they would otherwise
+                    description: ManualSync enables manual syncs when they would otherwise be blocked
-                      be blocked
                     type: boolean
                   namespaces:
-                    description: Namespaces contains a list of namespaces that the
+                    description: Namespaces contains a list of namespaces that the window will apply to
-                      window will apply to
                     items:
                       type: string
                     type: array
                   schedule:
-                    description: Schedule is the time the window will begin, specified
+                    description: Schedule is the time the window will begin, specified in cron format
-                      in cron format
                     type: string
                 type: object
               type: array
           type: object
+        status:
+          description: AppProjectStatus contains information about appproj
+          properties:
+            jwtTokensByRole:
+              additionalProperties:
+                properties:
+                  items:
+                    items:
+                      description: JWTToken holds the issuedAt and expiresAt values of a token
+                      properties:
+                        exp:
+                          format: int64
+                          type: integer
+                        iat:
+                          format: int64
+                          type: integer
+                        id:
+                          type: string
+                      required:
+                      - iat
+                      type: object
+                    type: array
+                type: object
+              type: object
+          type: object
       required:
       - metadata
       - spec

charts/argo-cd/templates/argocd-application-controller/deployment.yaml

@@ -52,6 +52,8 @@ spec:
         - {{ .Values.controller.args.statusProcessors | quote }}
         - --operation-processors
         - {{ .Values.controller.args.operationProcessors | quote }}
+        - --app-resync
+        - {{ .Values.controller.args.appResyncPeriod | quote }}
         - --repo-server
         - {{ template "argo-cd.repoServer.fullname" . }}:{{ .Values.repoServer.service.port }}
         - --loglevel
@@ -121,3 +123,6 @@ spec:
       volumes:
 {{- toYaml .Values.controller.volumes | nindent 8 }}
 {{- end }}
+{{- if .Values.controller.priorityClassName }}
+      priorityClassName: {{ .Values.controller.priorityClassName }}
+{{- end }}

charts/argo-cd/templates/argocd-configs/argocd-cm.yaml

@@ -9,5 +9,11 @@ metadata:
     app.kubernetes.io/managed-by: {{ .Release.Service }}
     app.kubernetes.io/part-of: argocd
     app.kubernetes.io/component: {{ .Values.server.name }}
+  {{- if .Values.server.configAnnotations }}
+  annotations:
+  {{- range $key, $value := .Values.server.configAnnotations }}
+    {{ $key }}: {{ $value | quote }}
+  {{- end }}
+  {{- end }}
 data:
 {{- toYaml .Values.server.config | nindent 4 }}

charts/argo-cd/templates/argocd-configs/argocd-rbac-cm.yaml

@@ -9,6 +9,12 @@ metadata:
     app.kubernetes.io/managed-by: {{ .Release.Service }}
     app.kubernetes.io/part-of: argocd
     app.kubernetes.io/component: {{ .Values.server.name }}
+  {{- if .Values.server.rbacConfigAnnotations }}
+  annotations:
+  {{- range $key, $value := .Values.server.rbacConfigAnnotations }}
+    {{ $key }}: {{ $value | quote }}
+  {{- end }}
+  {{- end }}
 {{- if .Values.server.rbacConfig }}
 data:
 {{- toYaml .Values.server.rbacConfig | nindent 4 }}

charts/argo-cd/templates/argocd-configs/argocd-ssh-known-hosts-cm.yaml

@@ -9,4 +9,10 @@ metadata:
     app.kubernetes.io/managed-by: {{ .Release.Service }}
     app.kubernetes.io/part-of: argocd
     app.kubernetes.io/component: {{ .Values.server.name }}
+  {{- if .Values.configs.knownHostsAnnotations }}
+  annotations:
+  {{- range $key, $value := .Values.configs.knownHostsAnnotations }}
+    {{ $key }}: {{ $value | quote }}
+  {{- end }}
+  {{- end }}
   name: argocd-ssh-known-hosts-cm

charts/argo-cd/templates/argocd-configs/argocd-tls-certs-cm.yaml

@@ -11,4 +11,10 @@ metadata:
     app.kubernetes.io/managed-by: {{ .Release.Service }}
     app.kubernetes.io/part-of: argocd
     app.kubernetes.io/component: {{ .Values.server.name }}
+  {{- if .Values.configs.tlsCertsAnnotations }}
+  annotations:
+  {{- range $key, $value := .Values.configs.tlsCertsAnnotations }}
+    {{ $key }}: {{ $value | quote }}
+  {{- end }}
+  {{- end }}
   name: argocd-tls-certs-cm

charts/argo-cd/templates/argocd-repo-server/deployment.yaml

@@ -152,3 +152,6 @@ spec:
       initContainers:
 {{- toYaml .Values.repoServer.initContainers | nindent 6 }}
       {{- end }}
+{{- if .Values.repoServer.priorityClassName }}
+      priorityClassName: {{ .Values.repoServer.priorityClassName }}
+{{- end }}

charts/argo-cd/templates/argocd-server/deployment.yaml

@@ -151,3 +151,6 @@ spec:
           name: argocd-tls-certs-cm
         name: tls-certs
       {{- end }}
+{{- if .Values.server.priorityClassName }}
+      priorityClassName: {{ .Values.server.priorityClassName }}
+{{- end }}

charts/argo-cd/templates/argocd-server/ingress-grpc.yaml

@@ -2,6 +2,7 @@
 {{- $serviceName := include "argo-cd.server.fullname" . -}}
 {{- $servicePort := ternary .Values.server.service.servicePortHttps .Values.server.service.servicePortHttp .Values.server.ingressGrpc.https -}}
 {{- $paths := .Values.server.ingressGrpc.paths -}}
+{{- $extraPaths := .Values.server.ingressGrpc.extraPaths -}}
 {{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1" }}
 apiVersion: networking.k8s.io/v1beta1
 {{ else }}
@@ -33,6 +34,9 @@ spec:
     - host: {{ $host }}
       http:
         paths:
+  {{- if $extraPaths }}
+  {{- toYaml $extraPaths | nindent 10 }}
+  {{- end -}}
   {{- range $p := $paths }}
           - path: {{ $p }}
             backend:
@@ -43,6 +47,9 @@ spec:
   {{- else }}
     - http:
         paths:
+  {{- if $extraPaths }}
+  {{- toYaml $extraPaths | nindent 10 }}
+  {{- end -}}
   {{- range $p := $paths }}
           - path: {{ $p }}
             backend:

charts/argo-cd/templates/argocd-server/ingress.yaml

@@ -2,6 +2,7 @@
 {{- $serviceName := include "argo-cd.server.fullname" . -}}
 {{- $servicePort := ternary .Values.server.service.servicePortHttps .Values.server.service.servicePortHttp .Values.server.ingress.https -}}
 {{- $paths := .Values.server.ingress.paths -}}
+{{- $extraPaths := .Values.server.ingress.extraPaths -}}
 {{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1" }}
 apiVersion: networking.k8s.io/v1beta1
 {{ else }}
@@ -33,6 +34,9 @@ spec:
     - host: {{ $host }}
       http:
         paths:
+  {{- if $extraPaths }}
+  {{- toYaml $extraPaths | nindent 10 }}
+  {{- end }}
   {{- range $p := $paths }}
           - path: {{ $p }}
             backend:
@@ -43,6 +47,9 @@ spec:
   {{- else }}
     - http:
         paths:
+  {{- if $extraPaths }}
+  {{- toYaml $extraPaths | nindent 10 }}
+  {{- end }}
   {{- range $p := $paths }}
           - path: {{ $p }}
             backend:

charts/argo-cd/templates/argocd-server/projects.yaml

@@ -46,5 +46,9 @@ items:
       roles:
 {{- toYaml .roles | nindent 8 }}
       {{- end }}
+      {{- if .syncWindows }}
+      syncWindows:
+{{- toYaml .syncWindows | nindent 8 }}
+      {{- end }}
 {{- end }}
 {{- end }}

charts/argo-cd/templates/dex/deployment.yaml

@@ -103,4 +103,7 @@ spec:
       volumes:
 {{- toYaml .Values.dex.volumes | nindent 8}}
 {{- end }}
+{{- if .Values.dex.priorityClassName }}
+      priorityClassName: {{ .Values.dex.priorityClassName }}
+{{- end }}
 {{- end }}

charts/argo-cd/templates/redis/deployment.yaml

@@ -41,8 +41,8 @@ spec:
         {{- toYaml . | nindent 8 }}
       {{- end }}
       automountServiceAccountToken: false
-      {{- if .Values.global.securityContext }}
+      {{- if .Values.redis.securityContext }}
-      securityContext: {{- toYaml .Values.global.securityContext | nindent 8 }}
+      securityContext: {{- toYaml .Values.redis.securityContext | nindent 8 }}
       {{- end }}
       containers:
       - name: {{ template "argo-cd.redis.fullname" . }}
@@ -85,4 +85,7 @@ spec:
       volumes:
 {{- toYaml .Values.redis.volumes | nindent 8}}
 {{- end }}
+{{- if .Values.redis.priorityClassName }}
+      priorityClassName: {{ .Values.redis.priorityClassName }}
+{{- end }}
 {{- end }}

charts/argo-cd/values.yaml

@@ -10,7 +10,7 @@ installCRDs: true
 global:
   image:
     repository: argoproj/argocd
-    tag: v1.6.1
+    tag: v1.6.2
     imagePullPolicy: IfNotPresent
   securityContext: {}
   #  runAsUser: 999
@@ -28,13 +28,14 @@ controller:
 
   image:
     repository: # argoproj/argocd
-    tag: # v1.6.1
+    tag: # v1.6.2
     imagePullPolicy: # IfNotPresent
 
   ## Argo controller commandline flags
   args:
     statusProcessors: "20"
     operationProcessors: "10"
+    appResyncPeriod: "180"
 
   ## Argo controller log level
   logLevel: info
@@ -276,6 +277,12 @@ redis:
     #   drop:
     #     - all
 
+  ## Redis Pod specific security context
+  securityContext:
+    runAsUser: 1000
+    runAsGroup: 1000
+    fsGroup: 1000
+    runAsNonRoot: true
 
   resources: {}
   #  limits:
@@ -447,6 +454,12 @@ server:
       # - argocd.example.com
     paths:
       - /
+    extraPaths:
+      []
+      # - path: /*
+      #   backend:
+      #     serviceName: ssl-redirect
+      #     servicePort: use-annotation
     tls:
       []
       # - secretName: argocd-example-tls
@@ -469,6 +482,12 @@ server:
       # - argocd.example.com
     paths:
       - /
+    extraPaths:
+      []
+      # - path: /*
+      #   backend:
+      #     serviceName: ssl-redirect
+      #     servicePort: use-annotation
     tls:
       []
       # - secretName: argocd-example-tls
@@ -515,6 +534,9 @@ server:
     #     - profile
     #     - email
 
+  ## Annotations to be added to ArgoCD ConfigMap
+  configAnnotations: {}
+
   ## ArgoCD rbac config
   ## reference https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/rbac.md
   rbacConfig:
@@ -538,6 +560,9 @@ server:
     # If omitted, defaults to: '[groups]'. The scope value can be a string, or a list of strings.
     # scopes: '[cognito:groups, email]'
 
+  ## Annotations to be added to ArgoCD rbac ConfigMap
+  rbacConfigAnnotations: {}
+
   ## Not well tested and not well supported on release v1.0.0.
   ## Applications
   ## reference: https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/
@@ -591,6 +616,13 @@ server:
   #     kind: StatefulSet
   #   orphanedResources: {}
   #   roles: []
+  #   syncWindows:
+  #   - kind: allow
+  #     schedule: '10 1 * * *'
+  #     duration: 1h
+  #     applications:
+  #     - '*-prod'
+  #     manualSync: true
 
   ## Enable Admin ClusterRole resources.
   ## Enable if you would like to grant rights to ArgoCD to deploy to the local Kubernetes cluster.
@@ -756,6 +788,7 @@ repoServer:
 
 ## Argo Configs
 configs:
+  knownHostsAnnotations: {}
   knownHosts:
     data:
       ssh_known_hosts: |
@@ -766,6 +799,7 @@ configs:
         gitlab.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsj2bNKTBSpIYDEGk9KxsGh3mySTRgMtXL583qmBpzeQ+jqCMRgBqB98u3z++J1sKlXHWfM9dyhSevkMwSbhoR8XIq/U0tCNyokEi/ueaBMCvbcTHhO7FcwzY92WK4Yt0aGROY5qX2UKSeOvuP4D6TPqKF1onrSzH9bx9XUf2lEdWT/ia1NEKjunUqu1xOB/StKDHMoX4/OKyIzuS0q/T1zOATthvasJFoPrAjkohTyaDUz2LN5JoH839hViyEG82yB+MjcFV5MU3N1l1QL3cVUCh93xSaua1N85qivl+siMkPGbO5xR/En4iEY6K2XPASUEMaieWVNTRCtJ4S8H+9
         ssh.dev.azure.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7Hr1oTWqNqOlzGJOfGJ4NakVyIzf1rXYd4d7wo6jBlkLvCA4odBlL0mDUyZ0/QUfTTqeu+tm22gOsv+VrVTMk6vwRU75gY/y9ut5Mb3bR5BV58dKXyq9A9UeB5Cakehn5Zgm6x1mKoVyf+FFn26iYqXJRgzIZZcZ5V6hrE0Qg39kZm4az48o0AUbf6Sp4SLdvnuMa2sVNwHBboS7EJkm57XQPVU3/QpyNLHbWDdzwtrlS+ez30S3AdYhLKEOxAG8weOnyrtLJAUen9mTkol8oII1edf7mWWbWVf0nBmly21+nZcmCTISQBtdcyPaEno7fFQMDD26/s0lfKob4Kw8H
         vs-ssh.visualstudio.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7Hr1oTWqNqOlzGJOfGJ4NakVyIzf1rXYd4d7wo6jBlkLvCA4odBlL0mDUyZ0/QUfTTqeu+tm22gOsv+VrVTMk6vwRU75gY/y9ut5Mb3bR5BV58dKXyq9A9UeB5Cakehn5Zgm6x1mKoVyf+FFn26iYqXJRgzIZZcZ5V6hrE0Qg39kZm4az48o0AUbf6Sp4SLdvnuMa2sVNwHBboS7EJkm57XQPVU3/QpyNLHbWDdzwtrlS+ez30S3AdYhLKEOxAG8weOnyrtLJAUen9mTkol8oII1edf7mWWbWVf0nBmly21+nZcmCTISQBtdcyPaEno7fFQMDD26/s0lfKob4Kw8H
+  tlsCertsAnnotations: {}
   tlsCerts:
     {}
     # data:

charts/argo-ci/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v1
 description: A Helm chart for Argo-CI
 name: argo-ci
-version: 0.1.6
+version: 0.1.7
 icon: https://raw.githubusercontent.com/argoproj/argo/master/docs/assets/argo.png
 appVersion: v1.0.0-alpha2
 home: https://github.com/argoproj/argo-helm

charts/argo-ci/templates/ci-deployment.yaml

@@ -33,3 +33,7 @@ spec:
           ports:
           - containerPort: 8001
           - containerPort: 8002
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}

charts/argo-ci/values.yaml

@@ -2,6 +2,9 @@ imageNamespace: argoproj
 ciImage: argoci
 imageTag: v1.0.0-alpha2
 imagePullPolicy: Always
+# Secrets with credentials to pull images from a private registry
+imagePullSecrets: []
+# - name: argo-pull-secret
 workflowNamespace: default
 
 argo:

charts/argo-events/Chart.yaml

@@ -1,15 +1,17 @@
 apiVersion: v1
 description: A Helm chart to install Argo-Events in k8s Cluster
 name: argo-events
-version: 0.14.0
+version: 0.17.1
 keywords:
   - argo-events
   - sensor-controller
-  - gateway-controller
+  - eventsource-controller
+  - eventbus-controller
 sources:
   - https://github.com/argoproj/argo-events
 maintainers:
   - name: VaibhavPage
-appVersion: 0.14.0
+  - name: whynowy
+appVersion: 0.17.0
 icon: https://raw.githubusercontent.com/argoproj/argo/master/docs/assets/argo.png
 home: https://github.com/argoproj/argo-helm

charts/argo-events/README.md

@@ -2,13 +2,14 @@
 
 This is a **community maintained** chart. It installs the [argo-events](https://github.com/argoproj/argo-events) application. This application comes packaged with:
 - Sensor Custom Resource Definition (See CRD Notes)
-- Gateway Custom Resource Definition (See CRD Notes)
 - EventSource Custom Resource Definition (See CRD Notes)
+- EventBus Custom Resource Definition (See CRD Notes)
 - Sensor Controller Deployment
-- Sensor Controller ConfigMap
+- EventSource Controller Deployment
-- Gateway Controller Deployment
+- EventBus Controller Deployment
-- Gateway Controller ConfigMap
 - Service Account
+- Roles
+- Role Bindings
 - Cluster Roles
 - Cluster Role Bindings
 
@@ -16,10 +17,4 @@ This is a **community maintained** chart. It installs the [argo-events](https://
 
 Some users would prefer to install the CRDs _outside_ of the chart. You can disable the CRD installation of this chart by using `--set installCRD=false` when installing the chart.
 
-You can install the CRDs manually like so:
+You can install the CRDs manually from `crds` folder.
-
-```
-kubectl apply -f https://github.com/argoproj/argo-events/raw/v0.14.0/hack/k8s/manifests/sensor-crd.yaml
-kubectl apply -f https://github.com/argoproj/argo-events/raw/v0.14.0/hack/k8s/manifests/gateway-crd.yaml
-kubectl apply -f https://github.com/argoproj/argo-events/raw/v0.14.0/hack/k8s/manifests/event-source-crd.yaml
-```

charts/argo-events/crds/eventbus-crd.yml

@@ -1,16 +1,15 @@
----
 apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
-  name: gateways.argoproj.io
+  name: eventbus.argoproj.io
 spec:
   group: argoproj.io
   names:
-    kind: Gateway
+    kind: EventBus
-    listKind: GatewayList
+    listKind: EventBusList
-    plural: gateways
+    plural: eventbus
-    singular: gateway
     shortNames:
-      - gw
+      - eb
+    singular: eventbus
   scope: Namespaced
-  version: "v1alpha1"
+  version: v1alpha1

charts/argo-events/templates/argo-events-cluster-roles.yaml

@@ -1,3 +1,5 @@
+{{- if not .Values.singleNamespace }}
+
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
@@ -43,12 +45,12 @@ rules:
       - workflows/finalizers
       - workflowtemplates
       - workflowtemplates/finalizers
-      - gateways
-      - gateways/finalizers
       - sensors
       - sensors/finalizers
       - eventsources
       - eventsources/finalizers
+      - eventbus
+      - eventbus/finalizers
   - apiGroups:
       - ""
     resources:
@@ -83,6 +85,7 @@ rules:
       - "apps"
     resources:
       - deployments
+      - statefulsets
     verbs:
       - create
       - get
@@ -92,3 +95,4 @@ rules:
       - patch
       - delete
 
+{{- end }}

charts/argo-events/templates/argo-events-roles.yaml

@@ -0,0 +1,100 @@
+{{- if .Values.singleNamespace }}
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: argo-events-binding
+  namespace: {{ .Release.Namespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: argo-events-role
+subjects:
+  - kind: ServiceAccount
+    name: {{ .Values.serviceAccount }}
+    namespace: {{ .Release.Namespace }}
+  {{- if .Values.additionalSaNamespaces }}
+  {{ $sa := .Values.serviceAccount }}
+  {{- range $namespace := .Values.additionalSaNamespaces }}
+  - kind: ServiceAccount
+    name: {{ $sa }}
+    namespace: {{ $namespace }}
+  {{- end }}
+  {{- end }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: argo-events-role
+  namespace: {{ .Release.Namespace }}
+rules:
+  {{- if .Values.additionalServiceAccountRules }}
+  {{ .Values.additionalServiceAccountRules | toYaml | nindent 2}}
+  {{- end }}
+  - apiGroups:
+      - argoproj.io
+    verbs:
+      - create
+      - delete
+      - deletecollection
+      - get
+      - list
+      - patch
+      - update
+      - watch
+    resources:
+      - workflows
+      - workflows/finalizers
+      - workflowtemplates
+      - workflowtemplates/finalizers
+      - sensors
+      - sensors/finalizers
+      - eventsources
+      - eventsources/finalizers
+      - eventbus
+      - eventbus/finalizers
+  - apiGroups:
+      - ""
+    resources:
+      - pods
+      - pods/exec
+      - configmaps
+      - secrets
+      - services
+      - events
+      - persistentvolumeclaims
+    verbs:
+      - create
+      - get
+      - list
+      - watch
+      - update
+      - patch
+      - delete
+  - apiGroups:
+      - "batch"
+    resources:
+      - jobs
+    verbs:
+      - create
+      - get
+      - list
+      - watch
+      - update
+      - patch
+      - delete
+  - apiGroups:
+      - "apps"
+    resources:
+      - deployments
+      - statefulsets
+    verbs:
+      - create
+      - get
+      - list
+      - watch
+      - update
+      - patch
+      - delete
+
+{{- end }}

charts/argo-events/templates/eventbus-controller-deployment.yaml

@@ -0,0 +1,43 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ .Release.Name }}-{{ .Values.eventbusController.name }}
+  labels:
+    app: {{ .Release.Name }}-{{ .Values.eventbusController.name }}
+    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+spec:
+  replicas: {{ .Values.eventbusController.replicaCount }}
+  selector:
+    matchLabels:
+      app: {{ .Release.Name }}-{{ .Values.eventbusController.name }}
+      release: {{ .Release.Name }}
+  template:
+    metadata:
+      labels:
+        app: {{ .Release.Name }}-{{ .Values.eventbusController.name }}
+        release: {{ .Release.Name }}
+    spec:
+      serviceAccountName: {{ .Values.serviceAccount }}
+      containers:
+        - name: {{ .Values.eventbusController.name }}
+          image: "{{ .Values.registry }}/{{ .Values.eventbusController.image }}:{{ .Values.eventbusController.tag }}"
+          imagePullPolicy: {{ .Values.imagePullPolicy }}
+          {{- if .Values.singleNamespace }}
+          args:
+            - --namespaced
+          {{- end }}
+          env:
+            - name: NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            - name: NATS_STREAMING_IMAGE
+              value: {{ .Values.eventbusController.natsStreamingImage }}
+            - name: NATS_METRICS_EXPORTER_IMAGE
+              value: {{ .Values.eventbusController.natsMetricsExporterImage }}
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}

charts/argo-events/templates/eventbus-crd.yaml

@@ -0,0 +1,24 @@
+{{- if .Values.installCRD }}
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: eventbus.argoproj.io
+  annotations:
+    helm.sh/hook: crd-install
+    helm.sh/hook-delete-policy: before-hook-creation
+spec:
+  group: argoproj.io
+  names:
+    kind: EventBus
+    listKind: EventBusList
+    plural: eventbus
+    shortNames:
+      - eb
+    singular: eventbus
+  scope: Namespaced
+  version: v1alpha1
+  versions:
+    - name: v1alpha1
+      served: true
+      storage: true
+{{- end }}

charts/argo-events/templates/eventsource-controller-deployment.yaml

@@ -0,0 +1,41 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ .Release.Name }}-{{ .Values.eventsourceController.name }}
+  labels:
+    app: {{ .Release.Name }}-{{ .Values.eventsourceController.name }}
+    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+spec:
+  replicas: {{ .Values.eventsourceController.replicaCount }}
+  selector:
+    matchLabels:
+      app: {{ .Release.Name }}-{{ .Values.eventsourceController.name }}
+      release: {{ .Release.Name }}
+  template:
+    metadata:
+      labels:
+        app: {{ .Release.Name }}-{{ .Values.eventsourceController.name }}
+        release: {{ .Release.Name }}
+    spec:
+      serviceAccountName: {{ .Values.serviceAccount }}
+      containers:
+        - name: {{ .Values.eventsourceController.name }}
+          image: "{{ .Values.registry }}/{{ .Values.eventsourceController.image }}:{{ .Values.eventsourceController.tag }}"
+          imagePullPolicy: {{ .Values.imagePullPolicy }}
+          {{- if .Values.singleNamespace }}
+          args:
+            - --namespaced
+          {{- end }}
+          env:
+            - name: NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            - name: EVENTSOURCE_IMAGE
+              value: "{{ .Values.registry }}/{{ .Values.eventsourceController.eventsourceImage }}:{{ .Values.eventsourceController.tag }}"
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}

charts/argo-events/templates/eventsource-crd.yaml

@@ -3,6 +3,9 @@ apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
   name: eventsources.argoproj.io
+  annotations:
+    helm.sh/hook: crd-install
+    helm.sh/hook-delete-policy: before-hook-creation
 spec:
   group: argoproj.io
   scope: Namespaced

charts/argo-events/templates/gateway-controller-configmap.yaml

@@ -1,14 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: {{ .Release.Name }}-{{ .Values.gatewayController.name }}-configmap
-  labels:
-    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
-    release: {{ .Release.Name }}
-    heritage: {{ .Release.Service }}
-data:
-  config: |
-    instanceID: {{ .Values.instanceID }}
-{{- if .Values.singleNamespace }}
-    namespace: {{ .Values.namespace }}
-{{- end }}

charts/argo-events/templates/gateway-controller-deployment.yaml

@@ -1,33 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: {{ .Release.Name }}-{{ .Values.gatewayController.name }}
-  labels:
-    app: {{ .Release.Name }}-{{ .Values.gatewayController.name }}
-    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
-    release: {{ .Release.Name }}
-    heritage: {{ .Release.Service }}
-spec:
-  replicas: {{ .Values.gatewayController.replicaCount }}
-  selector:
-    matchLabels:
-      app: {{ .Release.Name }}-{{ .Values.gatewayController.name }}
-      release: {{ .Release.Name }}
-  template:
-    metadata:
-      labels:
-        app: {{ .Release.Name }}-{{ .Values.gatewayController.name }}
-        release: {{ .Release.Name }}
-    spec:
-      serviceAccountName: {{ .Values.serviceAccount }}
-      containers:
-        - name: {{ .Values.gatewayController.name }}
-          image: "{{ .Values.registry }}/{{ .Values.gatewayController.image }}:{{ .Values.gatewayController.tag }}"
-          imagePullPolicy: {{ .Values.imagePullPolicy }}
-          env:
-            - name: NAMESPACE
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.namespace
-            - name: CONTROLLER_CONFIG_MAP
-              value: {{ .Release.Name }}-{{ .Values.gatewayController.name }}-configmap

charts/argo-events/templates/gateway-crd.yaml

@@ -1,18 +0,0 @@
-{{- if .Values.installCRD }}
-# Define a "gateway" custom resource definition
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
-  name: gateways.argoproj.io
-spec:
-  group: argoproj.io
-  names:
-    kind: Gateway
-    listKind: GatewayList
-    plural: gateways
-    singular: gateway
-    shortNames:
-      - gw
-  scope: Namespaced
-  version: "v1alpha1"
-{{- end }}

charts/argo-events/templates/sensor-controller-configmap.yaml

@@ -1,14 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: {{ .Release.Name }}-{{ .Values.sensorController.name }}-configmap
-  labels:
-    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
-    release: {{ .Release.Name }}
-    heritage: {{ .Release.Service }}
-data:
-  config: |
-    instanceID: {{ .Values.instanceID }}
-{{- if .Values.singleNamespace }}
-    namespace: {{ .Values.namespace }}
-{{- end }}

charts/argo-events/templates/sensor-controller-deployment.yaml

@@ -24,10 +24,18 @@ spec:
         - name: {{ .Values.sensorController.name }}
           image: "{{ .Values.registry }}/{{ .Values.sensorController.image }}:{{ .Values.sensorController.tag }}"
           imagePullPolicy: {{ .Values.imagePullPolicy }}
+          {{- if .Values.singleNamespace }}
+          args:
+            - --namespaced
+          {{- end }}
           env:
             - name: NAMESPACE
               valueFrom:
                 fieldRef:
                   fieldPath: metadata.namespace
-            - name: CONTROLLER_CONFIG_MAP
+            - name: SENSOR_IMAGE
-              value: {{ .Release.Name }}-{{ .Values.sensorController.name }}-configmap
+              value: "{{ .Values.registry }}/{{ .Values.sensorController.sensorImage }}:{{ .Values.sensorController.tag }}"
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}

charts/argo-events/templates/sensor-crd.yaml

@@ -4,6 +4,9 @@ apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
   name: sensors.argoproj.io
+  annotations:
+    helm.sh/hook: crd-install
+    helm.sh/hook-delete-policy: before-hook-creation
 spec:
   group: argoproj.io
   names:

charts/argo-events/values.yaml

@@ -4,6 +4,10 @@ registry: argoproj
 # The image pull policy
 imagePullPolicy: Always
 
+# Secrets with credentials to pull images from a private registry
+imagePullSecrets: []
+# - name: argo-pull-secret
+
 # If set to false, skip installing the CRDs. Requires user to have them installed prior to helm chart installation.
 installCRD: true
 
@@ -42,11 +46,21 @@ singleNamespace: true
 sensorController:
   name: sensor-controller
   image: sensor-controller
-  tag: v0.14.0
+  tag: v0.17.0
   replicaCount: 1
+  sensorImage: sensor
 
-gatewayController:
+eventsourceController:
-  name: gateway-controller
+  name: eventsource-controller
-  image: gateway-controller
+  image: eventsource-controller
-  tag: v0.14.0
+  tag: v0.17.0
   replicaCount: 1
+  eventsourceImage: eventsource
+
+eventbusController:
+  name: eventbus-controller
+  image: eventbus-controller
+  tag: v0.17.0
+  replicaCount: 1
+  natsStreamingImage: nats-streaming:0.17.0
+  natsMetricsExporterImage: synadia/prometheus-nats-exporter:0.6.2

charts/argo-rollouts/Chart.yaml

@@ -1,8 +1,8 @@
 apiVersion: v1
-appVersion: "0.8.0"
+appVersion: "0.8.3"
 description: A Helm chart for Argo Rollouts
 name: argo-rollouts
-version: 0.3.1
+version: 0.3.6
 icon: https://raw.githubusercontent.com/argoproj/argo/master/argo.png
 home: https://github.com/argoproj/argo-helm
 maintainers:

charts/argo-rollouts/README.md

@@ -35,6 +35,10 @@ $ helm install --name my-release argo/argo-rollouts
 | controller.image.repository | string | `"argoproj/argo-rollouts"` |  |
 | controller.image.tag | string | `"v0.8.0"` |  |
 | controller.name | string | `"argo-rollouts"` |  |
+| controller.resources | Resource limits and requests for the controller pods. | `{}` |
+| controller.tolerations | [Tolerations for use with node taints](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) | `[]` |
+| controller.affinity | [Assign custom affinity rules to the deployment](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/) | `{}` |
+| controller.nodeSelector | [Node selector](https://kubernetes.io/docs/user-guide/node-selection/) | `{}` |
 | imagePullSecrets | list | `[]` |  |
 | installCRDs | bool | `true` |  |
 | podAnnotations | object | `{}` |  |

charts/argo-rollouts/templates/argo-rollouts-clusterrole.yaml

@@ -106,4 +106,11 @@ rules:
   - watch
   - get
   - update
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - list
+  - delete
 {{- end }}

charts/argo-rollouts/templates/argo-rollouts-deployment.yaml

@@ -40,6 +40,18 @@ spec:
           mountPath: /tmp
         resources:
           {{- toYaml .Values.controller.resources | nindent 10 }}
+      {{- if .Values.controller.nodeSelector }}
+      nodeSelector:
+        {{- toYaml .Values.controller.nodeSelector | nindent 8 }}
+      {{- end }}
+      {{- if .Values.controller.tolerations }}
+      tolerations:
+        {{- toYaml .Values.controller.tolerations | nindent 8 }}
+      {{- end }}
+      {{- if .Values.controller.affinity }}
+      affinity:
+        {{- toYaml .Values.controller.affinity | nindent 8 }}
+      {{- end }}
       volumes:
       - name: tmp
         emptyDir: {}

charts/argo-rollouts/templates/argo-rollouts-metrics-service.yaml

@@ -6,6 +6,10 @@ metadata:
     app.kubernetes.io/component: server
     app.kubernetes.io/name: {{ .Release.Name }}-metrics
     app.kubernetes.io/part-of: {{ .Release.Name }}
+  annotations:
+  {{- range $key, $value := .Values.serviceAnnotations }}
+    {{ $key }}: {{ $value | quote }}
+  {{- end }}
 spec:
   ports:
   - name: metrics

charts/argo-rollouts/values.yaml

@@ -5,9 +5,15 @@ clusterInstall: true
 controller:
   name: argo-rollouts
   component: rollouts-controller
+  ## Node selectors and tolerations for server scheduling to nodes with taints
+  ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
+  ##
+  nodeSelector: {}
+  tolerations: []
+  affinity: {}
   image:
     repository: argoproj/argo-rollouts
-    tag: v0.8.0
+    tag: v0.8.3
     pullPolicy: IfNotPresent
 
   resources: {}
@@ -22,12 +28,18 @@ controller:
 serviceAccount:
   name: argo-rollouts
 
-## Annotations to be added to the Redis server pods
+## Annotations to be added to the Rollout pods
 ##
 podAnnotations: {}
 
-## Labels to be added to the Redis server pods
+## Annotations to be added to the Rollout service
+##
+serviceAnnotations: {}
+
+## Labels to be added to the Rollout pods
 ##
 podLabels: {}
 
+# Secrets with credentials to pull images from a private registry
 imagePullSecrets: []
+# - name: argo-pull-secret

charts/argo/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v1
 appVersion: v2.8.0
 description: A Helm chart for Argo Workflows
 name: argo
-version: 0.10.8
+version: 0.10.2
 icon: https://raw.githubusercontent.com/argoproj/argo/master/docs/assets/argo.png
 home: https://github.com/argoproj/argo-helm
 maintainers:

charts/argo/templates/server-deployment.yaml

@@ -26,6 +26,10 @@ spec:
 {{ toYaml .Values.server.podAnnotations | indent 8}}{{- end }}
     spec:
       serviceAccountName: {{ .Values.server.serviceAccount | quote }}
+      {{- if .Values.server.podSecurityContext }}
+      securityContext:
+        {{- toYaml .Values.server.podSecurityContext | nindent 8 }}
+      {{- end }}
       containers:
         - name: argo-server
           args:
@@ -67,6 +71,10 @@ spec:
           volumeMounts:
             {{- toYaml . | nindent 12}}
           {{- end }}
+      {{- with .Values.images.pullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       {{- with .Values.server.volumes }}
       volumes:
         {{- toYaml . | nindent 8}}

charts/argo/templates/workflow-controller-cluster-roles.yaml

@@ -73,6 +73,7 @@ rules:
   - events
   verbs:
   - create
+  - patch
 - apiGroups:
   - ""
   resources:
@@ -80,6 +81,14 @@ rules:
   verbs:
   - get
   - list
+- apiGroups:
+  - "policy"
+  resources:
+  - poddisruptionbudgets
+  verbs:
+  - create
+  - get
+  - delete
 {{- if .Values.controller.persistence }}
 - apiGroups:
   - ""

charts/argo/templates/workflow-controller-config-map.yaml

@@ -16,7 +16,7 @@ data:
     {{- end }}
     {{- end }}
     containerRuntimeExecutor: {{ .Values.controller.containerRuntimeExecutor }}
-    {{- if or .Values.executor.resources .Values.executor.env }}
+    {{- if or .Values.executor.resources .Values.executor.env .Values.executor.securityContext}}
     executor:
       {{- with .Values.executor.resources }}
       resources: {{- toYaml . | nindent 8 }}
@@ -24,6 +24,9 @@ data:
       {{- with .Values.executor.env }}
       env: {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- with .Values.executor.securityContext }}
+      securityContext: {{- toYaml . | nindent 8 }}
+      {{- end }}
     {{- end }}
     {{- if or .Values.minio.install .Values.useDefaultArtifactRepo }}
     artifactRepository:

charts/argo/templates/workflow-controller-deployment.yaml

@@ -26,6 +26,10 @@ spec:
 {{ toYaml .Values.controller.podAnnotations | indent 8}}{{- end }}
     spec:
       serviceAccountName: {{ .Values.controller.serviceAccount | quote }}
+      {{- if .Values.controller.podSecurityContext }}
+      securityContext:
+        {{- toYaml .Values.controller.podSecurityContext | nindent 8 }}
+      {{- end }}
       containers:
         - name: controller
           image: "{{ .Values.images.namespace }}/{{ .Values.images.controller }}:{{ default .Values.images.tag .Values.controller.image.tag }}"
@@ -63,6 +67,10 @@ spec:
           ports:
           - containerPort: 8080
           {{- end }}
+      {{- with .Values.images.pullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       {{- with .Values.controller.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

charts/argo/values.yaml

@@ -4,6 +4,9 @@ images:
   server: argocli
   executor: argoexec
   pullPolicy: Always
+  # Secrets with credentials to pull images from a private registry
+  pullSecrets: []
+  # - name: argo-pull-secret
   tag: v2.7.6
 
 crdVersion: v1alpha1
@@ -37,6 +40,8 @@ controller:
   podAnnotations: {}
   # Optional labels to add to the controller pods
   podLabels: {}
+  # SecurityContext to set on the controller pods
+  podSecurityContext: {}
   # podPortName: http
   metricsConfig:
     enabled: false
@@ -114,7 +119,8 @@ controller:
   ## Node selectors and tolerations for server scheduling to nodes with taints
   ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
   ##
-  nodeSelector: {}
+  nodeSelector:
+    kubernetes.io/os: linux
   tolerations: []
   affinity: {}
 
@@ -126,6 +132,8 @@ executor:
   resources: {}
   # Adds environment variables for the executor.
   env: {}
+  # sets security context for the executor container
+  securityContext: {}
 
 server:
   enabled: true
@@ -140,6 +148,8 @@ server:
   podAnnotations: {}
   # Optional labels to add to the UI pods
   podLabels: {}
+  # SecurityContext to set on the server pods
+  podSecurityContext: {}
   name: server
   serviceType: ClusterIP
   servicePort: 2746
@@ -166,7 +176,8 @@ server:
   ## Node selectors and tolerations for server scheduling to nodes with taints
   ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
   ##
-  nodeSelector: {}
+  nodeSelector:
+    kubernetes.io/os: linux
   tolerations: []
   affinity: {}
 

charts/argocd-notifications/Chart.yaml

@@ -3,7 +3,7 @@ appVersion: 0.7.0
 description: A Helm chart for ArgoCD notifications, an add-on to ArgoCD.
 name: argocd-notifications
 type: application
-version: 1.0.7
+version: 1.0.11
 home: https://github.com/argoproj/argo-helm
 icon: https://raw.githubusercontent.com/argoproj/argo/master/docs/assets/argo.png
 keywords:

charts/argocd-notifications/templates/_helpers.tpl

@@ -43,6 +43,19 @@ app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{- end -}}
 
+{{/*
+Common metrics labels
+*/}}
+{{- define "argocd-notifications.metrics.labels" -}}
+helm.sh/chart: {{ include "argocd-notifications.chart" . }}
+{{ include "argocd-notifications.metrics.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
+
+
 {{/*
 Common slack bot labels
 */}}
@@ -63,6 +76,14 @@ app.kubernetes.io/name: {{ include "argocd-notifications.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end -}}
 
+{{/*
+Selector metrics labels
+*/}}
+{{- define "argocd-notifications.metrics.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "argocd-notifications.name" . }}-metrics
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end -}}
+
 {{/*
 Selector slack bot labels
 */}}

charts/argocd-notifications/templates/bots/slack/deployment.yaml

@@ -30,6 +30,9 @@ spec:
           command:
             - /app/argocd-notifications
             - bot
+          ports:
+          - containerPort: 8080
+            name: http
       {{- with .Values.bots.slack.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

charts/argocd-notifications/templates/bots/slack/service.yaml

@@ -3,12 +3,16 @@ apiVersion: v1
 kind: Service
 metadata:
   name: {{ include "argocd-notifications.name" . }}-bot
+  {{- if .Values.bots.slack.service.annotations }}
+  annotations:
+    {{- toYaml .Values.bots.slack.service.annotations | nindent 4 }}
+  {{- end }}
 spec:
   ports:
-  - name: server
+  - name: http
-    port: 80
+    port: {{ .Values.bots.slack.service.port }}
     protocol: TCP
-    targetPort: 8080
+    targetPort: http
   selector:
     {{- include "argocd-notifications.bots.slack.selectorLabels" . | nindent 4 }}
   type: {{ .Values.bots.slack.service.type }}

charts/argocd-notifications/templates/deployment.yaml

@@ -12,6 +12,12 @@ spec:
       {{- include "argocd-notifications.selectorLabels" . | nindent 6 }}
   template:
     metadata:
+      {{- if .Values.podAnnotations }}
+      annotations:
+      {{- range $key, $value := .Values.podAnnotations }}
+        {{ $key }}: {{ $value | quote }}
+      {{- end }}
+      {{- end }}
       labels:
         {{- include "argocd-notifications.selectorLabels" . | nindent 8 }}
     spec:
@@ -29,6 +35,19 @@ spec:
           command:
             - /app/argocd-notifications
             - controller
+            - --loglevel={{ .Values.logLevel }}
+            {{- if .Values.metrics.enabled }}
+            - --metrics-port={{ .Values.metrics.port }}
+            {{- end }}
+            {{- range .Values.extraArgs }}
+            - {{ . | squote }}
+            {{- end }}
+          ports:
+          {{- if .Values.metrics.enabled }}
+          - containerPort: {{ .Values.metrics.port }}
+            name: metrics
+            protocol: TCP
+          {{- end }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

charts/argocd-notifications/templates/service-metrics.yaml

@@ -0,0 +1,15 @@
+{{- if .Values.metrics.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "argocd-notifications.name" . }}-metrics
+  labels:
+    {{- include "argocd-notifications.metrics.labels" . | nindent 4 }}
+spec:
+  selector:
+    {{- include "argocd-notifications.selectorLabels" . | nindent 4 }}
+  ports:
+  - name: metrics
+    port: {{ .Values.metrics.port }}
+    targetPort: {{ .Values.metrics.port }}
+{{- end }}

charts/argocd-notifications/templates/servicemonitor.yaml

@@ -0,0 +1,30 @@
+{{- if and .Values.metrics.enabled .Values.metrics.serviceMonitor.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: {{ include "argocd-notifications.name" . }}-metrics
+  {{- if .Values.metrics.serviceMonitor.namespace }}
+  namespace: {{ .Values.metrics.serviceMonitor.namespace }}
+  {{- end }}
+  labels:
+    {{- include "argocd-notifications.metrics.labels" . | nindent 4 }}
+    {{- if .Values.metrics.serviceMonitor.additionalLabels }}
+      {{- toYaml .Values.metrics.serviceMonitor.additionalLabels | nindent 4 }}
+    {{- end }}
+spec:
+  endpoints:
+    - port: metrics
+      path: /metrics
+      {{- if .Values.metrics.serviceMonitor.interval }}
+      interval: {{ .Values.metrics.serviceMonitor.interval }}
+      {{- end }}
+      {{- if .Values.metrics.serviceMonitor.scrapeTimeout }}
+      scrapeTimeout: {{ .Values.metrics.serviceMonitor.scrapeTimeout }}
+      {{- end }}
+  namespaceSelector:
+    matchNames:
+      - {{ .Release.Namespace }}
+  selector:
+    matchLabels:
+      {{- include "argocd-notifications.metrics.selectorLabels" . | nindent 6 }}
+{{- end }}

charts/argocd-notifications/values.yaml

@@ -87,6 +87,22 @@ secret:
       # email address in from field
       from:
 
+logLevel: info
+
+extraArgs: []
+
+metrics:
+  enabled: false
+  port: 9001
+  serviceMonitor:
+    enabled: false
+    additionalLabels: {}
+    # namespace: monitoring
+    # interval: 30s
+    # scrapeTimeout: 10s
+
+podAnnotations: {}
+
 resources: {}
   # limits:
   #   cpu: 100m
@@ -194,6 +210,8 @@ bots:
     imagePullSecrets: []
 
     service:
+      annotations: {}
+      port: 80
       type: LoadBalancer
 
     serviceAccount: