diff --git a/.github/workflows/renovate.yaml b/.github/workflows/renovate.yaml index 077a96f4..e4937114 100644 --- a/.github/workflows/renovate.yaml +++ b/.github/workflows/renovate.yaml @@ -23,7 +23,7 @@ jobs: private-key: ${{ secrets.RENOVATE_APP_PRIVATE_KEY }} - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - name: Self-hosted Renovate uses: renovatebot/github-action@e1db501385ddcccbaae6fb9c06befae04f379f23 # v40.2.10 diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index b94e76ce..8cfa51f0 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -68,6 +68,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@8214744c546c1e5c8f03dde8fab3a7353211988d # v3.26.7 + uses: github/codeql-action/upload-sarif@294a9d92911152fe08befb9ec03e240add280cb3 # v3.26.8 with: sarif_file: results.sarif diff --git a/charts/argo-cd/Chart.yaml b/charts/argo-cd/Chart.yaml index f1287bfe..41132c7d 100644 --- a/charts/argo-cd/Chart.yaml +++ b/charts/argo-cd/Chart.yaml @@ -3,7 +3,7 @@ appVersion: v2.12.3 kubeVersion: ">=1.25.0-0" description: A Helm chart for Argo CD, a declarative, GitOps continuous delivery tool for Kubernetes. name: argo-cd -version: 7.5.3 +version: 7.6.4 home: https://github.com/argoproj/argo-helm icon: https://argo-cd.readthedocs.io/en/stable/assets/logo.png sources: diff --git a/charts/argo-cd/README.md b/charts/argo-cd/README.md index 8b0cb174..6d07f360 100644 --- a/charts/argo-cd/README.md +++ b/charts/argo-cd/README.md @@ -713,6 +713,7 @@ NAME: my-release | global.podLabels | object | `{}` | Labels for the all deployed pods | | global.priorityClassName | string | `""` | Default priority class for all components | | global.revisionHistoryLimit | int | `3` | Number of old deployment ReplicaSets to retain. The rest will be garbage collected. | +| global.runtimeClassName | string | `""` | Runtime class name for all components | | global.securityContext | object | `{}` (See [values.yaml]) | Toggle and define pod-level security context. | | global.statefulsetAnnotations | object | `{}` | Annotations for the all deployed Statefulsets | | global.tolerations | list | `[]` | Default tolerations for all components | @@ -741,6 +742,7 @@ NAME: my-release | configs.gpg.keys | object | `{}` (See [values.yaml]) | [GnuPG] public keys to add to the keyring | | configs.params."application.namespaces" | string | `""` | Enables [Applications in any namespace] | | configs.params."applicationsetcontroller.enable.progressive.syncs" | bool | `false` | Enables use of the Progressive Syncs capability | +| configs.params."applicationsetcontroller.namespaces" | string | `""` | A list of glob patterns specifying where to look for ApplicationSet resources. (e.g. `"namespace1, namespace2"`) | | configs.params."applicationsetcontroller.policy" | string | `"sync"` | Modify how application is synced between the generator and the cluster. One of: `sync`, `create-only`, `create-update`, `create-delete` | | configs.params."controller.ignore.normalizer.jq.timeout" | string | `"1s"` | JQ Path expression timeout | | configs.params."controller.operation.processors" | int | `10` | Number of application operation processors | @@ -856,6 +858,7 @@ NAME: my-release | controller.replicas | int | `1` | The number of application controller pods to run. Additional replicas will cause sharding of managed clusters across number of replicas. | | controller.resources | object | `{}` | Resource limits and requests for the application controller pods | | controller.revisionHistoryLimit | int | `5` | Maximum number of controller revisions that will be maintained in StatefulSet history | +| controller.runtimeClassName | string | `""` (defaults to global.runtimeClassName) | Runtime class name for the application controller | | controller.serviceAccount.annotations | object | `{}` | Annotations applied to created service account | | controller.serviceAccount.automountServiceAccountToken | bool | `true` | Automount API credentials for the Service Account | | controller.serviceAccount.create | bool | `true` | Create a service account for the application controller | @@ -950,6 +953,7 @@ NAME: my-release | repoServer.readinessProbe.timeoutSeconds | int | `1` | Number of seconds after which the [probe] times out | | repoServer.replicas | int | `1` | The number of repo server pods to run | | repoServer.resources | object | `{}` | Resource limits and requests for the repo server pods | +| repoServer.runtimeClassName | string | `""` (defaults to global.runtimeClassName) | Runtime class name for the repo server | | repoServer.service.annotations | object | `{}` | Repo server service annotations | | repoServer.service.labels | object | `{}` | Repo server service labels | | repoServer.service.port | int | `8081` | Repo server service port | @@ -1103,6 +1107,7 @@ NAME: my-release | server.route.hostname | string | `""` | Hostname of OpenShift Route | | server.route.termination_policy | string | `"None"` | Termination policy of Openshift Route | | server.route.termination_type | string | `"passthrough"` | Termination type of Openshift Route | +| server.runtimeClassName | string | `""` (defaults to global.runtimeClassName) | Runtime class name for the Argo CD server | | server.service.annotations | object | `{}` | Server service annotations | | server.service.externalIPs | list | `[]` | Server service external IPs | | server.service.externalTrafficPolicy | string | `"Cluster"` | Denotes if this Service desires to route external traffic to node-local or cluster-wide endpoints | @@ -1210,6 +1215,7 @@ NAME: my-release | dex.readinessProbe.successThreshold | int | `1` | Minimum consecutive successes for the [probe] to be considered successful after having failed | | dex.readinessProbe.timeoutSeconds | int | `1` | Number of seconds after which the [probe] times out | | dex.resources | object | `{}` | Resource limits and requests for dex | +| dex.runtimeClassName | string | `""` (defaults to global.runtimeClassName) | Runtime class name for Dex | | dex.serviceAccount.annotations | object | `{}` | Annotations applied to created service account | | dex.serviceAccount.automountServiceAccountToken | bool | `true` | Automount API credentials for the Service Account | | dex.serviceAccount.create | bool | `true` | Create dex service account | @@ -1308,6 +1314,7 @@ NAME: my-release | redis.readinessProbe.successThreshold | int | `1` | Minimum consecutive successes for the [probe] to be considered successful after having failed | | redis.readinessProbe.timeoutSeconds | int | `15` | Number of seconds after which the [probe] times out | | redis.resources | object | `{}` | Resource limits and requests for redis | +| redis.runtimeClassName | string | `""` (defaults to global.runtimeClassName) | Runtime class name for redis | | redis.securityContext | object | See [values.yaml] | Redis pod-level security context | | redis.service.annotations | object | `{}` | Redis service annotations | | redis.service.labels | object | `{}` | Additional redis service labels | @@ -1500,6 +1507,7 @@ If you use an External Redis (See Option 3 above), this Job is not deployed. | applicationSet.readinessProbe.timeoutSeconds | int | `1` | Number of seconds after which the [probe] times out | | applicationSet.replicas | int | `1` | The number of ApplicationSet controller pods to run | | applicationSet.resources | object | `{}` | Resource limits and requests for the ApplicationSet controller pods. | +| applicationSet.runtimeClassName | string | `""` (defaults to global.runtimeClassName) | Runtime class name for the ApplicationSet controller | | applicationSet.service.annotations | object | `{}` | ApplicationSet service annotations | | applicationSet.service.labels | object | `{}` | ApplicationSet service labels | | applicationSet.service.port | int | `7000` | ApplicationSet service port | @@ -1583,6 +1591,7 @@ If you use an External Redis (See Option 3 above), this Job is not deployed. | notifications.readinessProbe.successThreshold | int | `1` | Minimum consecutive successes for the [probe] to be considered successful after having failed | | notifications.readinessProbe.timeoutSeconds | int | `1` | Number of seconds after which the [probe] times out | | notifications.resources | object | `{}` | Resource limits and requests for the notifications controller | +| notifications.runtimeClassName | string | `""` (defaults to global.runtimeClassName) | Runtime class name for the notifications controller | | notifications.secret.annotations | object | `{}` | key:value pairs of annotations to be added to the secret | | notifications.secret.create | bool | `true` | Whether helm chart creates notifications controller secret | | notifications.secret.items | object | `{}` | Generic key:value pairs to be inserted into the secret | diff --git a/charts/argo-cd/templates/argocd-application-controller/deployment.yaml b/charts/argo-cd/templates/argocd-application-controller/deployment.yaml index 3938c25d..32205efd 100644 --- a/charts/argo-cd/templates/argocd-application-controller/deployment.yaml +++ b/charts/argo-cd/templates/argocd-application-controller/deployment.yaml @@ -36,6 +36,9 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} spec: + {{- with .Values.controller.runtimeClassName | default .Values.global.runtimeClassName }} + runtimeClassName: {{ . }} + {{- end }} {{- with .Values.controller.imagePullSecrets | default .Values.global.imagePullSecrets }} imagePullSecrets: {{- toYaml . | nindent 8 }} diff --git a/charts/argo-cd/templates/argocd-application-controller/statefulset.yaml b/charts/argo-cd/templates/argocd-application-controller/statefulset.yaml index 4fb49bee..3c644c69 100644 --- a/charts/argo-cd/templates/argocd-application-controller/statefulset.yaml +++ b/charts/argo-cd/templates/argocd-application-controller/statefulset.yaml @@ -37,6 +37,9 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} spec: + {{- with .Values.controller.runtimeClassName | default .Values.global.runtimeClassName }} + runtimeClassName: {{ . }} + {{- end }} {{- with .Values.controller.imagePullSecrets | default .Values.global.imagePullSecrets }} imagePullSecrets: {{- toYaml . | nindent 8 }} diff --git a/charts/argo-cd/templates/argocd-applicationset/clusterrole.yaml b/charts/argo-cd/templates/argocd-applicationset/clusterrole.yaml index 7b1f1998..2723e3d2 100644 --- a/charts/argo-cd/templates/argocd-applicationset/clusterrole.yaml +++ b/charts/argo-cd/templates/argocd-applicationset/clusterrole.yaml @@ -3,7 +3,6 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: {{ include "argo-cd.applicationSet.fullname" . }} - namespace: {{ include "argo-cd.namespace" . }} labels: {{- include "argo-cd.labels" (dict "context" . "component" .Values.applicationSet.name "name" .Values.applicationSet.name) | nindent 4 }} rules: diff --git a/charts/argo-cd/templates/argocd-applicationset/clusterrolebinding.yaml b/charts/argo-cd/templates/argocd-applicationset/clusterrolebinding.yaml index af6d5297..c6c1beb7 100644 --- a/charts/argo-cd/templates/argocd-applicationset/clusterrolebinding.yaml +++ b/charts/argo-cd/templates/argocd-applicationset/clusterrolebinding.yaml @@ -3,7 +3,6 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: {{ template "argo-cd.applicationSet.fullname" . }} - namespace: {{ include "argo-cd.namespace" . }} labels: {{- include "argo-cd.labels" (dict "context" . "component" .Values.applicationSet.name "name" .Values.applicationSet.name) | nindent 4 }} roleRef: @@ -14,4 +13,12 @@ subjects: - kind: ServiceAccount name: {{ template "argo-cd.applicationSet.serviceAccountName" . }} namespace: {{ include "argo-cd.namespace" . }} +{{- $namespaces := index .Values.configs.params "applicationsetcontroller.namespaces" -}} +{{- range $namespace := (split "," $namespaces) }} + {{- if $namespace }} + - kind: ServiceAccount + name: {{ include "argo-cd.applicationSet.serviceAccountName" $ }} + namespace: {{ $namespace | trim | quote }} + {{- end }} +{{- end }} {{- end }} diff --git a/charts/argo-cd/templates/argocd-applicationset/deployment.yaml b/charts/argo-cd/templates/argocd-applicationset/deployment.yaml index 060d20c5..9af597b2 100644 --- a/charts/argo-cd/templates/argocd-applicationset/deployment.yaml +++ b/charts/argo-cd/templates/argocd-applicationset/deployment.yaml @@ -36,6 +36,9 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} spec: + {{- with .Values.applicationSet.runtimeClassName | default .Values.global.runtimeClassName }} + runtimeClassName: {{ . }} + {{- end }} {{- with .Values.applicationSet.imagePullSecrets | default .Values.global.imagePullSecrets }} imagePullSecrets: {{- toYaml . | nindent 8 }} diff --git a/charts/argo-cd/templates/argocd-notifications/deployment.yaml b/charts/argo-cd/templates/argocd-notifications/deployment.yaml index 0f6ad38b..85d58e2b 100644 --- a/charts/argo-cd/templates/argocd-notifications/deployment.yaml +++ b/charts/argo-cd/templates/argocd-notifications/deployment.yaml @@ -36,6 +36,9 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} spec: + {{- with .Values.notifications.runtimeClassName | default .Values.global.runtimeClassName }} + runtimeClassName: {{ . }} + {{- end }} {{- with .Values.notifications.imagePullSecrets | default .Values.global.imagePullSecrets }} imagePullSecrets: {{- toYaml . | nindent 8 }} diff --git a/charts/argo-cd/templates/argocd-repo-server/deployment.yaml b/charts/argo-cd/templates/argocd-repo-server/deployment.yaml index 500b2e44..9a15e596 100755 --- a/charts/argo-cd/templates/argocd-repo-server/deployment.yaml +++ b/charts/argo-cd/templates/argocd-repo-server/deployment.yaml @@ -47,6 +47,9 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} spec: + {{- with .Values.repoServer.runtimeClassName | default .Values.global.runtimeClassName }} + runtimeClassName: {{ . }} + {{- end }} {{- with .Values.repoServer.imagePullSecrets | default .Values.global.imagePullSecrets }} imagePullSecrets: {{- toYaml . | nindent 8 }} diff --git a/charts/argo-cd/templates/argocd-server/deployment.yaml b/charts/argo-cd/templates/argocd-server/deployment.yaml index f20f2af0..f015c847 100755 --- a/charts/argo-cd/templates/argocd-server/deployment.yaml +++ b/charts/argo-cd/templates/argocd-server/deployment.yaml @@ -41,6 +41,9 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} spec: + {{- with .Values.server.runtimeClassName | default .Values.global.runtimeClassName }} + runtimeClassName: {{ . }} + {{- end }} {{- with .Values.server.imagePullSecrets | default .Values.global.imagePullSecrets }} imagePullSecrets: {{- toYaml . | nindent 8 }} diff --git a/charts/argo-cd/templates/dex/deployment.yaml b/charts/argo-cd/templates/dex/deployment.yaml index bc9b4530..fa11aef6 100755 --- a/charts/argo-cd/templates/dex/deployment.yaml +++ b/charts/argo-cd/templates/dex/deployment.yaml @@ -43,6 +43,9 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} spec: + {{- with .Values.dex.runtimeClassName | default .Values.global.runtimeClassName }} + runtimeClassName: {{ . }} + {{- end }} {{- with .Values.dex.imagePullSecrets | default .Values.global.imagePullSecrets }} imagePullSecrets: {{- toYaml . | nindent 8 }} diff --git a/charts/argo-cd/templates/redis/deployment.yaml b/charts/argo-cd/templates/redis/deployment.yaml index 76e1b00a..65581665 100755 --- a/charts/argo-cd/templates/redis/deployment.yaml +++ b/charts/argo-cd/templates/redis/deployment.yaml @@ -33,6 +33,9 @@ spec: {{- end }} {{- end }} spec: + {{- with .Values.redis.runtimeClassName | default .Values.global.runtimeClassName }} + runtimeClassName: {{ . }} + {{- end }} {{- with .Values.redis.imagePullSecrets | default .Values.global.imagePullSecrets }} imagePullSecrets: {{- toYaml . | nindent 8 }} diff --git a/charts/argo-cd/values.yaml b/charts/argo-cd/values.yaml index 08a26b8b..832d4184 100644 --- a/charts/argo-cd/values.yaml +++ b/charts/argo-cd/values.yaml @@ -44,6 +44,9 @@ global: ## Used for ingresses, certificates, SSO, notifications, etc. domain: argocd.example.com + # -- Runtime class name for all components + runtimeClassName: "" + # -- Common labels for the all resources additionalLabels: {} # app: argo-cd @@ -275,6 +278,8 @@ configs: applicationsetcontroller.policy: sync # -- Enables use of the Progressive Syncs capability applicationsetcontroller.enable.progressive.syncs: false + # -- A list of glob patterns specifying where to look for ApplicationSet resources. (e.g. `"namespace1, namespace2"`) + applicationsetcontroller.namespaces: "" # -- Enables [Applications in any namespace] ## List of additional namespaces where applications may be created in and reconciled from. @@ -619,6 +624,10 @@ controller: ## like round-robin, then the shards will be well-balanced. dynamicClusterDistribution: false + # -- Runtime class name for the application controller + # @default -- `""` (defaults to global.runtimeClassName) + runtimeClassName: "" + # -- Application controller heartbeat time # Ref: https://argo-cd.readthedocs.io/en/stable/operator-manual/dynamic-cluster-distribution/#working-of-dynamic-distribution heartbeatTime: 10 @@ -919,6 +928,10 @@ dex: # -- Additional command line arguments to pass to the Dex server extraArgs: [] + # -- Runtime class name for Dex + # @default -- `""` (defaults to global.runtimeClassName) + runtimeClassName: "" + metrics: # -- Deploy metrics service enabled: false @@ -1213,6 +1226,10 @@ redis: # -- Redis name name: redis + # -- Runtime class name for redis + # @default -- `""` (defaults to global.runtimeClassName) + runtimeClassName: "" + ## Redis Pod Disruption Budget ## Ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ pdb: @@ -1701,6 +1718,10 @@ server: # -- The number of server pods to run replicas: 1 + # -- Runtime class name for the Argo CD server + # @default -- `""` (defaults to global.runtimeClassName) + runtimeClassName: "" + ## Argo CD server Horizontal Pod Autoscaler autoscaling: # -- Enable Horizontal Pod Autoscaler ([HPA]) for the Argo CD server @@ -2364,6 +2385,10 @@ repoServer: # -- The number of repo server pods to run replicas: 1 + # -- Runtime class name for the repo server + # @default -- `""` (defaults to global.runtimeClassName) + runtimeClassName: "" + ## Repo server Horizontal Pod Autoscaler autoscaling: # -- Enable Horizontal Pod Autoscaler ([HPA]) for the repo server @@ -2752,6 +2777,10 @@ applicationSet: # -- The number of ApplicationSet controller pods to run replicas: 1 + # -- Runtime class name for the ApplicationSet controller + # @default -- `""` (defaults to global.runtimeClassName) + runtimeClassName: "" + ## ApplicationSet controller Pod Disruption Budget ## Ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ pdb: @@ -3119,6 +3148,10 @@ notifications: # @default -- `""` (defaults to https://`global.domain`) argocdUrl: "" + # -- Runtime class name for the notifications controller + # @default -- `""` (defaults to global.runtimeClassName) + runtimeClassName: "" + ## Notifications controller Pod Disruption Budget ## Ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ pdb: diff --git a/charts/argo-events/Chart.yaml b/charts/argo-events/Chart.yaml index aae23442..dc6af9ac 100644 --- a/charts/argo-events/Chart.yaml +++ b/charts/argo-events/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 appVersion: v1.9.2 description: A Helm chart for Argo Events, the event-driven workflow automation framework name: argo-events -version: 2.4.7 +version: 2.4.8 home: https://github.com/argoproj/argo-helm icon: https://avatars.githubusercontent.com/u/30269780?s=200&v=4 keywords: @@ -19,4 +19,4 @@ annotations: url: https://argoproj.github.io/argo-helm/pgp_keys.asc artifacthub.io/changes: | - kind: fixed - description: Update Jetstream versions as following upstream + description: events-webhook Service using non-default port diff --git a/charts/argo-events/templates/argo-events-webhook/service.yaml b/charts/argo-events/templates/argo-events-webhook/service.yaml index e1f2b2ee..797ceb43 100644 --- a/charts/argo-events/templates/argo-events-webhook/service.yaml +++ b/charts/argo-events/templates/argo-events-webhook/service.yaml @@ -8,7 +8,7 @@ metadata: {{- include "argo-events.labels" (dict "context" . "name" .Values.webhook.name) | nindent 4 }} spec: ports: - - port: 443 + - port: {{ int .Values.webhook.port }} targetPort: webhook selector: {{- include "argo-events.selectorLabels" (dict "context" $ "name" $.Values.webhook.name) | nindent 4 }} diff --git a/charts/argo-workflows/Chart.yaml b/charts/argo-workflows/Chart.yaml index 30ff622d..6071b4e8 100644 --- a/charts/argo-workflows/Chart.yaml +++ b/charts/argo-workflows/Chart.yaml @@ -1,9 +1,9 @@ apiVersion: v2 -appVersion: v3.5.10 +appVersion: v3.5.11 name: argo-workflows description: A Helm chart for Argo Workflows type: application -version: 0.42.2 +version: 0.42.3 icon: https://argo-workflows.readthedocs.io/en/stable/assets/logo.png home: https://github.com/argoproj/argo-helm sources: @@ -17,4 +17,4 @@ annotations: url: https://argoproj.github.io/argo-helm/pgp_keys.asc artifacthub.io/changes: | - kind: changed - description: add honorLabels config for ServiceMonitor resource + description: Bump argo-workflows to v3.5.11