feat: add kubernetes version tag and set container security capabilities (#203)

charts/argo-cd/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v1
 appVersion: "1.3.6"
 description: A Helm chart for ArgoCD, a declarative, GitOps continuous delivery tool for Kubernetes.
 name: argo-cd
-version: 1.6.0
+version: 1.6.1
 home: https://github.com/argoproj/argo-helm
 icon: https://raw.githubusercontent.com/argoproj/argo/master/docs/assets/argo.png
 keywords:

charts/argo-cd/templates/argocd-application-controller/deployment.yaml

@@ -9,6 +9,7 @@ metadata:
     app.kubernetes.io/managed-by: {{ .Release.Service }}
     app.kubernetes.io/part-of: argocd
     app.kubernetes.io/component: {{ .Values.controller.name }}
+    app.kubernetes.io/version: {{ .Values.controller.image.tag }}
 spec:
   selector:
     matchLabels:
@@ -31,6 +32,7 @@ spec:
         app.kubernetes.io/managed-by: {{ .Release.Service }}
         app.kubernetes.io/part-of: argocd
         app.kubernetes.io/component: {{ .Values.controller.name }}
+        app.kubernetes.io/version: {{ .Values.controller.image.tag }}
         {{- if .Values.controller.podLabels }}
 {{- toYaml .Values.controller.podLabels | nindent 8 }}
         {{- end }}
@@ -63,6 +65,9 @@ spec:
         image: {{ default .Values.global.image.repository .Values.controller.image.repository }}:{{ default .Values.global.image.tag .Values.controller.image.tag }}
         imagePullPolicy: {{ default .Values.global.image.imagePullPolicy .Values.controller.image.imagePullPolicy }}
         name: {{ .Values.controller.name }}
+        {{- if .Values.controller.containerSecurityContext }}
+        securityContext: {{- toYaml .Values.controller.containerSecurityContext | nindent 10 }}
+        {{- end }}      
         {{- if .Values.controller.env }}
         env:
 {{- toYaml .Values.controller.env | nindent 8 }}

charts/argo-cd/templates/argocd-repo-server/deployment.yaml

@@ -9,6 +9,7 @@ metadata:
     app.kubernetes.io/managed-by: {{ .Release.Service }}
     app.kubernetes.io/part-of: argocd
     app.kubernetes.io/component: {{ .Values.repoServer.name }}
+    app.kubernetes.io/version: {{ .Values.repoServer.image.tag }}    
 spec:
   selector:
     matchLabels:
@@ -31,6 +32,7 @@ spec:
         app.kubernetes.io/managed-by: {{ .Release.Service }}
         app.kubernetes.io/part-of: argocd
         app.kubernetes.io/component: {{ .Values.repoServer.name }}
+        app.kubernetes.io/version: {{ .Values.repoServer.image.tag }}        
         {{- if .Values.controller.podLabels }}
 {{- toYaml .Values.controller.podLabels | nindent 8 }}
         {{- end }}
@@ -57,6 +59,9 @@ spec:
         - --{{ $key }}
           {{- end }}
         {{- end }}
+        {{- if .Values.repoServer.containerSecurityContext }}
+        securityContext: {{- toYaml .Values.repoServer.containerSecurityContext | nindent 10 }}
+        {{- end }}           
         {{- if .Values.repoServer.env }}
         env:
 {{- toYaml .Values.repoServer.env | nindent 8 }}

charts/argo-cd/templates/argocd-server/deployment.yaml

@@ -9,6 +9,7 @@ metadata:
     app.kubernetes.io/managed-by: {{ .Release.Service }}
     app.kubernetes.io/part-of: argocd
     app.kubernetes.io/component: {{ .Values.server.name }}
+    app.kubernetes.io/version: {{ .Values.server.image.tag }}    
 spec:
   selector:
     matchLabels:
@@ -31,6 +32,7 @@ spec:
         app.kubernetes.io/managed-by: {{ .Release.Service }}
         app.kubernetes.io/part-of: argocd
         app.kubernetes.io/component: {{ .Values.server.name }}
+        app.kubernetes.io/version: {{ .Values.server.image.tag }}        
         {{- if .Values.controller.podLabels }}
 {{- toYaml .Values.controller.podLabels | nindent 8 }}
         {{- end }}
@@ -65,6 +67,9 @@ spec:
         - --{{ $key }}
           {{- end }}
         {{- end }}
+        {{- if .Values.server.containerSecurityContext }}
+        securityContext: {{- toYaml .Values.server.containerSecurityContext | nindent 10 }}
+        {{- end }}          
         {{- if .Values.server.env }}
         env:
 {{- toYaml .Values.server.env | nindent 8 }}

charts/argo-cd/templates/dex/deployment.yaml

@@ -10,6 +10,7 @@ metadata:
     app.kubernetes.io/managed-by: {{ .Release.Service }}
     app.kubernetes.io/part-of: argocd
     app.kubernetes.io/component: {{ .Values.dex.name }}
+    app.kubernetes.io/version: {{ .Values.dex.image.tag }}    
 spec:
   selector:
     matchLabels:
@@ -24,11 +25,17 @@ spec:
         app.kubernetes.io/managed-by: {{ .Release.Service }}
         app.kubernetes.io/part-of: argocd
         app.kubernetes.io/component: {{ .Values.dex.name }}
+        app.kubernetes.io/version: {{ .Values.dex.image.tag }}        
     spec:
       initContainers:
       - name: copyutil
         image: {{ default .Values.global.image.repository .Values.dex.initImage.repository }}:{{ default .Values.global.image.tag .Values.dex.initImage.tag }}
         imagePullPolicy: {{ default .Values.global.image.imagePullPolicy .Values.dex.initImage.imagePullPolicy }}
+        resources:
+{{- toYaml .Values.dex.resources | nindent 10 }}  
+        {{- if .Values.dex.containerSecurityContext }}
+        securityContext: {{- toYaml .Values.dex.containerSecurityContext | nindent 10 }}
+        {{- end }}        
         command:
         - cp
         - /usr/local/bin/argocd-util
@@ -43,6 +50,9 @@ spec:
         command:
         - /shared/argocd-util
         - rundex
+        {{- if .Values.dex.containerSecurityContext }}
+        securityContext: {{- toYaml .Values.dex.containerSecurityContext | nindent 10 }}
+        {{- end }}            
         {{- if .Values.dex.env }}
         env:
 {{- toYaml .Values.dex.env | nindent 8 }}

charts/argo-cd/templates/redis/deployment.yaml

@@ -10,6 +10,7 @@ metadata:
     app.kubernetes.io/managed-by: {{ .Release.Service }}
     app.kubernetes.io/part-of: argocd
     app.kubernetes.io/component: {{ .Values.redis.name }}
+    app.kubernetes.io/version: {{ .Values.redis.image.tag }}    
 spec:
   selector:
     matchLabels:
@@ -23,6 +24,7 @@ spec:
         app.kubernetes.io/managed-by: {{ .Release.Service }}
         app.kubernetes.io/part-of: argocd
         app.kubernetes.io/component: {{ .Values.redis.name }}
+        app.kubernetes.io/version: {{ .Values.redis.image.tag }}        
     spec:
       automountServiceAccountToken: false
       {{- if .Values.global.securityContext }}
@@ -37,6 +39,9 @@ spec:
         - "no"
         image: {{ .Values.redis.image.repository }}:{{ .Values.redis.image.tag }}
         imagePullPolicy: {{ .Values.redis.image.imagePullPolicy}}
+        {{- if .Values.redis.containerSecurityContext }}
+        securityContext: {{- toYaml .Values.redis.containerSecurityContext | nindent 10 }}
+        {{- end }}          
         {{- if .Values.redis.env }}
         env:
 {{- toYaml .Values.redis.env | nindent 8 }}

charts/argo-cd/values.yaml

@@ -50,6 +50,12 @@ controller:
   ##
   podLabels: {}
 
+  ## Labels to set container specific security contexts
+  containerSecurityContext: {}
+    # capabilities:
+    #   drop:
+    #     - all
+
   ## Configures the controller port
   containerPort: 8082
 
@@ -199,6 +205,13 @@ dex:
 
   priorityClassName: ""
 
+  ## Labels to set container specific security contexts
+  containerSecurityContext: {}
+    # capabilities:
+    #   drop:
+    #     - all
+
+
   resources: {}
   #  limits:
   #    cpu: 50m
@@ -233,6 +246,13 @@ redis:
 
   priorityClassName: ""
 
+  ## Labels to set container specific security contexts
+  containerSecurityContext: {}
+    # capabilities:
+    #   drop:
+    #     - all
+
+
   resources: {}
   #  limits:
   #    cpu: 200m
@@ -307,6 +327,12 @@ server:
 
   priorityClassName: ""
 
+  ## Labels to set container specific security contexts
+  containerSecurityContext: {}
+    # capabilities:
+    #   drop:
+    #     - all
+
   resources: {}
   #  limits:
   #    cpu: 100m
@@ -541,6 +567,12 @@ repoServer:
 
   priorityClassName: ""
 
+  ## Labels to set container specific security contexts
+  containerSecurityContext: {}
+    # capabilities:
+    #   drop:
+    #     - all
+
   resources: {}
   #  limits:
   #    cpu: 50m