diff --git a/charts/argo-cd/Chart.yaml b/charts/argo-cd/Chart.yaml index ffeaa9ff..9922f5ef 100644 --- a/charts/argo-cd/Chart.yaml +++ b/charts/argo-cd/Chart.yaml @@ -2,4 +2,4 @@ apiVersion: v1 appVersion: "1.1.2" description: A Helm chart for Argo-CD name: argo-cd -version: 0.3.0 +version: 0.3.0 \ No newline at end of file diff --git a/charts/argo-cd/templates/NOTES.txt b/charts/argo-cd/templates/NOTES.txt index ecd1f64b..36ade656 100644 --- a/charts/argo-cd/templates/NOTES.txt +++ b/charts/argo-cd/templates/NOTES.txt @@ -5,7 +5,7 @@ In order to access the server UI you have the following options: and then open the browser on http://localhost:8080 and accept the certificate 2. enable ingress and check the first option ssl passthrough: - https://github.com/argoproj/argo-cd/blob/master/docs/ingress.md#option-1-ssl-passthrough + https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/ingress.md#option-1-ssl-passthrough After reaching the UI the first time you can login with username: admin and the password will be the name of the server pod. You can get the pod name by running: diff --git a/charts/argo-cd/templates/argocd-cm.yaml b/charts/argo-cd/templates/argocd-cm.yaml index ab7f1961..2c8f2f36 100755 --- a/charts/argo-cd/templates/argocd-cm.yaml +++ b/charts/argo-cd/templates/argocd-cm.yaml @@ -2,7 +2,7 @@ apiVersion: v1 kind: ConfigMap metadata: name: argocd-cm - labels: + labels: app.kubernetes.io/name: {{ include "argo-cd.name" . }} helm.sh/chart: {{ include "argo-cd.chart" . }} app.kubernetes.io/instance: {{ .Release.Name }} @@ -28,3 +28,11 @@ data: oidc.config: | {{ toYaml .Values.config.oidcConfig | indent 4 }} {{- end }} +{{- if .Values.config.resourceCustomizations }} + resource.customizations: | +{{ toYaml .Values.config.resourceCustomizations | indent 4 }} +{{- end }} +{{- if .Values.config.configManagementPlugins }} + configManagementPlugins: | +{{ toYaml .Values.config.configManagementPlugins | indent 4 }} +{{- end }} 
diff --git a/charts/argo-cd/templates/argocd-rbac-cm.yaml b/charts/argo-cd/templates/argocd-rbac-cm.yaml index fb688d03..7d3aa6ea 100755 --- a/charts/argo-cd/templates/argocd-rbac-cm.yaml +++ b/charts/argo-cd/templates/argocd-rbac-cm.yaml @@ -16,3 +16,6 @@ data: policy.csv: {{- toYaml .Values.rbac.policyCsv | indent 4 }} {{- end }} +{{- if .Values.rbac.scopes }} + scopes: {{ .Values.rbac.scopes }} +{{- end }} diff --git a/charts/argo-cd/templates/argocd-server-clusterrole.yaml b/charts/argo-cd/templates/argocd-server-clusterrole.yaml new file mode 100644 index 00000000..703e953e --- /dev/null +++ b/charts/argo-cd/templates/argocd-server-clusterrole.yaml @@ -0,0 +1,35 @@ +{{- if .Values.clusterAdminAccess.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: argocd-server + labels: + app.kubernetes.io/name: {{ include "argo-cd.name" . }}-server + helm.sh/chart: {{ include "argo-cd.chart" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/part-of: {{ include "argo-cd.name" . }} + app.kubernetes.io/component: server +rules: + - apiGroups: + - '*' + resources: + - '*' + verbs: + - delete + - get + - patch + - apiGroups: + - "" + resources: + - events + verbs: + - list + - apiGroups: + - "" + resources: + - pods + - pods/log + verbs: + - get +{{- end }} diff --git a/charts/argo-cd/templates/argocd-server-clusterrolebinding.yaml b/charts/argo-cd/templates/argocd-server-clusterrolebinding.yaml new file mode 100644 index 00000000..34a92829 --- /dev/null +++ b/charts/argo-cd/templates/argocd-server-clusterrolebinding.yaml 
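Review bot: In argocd-rbac-cm.yaml the added `scopes: {{ .Values.rbac.scopes }}` renders the value unquoted, so the `[groups]` form shown in the values.yaml example would reach the ConfigMap as a YAML sequence rather than a string, and ConfigMap `data` values must be strings. Piping through quote keeps it a string: `scopes: {{ .Values.rbac.scopes | quote }}`. The values.yaml line `scopes: #[groups]` (the later `rbac:` hunk) should also say that a string such as `'[groups]'` is expected, since this setting decides which OIDC claims RBAC enforcement examines. The `data:` block starts outside the hunk.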
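Review bot: The first rule in argocd-server-clusterrole.yaml grants `get`, `patch` and `delete` on `'*'` resources in `'*'` API groups, which includes reading every Secret in the cluster, and the only gate is `clusterAdminAccess.enabled`. The values.yaml comment for that switch should state this, for example `# Grants the argocd-server ServiceAccount get/patch/delete on all resources cluster-wide, including Secrets.` The ClusterRole and the ClusterRoleBinding in argocd-server-clusterrolebinding.yaml both use the fixed name `argocd-server`. A second release in another namespace would therefore presumably collide with the first release's cluster-scoped objects, and a release-derived name such as `{{ .Release.Name }}-argocd-server` avoids that.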
@@ -0,0 +1,21 @@ +{{- if .Values.clusterAdminAccess.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: argocd-server + labels: + app.kubernetes.io/name: {{ include "argo-cd.name" . }}-server + helm.sh/chart: {{ include "argo-cd.chart" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/part-of: {{ include "argo-cd.name" . }} + app.kubernetes.io/component: server +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: argocd-server +subjects: + - kind: ServiceAccount + name: argocd-server + namespace: {{ .Release.Namespace }} +{{- end -}} diff --git a/charts/argo-cd/templates/argocd-server-deployment.yaml b/charts/argo-cd/templates/argocd-server-deployment.yaml index 9fde25e0..0c4cb317 100755 --- a/charts/argo-cd/templates/argocd-server-deployment.yaml +++ b/charts/argo-cd/templates/argocd-server-deployment.yaml @@ -22,6 +22,10 @@ spec: app.kubernetes.io/managed-by: {{ .Release.Service }} app.kubernetes.io/part-of: {{ include "argo-cd.name" . }} app.kubernetes.io/component: server + annotations: + {{- range $key, $value := .Values.server.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} spec: serviceAccountName: argocd-server initContainers: diff --git a/charts/argo-cd/values.yaml b/charts/argo-cd/values.yaml index bee5cc3c..af7e0a8b 100644 --- a/charts/argo-cd/values.yaml +++ b/charts/argo-cd/values.yaml @@ -24,6 +24,7 @@ server: extraArgs: [] volumeMounts: [] volumes: [] + annotations: {} repoServer: containerPort: 8081 
@@ -62,9 +63,9 @@ ingress: hosts: - argocd.example.com -# Standard Argo CD installation with cluster-admin access. -# Set this true if you plan to use Argo CD to deploy applications in the same cluster that -# Argo CD runs in (i.e. kubernetes.svc.default). +# Standard Argo CD installation with cluster-admin access. +# Set this true if you plan to use Argo CD to deploy applications in the same cluster that +# Argo CD runs in (i.e. kubernetes.svc.default). # Will still be able to deploy to external clusters with inputted credentials. clusterAdminAccess: @@ -96,7 +97,7 @@ config: # # url: https://argo-cd-demo.argoproj.io # # # A dex connector configuration. See documentation on how to configure SSO: - # # https://github.com/argoproj/argo-cd/blob/master/docs/sso.md#2-configure-argocd-for-sso + # # https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/sso.md#2-configure-argo-cd-for-sso # connectors: # # GitHub example # - type: github 
@@ -119,12 +120,29 @@ config: # provider webhook secret. The payload URL configured in the git provider should use the # /api/webhook endpoint of your Argo CD instance (e.g. https://argocd.example.com/api/webhook) webhook: - githubSecret: + githubSecret: gitlabSecret: bitbucketSecret: + # resourceCustomizations can be used to create custom health checks for resources + # https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/health.md#way-1-define-a-custom-health-check-in-argocd-cm-configmap + resourceCustomizations: + # certmanager.k8s.io/Certificate: + # health.lua: | + # hs = {} + # ... + # return hs + configManagementPlugins: + # - name: pluginName + # init: # Optional command to initialize application source directory + # command: ["sample command"] + # args: ["sample args"] + # generate: # Command to generate manifests YAML + # command: ["sample command"] + # args: ["sample args"] + rbac: # # An RBAC policy .csv file containing additional policy and role definitions. -# # See https://github.com/argoproj/argo-cd/blob/master/docs/rbac.md on how to write RBAC policies. +# # See https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/rbac.md on how to write RBAC policies. # policy.csv: | # # Give all members of "my-org:team-alpha" the ability to sync apps in "my-project" # p, my-org:team-alpha, applications, sync, my-project/*, allow @@ -140,6 +158,8 @@ rbac: # g, your-github-org:your-team, role:org-admin # The default role Argo CD will fall back to, when authorizing API requests policyDefault: #role:readonly + # Scopes controls which OIDC scopes to examine during rbac enforcement (in addition to `sub` scope). + scopes: #[groups] redis: image: diff --git a/charts/argo-ci/Chart.yaml b/charts/argo-ci/Chart.yaml index 1ae37023..bdbd58e5 100644 --- a/charts/argo-ci/Chart.yaml +++ b/charts/argo-ci/Chart.yaml 
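Review bot: The new `configManagementPlugins` example in values.yaml documents the `init` and `generate` commands but not where they execute. As far as I know Argo CD runs these commands in the repo-server while rendering manifests, so whoever controls this value decides what runs in that container; a comment such as `# Commands run inside the repo-server container; list only binaries shipped in that image.` would make the trust boundary explicit. Separately, `resourceCustomizations:` and `configManagementPlugins:` are bare keys (null). That works with the `if` guards in argocd-cm.yaml, but `{}` and `[]` would state the expected types.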
@@ -1,4 +1,4 @@ apiVersion: v1 -description: A Helm chart for Kubernetes +description: A Helm chart for Argo-CI name: argo-ci version: 0.1.2 diff --git a/charts/argo-ci/templates/ci-deployment.yaml b/charts/argo-ci/templates/ci-deployment.yaml index c5577cab..8495176b 100644 --- a/charts/argo-ci/templates/ci-deployment.yaml +++ b/charts/argo-ci/templates/ci-deployment.yaml @@ -16,6 +16,7 @@ spec: containers: - name: ci image: "{{ .Values.imageNamespace }}/{{ .Values.ciImage }}:{{ .Values.imageTag }}" + imagePullPolicy: {{ .Values.imagePullPolicy }} env: - name: IN_CLUSTER value: "true" diff --git a/charts/argo-ci/values.yaml b/charts/argo-ci/values.yaml index 59e4daec..092b182e 100644 --- a/charts/argo-ci/values.yaml +++ b/charts/argo-ci/values.yaml @@ -1,6 +1,7 @@ imageNamespace: argoproj ciImage: argoci imageTag: v1.0.0-alpha2 +imagePullPolicy: Always workflowNamespace: default argo: diff --git a/charts/argo-events/Chart.yaml b/charts/argo-events/Chart.yaml index 4b9eac9f..a68d9d65 100644 --- a/charts/argo-events/Chart.yaml +++ b/charts/argo-events/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v1 description: A Helm chart to install Argo-Events in k8s Cluster name: argo-events -version: 0.4.1 +version: 0.4.2 keywords: - argo-events - sensor-controller @@ -11,4 +11,4 @@ sources: maintainers: - name: Vaibhav Page - name: Matt Magaldi -appVersion: 0.8.1 +appVersion: 0.9.2 diff --git a/charts/argo-events/values.yaml b/charts/argo-events/values.yaml index d187f0c7..53f1c470 100644 --- a/charts/argo-events/values.yaml +++ b/charts/argo-events/values.yaml @@ -23,11 +23,11 @@ singleNamespace: true sensorController: name: sensor-controller image: sensor-controller - tag: v0.8.1 + tag: v0.9.2 replicaCount: 1 gatewayController: name: gateway-controller image: gateway-controller - tag: v0.8.1 + tag: v0.9.2 replicaCount: 1 diff --git a/charts/argo/Chart.yaml b/charts/argo/Chart.yaml index 3ab858f2..58745eb6 100644 --- a/charts/argo/Chart.yaml +++ b/charts/argo/Chart.yaml 
@@ -1,5 +1,5 @@ apiVersion: v1 -appVersion: "v2.2.1" -description: A Helm chart for Kubernetes +appVersion: "v2.3.0" +description: A Helm chart for Argo Workflows name: argo -version: 0.3.1 +version: 0.5.0 diff --git a/charts/argo/templates/ui-deployment.yaml b/charts/argo/templates/ui-deployment.yaml index 8790a277..fda2a0d9 100644 --- a/charts/argo/templates/ui-deployment.yaml +++ b/charts/argo/templates/ui-deployment.yaml @@ -20,8 +20,13 @@ spec: serviceAccountName: {{ .Values.ui.serviceAccount | quote }} containers: - name: ui - image: "{{ .Values.images.namespace }}/{{ .Values.images.ui }}:{{ .Values.images.tag }}" + image: "{{ .Values.images.namespace }}/{{ .Values.images.ui }}:{{ default .Values.images.tag .Values.ui.image.tag }}" + imagePullPolicy: {{ .Values.images.pullPolicy }} env: + {{- if .Values.ui.forceNamespaceIsolation }} + - name: FORCE_NAMESPACE_ISOLATION + value: "true" + {{- end }} - name: IN_CLUSTER value: "true" - name: ARGO_NAMESPACE diff --git a/charts/argo/templates/ui-service.yaml b/charts/argo/templates/ui-service.yaml index 3a63613d..5cd848cc 100644 --- a/charts/argo/templates/ui-service.yaml +++ b/charts/argo/templates/ui-service.yaml @@ -19,6 +19,9 @@ spec: app: {{ .Release.Name }}-{{ .Values.ui.name }} sessionAffinity: None type: {{ .Values.ui.serviceType }} + {{- if and (eq .Values.ui.serviceType "LoadBalancer") .Values.ui.loadBalancerIP }} + loadBalancerIP: {{ .Values.ui.loadBalancerIP | quote }} + {{- end }} {{- if and (eq .Values.ui.serviceType "LoadBalancer") .Values.ui.loadBalancerSourceRanges }} loadBalancerSourceRanges: {{ toYaml .Values.ui.loadBalancerSourceRanges | indent 4 }}{{- end }} diff --git a/charts/argo/templates/workflow-aggregate-roles.yaml b/charts/argo/templates/workflow-aggregate-roles.yaml new file mode 100644 index 00000000..5164ade0 --- /dev/null +++ b/charts/argo/templates/workflow-aggregate-roles.yaml 
@@ -0,0 +1,73 @@
+{{- if .Values.createAggregateRoles }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ annotations:
+ helm.sh/hook: pre-install
+ helm.sh/hook-delete-policy: before-hook-creation
+ name: argo-aggregate-to-view
+ labels:
+ rbac.authorization.k8s.io/aggregate-to-view: "true"
+rules:
+- apiGroups:
+ - argoproj.io
+ resources:
+ - workflows
+ - workflows/finalizers
+ verbs:
+ - get
+ - list
+ - watch
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ annotations:
+ helm.sh/hook: pre-install
+ helm.sh/hook-delete-policy: before-hook-creation
+ name: argo-aggregate-to-edit
+ labels:
+ rbac.authorization.k8s.io/aggregate-to-edit: "true"
+rules:
+- apiGroups:
+ - argoproj.io
+ resources:
+ - workflows
+ - workflows/finalizers
+ verbs:
+ - create
+ - delete
+ - deletecollection
+ - get
+ - list
+ - patch
+ - update
+ - watch
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ annotations:
+ helm.sh/hook: pre-install
+ helm.sh/hook-delete-policy: before-hook-creation
+ name: argo-aggregate-to-admin
+ labels:
+ rbac.authorization.k8s.io/aggregate-to-admin: "true"
+rules:
+- apiGroups:
+ - argoproj.io
+ resources:
+ - workflows
+ - workflows/finalizers
+ verbs:
+ - create
+ - delete
+ - deletecollection
+ - get
+ - list
+ - patch
+ - update
+ - watch
+{{- end }}
diff --git a/charts/argo/templates/workflow-controller-config-map.yaml b/charts/argo/templates/workflow-controller-config-map.yaml
index f77637a0..b635ec81 100644
--- a/charts/argo/templates/workflow-controller-config-map.yaml
+++ b/charts/argo/templates/workflow-controller-config-map.yaml
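Review bot: All three ClusterRoles in workflow-aggregate-roles.yaml carry `helm.sh/hook: pre-install`, which makes them hook resources rather than part of the release. They are not touched by `helm upgrade` and are left behind on uninstall, so their rules stay aggregated into the cluster's `view`, `edit` and `admin` roles after the chart is gone. Nothing visible here needs the hook for ordering, so dropping the `helm.sh/hook` and `helm.sh/hook-delete-policy` annotations would let Helm own and remove these roles. The names are fixed (`argo-aggregate-to-view` and so on), and with `before-hook-creation` a second release would delete and recreate the first release's roles. `createAggregateRoles` defaults to `true` in values.yaml, so this cluster-scoped RBAC is installed unless opted out, and a comment on that key should say so.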
@@ -15,8 +15,12 @@ data: instanceID: {{ .Values.controller.instanceID.explicitID }} {{- end }} {{- end }} + containerRuntimeExecutor: {{ .Values.controller.containerRuntimeExecutor }} artifactRepository: {{- if or .Values.minio.install .Values.useDefaultArtifactRepo }} + {{- if .Values.artifactRepository.archiveLogs }} + archiveLogs: {{ .Values.artifactRepository.archiveLogs }} + {{- end }} s3: {{- if .Values.useStaticCredentials }} accessKeySecret: @@ -29,7 +33,13 @@ data: bucket: {{ .Values.artifactRepository.s3.bucket | default .Values.minio.defaultBucket.name }} endpoint: {{ .Values.artifactRepository.s3.endpoint | default (printf "%s-%s" .Release.Name "minio:9000") }} insecure: {{ .Values.artifactRepository.s3.insecure }} + {{- if .Values.artifactRepository.s3.keyPrefix }} + keyPrefix: {{ .Values.artifactRepository.s3.keyPrefix }} + {{- end }} {{- end}} {{- if .Values.controller.metricsConfig.enabled }} metricsConfig: {{ toYaml .Values.controller.metricsConfig | indent 6}}{{- end }} + {{- if .Values.controller.telemetryConfig.enabled }} + telemetryConfig: +{{ toYaml .Values.controller.telemetryConfig | indent 6}}{{- end }} diff --git a/charts/argo/templates/workflow-controller-deployment.yaml b/charts/argo/templates/workflow-controller-deployment.yaml index 2f35f983..586d4132 100644 --- a/charts/argo/templates/workflow-controller-deployment.yaml +++ b/charts/argo/templates/workflow-controller-deployment.yaml 
@@ -20,13 +20,14 @@ spec: serviceAccountName: {{ .Values.controller.serviceAccount | quote }} containers: - name: controller - image: "{{ .Values.images.namespace }}/{{ .Values.images.controller }}:{{ .Values.images.tag }}" + image: "{{ .Values.images.namespace }}/{{ .Values.images.controller }}:{{ default .Values.images.tag .Values.controller.image.tag }}" + imagePullPolicy: {{ .Values.images.pullPolicy }} command: [ "workflow-controller" ] args: - "--configmap" - "{{ .Release.Name }}-{{ .Values.controller.name}}-configmap" - "--executor-image" - - "{{ .Values.images.namespace }}/{{ .Values.images.executor }}:{{ .Values.images.tag }}" + - "{{ .Values.images.namespace }}/{{ .Values.images.executor }}:{{ default .Values.images.tag .Values.executor.image.tag }}" - "--loglevel" - "{{ .Values.controller.logging.level }}" - "--gloglevel" diff --git a/charts/argo/templates/workflow-controller-service.yaml b/charts/argo/templates/workflow-controller-service.yaml new file mode 100644 index 00000000..5d4391de --- /dev/null +++ b/charts/argo/templates/workflow-controller-service.yaml 
@@ -0,0 +1,35 @@
+{{- if or .Values.controller.metricsConfig.enabled .Values.controller.telemetryConfig.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ .Release.Name }}-{{ .Values.controller.name }}
+ labels:
+ app: {{ .Release.Name }}-{{ .Values.controller.name}}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+ {{- if .Values.controller.serviceAnnotations }}
+ annotations:
+{{ toYaml .Values.controller.serviceAnnotations | indent 4}}{{- end }}
+spec:
+ ports:
+ {{- if .Values.controller.metricsConfig.enabled }}
+ - name: metrics
+ port: {{ .Values.controller.metricsServicePort }}
+ protocol: TCP
+ targetPort: {{ .Values.controller.metricsConfig.port }}
+ {{- end }}
+ {{- if .Values.controller.telemetryConfig.enabled }}
+ - name: telemetry
+ port: {{ .Values.controller.telemetryServicePort }}
+ protocol: TCP
+ targetPort: {{ .Values.controller.telemetryConfig.port }}
+ {{- end }}
+ selector:
+ app: {{ .Release.Name }}-{{ .Values.controller.name }}
+ sessionAffinity: None
+ type: {{ .Values.controller.serviceType }}
+ {{- if and (eq .Values.controller.serviceType "LoadBalancer") .Values.controller.loadBalancerSourceRanges }}
+ loadBalancerSourceRanges:
+{{ toYaml .Values.controller.loadBalancerSourceRanges | indent 4 }}{{- end }}
+{{- end -}}
diff --git a/charts/argo/templates/workflow-controller-servicemonitor.yaml b/charts/argo/templates/workflow-controller-servicemonitor.yaml
new file mode 100644
index 00000000..425fedac
--- /dev/null
+++ b/charts/argo/templates/workflow-controller-servicemonitor.yaml
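Review bot: The new Service in workflow-controller-service.yaml publishes the controller's metrics and telemetry ports, and with `controller.serviceType: LoadBalancer` the source-range restriction is rendered only if `loadBalancerSourceRanges` is non-empty, while the values.yaml default is `[]`. Nothing in the hunk shows these endpoints requiring authentication, so that combination would presumably leave them reachable by any client that can reach the load balancer. The values.yaml comment on `controller.serviceType` should say so, e.g. `# With serviceType LoadBalancer, set loadBalancerSourceRanges; an empty list leaves /metrics and /telemetry open to any source.`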
@@ -0,0 +1,33 @@ +{{- if and (or .Values.controller.metricsConfig.enabled .Values.controller.telemetryConfig.enabled) .Values.controller.serviceMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ .Release.Name }}-{{ .Values.controller.name }} + labels: + app: {{ .Release.Name }}-{{ .Values.controller.name}} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + {{- if .Values.controller.serviceMonitor.additionalLabels }} +{{ toYaml .Values.controller.serviceMonitor.additionalLabels | indent 4 }} + {{- end }} +spec: + endpoints: + {{- if .Values.controller.metricsConfig.enabled }} + - port: metrics + path: {{ .Values.controller.metricsConfig.path }} + interval: 30s + {{- end }} + {{- if .Values.controller.telemetryConfig.enabled }} + - port: telemetry + path: {{ .Values.controller.telemetryConfig.path }} + interval: 30s + {{- end }} + namespaceSelector: + matchNames: + - {{ .Release.Namespace }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ .Values.controller.name}} + release: {{ .Release.Name }} +{{- end }} diff --git a/charts/argo/values.yaml b/charts/argo/values.yaml index 09faee2f..f4a60c10 100644 --- a/charts/argo/values.yaml +++ b/charts/argo/values.yaml @@ -3,7 +3,8 @@ images: controller: workflow-controller ui: argoui executor: argoexec - tag: v2.2.1 + pullPolicy: Always + tag: v2.3.0 crdVersion: v1alpha1 
@@ -12,17 +13,30 @@ init: # being deployed to. In RBAC clusters, that will almost certainly fail. See the NOTES: section of the readme for more info. serviceAccount: "" +createAggregateRoles: true + controller: + image: + # Overrides .images.tag if defined. + tag: "" # podAnnotations is an optional map of annotations to be applied to the controller Pods podAnnotations: {} metricsConfig: enabled: false path: /metrics port: 8080 + telemetryConfig: + enabled: false + path: /telemetry + port: 8081 + serviceMonitor: + enabled: false + additionalLabels: {} serviceAccount: argo name: workflow-controller workflowNamespaces: - default + containerRuntimeExecutor: docker instanceID: # `instanceID.enabled` configures the controller to filter workflow submissions # to only those which have a matching instanceID attribute. @@ -34,9 +48,27 @@ controller: logging: level: info globallevel: "0" + serviceType: ClusterIP + metricsServicePort: 8080 + telemetryServicePort: 8081 + # Annotations to be applied to the controller Service + serviceAnnotations: {} + # Source ranges to allow access to service from. Only applies to + # service type `LoadBalancer` + loadBalancerSourceRanges: [] + +executor: + image: + # Overrides .images.tag if defined. + tag: "" ui: enabled: true + # only show workflows where UI installed + forceNamespaceIsolation: false + image: + # Overrides .images.tag if defined. + tag: "" # optional map of annotations to be applied to the ui Pods podAnnotations: {} name: ui @@ -45,6 +77,9 @@ ui: serviceAccount: argo-ui # Annotations to be applied to the UI Service serviceAnnotations: {} + # Static IP address to assign to loadBalancer + # service type `LoadBalancer` + loadBalancerIP: "" # Source ranges to allow access to service from. Only applies to # service type `LoadBalancer` loadBalancerSourceRanges: [] 
@@ -79,6 +114,8 @@ ui: useDefaultArtifactRepo: false useStaticCredentials: true artifactRepository: + # archiveLogs will archive the main container logs as an artifact + archiveLogs: false s3: # Note the `key` attribute is not the actual secret, it's the PATH to # the contents in the associated secret, as defined by the `name` attribute.