Merge branch 'master' into update-argocd

charts/argo-cd/templates/NOTES.txt

@@ -5,7 +5,7 @@ In order to access the server UI you have the following options:
     and then open the browser on http://localhost:8080 and accept the certificate
 
 2. enable ingress and check the first option ssl passthrough:
-    https://github.com/argoproj/argo-cd/blob/master/docs/ingress.md#option-1-ssl-passthrough
+    https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/ingress.md#option-1-ssl-passthrough
 
 After reaching the UI the first time you can login with username: admin and the password will be the
 name of the server pod. You can get the pod name by running:

charts/argo-cd/templates/argocd-cm.yaml

@@ -28,3 +28,11 @@ data:
   oidc.config: |
 {{ toYaml .Values.config.oidcConfig | indent 4 }}
 {{- end }}
+{{- if .Values.config.resourceCustomizations }}
+  resource.customizations: |
+{{ toYaml .Values.config.resourceCustomizations | indent 4 }}
+{{- end }}
+{{- if .Values.config.configManagementPlugins }}
+  configManagementPlugins: |
+{{ toYaml .Values.config.configManagementPlugins | indent 4 }}
+{{- end }}

charts/argo-cd/templates/argocd-rbac-cm.yaml

@@ -16,3 +16,6 @@ data:
   policy.csv:
 {{- toYaml .Values.rbac.policyCsv | indent 4 }}
 {{- end }}
+{{- if .Values.rbac.scopes }}
+  scopes: {{ .Values.rbac.scopes }}
+{{- end }}

charts/argo-cd/templates/argocd-server-clusterrole.yaml

@@ -0,0 +1,35 @@
+{{- if .Values.clusterAdminAccess.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: argocd-server
+  labels:
+    app.kubernetes.io/name: {{ include "argo-cd.name" . }}-server
+    helm.sh/chart: {{ include "argo-cd.chart" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    app.kubernetes.io/part-of: {{ include "argo-cd.name" . }}
+    app.kubernetes.io/component: server
+rules:
+  - apiGroups:
+      - '*'
+    resources:
+      - '*'
+    verbs:
+      - delete
+      - get
+      - patch
+  - apiGroups:
+      - ""
+    resources:
+      - events
+    verbs:
+      - list
+  - apiGroups:
+      - ""
+    resources:
+      - pods
+      - pods/log
+    verbs:
+      - get
+{{- end }}

charts/argo-cd/templates/argocd-server-clusterrolebinding.yaml

@@ -0,0 +1,21 @@
+{{- if .Values.clusterAdminAccess.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: argocd-server
+  labels:
+    app.kubernetes.io/name: {{ include "argo-cd.name" . }}-server
+    helm.sh/chart: {{ include "argo-cd.chart" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    app.kubernetes.io/part-of: {{ include "argo-cd.name" . }}
+    app.kubernetes.io/component: server
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: argocd-server
+subjects:
+  - kind: ServiceAccount
+    name: argocd-server
+    namespace: {{ .Release.Namespace }}
+{{- end -}}

charts/argo-cd/templates/argocd-server-deployment.yaml

@@ -22,6 +22,10 @@ spec:
         app.kubernetes.io/managed-by: {{ .Release.Service }}
         app.kubernetes.io/part-of: {{ include "argo-cd.name" . }}
         app.kubernetes.io/component: server
+      annotations:
+        {{- range $key, $value := .Values.server.annotations }}
+        {{ $key }}: {{ $value | quote }}
+        {{- end }}
     spec:
       serviceAccountName: argocd-server
       initContainers:

charts/argo-cd/values.yaml

@@ -24,6 +24,7 @@ server:
   extraArgs: []
   volumeMounts: []
   volumes: []
+  annotations: {}
 
 repoServer:
   containerPort: 8081
@@ -96,7 +97,7 @@ config:
     #   # url: https://argo-cd-demo.argoproj.io
     #
     #   # A dex connector configuration. See documentation on how to configure SSO:
-    #   # https://github.com/argoproj/argo-cd/blob/master/docs/sso.md#2-configure-argocd-for-sso
+    #   # https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/sso.md#2-configure-argo-cd-for-sso
     # connectors:
     #   # GitHub example
     #   - type: github
@@ -122,9 +123,26 @@ config:
     githubSecret:
     gitlabSecret:
     bitbucketSecret:
+  # resourceCustomizations can be used to create custom health checks for resources
+  # https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/health.md#way-1-define-a-custom-health-check-in-argocd-cm-configmap
+  resourceCustomizations:
+  #   certmanager.k8s.io/Certificate:
+  #     health.lua: |
+  #       hs = {}
+  #       ...
+  #       return hs
+  configManagementPlugins:
+    # - name: pluginName
+    #   init:                          # Optional command to initialize application source directory
+    #     command: ["sample command"]
+    #     args: ["sample args"]
+    #   generate:                      # Command to generate manifests YAML
+    #     command: ["sample command"]
+    #     args: ["sample args"]
+
 rbac:
 #   # An RBAC policy .csv file containing additional policy and role definitions.
-#   # See https://github.com/argoproj/argo-cd/blob/master/docs/rbac.md on how to write RBAC policies.
+#   # See https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/rbac.md on how to write RBAC policies.
 #   policy.csv: |
 #     # Give all members of "my-org:team-alpha" the ability to sync apps in "my-project"
 #     p, my-org:team-alpha, applications, sync, my-project/*, allow
@@ -140,6 +158,8 @@ rbac:
   #   g, your-github-org:your-team, role:org-admin
   # The default role Argo CD will fall back to, when authorizing API requests
   policyDefault: #role:readonly
+  # Scopes controls which OIDC scopes to examine during rbac enforcement (in addition to `sub` scope).
+  scopes: #[groups]
 
 redis:
   image:

charts/argo-ci/Chart.yaml

@@ -1,4 +1,4 @@
 apiVersion: v1
-description: A Helm chart for Kubernetes
+description: A Helm chart for Argo-CI
 name: argo-ci
 version: 0.1.2

charts/argo-ci/templates/ci-deployment.yaml

@@ -16,6 +16,7 @@ spec:
       containers:
         - name: ci
           image: "{{ .Values.imageNamespace }}/{{ .Values.ciImage }}:{{ .Values.imageTag }}"
+          imagePullPolicy: {{ .Values.imagePullPolicy }}
           env:
           - name: IN_CLUSTER
             value: "true"

charts/argo-ci/values.yaml

@@ -1,6 +1,7 @@
 imageNamespace: argoproj
 ciImage: argoci
 imageTag: v1.0.0-alpha2
+imagePullPolicy: Always
 workflowNamespace: default
 
 argo:

charts/argo-events/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v1
 description: A Helm chart to install Argo-Events in k8s Cluster
 name: argo-events
-version: 0.4.1
+version: 0.4.2
 keywords:
 - argo-events
 - sensor-controller
@@ -11,4 +11,4 @@ sources:
 maintainers:
 - name: Vaibhav Page
 - name: Matt Magaldi
-appVersion: 0.8.1
+appVersion: 0.9.2

charts/argo-events/values.yaml

@@ -23,11 +23,11 @@ singleNamespace: true
 sensorController:
   name: sensor-controller
   image: sensor-controller
-  tag: v0.8.1
+  tag: v0.9.2
   replicaCount: 1
 
 gatewayController:
   name: gateway-controller
   image: gateway-controller
-  tag: v0.8.1
+  tag: v0.9.2
   replicaCount: 1

charts/argo/Chart.yaml

@@ -1,5 +1,5 @@
 apiVersion: v1
-appVersion: "v2.2.1"
-description: A Helm chart for Kubernetes
+appVersion: "v2.3.0"
+description: A Helm chart for Argo Workflows
 name: argo
-version: 0.3.1
+version: 0.5.0

charts/argo/templates/ui-deployment.yaml

@@ -20,8 +20,13 @@ spec:
       serviceAccountName: {{ .Values.ui.serviceAccount | quote }}
       containers:
         - name: ui
-          image: "{{ .Values.images.namespace }}/{{ .Values.images.ui }}:{{ .Values.images.tag }}"
+          image: "{{ .Values.images.namespace }}/{{ .Values.images.ui }}:{{ default .Values.images.tag .Values.ui.image.tag }}"
+          imagePullPolicy: {{ .Values.images.pullPolicy }}
           env:
+          {{- if .Values.ui.forceNamespaceIsolation }}
+          - name: FORCE_NAMESPACE_ISOLATION
+            value: "true"
+          {{- end }}
           - name: IN_CLUSTER
             value: "true"
           - name: ARGO_NAMESPACE

charts/argo/templates/ui-service.yaml

@@ -19,6 +19,9 @@ spec:
     app: {{ .Release.Name }}-{{ .Values.ui.name }}
   sessionAffinity: None
   type: {{ .Values.ui.serviceType }}
+  {{- if and (eq .Values.ui.serviceType "LoadBalancer") .Values.ui.loadBalancerIP }}
+  loadBalancerIP: {{ .Values.ui.loadBalancerIP | quote }}
+  {{- end }}
   {{- if and (eq .Values.ui.serviceType "LoadBalancer") .Values.ui.loadBalancerSourceRanges }}
   loadBalancerSourceRanges:
 {{ toYaml .Values.ui.loadBalancerSourceRanges | indent 4 }}{{- end }}

charts/argo/templates/workflow-aggregate-roles.yaml

@@ -0,0 +1,73 @@
+{{- if .Values.createAggregateRoles }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations:
+    helm.sh/hook: pre-install
+    helm.sh/hook-delete-policy: before-hook-creation
+  name: argo-aggregate-to-view
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-view: "true"
+rules:
+- apiGroups:
+  - argoproj.io
+  resources:
+  - workflows
+  - workflows/finalizers
+  verbs:
+  - get
+  - list
+  - watch
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations:
+    helm.sh/hook: pre-install
+    helm.sh/hook-delete-policy: before-hook-creation
+  name: argo-aggregate-to-edit
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-edit: "true"
+rules:
+- apiGroups:
+  - argoproj.io
+  resources:
+  - workflows
+  - workflows/finalizers
+  verbs:
+  - create
+  - delete
+  - deletecollection
+  - get
+  - list
+  - patch
+  - update
+  - watch
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations:
+    helm.sh/hook: pre-install
+    helm.sh/hook-delete-policy: before-hook-creation
+  name: argo-aggregate-to-admin
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+rules:
+- apiGroups:
+  - argoproj.io
+  resources:
+  - workflows
+  - workflows/finalizers
+  verbs:
+  - create
+  - delete
+  - deletecollection
+  - get
+  - list
+  - patch
+  - update
+  - watch
+{{- end }}

charts/argo/templates/workflow-controller-config-map.yaml

@@ -15,8 +15,12 @@ data:
     instanceID: {{ .Values.controller.instanceID.explicitID }}
     {{- end }}
     {{- end }}
+    containerRuntimeExecutor: {{ .Values.controller.containerRuntimeExecutor }}
     artifactRepository:
       {{- if or .Values.minio.install .Values.useDefaultArtifactRepo }}
+      {{- if .Values.artifactRepository.archiveLogs }}
+      archiveLogs: {{ .Values.artifactRepository.archiveLogs }}
+      {{- end }}
       s3:
         {{- if .Values.useStaticCredentials }}
         accessKeySecret:
@@ -29,7 +33,13 @@ data:
         bucket: {{ .Values.artifactRepository.s3.bucket | default .Values.minio.defaultBucket.name }}
         endpoint: {{ .Values.artifactRepository.s3.endpoint | default (printf "%s-%s" .Release.Name "minio:9000") }}
         insecure: {{ .Values.artifactRepository.s3.insecure }}
+        {{- if .Values.artifactRepository.s3.keyPrefix }}
+        keyPrefix: {{ .Values.artifactRepository.s3.keyPrefix }}
+        {{- end }}
       {{- end}}
     {{- if .Values.controller.metricsConfig.enabled }}
     metricsConfig:
 {{ toYaml .Values.controller.metricsConfig | indent 6}}{{- end }}
+    {{- if .Values.controller.telemetryConfig.enabled }}
+    telemetryConfig:
+{{ toYaml .Values.controller.telemetryConfig | indent 6}}{{- end }}

charts/argo/templates/workflow-controller-deployment.yaml

@@ -20,13 +20,14 @@ spec:
       serviceAccountName: {{ .Values.controller.serviceAccount | quote }}
       containers:
         - name: controller
-          image: "{{ .Values.images.namespace }}/{{ .Values.images.controller }}:{{ .Values.images.tag }}"
+          image: "{{ .Values.images.namespace }}/{{ .Values.images.controller }}:{{ default .Values.images.tag .Values.controller.image.tag }}"
+          imagePullPolicy: {{ .Values.images.pullPolicy }}
           command: [ "workflow-controller" ]
           args:
           - "--configmap"
           - "{{ .Release.Name }}-{{ .Values.controller.name}}-configmap"
           - "--executor-image"
-          - "{{ .Values.images.namespace }}/{{ .Values.images.executor }}:{{ .Values.images.tag }}"
+          - "{{ .Values.images.namespace }}/{{ .Values.images.executor }}:{{ default .Values.images.tag .Values.executor.image.tag }}"
           - "--loglevel"
           - "{{ .Values.controller.logging.level }}"
           - "--gloglevel"

charts/argo/templates/workflow-controller-service.yaml

@@ -0,0 +1,35 @@
+{{- if or .Values.controller.metricsConfig.enabled .Values.controller.telemetryConfig.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ .Release.Name }}-{{ .Values.controller.name }}
+  labels:
+    app: {{ .Release.Name }}-{{ .Values.controller.name}}
+    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+  {{- if .Values.controller.serviceAnnotations }}
+  annotations:
+{{ toYaml .Values.controller.serviceAnnotations | indent 4}}{{- end }}
+spec:
+  ports:
+  {{- if .Values.controller.metricsConfig.enabled }}
+  - name: metrics
+    port: {{ .Values.controller.metricsServicePort }}
+    protocol: TCP
+    targetPort: {{ .Values.controller.metricsConfig.port }}
+  {{- end }}
+  {{- if .Values.controller.telemetryConfig.enabled }}
+  - name: telemetry
+    port: {{ .Values.controller.telemetryServicePort }}
+    protocol: TCP
+    targetPort: {{ .Values.controller.telemetryConfig.port }}
+  {{- end }}
+  selector:
+    app: {{ .Release.Name }}-{{ .Values.controller.name }}
+  sessionAffinity: None
+  type: {{ .Values.controller.serviceType }}
+  {{- if and (eq .Values.controller.serviceType "LoadBalancer") .Values.controller.loadBalancerSourceRanges }}
+  loadBalancerSourceRanges:
+{{ toYaml .Values.controller.loadBalancerSourceRanges | indent 4 }}{{- end }}
+{{- end -}}

charts/argo/templates/workflow-controller-servicemonitor.yaml

@@ -0,0 +1,33 @@
+{{- if and (or .Values.controller.metricsConfig.enabled .Values.controller.telemetryConfig.enabled) .Values.controller.serviceMonitor.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: {{ .Release.Name }}-{{ .Values.controller.name }}
+  labels:
+    app: {{ .Release.Name }}-{{ .Values.controller.name}}
+    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+    {{- if .Values.controller.serviceMonitor.additionalLabels }}
+{{ toYaml .Values.controller.serviceMonitor.additionalLabels | indent 4 }}
+    {{- end }}
+spec:
+  endpoints:
+  {{- if .Values.controller.metricsConfig.enabled }}
+    - port: metrics
+      path: {{ .Values.controller.metricsConfig.path }}
+      interval: 30s
+  {{- end }}
+  {{- if .Values.controller.telemetryConfig.enabled }}
+    - port: telemetry
+      path: {{ .Values.controller.telemetryConfig.path }}
+      interval: 30s
+  {{- end }}
+  namespaceSelector:
+    matchNames:
+      - {{ .Release.Namespace }}
+  selector:
+    matchLabels:
+      app: {{ .Release.Name }}-{{ .Values.controller.name}}
+      release: {{ .Release.Name }}
+{{- end }}

charts/argo/values.yaml

@@ -3,7 +3,8 @@ images:
   controller: workflow-controller
   ui: argoui
   executor: argoexec
-  tag: v2.2.1
+  pullPolicy: Always
+  tag: v2.3.0
 
 crdVersion: v1alpha1
 
@@ -12,17 +13,30 @@ init:
   # being deployed to.  In RBAC clusters, that will almost certainly fail.  See the NOTES: section of the readme for more info.
   serviceAccount: ""
 
+createAggregateRoles: true
+
 controller:
+  image:
+    # Overrides .images.tag if defined.
+    tag: ""
   # podAnnotations is an optional map of annotations to be applied to the controller Pods
   podAnnotations: {}
   metricsConfig:
     enabled: false
     path: /metrics
     port: 8080
+  telemetryConfig:
+    enabled: false
+    path: /telemetry
+    port: 8081
+  serviceMonitor:
+    enabled: false
+    additionalLabels: {}
   serviceAccount: argo
   name: workflow-controller
   workflowNamespaces:
     - default
+  containerRuntimeExecutor: docker
   instanceID:
     # `instanceID.enabled` configures the controller to filter workflow submissions
     # to only those which have a matching instanceID attribute.
@@ -34,9 +48,27 @@ controller:
   logging:
     level: info
     globallevel: "0"
+  serviceType: ClusterIP
+  metricsServicePort: 8080
+  telemetryServicePort: 8081
+  # Annotations to be applied to the controller Service
+  serviceAnnotations: {}
+  # Source ranges to allow access to service from. Only applies to
+  # service type `LoadBalancer`
+  loadBalancerSourceRanges: []
+
+executor:
+  image:
+    # Overrides .images.tag if defined.
+    tag: ""
 
 ui:
   enabled: true
+  # only show workflows where UI installed
+  forceNamespaceIsolation: false
+  image:
+    # Overrides .images.tag if defined.
+    tag: ""
   # optional map of annotations to be applied to the ui Pods
   podAnnotations: {}
   name: ui
@@ -45,6 +77,9 @@ ui:
   serviceAccount: argo-ui
   # Annotations to be applied to the UI Service
   serviceAnnotations: {}
+  # Static IP address to assign to loadBalancer
+  # service type `LoadBalancer`
+  loadBalancerIP: ""
   # Source ranges to allow access to service from. Only applies to
   # service type `LoadBalancer`
   loadBalancerSourceRanges: []
@@ -79,6 +114,8 @@ ui:
 useDefaultArtifactRepo: false
 useStaticCredentials: true
 artifactRepository:
+  # archiveLogs will archive the main container logs as an artifact
+  archiveLogs: false
   s3:
     # Note the `key` attribute is not the actual secret, it's the PATH to
     # the contents in the associated secret, as defined by the `name` attribute.