diff --git a/charts/argo-cd/templates/acr-controller/clusterrole.yaml b/charts/argo-cd/templates/acr-controller/clusterrole.yaml new file mode 100644 index 00000000..1e4a2562 --- /dev/null +++ b/charts/argo-cd/templates/acr-controller/clusterrole.yaml @@ -0,0 +1,26 @@ +{{- if .Values.acrController.enabled }} +{{- $config := .Values.acrController.clusterAdminAccess | default dict -}} +{{- if hasKey $config "enabled" | ternary $config.enabled .Values.createClusterRoles }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "argo-cd.acr-controller.fullname" . }} + labels: + {{- include "argo-cd.labels" (dict "context" . "component" .Values.acrController.name "name" .Values.acrController.name) | nindent 4 }} +rules: + {{- if .Values.acrController.clusterRoleRules.enabled }} + {{- toYaml .Values.acrController.clusterRoleRules.rules | nindent 2 }} + {{- else }} + - apiGroups: + - '*' + resources: + - '*' + verbs: + - '*' + - nonResourceURLs: + - '*' + verbs: + - '*' + {{- end }} +{{- end }} +{{- end }} diff --git a/charts/argo-cd/templates/acr-controller/clusterrolebinding.yaml b/charts/argo-cd/templates/acr-controller/clusterrolebinding.yaml new file mode 100644 index 00000000..eb6bcca0 --- /dev/null +++ b/charts/argo-cd/templates/acr-controller/clusterrolebinding.yaml @@ -0,0 +1,19 @@ +{{- if .Values.acrController.enabled }} +{{- $config := .Values.acrController.clusterAdminAccess | default dict -}} +{{- if hasKey $config "enabled" | ternary $config.enabled .Values.createClusterRoles }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "argo-cd.acr-controller.fullname" . }} + labels: + {{- include "argo-cd.labels" (dict "context" . "component" .Values.acrController.name "name" .Values.acrController.name) | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "argo-cd.acr-controller.fullname" . }} +subjects: +- kind: ServiceAccount + name: {{ include "argo-cd.acrControllerServiceAccountName" . }} + namespace: {{ .Release.Namespace }} +{{- end }} +{{- end }} diff --git a/charts/argo-cd/templates/acr-controller/deployment.yaml b/charts/argo-cd/templates/acr-controller/deployment.yaml new file mode 100644 index 00000000..46a26e0a --- /dev/null +++ b/charts/argo-cd/templates/acr-controller/deployment.yaml @@ -0,0 +1,161 @@ +{{- if .Values.acrController.enabled }} +apiVersion: apps/v1 +kind: Deployment +metadata: + {{- with (mergeOverwrite (deepCopy .Values.global.statefulsetAnnotations) .Values.acrController.statefulsetAnnotations) }} + annotations: + {{- range $key, $value := . }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- end }} + name: {{ template "argo-cd.acr-controller.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: + {{- include "argo-cd.labels" (dict "context" . "component" .Values.acrController.name "name" .Values.acrController.name) | nindent 4 }} +spec: + replicas: {{ .Values.acrController.replicas }} + # TODO: Remove for breaking release as history limit cannot be patched + revisionHistoryLimit: 5 + selector: + matchLabels: + {{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.acrController.name) | nindent 6 }} + template: + metadata: + labels: + {{- include "argo-cd.labels" (dict "context" . "component" .Values.acrController.name "name" .Values.acrController.name) | nindent 8 }} + {{- with (mergeOverwrite (deepCopy .Values.global.podLabels) .Values.acrController.podLabels) }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- with .Values.acrController.imagePullSecrets | default .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.global.hostAliases }} + hostAliases: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.global.securityContext }} + securityContext: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.acrController.priorityClassName | default .Values.global.priorityClassName }} + priorityClassName: {{ . }} + {{- end }} + {{- if .Values.acrController.terminationGracePeriodSeconds }} + terminationGracePeriodSeconds: {{ .Values.acrController.terminationGracePeriodSeconds }} + {{- end }} + serviceAccountName: {{ include "argo-cd.acrControllerServiceAccountName" . }} + containers: + - args: + - /usr/local/bin/argocd-application-change-revision-controller + {{- with .Values.acrController.extraArgs }} + {{- toYaml . | nindent 8 }} + {{- end }} + image: {{ default .Values.global.image.repository .Values.acrController.image.repository }}:{{ default (include "argo-cd.defaultTag" .) .Values.acrController.image.tag }} + imagePullPolicy: {{ default .Values.global.image.imagePullPolicy .Values.acrController.image.imagePullPolicy }} + name: {{ .Values.acrController.name }} + env: + {{- with (concat .Values.global.env .Values.acrController.env) }} + {{- toYaml . | nindent 10 }} + {{- end }} + - name: ARGOCD_SERVER + value: "http://argocd-server:80" + - name: ARGOCD_TOKEN + valueFrom: + secretKeyRef: + key: token + name: argocd-token + - name: ARGOCD_APPLICATION_NAMESPACES + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: application.namespaces + optional: true + - name: ACR_CONTROLLER_LOGFORMAT + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: acr.log.format + optional: true + - name: ACR_CONTROLLER_LOG_LEVEL + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: acr.log.level + optional: true + - name: ACR_CONTROLLER_LISTEN_ADDRESS + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: acr.listen.address + optional: true + {{- with .Values.acrController.envFrom }} + envFrom: + {{- toYaml . | nindent 10 }} + {{- end }} + ports: + - name: health + containerPort: {{ .Values.acrController.containerPorts.health }} + protocol: TCP + livenessProbe: + httpGet: + path: /healthz?full=true + port: health + initialDelaySeconds: 3 + periodSeconds: 30 + timeoutSeconds: 5 + readinessProbe: + httpGet: + path: /healthz + port: health + initialDelaySeconds: {{ .Values.acrController.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.acrController.readinessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.acrController.readinessProbe.timeoutSeconds }} + successThreshold: {{ .Values.acrController.readinessProbe.successThreshold }} + failureThreshold: {{ .Values.acrController.readinessProbe.failureThreshold }} + resources: + {{- toYaml .Values.acrController.resources | nindent 12 }} + {{- with .Values.acrController.containerSecurityContext }} + securityContext: + {{- toYaml . | nindent 10 }} + {{- end }} + {{- with .Values.acrController.extraContainers }} + {{- tpl (toYaml .) $ | nindent 6 }} + {{- end }} + {{- with .Values.acrController.initContainers }} + initContainers: + {{- tpl (toYaml .) $ | nindent 6 }} + {{- end }} + {{- with include "argo-cd.affinity" (dict "context" . "component" .Values.acrController) }} + affinity: + {{- trim . | nindent 8 }} + {{- end }} + {{- with .Values.acrController.nodeSelector | default .Values.global.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.acrController.tolerations | default .Values.global.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.acrController.topologySpreadConstraints | default .Values.global.topologySpreadConstraints }} + topologySpreadConstraints: + {{- range $constraint := . }} + - {{ toYaml $constraint | nindent 8 | trim }} + {{- if not $constraint.labelSelector }} + labelSelector: + matchLabels: + {{- include "argo-cd.selectorLabels" (dict "context" $ "name" $.Values.acrController.name) | nindent 12 }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.acrController.hostNetwork }} + hostNetwork: {{ .Values.acrController.hostNetwork }} + {{- end }} + {{- with .Values.acrController.dnsConfig }} + dnsConfig: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.acrController.dnsPolicy }} +{{- end }} diff --git a/charts/argo-cd/templates/acr-controller/role.yaml b/charts/argo-cd/templates/acr-controller/role.yaml new file mode 100644 index 00000000..5e6a9bde --- /dev/null +++ b/charts/argo-cd/templates/acr-controller/role.yaml @@ -0,0 +1,44 @@ +{{- if .Values.acrController.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "argo-cd.acr-controller.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: + {{- include "argo-cd.labels" (dict "context" . "component" .Values.acrController.name "name" .Values.acrController.name) | nindent 4 }} +rules: +- apiGroups: + - "" + resources: + - secrets + - configmaps + verbs: + - create + - get + - list + - watch + - update + - patch + - delete +- apiGroups: + - argoproj.io + resources: + - applications + - appprojects + - applicationsets + verbs: + - create + - get + - list + - watch + - update + - delete + - patch +- apiGroups: + - "" + resources: + - events + verbs: + - create + - list +{{- end }} diff --git a/charts/argo-cd/templates/acr-controller/rolebinding.yaml b/charts/argo-cd/templates/acr-controller/rolebinding.yaml new file mode 100644 index 00000000..a4a57446 --- /dev/null +++ b/charts/argo-cd/templates/acr-controller/rolebinding.yaml @@ -0,0 +1,17 @@ +{{- if .Values.acrController.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "argo-cd.acr-controller.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: + {{- include "argo-cd.labels" (dict "context" . "component" .Values.acrController.name "name" .Values.acrController.name) | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "argo-cd.acr-controller.fullname" . }} +subjects: +- kind: ServiceAccount + name: {{ template "argo-cd.acrControllerServiceAccountName" . }} + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/argo-cd/templates/acr-controller/serviceaccount.yaml b/charts/argo-cd/templates/acr-controller/serviceaccount.yaml new file mode 100644 index 00000000..3ded855c --- /dev/null +++ b/charts/argo-cd/templates/acr-controller/serviceaccount.yaml @@ -0,0 +1,19 @@ +{{- if and .Values.acrController.enabled .Values.acrController.serviceAccount.create }} +apiVersion: v1 +kind: ServiceAccount +automountServiceAccountToken: {{ .Values.acrController.serviceAccount.automountServiceAccountToken }} +metadata: + name: {{ template "argo-cd.acrControllerServiceAccountName" . }} + namespace: {{ .Release.Namespace | quote }} +{{- if .Values.acrController.serviceAccount.annotations }} + annotations: + {{- range $key, $value := .Values.acrController.serviceAccount.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} +{{- end }} + labels: + {{- include "argo-cd.labels" (dict "context" . "component" .Values.acrController.name "name" .Values.acrController.name) | nindent 4 }} + {{- range $key, $value := .Values.acrController.serviceAccount.labels }} + {{ $key }}: {{ $value | quote }} + {{- end }} +{{- end }} diff --git a/charts/argo-cd/templates/crds/crd-application.yaml b/charts/argo-cd/templates/crds/crd-application.yaml index 686626ba..fd0ecb11 100644 --- a/charts/argo-cd/templates/crds/crd-application.yaml +++ b/charts/argo-cd/templates/crds/crd-application.yaml @@ -116,6 +116,12 @@ spec: sync: description: Sync contains parameters for the operation properties: + changeRevision: + type: string + changeRevisions: + items: + type: string + type: array dryRun: description: DryRun specifies to perform a `kubectl apply --dry-run` without actually performing the sync @@ -2544,6 +2550,12 @@ spec: sync: description: Sync contains parameters for the operation properties: + changeRevision: + type: string + changeRevisions: + items: + type: string + type: array dryRun: description: DryRun specifies to perform a `kubectl apply --dry-run` without actually performing the sync diff --git a/charts/argo-cd/values.yaml b/charts/argo-cd/values.yaml index ddb48f3a..3bdf5e02 100644 --- a/charts/argo-cd/values.yaml +++ b/charts/argo-cd/values.yaml @@ -3907,3 +3907,174 @@ eventReporter: enabled: false # -- List of custom rules for the event reporter's ClusterRole resource rules: [] + +acrController: + # Enabled we need to skip argo-cd chart tests for this component + enabled: false + name: acr-controller + ## Amount of replicas for event reporting sharding + replicas: 1 + ## ACR controller image + image: + # -- Repository to use for the event reporter + # @default -- `""` (defaults to global.image.repository) + repository: "" + # -- Tag to use for the event reporter + # @default -- `""` (defaults to global.image.tag) + tag: "" + # -- Image pull policy for the event reporter + # @default -- `""` (defaults to global.image.imagePullPolicy) + imagePullPolicy: "" + + # -- Secrets with credentials to pull images from a private registry + # @default -- `[]` (defaults to global.imagePullSecrets) + imagePullSecrets: [] + + # -- Additional command line arguments to pass to event reporter + extraArgs: [] + + # -- Environment variables to pass to event reporter + env: [] + + # -- envFrom to pass to event reporter + # @default -- `[]` (See [values.yaml]) + envFrom: [] + # - configMapRef: + # name: config-map-name + # - secretRef: + # name: secret-name + + # -- Additional containers to be added to the event reporter pod + ## Note: Supports use of custom Helm templates + extraContainers: [] + + # -- Init containers to add to the event reporter pod + ## If your target Kubernetes cluster(s) require a custom credential (exec) plugin + ## you could use this (and the same in the server pod) to provide such executable + ## Ref: https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins + ## Note: Supports use of custom Helm templates + initContainers: [] + # - name: download-tools + # image: alpine:3 + # command: [sh, -c] + # args: + # - wget -qO kubelogin.zip https://github.com/Azure/kubelogin/releases/download/v0.0.25/kubelogin-linux-amd64.zip && + # unzip kubelogin.zip && mv bin/linux_amd64/kubelogin /custom-tools/ + # volumeMounts: + # - mountPath: /custom-tools + # name: custom-tools + + # -- Additional volumeMounts to the event reporter main container + volumeMounts: [] + # - mountPath: /usr/local/bin/kubelogin + # name: custom-tools + # subPath: kubelogin + + # -- Additional volumes to the event reporter pod + volumes: [] + # - name: custom-tools + # emptyDir: {} + + # -- Annotations for the event reporter StatefulSet + statefulsetAnnotations: {} + + # -- Annotations to be added to event reporter pods + podAnnotations: {} + + # -- Labels to be added to event reporter pods + podLabels: {} + + # -- Resource limits and requests for the event reporter pods + resources: {} + # limits: + # cpu: 500m + # memory: 512Mi + # requests: + # cpu: 250m + # memory: 256Mi + + # Event reporter container ports + containerPorts: + health: 8090 + + # -- Host Network for event reporter pods + hostNetwork: false + + # -- [DNS configuration] + dnsConfig: {} + # -- Alternative DNS policy for event reporter pods + dnsPolicy: "ClusterFirst" + + # -- Event reporter container-level security context + # @default -- See [values.yaml] + containerSecurityContext: + runAsNonRoot: true + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL + + # Readiness probe for event reporter + ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ + readinessProbe: + # -- Minimum consecutive failures for the [probe] to be considered failed after having succeeded + failureThreshold: 3 + # -- Number of seconds after the container has started before [probe] is initiated + initialDelaySeconds: 10 + # -- How often (in seconds) to perform the [probe] + periodSeconds: 10 + # -- Minimum consecutive successes for the [probe] to be considered successful after having failed + successThreshold: 1 + # -- Number of seconds after which the [probe] times out + timeoutSeconds: 1 + + # -- terminationGracePeriodSeconds for container lifecycle hook + terminationGracePeriodSeconds: 30 + + # -- Priority class for the event reporter pods + # @default -- `""` (defaults to global.priorityClassName) + priorityClassName: "" + + # -- [Node selector] + # @default -- `{}` (defaults to global.nodeSelector) + nodeSelector: {} + + # -- [Tolerations] for use with node taints + # @default -- `[]` (defaults to global.tolerations) + tolerations: [] + + # -- Assign custom [affinity] rules to the deployment + # @default -- `{}` (defaults to global.affinity preset) + affinity: {} + + # -- Assign custom [TopologySpreadConstraints] rules to the event reporter + # @default -- `[]` (defaults to global.topologySpreadConstraints) + ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + ## If labelSelector is left out, it will default to the labelSelector configuration of the deployment + topologySpreadConstraints: [] + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + + serviceAccount: + # -- Create a service account for the event reporter + create: true + # -- Service account name + name: acr-controller + # -- Annotations applied to created service account + annotations: {} + # -- Labels applied to created service account + labels: {} + # -- Automount API credentials for the Service Account + automountServiceAccountToken: true + + ## Enable this and set the rules: to whatever custom rules you want for the Cluster Role resource. + ## Defaults to off + clusterRoleRules: + # -- Enable custom rules for the event reporter's ClusterRole resource + enabled: false + # -- List of custom rules for the event reporter's ClusterRole resource + rules: []