DevFW-CICD/argocd-helm
16
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat: support acr controller in our chart

Browse source
This commit is contained in:
pashakostohrys 2024-09-26 12:38:24 +03:00
parent fbc6b8841f
commit 72fb3b7580
8 changed files with 469 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

26
charts/argo-cd/templates/acr-controller/clusterrole.yaml Normal file
View file

@ -0,0 +1,26 @@
{{- if .Values.acrController.enabled }}
{{- $config := .Values.acrController.clusterAdminAccess | default dict -}}
{{- if hasKey $config "enabled" | ternary $config.enabled .Values.createClusterRoles }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "argo-cd.acr-controller.fullname" . }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.acrController.name "name" .Values.acrController.name) | nindent 4 }}
rules:
{{- if .Values.acrController.clusterRoleRules.enabled }}
{{- toYaml .Values.acrController.clusterRoleRules.rules | nindent 2 }}
{{- else }}
- apiGroups:
- '*'
resources:
- '*'
verbs:
- '*'
- nonResourceURLs:
- '*'
verbs:
- '*'
{{- end }}
{{- end }}
{{- end }}

19
charts/argo-cd/templates/acr-controller/clusterrolebinding.yaml Normal file
View file

@ -0,0 +1,19 @@
{{- if .Values.acrController.enabled }}
{{- $config := .Values.acrController.clusterAdminAccess | default dict -}}
{{- if hasKey $config "enabled" | ternary $config.enabled .Values.createClusterRoles }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ include "argo-cd.acr-controller.fullname" . }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.acrController.name "name" .Values.acrController.name) | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ include "argo-cd.acr-controller.fullname" . }}
subjects:
- kind: ServiceAccount
name: {{ include "argo-cd.acrControllerServiceAccountName" . }}
namespace: {{ .Release.Namespace }}
{{- end }}
{{- end }}

161
charts/argo-cd/templates/acr-controller/deployment.yaml Normal file
View file

@ -0,0 +1,161 @@
{{- if .Values.acrController.enabled }}
apiVersion: apps/v1
kind: Deployment
metadata:
{{- with (mergeOverwrite (deepCopy .Values.global.statefulsetAnnotations) .Values.acrController.statefulsetAnnotations) }}
annotations:
{{- range $key, $value := . }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
name: {{ template "argo-cd.acr-controller.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.acrController.name "name" .Values.acrController.name) | nindent 4 }}
spec:
replicas: {{ .Values.acrController.replicas }}
# TODO: Remove for breaking release as history limit cannot be patched
revisionHistoryLimit: 5
selector:
matchLabels:
{{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.acrController.name) | nindent 6 }}
template:
metadata:
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.acrController.name "name" .Values.acrController.name) | nindent 8 }}
{{- with (mergeOverwrite (deepCopy .Values.global.podLabels) .Values.acrController.podLabels) }}
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
{{- with .Values.acrController.imagePullSecrets | default .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.global.hostAliases }}
hostAliases:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.global.securityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.acrController.priorityClassName | default .Values.global.priorityClassName }}
priorityClassName: {{ . }}
{{- end }}
{{- if .Values.acrController.terminationGracePeriodSeconds }}
terminationGracePeriodSeconds: {{ .Values.acrController.terminationGracePeriodSeconds }}
{{- end }}
serviceAccountName: {{ include "argo-cd.acrControllerServiceAccountName" . }}
containers:
- args:
- /usr/local/bin/argocd-application-change-revision-controller
{{- with .Values.acrController.extraArgs }}
{{- toYaml . | nindent 8 }}
{{- end }}
image: {{ default .Values.global.image.repository .Values.acrController.image.repository }}:{{ default (include "argo-cd.defaultTag" .) .Values.acrController.image.tag }}
imagePullPolicy: {{ default .Values.global.image.imagePullPolicy .Values.acrController.image.imagePullPolicy }}
name: {{ .Values.acrController.name }}
env:
{{- with (concat .Values.global.env .Values.acrController.env) }}
{{- toYaml . | nindent 10 }}
{{- end }}
- name: ARGOCD_SERVER
value: "http://argocd-server:80"
- name: ARGOCD_TOKEN
valueFrom:
secretKeyRef:
key: token
name: argocd-token
- name: ARGOCD_APPLICATION_NAMESPACES
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: application.namespaces
optional: true
- name: ACR_CONTROLLER_LOGFORMAT
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: acr.log.format
optional: true
- name: ACR_CONTROLLER_LOG_LEVEL
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: acr.log.level
optional: true
- name: ACR_CONTROLLER_LISTEN_ADDRESS
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: acr.listen.address
optional: true
{{- with .Values.acrController.envFrom }}
envFrom:
{{- toYaml . | nindent 10 }}
{{- end }}
ports:
- name: health
containerPort: {{ .Values.acrController.containerPorts.health }}
protocol: TCP
livenessProbe:
httpGet:
path: /healthz?full=true
port: health
initialDelaySeconds: 3
periodSeconds: 30
timeoutSeconds: 5
readinessProbe:
httpGet:
path: /healthz
port: health
initialDelaySeconds: {{ .Values.acrController.readinessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.acrController.readinessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.acrController.readinessProbe.timeoutSeconds }}
successThreshold: {{ .Values.acrController.readinessProbe.successThreshold }}
failureThreshold: {{ .Values.acrController.readinessProbe.failureThreshold }}
resources:
{{- toYaml .Values.acrController.resources | nindent 12 }}
{{- with .Values.acrController.containerSecurityContext }}
securityContext:
{{- toYaml . | nindent 10 }}
{{- end }}
{{- with .Values.acrController.extraContainers }}
{{- tpl (toYaml .) $ | nindent 6 }}
{{- end }}
{{- with .Values.acrController.initContainers }}
initContainers:
{{- tpl (toYaml .) $ | nindent 6 }}
{{- end }}
{{- with include "argo-cd.affinity" (dict "context" . "component" .Values.acrController) }}
affinity:
{{- trim . | nindent 8 }}
{{- end }}
{{- with .Values.acrController.nodeSelector | default .Values.global.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.acrController.tolerations | default .Values.global.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.acrController.topologySpreadConstraints | default .Values.global.topologySpreadConstraints }}
topologySpreadConstraints:
{{- range $constraint := . }}
- {{ toYaml $constraint | nindent 8 | trim }}
{{- if not $constraint.labelSelector }}
labelSelector:
matchLabels:
{{- include "argo-cd.selectorLabels" (dict "context" $ "name" $.Values.acrController.name) | nindent 12 }}
{{- end }}
{{- end }}
{{- end }}
{{- if .Values.acrController.hostNetwork }}
hostNetwork: {{ .Values.acrController.hostNetwork }}
{{- end }}
{{- with .Values.acrController.dnsConfig }}
dnsConfig:
{{- toYaml . | nindent 8 }}
{{- end }}
dnsPolicy: {{ .Values.acrController.dnsPolicy }}
{{- end }}

44
charts/argo-cd/templates/acr-controller/role.yaml Normal file
View file

@ -0,0 +1,44 @@
{{- if .Values.acrController.enabled }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ template "argo-cd.acr-controller.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.acrController.name "name" .Values.acrController.name) | nindent 4 }}
rules:
- apiGroups:
- ""
resources:
- secrets
- configmaps
verbs:
- create
- get
- list
- watch
- update
- patch
- delete
- apiGroups:
- argoproj.io
resources:
- applications
- appprojects
- applicationsets
verbs:
- create
- get
- list
- watch
- update
- delete
- patch
- apiGroups:
- ""
resources:
- events
verbs:
- create
- list
{{- end }}

17
charts/argo-cd/templates/acr-controller/rolebinding.yaml Normal file
View file

@ -0,0 +1,17 @@
{{- if .Values.acrController.enabled }}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ template "argo-cd.acr-controller.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.acrController.name "name" .Values.acrController.name) | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ template "argo-cd.acr-controller.fullname" . }}
subjects:
- kind: ServiceAccount
name: {{ template "argo-cd.acrControllerServiceAccountName" . }}
namespace: {{ .Release.Namespace }}
{{- end }}

19
charts/argo-cd/templates/acr-controller/serviceaccount.yaml Normal file
View file

@ -0,0 +1,19 @@
{{- if and .Values.acrController.enabled .Values.acrController.serviceAccount.create }}
apiVersion: v1
kind: ServiceAccount
automountServiceAccountToken: {{ .Values.acrController.serviceAccount.automountServiceAccountToken }}
metadata:
name: {{ template "argo-cd.acrControllerServiceAccountName" . }}
namespace: {{ .Release.Namespace | quote }}
{{- if .Values.acrController.serviceAccount.annotations }}
annotations:
{{- range $key, $value := .Values.acrController.serviceAccount.annotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.acrController.name "name" .Values.acrController.name) | nindent 4 }}
{{- range $key, $value := .Values.acrController.serviceAccount.labels }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}

12
charts/argo-cd/templates/crds/crd-application.yaml
View file

@ -116,6 +116,12 @@ spec:
sync: sync:
description: Sync contains parameters for the operation description: Sync contains parameters for the operation
properties: properties:
changeRevision:
type: string
changeRevisions:
items:
type: string
type: array
dryRun: dryRun:
description: DryRun specifies to perform a `kubectl apply --dry-run` description: DryRun specifies to perform a `kubectl apply --dry-run`
without actually performing the sync without actually performing the sync
@ -2544,6 +2550,12 @@ spec:
sync: sync:
description: Sync contains parameters for the operation description: Sync contains parameters for the operation
properties: properties:
changeRevision:
type: string
changeRevisions:
items:
type: string
type: array
dryRun: dryRun:
description: DryRun specifies to perform a `kubectl apply description: DryRun specifies to perform a `kubectl apply
--dry-run` without actually performing the sync --dry-run` without actually performing the sync

171
charts/argo-cd/values.yaml
View file

@ -3907,3 +3907,174 @@ eventReporter:
enabled: false enabled: false
# -- List of custom rules for the event reporter's ClusterRole resource # -- List of custom rules for the event reporter's ClusterRole resource
rules: [] rules: []
acrController:
# Enabled we need to skip argo-cd chart tests for this component
enabled: false
name: acr-controller
## Amount of replicas for event reporting sharding
replicas: 1
## ACR controller image
image:
# -- Repository to use for the event reporter
# @default -- `""` (defaults to global.image.repository)
repository: ""
# -- Tag to use for the event reporter
# @default -- `""` (defaults to global.image.tag)
tag: ""
# -- Image pull policy for the event reporter
# @default -- `""` (defaults to global.image.imagePullPolicy)
imagePullPolicy: ""
# -- Secrets with credentials to pull images from a private registry
# @default -- `[]` (defaults to global.imagePullSecrets)
imagePullSecrets: []
# -- Additional command line arguments to pass to event reporter
extraArgs: []
# -- Environment variables to pass to event reporter
env: []
# -- envFrom to pass to event reporter
# @default -- `[]` (See [values.yaml])
envFrom: []
# - configMapRef:
# name: config-map-name
# - secretRef:
# name: secret-name
# -- Additional containers to be added to the event reporter pod
## Note: Supports use of custom Helm templates
extraContainers: []
# -- Init containers to add to the event reporter pod
## If your target Kubernetes cluster(s) require a custom credential (exec) plugin
## you could use this (and the same in the server pod) to provide such executable
## Ref: https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins
## Note: Supports use of custom Helm templates
initContainers: []
# - name: download-tools
# image: alpine:3
# command: [sh, -c]
# args:
# - wget -qO kubelogin.zip https://github.com/Azure/kubelogin/releases/download/v0.0.25/kubelogin-linux-amd64.zip &&
# unzip kubelogin.zip && mv bin/linux_amd64/kubelogin /custom-tools/
# volumeMounts:
# - mountPath: /custom-tools
# name: custom-tools
# -- Additional volumeMounts to the event reporter main container
volumeMounts: []
# - mountPath: /usr/local/bin/kubelogin
# name: custom-tools
# subPath: kubelogin
# -- Additional volumes to the event reporter pod
volumes: []
# - name: custom-tools
# emptyDir: {}
# -- Annotations for the event reporter StatefulSet
statefulsetAnnotations: {}
# -- Annotations to be added to event reporter pods
podAnnotations: {}
# -- Labels to be added to event reporter pods
podLabels: {}
# -- Resource limits and requests for the event reporter pods
resources: {}
# limits:
# cpu: 500m
# memory: 512Mi
# requests:
# cpu: 250m
# memory: 256Mi
# Event reporter container ports
containerPorts:
health: 8090
# -- Host Network for event reporter pods
hostNetwork: false
# -- [DNS configuration]
dnsConfig: {}
# -- Alternative DNS policy for event reporter pods
dnsPolicy: "ClusterFirst"
# -- Event reporter container-level security context
# @default -- See [values.yaml]
containerSecurityContext:
runAsNonRoot: true
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
seccompProfile:
type: RuntimeDefault
capabilities:
drop:
- ALL
# Readiness probe for event reporter
## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
readinessProbe:
# -- Minimum consecutive failures for the [probe] to be considered failed after having succeeded
failureThreshold: 3
# -- Number of seconds after the container has started before [probe] is initiated
initialDelaySeconds: 10
# -- How often (in seconds) to perform the [probe]
periodSeconds: 10
# -- Minimum consecutive successes for the [probe] to be considered successful after having failed
successThreshold: 1
# -- Number of seconds after which the [probe] times out
timeoutSeconds: 1
# -- terminationGracePeriodSeconds for container lifecycle hook
terminationGracePeriodSeconds: 30
# -- Priority class for the event reporter pods
# @default -- `""` (defaults to global.priorityClassName)
priorityClassName: ""
# -- [Node selector]
# @default -- `{}` (defaults to global.nodeSelector)
nodeSelector: {}
# -- [Tolerations] for use with node taints
# @default -- `[]` (defaults to global.tolerations)
tolerations: []
# -- Assign custom [affinity] rules to the deployment
# @default -- `{}` (defaults to global.affinity preset)
affinity: {}
# -- Assign custom [TopologySpreadConstraints] rules to the event reporter
# @default -- `[]` (defaults to global.topologySpreadConstraints)
## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
## If labelSelector is left out, it will default to the labelSelector configuration of the deployment
topologySpreadConstraints: []
# - maxSkew: 1
# topologyKey: topology.kubernetes.io/zone
# whenUnsatisfiable: DoNotSchedule
serviceAccount:
# -- Create a service account for the event reporter
create: true
# -- Service account name
name: acr-controller
# -- Annotations applied to created service account
annotations: {}
# -- Labels applied to created service account
labels: {}
# -- Automount API credentials for the Service Account
automountServiceAccountToken: true
## Enable this and set the rules: to whatever custom rules you want for the Cluster Role resource.
## Defaults to off
clusterRoleRules:
# -- Enable custom rules for the event reporter's ClusterRole resource
enabled: false
# -- List of custom rules for the event reporter's ClusterRole resource
rules: []