From 46e08b1fe8c9f2233e37f8b16c15a68c8e902d15 Mon Sep 17 00:00:00 2001 From: Mark Haley Date: Wed, 29 Apr 2020 21:45:20 -0400 Subject: [PATCH 1/5] feat: Allow custom paths for server ingress (#317) --- charts/argo/Chart.yaml | 2 +- charts/argo/templates/server-ingress.yaml | 7 +++++++ charts/argo/values.yaml | 5 +++++ 3 files changed, 13 insertions(+), 1 deletion(-) diff --git a/charts/argo/Chart.yaml b/charts/argo/Chart.yaml index a7e383f2..eac1f9e1 100644 --- a/charts/argo/Chart.yaml +++ b/charts/argo/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v1 appVersion: "v2.7.6" description: A Helm chart for Argo Workflows name: argo -version: 0.8.1 +version: 0.8.2 icon: https://raw.githubusercontent.com/argoproj/argo/master/docs/assets/argo.png home: https://github.com/argoproj/argo-helm maintainers: diff --git a/charts/argo/templates/server-ingress.yaml b/charts/argo/templates/server-ingress.yaml index bee5a7f8..eb0f37e0 100644 --- a/charts/argo/templates/server-ingress.yaml +++ b/charts/argo/templates/server-ingress.yaml @@ -24,6 +24,13 @@ spec: - host: {{ . }} http: paths: + {{- if $.Values.server.ingress.paths }} + {{- range $.Values.server.ingress.paths }} + - backend: + serviceName: {{ .serviceName }} + servicePort: {{ .servicePort }} + {{- end }} + {{- end }} - backend: serviceName: {{ $serviceName }} servicePort: {{ $servicePort }} diff --git a/charts/argo/values.yaml b/charts/argo/values.yaml index 8cbf4542..3c031df2 100644 --- a/charts/argo/values.yaml +++ b/charts/argo/values.yaml @@ -168,6 +168,11 @@ server: # hosts: # - argo.domain.com + ## Additional Paths for each host + # paths: + # - serviceName: "ssl-redirect" + # servicePort: "use-annotation" + ## TLS configuration. ## Secrets must be manually created in the namespace. ## From f2a3adc7f49236ea57819f22e00d9ee024bf1c8d Mon Sep 17 00:00:00 2001 
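Review bot: In the server-ingress.yaml hunk, each entry of `server.ingress.paths` is rendered with only `backend.serviceName` and `backend.servicePort`, so despite the option's name no `path` can be set, and every extra entry becomes a path-less rule placed ahead of the Argo server backend. Consider rendering an optional path above `backend:`, e.g. `{{- if .path }}` / `path: {{ .path | quote }}` / `{{- end }}`, and quoting the name as `serviceName: {{ .serviceName | quote }}` so an empty or boolean-looking value does not change type. The outer `if` is redundant, because `range` over an empty or missing list renders nothing. Each entry publishes another Service on the Argo host, so the values.yaml comment should say the named service must be one the operator intends to expose.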
From: ygapon-mio <60629171+ygapon-mio@users.noreply.github.com> Date: Wed, 29 Apr 2020 22:04:07 -0400 Subject: [PATCH 2/5] feat: add support for setting roleARN and useSDKCreds properties for S3 artifact repository (#329) --- charts/argo/Chart.yaml | 2 +- charts/argo/templates/workflow-controller-config-map.yaml | 6 ++++++ charts/argo/values.yaml | 2 ++ 3 files changed, 9 insertions(+), 1 deletion(-) diff --git a/charts/argo/Chart.yaml b/charts/argo/Chart.yaml index eac1f9e1..3f86de62 100644 --- a/charts/argo/Chart.yaml +++ b/charts/argo/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v1 appVersion: "v2.7.6" description: A Helm chart for Argo Workflows name: argo -version: 0.8.2 +version: 0.8.3 icon: https://raw.githubusercontent.com/argoproj/argo/master/docs/assets/argo.png home: https://github.com/argoproj/argo-helm maintainers: diff --git a/charts/argo/templates/workflow-controller-config-map.yaml b/charts/argo/templates/workflow-controller-config-map.yaml index 305428de..ae73d117 100644 --- a/charts/argo/templates/workflow-controller-config-map.yaml +++ b/charts/argo/templates/workflow-controller-config-map.yaml @@ -39,6 +39,12 @@ data: {{- if .Values.artifactRepository.s3.region }} region: {{ .Values.artifactRepository.s3.region }} {{- end }} + {{- if .Values.artifactRepository.s3.roleARN }} + roleARN: {{ .Values.artifactRepository.s3.roleARN }} + {{- end }} + {{- if .Values.artifactRepository.s3.useSDKCreds }} + useSDKCreds: {{ .Values.artifactRepository.s3.useSDKCreds }} + {{- end }} {{- end}} {{- if .Values.controller.metricsConfig.enabled }} metricsConfig: diff --git a/charts/argo/values.yaml b/charts/argo/values.yaml index 3c031df2..3bf74b3f 100644 --- a/charts/argo/values.yaml +++ b/charts/argo/values.yaml @@ -200,6 +200,8 @@ artifactRepository: # bucket: # endpoint: # region: + # roleARN: + # useSDKCreds: true # NOTE: These are setting attributes for the `minio` optional dependency minio: From ad34abed7e81514cc7f14369d07d5fb214bcc1f2 Mon Sep 17 00:00:00 2001 
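Review bot: In the workflow-controller-config-map.yaml hunk, `roleARN` is emitted as an unquoted template value; write it as `roleARN: {{ .Values.artifactRepository.s3.roleARN | quote }}` so the rendered config does not depend on how the ARN text happens to parse. Going by its name, `useSDKCreds` makes the S3 client take credentials from the pod or node identity rather than from the configured key secrets, which changes who can reach the bucket. The values.yaml hunk should document that, for example `# useSDKCreds: true  # use the AWS identity of the pod/node; roleARN is the role to assume`. The enclosing `s3:` block starts outside the hunk, so how these keys interact with the existing secret settings cannot be checked here.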
From: Kristof Farkas-Pall Date: Thu, 30 Apr 2020 15:29:30 +0100 Subject: [PATCH 3/5] fix: allow server cluster role to delete pods (#278) --- charts/argo/Chart.yaml | 2 +- charts/argo/templates/server-cluster-role.yaml | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/charts/argo/Chart.yaml b/charts/argo/Chart.yaml index 3f86de62..a919ab27 100644 --- a/charts/argo/Chart.yaml +++ b/charts/argo/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v1 appVersion: "v2.7.6" description: A Helm chart for Argo Workflows name: argo -version: 0.8.3 +version: 0.8.4 icon: https://raw.githubusercontent.com/argoproj/argo/master/docs/assets/argo.png home: https://github.com/argoproj/argo-helm maintainers: diff --git a/charts/argo/templates/server-cluster-role.yaml b/charts/argo/templates/server-cluster-role.yaml index 0d8103f2..193a5c7b 100644 --- a/charts/argo/templates/server-cluster-role.yaml +++ b/charts/argo/templates/server-cluster-role.yaml @@ -28,6 +28,7 @@ rules: - get - list - watch + - delete {{- if .Values.controller.persistence }} - apiGroups: - "" From ab83169c2d7a04d6911a8833e9949387831ba426 Mon Sep 17 00:00:00 2001 From: Pablo Osinaga Date: Thu, 30 Apr 2020 16:39:08 +0200 Subject: [PATCH 4/5] docs: Add paguos to argo workflows codeowners (#331) --- CODEOWNERS | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CODEOWNERS b/CODEOWNERS index 4e0014f8..7de4e9c4 100644 --- a/CODEOWNERS +++ b/CODEOWNERS @@ -7,7 +7,7 @@ /charts/argo-events @jbehling # Argo Workflows -/charts/argo @benjaminws @stefansedich +/charts/argo @benjaminws @stefansedich @paguos # Argo Rollouts /charts/argo-rollouts @cabrinha From de30e84cf4a21b3c5a23d5f5105e77e56e9b99f8 Mon Sep 17 00:00:00 2001 
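Review bot: The `- delete` verb added in server-cluster-role.yaml lands in an existing rule whose `resources` list starts outside the hunk, so the server's ClusterRole gains delete on everything that rule names, in every namespace. If only pods need it, as the subject line says, put the verb in its own rule limited to `pods` and leave the read-only rule as it was. A one-line comment naming the server feature that needs pod deletion would make later RBAC reviews easier.

```yaml
# … unchanged: existing rule with get / list / watch …
# Separate rule so that delete applies to pods only.
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - delete
```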
From: Kristof Farkas-Pall Date: Thu, 30 Apr 2020 22:00:07 +0100 Subject: [PATCH 5/5] feat: add support for namespaced install (#263) --- .gitignore | 1 + charts/argo/Chart.yaml | 2 +- .../argo/templates/server-cluster-role.yaml | 8 +++++- charts/argo/templates/server-crb.yaml | 11 ++++++++ charts/argo/templates/server-deployment.yaml | 27 +++++++++---------- charts/argo/templates/server-sa.yaml | 2 ++ .../workflow-controller-clusterrole.yaml | 8 +++++- .../workflow-controller-config-map.yaml | 5 ++++ .../templates/workflow-controller-crb.yaml | 13 +++++++-- .../workflow-controller-deployment.yaml | 3 +++ .../templates/workflow-controller-sa.yaml | 2 ++ charts/argo/values.yaml | 12 +++++++-- 12 files changed, 72 insertions(+), 22 deletions(-) diff --git a/.gitignore b/.gitignore index f501fc92..2529e3b1 100644 --- a/.gitignore +++ b/.gitignore @@ -1,4 +1,5 @@ output .vscode .DS_Store +.idea **/*.tgz diff --git a/charts/argo/Chart.yaml b/charts/argo/Chart.yaml index a919ab27..df37b454 100644 --- a/charts/argo/Chart.yaml +++ b/charts/argo/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v1 appVersion: "v2.7.6" description: A Helm chart for Argo Workflows name: argo -version: 0.8.4 +version: 0.8.5 icon: https://raw.githubusercontent.com/argoproj/argo/master/docs/assets/argo.png home: https://github.com/argoproj/argo-helm maintainers: diff --git a/charts/argo/templates/server-cluster-role.yaml b/charts/argo/templates/server-cluster-role.yaml index 193a5c7b..efb9d564 100644 --- a/charts/argo/templates/server-cluster-role.yaml +++ b/charts/argo/templates/server-cluster-role.yaml 
@@ -1,8 +1,14 @@ {{- if .Values.server.enabled }} apiVersion: rbac.authorization.k8s.io/v1 +{{- if .Values.singleNamespace }} +kind: Role +metadata: + name: {{ .Release.Name }}-{{ .Values.server.name }}-role +{{ else }} kind: ClusterRole metadata: - name: {{ .Release.Name }}-{{ .Values.server.name}}-cluster-role + name: {{ .Release.Name }}-{{ .Values.server.name }}-cluster-role +{{- end }} rules: - apiGroups: - "" diff --git a/charts/argo/templates/server-crb.yaml b/charts/argo/templates/server-crb.yaml index e764b847..ed7d7982 100644 --- a/charts/argo/templates/server-crb.yaml +++ b/charts/argo/templates/server-crb.yaml @@ -1,12 +1,23 @@ {{- if .Values.server.enabled -}} apiVersion: rbac.authorization.k8s.io/v1 +{{- if .Values.singleNamespace }} +kind: RoleBinding +metadata: + name: {{ .Release.Name }}-{{ .Values.server.name}}-rb +{{ else }} kind: ClusterRoleBinding metadata: name: {{ .Release.Name }}-{{ .Values.server.name}}-crb +{{- end }} roleRef: apiGroup: rbac.authorization.k8s.io + {{- if .Values.singleNamespace }} + kind: Role + name: {{ .Release.Name }}-{{ .Values.server.name}}-role + {{ else }} kind: ClusterRole name: {{ .Release.Name }}-{{ .Values.server.name}}-cluster-role + {{- end }} subjects: - kind: ServiceAccount name: {{ .Values.server.serviceAccount }} diff --git a/charts/argo/templates/server-deployment.yaml b/charts/argo/templates/server-deployment.yaml index 1d716c35..5f5ff726 100644 --- a/charts/argo/templates/server-deployment.yaml +++ b/charts/argo/templates/server-deployment.yaml @@ -1,5 +1,5 @@ - -{{- if .Values.server.enabled -}}apiVersion: apps/v1 +{{- if .Values.server.enabled -}} +apiVersion: apps/v1 kind: Deployment metadata: name: {{ .Release.Name }}-{{ .Values.server.name}} @@ -13,7 +13,6 @@ spec: matchLabels: app: {{ .Release.Name }}-{{ .Values.server.name}} release: {{ .Release.Name }} - app: {{ .Release.Name }}-{{ .Values.server.name}} template: metadata: labels: 
@@ -35,26 +34,24 @@ spec: {{- if .Values.server.extraArgs }} {{- toYaml .Values.server.extraArgs | nindent 10 }} {{- end }} + {{- if .Values.singleNamespace }} + - "--namespaced" + {{- end }} image: "{{ .Values.images.namespace }}/{{ .Values.images.server }}:{{ default .Values.images.tag .Values.server.image.tag }}" imagePullPolicy: {{ .Values.images.pullPolicy }} {{- if .Values.server.podPortName }} ports: - name: {{ .Values.server.podPortName }} - ports: containerPort: 2746 - readinessProbe: - httpGet: - path: / - port: 2746 - scheme: HTTP - initialDelaySeconds: 10 - periodSeconds: 20 {{- end }} + readinessProbe: + httpGet: + path: / + port: 2746 + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 20 env: - {{- if .Values.server.forceNamespaceIsolation }} - - name: FORCE_NAMESPACE_ISOLATION - value: "true" - {{- end }} - name: IN_CLUSTER value: "true" - name: ARGO_NAMESPACE diff --git a/charts/argo/templates/server-sa.yaml b/charts/argo/templates/server-sa.yaml index 8027811e..c0d332e1 100644 --- a/charts/argo/templates/server-sa.yaml +++ b/charts/argo/templates/server-sa.yaml @@ -3,4 +3,6 @@ apiVersion: v1 kind: ServiceAccount metadata: name: {{ .Values.server.serviceAccount }} + annotations: +{{ toYaml .Values.server.serviceAccountAnnotations | indent 4 }} {{- end -}} diff --git a/charts/argo/templates/workflow-controller-clusterrole.yaml b/charts/argo/templates/workflow-controller-clusterrole.yaml index 2511c1a3..20515321 100644 --- a/charts/argo/templates/workflow-controller-clusterrole.yaml +++ b/charts/argo/templates/workflow-controller-clusterrole.yaml @@ -1,7 +1,13 @@ apiVersion: rbac.authorization.k8s.io/v1 +{{- if .Values.singleNamespace }} +kind: Role +metadata: + name: {{ .Release.Name }}-{{ .Values.controller.name }}-role +{{ else }} kind: ClusterRole metadata: - name: {{ .Release.Name }}-{{ .Values.controller.name}}-cluster-role + name: {{ .Release.Name }}-{{ .Values.controller.name }}-cluster-role +{{- end }} rules: - apiGroups: - "" 
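Review bot: The server-deployment.yaml hunk drops the `FORCE_NAMESPACE_ISOLATION` env var, and the values.yaml hunk later in this patch drops `server.forceNamespaceIsolation`, so a release that sets it to `true` will upgrade without error and silently lose the setting. Unless `singleNamespace` is also set, that release still gets the ClusterRole and ClusterRoleBinding. Fail the render instead of ignoring the old key, e.g. `{{- if .Values.server.forceNamespaceIsolation }}{{ fail "server.forceNamespaceIsolation was removed; set singleNamespace instead" }}{{- end }}` at the top of the template. Whether `--namespaced` gives the same isolation as the removed variable is not visible here and should be stated in the commit message or the values.yaml comment.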
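Review bot: In server-sa.yaml the `annotations:` key is always rendered and its body comes from a column-0 `toYaml … | indent 4` line, so the default `{}` produces an empty mapping and a null value would render as `annotations: null`. Emit the key only when annotations are set, using the `with` / `nindent` form this patch already uses for `executor.resources`; the same applies to the workflow-controller-sa.yaml hunk. Service-account annotations are commonly where a cloud IAM role is bound to the workload, so the values.yaml comment could say that these annotations can grant the pods external permissions.

```yaml
metadata:
  name: {{ .Values.server.serviceAccount }}
  {{- with .Values.server.serviceAccountAnnotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
```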
diff --git a/charts/argo/templates/workflow-controller-config-map.yaml b/charts/argo/templates/workflow-controller-config-map.yaml index ae73d117..068b381c 100644 --- a/charts/argo/templates/workflow-controller-config-map.yaml +++ b/charts/argo/templates/workflow-controller-config-map.yaml @@ -16,6 +16,11 @@ data: {{- end }} {{- end }} containerRuntimeExecutor: {{ .Values.controller.containerRuntimeExecutor }} + {{- with .Values.executor.resources }} + executor: + resources: + {{- toYaml . | nindent 8 }} + {{- end }} artifactRepository: {{- if or .Values.minio.install .Values.useDefaultArtifactRepo }} {{- if .Values.artifactRepository.archiveLogs }} diff --git a/charts/argo/templates/workflow-controller-crb.yaml b/charts/argo/templates/workflow-controller-crb.yaml index 5dc55111..3eba3cf2 100644 --- a/charts/argo/templates/workflow-controller-crb.yaml +++ b/charts/argo/templates/workflow-controller-crb.yaml @@ -1,11 +1,20 @@ apiVersion: rbac.authorization.k8s.io/v1 +{{- if .Values.singleNamespace }} +kind: RoleBinding +{{ else }} kind: ClusterRoleBinding +{{- end }} metadata: - name: {{ .Release.Name }}-{{ .Values.controller.name}}-binding + name: {{ .Release.Name }}-{{ .Values.controller.name }}-binding roleRef: apiGroup: rbac.authorization.k8s.io + {{- if .Values.singleNamespace }} + kind: Role + name: {{ .Release.Name }}-{{ .Values.controller.name }}-role + {{ else }} kind: ClusterRole - name: {{ .Release.Name }}-{{ .Values.controller.name}}-cluster-role + name: {{ .Release.Name }}-{{ .Values.controller.name }}-cluster-role + {{- end }} subjects: - kind: ServiceAccount name: {{ .Values.controller.serviceAccount }} diff --git a/charts/argo/templates/workflow-controller-deployment.yaml b/charts/argo/templates/workflow-controller-deployment.yaml index 06b708c6..2b8b1dbd 100644 --- a/charts/argo/templates/workflow-controller-deployment.yaml +++ b/charts/argo/templates/workflow-controller-deployment.yaml 
@@ -40,6 +40,9 @@ spec: - "{{ .Values.controller.logging.level }}" - "--gloglevel" - "{{ .Values.controller.logging.globallevel }}" + {{- if .Values.singleNamespace }} + - "--namespaced" + {{- end }} env: - name: ARGO_NAMESPACE valueFrom: diff --git a/charts/argo/templates/workflow-controller-sa.yaml b/charts/argo/templates/workflow-controller-sa.yaml index af3ef519..02d274da 100644 --- a/charts/argo/templates/workflow-controller-sa.yaml +++ b/charts/argo/templates/workflow-controller-sa.yaml @@ -2,3 +2,5 @@ apiVersion: v1 kind: ServiceAccount metadata: name: {{ .Values.controller.serviceAccount }} + annotations: +{{ toYaml .Values.controller.serviceAccountAnnotations | indent 4 }} diff --git a/charts/argo/values.yaml b/charts/argo/values.yaml index 3bf74b3f..b1324014 100644 --- a/charts/argo/values.yaml +++ b/charts/argo/values.yaml @@ -16,6 +16,10 @@ init: createAggregateRoles: true +# Restrict Argo to only deploy into a single namespace by apply Roles and RoleBindings instead of the Cluster equivalents, +# and start argo-cli with the --namespaced flag. Use it in clusters with strict access policy. +singleNamespace: false + controller: image: # Overrides .images.tag if defined. @@ -59,6 +63,8 @@ controller: enabled: false additionalLabels: {} serviceAccount: argo + # Service account annotations + serviceAccountAnnotations: {} name: workflow-controller workflowNamespaces: - default @@ -99,15 +105,15 @@ controller: tolerations: [] affinity: {} +# executor controls how the init and wait container should be customized executor: image: # Overrides .images.tag if defined. tag: "" + resources: {} server: enabled: true - # only show workflows where UI installed - forceNamespaceIsolation: false # only updates base url of resources on client side, # it's expected that a proxy server rewrites the request URL and gets rid of this prefix # https://github.com/argoproj/argo/issues/716#issuecomment-433213190 
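Review bot: The comment added above `singleNamespace` in values.yaml says the flag is passed to "argo-cli", but the template hunks in this patch add `--namespaced` to the server and workflow-controller containers; "by apply" should also read "by applying". Suggested wording: `# Restrict Argo to a single namespace: create a Role and RoleBinding instead of the cluster-scoped equivalents,` / `# and start the server and workflow controller with --namespaced.` The context line just above shows `createAggregateRoles: true` still on by default. If that option creates ClusterRoles (not visible in this hunk), the comment should tell clusters with a strict access policy to disable it as well.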
@@ -124,6 +130,8 @@ server: servicePort: 2746 # servicePortName: http serviceAccount: argo-server + # Service account annotations + serviceAccountAnnotations: {} # Annotations to be applied to the UI Service serviceAnnotations: {} # Optional labels to add to the UI Service