From af9a14a1ec4a445bb001d1de4c7851aa9b4a797d Mon Sep 17 00:00:00 2001
From: Vlad Losev
Date: Wed, 18 Nov 2020 11:59:17 -0800
Subject: [PATCH 1/3] feat(Argo): Add secret access whitelist for server. (#499)
Signed-off-by: Vlad Losev
---
 charts/argo/Chart.yaml | 2 +-
 .../argo/templates/server-cluster-roles.yaml | 34 ++++++++++++-------
 charts/argo/values.yaml | 3 ++
 3 files changed, 25 insertions(+), 14 deletions(-)
diff --git a/charts/argo/Chart.yaml b/charts/argo/Chart.yaml
index 7ac88c50..ccc7fa7f 100644
--- a/charts/argo/Chart.yaml
+++ b/charts/argo/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v1
 appVersion: v2.11.7
 description: A Helm chart for Argo Workflows
 name: argo
-version: 0.13.6
+version: 0.13.7
 icon: https://raw.githubusercontent.com/argoproj/argo/master/docs/assets/argo.png
 home: https://github.com/argoproj/argo-helm
 maintainers:
diff --git a/charts/argo/templates/server-cluster-roles.yaml b/charts/argo/templates/server-cluster-roles.yaml
index eb7b71a4..ac51e455 100644
--- a/charts/argo/templates/server-cluster-roles.yaml
+++ b/charts/argo/templates/server-cluster-roles.yaml
@@ -13,12 +13,6 @@ rules: - get - watch - list -- apiGroups: - "" resources: - secrets verbs: - get - apiGroups: - "" resources:
@@ -30,6 +24,21 @@ rules:
 - list
 - watch
 - delete
+- apiGroups:
+ - ""
+ resources:
+ - serviceaccounts
+ verbs:
+ - get
+- apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - get
+{{- with .Values.server.rbac.secretWhitelist }}
+ resourceNames: {{- toYaml . | nindent 4 }}
+{{- end }}
 - apiGroups:
 - ""
 resources:
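Review bot: The new `secrets` rule in the `@@ -30,6 +24,21 @@` hunk is only narrowed when `server.rbac.secretWhitelist` is non-empty, because `{{- with }}` skips an empty list, so with the shipped default `secretWhitelist: []` the server keeps cluster-wide `get` on every Secret, and a user who sets an empty list expecting no access gets the opposite. Emitting an empty `resourceNames` would not help either, since RBAC treats an empty name list as matching all objects; if a deny-all setting is wanted, the rule itself has to be omitted. At minimum the values.yaml comment in the `@@ -164,6 +164,9 @@` hunk ("When present, restricts …") should say so, e.g. `# Names of the Secrets the server may read. An empty list allows reading all Secrets.` The adjacent `serviceaccounts` rule likewise grants `get` on every ServiceAccount, whereas the rule it replaces was name-restricted; if that widening is intended it deserves a mention in the commit message. The ClusterRole's `rules:` list starts before this hunk.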
@@ -41,15 +50,14 @@ rules:
 - ""
 resources:
 - secrets
- - serviceaccounts
 resourceNames:
- {{- if .Values.controller.persistence.postgresql }}
- - {{ .Values.controller.persistence.postgresql.userNameSecret.name }}
- - {{ .Values.controller.persistence.postgresql.passwordSecret.name }}
+ {{- with .Values.controller.persistence.postgresql }}
+ - {{ .userNameSecret.name }}
+ - {{ .passwordSecret.name }}
 {{- end}}
- {{- if .Values.controller.persistence.mysql }}
- - {{ .Values.controller.persistence.mysql.userNameSecret.name }}
- - {{ .Values.controller.persistence.mysql.passwordSecret.name }}
+ {{- with .Values.controller.persistence.mysql }}
+ - {{ .userNameSecret.name }}
+ - {{ .passwordSecret.name }}
 {{- end}}
 verbs:
 - get
diff --git a/charts/argo/values.yaml b/charts/argo/values.yaml
index 4fa4cd7a..5a9a452b 100644
--- a/charts/argo/values.yaml
+++ b/charts/argo/values.yaml
@@ -164,6 +164,9 @@ server:
 serviceType: ClusterIP
 servicePort: 2746
 # servicePortName: http
+ rbac:
+ # When present, restricts secrets the server can read to a given list.
+ secretWhitelist: []
 serviceAccount: argo-server
 # Whether to create the service account with the name specified in
 # server.serviceAccount and bind it to the server role.
From ab8f54d3c2ad920414e4520f4e6b8eb53905fa1a Mon Sep 17 00:00:00 2001
From: abuckenheimer
Date: Wed, 18 Nov 2020 15:53:44 -0500
Subject: [PATCH 2/3] fix --pod-workers helm context (#481)
Signed-off-by: Alec Buckenheimer
---
 charts/argo/Chart.yaml | 2 +-
 charts/argo/templates/workflow-controller-deployment.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
 mode change 100644 => 100755 charts/argo/templates/workflow-controller-deployment.yaml
diff --git a/charts/argo/Chart.yaml b/charts/argo/Chart.yaml
index ccc7fa7f..63fbbdbb 100644
--- a/charts/argo/Chart.yaml
+++ b/charts/argo/Chart.yaml
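Review bot: The `resourceNames:` key in the `@@ -41,15 +50,14 @@` hunk is emitted unconditionally while both `with` blocks that fill it are optional, so when neither `controller.persistence.postgresql` nor `controller.persistence.mysql` is set the key renders with no items, which YAML reads as null and RBAC treats as "all names" — leaving a second, unrestricted `get` on Secrets that sidesteps the whitelist this commit adds to the rule above. Wrapping the whole rule in `{{- if or .Values.controller.persistence.postgresql .Values.controller.persistence.mysql }}` … `{{- end }}` would make it appear only when it actually has names to restrict. This was already the behaviour before the change, but it matters now that the chart advertises a secret whitelist. The rule's `- apiGroups:` line begins before the first line of the hunk.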
@@ -2,7 +2,7 @@ apiVersion: v1
 appVersion: v2.11.7
 description: A Helm chart for Argo Workflows
 name: argo
-version: 0.13.7
+version: 0.13.8
 icon: https://raw.githubusercontent.com/argoproj/argo/master/docs/assets/argo.png
 home: https://github.com/argoproj/argo-helm
 maintainers:
diff --git a/charts/argo/templates/workflow-controller-deployment.yaml b/charts/argo/templates/workflow-controller-deployment.yaml
old mode 100644
new mode 100755
index 74828caa..dda3df94
--- a/charts/argo/templates/workflow-controller-deployment.yaml
+++ b/charts/argo/templates/workflow-controller-deployment.yaml
@@ -51,7 +51,7 @@ spec:
 - "--workflow-workers"
 - {{ . | quote }}
 {{- end }}
- {{- if .Values.controller.podWorkers }}
+ {{- with .Values.controller.podWorkers }}
 - "--pod-workers"
 - {{ . | quote }}
 {{- end }}
From 15a76e56d01ffafef0b3193b45a58857120c6778 Mon Sep 17 00:00:00 2001
From: Christopher Sauer
Date: Mon, 23 Nov 2020 19:29:19 -0600
Subject: [PATCH 3/3] feat: allow controller replicas to be set (#496)
Signed-off-by: mr-sour
Co-authored-by: mr-sour
---
 charts/argo-cd/Chart.yaml | 2 +-
 charts/argo-cd/README.md | 1 +
 .../argocd-application-controller/deployment.yaml | 2 +-
 charts/argo-cd/values.yaml | 7 +++++++
 4 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/charts/argo-cd/Chart.yaml b/charts/argo-cd/Chart.yaml
index 8b70c98b..f6b967a1 100644
--- a/charts/argo-cd/Chart.yaml
+++ b/charts/argo-cd/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v1
 appVersion: 1.7.6
 description: A Helm chart for ArgoCD, a declarative, GitOps continuous delivery tool for Kubernetes.
 name: argo-cd
-version: 2.9.5
+version: 2.10.0
 home: https://github.com/argoproj/argo-helm
 icon: https://raw.githubusercontent.com/argoproj/argo/master/docs/assets/argo.png
 keywords:
diff --git a/charts/argo-cd/README.md b/charts/argo-cd/README.md
index b58434e2..07b72e20 100644
--- a/charts/argo-cd/README.md
+++ b/charts/argo-cd/README.md
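Review bot: The file header for workflow-controller-deployment.yaml shows `old mode 100644` / `new mode 100755`; a Helm template has no reason to be executable and the commit message only mentions the `--pod-workers` context fix, so the mode change looks accidental and should be reverted in the same commit. The `if` → `with` change itself is right: inside `{{- if }}` the dot still referred to the enclosing context, so `{{ . | quote }}` was not quoting `podWorkers`. Be aware that `with`, like `if`, treats `0` as empty, so `podWorkers: 0` would be dropped rather than passed through; acceptable if zero is not a meaningful setting. The container's args list continues outside the hunk.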
@@ -119,6 +119,7 @@ Helm v3 has removed the `install-crds` hook so CRDs are now populated by files i
 | controller.readinessProbe.periodSeconds | [Kubernetes probe configuration](https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes) | `10` |
 | controller.readinessProbe.successThreshold | [Kubernetes probe configuration](https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes) | `1` |
 | controller.readinessProbe.timeoutSeconds | [Kubernetes probe configuration](https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes) | `1` |
+| controller.replicas | The number of controller pods to run | `1` |\
 | controller.resources | Resource limits and requests for the controller pods. | `{}` |
 | controller.service.annotations | Controller service annotations. | `{}` |
 | controller.service.labels | Controller service labels. | `{}` |
diff --git a/charts/argo-cd/templates/argocd-application-controller/deployment.yaml b/charts/argo-cd/templates/argocd-application-controller/deployment.yaml
index 3067e969..3dde5e51 100755
--- a/charts/argo-cd/templates/argocd-application-controller/deployment.yaml
+++ b/charts/argo-cd/templates/argocd-application-controller/deployment.yaml
@@ -17,7 +17,7 @@ spec:
 app.kubernetes.io/name: {{ include "argo-cd.name" . }}-application-controller
 app.kubernetes.io/instance: {{ .Release.Name }}
 revisionHistoryLimit: 5
- replicas: 1
+ replicas: {{ .Values.controller.replicas }}
 template:
 metadata:
 {{- if .Values.controller.podAnnotations }}
diff --git a/charts/argo-cd/values.yaml b/charts/argo-cd/values.yaml
index 57095815..745b270b 100755
--- a/charts/argo-cd/values.yaml
+++ b/charts/argo-cd/values.yaml
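Review bot: `replicas: {{ .Values.controller.replicas }}` in the deployment.yaml hunk takes the count from values, but the commit's own values.yaml comment says the controller must also receive the same number as `ARGOCD_CONTROLLER_REPLICAS`, and nothing in this template sets that variable, so the two can silently diverge. Rendering it from the same value in the container's env list (not visible in this hunk) would keep them coupled: `- name: ARGOCD_CONTROLLER_REPLICAS` / `value: {{ .Values.controller.replicas | quote }}`. If a user's values file omits the key, the line renders as `replicas:` (null) and is defaulted server-side rather than flagged, so `{{ .Values.controller.replicas | default 1 }}` or a `required` guard would make the intent explicit. The README row for this key in the preceding hunk ends with a stray `\`, which will show up in the rendered table. The Deployment spec and its container definition extend beyond the hunk.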
@@ -31,6 +31,10 @@ controller:
 tag: # v1.7.6
 imagePullPolicy: # IfNotPresent
+ # If changing the number of replicas you must pass the number as ARGOCD_CONTROLLER_REPLICAS as an environment variable
+ replicas: 1
+
+ ## Argo controller commandline flags
 args:
 statusProcessors: "20"
@@ -49,6 +53,9 @@ controller:
 ## Environment variables to pass to argocd-controller
 ##
 env: []
+ # - name: "ARGOCD_CONTROLLER_REPLICAS"
+ # value: ""
+ ## Annotations to be added to controller pods
 ##
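Review bot: The comment above `replicas: 1` in the `@@ -31,6 +31,10 @@` hunk is a single line of roughly 120 characters, and the commented env example in the `@@ -49,6 +53,9 @@` hunk leaves `value: ""` blank, so a reader cannot see that the variable has to carry the same number as `replicas`. Wrap it and state the coupling, e.g. `# Number of controller pods. If you change this, also set the` / `# ARGOCD_CONTROLLER_REPLICAS env var below to the same number.`, and make the example concrete with `# value: "1"`. Both hunks sit inside the `controller:` mapping, whose start is outside the hunk.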