Merge branch 'main' into add_permitonlyscopedprojects

charts/argo-cd/Chart.yaml

@@ -3,7 +3,7 @@ appVersion: v2.7.7
 kubeVersion: ">=1.23.0-0"
 description: A Helm chart for Argo CD, a declarative, GitOps continuous delivery tool for Kubernetes.
 name: argo-cd
-version: 5.38.0
+version: 5.38.1
 home: https://github.com/argoproj/argo-helm
 icon: https://argo-cd.readthedocs.io/en/stable/assets/logo.png
 sources:
@@ -26,5 +26,5 @@ annotations:
     fingerprint: 2B8F22F57260EFA67BE1C5824B11F800CD9D2252
     url: https://argoproj.github.io/argo-helm/pgp_keys.asc
   artifacthub.io/changes: |
-    - kind: changed
+    - kind: added
-      description: Upgrade dexidp from v2.36.0 to v2.37.0
+      description: Adding the option to set `annotations` for `Certificate` resources

charts/argo-cd/README.md

@@ -407,6 +407,7 @@ NAME: my-release
 | global.affinity.nodeAffinity.matchExpressions | list | `[]` | Default match expressions for node affinity |
 | global.affinity.nodeAffinity.type | string | `"hard"` | Default node affinity rules. Either: `none`, `soft` or `hard` |
 | global.affinity.podAntiAffinity | string | `"soft"` | Default pod anti-affinity rules. Either: `none`, `soft` or `hard` |
+| global.certificateAnnotations | object | `{}` | Annotations for the all deployed Certificates |
 | global.deploymentAnnotations | object | `{}` | Annotations for the all deployed Deployments |
 | global.deploymentStrategy | object | `{}` | Deployment strategy for the all deployed Deployments |
 | global.env | list | `[]` | Environment variables to pass to all deployed Deployments |
@@ -676,6 +677,7 @@ NAME: my-release
 | server.autoscaling.targetCPUUtilizationPercentage | int | `50` | Average CPU utilization percentage for the Argo CD server [HPA] |
 | server.autoscaling.targetMemoryUtilizationPercentage | int | `50` | Average memory utilization percentage for the Argo CD server [HPA] |
 | server.certificate.additionalHosts | list | `[]` | Certificate Subject Alternate Names (SANs) |
+| server.certificate.annotations | object | `{}` | Annotations to be applied to the Server Certificate |
 | server.certificate.domain | string | `"argocd.example.com"` | Certificate primary domain (commonName) |
 | server.certificate.duration | string | `""` (defaults to 2160h = 90d if not specified) | The requested 'duration' (i.e. lifetime) of the certificate. |
 | server.certificate.enabled | bool | `false` | Deploy a Certificate resource (requires cert-manager) |
@@ -1036,6 +1038,7 @@ If you want to use an existing Redis (eg. a managed service from a cloud provide
 | applicationSet.affinity | object | `{}` (defaults to global.affinity preset) | Assign custom [affinity] rules |
 | applicationSet.args | object | `{}` | DEPRECATED - ApplicationSet controller command line flags |
 | applicationSet.certificate.additionalHosts | list | `[]` | Certificate Subject Alternate Names (SANs) |
+| applicationSet.certificate.annotations | object | `{}` | Annotations to be applied to the ApplicationSet Certificate |
 | applicationSet.certificate.domain | string | `"argocd.example.com"` | Certificate primary domain (commonName) |
 | applicationSet.certificate.duration | string | `""` (defaults to 2160h = 90d if not specified) | The requested 'duration' (i.e. lifetime) of the certificate. |
 | applicationSet.certificate.enabled | bool | `false` | Deploy a Certificate resource (requires cert-manager) |

charts/argo-cd/templates/argocd-applicationset/certificate.yaml

@@ -2,6 +2,12 @@
 apiVersion: {{ include "argo-cd.apiVersion.cert-manager" . }}
 kind: Certificate
 metadata:
+  {{- with (mergeOverwrite (deepCopy .Values.global.certificateAnnotations) .Values.applicationSet.certificate.annotations) }}
+  annotations:
+    {{- range $key, $value := . }}
+    {{ $key }}: {{ $value | quote }}
+    {{- end }}
+  {{- end }}
   name: {{ template "argo-cd.applicationSet.fullname" . }}
   namespace: {{ .Release.Namespace | quote }}
   labels:

charts/argo-cd/templates/argocd-server/certificate.yaml

@@ -2,6 +2,12 @@
 apiVersion: {{ include "argo-cd.apiVersion.cert-manager" . }}
 kind: Certificate
 metadata:
+  {{- with (mergeOverwrite (deepCopy .Values.global.certificateAnnotations) .Values.server.certificate.annotations) }}
+  annotations:
+    {{- range $key, $value := . }}
+    {{ $key }}: {{ $value | quote }}
+    {{- end }}
+  {{- end }}
   name: {{ include "argo-cd.server.fullname" . }}
   namespace: {{ .Release.Namespace | quote }}
   labels:

charts/argo-cd/values.yaml

@@ -147,6 +147,9 @@ global:
   # -- Environment variables to pass to all deployed Deployments
   env: []
 
+  # -- Annotations for the all deployed Certificates
+  certificateAnnotations: {}
+
 ## Argo Configs
 configs:
   # General Argo CD configuration
@@ -1743,6 +1746,8 @@ server:
       algorithm: RSA
       # -- Key bit size of the private key. If algorithm is set to `Ed25519`, size is ignored.
       size: 2048
+    # -- Annotations to be applied to the Server Certificate
+    annotations: {}
     # -- Usages for the certificate
     ### Ref: https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.KeyUsage
     usages: []
@@ -2681,6 +2686,8 @@ applicationSet:
       algorithm: RSA
       # -- Key bit size of the private key. If algorithm is set to `Ed25519`, size is ignored.
       size: 2048
+    # -- Annotations to be applied to the ApplicationSet Certificate
+    annotations: {}
 
 ## Notifications controller
 notifications:

charts/argo-workflows/Chart.yaml

@@ -3,7 +3,7 @@ appVersion: v3.4.8
 name: argo-workflows
 description: A Helm chart for Argo Workflows
 type: application
-version: 0.30.0
+version: 0.31.0
 icon: https://argoproj.github.io/argo-workflows/assets/logo.png
 home: https://github.com/argoproj/argo-helm
 sources:
@@ -16,5 +16,5 @@ annotations:
     fingerprint: 2B8F22F57260EFA67BE1C5824B11F800CD9D2252
     url: https://argoproj.github.io/argo-helm/pgp_keys.asc
   artifacthub.io/changes: |
-    - kind: fixed
+    - kind: added
-      description: artifactRepository will not be configured by default
+      description: Add support for artifactRepositoryRef

charts/argo-workflows/README.md

@@ -331,6 +331,7 @@ Fields to note:
 | artifactRepository.azure | object | `{}` (See [values.yaml]) | Store artifact in Azure Blob Storage |
 | artifactRepository.gcs | object | `{}` (See [values.yaml]) | Store artifact in a GCS object store |
 | artifactRepository.s3 | object | See [values.yaml] | Store artifact in a S3-compliant object store |
+| artifactRepositoryRef | object | `{}` (See [values.yaml]) | The section of [artifact repository ref](https://argoproj.github.io/argo-workflows/artifact-repository-ref/). Each map key is the name of configmap |
 | customArtifactRepository | object | `{}` | The section of custom artifact repository. Utilize a custom artifact repository that is not one of the current base ones (s3, gcs, azure) |
 | useStaticCredentials | bool | `true` | Use static credentials for S3 (eg. when not using AWS IRSA) |
 

charts/argo-workflows/ci/enable-artifact-repo-ref.yaml

@@ -0,0 +1,41 @@
+artifactRepositoryRef:
+  # 1st ConfigMap
+  artifact-repositories:
+    annotations:
+      workflows.argoproj.io/default-artifact-repository: default-v1-s3-artifact-repository
+    # 1st data
+    default-v1-s3-artifact-repository:
+      archiveLogs: true
+      s3:
+        bucket: my-bucket
+        endpoint: minio:9000
+        insecure: true
+        accessKeySecret:
+          name: my-minio-cred
+          key: accesskey
+        secretKeySecret:
+          name: my-minio-cred
+          key: secretkey
+    # 2nd data
+    oss-artifact-repository:
+      archiveLogs: false
+      oss:
+        endpoint: http://oss-cn-zhangjiakou-internal.aliyuncs.com
+        bucket: $mybucket
+        accessKeySecret:
+          name: $mybucket-credentials
+          key: accessKey
+        secretKeySecret:
+          name: $mybucket-credentials
+          key: secretKey
+  # 2nd ConfigMap
+  another-artifact-repositories:
+    annotations:
+      workflows.argoproj.io/default-artifact-repository: gcs
+    gcs:
+      archiveLogs: false
+      bucket: my-bucket
+      keyFormat: prefix/in/bucket/{{workflow.name}}/{{pod.name}}
+      serviceAccountKeySecret:
+        name: my-gcs-credentials
+        key: serviceAccountKey

charts/argo-workflows/templates/controller/artifact-repository-ref-cm.yaml

@@ -0,0 +1,19 @@
+{{- range $cm_name, $cm_val := .Values.artifactRepositoryRef }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ $cm_name }}
+  namespace: {{ $.Release.Namespace | quote }}
+  labels:
+    {{- include "argo-workflows.labels" (dict "context" $ "component" $.Values.controller.name "name" $cm_name) | nindent 4 }}
+  {{- with $cm_val.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+data:
+  {{- range $data_key, $data_val := (omit $cm_val "annotations") }}
+  {{- $data_key | nindent 2 }}: |
+    {{- toYaml $data_val | nindent 4 }}
+  {{- end }}
+{{- end }}

charts/argo-workflows/values.yaml

@@ -161,9 +161,13 @@ controller:
   # Only valid for 2.7+
   ## See more: https://argoproj.github.io/argo-workflows/default-workflow-specs/
   workflowDefaults: {}
-  #  spec:
+  #   spec:
-  #    ttlStrategy:
+  #     ttlStrategy:
-  #      secondsAfterCompletion: 84600
+  #       secondsAfterCompletion: 84600
+  #     # Ref: https://argoproj.github.io/argo-workflows/artifact-repository-ref/
+  #     artifactRepositoryRef:
+  #       configMap: my-artifact-repository # default is "artifact-repositories"
+  #       key: v2-s3-artifact-repository # default can be set by the `workflows.argoproj.io/default-artifact-repository` annotation in config map.
 
   # -- Number of workflow workers
   workflowWorkers: # 32
@@ -770,6 +774,59 @@ customArtifactRepository: {}
 #     name: artifactory-creds
 #     key: password
 
+# -- The section of [artifact repository ref](https://argoproj.github.io/argo-workflows/artifact-repository-ref/).
+# Each map key is the name of configmap
+# @default -- `{}` (See [values.yaml])
+artifactRepositoryRef: {}
+  # # -- 1st ConfigMap
+  # # If you want to use this config map by default, name it "artifact-repositories".
+  # # Otherwise, you can provide a reference to a
+  # # different config map in `artifactRepositoryRef.configMap`.
+  # artifact-repositories:
+  #   # -- v3.0 and after - if you want to use a specific key, put that key into this annotation.
+  #   annotations:
+  #     workflows.argoproj.io/default-artifact-repository: default-v1-s3-artifact-repository
+  #   # 1st data of configmap. See above artifactRepository or customArtifactRepository.
+  #   default-v1-s3-artifact-repository:
+  #     archiveLogs: false
+  #     s3:
+  #       bucket: my-bucket
+  #       endpoint: minio:9000
+  #       insecure: true
+  #       accessKeySecret:
+  #         name: my-minio-cred
+  #         key: accesskey
+  #       secretKeySecret:
+  #         name: my-minio-cred
+  #         key: secretkey
+  #    # 2nd data
+  #    oss-artifact-repository:
+  #      archiveLogs: false
+  #      oss:
+  #        endpoint: http://oss-cn-zhangjiakou-internal.aliyuncs.com
+  #        bucket: $mybucket
+  #        # accessKeySecret and secretKeySecret are secret selectors.
+  #        # It references the k8s secret named 'bucket-workflow-artifect-credentials'.
+  #        # This secret is expected to have have the keys 'accessKey'
+  #        # and 'secretKey', containing the base64 encoded credentials
+  #        # to the bucket.
+  #        accessKeySecret:
+  #          name: $mybucket-credentials
+  #          key: accessKey
+  #        secretKeySecret:
+  #          name: $mybucket-credentials
+  #          key: secretKey
+  # # 2nd ConfigMap
+  # another-artifact-repositories:
+  #   annotations:
+  #     workflows.argoproj.io/default-artifact-repository: gcs
+  #   gcs:
+  #     bucket: my-bucket
+  #     keyFormat: prefix/in/bucket/{{workflow.name}}/{{pod.name}}
+  #     serviceAccountKeySecret:
+  #       name: my-gcs-credentials
+  #       key: serviceAccountKey
+
 emissary:
   # -- The command/args for each image on workflow, needed when the command is not specified and the emissary executor is used.
   ## See more: https://argoproj.github.io/argo-workflows/workflow-executors/#emissary-emissary