Update chart to 5.16.0 (#5)

* feat(argo-cd): Upgrade Argo CD to 2.5.0 (#1568) Signed-off-by: Petr Drastil <petr.drastil@gmail.com> * chore(github): Bump GitHub actions versions (#1575) Signed-off-by: Petr Drastil <petr.drastil@gmail.com> * fix(argo-cd): Chart NOTES nil references (#1582) Signed-off-by: Filipe Santos <filipe@not.sh> * docs(argo-cd): Improve documentation (#1584) Signed-off-by: Petr Drastil <petr.drastil@gmail.com> Signed-off-by: Petr Drastil <petr.drastil@gmail.com> * fix(argo-workflows): serviceaccount rbac when sso is enabled (#1586) Signed-off-by: Nick Fisher <nxf5025@gmail.com> Signed-off-by: Nick Fisher <nxf5025@gmail.com> * Fix incorrect applicationSet property in README (#1590) Based on [here](55b8b34d20/charts/argo-cd/templates/argocd-applicationset/deployment.yaml (L9)), I think `replicas` should be `replicaCount` (though `replicas` would be more consistent). Signed-off-by: Ashlin Eldridge <ashlin.eldridge@gmail.com> Signed-off-by: Ashlin Eldridge <ashlin.eldridge@gmail.com> * fix(argo-cd): Remove AWS volume from server (#1591) Signed-off-by: Petr Drastil <petr.drastil@gmail.com> Signed-off-by: Petr Drastil <petr.drastil@gmail.com> * chore(argo-cd): Cleanup Redis manifest (#1577) Signed-off-by: Petr Drastil <petr.drastil@gmail.com> * fix(argo-cd): Fix migration path for server configs (#1585) Signed-off-by: Petr Drastil <petr.drastil@gmail.com> * fix(argo-cd): Type conversion for ConfigMaps values (#1594) Signed-off-by: Petr Drastil <petr.drastil@gmail.com> * feat(argo-cd): Add probes for ApplicationSet controller (#1532) Signed-off-by: Petr Drastil <petr.drastil@gmail.com> * chore(argo-cd): Remove liveness probe from application controller (#1581) Signed-off-by: Petr Drastil <petr.drastil@gmail.com> * chore(github): Add dependabot.yml (#1595) Signed-off-by: Petr Drastil <petr.drastil@gmail.com> * feat(argo-cd): Set container security contexts (#1579) Signed-off-by: Petr Drastil <petr.drastil@gmail.com> * feat(argo-cd): Support custom TLS certificates for Dex (#1477) Signed-off-by: Petr Drastil <petr.drastil@gmail.com> * feat(argo-cd): Support manually managed TLS certificate for Server (#1534) Signed-off-by: Petr Drastil <petr.drastil@gmail.com> * fix(argo-cd): Don't install CRDs for disabled components (#1596) Signed-off-by: Marco Kilchhofer <mkilchhofer@users.noreply.github.com> * fix(argo-cd): update network policy port name (#1603) Signed-off-by: Eric Cimino <ecimino@vailsys.com> * chore(argo-workflows): Update ArgoWorkflows to v3.4.3 (#1610) Signed-off-by: yu-croco <yu.croco@gmail.com> * fix(argo-cd): Replace coalesce with merge for old config values (#1612) Signed-off-by: Petr Drastil <petr.drastil@gmail.com> * feat(argo-cd): Add revisionHistoryLimit (#1599) Signed-off-by: Petr Drastil <petr.drastil@gmail.com> * Upgrade Argo Image to the latest (#1614) Signed-off-by: Dong Wang <wd@wdicc.com> Signed-off-by: Dong Wang <wd@wdicc.com> * chore(argo-cd): Update redis-ha (#1617) Signed-off-by: yu-croco <yu.croco@gmail.com> * fix(argo-cd): Add /tmp voulmeMount to extensions container (#1620) * Fixes #1619 - Add /tmp voulmeMount to extensions container Signed-off-by: Tim Van de Walle <tvandewalle@trek10.com> * Bump version, add change notes Signed-off-by: Tim Van de Walle <tvandewalle@trek10.com> Signed-off-by: Tim Van de Walle <tvandewalle@trek10.com> * fix(argo-cd): Add missing ClusterRole permissions to argo-cd-server to manage Application in all namespaces (#1621) Signed-off-by: Elad Dolev <dolevelad@gmail.com> * fix(argo-cd): Use Dex non-distroless image (#1626) Signed-off-by: Petr Drastil <petr.drastil@gmail.com> * chore(argo-cd): Upgrade Argo CD to 2.5.2 (#1628) Signed-off-by: Petr Drastil <petr.drastil@gmail.com> Signed-off-by: Petr Drastil <petr.drastil@gmail.com> * Allow to add custom artifact repository (#1453) Signed-off-by: Max Kochubey <20810306+maxkochubey@users.noreply.github.com> Signed-off-by: Max Kochubey <20810306+maxkochubey@users.noreply.github.com> * fix(argo-cd): Use raw json for cluster credentials for Vault compatibility (#1634) Signed-off-by: Petr Drastil <petr.drastil@gmail.com> Signed-off-by: Petr Drastil <petr.drastil@gmail.com> Co-authored-by: Aikawa <yu.croco@gmail.com> * fix(argo-cd): Cluster credentials config should be a string (#1636) Signed-off-by: Petr Drastil <petr.drastil@gmail.com> Signed-off-by: Petr Drastil <petr.drastil@gmail.com> * fix(argo-workflows): Added missing attribute for sso (#1641) Signed-off-by: yu-croco <yu.croco@gmail.com> * docs(argo-cd): Improve changelog information (#1652) Signed-off-by: Petr Drastil <petr.drastil@gmail.com> Signed-off-by: Petr Drastil <petr.drastil@gmail.com> * chore(argo-cd): Consolidated GnuPG configuration (#1609) Signed-off-by: Petr Drastil <petr.drastil@gmail.com> * fix(argo-cd): Invalid argocd-gpg-keys-cm template (#1656) The template removed a little too much whitespace resulting in an invalid ConfigMap. Error: ``` Error: YAML parse error on argocd/charts/argo-cd/templates/argocd-configs/argocd-gpg-keys-cm.yaml: error converting YAML to JSON: yaml: line 10: mapping values are not allowed in this context ``` Signed-off-by: Allex <allexveldman+github@gmail.com> Signed-off-by: Allex <allexveldman+github@gmail.com> * feat(argo-workflows): Allow controller to whitelist secrets (#1646) * allow users to whitelist secrets Signed-off-by: emmayylu <84873428+yolu-kxs@users.noreply.github.com> * remove unnecessary if-statement Signed-off-by: emmayylu <44856279+emmayylu@users.noreply.github.com> * use square bracket for array Signed-off-by: emmayylu <44856279+emmayylu@users.noreply.github.com> * fix typo and update readme Signed-off-by: emmayylu <44856279+emmayylu@users.noreply.github.com> Signed-off-by: emmayylu <84873428+yolu-kxs@users.noreply.github.com> Signed-off-by: emmayylu <44856279+emmayylu@users.noreply.github.com> Co-authored-by: emmayylu <84873428+yolu-kxs@users.noreply.github.com> * feat(argo-workflows): Add labels for ServiceAccounts (#1665) * Add labels for ServiceAccounts Signed-off-by: Eugene Lugovtsov <lug.zhenia@gmail.com> * fix workflow serviceaccount labels Signed-off-by: Eugene Lugovtsov <lug.zhenia@gmail.com> * fix docs Signed-off-by: Eugene Lugovtsov <lug.zhenia@gmail.com> Signed-off-by: Eugene Lugovtsov <lug.zhenia@gmail.com> * fix(argo-cd): deprecate server.extraArgs."--insecure" (#1669) Signed-off-by: GitHub <noreply@github.com> Signed-off-by: GitHub <noreply@github.com> * chore(argo-workflows): Support workflow retention (#1668) Signed-off-by: yu-croco <yu.croco@gmail.com> * feat(argo-cd): Upgrade argocd to v2.5.3 (#1671) Signed-off-by: smcavallo <smcavallo@hotmail.com> * fix helm install md (#1672) Signed-off-by: fsl <1171313930@qq.com> Signed-off-by: fsl <1171313930@qq.com> * feat(argo-cd): Add Repo Server strict TLS cert support (#1673) Signed-off-by: Karl Parry <karl.parry@imbursepayments.com> * chore(argo-workflows): Update Argo Workflows to v3.4.4 (#1674) Signed-off-by: yu-croco <yu.croco@gmail.com> * fix(argo-cd): Rename tls secret to include the -secret suffix (#1676) - "[Fixed]: TLS secret name so Dex correctly generates the checksum for argocd-dex-server-tls." - "[Fixed]: Standardise the naming convention of the TLS secret manifests." - "[Added]: Add checksum to Repo-Server for the argocd-repo-server-tls secret." Signed-off-by: Karl Parry <karl.parry@imbursepayments.com> * chore(argo-cd): Remove duplicate ApplicationSet features (#1598) Signed-off-by: Petr Drastil <petr.drastil@gmail.com> * feat(argo-cd): Add ability to annotate Deployments and StatefulSets (#1608) * feat(argo-cd): Add ability to annotate Deployments and StatefulSets Signed-off-by: John Stewart <jstewart@rentpath.com> * fix: Controller and AppSet controller was mixed Signed-off-by: Marco Kilchhofer <mkilchhofer@users.noreply.github.com> Signed-off-by: John Stewart <jstewart@rentpath.com> Signed-off-by: Marco Kilchhofer <mkilchhofer@users.noreply.github.com> Co-authored-by: Marco Kilchhofer <mkilchhofer@users.noreply.github.com> * chart update WIP * backport applicationset * backport applicationset * argocd 2.5.5 --------- Signed-off-by: Petr Drastil <petr.drastil@gmail.com> Signed-off-by: Filipe Santos <filipe@not.sh> Signed-off-by: Nick Fisher <nxf5025@gmail.com> Signed-off-by: Ashlin Eldridge <ashlin.eldridge@gmail.com> Signed-off-by: Marco Kilchhofer <mkilchhofer@users.noreply.github.com> Signed-off-by: Eric Cimino <ecimino@vailsys.com> Signed-off-by: yu-croco <yu.croco@gmail.com> Signed-off-by: Dong Wang <wd@wdicc.com> Signed-off-by: Tim Van de Walle <tvandewalle@trek10.com> Signed-off-by: Elad Dolev <dolevelad@gmail.com> Signed-off-by: Max Kochubey <20810306+maxkochubey@users.noreply.github.com> Signed-off-by: Allex <allexveldman+github@gmail.com> Signed-off-by: emmayylu <84873428+yolu-kxs@users.noreply.github.com> Signed-off-by: emmayylu <44856279+emmayylu@users.noreply.github.com> Signed-off-by: Eugene Lugovtsov <lug.zhenia@gmail.com> Signed-off-by: GitHub <noreply@github.com> Signed-off-by: smcavallo <smcavallo@hotmail.com> Signed-off-by: fsl <1171313930@qq.com> Signed-off-by: Karl Parry <karl.parry@imbursepayments.com> Signed-off-by: John Stewart <jstewart@rentpath.com> Co-authored-by: Petr Drastil <petr.drastil@gmail.com> Co-authored-by: Filipe <filipe@not.sh> Co-authored-by: Nick Fisher <nxf5025@gmail.com> Co-authored-by: Ashlin Eldridge <ashlin.eldridge@gmail.com> Co-authored-by: Marco Kilchhofer <mkilchhofer@users.noreply.github.com> Co-authored-by: Eric Cimino <58572548+cimin0@users.noreply.github.com> Co-authored-by: Aikawa <yu.croco@gmail.com> Co-authored-by: Dong Wang <wd@wdicc.com> Co-authored-by: tvandewalle <1022306+tvandewalle@users.noreply.github.com> Co-authored-by: Elad Dolev <dolevelad@gmail.com> Co-authored-by: Max Kochubey <20810306+maxkochubey@users.noreply.github.com> Co-authored-by: Allex <a.veldman@chain-stock.com> Co-authored-by: emmayylu <44856279+emmayylu@users.noreply.github.com> Co-authored-by: emmayylu <84873428+yolu-kxs@users.noreply.github.com> Co-authored-by: Eugene Lugovtsov <34510252+EugeneLugovtsov@users.noreply.github.com> Co-authored-by: Zadkiel Aharonian <zadkiel.aharonian@gmail.com> Co-authored-by: smcavallo <smcavallo@users.noreply.github.com> Co-authored-by: fsl <1171313930@qq.com> Co-authored-by: Karl Parry <88431088+karlparry@users.noreply.github.com> Co-authored-by: John Stewart <32647598+jstewart612@users.noreply.github.com>
2023-02-02 14:54:39 +02:00 · 2023-02-02 14:54:39 +02:00 · 9591bf1023
commit 9591bf1023
parent 4befcd5dc5
47 changed files with 1223 additions and 493 deletions
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@ -0,0 +1,8 @@
 ## Reference: https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
 version: 2
 updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: weekly
      day: "saturday"
--- a/.github/workflows/lint-and-test.yml
+++ b/.github/workflows/lint-and-test.yml
@ -26,10 +26,10 @@ jobs:
      - name: Setup Chart Linting
        id: lint
-        uses: helm/chart-testing-action@v2.3.0
+        uses: helm/chart-testing-action@v2.3.1
        with:
          # Note: Also update in scripts/lint.sh
-          version: v3.7.0
+          version: v3.7.1
      - name: List changed charts
        id: list-changed
@ -41,6 +41,7 @@ jobs:
            echo "::set-output name=changed::true"
            echo "::set-output name=changed_charts::$charts"
          fi
      - name: Run chart-testing (lint)
        run: ct lint --debug --config ./.github/configs/ct-lint.yaml --target-branch ${{ github.base_ref }} --lint-conf ./.github/configs/lintconf.yaml
--- a/.github/workflows/pr-title.yml
+++ b/.github/workflows/pr-title.yml
@ -19,7 +19,7 @@ jobs:
    name: Validate PR title
    runs-on: ubuntu-latest
    steps:
-      - uses: amannn/action-semantic-pull-request@v4
+      - uses: amannn/action-semantic-pull-request@v5
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@ -93,7 +93,7 @@ helm dependency update
 Minimally:
 ```
-helm install charts/argo-cd --namespace argocd -n argo-cd
+helm install argocd  argo/argo-cd  -n argocd --create-namespace
 kubectl port-forward service/argo-cd-argocd-server -n argocd 8080:443
 ```
--- a/charts/argo-cd/Chart.lock
+++ b/charts/argo-cd/Chart.lock
@ -1,6 +1,6 @@
 dependencies:
 - name: redis-ha
  repository: https://dandydeveloper.github.io/charts/
-  version: 4.22.2
+  version: 4.22.3
-digest: sha256:b6dc7774d0cc20a7a889d10e61f3dd653bdacd7836558f4875688b5cb5051d80
+digest: sha256:ef6269e4e073dad10c230ccfb069fc013608111c895c5e7568450bb3967cf195
-generated: "2022-09-19T12:39:19.736045+02:00"
+generated: "2022-11-03T12:04:33.673857+09:00"
--- a/charts/argo-cd/Chart.yaml
+++ b/charts/argo-cd/Chart.yaml
@ -1,8 +1,9 @@
 apiVersion: v2
-appVersion: v2.4.15-cap-CR-16709-init-app-proxy
+appVersion: v2.5.5-cap-CR-16950
 description: A Helm chart for Argo CD, a declarative, GitOps continuous delivery tool for Kubernetes.
 name: argo-cd
-version: 5.7.0-2-CR-16709-init-app-proxy
+version: 5.16.0-2-cap-CR-16950
 kubeVersion: ">=1.22.0-0"
 home: https://github.com/argoproj/argo-helm
 icon: https://argo-cd.readthedocs.io/en/stable/assets/logo.png
 sources:
@ -17,11 +18,9 @@ maintainers:
    url: https://argoproj.github.io/
 dependencies:
  - name: redis-ha
-    version: 4.22.2
+    version: 4.22.3
    repository: https://dandydeveloper.github.io/charts/
    condition: redis-ha.enabled
 annotations:
  artifacthub.io/changes: |
-    - "[Added]: Configuration sections configs.cm and configs.rbac"
+    - "[Added]: Ability to annotate Deployment and Statefulset objects for all components"
    - "[Deprecated]: Generic configuration via server.config"
    - "[Deprecated]: Argo RBAC configuration via server.rbacConfig"
--- a/charts/argo-cd/README.md
+++ b/charts/argo-cd/README.md
@ -11,7 +11,7 @@ This is a **community maintained** chart. This chart installs [argo-cd](https://
 The default installation is intended to be similar to the provided Argo CD [releases](https://github.com/argoproj/argo-cd/releases).
-If you want to avoid including sensitive information unencrypted (clear text) in your version control, make use of the [declarative set up](https://argo-cd.readthedocs.io/en/stable/operator-manual/declarative-setup/) of Argo CD.
+If you want to avoid including sensitive information unencrypted (clear text) in your version control, make use of the [declarative setup] of Argo CD.
 For instance, rather than adding repositories and their keys in your Helm values, you could deploy [SealedSecrets](https://github.com/bitnami-labs/sealed-secrets) with contents as seen in this [repositories section](https://argo-cd.readthedocs.io/en/stable/operator-manual/declarative-setup/#repositories) or any other secrets manager service (i.e. HashiCorp Vault, AWS/GCP Secrets Manager, etc.).
 ## High Availability
@ -42,7 +42,7 @@ repoServer:
    minReplicas: 2
 applicationSet:
-  replicas: 2
+  replicaCount: 2
 ```
 ### HA mode without autoscaling
@ -61,7 +61,7 @@ repoServer:
  replicas: 2
 applicationSet:
-  replicas: 2
+  replicaCount: 2
 ```
 ### Synchronizing Changes from Original Repository
@ -84,8 +84,6 @@ git diff v1.8.7 v2.0.0 -- manifests/install.yaml
 Changes in the `CustomResourceDefinition` resources shall be fixed easily by copying 1:1 from the [`manifests/crds` folder](https://github.com/argoproj/argo-cd/tree/master/manifests/crds) into this [`charts/argo-cd/templates/crds` folder](https://github.com/argoproj/argo-helm/tree/master/charts/argo-cd/templates/crds).
 ## Upgrading
 ### Custom resource definitions
 Some users would prefer to install the CRDs _outside_ of the chart. You can disable the CRD installation of this chart by using `--set crds.install=false` when installing the chart.
@ -101,6 +99,32 @@ kubectl apply -k "https://github.com/argoproj/argo-cd/manifests/crds?ref=<appVer
 kubectl apply -k "https://github.com/argoproj/argo-cd/manifests/crds?ref=v2.4.9"
 ```
 ## Changelog
 For full list of changes please check ArtifactHub [changelog].
 Highlighted versions provide information about additional steps that should be performed by user when upgrading to newer version.
 ### 5.13.0
 This version reduces history limit for Argo CD deployment replicas to 3 to provide more visibility for Argo CD deployments that manage itself. If you need more deployment revisions for rollbacks set `global.revisionHistoryLimit` parameter.
 ### 5.12.0
 This version deprecates the `configs.secret.argocdServerTlsConfig` option. Use `server.certificate` or `server.certificateSecret` to provide custom TLS configuration for Argo CD server.
 If you terminate TLS on ingress please use `argocd-server-tls` secret instead of `argocd-secret` secret.
 ### 5.10.0
 This version hardens security by configuring default container security contexts and adds hard requirement for Kubernetes 1.22+ to work properly.
 The change aligns chart with officially [supported versions](https://argo-cd.readthedocs.io/en/release-2.5/operator-manual/installation/#supported-versions) by upstream project.
 ### 5.7.0
 This version introcudes new `configs.cm` and `configs.rbac` sections that replaces `server.config` and `server.rbacConfig` respectively.
 Please move your current configuration to the new place. The Argo CD RBAC config now also sets defaults in the `argocd-rbac-cm`.
 If you have manually created this ConfigMap please ensure templating is disabled so you will not lose your changes.
 ### 5.5.20
 This version moved API version templates into dedicated helper. If you are using these in your umbrella
@ -312,7 +336,7 @@ server:
 ## Prerequisites
- Kubernetes 1.7+
+- Kubernetes: `>=1.22.0-0`
 - Helm v3.0.0+
 ## Installing the Chart
@ -333,7 +357,7 @@ NAME: my-release
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | apiVersionOverrides.autoscaling | string | `""` | String to override apiVersion of autoscaling rendered by this helm chart |
-| apiVersionOverrides.certmanager | string | `""` | String to override apiVersion of certmanager resources rendered by this helm chart |
+| apiVersionOverrides.certmanager | string | `""` | String to override apiVersion of cert-manager resources rendered by this helm chart |
 | apiVersionOverrides.cloudgoogle | string | `""` | String to override apiVersion of GKE resources rendered by this helm chart |
 | apiVersionOverrides.ingress | string | `""` | String to override apiVersion of ingresses rendered by this helm chart |
 | apiVersionOverrides.pdb | string | `""` | String to override apiVersion of pod disruption budgets rendered by this helm chart |
@ -351,7 +375,8 @@ NAME: my-release
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
-| global.additionalLabels | object | `{}` | Additional labels to add to all resources |
+| global.additionalLabels | object | `{}` | Common labels for the all resources |
 | global.deploymentAnnotations | object | `{}` | Annotations for the all deployed Deployments |
 | global.hostAliases | list | `[]` | Mapping between IP and hostnames that will be injected as entries in the pod's hosts files |
 | global.image.imagePullPolicy | string | `"IfNotPresent"` | If defined, a imagePullPolicy applied to all Argo CD deployments |
 | global.image.repository | string | `"quay.io/codefresh/argocd"` | If defined, a repository applied to all Argo CD deployments |
@ -363,25 +388,28 @@ NAME: my-release
 | global.networkPolicy.defaultDenyIngress | bool | `false` | Default deny all ingress traffic |
 | global.podAnnotations | object | `{}` | Annotations for the all deployed pods |
 | global.podLabels | object | `{}` | Labels for the all deployed pods |
-| global.securityContext | object | `{}` | Toggle and define securityContext. See [values.yaml] |
+| global.revisionHistoryLimit | int | `3` | Number of old deployment ReplicaSets to retain. The rest will be garbage collected. |
 | global.securityContext | object | `{}` (See [values.yaml]) | Toggle and define pod-level security context. |
 | global.statefulsetAnnotations | object | `{}` | Annotations for the all deployed Statefulsets |
 ## Argo CD Configs
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | configs.clusterCredentials | list | `[]` (See [values.yaml]) | Provide one or multiple [external cluster credentials] |
-| configs.cm."admin.enabled" | string | `"true"` | Enable local admin user |
+| configs.cm."admin.enabled" | bool | `true` | Enable local admin user |
 | configs.cm."application.instanceLabelKey" | string | Defaults to app.kubernetes.io/instance | The name of tracking label used by Argo CD for resource pruning |
-| configs.cm."exec.enabled" | string | `"false"` | Enable exec feature in Argo UI |
+| configs.cm."exec.enabled" | bool | `false` | Enable exec feature in Argo UI |
-| configs.cm."server.rbac.log.enforce.enable" | string | `"false"` | Enable logs RBAC enforcement |
+| configs.cm."server.rbac.log.enforce.enable" | bool | `false` | Enable logs RBAC enforcement |
-| configs.cm."timeout.hard.reconciliation" | string | `"0"` | Timeout to refresh application data as well as target manifests cache |
+| configs.cm."timeout.hard.reconciliation" | int | `0` | Timeout to refresh application data as well as target manifests cache |
 | configs.cm."timeout.reconciliation" | string | `"180s"` | Timeout to discover if a new manifests version got published to the repository |
 | configs.cm.annotations | object | `{}` | Annotations to be added to argocd-cm configmap |
-| configs.cm.create | bool | `true` | Create the argocd-cm configmap for [Declarative setup] |
+| configs.cm.create | bool | `true` | Create the argocd-cm configmap for [declarative setup] |
 | configs.cm.url | string | `""` | Argo CD's externally facing base URL (optional). Required when configuring SSO |
 | configs.credentialTemplates | object | `{}` | Repository credentials to be used as Templates for other repos |
 | configs.credentialTemplatesAnnotations | object | `{}` | Annotations to be added to `configs.credentialTemplates` Secret |
-| configs.gpgKeys | object | `{}` (See [values.yaml]) | [GnuPG](https://argo-cd.readthedocs.io/en/stable/user-guide/gpg-verification/) keys to add to the key ring |
+| configs.gpg.annotations | object | `{}` | Annotations to be added to argocd-gpg-keys-cm configmap |
-| configs.gpgKeysAnnotations | object | `{}` | GnuPG key ring annotations |
+| configs.gpg.keys | object | `{}` (See [values.yaml]) | [GnuPG] public keys to add to the keyring |
 | configs.knownHosts.data.ssh_known_hosts | string | See [values.yaml] | Known Hosts |
 | configs.knownHostsAnnotations | object | `{}` | Known Hosts configmap annotations |
 | configs.params."controller.operation.processors" | int | `10` | Number of application operation processors |
@ -408,7 +436,6 @@ NAME: my-release
 | configs.secret.annotations | object | `{}` | Annotations to be added to argocd-secret |
 | configs.secret.argocdServerAdminPassword | string | `""` | Bcrypt hashed admin password |
 | configs.secret.argocdServerAdminPasswordMtime | string | `""` (defaults to current time) | Admin password modification time. Eg. `"2006-01-02T15:04:05Z"` |
 | configs.secret.argocdServerTlsConfig | object | `{}` | Argo TLS Data |
 | configs.secret.bitbucketServerSecret | string | `""` | Shared secret for authenticating BitbucketServer webhook events |
 | configs.secret.bitbucketUUID | string | `""` | UUID for authenticating Bitbucket webhook events |
 | configs.secret.createSecret | bool | `true` | Create the argocd-secret |
@ -430,7 +457,7 @@ NAME: my-release
 | controller.clusterRoleRules.enabled | bool | `false` | Enable custom rules for the application controller's ClusterRole resource |
 | controller.clusterRoleRules.rules | list | `[]` | List of custom rules for the application controller's ClusterRole resource |
 | controller.containerPort | int | `8082` | Application controller listening port |
-| controller.containerSecurityContext | object | `{}` | Application controller container-level security context |
+| controller.containerSecurityContext | object | See [values.yaml] | Application controller container-level security context |
 | controller.env | list | `[]` | Environment variables to pass to application controller |
 | controller.envFrom | list | `[]` (See [values.yaml]) | envFrom to pass to application controller |
 | controller.extraArgs | list | `[]` | Additional command line arguments to pass to application controller |
@ -440,11 +467,6 @@ NAME: my-release
 | controller.image.tag | string | `""` (defaults to global.image.tag) | Tag to use for the application controller |
 | controller.imagePullSecrets | list | `[]` (defaults to global.imagePullSecrets) | Secrets with credentials to pull images from a private registry |
 | controller.initContainers | list | `[]` | Init containers to add to the application controller pod |
 | controller.livenessProbe.failureThreshold | int | `3` | Minimum consecutive failures for the [probe] to be considered failed after having succeeded |
 | controller.livenessProbe.initialDelaySeconds | int | `10` | Number of seconds after the container has started before [probe] is initiated |
 | controller.livenessProbe.periodSeconds | int | `10` | How often (in seconds) to perform the [probe] |
 | controller.livenessProbe.successThreshold | int | `1` | Minimum consecutive successes for the [probe] to be considered successful after having failed |
 | controller.livenessProbe.timeoutSeconds | int | `1` | Number of seconds after which the [probe] times out |
 | controller.metrics.applicationLabels.enabled | bool | `false` | Enables additional labels in argocd_app_labels metric |
 | controller.metrics.applicationLabels.labels | list | `[]` | Additional labels |
 | controller.metrics.enabled | bool | `false` | Deploy metrics service |
@ -486,6 +508,7 @@ NAME: my-release
 | controller.serviceAccount.create | bool | `true` | Create a service account for the application controller |
 | controller.serviceAccount.labels | object | `{}` | Labels applied to created service account |
 | controller.serviceAccount.name | string | `"argocd-application-controller"` | Service account name |
 | controller.statefulsetAnnotations | object | `{}` | Annotations for the application controller StatefulSet |
 | controller.tolerations | list | `[]` | [Tolerations] for use with node taints |
 | controller.topologySpreadConstraints | list | `[]` | Assign custom [TopologySpreadConstraints] rules to the application controller |
 | controller.volumeMounts | list | `[]` | Additional volumeMounts to the application controller main container |
@ -502,11 +525,18 @@ NAME: my-release
 | repoServer.autoscaling.minReplicas | int | `1` | Minimum number of replicas for the repo server [HPA] |
 | repoServer.autoscaling.targetCPUUtilizationPercentage | int | `50` | Average CPU utilization percentage for the repo server [HPA] |
 | repoServer.autoscaling.targetMemoryUtilizationPercentage | int | `50` | Average memory utilization percentage for the repo server [HPA] |
 | repoServer.certificateSecret.annotations | object | `{}` | Annotations to be added to argocd-repo-server-tls secret |
 | repoServer.certificateSecret.ca | string | `""` | Certificate authority. Required for self-signed certificates. |
 | repoServer.certificateSecret.crt | string | `""` | Certificate data. Must contain SANs of Repo service (ie: argocd-repo-server, argocd-repo-server.argo-cd.svc) |
 | repoServer.certificateSecret.enabled | bool | `false` | Create argocd-repo-server-tls secret |
 | repoServer.certificateSecret.key | string | `""` | Certificate private key |
 | repoServer.certificateSecret.labels | object | `{}` | Labels to be added to argocd-repo-server-tls secret |
 | repoServer.clusterAdminAccess.enabled | bool | `false` | Enable RBAC for local cluster deployments |
 | repoServer.clusterRoleRules.enabled | bool | `false` | Enable custom rules for the Repo server's Cluster Role resource |
 | repoServer.clusterRoleRules.rules | list | `[]` | List of custom rules for the Repo server's Cluster Role resource |
 | repoServer.containerPort | int | `8081` | Configures the repo server port |
-| repoServer.containerSecurityContext | object | `{}` | Repo server container-level security context |
+| repoServer.containerSecurityContext | object | See [values.yaml] | Repo server container-level security context |
 | repoServer.deploymentAnnotations | object | `{}` | Annotations to be added to repo server Deployment |
 | repoServer.env | list | `[]` | Environment variables to pass to repo server |
 | repoServer.envFrom | list | `[]` (See [values.yaml]) | envFrom to pass to repo server |
 | repoServer.extraArgs | list | `[]` | Additional command line arguments to pass to repo server |
@ -585,9 +615,9 @@ NAME: my-release
 | server.autoscaling.minReplicas | int | `1` | Minimum number of replicas for the Argo CD server [HPA] |
 | server.autoscaling.targetCPUUtilizationPercentage | int | `50` | Average CPU utilization percentage for the Argo CD server [HPA] |
 | server.autoscaling.targetMemoryUtilizationPercentage | int | `50` | Average memory utilization percentage for the Argo CD server [HPA] |
-| server.certificate.additionalHosts | list | `[]` | Certificate manager additional hosts |
+| server.certificate.additionalHosts | list | `[]` | Certificate Subject Alternate Names (SANs) |
 | server.certificate.domain | string | `"argocd.example.com"` | Certificate primary domain (commonName) |
-| server.certificate.duration | string | `""` | The requested 'duration' (i.e. lifetime) of the Certificate. Value must be in units accepted by Go time.ParseDuration |
+| server.certificate.duration | string | `""` (defaults to 2160h = 90d if not specified) | The requested 'duration' (i.e. lifetime) of the certificate. |
 | server.certificate.enabled | bool | `false` | Deploy a Certificate resource (requires cert-manager) |
 | server.certificate.issuer.group | string | `""` | Certificate issuer group. Set if using an external issuer. Eg. `cert-manager.io` |
 | server.certificate.issuer.kind | string | `""` | Certificate issuer kind. Either `Issuer` or `ClusterIssuer` |
@ -596,13 +626,20 @@ NAME: my-release
 | server.certificate.privateKey.encoding | string | `"PKCS1"` | The private key cryptography standards (PKCS) encoding for private key. Either: `PCKS1` or `PKCS8` |
 | server.certificate.privateKey.rotationPolicy | string | `"Never"` | Rotation policy of private key when certificate is re-issued. Either: `Never` or `Always` |
 | server.certificate.privateKey.size | int | `2048` | Key bit size of the private key. If algorithm is set to `Ed25519`, size is ignored. |
-| server.certificate.renewBefore | string | `""` | How long before the currently issued certificate's expiry cert-manager should renew the certificate. Value must be in units accepted by Go time.ParseDuration |
+| server.certificate.renewBefore | string | `""` (defaults to 360h = 15d if not specified) | How long before the expiry a certificate should be renewed. |
 | server.certificate.secretName | string | `"argocd-server-tls"` | The name of the Secret that will be automatically created and managed by this Certificate resource |
 | server.certificateSecret.annotations | object | `{}` | Annotations to be added to argocd-server-tls secret |
 | server.certificateSecret.crt | string | `""` | Certificate data |
 | server.certificateSecret.enabled | bool | `false` | Create argocd-server-tls secret |
 | server.certificateSecret.key | string | `""` | Private Key of the certificate |
 | server.certificateSecret.labels | object | `{}` | Labels to be added to argocd-server-tls secret |
 | server.clusterAdminAccess.enabled | bool | `true` | Enable RBAC for local cluster deployments |
 | server.containerPort | int | `8080` | Configures the server port |
-| server.containerSecurityContext | object | `{}` | Servers container-level security context |
+| server.containerSecurityContext | object | See [values.yaml] | Server container-level security context |
 | server.deploymentAnnotations | object | `{}` | Annotations to be added to server Deployment |
 | server.env | list | `[]` | Environment variables to pass to Argo CD server |
 | server.envFrom | list | `[]` (See [values.yaml]) | envFrom to pass to Argo CD server |
 | server.extensions.containerSecurityContext | object | See [values.yaml] | Server UI extensions container-level security context |
 | server.extensions.enabled | bool | `false` | Enable support for Argo UI extensions |
 | server.extensions.image.imagePullPolicy | string | `"IfNotPresent"` | Image pull policy for extensions |
 | server.extensions.image.repository | string | `"ghcr.io/argoproj-labs/argocd-extensions"` | Repository to use for extensions image |
@ -733,10 +770,17 @@ server:
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | dex.affinity | object | `{}` | Assign custom [affinity] rules to the deployment |
 | dex.certificateSecret.annotations | object | `{}` | Annotations to be added to argocd-dex-server-tls secret |
 | dex.certificateSecret.ca | string | `""` | Certificate authority. Required for self-signed certificates. |
 | dex.certificateSecret.crt | string | `""` | Certificate data. Must contain SANs of Dex service (ie: argocd-dex-server, argocd-dex-server.argo-cd.svc) |
 | dex.certificateSecret.enabled | bool | `false` | Create argocd-dex-server-tls secret |
 | dex.certificateSecret.key | string | `""` | Certificate private key |
 | dex.certificateSecret.labels | object | `{}` | Labels to be added to argocd-dex-server-tls secret |
 | dex.containerPortGrpc | int | `5557` | Container port for gRPC access |
 | dex.containerPortHttp | int | `5556` | Container port for HTTP access |
 | dex.containerPortMetrics | int | `5558` | Container port for metrics access |
-| dex.containerSecurityContext | object | `{}` | Dex container-level security context |
+| dex.containerSecurityContext | object | See [values.yaml] | Dex container-level security context |
 | dex.deploymentAnnotations | object | `{}` | Annotations to be added to the Dex server Deployment |
 | dex.enabled | bool | `true` | Enable dex |
 | dex.env | list | `[]` | Environment variables to pass to the Dex server |
 | dex.envFrom | list | `[]` (See [values.yaml]) | envFrom to pass to the Dex server |
@ -744,7 +788,7 @@ server:
 | dex.extraContainers | list | `[]` | Additional containers to be added to the dex pod |
 | dex.image.imagePullPolicy | string | `""` (defaults to global.image.imagePullPolicy) | Dex imagePullPolicy |
 | dex.image.repository | string | `"ghcr.io/dexidp/dex"` | Dex image repository |
-| dex.image.tag | string | `"v2.35.3-distroless"` | Dex image tag |
+| dex.image.tag | string | `"v2.35.3"` | Dex image tag |
 | dex.imagePullSecrets | list | `[]` (defaults to global.imagePullSecrets) | Secrets with credentials to pull images from a private registry |
 | dex.initContainers | list | `[]` | Init containers to add to the dex pod |
 | dex.initImage.imagePullPolicy | string | `""` (defaults to global.image.imagePullPolicy) | Argo CD init image imagePullPolicy |
@ -809,7 +853,8 @@ server:
 |-----|------|---------|-------------|
 | redis.affinity | object | `{}` | Assign custom [affinity] rules to the deployment |
 | redis.containerPort | int | `6379` | Redis container port |
-| redis.containerSecurityContext | object | `{}` | Redis container-level security context |
+| redis.containerSecurityContext | object | See [values.yaml] | Redis container-level security context |
 | redis.deploymentAnnotations | object | `{}` | Annotations to be added to the Redis server Deployment |
 | redis.enabled | bool | `true` | Enable redis |
 | redis.env | list | `[]` | Environment variables to pass to the Redis server |
 | redis.envFrom | list | `[]` (See [values.yaml]) | envFrom to pass to the Redis server |
@ -817,10 +862,11 @@ server:
 | redis.extraContainers | list | `[]` | Additional containers to be added to the redis pod |
 | redis.image.imagePullPolicy | string | `"IfNotPresent"` | Redis imagePullPolicy |
 | redis.image.repository | string | `"quay.io/codefresh/redis"` | Redis repository |
-| redis.image.tag | string | `"7.0.4-alpine"` | Redis tag |
+| redis.image.tag | string | `"7.0.5-alpine"` | Redis tag |
 | redis.imagePullSecrets | list | `[]` (defaults to global.imagePullSecrets) | Secrets with credentials to pull images from a private registry |
 | redis.initContainers | list | `[]` | Init containers to add to the redis pod |
 | redis.metrics.containerPort | int | `9121` | Port to use for redis-exporter sidecar |
 | redis.metrics.containerSecurityContext | object | See [values.yaml] | Redis exporter security context |
 | redis.metrics.enabled | bool | `false` | Deploy metrics service and redis-exporter sidecar |
 | redis.metrics.image.imagePullPolicy | string | `"IfNotPresent"` | redis-exporter image PullPolicy |
 | redis.metrics.image.repository | string | `"public.ecr.aws/bitnami/redis-exporter"` | redis-exporter image repository |
@ -853,7 +899,7 @@ server:
 | redis.podLabels | object | `{}` | Labels to be added to the Redis server pods |
 | redis.priorityClassName | string | `""` | Priority class for redis |
 | redis.resources | object | `{}` | Resource limits and requests for redis |
-| redis.securityContext | object | `{"runAsNonRoot":true,"runAsUser":999}` | Redis pod-level security context |
+| redis.securityContext | object | See [values.yaml] | Redis pod-level security context |
 | redis.service.annotations | object | `{}` | Redis service annotations |
 | redis.service.labels | object | `{}` | Additional redis service labels |
 | redis.serviceAccount.annotations | object | `{}` | Annotations applied to created service account |
@ -985,7 +1031,7 @@ If you want to use an existing Redis (eg. a managed service from a cloud provide
 | notifications.affinity | object | `{}` | Assign custom [affinity] rules |
 | notifications.argocdUrl | string | `nil` | Argo CD dashboard url; used in place of {{.context.argocdUrl}} in templates |
 | notifications.bots.slack.affinity | object | `{}` | Assign custom [affinity] rules |
-| notifications.bots.slack.containerSecurityContext | object | `{}` | Container Security Context |
+| notifications.bots.slack.containerSecurityContext | object | See [values.yaml] | Slack bot container-level security Context |
 | notifications.bots.slack.enabled | bool | `false` | Enable slack bot |
 | notifications.bots.slack.image.imagePullPolicy | string | `""` (defaults to global.image.imagePullPolicy) | Image pull policy for the Slack bot |
 | notifications.bots.slack.image.repository | string | `""` (defaults to global.image.repository) | Repository to use for the Slack bot |
@ -998,7 +1044,6 @@ If you want to use an existing Redis (eg. a managed service from a cloud provide
 | notifications.bots.slack.pdb.maxUnavailable | string | `""` | Number of pods that are unavailble after eviction as number or percentage (eg.: 50%). |
 | notifications.bots.slack.pdb.minAvailable | string | `""` (defaults to 0 if not specified) | Number of pods that are available after eviction as number or percentage (eg.: 50%) |
 | notifications.bots.slack.resources | object | `{}` | Resource limits and requests for the Slack bot |
 | notifications.bots.slack.securityContext | object | `{"runAsNonRoot":true}` | Pod Security Context |
 | notifications.bots.slack.service.annotations | object | `{}` | Service annotations for Slack bot |
 | notifications.bots.slack.service.port | int | `80` | Service port for Slack bot |
 | notifications.bots.slack.service.type | string | `"LoadBalancer"` | Service type for Slack bot |
@ -1006,10 +1051,10 @@ If you want to use an existing Redis (eg. a managed service from a cloud provide
 | notifications.bots.slack.serviceAccount.create | bool | `true` | Specifies whether a service account should be created |
 | notifications.bots.slack.serviceAccount.name | string | `"argocd-notifications-bot"` | The name of the service account to use. |
 | notifications.bots.slack.tolerations | list | `[]` | [Tolerations] for use with node taints |
 | notifications.bots.slack.updateStrategy | object | `{"type":"Recreate"}` | The deployment strategy to use to replace existing pods with new ones |
 | notifications.cm.create | bool | `true` | Whether helm chart creates controller config map |
-| notifications.containerSecurityContext | object | `{}` | Container Security Context |
+| notifications.containerSecurityContext | object | See [values.yaml] | Notification controller container-level security Context |
 | notifications.context | object | `{}` | Define user-defined context |
 | notifications.deploymentAnnotations | object | `{}` | Annotations to be applied to the notifications controller Deployment |
 | notifications.enabled | bool | `false` | Enable notifications controller |
 | notifications.extraArgs | list | `[]` | Extra arguments to provide to the controller |
 | notifications.extraEnv | list | `[]` | Additional container environment variables |
@ -1064,10 +1109,12 @@ Autogenerated from chart metadata using [helm-docs](https://github.com/norwoodj/
 [affinity]: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
 [BackendConfigSpec]: https://cloud.google.com/kubernetes-engine/docs/concepts/backendconfig#backendconfigspec_v1beta1_cloudgooglecom
 [CSS styles]: https://argo-cd.readthedocs.io/en/stable/operator-manual/custom-styles/
 [changelog]: https://artifacthub.io/packages/helm/argo/argo-cd?modal=changelog
 [external cluster credentials]: https://argo-cd.readthedocs.io/en/stable/operator-manual/declarative-setup/#clusters
 [FrontendConfigSpec]: https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-features#configuring_ingress_features_through_frontendconfig_parameters
-[Declarative setup]: https://argo-cd.readthedocs.io/en/stable/operator-manual/declarative-setup
+[declarative setup]: https://argo-cd.readthedocs.io/en/stable/operator-manual/declarative-setup
 [gRPC-ingress]: https://argo-cd.readthedocs.io/en/stable/operator-manual/ingress/
 [GnuPG]: https://argo-cd.readthedocs.io/en/stable/user-guide/gpg-verification/
 [HPA]: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/
 [MetricRelabelConfigs]: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#metric_relabel_configs
 [Node selector]: https://kubernetes.io/docs/user-guide/node-selection/
--- a/charts/argo-cd/README.md.gotmpl
+++ b/charts/argo-cd/README.md.gotmpl
@ -10,7 +10,7 @@ This is a **community maintained** chart. This chart installs [argo-cd](https://
 The default installation is intended to be similar to the provided Argo CD [releases](https://github.com/argoproj/argo-cd/releases).
-If you want to avoid including sensitive information unencrypted (clear text) in your version control, make use of the [declarative set up](https://argo-cd.readthedocs.io/en/stable/operator-manual/declarative-setup/) of Argo CD.
+If you want to avoid including sensitive information unencrypted (clear text) in your version control, make use of the [declarative setup] of Argo CD.
 For instance, rather than adding repositories and their keys in your Helm values, you could deploy [SealedSecrets](https://github.com/bitnami-labs/sealed-secrets) with contents as seen in this [repositories section](https://argo-cd.readthedocs.io/en/stable/operator-manual/declarative-setup/#repositories) or any other secrets manager service (i.e. HashiCorp Vault, AWS/GCP Secrets Manager, etc.).
 ## High Availability
@ -41,7 +41,7 @@ repoServer:
    minReplicas: 2
 applicationSet:
-  replicas: 2
+  replicaCount: 2
 ```
 ### HA mode without autoscaling
@ -60,7 +60,7 @@ repoServer:
  replicas: 2
 applicationSet:
-  replicas: 2
+  replicaCount: 2
 ```
 ### Synchronizing Changes from Original Repository
@ -83,8 +83,6 @@ git diff v1.8.7 v2.0.0 -- manifests/install.yaml
 Changes in the `CustomResourceDefinition` resources shall be fixed easily by copying 1:1 from the [`manifests/crds` folder](https://github.com/argoproj/argo-cd/tree/master/manifests/crds) into this [`charts/argo-cd/templates/crds` folder](https://github.com/argoproj/argo-helm/tree/master/charts/argo-cd/templates/crds).
 ## Upgrading
 ### Custom resource definitions
 Some users would prefer to install the CRDs _outside_ of the chart. You can disable the CRD installation of this chart by using `--set crds.install=false` when installing the chart.
@ -100,6 +98,32 @@ kubectl apply -k "https://github.com/argoproj/argo-cd/manifests/crds?ref=<appVer
 kubectl apply -k "https://github.com/argoproj/argo-cd/manifests/crds?ref=v2.4.9"
 ```
 ## Changelog
 For full list of changes please check ArtifactHub [changelog].
 Highlighted versions provide information about additional steps that should be performed by user when upgrading to newer version.
 ### 5.13.0
 This version reduces history limit for Argo CD deployment replicas to 3 to provide more visibility for Argo CD deployments that manage itself. If you need more deployment revisions for rollbacks set `global.revisionHistoryLimit` parameter.
 ### 5.12.0
 This version deprecates the `configs.secret.argocdServerTlsConfig` option. Use `server.certificate` or `server.certificateSecret` to provide custom TLS configuration for Argo CD server.
 If you terminate TLS on ingress please use `argocd-server-tls` secret instead of `argocd-secret` secret.
 ### 5.10.0
 This version hardens security by configuring default container security contexts and adds hard requirement for Kubernetes 1.22+ to work properly.
 The change aligns chart with officially [supported versions](https://argo-cd.readthedocs.io/en/release-2.5/operator-manual/installation/#supported-versions) by upstream project.
 ### 5.7.0
 This version introcudes new `configs.cm` and `configs.rbac` sections that replaces `server.config` and `server.rbacConfig` respectively.
 Please move your current configuration to the new place. The Argo CD RBAC config now also sets defaults in the `argocd-rbac-cm`.
 If you have manually created this ConfigMap please ensure templating is disabled so you will not lose your changes.
 ### 5.5.20
 This version moved API version templates into dedicated helper. If you are using these in your umbrella
@ -312,7 +336,7 @@ server:
 ## Prerequisites
- Kubernetes 1.7+
+- {{ template "chart.kubeVersionLine" . }}
 - Helm v3.0.0+
 ## Installing the Chart
@ -490,10 +514,12 @@ Autogenerated from chart metadata using [helm-docs](https://github.com/norwoodj/
 [affinity]: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
 [BackendConfigSpec]: https://cloud.google.com/kubernetes-engine/docs/concepts/backendconfig#backendconfigspec_v1beta1_cloudgooglecom
 [CSS styles]: https://argo-cd.readthedocs.io/en/stable/operator-manual/custom-styles/
 [changelog]: https://artifacthub.io/packages/helm/argo/argo-cd?modal=changelog
 [external cluster credentials]: https://argo-cd.readthedocs.io/en/stable/operator-manual/declarative-setup/#clusters
 [FrontendConfigSpec]: https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-features#configuring_ingress_features_through_frontendconfig_parameters
-[Declarative setup]: https://argo-cd.readthedocs.io/en/stable/operator-manual/declarative-setup
+[declarative setup]: https://argo-cd.readthedocs.io/en/stable/operator-manual/declarative-setup
 [gRPC-ingress]: https://argo-cd.readthedocs.io/en/stable/operator-manual/ingress/
 [GnuPG]: https://argo-cd.readthedocs.io/en/stable/user-guide/gpg-verification/
 [HPA]: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/
 [MetricRelabelConfigs]: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#metric_relabel_configs
 [Node selector]: https://kubernetes.io/docs/user-guide/node-selection/
--- a/charts/argo-cd/templates/NOTES.txt
+++ b/charts/argo-cd/templates/NOTES.txt
@ -28,24 +28,42 @@ DEPRECATED option server.logFormat - Use configs.params.server.log.format
 {{- if .Values.server.logLevel }}
 DEPRECATED option server.logLevel - Use configs.params.server.log.level
 {{- end }}
 {{- if has "--insecure" .Values.server.extraArgs }}
 DEPRECATED option server.extraArgs."--insecure" - Use configs.params.server.insecure
 {{- end }}
 {{- if .Values.repoServer.logFormat }}
 DEPRECATED option repoServer.logFormat - Use configs.params.repoServer.log.format
 {{- end }}
 {{- if .Values.repoServer.logLevel }}
 DEPRECATED option repoServer.logLevel - Use configs.params.repoServer.log.level
 {{- end }}
-{{- if or .Values.server.config .Values.server.configEnabled .Values.server.configAnnotations }}
+{{- if or .Values.server.config (hasKey .Values.server "configEnabled") .Values.server.configAnnotations }}
 DEPRECATED option server.config - Use configs.cm
 {{- end }}
-{{- if or .Values.server.rbacConfig .Values.server.rbacConfigCreate .Values.server.rbacConfigAnnotations }}
+{{- if or .Values.server.rbacConfig (hasKey .Values.server "rbacConfigCreate") .Values.server.rbacConfigAnnotations }}
 DEPRECATED option server.rbacConfig - Use configs.rbac
 {{- end }}
 {{- if .Values.configs.secret.argocdServerTlsConfig }}
 DEPRECATED option config.secret.argocdServerTlsConfig - Use server.certificate or server.certificateSecret
 {{- end }}
 {{- if .Values.configs.gpgKeys }}
 DEPRECATED option configs.gpgKeys - Use config.gpg.keys
 {{- end }}
 {{- if .Values.configs.gpgKeysAnnotations }}
 DEPRECATED option configs.gpgKeysAnnotations - Use config.gpg.annotations
 {{- end }}
 {{- if .Values.controller.service }}
 REMOVED option controller.service - Use controller.metrics
 {{- end }}
 {{- if .Values.repoServer.copyutil }}
 REMOVED option repoSever.copyutil.resources - Use repoServer.resources
 {{- end }}
 {{- if .Values.applicationSet.args.debug }}
 REMOVED option applicationSet.args.debug - Use applicationSet.logLevel: debug
 {{- end }}
 {{- if .Values.applicationSet.args.enableLeaderElection }}
 REMOVED option applicationSet.args.enableLeaderElection - Value determined based on replicas
 {{- end }}
 In order to access the server UI you have the following options:
@ -58,14 +76,14 @@ In order to access the server UI you have the following options:
      - Set the `configs.params."server.insecure"` in the values file and terminate SSL at your ingress: https://argo-cd.readthedocs.io/en/stable/operator-manual/ingress/#option-2-multiple-ingress-objects-and-hosts
-{{ if eq (index (coalesce .Values.server.config .Values.configs.cm) "admin.enabled") "true" -}}
+{{ if eq (toString (index (coalesce .Values.server.config .Values.configs.cm) "admin.enabled")) "true" -}}
 After reaching the UI the first time you can login with username: admin and the random password generated during the installation. You can find the password by running:
 kubectl -n {{ .Release.Namespace }} get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d
 (You should delete the initial secret afterwards as suggested by the Getting Started Guide: https://argo-cd.readthedocs.io/en/stable/getting_started/#4-login-using-the-cli)
-{{ else if or (index .Values.server.config "dex.config") (index .Values.server.config "oidc.config") -}}
+{{ else if or (index .Values.configs.cm "dex.config") (index .Values.configs.cm "oidc.config") -}}
 After reaching the UI the first time you can login using Dex or OIDC.
 {{ else -}}
-After reaching the UI the first time you cannot login with username and password since you've disabled it. You should enable admin back or configure Dex via `server.config.dex.config` or OIDC via `server.config.oidc.config`.
+After reaching the UI the first time you cannot login with username and password since you've disabled it. You should enable admin back or configure Dex via `configs.cm.dex.config` or OIDC via `configs.cm.oidc.config`.
 {{ end -}}
--- a/charts/argo-cd/templates/_helpers.tpl
+++ b/charts/argo-cd/templates/_helpers.tpl
@ -15,6 +15,17 @@ Create dex name and version as used by the chart label.
 {{- printf "%s-%s" (include "argo-cd.fullname" .) .Values.dex.name | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 {{/*
 Create Dex server endpoint
 */}}
 {{- define "argo-cd.dex.server" -}}
 {{- $insecure := index .Values.configs.params "dexserver.disable.tls" | toString -}}
 {{- $scheme := (eq $insecure "true") | ternary "http" "https" -}}
 {{- $host := include "argo-cd.dex.fullname" . -}}
 {{- $port := int .Values.dex.servicePortHttp -}}
 {{- printf "%s://%s:%d" $scheme $host $port }}
 {{- end }}
 {{/*
 Create redis name and version as used by the chart label.
 */}}
@ -171,9 +182,11 @@ ui.cssurl: "./custom/custom.styles.css"
 Merge Argo Configuration with Preset Configuration
 */}}
 {{- define "argo-cd.config.cm" -}}
-{{- $config := coalesce .Values.server.config (omit .Values.configs.cm "create" "annotations") -}}
+{{- $config := (mergeOverwrite (deepCopy (omit .Values.configs.cm "create" "annotations")) (.Values.server.config | default dict))  -}}
 {{- $preset := include "argo-cd.config.cm.presets" . | fromYaml | default dict -}}
-{{- mergeOverwrite $preset $config | toYaml }}
+{{- range $key, $value := mergeOverwrite $preset $config }}
 {{ $key }}: {{ toString $value | toYaml }}
 {{- end }}
 {{- end -}}
 {{/*
@ -181,11 +194,13 @@ Argo Params Default Configuration Presets
 */}}
 {{- define "argo-cd.config.params.presets" -}}
 repo.server: "{{ include "argo-cd.repoServer.fullname" . }}:{{ .Values.repoServer.service.port }}"
 server.repo.server.strict.tls: {{ .Values.repoServer.certificateSecret.enabled | toString }}
 {{- with include "argo-cd.redis.server" . }}
 redis.server: {{ . | quote }}
 {{- end }}
 {{- if .Values.dex.enabled }}
-server.dex.server: "http://{{ include "argo-cd.dex.fullname" . }}:{{ .Values.dex.servicePortHttp }}"
+server.dex.server: {{ include "argo-cd.dex.server" . | quote }}
 server.dex.server.strict.tls: {{ .Values.dex.certificateSecret.enabled | toString }}
 {{- end }}
 {{- range $component := tuple "controller" "server" "reposerver" }}
 {{ $component }}.log.format: {{ $.Values.global.logging.format | quote }}
@ -198,8 +213,8 @@ Merge Argo Params Configuration with Preset Configuration
 */}}
 {{- define "argo-cd.config.params" -}}
 {{- $config := omit .Values.configs.params "annotations" }}
-{{- $preset := include "argo-cd.config.params.presets" $ | fromYaml | default dict -}}
+{{- $preset := include "argo-cd.config.params.presets" . | fromYaml | default dict -}}
 {{- range $key, $value := mergeOverwrite $preset $config }}
-{{ $key }}: {{ $value | quote }}
+{{ $key }}: {{ toString $value | toYaml }}
 {{- end }}
 {{- end -}}
--- a/charts/argo-cd/templates/argocd-application-controller/networkpolicy.yaml
+++ b/charts/argo-cd/templates/argocd-application-controller/networkpolicy.yaml
@ -10,7 +10,7 @@ spec:
  - from:
    - namespaceSelector: {}
    ports:
-    - port: controller
+    - port: metrics
  podSelector:
    matchLabels:
      {{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.controller.name) | nindent 6 }}
--- a/charts/argo-cd/templates/argocd-application-controller/statefulset.yaml
+++ b/charts/argo-cd/templates/argocd-application-controller/statefulset.yaml
@ -1,16 +1,23 @@
 apiVersion: apps/v1
 kind: StatefulSet
 metadata:
  {{- with (mergeOverwrite (deepCopy .Values.global.statefulsetAnnotations) .Values.controller.statefulsetAnnotations) }}
  annotations:
    {{- range $key, $value := . }}
    {{ $key }}: {{ $value | quote }}
    {{- end }}
  {{- end }}
  name: {{ template "argo-cd.controller.fullname" . }}
  labels:
    {{- include "argo-cd.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }}
 spec:
  replicas: {{ .Values.controller.replicas }}
  # TODO: Remove for breaking release as history limit cannot be patched
  revisionHistoryLimit: 5
  serviceName: {{ include "argo-cd.controller.fullname" . }}
  selector:
    matchLabels:
      {{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.controller.name) | nindent 6 }}
  serviceName: {{ template "argo-cd.controller.fullname" . }}
  revisionHistoryLimit: 5
  replicas: {{ .Values.controller.replicas }}
  template:
    metadata:
      annotations:
@ -81,10 +88,6 @@ spec:
        image: {{ default .Values.global.image.repository .Values.controller.image.repository }}:{{ default (include "argo-cd.defaultTag" .) .Values.controller.image.tag }}
        imagePullPolicy: {{ default .Values.global.image.imagePullPolicy .Values.controller.image.imagePullPolicy }}
        name: {{ .Values.controller.name }}
        {{- with .Values.controller.containerSecurityContext }}
        securityContext:
          {{- toYaml . | nindent 10 }}
        {{- end }}
        env:
          {{- with .Values.controller.env }}
            {{- toYaml . | nindent 10 }}
@ -163,6 +166,12 @@ spec:
                name: argocd-cmd-params-cm
                key: controller.repo.server.strict.tls
                optional: true
          - name: ARGOCD_APPLICATION_CONTROLLER_PERSIST_RESOURCE_HEALTH
            valueFrom:
              configMapKeyRef:
                name: argocd-cmd-params-cm
                key: controller.resource.health.persist
                optional: true
          - name: ARGOCD_APP_STATE_CACHE_EXPIRATION
            valueFrom:
              configMapKeyRef:
@ -175,6 +184,12 @@ spec:
                name: argocd-cmd-params-cm
                key: redis.server
                optional: true
          - name: REDIS_COMPRESSION
            valueFrom:
              configMapKeyRef:
                name: argocd-cmd-params-cm
                key: redis.compression
                optional: true
          - name: REDISDB
            valueFrom:
              configMapKeyRef:
@ -205,6 +220,12 @@ spec:
                name: argocd-cmd-params-cm
                key: otlp.address
                optional: true
          - name: ARGOCD_APPLICATION_NAMESPACES
            valueFrom:
              configMapKeyRef:
                name: argocd-cmd-params-cm
                key: application.namespaces
                optional: true
        {{- with .Values.controller.envFrom }}
        envFrom:
          {{- toYaml . | nindent 10 }}
@ -213,34 +234,28 @@ spec:
        - name: metrics
          containerPort: {{ .Values.controller.containerPort }}
          protocol: TCP
-        livenessProbe:
+        readinessProbe:
          httpGet:
            path: /healthz
-            port: {{ .Values.controller.containerPort }}
+            port: metrics
          initialDelaySeconds: {{ .Values.controller.livenessProbe.initialDelaySeconds }}
          periodSeconds: {{ .Values.controller.livenessProbe.periodSeconds }}
          timeoutSeconds: {{ .Values.controller.livenessProbe.timeoutSeconds }}
          successThreshold: {{ .Values.controller.livenessProbe.successThreshold }}
          failureThreshold: {{ .Values.controller.livenessProbe.failureThreshold }}
        readinessProbe:
          tcpSocket:
            port: {{ .Values.controller.containerPort }}
          initialDelaySeconds: {{ .Values.controller.readinessProbe.initialDelaySeconds }}
          periodSeconds: {{ .Values.controller.readinessProbe.periodSeconds }}
          timeoutSeconds: {{ .Values.controller.readinessProbe.timeoutSeconds }}
          successThreshold: {{ .Values.controller.readinessProbe.successThreshold }}
          failureThreshold: {{ .Values.controller.readinessProbe.failureThreshold }}
        workingDir: /home/argocd
        volumeMounts:
        - name: argocd-home
          mountPath: /home/argocd
        - mountPath: /app/config/controller/tls
          name: argocd-repo-server-tls
        {{- with .Values.controller.volumeMounts }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
        resources:
          {{- toYaml .Values.controller.resources | nindent 10 }}
        securityContext:
          {{- toYaml .Values.controller.containerSecurityContext | nindent 10 }}
        workingDir: /home/argocd
        volumeMounts:
        {{- with .Values.controller.volumeMounts }}
          {{- toYaml . | nindent 8 }}
        {{- end }}
        - mountPath: /app/config/controller/tls
          name: argocd-repo-server-tls
        - mountPath: /home/argocd
          name: argocd-home
      {{- with .Values.controller.extraContainers }}
        {{- toYaml . | nindent 6 }}
      {{- end }}
@ -273,10 +288,15 @@ spec:
        {{- toYaml . | nindent 6 }}
      {{- end }}
      volumes:
-      - emptyDir: {}
+      {{- with .Values.controller.volumes }}
-        name: argocd-home
+        {{- toYaml . | nindent 6 }}
      {{- end }}
      - name: argocd-home
        emptyDir: {}
      - name: argocd-repo-server-tls
        secret:
          secretName: argocd-repo-server-tls
          optional: true
          items:
          - key: tls.crt
            path: tls.crt
@ -284,11 +304,6 @@ spec:
            path: tls.key
          - key: ca.crt
            path: ca.crt
          optional: true
          secretName: argocd-repo-server-tls
      {{- with .Values.controller.volumes }}
        {{- toYaml . | nindent 6 }}
      {{- end }}
      {{- with .Values.controller.initContainers }}
      initContainers:
        {{- toYaml . | nindent 6 }}
--- a/charts/argo-cd/templates/argocd-applicationset/role.yaml
+++ b/charts/argo-cd/templates/argocd-applicationset/role.yaml
@ -47,9 +47,20 @@ rules:
  - apiGroups:
    - ""
    resources:
    - secrets
    - configmaps
    verbs:
    - create
    - update
    - delete
    - get
    - list
    - patch
    - watch
  - apiGroups:
    - ""
    resources:
    - secrets
    verbs:
    - get
    - list
    - watch
@ -62,16 +73,6 @@ rules:
    - get
    - list
    - watch
  # Leader election
  - apiGroups:
    - ""
    resources:
    - configmaps
    verbs:
    - create
    - update
    - delete
    - patch
  - apiGroups:
    - coordination.k8s.io
    resources:
--- a/charts/argo-cd/templates/argocd-configs/argocd-cm.yaml
+++ b/charts/argo-cd/templates/argocd-configs/argocd-cm.yaml
@ -1,16 +1,16 @@
-{{- if (coalesce .Values.server.configEnabled .Values.configs.cm.create) }}
+{{- if (hasKey .Values.server "configEnabled") | ternary .Values.server.configEnabled .Values.configs.cm.create }}
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: argocd-cm
  labels:
    {{- include "argo-cd.labels" (dict "context" . "component" .Values.server.name "name" "cm") | nindent 4 }}
-  {{- with (coalesce .Values.server.configAnnotations .Values.configs.cm.annotations) }}
+  {{- with (mergeOverwrite (deepCopy .Values.configs.cm.annotations) (.Values.server.configAnnotations | default dict)) }}
  annotations:
    {{- range $key, $value := . }}
    {{ $key }}: {{ $value | quote }}
    {{- end }}
  {{- end }}
 data:
-  {{- include "argo-cd.config.cm" . | nindent 2 }}
+  {{- include "argo-cd.config.cm" . | trim | nindent 2 }}
 {{- end }}
--- a/charts/argo-cd/templates/argocd-configs/argocd-dex-server-tls-secret.yaml
+++ b/charts/argo-cd/templates/argocd-configs/argocd-dex-server-tls-secret.yaml
@ -0,0 +1,24 @@
 {{- if and .Values.dex.enabled .Values.dex.certificateSecret.enabled }}
 apiVersion: v1
 kind: Secret
 metadata:
  name: argocd-dex-server-tls
  labels:
    {{- include "argo-cd.labels" (dict "context" . "component" .Values.dex.name "name" "dex-server-tls") | nindent 4 }}
    {{- with .Values.dex.certificateSecret.labels }}
      {{- toYaml . | nindent 4 }}
    {{- end }}
  {{- with .Values.dex.certificateSecret.annotations }}
  annotations:
    {{- range $key, $value := . }}
    {{ $key }}: {{ $value | quote }}
    {{- end }}
  {{- end }}
 type: kubernetes.io/tls
 data:
  {{- with .Values.dex.certificateSecret.ca }}
  ca.crt: {{ . | b64enc | quote }}
  {{- end }}
  tls.crt: {{ .Values.dex.certificateSecret.crt | b64enc | quote }}
  tls.key: {{ .Values.dex.certificateSecret.key | b64enc | quote }}
 {{- end }}
--- a/charts/argo-cd/templates/argocd-configs/argocd-gpg-keys-cm.yaml
+++ b/charts/argo-cd/templates/argocd-configs/argocd-gpg-keys-cm.yaml
@ -4,13 +4,13 @@ metadata:
  name: argocd-gpg-keys-cm
  labels:
    {{- include "argo-cd.labels" (dict "context" . "name" "gpg-keys-cm") | nindent 4 }}
-  {{- with .Values.configs.gpgKeysAnnotations }}
+  {{ with (mergeOverwrite (deepCopy .Values.configs.gpg.annotations) (.Values.configs.gpgKeysAnnotations | default dict)) -}}
  annotations:
    {{- range $key, $value := . }}
    {{ $key }}: {{ $value | quote }}
    {{- end }}
  {{- end }}
-{{- with .Values.configs.gpgKeys }}
+{{ with (mergeOverwrite (deepCopy .Values.configs.gpg.keys) (.Values.configs.gpgKeys | default dict)) -}}
 data:
  {{- toYaml . | nindent 2 }}
 {{- end }}
--- a/charts/argo-cd/templates/argocd-configs/argocd-rbac-cm.yaml
+++ b/charts/argo-cd/templates/argocd-configs/argocd-rbac-cm.yaml
@ -1,17 +1,17 @@
-{{- if (coalesce .Values.server.rbacConfigCreate .Values.configs.rbac.create) }}
+{{- if (hasKey .Values.server "rbacConfigCreate") | ternary .Values.server.rbacConfigCreate .Values.configs.rbac.create }}
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: argocd-rbac-cm
  labels:
    {{- include "argo-cd.labels" (dict "context" . "component" .Values.server.name "name" "rbac-cm") | nindent 4 }}
-  {{- with (coalesce .Values.server.rbacConfigAnnotations .Values.configs.rbac.annotations) }}
+  {{- with (mergeOverwrite (deepCopy .Values.configs.rbac.annotations) (.Values.server.rbacConfigAnnotations | default dict)) }}
  annotations:
    {{- range $key, $value := . }}
    {{ $key }}: {{ $value | quote }}
    {{- end }}
  {{- end }}
-{{- with (coalesce .Values.server.rbacConfig (omit .Values.configs.rbac "create" "annotations")) }}
+{{- with (mergeOverwrite (deepCopy (omit .Values.configs.rbac "create" "annotations")) (.Values.server.rbacConfig | default dict)) }}
 data:
  {{- toYaml . | nindent 2 }}
 {{- end }}
--- a/charts/argo-cd/templates/argocd-configs/argocd-repo-server-tls-secret.yaml
+++ b/charts/argo-cd/templates/argocd-configs/argocd-repo-server-tls-secret.yaml
@ -0,0 +1,24 @@
 {{- if and .Values.repoServer.enabled .Values.repoServer.certificateSecret.enabled }}
 apiVersion: v1
 kind: Secret
 metadata:
  name: argocd-repo-server-tls
  labels:
    {{- include "argo-cd.labels" (dict "context" . "component" .Values.repoServer.name "name" "repo-server-tls") | nindent 4 }}
    {{- with .Values.repoServer.certificateSecret.labels }}
      {{- toYaml . | nindent 4 }}
    {{- end }}
  {{- with .Values.repoServer.certificateSecret.annotations }}
  annotations:
    {{- range $key, $value := . }}
    {{ $key }}: {{ $value | quote }}
    {{- end }}
  {{- end }}
 type: kubernetes.io/tls
 data:
  {{- with .Values.repoServer.certificateSecret.ca }}
  ca.crt: {{ . | b64enc | quote }}
  {{- end }}
  tls.crt: {{ .Values.repoServer.certificateSecret.crt | b64enc | quote }}
  tls.key: {{ .Values.repoServer.certificateSecret.key | b64enc | quote }}
 {{- end }}
--- a/charts/argo-cd/templates/argocd-configs/argocd-server-tls-secret.yaml
+++ b/charts/argo-cd/templates/argocd-configs/argocd-server-tls-secret.yaml
@ -0,0 +1,21 @@
 {{- if and .Values.server.certificateSecret.enabled (not .Values.server.certificate.enabled) }}
 apiVersion: v1
 kind: Secret
 metadata:
  name: argocd-server-tls
  labels:
    {{- include "argo-cd.labels" (dict "context" . "component" .Values.server.name "name" "server-tls") | nindent 4 }}
    {{- with .Values.server.certificateSecret.labels }}
      {{- toYaml . | nindent 4 }}
    {{- end }}
  {{- with .Values.server.certificateSecret.annotations }}
  annotations:
    {{- range $key, $value := . }}
    {{ $key }}: {{ $value | quote }}
    {{- end }}
  {{- end }}
 type: kubernetes.io/tls
 data:
  tls.crt: {{ .Values.server.certificateSecret.crt | b64enc | quote }}
  tls.key: {{ .Values.server.certificateSecret.key | b64enc | quote }}
 {{- end }}
--- a/charts/argo-cd/templates/argocd-configs/argocd-styles-cm.yaml
+++ b/charts/argo-cd/templates/argocd-configs/argocd-styles-cm.yaml
@ -2,7 +2,7 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: argocd-custom-styles
+  name: argocd-styles-cm
  labels:
    {{- include "argo-cd.labels" (dict "context" . "component" .Values.repoServer.name "name" .Values.repoServer.name) | nindent 4 }}
 data:
--- a/charts/argo-cd/templates/argocd-configs/cluster-secrets.yaml
+++ b/charts/argo-cd/templates/argocd-configs/cluster-secrets.yaml
@ -27,5 +27,5 @@ stringData:
    {{- end }}
  {{- end }}
  config: |
-    {{- required "A valid .Values.configs.clusterCredentials[].config entry is required!" .config | toPrettyJson | nindent 4 }}
+    {{- required "A valid .Values.configs.clusterCredentials[].config entry is required!" .config | toRawJson | nindent 4 }}
 {{- end }}
--- a/charts/argo-cd/templates/argocd-notifications/bots/slack/deployment.yaml
+++ b/charts/argo-cd/templates/argocd-notifications/bots/slack/deployment.yaml
@ -2,12 +2,20 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  {{- with (mergeOverwrite (deepCopy .Values.global.deploymentAnnotations) .Values.notifications.deploymentAnnotations) }}
  annotations:
    {{- range $key, $value := . }}
    {{ $key }}: {{ $value | quote }}
    {{- end }}
  {{- end }}
  name: {{ template "argo-cd.notifications.fullname" . }}-bot
  labels:
    {{- include "argo-cd.labels" (dict "context" . "component" .Values.notifications.bots.slack.name "name" .Values.notifications.bots.slack.name) | nindent 4 }}
 spec:
  replicas: 1
  revisionHistoryLimit: {{ .Values.global.revisionHistoryLimit }}
  strategy:
-    {{- .Values.notifications.bots.slack.updateStrategy | toYaml | nindent 4 }}
+    type: Recreate
  selector:
    matchLabels:
      {{- include "argo-cd.selectorLabels" (dict "context" . "component" .Values.notifications.bots.slack.name "name" "metrics") | nindent 6 }}
@ -20,14 +28,15 @@ spec:
      imagePullSecrets:
        {{- toYaml . | nindent 8 }}
      {{- end }}
-      serviceAccountName: {{ template "argo-cd.notificationsBotsSlackServiceAccountName" . }}
+      {{- with .Values.global.securityContext }}
-      securityContext: {{- toYaml (mergeOverwrite (deepCopy .Values.global.securityContext) .Values.notifications.securityContext) | nindent 8 }}
+      securityContext:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      serviceAccountName: {{ include "argo-cd.notificationsBotsSlackServiceAccountName" . }}
      containers:
-        - name: {{ template "argo-cd.notifications.fullname" . }}-bot
+        - name: {{ include "argo-cd.notifications.fullname" . }}-bot
          image: {{ default .Values.global.image.repository .Values.notifications.bots.slack.image.repository }}:{{ default (include "argo-cd.defaultTag" .) .Values.notifications.bots.slack.image.tag }}
          imagePullPolicy: {{ default .Values.global.image.imagePullPolicy .Values.notifications.bots.slack.image.pullPolicy }}
          resources:
            {{- toYaml .Values.notifications.bots.slack.resources | nindent 12 }}
          command:
            - argocd-notifications
            - bot
@ -35,19 +44,20 @@ spec:
          ports:
          - containerPort: 8080
            name: http
-          {{- with .Values.notifications.bots.slack.containerSecurityContext }}
+          resources:
-          securityContext: {{- toYaml . | nindent 12 }}
+            {{- toYaml .Values.notifications.bots.slack.resources | nindent 12 }}
-          {{- end }}
+          securityContext:
            {{- toYaml .Values.notifications.bots.slack.containerSecurityContext | nindent 12 }}
      {{- with .Values.notifications.bots.slack.nodeSelector }}
      nodeSelector:
        {{- toYaml . | nindent 8 }}
      {{- end }}
-    {{- with .Values.notifications.bots.slack.affinity }}
+      {{- with .Values.notifications.bots.slack.affinity }}
      affinity:
        {{- toYaml . | nindent 8 }}
-    {{- end }}
+      {{- end }}
-    {{- with .Values.notifications.bots.slack.tolerations }}
+      {{- with .Values.notifications.bots.slack.tolerations }}
      tolerations:
        {{- toYaml . | nindent 8 }}
-    {{- end }}
+      {{- end }}
 {{ end }}
--- a/charts/argo-cd/templates/argocd-notifications/deployment.yaml
+++ b/charts/argo-cd/templates/argocd-notifications/deployment.yaml
@ -2,10 +2,18 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  {{- with (mergeOverwrite (deepCopy .Values.global.deploymentAnnotations) .Values.notifications.deploymentAnnotations) }}
  annotations:
    {{- range $key, $value := . }}
    {{ $key }}: {{ $value | quote }}
    {{- end }}
  {{- end }}
  name: {{ include "argo-cd.notifications.fullname" . }}
  labels:
    {{- include "argo-cd.labels" (dict "context" . "component" .Values.notifications.name "name" .Values.notifications.name) | nindent 4 }}
 spec:
  replicas: 1
  revisionHistoryLimit: {{ .Values.global.revisionHistoryLimit }}
  strategy:
    type: Recreate
  selector:
@ -38,30 +46,16 @@ spec:
        - name: {{ .Values.notifications.name }}
          image: {{ default .Values.global.image.repository .Values.notifications.image.repository }}:{{ default (include "argo-cd.defaultTag" .) .Values.notifications.image.tag }}
          imagePullPolicy: {{ default .Values.global.image.imagePullPolicy .Values.notifications.image.imagePullPolicy }}
          resources:
            {{- toYaml .Values.notifications.resources | nindent 12 }}
          command:
            - argocd-notifications
            - --loglevel={{ default .Values.global.logging.level .Values.notifications.logLevel }}
            - --logformat={{ default .Values.global.logging.format .Values.notifications.logFormat }}
            {{- if .Values.notifications.metrics.enabled }}
            - --metrics-port={{ .Values.notifications.metrics.port }}
            {{- end }}
            - --namespace={{ .Release.Namespace }}
            - --argocd-repo-server={{ template "argo-cd.repoServer.fullname" . }}:{{ .Values.repoServer.service.port }}
            {{- range .Values.notifications.extraArgs }}
            - {{ . | squote }}
            {{- end }}
          workingDir: /app
          ports:
          {{- if .Values.notifications.metrics.enabled }}
          - containerPort: {{ .Values.notifications.metrics.port }}
            name: metrics
            protocol: TCP
          {{- end }}
          {{- if .Values.notifications.containerSecurityContext }}
          securityContext: {{- toYaml .Values.notifications.containerSecurityContext | nindent 12 }}
          {{- end }}
          {{- with .Values.notifications.extraEnv }}
          env:
            {{- toYaml . | nindent 12 }}
@ -70,6 +64,15 @@ spec:
          envFrom:
            {{- toYaml . | nindent 12 }}
          {{- end }}
          ports:
          - name: metrics
            containerPort: {{ .Values.notifications.metrics.port }}
            protocol: TCP
          resources:
            {{- toYaml .Values.notifications.resources | nindent 12 }}
          securityContext:
            {{- toYaml .Values.notifications.containerSecurityContext | nindent 12 }}
          workingDir: /app
          volumeMounts:
            - name: tls-certs
              mountPath: /app/config/tls
--- a/charts/argo-cd/templates/argocd-repo-server/deployment.yaml
+++ b/charts/argo-cd/templates/argocd-repo-server/deployment.yaml
@ -1,21 +1,30 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  {{- with (mergeOverwrite (deepCopy .Values.global.deploymentAnnotations) .Values.repoServer.deploymentAnnotations) }}
  annotations:
    {{- range $key, $value := . }}
    {{ $key }}: {{ $value | quote }}
    {{- end }}
  {{- end }}
  name: {{ template "argo-cd.repoServer.fullname" . }}
  labels:
    {{- include "argo-cd.labels" (dict "context" . "component" .Values.repoServer.name "name" .Values.repoServer.name) | nindent 4 }}
 spec:
  {{- if not .Values.repoServer.autoscaling.enabled }}
  replicas: {{ .Values.repoServer.replicas }}
  {{- end }}
  revisionHistoryLimit: {{ .Values.global.revisionHistoryLimit }}
  selector:
    matchLabels:
      {{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.repoServer.name) | nindent 6 }}
  revisionHistoryLimit: 5
  {{- if (ne .Values.repoServer.autoscaling.enabled true) }}
  replicas: {{ .Values.repoServer.replicas }}
  {{- end }}
  template:
    metadata:
      annotations:
        checksum/cmd-params: {{ include (print $.Template.BasePath "/argocd-configs/argocd-cmd-params-cm.yaml") . | sha256sum }}
        {{- if .Values.repoServer.certificateSecret.enabled }}
        checksum/repo-server-tls: {{ include (print $.Template.BasePath "/argocd-configs/argocd-repo-server-tls-secret.yaml") . | sha256sum }}
        {{- end }}
        {{- with (mergeOverwrite (deepCopy .Values.global.podAnnotations) .Values.repoServer.podAnnotations) }}
        {{- range $key, $value := . }}
        {{ $key }}: {{ $value | quote }}
@ -55,10 +64,6 @@ spec:
        {{- with .Values.repoServer.extraArgs }}
          {{- toYaml . | nindent 8 }}
        {{- end }}
        {{- with .Values.repoServer.containerSecurityContext }}
        securityContext:
          {{- toYaml . | nindent 10 }}
        {{- end }}
        env:
          {{- with .Values.repoServer.env }}
            {{- toYaml . | nindent 10 }}
@ -127,6 +132,12 @@ spec:
                name: argocd-cmd-params-cm
                key: redis.server
                optional: true
          - name: REDIS_COMPRESSION
            valueFrom:
              configMapKeyRef:
                name: argocd-cmd-params-cm
                key: redis.compression
                optional: true
          - name: REDISDB
            valueFrom:
              configMapKeyRef:
@ -169,6 +180,30 @@ spec:
                name: argocd-cmd-params-cm
                key: reposerver.plugin.tar.exclusions
                optional: true
          - name: ARGOCD_REPO_SERVER_ALLOW_OUT_OF_BOUNDS_SYMLINKS
            valueFrom:
              configMapKeyRef:
                key: reposerver.allow.oob.symlinks
                name: argocd-cmd-params-cm
                optional: true
          - name: ARGOCD_REPO_SERVER_STREAMED_MANIFEST_MAX_TAR_SIZE
            valueFrom:
              configMapKeyRef:
                key: reposerver.streamed.manifest.max.tar.size
                name: argocd-cmd-params-cm
                optional: true
          - name: ARGOCD_REPO_SERVER_STREAMED_MANIFEST_MAX_EXTRACTED_SIZE
            valueFrom:
              configMapKeyRef:
                key: reposerver.streamed.manifest.max.extracted.size
                name: argocd-cmd-params-cm
                optional: true
          - name: ARGOCD_GIT_MODULES_ENABLED
            valueFrom:
              configMapKeyRef:
                key: reposerver.enable.git.submodule
                name: argocd-cmd-params-cm
                optional: true
          - name: HELM_CACHE_HOME
            value: /helm-working-dir
          - name: HELM_CONFIG_HOME
@ -183,53 +218,51 @@ spec:
        {{- if .Values.repoServer.volumeMounts }}
          {{- toYaml .Values.repoServer.volumeMounts | nindent 8 }}
        {{- end }}
        - mountPath: /app/config/ssh
          name: ssh-known-hosts
        - mountPath: /app/config/tls
          name: tls-certs
        - mountPath: /app/config/gpg/source
          name: gpg-keys
        - mountPath: /app/config/gpg/keys
          name: gpg-keyring
        {{- if .Values.configs.knownHosts }}
        - mountPath: /app/config/ssh
          name: ssh-known-hosts
        {{- end }}
        - mountPath: /app/config/tls
          name: tls-certs
        - mountPath: /app/config/reposerver/tls
          name: argocd-repo-server-tls
        - mountPath: /tmp
          name: tmp-dir
        - mountPath: /helm-working-dir
          name: helm-working-dir
        - mountPath: /home/argocd/cmp-server/plugins
          name: plugins
        - mountPath: /tmp
          name: tmp
        ports:
        - name: repo-server
          containerPort: {{ .Values.repoServer.containerPort }}
          protocol: TCP
        {{ if .Values.repoServer.metrics.enabled }}
        - name: metrics
          containerPort: 8084
          protocol: TCP
        {{- end }}
        livenessProbe:
-          tcpSocket:
+          httpGet:
-            port: {{ .Values.repoServer.containerPort }}
+            path: /healthz?full=true
            port: metrics
          initialDelaySeconds: {{ .Values.repoServer.livenessProbe.initialDelaySeconds }}
          periodSeconds: {{ .Values.repoServer.livenessProbe.periodSeconds }}
          timeoutSeconds: {{ .Values.repoServer.livenessProbe.timeoutSeconds }}
          successThreshold: {{ .Values.repoServer.livenessProbe.successThreshold }}
          failureThreshold: {{ .Values.repoServer.livenessProbe.failureThreshold }}
        readinessProbe:
-          tcpSocket:
+          httpGet:
-            port: {{ .Values.repoServer.containerPort }}
+            path: /healthz
            port: metrics
          initialDelaySeconds: {{ .Values.repoServer.readinessProbe.initialDelaySeconds }}
          periodSeconds: {{ .Values.repoServer.readinessProbe.periodSeconds }}
          timeoutSeconds: {{ .Values.repoServer.readinessProbe.timeoutSeconds }}
          successThreshold: {{ .Values.repoServer.readinessProbe.successThreshold }}
          failureThreshold: {{ .Values.repoServer.readinessProbe.failureThreshold }}
        {{- with .Values.repoServer.resources }}
        resources:
-          {{- toYaml . | nindent 10 }}
+          {{- toYaml .Values.repoServer.resources | nindent 10 }}
-        {{- end }}
+        securityContext:
          {{- toYaml .Values.repoServer.containerSecurityContext | nindent 10 }}
      {{- with .Values.repoServer.extraContainers }}
        {{- toYaml . | nindent 6 }}
      {{- end }}
@ -265,23 +298,29 @@ spec:
      {{- with .Values.repoServer.volumes }}
        {{- toYaml . | nindent 6 }}
      {{- end }}
      - name: helm-working-dir
        emptyDir: {}
      - name: plugins
        emptyDir: {}
      - name: var-files
        emptyDir: {}
      - name: tmp
        emptyDir: {}
      - name: ssh-known-hosts
        configMap:
          name: argocd-ssh-known-hosts-cm
      - name: tls-certs
        configMap:
          name: argocd-tls-certs-cm
      - name: gpg-keys
        configMap:
          name: argocd-gpg-keys-cm
-      - emptyDir: {}
+      - name: gpg-keyring
        name: gpg-keyring
      {{- if .Values.configs.knownHosts }}
      - configMap:
          name: argocd-ssh-known-hosts-cm
        name: ssh-known-hosts
      {{- end }}
      - configMap:
          name: argocd-tls-certs-cm
        name: tls-certs
      - name: helm-working-dir
        emptyDir: {}
      - name: argocd-repo-server-tls
        secret:
          secretName: argocd-repo-server-tls
          optional: true
          items:
          - key: tls.crt
            path: tls.crt
@ -289,14 +328,6 @@ spec:
            path: tls.key
          - key: ca.crt
            path: ca.crt
          optional: true
          secretName: argocd-repo-server-tls
      - emptyDir: {}
        name: tmp-dir
      - emptyDir: {}
        name: var-files
      - emptyDir: {}
        name: plugins
      initContainers:
      - command:
        - cp
--- a/charts/argo-cd/templates/argocd-server/certificate.yaml
+++ b/charts/argo-cd/templates/argocd-server/certificate.yaml
@ -2,10 +2,11 @@
 apiVersion: {{ include "argo-cd.apiVersion.cert-manager" . }}
 kind: Certificate
 metadata:
-  name: {{ template "argo-cd.server.fullname" . }}
+  name: {{ include "argo-cd.server.fullname" . }}
  labels:
    {{- include "argo-cd.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }}
 spec:
  secretName: {{ .Values.server.certificate.secretName }}
  commonName: {{ .Values.server.certificate.domain | quote }}
  dnsNames:
    - {{ .Values.server.certificate.domain | quote }}
@ -15,6 +16,9 @@ spec:
  {{- with .Values.server.certificate.duration }}
  duration: {{ . | quote }}
  {{- end }}
  {{- with .Values.server.certificate.renewBefore }}
  renewBefore: {{ . | quote }}
  {{- end }}
  issuerRef:
    {{- with .Values.server.certificate.issuer.group }}
    group: {{ . | quote }}
@ -25,8 +29,4 @@ spec:
  privateKey:
    {{- toYaml . | nindent 4 }}
  {{- end }}
  {{- with .Values.server.certificate.renewBefore }}
  renewBefore: {{ . | quote }}
  {{- end }}
  secretName: {{ .Values.server.certificate.secretName | quote }}
 {{- end }}
--- a/charts/argo-cd/templates/argocd-server/clusterrole.yaml
+++ b/charts/argo-cd/templates/argocd-server/clusterrole.yaml
@ -2,7 +2,7 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: {{ template "argo-cd.server.fullname" . }}
+  name: {{ include "argo-cd.server.fullname" . }}
  labels:
    {{- include "argo-cd.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }}
 rules:
@ -27,12 +27,21 @@ rules:
      - pods/log
    verbs:
      - get
-  {{- if eq (index (coalesce .Values.server.config .Values.configs.cm) "exec.enabled") "true" }}
+  {{- if eq (toString (index (coalesce .Values.server.config .Values.configs.cm) "exec.enabled")) "true" }}
  - apiGroups:
-    - ""
+      - ""
    resources:
-    - pods/exec
+      - pods/exec
    verbs:
-    - create
+      - create
  {{- end }}
  - apiGroups:
      - argoproj.io
    resources:
      - applications
    verbs:
      - get
      - list
      - update
      - watch
 {{- end }}
--- a/charts/argo-cd/templates/argocd-server/deployment.yaml
+++ b/charts/argo-cd/templates/argocd-server/deployment.yaml
@ -1,17 +1,23 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  {{- with (mergeOverwrite (deepCopy .Values.global.deploymentAnnotations) .Values.server.deploymentAnnotations) }}
  annotations:
    {{- range $key, $value := . }}
    {{ $key }}: {{ $value | quote }}
    {{- end }}
  {{- end }}
  name: {{ template "argo-cd.server.fullname" . }}
  labels:
    {{- include "argo-cd.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }}
 spec:
  {{- if not .Values.server.autoscaling.enabled }}
  replicas: {{ .Values.server.replicas }}
  {{- end }}
  revisionHistoryLimit: {{ .Values.global.revisionHistoryLimit }}
  selector:
    matchLabels:
      {{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.server.name) | nindent 6 }}
  revisionHistoryLimit: 5
  {{- if (ne .Values.server.autoscaling.enabled true) }}
  replicas: {{ .Values.server.replicas }}
  {{- end }}
  template:
    metadata:
      annotations:
@ -52,10 +58,6 @@ spec:
        {{- with .Values.server.extraArgs }}
          {{- toYaml . | nindent 8 }}
        {{- end }}
        {{- with .Values.server.containerSecurityContext }}
        securityContext:
          {{- toYaml . | nindent 10 }}
        {{- end }}
        env:
          {{- with .Values.server.env }}
            {{- toYaml . | nindent 10 }}
@ -84,7 +86,7 @@ spec:
                name: argocd-cmd-params-cm
                key: server.log.format
                optional: true
-          - name: ARGOCD_REPO_SERVER_LOGLEVEL
+          - name: ARGOCD_SERVER_LOG_LEVEL
            valueFrom:
              configMapKeyRef:
                name: argocd-cmd-params-cm
@ -144,6 +146,18 @@ spec:
                name: argocd-cmd-params-cm
                key: server.repo.server.strict.tls
                optional: true
          - name: ARGOCD_SERVER_DEX_SERVER_PLAINTEXT
            valueFrom:
              configMapKeyRef:
                name: argocd-cmd-params-cm
                key: server.dex.server.plaintext
                optional: true
          - name: ARGOCD_SERVER_DEX_SERVER_STRICT_TLS
            valueFrom:
              configMapKeyRef:
                name: argocd-cmd-params-cm
                key: server.dex.server.strict.tls
                optional: true
          - name: ARGOCD_TLS_MIN_VERSION
            valueFrom:
              configMapKeyRef:
@ -198,6 +212,12 @@ spec:
                name: argocd-cmd-params-cm
                key: redis.server
                optional: true
          - name: REDIS_COMPRESSION
            valueFrom:
              configMapKeyRef:
                name: argocd-cmd-params-cm
                key: redis.compression
                optional: true
          - name: REDISDB
            valueFrom:
              configMapKeyRef:
@ -234,51 +254,48 @@ spec:
                name: argocd-cmd-params-cm
                key: otlp.address
                optional: true
          - name: ARGOCD_APPLICATION_NAMESPACES
            valueFrom:
              configMapKeyRef:
                name: argocd-cmd-params-cm
                key: application.namespaces
                optional: true
        {{- with .Values.server.envFrom }}
        envFrom:
          {{- toYaml . | nindent 10 }}
        {{- end }}
        volumeMounts:
        {{- with .Values.server.volumeMounts }}
-          {{- toYaml . | nindent 8}}
+          {{- toYaml . | nindent 8 }}
        {{- end }}
        {{- if .Values.server.extensions.enabled }}
        - name: extensions
          mountPath: /tmp/extensions/
        {{- end }}
        {{- if .Values.configs.knownHosts }}
        - mountPath: /app/config/ssh
          name: ssh-known-hosts
        {{- end }}
        - mountPath: /app/config/tls
          name: tls-certs
        - mountPath: /app/config/server/tls
          name: argocd-repo-server-tls
-        {{- if .Values.configs.styles }}
+        - mountPath: /app/config/dex/tls
-        - mountPath: "/shared/app/custom/custom.styles.css"
+          name: argocd-dex-server-tls
          subPath: "custom.styles.css"
          name: custom-styles
        {{- end }}
        {{- if .Values.server.containerSecurityContext.readOnlyRootFilesystem }}
        - mountPath: /home/argocd/.aws
          name: aws-config
        {{- end }}
        - mountPath: /home/argocd
          name: plugins-home
        - mountPath: /shared/app/custom
          name: styles
        - mountPath: /tmp
-          name: tmp-dir
+          name: tmp
        {{- if .Values.server.extensions.enabled }}
        - mountPath: /tmp/extensions
          name: extensions
        {{- end }}
        ports:
        - name: {{ .Values.server.name }}
          containerPort: {{ .Values.server.containerPort }}
          protocol: TCP
        {{ if .Values.server.metrics.enabled }}
        - name: metrics
          containerPort: 8083
          protocol: TCP
        {{- end }}
        livenessProbe:
          httpGet:
-            path: /healthz
+            path: /healthz?full=true
            port: {{ .Values.server.containerPort }}
          initialDelaySeconds: {{ .Values.server.livenessProbe.initialDelaySeconds }}
          periodSeconds: {{ .Values.server.livenessProbe.periodSeconds }}
@ -294,10 +311,10 @@ spec:
          timeoutSeconds: {{ .Values.server.readinessProbe.timeoutSeconds }}
          successThreshold: {{ .Values.server.readinessProbe.successThreshold }}
          failureThreshold: {{ .Values.server.readinessProbe.failureThreshold }}
        {{- with .Values.server.resources }}
        resources:
-          {{- toYaml . | nindent 10 }}
+          {{- toYaml .Values.server.resources | nindent 10 }}
-        {{- end }}
+        securityContext:
          {{- toYaml .Values.server.containerSecurityContext | nindent 10 }}
        {{- with .Values.server.lifecycle }}
        lifecycle:
          {{- toYaml . | nindent 10 }}
@ -309,11 +326,15 @@ spec:
      - name: argocd-extensions
        image: {{ .Values.server.extensions.image.repository }}:{{ .Values.server.extensions.image.tag }}
        imagePullPolicy: {{ .Values.server.extensions.image.imagePullPolicy }}
        resources:
          {{- toYaml .Values.server.extensions.resources | nindent 10 }}
        securityContext:
          {{- toYaml .Values.server.extensions.containerSecurityContext | nindent 10 }}
        volumeMounts:
          - name: extensions
            mountPath: /tmp/extensions/
-        resources:
+          - name: tmp
-          {{- toYaml .Values.server.extensions.resources | nindent 10 }}
+            mountPath: /tmp
      {{- end }}
      {{- with .Values.server.nodeSelector }}
      nodeSelector:
@ -351,27 +372,24 @@ spec:
      - name: extensions
        emptyDir: {}
      {{- end }}
-      - emptyDir: {}
+      - name: plugins-home
-        name: tmp-dir
+        emptyDir: {}
-      {{- if .Values.server.containerSecurityContext.readOnlyRootFilesystem }}
+      - name: tmp
-      - emptyDir: {}
+        emptyDir: {}
-        name: aws-config
+      - name: ssh-known-hosts
-      {{- end }}
+        configMap:
      {{- if .Values.configs.styles }}
      - configMap:
          name: argocd-custom-styles
        name: custom-styles
      {{- end }}
      {{- if .Values.configs.knownHosts }}
      - configMap:
          name: argocd-ssh-known-hosts-cm
-        name: ssh-known-hosts
+      - name: tls-certs
-      {{- end }}
+        configMap:
      - configMap:
          name: argocd-tls-certs-cm
-        name: tls-certs
+      - name: styles
        configMap:
          name: argocd-styles-cm
          optional: true
      - name: argocd-repo-server-tls
        secret:
          secretName: argocd-repo-server-tls
          optional: true
          items:
          - key: tls.crt
            path: tls.crt
@ -379,10 +397,15 @@ spec:
            path: tls.key
          - key: ca.crt
            path: ca.crt
      - name: argocd-dex-server-tls
        secret:
          secretName: argocd-dex-server-tls
          optional: true
-          secretName: argocd-repo-server-tls
+          items:
-      - emptyDir: {}
+          - key: tls.crt
-        name: plugins-home
+            path: tls.crt
          - key: ca.crt
            path: ca.crt
      {{- with .Values.server.initContainers }}
      initContainers:
        {{- toYaml . | nindent 6 }}
--- a/charts/argo-cd/templates/argocd-server/role.yaml
+++ b/charts/argo-cd/templates/argocd-server/role.yaml
@ -1,7 +1,7 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  name: {{ template "argo-cd.server.fullname" . }}
+  name: {{ include "argo-cd.server.fullname" . }}
  labels:
    {{- include "argo-cd.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }}
 rules:
@ -22,6 +22,7 @@ rules:
  - argoproj.io
  resources:
  - applications
  - applicationsets
  - appprojects
  {{- if .Values.server.extensions.enabled }}
  - argocdextensions
--- a/charts/argo-cd/templates/crds/crd-application.yaml
+++ b/charts/argo-cd/templates/crds/crd-application.yaml
@ -343,8 +343,8 @@ spec:
                          and is only valid for applications sourced from Git.
                        type: string
                      plugin:
-                        description: ConfigManagementPlugin holds config management
+                        description: Plugin holds config management plugin specific
-                          plugin specific options
+                          options
                        properties:
                          env:
                            description: Env is a list of environment variable entries
@ -689,8 +689,7 @@ spec:
                      and is only valid for applications sourced from Git.
                    type: string
                  plugin:
-                    description: ConfigManagementPlugin holds config management plugin
+                    description: Plugin holds config management plugin specific options
                      specific options
                    properties:
                      env:
                        description: Env is a list of environment variable entries
@ -1045,8 +1044,8 @@ spec:
                            and is only valid for applications sourced from Git.
                          type: string
                        plugin:
-                          description: ConfigManagementPlugin holds config management
+                          description: Plugin holds config management plugin specific
-                            plugin specific options
+                            options
                          properties:
                            env:
                              description: Env is a list of environment variable entries
@ -1417,8 +1416,8 @@ spec:
                                  from Git.
                                type: string
                              plugin:
-                                description: ConfigManagementPlugin holds config management
+                                description: Plugin holds config management plugin
-                                  plugin specific options
+                                  specific options
                                properties:
                                  env:
                                    description: Env is a list of environment variable
@ -1761,8 +1760,8 @@ spec:
                              and is only valid for applications sourced from Git.
                            type: string
                          plugin:
-                            description: ConfigManagementPlugin holds config management
+                            description: Plugin holds config management plugin specific
-                              plugin specific options
+                              options
                            properties:
                              env:
                                description: Env is a list of environment variable
@ -1813,6 +1812,10 @@ spec:
                  reconciled using the latest git version
                format: date-time
                type: string
              resourceHealthSource:
                description: 'ResourceHealthSource indicates where the resource health
                  status is stored: inline if not set or appTree'
                type: string
              resources:
                description: Resources is a list of Kubernetes resources managed by
                  this application
@ -1849,6 +1852,9 @@ spec:
                      description: SyncStatusCode is a type which represents possible
                        comparison results
                      type: string
                    syncWave:
                      format: int64
                      type: integer
                    version:
                      type: string
                  type: object
@ -2095,8 +2101,8 @@ spec:
                              and is only valid for applications sourced from Git.
                            type: string
                          plugin:
-                            description: ConfigManagementPlugin holds config management
+                            description: Plugin holds config management plugin specific
-                              plugin specific options
+                              options
                            properties:
                              env:
                                description: Env is a list of environment variable
--- a/charts/argo-cd/templates/crds/crd-applicationset.yaml
+++ b/charts/argo-cd/templates/crds/crd-applicationset.yaml
@ -1,4 +1,4 @@
-{{- if .Values.crds.install }}
+{{- if and .Values.crds.install .Values.applicationSet.enabled }}
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
@ -9,7 +9,6 @@ metadata:
    {{- with .Values.crds.annotations }}
      {{- toYaml . | nindent 4 }}
    {{- end }}
    controller-gen.kubebuilder.io/version: v0.3.0
  labels:
    app.kubernetes.io/name: applicationsets.argoproj.io
    app.kubernetes.io/part-of: argocd
@ -2381,6 +2380,8 @@ spec:
                                    properties:
                                      api:
                                        type: string
                                      appSecretName:
                                        type: string
                                      labels:
                                        items:
                                          type: string
@ -2403,6 +2404,31 @@ spec:
                                    - owner
                                    - repo
                                    type: object
                                  gitlab:
                                    properties:
                                      api:
                                        type: string
                                      labels:
                                        items:
                                          type: string
                                        type: array
                                      project:
                                        type: string
                                      pullRequestState:
                                        type: string
                                      tokenRef:
                                        properties:
                                          key:
                                            type: string
                                          secretName:
                                            type: string
                                        required:
                                        - key
                                        - secretName
                                        type: object
                                    required:
                                    - project
                                    type: object
                                  requeueAfterSeconds:
                                    format: int64
                                    type: integer
@ -2664,6 +2690,31 @@ spec:
                                type: object
                              scmProvider:
                                properties:
                                  azureDevOps:
                                    properties:
                                      accessTokenRef:
                                        properties:
                                          key:
                                            type: string
                                          secretName:
                                            type: string
                                        required:
                                        - key
                                        - secretName
                                        type: object
                                      allBranches:
                                        type: boolean
                                      api:
                                        type: string
                                      organization:
                                        type: string
                                      teamProject:
                                        type: string
                                    required:
                                    - accessTokenRef
                                    - organization
                                    - teamProject
                                    type: object
                                  bitbucket:
                                    properties:
                                      allBranches:
@ -2768,6 +2819,8 @@ spec:
                                        type: boolean
                                      api:
                                        type: string
                                      appSecretName:
                                        type: string
                                      organization:
                                        type: string
                                      tokenRef:
@ -3065,6 +3118,29 @@ spec:
                                    - spec
                                    type: object
                                type: object
                              selector:
                                properties:
                                  matchExpressions:
                                    items:
                                      properties:
                                        key:
                                          type: string
                                        operator:
                                          type: string
                                        values:
                                          items:
                                            type: string
                                          type: array
                                      required:
                                      - key
                                      - operator
                                      type: object
                                    type: array
                                  matchLabels:
                                    additionalProperties:
                                      type: string
                                    type: object
                                type: object
                            type: object
                          type: array
                        template:
@ -4534,6 +4610,8 @@ spec:
                                    properties:
                                      api:
                                        type: string
                                      appSecretName:
                                        type: string
                                      labels:
                                        items:
                                          type: string
@ -4556,6 +4634,31 @@ spec:
                                    - owner
                                    - repo
                                    type: object
                                  gitlab:
                                    properties:
                                      api:
                                        type: string
                                      labels:
                                        items:
                                          type: string
                                        type: array
                                      project:
                                        type: string
                                      pullRequestState:
                                        type: string
                                      tokenRef:
                                        properties:
                                          key:
                                            type: string
                                          secretName:
                                            type: string
                                        required:
                                        - key
                                        - secretName
                                        type: object
                                    required:
                                    - project
                                    type: object
                                  requeueAfterSeconds:
                                    format: int64
                                    type: integer
@ -4817,6 +4920,31 @@ spec:
                                type: object
                              scmProvider:
                                properties:
                                  azureDevOps:
                                    properties:
                                      accessTokenRef:
                                        properties:
                                          key:
                                            type: string
                                          secretName:
                                            type: string
                                        required:
                                        - key
                                        - secretName
                                        type: object
                                      allBranches:
                                        type: boolean
                                      api:
                                        type: string
                                      organization:
                                        type: string
                                      teamProject:
                                        type: string
                                    required:
                                    - accessTokenRef
                                    - organization
                                    - teamProject
                                    type: object
                                  bitbucket:
                                    properties:
                                      allBranches:
@ -4921,6 +5049,8 @@ spec:
                                        type: boolean
                                      api:
                                        type: string
                                      appSecretName:
                                        type: string
                                      organization:
                                        type: string
                                      tokenRef:
@ -5218,6 +5348,29 @@ spec:
                                    - spec
                                    type: object
                                type: object
                              selector:
                                properties:
                                  matchExpressions:
                                    items:
                                      properties:
                                        key:
                                          type: string
                                        operator:
                                          type: string
                                        values:
                                          items:
                                            type: string
                                          type: array
                                      required:
                                      - key
                                      - operator
                                      type: object
                                    type: array
                                  matchLabels:
                                    additionalProperties:
                                      type: string
                                    type: object
                                type: object
                            type: object
                          type: array
                        mergeKeys:
@ -5552,6 +5705,8 @@ spec:
                          properties:
                            api:
                              type: string
                            appSecretName:
                              type: string
                            labels:
                              items:
                                type: string
@ -5574,6 +5729,31 @@ spec:
                          - owner
                          - repo
                          type: object
                        gitlab:
                          properties:
                            api:
                              type: string
                            labels:
                              items:
                                type: string
                              type: array
                            project:
                              type: string
                            pullRequestState:
                              type: string
                            tokenRef:
                              properties:
                                key:
                                  type: string
                                secretName:
                                  type: string
                              required:
                              - key
                              - secretName
                              type: object
                          required:
                          - project
                          type: object
                        requeueAfterSeconds:
                          format: int64
                          type: integer
@ -5835,6 +6015,31 @@ spec:
                      type: object
                    scmProvider:
                      properties:
                        azureDevOps:
                          properties:
                            accessTokenRef:
                              properties:
                                key:
                                  type: string
                                secretName:
                                  type: string
                              required:
                              - key
                              - secretName
                              type: object
                            allBranches:
                              type: boolean
                            api:
                              type: string
                            organization:
                              type: string
                            teamProject:
                              type: string
                          required:
                          - accessTokenRef
                          - organization
                          - teamProject
                          type: object
                        bitbucket:
                          properties:
                            allBranches:
@ -5939,6 +6144,8 @@ spec:
                              type: boolean
                            api:
                              type: string
                            appSecretName:
                              type: string
                            organization:
                              type: string
                            tokenRef:
@ -6236,8 +6443,33 @@ spec:
                          - spec
                          type: object
                      type: object
                    selector:
                      properties:
                        matchExpressions:
                          items:
                            properties:
                              key:
                                type: string
                              operator:
                                type: string
                              values:
                                items:
                                  type: string
                                type: array
                            required:
                            - key
                            - operator
                            type: object
                          type: array
                        matchLabels:
                          additionalProperties:
                            type: string
                          type: object
                      type: object
                  type: object
                type: array
              goTemplate:
                type: boolean
              syncPolicy:
                properties:
                  preserveResourcesOnDeletion:
--- a/charts/argo-cd/templates/crds/crd-extension.yaml
+++ b/charts/argo-cd/templates/crds/crd-extension.yaml
@ -1,4 +1,4 @@
-{{- if .Values.crds.install }}
+{{- if and .Values.crds.install .Values.server.extensions.enabled }}
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
--- a/charts/argo-cd/templates/crds/crd-project.yaml
+++ b/charts/argo-cd/templates/crds/crd-project.yaml
@ -167,6 +167,10 @@ spec:
                      for apps which have orphaned resources
                    type: boolean
                type: object
              permitOnlyProjectScopedClusters:
                description: PermitOnlyProjectScopedClusters determines whether destinations
                  can only reference clusters which are project-scoped
                type: boolean
              roles:
                description: Roles are user defined RBAC roles associated with this
                  project
@ -229,6 +233,12 @@ spec:
                  - keyID
                  type: object
                type: array
              sourceNamespaces:
                description: SourceNamespaces defines the namespaces application resources
                  are allowed to be created in
                items:
                  type: string
                type: array
              sourceRepos:
                description: SourceRepos contains list of repository URLs which can
                  be used for deployment
--- a/charts/argo-cd/templates/dex/deployment.yaml
+++ b/charts/argo-cd/templates/dex/deployment.yaml
@ -2,10 +2,18 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  {{- with (mergeOverwrite (deepCopy .Values.global.deploymentAnnotations) .Values.dex.deploymentAnnotations) }}
  annotations:
    {{- range $key, $value := . }}
    {{ $key }}: {{ $value | quote }}
    {{- end }}
  {{- end }}
  name: {{ template "argo-cd.dex.fullname" . }}
  labels:
    {{- include "argo-cd.labels" (dict "context" . "component" .Values.dex.name "name" .Values.dex.name) | nindent 4 }}
 spec:
  replicas: 1
  revisionHistoryLimit: {{ .Values.global.revisionHistoryLimit }}
  selector:
    matchLabels:
      {{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.dex.name) | nindent 6 }}
@ -13,6 +21,9 @@ spec:
    metadata:
      annotations:
        checksum/cmd-params: {{ include (print $.Template.BasePath "/argocd-configs/argocd-cmd-params-cm.yaml") . | sha256sum }}
        {{- if .Values.dex.certificateSecret.enabled }}
        checksum/dex-server-tls: {{ include (print $.Template.BasePath "/argocd-configs/argocd-dex-server-tls-secret.yaml") . | sha256sum }}
        {{- end }}
        {{- with (mergeOverwrite (deepCopy .Values.global.podAnnotations) .Values.dex.podAnnotations) }}
        {{- range $key, $value := . }}
        {{ $key }}: {{ $value | quote }}
@ -36,12 +47,6 @@ spec:
      - name: copyutil
        image: {{ default .Values.global.image.repository .Values.dex.initImage.repository }}:{{ default (include "argo-cd.defaultTag" .) .Values.dex.initImage.tag }}
        imagePullPolicy: {{ default .Values.global.image.imagePullPolicy .Values.dex.initImage.imagePullPolicy }}
        resources:
          {{- toYaml .Values.dex.resources | nindent 10 }}
        {{- with .Values.dex.containerSecurityContext }}
        securityContext:
          {{- toYaml . | nindent 10 }}
        {{- end }}
        command:
        - cp
        - -n
@ -52,6 +57,10 @@ spec:
          name: static-files
        - mountPath: /tmp
          name: dexconfig
        resources:
          {{- toYaml .Values.dex.resources | nindent 10 }}
        securityContext:
          {{- toYaml .Values.dex.containerSecurityContext | nindent 10 }}
      {{- with .Values.dex.initContainers }}
        {{- toYaml . | nindent 6 }}
      {{- end }}
@ -64,10 +73,7 @@ spec:
        args:
        - rundex
        {{- with .Values.dex.extraArgs }}
-        {{- toYaml . | nindent 8 }}
+          {{- toYaml . | nindent 8 }}
        {{- end }}
        {{- if .Values.dex.containerSecurityContext }}
        securityContext: {{- toYaml .Values.dex.containerSecurityContext | nindent 10 }}
        {{- end }}
        env:
          {{- with .Values.dex.env }}
@ -98,31 +104,37 @@ spec:
          httpGet:
            path: /healthz/live
            port: metrics
-          {{- with .Values.dex.livenessProbe }}
+          initialDelaySeconds: {{ .Values.dex.livenessProbe.initialDelaySeconds }}
-            {{- omit . "enabled" | toYaml | nindent 10 }}
+          periodSeconds: {{ .Values.dex.livenessProbe.periodSeconds }}
-          {{- end }}
+          timeoutSeconds: {{ .Values.dex.livenessProbe.timeoutSeconds }}
          successThreshold: {{ .Values.dex.livenessProbe.successThreshold }}
          failureThreshold: {{ .Values.dex.livenessProbe.failureThreshold }}
        {{- end }}
        {{- if .Values.dex.readinessProbe.enabled }}
        readinessProbe:
          httpGet:
            path: /healthz/ready
            port: metrics
-          {{- with .Values.dex.readinessProbe }}
+          initialDelaySeconds: {{ .Values.dex.readinessProbe.initialDelaySeconds }}
-            {{- omit . "enabled" | toYaml | nindent 10 }}
+          periodSeconds: {{ .Values.dex.readinessProbe.periodSeconds }}
-          {{- end }}
+          timeoutSeconds: {{ .Values.dex.readinessProbe.timeoutSeconds }}
          successThreshold: {{ .Values.dex.readinessProbe.successThreshold }}
          failureThreshold: {{ .Values.dex.readinessProbe.failureThreshold }}
        {{- end }}
        resources:
          {{- toYaml .Values.dex.resources | nindent 10 }}
        securityContext:
          {{- toYaml .Values.dex.containerSecurityContext | nindent 10 }}
        volumeMounts:
        {{- with .Values.dex.volumeMounts }}
          {{- toYaml . | nindent 8 }}
        {{- end }}
        - name: static-files
          mountPath: /shared
        - name: dexconfig
          mountPath: /tmp
        - name: argocd-dex-server-tls
          mountPath: /tls
        {{- with .Values.dex.volumeMounts }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
        resources:
          {{- toYaml .Values.dex.resources | nindent 10 }}
      {{- with .Values.dex.extraContainers }}
        {{- toYaml . | nindent 6 }}
      {{- end }}
--- a/charts/argo-cd/templates/redis/deployment.yaml
+++ b/charts/argo-cd/templates/redis/deployment.yaml
@ -1,122 +1,131 @@
-{{- $redisHa := (index .Values "redis-ha") -}}
+{{- $redisHa := index .Values "redis-ha" -}}
 {{- if and .Values.redis.enabled (not $redisHa.enabled) -}}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: {{ template "argo-cd.redis.fullname" . }}
+  {{- with (mergeOverwrite (deepCopy .Values.global.deploymentAnnotations) .Values.redis.deploymentAnnotations) }}
  annotations:
    {{- range $key, $value := . }}
    {{ $key }}: {{ $value | quote }}
    {{- end }}
  {{- end }}
  name: {{ include "argo-cd.redis.fullname" . }}
  labels:
    {{- include "argo-cd.labels" (dict "context" . "component" .Values.redis.name "name" .Values.redis.name) | nindent 4 }}
 spec:
  replicas: 1
  revisionHistoryLimit: {{ .Values.global.revisionHistoryLimit }}
  selector:
    matchLabels:
      app.kubernetes.io/name: {{ include "argo-cd.name" . }}-{{ .Values.redis.name }}
  template:
    metadata:
      labels:
        {{- include "argo-cd.labels" (dict "context" . "component" .Values.redis.name "name" .Values.redis.name) | nindent 8 }}
        {{- with (mergeOverwrite (deepCopy .Values.global.podLabels) .Values.redis.podLabels) }}
          {{- toYaml . | nindent 8 }}
        {{- end }}
      {{- with (mergeOverwrite (deepCopy .Values.global.podAnnotations) .Values.redis.podAnnotations) }}
      annotations:
        {{- range $key, $value := . }}
        {{ $key }}: {{ $value | quote }}
        {{- end }}
      {{- end }}
      labels:
        {{- include "argo-cd.labels" (dict "context" . "component" .Values.redis.name "name" .Values.redis.name) | nindent 8 }}
        {{- with (mergeOverwrite (deepCopy .Values.global.podLabels) .Values.redis.podLabels) }}
          {{- toYaml . | nindent 8 }}
        {{- end }}
    spec:
      {{- with .Values.redis.imagePullSecrets | default .Values.global.imagePullSecrets }}
      imagePullSecrets:
        {{- toYaml . | nindent 8 }}
      {{- end }}
-      automountServiceAccountToken: {{ .Values.redis.serviceAccount.automountServiceAccountToken }}
+      {{- with .Values.redis.securityContext }}
-      serviceAccountName: {{ template "argo-cd.redisServiceAccountName" . }}
+      securityContext:
-      {{- if .Values.redis.securityContext }}
+        {{- toYaml . | nindent 8 }}
-      securityContext: {{- toYaml .Values.redis.securityContext | nindent 8 }}
+      {{- end }}
      serviceAccountName: {{ include "argo-cd.redisServiceAccountName" . }}
      {{- with .Values.redis.initContainers }}
      initContainers:
        {{- toYaml . | nindent 6 }}
      {{- end }}
      containers:
-      - name: {{ template "argo-cd.redis.fullname" . }}
+      - name: {{ .Values.redis.name }}
        image: {{ .Values.redis.image.repository }}:{{ .Values.redis.image.tag }}
        imagePullPolicy: {{ default .Values.global.image.imagePullPolicy .Values.redis.image.imagePullPolicy }}
        args:
        - --save
        - ""
        - --appendonly
        - "no"
        {{- with .Values.redis.extraArgs }}
-        {{- . | toYaml | nindent 8 }}
+          {{- toYaml . | nindent 8 }}
        {{- end }}
-        image: {{ .Values.redis.image.repository }}:{{ .Values.redis.image.tag }}
+        {{- with .Values.redis.env }}
        imagePullPolicy: {{ .Values.redis.image.imagePullPolicy}}
        {{- if .Values.redis.containerSecurityContext }}
        securityContext: {{- toYaml .Values.redis.containerSecurityContext | nindent 10 }}
        {{- end }}
        {{- if .Values.redis.env }}
        env:
-{{- toYaml .Values.redis.env | nindent 8 }}
+          {{- toYaml . | nindent 8 }}
        {{- end }}
        {{- with .Values.redis.envFrom }}
-        envFrom: {{- toYaml . | nindent 8 }}
+        envFrom:
          {{- toYaml . | nindent 8 }}
        {{- end }}
        ports:
-        - containerPort: {{ .Values.redis.containerPort }}
+        - name: redis
-          name: redis
+          containerPort: {{ .Values.redis.containerPort }}
-{{- if .Values.redis.volumeMounts }}
+          protocol: TCP
        volumeMounts:
 {{- toYaml .Values.redis.volumeMounts | nindent 10 }}
 {{- end }}
        resources:
-{{- toYaml .Values.redis.resources | nindent 10 }}
+          {{- toYaml .Values.redis.resources | nindent 10 }}
        securityContext:
          {{- toYaml .Values.redis.containerSecurityContext | nindent 10 }}
        {{- with .Values.redis.volumeMounts }}
        volumeMounts:
          {{- toYaml . | nindent 10 }}
        {{- end }}
      {{- if .Values.redis.metrics.enabled }}
      - name: metrics
        image: {{ .Values.redis.metrics.image.repository }}:{{ .Values.redis.metrics.image.tag }}
        imagePullPolicy: {{ default .Values.global.image.imagePullPolicy .Values.redis.metrics.image.imagePullPolicy }}
        env:
        - name: REDIS_ADDR
          value: {{ printf "redis://localhost:%v" .Values.redis.containerPort }}
        - name: REDIS_EXPORTER_WEB_LISTEN_ADDRESS
          value: {{ printf "0.0.0.0:%v" .Values.redis.metrics.containerPort }}
        image: {{ .Values.redis.metrics.image.repository }}:{{ .Values.redis.metrics.image.tag }}
        imagePullPolicy: {{ .Values.redis.metrics.image.imagePullPolicy}}
        ports:
-        - containerPort: {{ .Values.redis.metrics.containerPort }}
+        - name: metrics
-          name: metrics
+          containerPort: {{ .Values.redis.metrics.containerPort }}
          protocol: TCP
-        resources: {{- toYaml .Values.redis.metrics.resources | nindent 10 }}
+        resources:
-        {{- with .Values.redis.containerSecurityContext }}
+          {{- toYaml .Values.redis.metrics.resources | nindent 10 }}
-        securityContext: {{- toYaml . | nindent 10 }}
+        securityContext:
-        {{- end }}
+          {{- toYaml .Values.redis.metrics.containerSecurityContext | nindent 10 }}
      {{- end }}
-    {{- with .Values.redis.extraContainers }}
+      {{- with .Values.redis.extraContainers }}
-      {{- toYaml . | nindent 6 }}
+        {{- toYaml . | nindent 6 }}
-    {{- end }}
+      {{- end }}
-    {{- if .Values.redis.nodeSelector }}
+      {{- with .Values.redis.nodeSelector }}
      nodeSelector:
-{{- toYaml .Values.redis.nodeSelector | nindent 8 }}
+        {{- toYaml . | nindent 8 }}
-    {{- end }}
+      {{- end }}
-    {{- if .Values.redis.tolerations }}
+      {{- with .Values.redis.tolerations }}
      tolerations:
-{{- toYaml .Values.redis.tolerations | nindent 8 }}
+        {{- toYaml . | nindent 8 }}
-    {{- end }}
+      {{- end }}
-    {{- if .Values.redis.affinity }}
+      {{- with .Values.redis.affinity }}
      affinity:
-{{- toYaml .Values.redis.affinity | nindent 8 }}
+        {{- toYaml . | nindent 8 }}
-    {{- end }}
+      {{- end }}
-    {{- with .Values.redis.topologySpreadConstraints }}
+      {{- with .Values.redis.topologySpreadConstraints }}
      topologySpreadConstraints:
-      {{- range $constraint := . }}
+        {{- range $constraint := . }}
      - {{ toYaml $constraint | nindent 8 | trim }}
        {{- if not $constraint.labelSelector }}
        labelSelector:
          matchLabels:
            app.kubernetes.io/name: {{ include "argo-cd.name" $ }}-{{ $.Values.redis.name }}
        {{- end }}
        {{- end }}
      {{- end }}
-    {{- end }}
+      {{- with .Values.redis.priorityClassName }}
-{{- if .Values.redis.volumes }}
+      priorityClassName: {{ . }}
      {{- end }}
      {{- with .Values.redis.volumes }}
      volumes:
-{{- toYaml .Values.redis.volumes | nindent 8}}
+        {{- toYaml . | nindent 8}}
 {{- end }}
      {{- if .Values.redis.initContainers }}
      initContainers:
      {{- toYaml .Values.redis.initContainers | nindent 6 }}
      {{- end }}
 {{- if .Values.redis.priorityClassName }}
      priorityClassName: {{ .Values.redis.priorityClassName }}
 {{- end }}
 {{- end }}
--- a/charts/argo-cd/values.yaml
+++ b/charts/argo-cd/values.yaml
@ -12,7 +12,7 @@ kubeVersionOverride: ""
 # If you want to template helm charts but cannot access k8s API server
 # you can set api versions here
 apiVersionOverrides:
-  # -- String to override apiVersion of certmanager resources rendered by this helm chart
+  # -- String to override apiVersion of cert-manager resources rendered by this helm chart
  certmanager: "" # cert-manager.io/v1
  # -- String to override apiVersion of GKE resources rendered by this helm chart
  cloudgoogle: "" # cloud.google.com/v1
@ -40,7 +40,16 @@ crds:
  # -- Annotations to be added to all CRDs
  annotations: {}
 ## Globally shared configuration
 global:
  # -- Common labels for the all resources
  additionalLabels: {}
    # app: argo-cd
  # -- Number of old deployment ReplicaSets to retain. The rest will be garbage collected.
  revisionHistoryLimit: 3
  # Default image used by all components
  image:
    # -- If defined, a repository applied to all Argo CD deployments
    repository: quay.io/codefresh/argocd
@ -52,16 +61,27 @@ global:
  # -- Secrets with credentials to pull images from a private registry
  imagePullSecrets: []
  # Default logging options used by all components
  logging:
    # -- Set the global logging format. Either: `text` or `json`
    format: text
    # -- Set the global logging level. One of: `debug`, `info`, `warn` or `error`
    level: info
  # -- Annotations for the all deployed Statefulsets
  statefulsetAnnotations: {}
  # -- Annotations for the all deployed Deployments
  deploymentAnnotations: {}
  # -- Annotations for the all deployed pods
  podAnnotations: {}
  # -- Labels for the all deployed pods
  podLabels: {}
-  # -- Toggle and define securityContext. See [values.yaml]
+
  # -- Toggle and define pod-level security context.
  # @default -- `{}` (See [values.yaml])
  securityContext: {}
  #  runAsUser: 999
  #  runAsGroup: 999
@ -73,10 +93,6 @@ global:
  #   hostnames:
  #   - git.myhostname
  # -- Additional labels to add to all resources
  additionalLabels: {}
    # app: argo-cd
  networkPolicy:
    # -- Create NetworkPolicy objects for all components
    create: false
@ -88,33 +104,36 @@ configs:
  # General Argo CD configuration
  ## Ref: https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/argocd-cm.yaml
  cm:
-    # -- Create the argocd-cm configmap for [Declarative setup]
+    # -- Create the argocd-cm configmap for [declarative setup]
    create: true
    # -- Annotations to be added to argocd-cm configmap
    annotations: {}
    # -- Argo CD's externally facing base URL (optional). Required when configuring SSO
    url: ""
    # -- The name of tracking label used by Argo CD for resource pruning
    # @default -- Defaults to app.kubernetes.io/instance
    application.instanceLabelKey: argocd.argoproj.io/instance
    # -- Enable logs RBAC enforcement
    ## Ref: https://argo-cd.readthedocs.io/en/latest/operator-manual/upgrading/2.3-2.4/#enable-logs-rbac-enforcement
-    server.rbac.log.enforce.enable: "false"
+    server.rbac.log.enforce.enable: false
    # -- Enable exec feature in Argo UI
    ## Ref: https://argo-cd.readthedocs.io/en/latest/operator-manual/rbac/#exec-resource
-    exec.enabled: "false"
+    exec.enabled: false
    # -- Enable local admin user
    ## Ref: https://argo-cd.readthedocs.io/en/latest/faq/#how-to-disable-admin-user
-    admin.enabled: "true"
+    admin.enabled: true
    # -- Timeout to discover if a new manifests version got published to the repository
    timeout.reconciliation: 180s
    # -- Timeout to refresh application data as well as target manifests cache
-    timeout.hard.reconciliation: "0"
+    timeout.hard.reconciliation: 0
    # Dex configuration
    # dex.config: |
@ -135,6 +154,10 @@ configs:
    #   issuer: https://login.microsoftonline.com/TENANT_ID/v2.0
    #   clientID: CLIENT_ID
    #   clientSecret: $oidc.azuread.clientSecret
    #   rootCA: |
    #     -----BEGIN CERTIFICATE-----
    #     ... encoded certificate data here ...
    #     -----END CERTIFICATE-----
    #   requestedIDTokenClaims:
    #     groups:
    #       essential: true
@ -217,6 +240,22 @@ configs:
    # The scope value can be a string, or a list of strings.
    scopes: "[groups]"
  # GnuPG public keys for commit verification
  ## Ref: https://argo-cd.readthedocs.io/en/stable/user-guide/gpg-verification/
  gpg:
    # -- Annotations to be added to argocd-gpg-keys-cm configmap
    annotations: {}
    # -- [GnuPG] public keys to add to the keyring
    # @default -- `{}` (See [values.yaml])
    ## Note: Public keys should be exported with `gpg --export --armor <KEY>`
    keys: {}
      # 4AEE18F83AFDEB23: |
      #   -----BEGIN PGP PUBLIC KEY BLOCK-----
      #   ...
      #   -----END PGP PUBLIC KEY BLOCK-----
  # -- Provide one or multiple [external cluster credentials]
  # @default -- `[]` (See [values.yaml])
  ## Ref:
@ -244,30 +283,6 @@ configs:
    #       insecure: false
    #       caData: "<base64 encoded certificate>"
  # -- GnuPG key ring annotations
  gpgKeysAnnotations: {}
  # -- [GnuPG](https://argo-cd.readthedocs.io/en/stable/user-guide/gpg-verification/) keys to add to the key ring
  # @default -- `{}` (See [values.yaml])
  gpgKeys: {}
    # 4AEE18F83AFDEB23: |
    #     -----BEGIN PGP PUBLIC KEY BLOCK-----
    #
    #     mQENBFmUaEEBCACzXTDt6ZnyaVtueZASBzgnAmK13q9Urgch+sKYeIhdymjuMQta
    #     x15OklctmrZtqre5kwPUosG3/B2/ikuPYElcHgGPL4uL5Em6S5C/oozfkYzhwRrT
    #     SQzvYjsE4I34To4UdE9KA97wrQjGoz2Bx72WDLyWwctD3DKQtYeHXswXXtXwKfjQ
    #     7Fy4+Bf5IPh76dA8NJ6UtjjLIDlKqdxLW4atHe6xWFaJ+XdLUtsAroZcXBeWDCPa
    #     buXCDscJcLJRKZVc62gOZXXtPfoHqvUPp3nuLA4YjH9bphbrMWMf810Wxz9JTd3v
    #     yWgGqNY0zbBqeZoGv+TuExlRHT8ASGFS9SVDABEBAAG0NUdpdEh1YiAod2ViLWZs
    #     b3cgY29tbWl0IHNpZ25pbmcpIDxub3JlcGx5QGdpdGh1Yi5jb20+iQEiBBMBCAAW
    #     BQJZlGhBCRBK7hj4Ov3rIwIbAwIZAQAAmQEH/iATWFmi2oxlBh3wAsySNCNV4IPf
    #     DDMeh6j80WT7cgoX7V7xqJOxrfrqPEthQ3hgHIm7b5MPQlUr2q+UPL22t/I+ESF6
    #     9b0QWLFSMJbMSk+BXkvSjH9q8jAO0986/pShPV5DU2sMxnx4LfLfHNhTzjXKokws
    #     +8ptJ8uhMNIDXfXuzkZHIxoXk3rNcjDN5c5X+sK8UBRH092BIJWCOfaQt7v7wig5
    #     4Ra28pM9GbHKXVNxmdLpCFyzvyMuCmINYYADsC848QQFFwnd4EQnupo6QvhEVx1O
    #     j7wDwvuH5dCrLuLwtwXaQh0onG4583p0LGms2Mf5F+Ick6o/4peOlBoZz48=
    #     =Bvzs
    #     -----END PGP PUBLIC KEY BLOCK-----
  # -- Known Hosts configmap annotations
  knownHostsAnnotations: {}
  knownHosts:
@ -373,6 +388,8 @@ configs:
  # -- Annotations to be added to `configs.repositories` Secret
  repositoriesAnnotations: {}
  # Argo CD sensitive data
  # Ref: https://argo-cd.readthedocs.io/en/stable/operator-manual/user-management/#sensitive-data-and-sso-client-secrets
  secret:
    # -- Create the argocd-secret
    createSecret: true
@ -399,16 +416,10 @@ configs:
      # LDAP_PASSWORD: "mypassword"
    # -- Argo TLS Data
-    argocdServerTlsConfig:
+    # DEPRECATED - Use server.certificate or server.certificateSecret
-      {}
+    # argocdServerTlsConfig:
-      # key:
+    #  key: ''
-      # crt: |
+    #  crt: ''
      #   -----BEGIN CERTIFICATE-----
      #   <cert data>
      #   -----END CERTIFICATE-----
      #   -----BEGIN CERTIFICATE-----
      #   <ca cert data>
      #   -----END CERTIFICATE-----
    # -- Bcrypt hashed admin password
    ## Argo expects the password in the secret to be bcrypt hashed. You can create this hash with
@ -535,6 +546,9 @@ controller:
  # - secretRef:
  #     name: secret-name
  # -- Annotations for the application controller StatefulSet
  statefulsetAnnotations: {}
  # -- Annotations to be added to application controller pods
  podAnnotations: {}
@ -542,20 +556,22 @@ controller:
  podLabels: {}
  # -- Application controller container-level security context
  # @default -- See [values.yaml]
  containerSecurityContext:
-    {}
+    runAsNonRoot: true
-    # capabilities:
+    readOnlyRootFilesystem: true
-    #   drop:
+    allowPrivilegeEscalation: false
-    #     - all
+    seccompProfile:
-    # readOnlyRootFilesystem: true
+      type: RuntimeDefault
-    # runAsNonRoot: true
+    capabilities:
      drop:
      - ALL
  # -- Application controller listening port
  containerPort: 8082
-  ## Readiness and liveness probes for default backend
+  # Rediness probe for application controller
  ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
  ##
  readinessProbe:
    # -- Minimum consecutive failures for the [probe] to be considered failed after having succeeded
    failureThreshold: 3
@ -567,17 +583,6 @@ controller:
    successThreshold: 1
    # -- Number of seconds after which the [probe] times out
    timeoutSeconds: 1
  livenessProbe:
    # -- Minimum consecutive failures for the [probe] to be considered failed after having succeeded
    failureThreshold: 3
    # -- Number of seconds after the container has started before [probe] is initiated
    initialDelaySeconds: 10
    # -- How often (in seconds) to perform the [probe]
    periodSeconds: 10
    # -- Minimum consecutive successes for the [probe] to be considered successful after having failed
    successThreshold: 1
    # -- Number of seconds after which the [probe] times out
    timeoutSeconds: 1
  # -- Additional volumeMounts to the application controller main container
  volumeMounts: []
@ -801,7 +806,7 @@ dex:
    # -- Dex image repository
    repository: ghcr.io/dexidp/dex
    # -- Dex image tag
-    tag: v2.35.3-distroless
+    tag: v2.35.3
    # -- Dex imagePullPolicy
    # @default -- `""` (defaults to global.image.imagePullPolicy)
    imagePullPolicy: ""
@ -810,6 +815,7 @@ dex:
  # @default -- `[]` (defaults to global.imagePullSecrets)
  imagePullSecrets: []
  # Argo CD init image that creates Dex config
  initImage:
    # -- Argo CD init image repository
    # @default -- `""` (defaults to global.image.repository)
@ -832,12 +838,44 @@ dex:
  # - secretRef:
  #     name: secret-name
  # TLS certificate configuration via Secret
  ## Ref: https://argo-cd.readthedocs.io/en/stable/operator-manual/tls/#configuring-tls-to-argocd-dex-server
  ## Note: Issuing certificates via cert-manager in not supported right now because it's not possible to restart Dex automatically without extra controllers.
  certificateSecret:
    # -- Create argocd-dex-server-tls secret
    enabled: false
    # -- Labels to be added to argocd-dex-server-tls secret
    labels: {}
    # -- Annotations to be added to argocd-dex-server-tls secret
    annotations: {}
    # -- Certificate authority. Required for self-signed certificates.
    ca: ''
    # -- Certificate private key
    key: ''
    # -- Certificate data. Must contain SANs of Dex service (ie: argocd-dex-server, argocd-dex-server.argo-cd.svc)
    crt: ''
  # -- Annotations to be added to the Dex server Deployment
  deploymentAnnotations: {}
  # -- Annotations to be added to the Dex server pods
  podAnnotations: {}
  # -- Labels to be added to the Dex server pods
  podLabels: {}
  # -- Dex container-level security context
  # @default -- See [values.yaml]
  containerSecurityContext:
    runAsNonRoot: true
    readOnlyRootFilesystem: true
    allowPrivilegeEscalation: false
    seccompProfile:
      type: RuntimeDefault
    capabilities:
      drop:
      - ALL
  ## Probes for Dex server
  ## Supported from Dex >= 2.28.0
  livenessProbe:
@ -918,14 +956,6 @@ dex:
  # -- Priority class for dex
  priorityClassName: ""
  # -- Dex container-level security context
  containerSecurityContext:
    {}
    # capabilities:
    #   drop:
    #     - all
    # readOnlyRootFilesystem: true
  # -- Resource limits and requests for dex
  resources: {}
  #  limits:
@ -982,7 +1012,7 @@ redis:
    # -- Redis repository
    repository: quay.io/codefresh/redis
    # -- Redis tag
-    tag: 7.0.4-alpine
+    tag: 7.0.5-alpine
    # -- Redis imagePullPolicy
    imagePullPolicy: IfNotPresent
@ -1011,12 +1041,31 @@ redis:
  # - secretRef:
  #     name: secret-name
  # -- Annotations to be added to the Redis server Deployment
  deploymentAnnotations: {}
  # -- Annotations to be added to the Redis server pods
  podAnnotations: {}
  # -- Labels to be added to the Redis server pods
  podLabels: {}
  # -- Redis pod-level security context
  # @default -- See [values.yaml]
  securityContext:
    runAsNonRoot: true
    runAsUser: 999
    seccompProfile:
      type: RuntimeDefault
  # -- Redis container-level security context
  # @default -- See [values.yaml]
  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
      - ALL
  # -- [Node selector]
  nodeSelector: {}
  # -- [Tolerations] for use with node taints
@ -1035,19 +1084,6 @@ redis:
  # -- Priority class for redis
  priorityClassName: ""
  # -- Redis container-level security context
  containerSecurityContext:
    {}
    # capabilities:
    #   drop:
    #     - all
    # readOnlyRootFilesystem: true
  # -- Redis pod-level security context
  securityContext:
    runAsNonRoot: true
    runAsUser: 999
  serviceAccount:
    # -- Create a service account for the redis pod
    create: false
@ -1109,6 +1145,19 @@ redis:
      imagePullPolicy: IfNotPresent
    # -- Port to use for redis-exporter sidecar
    containerPort: 9121
    # -- Redis exporter security context
    # @default -- See [values.yaml]
    containerSecurityContext:
      runAsNonRoot: true
      readOnlyRootFilesystem: true
      allowPrivilegeEscalation: false
      seccompProfile:
        type: RuntimeDefault
      capabilities:
        drop:
        - ALL
    # -- Resource limits and requests for redis-exporter sidecar
    resources: {}
      # limits:
@ -1309,6 +1358,9 @@ server:
  # @default -- `""` (defaults to global.logging.level)
  # logLevel: ""
  # -- Annotations to be added to server Deployment
  deploymentAnnotations: {}
  # -- Annotations to be added to server pods
  podAnnotations: {}
@ -1320,7 +1372,6 @@ server:
  ## Readiness and liveness probes for default backend
  ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
  ##
  readinessProbe:
    # -- Minimum consecutive failures for the [probe] to be considered failed after having succeeded
    failureThreshold: 3
@ -1368,13 +1419,17 @@ server:
  # -- Priority class for the Argo CD server
  priorityClassName: ""
-  # -- Servers container-level security context
+  # -- Server container-level security context
  # @default -- See [values.yaml]
  containerSecurityContext:
-    {}
+    runAsNonRoot: true
-    # capabilities:
+    readOnlyRootFilesystem: true
-    #   drop:
+    allowPrivilegeEscalation: false
-    #     - all
+    seccompProfile:
-    # readOnlyRootFilesystem: true
+      type: RuntimeDefault
    capabilities:
      drop:
      - ALL
  # -- Resource limits and requests for the Argo CD server
  resources: {}
@ -1385,16 +1440,34 @@ server:
  #    cpu: 50m
  #    memory: 64Mi
-  ## Certificate configuration
+  # TLS certificate configuration via cert-manager
  ## Ref: https://argo-cd.readthedocs.io/en/stable/operator-manual/tls/#tls-certificates-used-by-argocd-server
  certificate:
    # -- Deploy a Certificate resource (requires cert-manager)
    enabled: false
    # -- The name of the Secret that will be automatically created and managed by this Certificate resource
    secretName: argocd-server-tls
    # -- Certificate primary domain (commonName)
    domain: argocd.example.com
-    # -- The requested 'duration' (i.e. lifetime) of the Certificate. Value must be in units accepted by Go time.ParseDuration
+    # -- Certificate Subject Alternate Names (SANs)
    additionalHosts: []
    # -- The requested 'duration' (i.e. lifetime) of the certificate.
    # @default -- `""` (defaults to 2160h = 90d if not specified)
    ## Ref: https://cert-manager.io/docs/usage/certificate/#renewal
    duration: ""
-    # -- How long before the currently issued certificate's expiry cert-manager should renew the certificate. Value must be in units accepted by Go time.ParseDuration
+    # -- How long before the expiry a certificate should be renewed.
    # @default -- `""` (defaults to 360h = 15d if not specified)
    ## Ref: https://cert-manager.io/docs/usage/certificate/#renewal
    renewBefore: ""
    # Certificate issuer
    ## Ref: https://cert-manager.io/docs/concepts/issuer
    issuer:
      # -- Certificate issuer group. Set if using an external issuer. Eg. `cert-manager.io`
      group: ""
      # -- Certificate issuer kind. Either `Issuer` or `ClusterIssuer`
      kind: ""
      # -- Certificate isser name. Eg. `letsencrypt`
      name: ""
    # Private key of the certificate
    privateKey:
      # -- Rotation policy of private key when certificate is re-issued. Either: `Never` or `Always`
@ -1405,17 +1478,20 @@ server:
      algorithm: RSA
      # -- Key bit size of the private key. If algorithm is set to `Ed25519`, size is ignored.
      size: 2048
-    issuer:
+
-      # -- Certificate issuer group. Set if using an external issuer. Eg. `cert-manager.io`
+  # TLS certificate configuration via Secret
-      group: ""
+  ## Ref: https://argo-cd.readthedocs.io/en/stable/operator-manual/tls/#tls-certificates-used-by-argocd-server
-      # -- Certificate issuer kind. Either `Issuer` or `ClusterIssuer`
+  certificateSecret:
-      kind: ""
+    # -- Create argocd-server-tls secret
-      # -- Certificate isser name. Eg. `letsencrypt`
+    enabled: false
-      name: ""
+    # -- Annotations to be added to argocd-server-tls secret
-    # -- Certificate manager additional hosts
+    annotations: {}
-    additionalHosts: []
+    # -- Labels to be added to argocd-server-tls secret
-    # -- The name of the Secret that will be automatically created and managed by this Certificate resource
+    labels: {}
-    secretName: argocd-server-tls
+    # -- Private Key of the certificate
    key: ''
    # -- Certificate data
    crt: ''
  ## Server service configuration
  service:
@ -1543,7 +1619,7 @@ server:
    # -- Ingress TLS configuration
    tls:
      []
-      # - secretName: argocd-tls-certificate
+      # - secretName: your-certificate-name
      #   hosts:
      #     - argocd.example.com
@ -1609,7 +1685,7 @@ server:
    # -- Ingress TLS configuration for dedicated [gRPC-ingress]
    tls:
      []
-      # - secretName: argocd-tls-certificate
+      # - secretName: your-certificate-name
      #   hosts:
      #     - argocd.example.com
@ -1729,6 +1805,18 @@ server:
      # -- Image pull policy for extensions
      imagePullPolicy: IfNotPresent
    # -- Server UI extensions container-level security context
    # @default -- See [values.yaml]
    containerSecurityContext:
      runAsNonRoot: true
      readOnlyRootFilesystem: true
      allowPrivilegeEscalation: false
      seccompProfile:
        type: RuntimeDefault
      capabilities:
        drop:
        - ALL
    # -- Resource limits and requests for the argocd-extensions container
    resources: {}
    #  limits:
@ -1828,6 +1916,9 @@ repoServer:
  # @default -- `""` (defaults to global.logging.format)
  # logLevel: ""
  # -- Annotations to be added to repo server Deployment
  deploymentAnnotations: {}
  # -- Annotations to be added to repo server pods
  podAnnotations: {}
@ -1839,7 +1930,6 @@ repoServer:
  ## Readiness and liveness probes for default backend
  ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
  ##
  readinessProbe:
    # -- Minimum consecutive failures for the [probe] to be considered failed after having succeeded
    failureThreshold: 3
@ -1893,12 +1983,16 @@ repoServer:
  priorityClassName: ""
  # -- Repo server container-level security context
  # @default -- See [values.yaml]
  containerSecurityContext:
-    {}
+    runAsNonRoot: true
-    # capabilities:
+    readOnlyRootFilesystem: true
-    #   drop:
+    allowPrivilegeEscalation: false
-    #     - all
+    seccompProfile:
-    # readOnlyRootFilesystem: true
+      type: RuntimeDefault
    capabilities:
      drop:
      - ALL
  # -- Resource limits and requests for the repo server pods
  resources: {}
@ -1909,6 +2003,23 @@ repoServer:
  #    cpu: 10m
  #    memory: 64Mi
  # TLS certificate configuration via Secret
  ## Ref: https://argo-cd.readthedocs.io/en/stable/operator-manual/tls/#configuring-tls-to-argocd-repo-server
  ## Note: Issuing certificates via cert-manager in not supported right now because it's not possible to restart repo server automatically without extra controllers.
  certificateSecret:
    # -- Create argocd-repo-server-tls secret
    enabled: false
    # -- Annotations to be added to argocd-repo-server-tls secret
    annotations: {}
    # -- Labels to be added to argocd-repo-server-tls secret
    labels: {}
    # -- Certificate authority. Required for self-signed certificates.
    ca: ''
    # -- Certificate private key
    key: ''
    # -- Certificate data. Must contain SANs of Repo service (ie: argocd-repo-server, argocd-repo-server.argo-cd.svc)
    crt: ''
  ## Repo server service configuration
  service:
    # -- Repo server service annotations
@ -2402,14 +2513,26 @@ notifications:
    # service.slack: |
    #   token: $slack-token
  # -- Annotations to be applied to the notifications controller Deployment
  deploymentAnnotations: {}
  # -- Annotations to be applied to the controller Pods
  podAnnotations: {}
  # -- Labels to be applied to the controller Pods
  podLabels: {}
-  # -- Container Security Context
+  # -- Notification controller container-level security Context
-  containerSecurityContext: {}
+  # @default -- See [values.yaml]
  containerSecurityContext:
    runAsNonRoot: true
    readOnlyRootFilesystem: true
    allowPrivilegeEscalation: false
    seccompProfile:
      type: RuntimeDefault
    capabilities:
      drop:
      - ALL
  # -- Priority class for the controller pods
  priorityClassName: ""
@ -2723,10 +2846,6 @@ notifications:
      ## You have to set secret.notifiers.slack.signingSecret
      enabled: false
      # -- The deployment strategy to use to replace existing pods with new ones
      updateStrategy:
        type: Recreate
      ## Slack bot Pod Disruption Budget
      ## Ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
      pdb:
@ -2778,12 +2897,17 @@ notifications:
        # -- Annotations applied to created service account
        annotations: {}
-      # -- Pod Security Context
+      # -- Slack bot container-level security Context
-      securityContext:
+      # @default -- See [values.yaml]
      containerSecurityContext:
        runAsNonRoot: true
-
+        readOnlyRootFilesystem: true
-      # -- Container Security Context
+        allowPrivilegeEscalation: false
-      containerSecurityContext: {}
+        seccompProfile:
          type: RuntimeDefault
        capabilities:
          drop:
          - ALL
      # -- Resource limits and requests for the Slack bot
      resources: {}
--- a/charts/argo-workflows/Chart.yaml
+++ b/charts/argo-workflows/Chart.yaml
@ -1,9 +1,9 @@
 apiVersion: v2
-appVersion: v3.4.2
+appVersion: v3.4.4
 name: argo-workflows
 description: A Helm chart for Argo Workflows
 type: application
-version: 0.20.4
+version: 0.20.12
 icon: https://raw.githubusercontent.com/argoproj/argo-workflows/master/docs/assets/argo.png
 home: https://github.com/argoproj/argo-helm
 sources:
@ -13,4 +13,4 @@ maintainers:
    url: https://argoproj.github.io/
 annotations:
  artifacthub.io/changes: |
-    - "[Changed]: Enable to set different imagePullPolicy for mainContainer and executor"
+    - "[Changed]: Update Argo Workflows to v3.4.4"
--- a/charts/argo-workflows/README.md
+++ b/charts/argo-workflows/README.md
@ -62,6 +62,7 @@ Fields to note:
 | workflow.rbac.create | bool | `true` | Adds Role and RoleBinding for the above specified service account to be able to run workflows. A Role and Rolebinding pair is also created for each namespace in controller.workflowNamespaces (see below) |
 | workflow.serviceAccount.annotations | object | `{}` | Annotations applied to created service account |
 | workflow.serviceAccount.create | bool | `false` | Specifies whether a service account should be created |
 | workflow.serviceAccount.labels | object | `{}` | Labels applied to created service account |
 | workflow.serviceAccount.name | string | `"argo-workflow"` | Service account which is used to run workflows |
 ### Workflow Controller
@ -107,12 +108,15 @@ Fields to note:
 | controller.podSecurityContext | object | `{}` | SecurityContext to set on the controller pods |
 | controller.priorityClassName | string | `""` | Leverage a PriorityClass to ensure your pods survive resource shortages. |
 | controller.rbac.create | bool | `true` | Adds Role and RoleBinding for the controller. |
 | controller.rbac.secretWhitelist | list | `[]` | Allows controller to get, list, and watch certain k8s secrets |
 | controller.replicas | int | `1` | The number of controller pods to run |
 | controller.resourceRateLimit | object | `{}` | Globally limits the rate at which pods are created. This is intended to mitigate flooding of the Kubernetes API server by workflows with a large amount of parallel nodes. |
 | controller.resources | object | `{}` | Resource limits and requests for the controller |
 | controller.retentionPolicy | object | `{}` | Workflow retention by number of workflows |
 | controller.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true}` | the controller container's securityContext |
 | controller.serviceAccount.annotations | object | `{}` | Annotations applied to created service account |
 | controller.serviceAccount.create | bool | `true` | Create a service account for the controller |
 | controller.serviceAccount.labels | object | `{}` | Labels applied to created service account |
 | controller.serviceAccount.name | string | `""` | Service account name |
 | controller.serviceAnnotations | object | `{}` | Annotations to be applied to the controller Service |
 | controller.serviceLabels | object | `{}` | Optional labels to add to the controller Service |
@ -199,6 +203,7 @@ Fields to note:
 | server.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":false,"runAsNonRoot":true}` | Servers container-level security context |
 | server.serviceAccount.annotations | object | `{}` | Annotations applied to created service account |
 | server.serviceAccount.create | bool | `true` | Create a service account for the server |
 | server.serviceAccount.labels | object | `{}` | Labels applied to created service account |
 | server.serviceAccount.name | string | `""` | Service account name |
 | server.serviceAnnotations | object | `{}` | Annotations to be applied to the UI Service |
 | server.serviceLabels | object | `{}` | Optional labels to add to the UI Service |
@ -220,6 +225,7 @@ Fields to note:
 | artifactRepository.azure | object | `{}` (See [values.yaml]) | Store artifact in Azure Blob Storage |
 | artifactRepository.gcs | object | `{}` (See [values.yaml]) | Store artifact in a GCS object store |
 | artifactRepository.s3 | object | See [values.yaml] | Store artifact in a S3-compliant object store |
 | customArtifactRepository | object | `{}` | The section of custom artifact repository. Will be added to the config in case useDefaultArtifactRepo is set to false |
 | useDefaultArtifactRepo | bool | `false` | Influences the creation of the ConfigMap for the workflow-controller itself. |
 | useStaticCredentials | bool | `true` | Use static credentials for S3 (eg. when not using AWS IRSA) |
--- a/charts/argo-workflows/README.md.gotmpl
+++ b/charts/argo-workflows/README.md.gotmpl
@ -42,7 +42,7 @@ Fields to note:
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 {{- range .Values }}
-  {{- if not (or (hasPrefix "workflow" .Key) (hasPrefix "controller" .Key) (hasPrefix "executor" .Key) (hasPrefix "server" .Key) (hasPrefix "artifactRepository" .Key) (hasPrefix "use" .Key) (hasPrefix "mainContainer" .Key) ) }}
+  {{- if not (or (hasPrefix "workflow" .Key) (hasPrefix "controller" .Key) (hasPrefix "executor" .Key) (hasPrefix "server" .Key) (hasPrefix "artifactRepository" .Key) (hasPrefix "customArtifact" .Key) (hasPrefix "use" .Key) (hasPrefix "mainContainer" .Key) ) }}
 | {{ .Key }} | {{ .Type }} | {{ if .Default }}{{ .Default }}{{ else }}{{ .AutoDefault }}{{ end }} | {{ if .Description }}{{ .Description }}{{ else }}{{ .AutoDescription }}{{ end }} |
  {{- end }}
 {{- end }}
@ -102,7 +102,7 @@ Fields to note:
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 {{- range .Values }}
-  {{- if or (hasPrefix "artifactRepository" .Key) (hasPrefix "use" .Key) }}
+  {{- if or (hasPrefix "artifactRepository" .Key) (hasPrefix "use" .Key) (hasPrefix "customArtifact" .Key) }}
 | {{ .Key }} | {{ .Type }} | {{ if .Default }}{{ .Default }}{{ else }}{{ .AutoDefault }}{{ end }} | {{ if .Description }}{{ .Description }}{{ else }}{{ .AutoDescription }}{{ end }} |
  {{- end }}
 {{- end }}
--- a/charts/argo-workflows/templates/controller/workflow-controller-cluster-roles.yaml
+++ b/charts/argo-workflows/templates/controller/workflow-controller-cluster-roles.yaml
@ -164,6 +164,17 @@ rules:
  resourceNames:
  {{/* for HTTP templates */}}
  - argo-workflows-agent-ca-certificates
 {{- with .Values.controller.rbac.secretWhitelist }}
 - apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
  - list
  - watch
  resourceNames: {{- toYaml . | nindent 4 }}
 {{- end }}
 {{- if .Values.controller.clusterWorkflowTemplates.enabled }}
 ---
--- a/charts/argo-workflows/templates/controller/workflow-controller-config-map.yaml
+++ b/charts/argo-workflows/templates/controller/workflow-controller-config-map.yaml
@ -92,6 +92,10 @@ data:
          {{- toYaml . | nindent 10 }}
        {{- end }}
      {{- end }}
    {{- else }}
      {{- if .Values.customArtifactRepository }}
    artifactRepository: {{- toYaml .Values.customArtifactRepository | nindent 6 }}
      {{- end }}
    {{- end }}
    {{- if .Values.controller.metricsConfig.enabled }}
    metricsConfig:
@ -163,3 +167,6 @@ data:
    {{- with .Values.controller.navColor }}
    navColor: {{ . }}
    {{- end }}
    {{- with .Values.controller.retentionPolicy }}
    retentionPolicy: {{- toYaml . | nindent 6 }}
    {{- end }}
--- a/charts/argo-workflows/templates/controller/workflow-controller-sa.yaml
+++ b/charts/argo-workflows/templates/controller/workflow-controller-sa.yaml
@ -5,6 +5,9 @@ metadata:
  name: {{ template "argo-workflows.controllerServiceAccountName" . }}
  labels:
    {{- include "argo-workflows.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }}
  {{- with .Values.controller.serviceAccount.labels  }}
    {{- toYaml . | nindent 4 }}
  {{- end }}
  {{ with .Values.controller.serviceAccount.annotations }}
  annotations:
    {{- toYaml .| nindent 4 }}
--- a/charts/argo-workflows/templates/controller/workflow-sa.yaml
+++ b/charts/argo-workflows/templates/controller/workflow-sa.yaml
@ -7,6 +7,9 @@ metadata:
  name: {{ $.Values.workflow.serviceAccount.name }}
  labels:
    {{- include "argo-workflows.labels" (dict "context" $ "component" $.Values.controller.name "name" $.Values.controller.name) | nindent 4 }}
  {{- with $.Values.workflow.serviceAccount.labels  }}
    {{- toYaml . | nindent 4 }}
  {{- end }}
    {{- with $namespace }}
  namespace: {{ . }}
    {{- end }}
--- a/charts/argo-workflows/templates/server/server-cluster-roles.yaml
+++ b/charts/argo-workflows/templates/server/server-cluster-roles.yaml
@ -30,7 +30,7 @@ rules:
  - list
  - watch
  - delete
-  {{- if .Values.server.sso }}
+{{- if .Values.server.sso }}
 - apiGroups:
  - ""
  resources:
@ -46,7 +46,7 @@ rules:
  - secrets
  verbs:
  - create
-    {{- if .Values.server.sso.rbac }}
+  {{- if .Values.server.sso.rbac }}
 - apiGroups:
  - ""
  resources:
@ -55,8 +55,8 @@ rules:
  - get
  - list
  - watch
    {{- end }}
  {{- end }}
 {{- end }}
 - apiGroups:
  - ""
  resources:
--- a/charts/argo-workflows/templates/server/server-sa.yaml
+++ b/charts/argo-workflows/templates/server/server-sa.yaml
@ -5,6 +5,9 @@ metadata:
  name: {{ template "argo-workflows.serverServiceAccountName" . }}
  labels:
    {{- include "argo-workflows.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }}
  {{- with .Values.server.serviceAccount.labels  }}
    {{- toYaml . | nindent 4 }}
  {{- end }}
  {{- with .Values.server.serviceAccount.annotations  }}
  annotations:
    {{- toYaml . | nindent 4 }}
--- a/charts/argo-workflows/values.yaml
+++ b/charts/argo-workflows/values.yaml
@ -41,6 +41,8 @@ workflow:
  serviceAccount:
    # -- Specifies whether a service account should be created
    create: false
    # -- Labels applied to created service account
    labels: {}
    # -- Annotations applied to created service account
    annotations: {}
    # -- Service account which is used to run workflows
@ -70,6 +72,8 @@ controller:
  rbac:
    # -- Adds Role and RoleBinding for the controller.
    create: true
    # -- Allows controller to get, list, and watch certain k8s secrets
    secretWhitelist: []
  # -- Limits the maximum number of incomplete workflows in a namespace
  namespaceParallelism:
@ -179,6 +183,8 @@ controller:
    create: true
    # -- Service account name
    name: ""
    # -- Labels applied to created service account
    labels: {}
    # -- Annotations applied to created service account
    annotations: {}
@ -285,6 +291,12 @@ controller:
  # -- Extra containers to be added to the controller deployment
  extraContainers: []
  # -- Workflow retention by number of workflows
  retentionPolicy: {}
  #  completed: 10
  #  failed: 3
  #  errored: 3
 # mainContainer adds default config for main container that could be overriden in workflows template
 mainContainer:
  # -- imagePullPolicy to apply to Workflow main container. Defaults to `.Values.images.pullPolicy`.
@ -364,6 +376,8 @@ server:
    create: true
    # -- Service account name
    name: ""
    # -- Labels applied to created service account
    labels: {}
    # -- Annotations applied to created service account
    annotations: {}
@ -602,3 +616,17 @@ artifactRepository:
  # accountKeySecret:
  #  name: my-azure-storage-credentials
  #  key: account-access-key
 # -- The section of custom artifact repository.
 # Will be added to the config in case useDefaultArtifactRepo is set to false
 customArtifactRepository: {}
 # customArtifactRepository:
 #   archiveLogs: true
 #   artifactory:
 #     repoUrl: https://artifactory.example.com/raw
 #     usernameSecret:
 #       name: artifactory-creds
 #       key: username
 #     passwordSecret:
 #       name: artifactory-creds
 #       key: password
--- a/scripts/lint.sh
+++ b/scripts/lint.sh
@ -9,7 +9,7 @@ echo -e "\n-- Linting all Helm Charts --\n"
 docker run \
     -v "$SRCROOT:/workdir" \
     --entrypoint /bin/sh \
-     quay.io/helmpack/chart-testing:v3.7.0 \
+     quay.io/helmpack/chart-testing:v3.7.1 \
     -c cd /workdir \
     ct lint \
     --config .github/configs/ct-lint.yaml \