From 513df3df8f7cd781fec944ea3699568831265507 Mon Sep 17 00:00:00 2001 From: Jason Meridth Date: Fri, 5 May 2023 09:13:41 -0500 Subject: [PATCH 1/5] fix(argo-workflows): Add missing argo-workflows.apiVersion.autoscaling helper function for HPA configuration (#2001) fix: Add missing argo-workflows.apiVersion.autoscaling helper function for HPA configuration Signed-off-by: jmeridth --- charts/argo-workflows/Chart.yaml | 6 +++--- charts/argo-workflows/templates/_helpers.tpl | 13 +++++++++++++ 2 files changed, 16 insertions(+), 3 deletions(-) diff --git a/charts/argo-workflows/Chart.yaml b/charts/argo-workflows/Chart.yaml index 51e901cc..2d52acbd 100644 --- a/charts/argo-workflows/Chart.yaml +++ b/charts/argo-workflows/Chart.yaml @@ -3,7 +3,7 @@ appVersion: v3.4.7 name: argo-workflows description: A Helm chart for Argo Workflows type: application -version: 0.25.1 +version: 0.25.2 icon: https://raw.githubusercontent.com/argoproj/argo-workflows/master/docs/assets/argo.png home: https://github.com/argoproj/argo-helm sources: @@ -13,5 +13,5 @@ maintainers: url: https://argoproj.github.io/ annotations: artifacthub.io/changes: | - - kind: added - description: Add Prometheus ServiceMonitor relabelings, metricRelabelings & targetLabels + - kind: fix + description: Add missing argo-workflows.apiVersion.autoscaling helper function used for HPA configuration diff --git a/charts/argo-workflows/templates/_helpers.tpl b/charts/argo-workflows/templates/_helpers.tpl index 7719052d..2fbcc708 100644 --- a/charts/argo-workflows/templates/_helpers.tpl +++ b/charts/argo-workflows/templates/_helpers.tpl @@ -153,3 +153,16 @@ Return full image name including or excluding registry based on existence {{ .image.repository }} {{- end -}} {{- end -}} + +{{/* +Return the appropriate apiVersion for autoscaling +*/}} +{{- define "argo-workflows.apiVersion.autoscaling" -}} +{{- if .Values.apiVersionOverrides.autoscaling -}} +{{- print .Values.apiVersionOverrides.autoscaling -}} +{{- else if semverCompare "<1.23-0" (include "argo-cd.kubeVersion" .) -}} +{{- print "autoscaling/v2beta1" -}} +{{- else -}} +{{- print "autoscaling/v2" -}} +{{- end -}} +{{- end -}} From 2197c8e0402ab1074761af8d5f45825f0d59d4e1 Mon Sep 17 00:00:00 2001 From: Jason Meridth Date: Fri, 5 May 2023 09:30:53 -0500 Subject: [PATCH 2/5] fix(argo-workflows): Drop .Values.useDefaultArtifactRepo flag to simplify usage (#2002) Fixes #1140 - [x] remove `.Values.useDefaultArtifactRepo` to ensure if items populated they get into the configmap. - [x] change structure of `.Values.customArtifactRepository` to only include the custom information Signed-off-by: jmeridth --- charts/argo-workflows/Chart.yaml | 4 ++-- charts/argo-workflows/README.md | 3 +-- .../workflow-controller-config-map.yaml | 7 ++---- charts/argo-workflows/values.yaml | 22 ++++++++----------- 4 files changed, 14 insertions(+), 22 deletions(-) diff --git a/charts/argo-workflows/Chart.yaml b/charts/argo-workflows/Chart.yaml index 2d52acbd..443bffb7 100644 --- a/charts/argo-workflows/Chart.yaml +++ b/charts/argo-workflows/Chart.yaml @@ -3,7 +3,7 @@ appVersion: v3.4.7 name: argo-workflows description: A Helm chart for Argo Workflows type: application -version: 0.25.2 +version: 0.26.0 icon: https://raw.githubusercontent.com/argoproj/argo-workflows/master/docs/assets/argo.png home: https://github.com/argoproj/argo-helm sources: @@ -14,4 +14,4 @@ maintainers: annotations: artifacthub.io/changes: | - kind: fix - description: Add missing argo-workflows.apiVersion.autoscaling helper function used for HPA configuration + description: Drop .Values.useDefaultArtifactRepo flag to simplify usage diff --git a/charts/argo-workflows/README.md b/charts/argo-workflows/README.md index d918b444..dae6972b 100644 --- a/charts/argo-workflows/README.md +++ b/charts/argo-workflows/README.md @@ -308,8 +308,7 @@ Fields to note: | artifactRepository.azure | object | `{}` (See [values.yaml]) | Store artifact in Azure Blob Storage | | artifactRepository.gcs | object | `{}` (See [values.yaml]) | Store artifact in a GCS object store | | artifactRepository.s3 | object | See [values.yaml] | Store artifact in a S3-compliant object store | -| customArtifactRepository | object | `{}` | The section of custom artifact repository. Will be added to the config in case useDefaultArtifactRepo is set to false | -| useDefaultArtifactRepo | bool | `false` | Influences the creation of the ConfigMap for the workflow-controller itself. | +| customArtifactRepository | object | `{}` | The section of custom artifact repository. Utilize a custom artifact repository that is not one of the current base ones (s3, gcs, azure) | | useStaticCredentials | bool | `true` | Use static credentials for S3 (eg. when not using AWS IRSA) | ## Breaking changes from the deprecated `argo` chart diff --git a/charts/argo-workflows/templates/controller/workflow-controller-config-map.yaml b/charts/argo-workflows/templates/controller/workflow-controller-config-map.yaml index 7327ecac..55720eb2 100644 --- a/charts/argo-workflows/templates/controller/workflow-controller-config-map.yaml +++ b/charts/argo-workflows/templates/controller/workflow-controller-config-map.yaml @@ -55,7 +55,6 @@ data: securityContext: {{- toYaml . | nindent 8 }} {{- end }} {{- end }} - {{- if .Values.useDefaultArtifactRepo }} artifactRepository: {{- if .Values.artifactRepository.archiveLogs }} archiveLogs: {{ .Values.artifactRepository.archiveLogs }} @@ -96,10 +95,8 @@ data: {{- toYaml . | nindent 10 }} {{- end }} {{- end }} - {{- else }} - {{- if .Values.customArtifactRepository }} - artifactRepository: {{- toYaml .Values.customArtifactRepository | nindent 6 }} - {{- end }} + {{- if .Values.customArtifactRepository }} + {{- toYaml .Values.customArtifactRepository | nindent 6 }} {{- end }} {{- if .Values.controller.metricsConfig.enabled }} metricsConfig: diff --git a/charts/argo-workflows/values.yaml b/charts/argo-workflows/values.yaml index 7dddf89e..c1c0229e 100644 --- a/charts/argo-workflows/values.yaml +++ b/charts/argo-workflows/values.yaml @@ -639,8 +639,6 @@ extraObjects: [] # secretName: argo-server-sso-secrets-store # type: Opaque -# -- Influences the creation of the ConfigMap for the workflow-controller itself. -useDefaultArtifactRepo: false # -- Use static credentials for S3 (eg. when not using AWS IRSA) useStaticCredentials: true artifactRepository: @@ -702,18 +700,16 @@ artifactRepository: # key: account-access-key # -- The section of custom artifact repository. -# Will be added to the config in case useDefaultArtifactRepo is set to false +# Utilize a custom artifact repository that is not one of the current base ones (s3, gcs, azure) customArtifactRepository: {} -# customArtifactRepository: -# archiveLogs: true -# artifactory: -# repoUrl: https://artifactory.example.com/raw -# usernameSecret: -# name: artifactory-creds -# key: username -# passwordSecret: -# name: artifactory-creds -# key: password +# artifactory: +# repoUrl: https://artifactory.example.com/raw +# usernameSecret: +# name: artifactory-creds +# key: username +# passwordSecret: +# name: artifactory-creds +# key: password emissary: # -- The command/args for each image on workflow, needed when the command is not specified and the emissary executor is used. From e980b71b83c037c6e8503413aeeff27aedc48ebd Mon Sep 17 00:00:00 2001 From: Cyril Jouve Date: Fri, 5 May 2023 22:19:18 +0200 Subject: [PATCH 3/5] feat(argo-cd): allow extraObjects to contain string template (#1993) [argo-cd] allow extraObjects to contain string template Signed-off-by: Cyril Jouve Signed-off-by: Marco Kilchhofer Co-authored-by: Marco Kilchhofer --- charts/argo-cd/Chart.yaml | 6 +++--- charts/argo-cd/templates/extra-manifests.yaml | 6 +++++- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/charts/argo-cd/Chart.yaml b/charts/argo-cd/Chart.yaml index 9d222608..75944916 100644 --- a/charts/argo-cd/Chart.yaml +++ b/charts/argo-cd/Chart.yaml @@ -3,7 +3,7 @@ appVersion: v2.7.1 kubeVersion: ">=1.22.0-0" description: A Helm chart for Argo CD, a declarative, GitOps continuous delivery tool for Kubernetes. name: argo-cd -version: 5.31.1 +version: 5.32.0 home: https://github.com/argoproj/argo-helm icon: https://argo-cd.readthedocs.io/en/stable/assets/logo.png sources: @@ -23,5 +23,5 @@ dependencies: condition: redis-ha.enabled annotations: artifacthub.io/changes: | - - kind: changed - description: Update Argo CD v2.7.1 + - kind: added + description: Allow extraObjects to contain string templates diff --git a/charts/argo-cd/templates/extra-manifests.yaml b/charts/argo-cd/templates/extra-manifests.yaml index a9bb3b6b..f17b1a93 100644 --- a/charts/argo-cd/templates/extra-manifests.yaml +++ b/charts/argo-cd/templates/extra-manifests.yaml @@ -1,4 +1,8 @@ {{ range .Values.extraObjects }} --- -{{ tpl (toYaml .) $ }} +{{- if typeIs "string" . }} + {{- tpl . $ }} +{{- else }} + {{- tpl (toYaml .) $ }} +{{- end }} {{ end }} From 71462b7f6d29c68cb5b39ddc57e3e4daf416867a Mon Sep 17 00:00:00 2001 From: Marco Kilchhofer Date: Fri, 5 May 2023 22:21:46 +0200 Subject: [PATCH 4/5] feat(github): Add OpenSSF Scorecard action (#2009) Signed-off-by: Marco Kilchhofer Co-authored-by: Marko Bevc --- .github/workflows/scorecard.yml | 72 +++++++++++++++++++++++++++++++++ README.md | 1 + 2 files changed, 73 insertions(+) create mode 100644 .github/workflows/scorecard.yml diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml new file mode 100644 index 00000000..c5ec1159 --- /dev/null +++ b/.github/workflows/scorecard.yml @@ -0,0 +1,72 @@ +# This workflow uses actions that are not certified by GitHub. They are provided +# by a third-party and are governed by separate terms of service, privacy +# policy, and support documentation. + +name: Scorecard supply-chain security +on: + # For Branch-Protection check. Only the default branch is supported. See + # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection + branch_protection_rule: + # To guarantee Maintained check is occasionally updated. See + # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained + schedule: + - cron: '21 6 * * 6' + push: + branches: [ "main" ] + +# Declare default permissions as read only. +permissions: read-all + +jobs: + analysis: + name: Scorecard analysis + runs-on: ubuntu-latest + permissions: + # Needed to upload the results to code-scanning dashboard. + security-events: write + # Needed to publish results and get a badge (see publish_results below). + id-token: write + # Uncomment the permissions below if installing in a private repository. + # contents: read + # actions: read + + steps: + - name: "Checkout code" + uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0 + with: + persist-credentials: false + + - name: "Run analysis" + uses: ossf/scorecard-action@e38b1902ae4f44df626f11ba0734b14fb91f8f86 # v2.1.2 + with: + results_file: results.sarif + results_format: sarif + # (Optional) "write" PAT token. Uncomment the `repo_token` line below if: + # - you want to enable the Branch-Protection check on a *public* repository, or + # - you are installing Scorecard on a *private* repository + # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat. + repo_token: ${{ secrets.SCORECARD_TOKEN }} + + # Public repositories: + # - Publish results to OpenSSF REST API for easy access by consumers + # - Allows the repository to include the Scorecard badge. + # - See https://github.com/ossf/scorecard-action#publishing-results. + # For private repositories: + # - `publish_results` will always be set to `false`, regardless + # of the value entered here. + publish_results: true + + # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF + # format to the repository Actions tab. + - name: "Upload artifact" + uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3.1.0 + with: + name: SARIF file + path: results.sarif + retention-days: 5 + + # Upload the results to GitHub's code scanning dashboard. + - name: "Upload to code-scanning" + uses: github/codeql-action/upload-sarif@17573ee1cc1b9d061760f3a006fc4aac4f944fd5 # v2.2.4 + with: + sarif_file: results.sarif diff --git a/README.md b/README.md index ac71eb3e..e8544439 100644 --- a/README.md +++ b/README.md @@ -5,6 +5,7 @@ [![Chart Publish](https://github.com/argoproj/argo-helm/actions/workflows/publish.yml/badge.svg?branch=main)](https://github.com/argoproj/argo-helm/actions/workflows/publish.yml) [![Artifact HUB](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/argo)](https://artifacthub.io/packages/search?repo=argo) [![CLOMonitor](https://img.shields.io/endpoint?url=https://clomonitor.io/api/projects/cncf/argo/badge)](https://clomonitor.io/projects/cncf/argo) +[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/argoproj/argo-helm/badge)](https://api.securityscorecards.dev/projects/github.com/argoproj/argo-helm) Argo Helm is a collection of **community maintained** charts for [https://argoproj.github.io](https://argoproj.github.io) projects. The charts can be added using following command: From fe901f4dfb786c45a0d6a022e8a731b0564db70e Mon Sep 17 00:00:00 2001 From: Jason Meridth Date: Fri, 5 May 2023 15:23:04 -0500 Subject: [PATCH 5/5] chore(github): Update repo files (#2006) - [x] DELETE OWNERS file, not parsed, only used for bookkeeping, CODEOWNERS does this - [x] update CODEOWNERS to people who have committed in the last year - [x] create EMERITUS.md to list former CODEOWNERS and thank them for their contribution - [x] create SECURITY.md so people know how to report security issues - [x] turn on private vulnerability reporting in the repository - [x] create CODE_OF_CONDUCT.md linking to CNCF code of conduct By adding a code of conduct and security file we can set our Community Standards to 100% [here](https://github.com/argoproj/argo-helm/community) Signed-off-by: jmeridth Co-authored-by: Marko Bevc --- CODEOWNERS | 14 ++++++-------- CODE_OF_CONDUCT.md | 9 +++++++++ EMERITUS.md | 12 ++++++++++++ OWNERS | 9 --------- SECURITY.md | 21 +++++++++++++++++++++ 5 files changed, 48 insertions(+), 17 deletions(-) create mode 100644 CODE_OF_CONDUCT.md create mode 100644 EMERITUS.md delete mode 100644 OWNERS create mode 100644 SECURITY.md diff --git a/CODEOWNERS b/CODEOWNERS index aea8942f..bd5df3d0 100644 --- a/CODEOWNERS +++ b/CODEOWNERS @@ -1,16 +1,14 @@ -# https://help.github.com/en/github/creating-cloning-and-archiving-repositories/about-code-owners - -# Other and new charts -/charts/ @oliverbaehler +# All +* @mkilchhofer @jmeridth # Argo Workflows -/charts/argo-workflows/ @stefansedich @paguos @vladlosev @yann-soubeyrand @jmeridth @yu-croco +/charts/argo-workflows/ @vladlosev @yann-soubeyrand @jmeridth @yu-croco # Argo CD -/charts/argo-cd/ @davidkarlsen @mr-sour @yann-soubeyrand @mbevc1 @mkilchhofer @yu-croco @jmeridth @pdrastil +/charts/argo-cd/ @mbevc1 @mkilchhofer @yu-croco @jmeridth @pdrastil # Argo Events -/charts/argo-events/ @jbehling @VaibhavPage @pdrastil +/charts/argo-events/ @pdrastil @jmeridth # Argo Rollouts -/charts/argo-rollouts/ +/charts/argo-rollouts/ @jmeridth diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md new file mode 100644 index 00000000..37789a9d --- /dev/null +++ b/CODE_OF_CONDUCT.md @@ -0,0 +1,9 @@ +# Code of Conduct + +We adhere to the [CNCF Code of Conduct](https://github.com/cncf/foundation/blob/main/code-of-conduct.md). Please reference the link for details. + +## TL;DR (too long didn't read) + +Be kind + +Your participation is at the discression of the maintainers of this project. diff --git a/EMERITUS.md b/EMERITUS.md new file mode 100644 index 00000000..2c299690 --- /dev/null +++ b/EMERITUS.md @@ -0,0 +1,12 @@ +# Emeritus Approvers + +These are the people who have been approvers in the past, and have since retired from the role. + +We thank them for their service to the project. + +* @oliverbaehler +* @stefansedich +* @paguos +* @yann-soubeyrand +* @davidkarlsen +* @jbehling diff --git a/OWNERS b/OWNERS deleted file mode 100644 index e393c5ba..00000000 --- a/OWNERS +++ /dev/null @@ -1,9 +0,0 @@ -owners: -- alexec -- alexmt -- jessesuen - -approvers: -- alexec -- alexmt -- jessesuen diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 00000000..7c30259c --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,21 @@ +# Security Policy + +## Supported Versions and Upstream Reporting + +Each helm chart currently supports the designated application version in the Chart.yaml. There is a chance a security issue you've discovered may not be with the helm chart but with the upstream application. Please visit that application's Security policy docueent to find out how to report the security issue. + +* [Security Policy for Argo Workflows](https://github.com/argoproj/argo-workflows/blob/master/SECURITY.md) +* [Security Policy for Argo Events](https://github.com/argoproj/argo-events/blob/master/SECURITY.md) +* [Security Policy for Argo Rollouts](https://github.com/argoproj/argo-rollouts/blob/master/docs/security.md) +* [Security Policy for Argo CD](https://github.com/argoproj/argo-cd/blob/master/SECURITY.md) +* [Security Policy for Argo CD Image Updater](https://github.com/argoproj-labs/argocd-image-updater/blob/master/SECURITY.md) + +## Reporting a Vulnerability for Argo Helm Charts + +We have enabled the ability to privately report security issues through the Security tab above. + +[Here are the details on how to file](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability#privately-reporting-a-security-vulnerability) on how to do that + +A repository owner/maintainer will respond as fast as possible to coordinate confirmation of issue and remediation. + +Thank you for helping to ensure this code stays secure.