From 79a24410b5fe781fabdc9986cbcbe54094599471 Mon Sep 17 00:00:00 2001 From: Petr Drastil Date: Tue, 13 Feb 2024 12:13:41 +0100 Subject: [PATCH 1/4] chore(argo-cd): Remove server.config leftovers (#2504) --- charts/argo-cd/Chart.yaml | 4 ++-- .../templates/argocd-application-controller/statefulset.yaml | 2 +- charts/argo-cd/templates/argocd-repo-server/deployment.yaml | 2 +- charts/argo-cd/templates/argocd-server/role.yaml | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/charts/argo-cd/Chart.yaml b/charts/argo-cd/Chart.yaml index f77a7adb..c2dc5617 100644 --- a/charts/argo-cd/Chart.yaml +++ b/charts/argo-cd/Chart.yaml @@ -3,7 +3,7 @@ appVersion: v2.10.0 kubeVersion: ">=1.23.0-0" description: A Helm chart for Argo CD, a declarative, GitOps continuous delivery tool for Kubernetes. name: argo-cd -version: 6.0.8 +version: 6.0.9 home: https://github.com/argoproj/argo-helm icon: https://argo-cd.readthedocs.io/en/stable/assets/logo.png sources: @@ -27,4 +27,4 @@ annotations: url: https://argoproj.github.io/argo-helm/pgp_keys.asc artifacthub.io/changes: | - kind: fixed - description: Fixed port name for argocd-repo-server and applicationset webhook for Istio service discovery + description: Conditions that still checked for old configuration sections diff --git a/charts/argo-cd/templates/argocd-application-controller/statefulset.yaml b/charts/argo-cd/templates/argocd-application-controller/statefulset.yaml index c08a4a34..8c929e41 100644 --- a/charts/argo-cd/templates/argocd-application-controller/statefulset.yaml +++ b/charts/argo-cd/templates/argocd-application-controller/statefulset.yaml @@ -22,7 +22,7 @@ spec: metadata: annotations: checksum/cmd-params: {{ include (print $.Template.BasePath "/argocd-configs/argocd-cmd-params-cm.yaml") . | sha256sum }} - {{- if (hasKey .Values.server "configEnabled") | ternary .Values.server.configEnabled .Values.configs.cm.create }} + {{- if .Values.configs.cm.create }} checksum/cm: {{ include (print $.Template.BasePath "/argocd-configs/argocd-cm.yaml") . | sha256sum }} {{- end }} {{- with (mergeOverwrite (deepCopy .Values.global.podAnnotations) .Values.controller.podAnnotations) }} diff --git a/charts/argo-cd/templates/argocd-repo-server/deployment.yaml b/charts/argo-cd/templates/argocd-repo-server/deployment.yaml index 2d232591..9f72d33b 100755 --- a/charts/argo-cd/templates/argocd-repo-server/deployment.yaml +++ b/charts/argo-cd/templates/argocd-repo-server/deployment.yaml @@ -30,7 +30,7 @@ spec: {{- if .Values.repoServer.certificateSecret.enabled }} checksum/repo-server-tls: {{ include (print $.Template.BasePath "/argocd-configs/argocd-repo-server-tls-secret.yaml") . | sha256sum }} {{- end }} - {{- if (hasKey .Values.server "configEnabled") | ternary .Values.server.configEnabled .Values.configs.cm.create }} + {{- if .Values.configs.cm.create }} checksum/cm: {{ include (print $.Template.BasePath "/argocd-configs/argocd-cm.yaml") . | sha256sum }} {{- end }} {{- if .Values.configs.cmp.create }} diff --git a/charts/argo-cd/templates/argocd-server/role.yaml b/charts/argo-cd/templates/argocd-server/role.yaml index adc6f014..1a2b3851 100644 --- a/charts/argo-cd/templates/argocd-server/role.yaml +++ b/charts/argo-cd/templates/argocd-server/role.yaml @@ -42,7 +42,7 @@ rules: verbs: - create - list -{{- if eq (toString (index (coalesce .Values.server.config .Values.configs.cm) "exec.enabled")) "true" }} +{{- if eq (toString (index .Values.configs.cm "exec.enabled")) "true" }} - apiGroups: - "" resources: From 866ee08bc06036fadd167e0a6d576c63c1be068a Mon Sep 17 00:00:00 2001 From: Luke Date: Tue, 13 Feb 2024 04:27:08 -0700 Subject: [PATCH 2/4] chore(argo-cd): update notifications links to latest documentation (#2503) Signed-off-by: lukepatrick Signed-off-by: Petr Drastil Co-authored-by: Petr Drastil --- charts/argo-cd/Chart.yaml | 4 ++-- charts/argo-cd/values.yaml | 20 ++++++++++---------- 2 files changed, 12 insertions(+), 12 deletions(-) diff --git a/charts/argo-cd/Chart.yaml b/charts/argo-cd/Chart.yaml index c2dc5617..32dec045 100644 --- a/charts/argo-cd/Chart.yaml +++ b/charts/argo-cd/Chart.yaml @@ -3,7 +3,7 @@ appVersion: v2.10.0 kubeVersion: ">=1.23.0-0" description: A Helm chart for Argo CD, a declarative, GitOps continuous delivery tool for Kubernetes. name: argo-cd -version: 6.0.9 +version: 6.0.10 home: https://github.com/argoproj/argo-helm icon: https://argo-cd.readthedocs.io/en/stable/assets/logo.png sources: @@ -27,4 +27,4 @@ annotations: url: https://argoproj.github.io/argo-helm/pgp_keys.asc artifacthub.io/changes: | - kind: fixed - description: Conditions that still checked for old configuration sections + description: Update notifications links to updated documentation diff --git a/charts/argo-cd/values.yaml b/charts/argo-cd/values.yaml index 7fad7539..7d58a699 100644 --- a/charts/argo-cd/values.yaml +++ b/charts/argo-cd/values.yaml @@ -2967,7 +2967,7 @@ notifications: extraVolumes: [] # -- Define user-defined context - ## For more information: https://argocd-notifications.readthedocs.io/en/stable/templates/#defining-user-defined-context + ## For more information: https://argo-cd.readthedocs.io/en/stable/operator-manual/notifications/templates/#defining-user-defined-context context: {} # region: east # environmentName: staging @@ -2984,19 +2984,19 @@ notifications: # -- Generic key:value pairs to be inserted into the secret ## Can be used for templates, notification services etc. Some examples given below. - ## For more information: https://argocd-notifications.readthedocs.io/en/stable/services/overview/ + ## For more information: https://argo-cd.readthedocs.io/en/stable/operator-manual/notifications/services/overview/ items: {} # slack-token: - # # For more information: https://argocd-notifications.readthedocs.io/en/stable/services/slack/ + # # For more information: https://argo-cd.readthedocs.io/en/stable/operator-manual/notifications/services/slack/ # grafana-apiKey: - # # For more information: https://argocd-notifications.readthedocs.io/en/stable/services/grafana/ + # # For more information: https://argo-cd.readthedocs.io/en/stable/operator-manual/notifications/services/grafana/ # webhooks-github-token: # email-username: # email-password: - # For more information: https://argocd-notifications.readthedocs.io/en/stable/services/email/ + # For more information: https://argo-cd.readthedocs.io/en/stable/operator-manual/notifications/services/email/ metrics: # -- Enables prometheus metrics server @@ -3038,7 +3038,7 @@ notifications: # -- Configures notification services such as slack, email or custom webhook # @default -- See [values.yaml] - ## For more information: https://argocd-notifications.readthedocs.io/en/stable/services/overview/ + ## For more information: https://argo-cd.readthedocs.io/en/stable/operator-manual/notifications/services/overview/ notifiers: {} # service.slack: | # token: $slack-token @@ -3138,7 +3138,7 @@ notifications: rules: [] # -- Contains centrally managed global application subscriptions - ## For more information: https://argocd-notifications.readthedocs.io/en/stable/subscriptions/ + ## For more information: https://argo-cd.readthedocs.io/en/stable/operator-manual/notifications/subscriptions/ subscriptions: [] # # subscription for on-sync-status-unknown trigger notifications # - recipients: @@ -3154,7 +3154,7 @@ notifications: # - on-sync-status-unknown # -- The notification template is used to generate the notification content - ## For more information: https://argocd-notifications.readthedocs.io/en/stable/templates/ + ## For more information: https://argo-cd.readthedocs.io/en/stable/operator-manual/notifications/templates/ templates: {} # template.app-deployed: | # email: @@ -3371,7 +3371,7 @@ notifications: # }] # -- The trigger defines the condition when the notification should be sent - ## For more information: https://argocd-notifications.readthedocs.io/en/stable/triggers/ + ## For more information: https://argo-cd.readthedocs.io/en/stable/operator-manual/notifications/triggers/ triggers: {} # trigger.on-deployed: | # - description: Application is synced and healthy. Triggered once per commit. @@ -3405,6 +3405,6 @@ notifications: # - app-sync-succeeded # when: app.status.operationState.phase in ['Succeeded'] # - # For more information: https://argocd-notifications.readthedocs.io/en/stable/triggers/#default-triggers + # For more information: https://argo-cd.readthedocs.io/en/stable/operator-manual/notifications/triggers/#default-triggers # defaultTriggers: | # - on-sync-status-unknown From 6c47b2a69bf076c371f35d46785b1271ea32b31b Mon Sep 17 00:00:00 2001 From: Florian Blampey Date: Tue, 13 Feb 2024 12:42:29 +0100 Subject: [PATCH 3/4] fix(argo-cd): Use `with` instead of `range` on reposerver serviceaccount (#2506) fixes #2505 with instead of range serviceaccount reposerver Signed-off-by: Florian Blampey Signed-off-by: Marco Maurer (-Kilchhofer) Co-authored-by: Marco Maurer (-Kilchhofer) --- charts/argo-cd/Chart.yaml | 4 ++-- .../argo-cd/templates/argocd-repo-server/serviceaccount.yaml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/charts/argo-cd/Chart.yaml b/charts/argo-cd/Chart.yaml index 32dec045..95b46b16 100644 --- a/charts/argo-cd/Chart.yaml +++ b/charts/argo-cd/Chart.yaml @@ -3,7 +3,7 @@ appVersion: v2.10.0 kubeVersion: ">=1.23.0-0" description: A Helm chart for Argo CD, a declarative, GitOps continuous delivery tool for Kubernetes. name: argo-cd -version: 6.0.10 +version: 6.0.11 home: https://github.com/argoproj/argo-helm icon: https://argo-cd.readthedocs.io/en/stable/assets/logo.png sources: @@ -27,4 +27,4 @@ annotations: url: https://argoproj.github.io/argo-helm/pgp_keys.asc artifacthub.io/changes: | - kind: fixed - description: Update notifications links to updated documentation + description: Use `with` instead of `range` on reposerver serviceaccount diff --git a/charts/argo-cd/templates/argocd-repo-server/serviceaccount.yaml b/charts/argo-cd/templates/argocd-repo-server/serviceaccount.yaml index 945483fa..2facd9af 100644 --- a/charts/argo-cd/templates/argocd-repo-server/serviceaccount.yaml +++ b/charts/argo-cd/templates/argocd-repo-server/serviceaccount.yaml @@ -13,7 +13,7 @@ metadata: {{- end }} labels: {{- include "argo-cd.labels" (dict "context" . "component" .Values.repoServer.name "name" .Values.repoServer.name) | nindent 4 }} - {{- range $key, $value := .Values.repoServer.serviceAccount.labels }} + {{- with .Values.repoServer.serviceAccount.labels }} {{- toYaml . | nindent 4 }} {{- end }} {{- end }} From c0b7a7e074ff1eb0bee134a04fed351f3de9b633 Mon Sep 17 00:00:00 2001 From: Petr Drastil Date: Tue, 13 Feb 2024 16:26:29 +0100 Subject: [PATCH 4/4] chore(argo-cd): Disable argocd-repo-server cluster role by default (#2498) Signed-off-by: Petr Drastil --- charts/argo-cd/Chart.yaml | 6 +++--- .../argo-cd/templates/argocd-repo-server/clusterrole.yaml | 6 +++--- .../templates/argocd-repo-server/clusterrolebinding.yaml | 2 +- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/charts/argo-cd/Chart.yaml b/charts/argo-cd/Chart.yaml index 95b46b16..8ad20a03 100644 --- a/charts/argo-cd/Chart.yaml +++ b/charts/argo-cd/Chart.yaml @@ -3,7 +3,7 @@ appVersion: v2.10.0 kubeVersion: ">=1.23.0-0" description: A Helm chart for Argo CD, a declarative, GitOps continuous delivery tool for Kubernetes. name: argo-cd -version: 6.0.11 +version: 6.0.12 home: https://github.com/argoproj/argo-helm icon: https://argo-cd.readthedocs.io/en/stable/assets/logo.png sources: @@ -26,5 +26,5 @@ annotations: fingerprint: 2B8F22F57260EFA67BE1C5824B11F800CD9D2252 url: https://argoproj.github.io/argo-helm/pgp_keys.asc artifacthub.io/changes: | - - kind: fixed - description: Use `with` instead of `range` on reposerver serviceaccount + - kind: security + description: Argo CD repo-server cluster role is not deployed by default diff --git a/charts/argo-cd/templates/argocd-repo-server/clusterrole.yaml b/charts/argo-cd/templates/argocd-repo-server/clusterrole.yaml index e6efa08a..23439b18 100644 --- a/charts/argo-cd/templates/argocd-repo-server/clusterrole.yaml +++ b/charts/argo-cd/templates/argocd-repo-server/clusterrole.yaml @@ -1,4 +1,4 @@ -{{- if .Values.createClusterRoles }} +{{- if and .Values.createClusterRoles .Values.repoServer.clusterRoleRules.enabled }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -6,8 +6,8 @@ metadata: labels: {{- include "argo-cd.labels" (dict "context" . "component" .Values.repoServer.name "name" .Values.repoServer.name) | nindent 4 }} rules: - {{- if .Values.repoServer.clusterRoleRules.enabled }} - {{- toYaml .Values.repoServer.clusterRoleRules.rules | nindent 2 }} + {{- with .Values.repoServer.clusterRoleRules.rules }} + {{- toYaml . | nindent 2 }} {{- else }} - apiGroups: - '*' diff --git a/charts/argo-cd/templates/argocd-repo-server/clusterrolebinding.yaml b/charts/argo-cd/templates/argocd-repo-server/clusterrolebinding.yaml index f15b1cec..8531520c 100644 --- a/charts/argo-cd/templates/argocd-repo-server/clusterrolebinding.yaml +++ b/charts/argo-cd/templates/argocd-repo-server/clusterrolebinding.yaml @@ -1,4 +1,4 @@ -{{- if .Values.createClusterRoles }} +{{- if and .Values.createClusterRoles .Values.repoServer.clusterRoleRules.enabled }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: