chore(argo-cd): Remove deprecated features and redesign Ingress (#2407)

* chore(argo-cd): Remove deprecated features Signed-off-by: Petr Drastil <petr.drastil@gmail.com> * Remove wildcard catch all ingress rule Signed-off-by: Petr Drastil <petr.drastil@gmail.com> * Add ingress extra rules Signed-off-by: Petr Drastil <petr.drastil@gmail.com> * Remove unnecessary ingress variables Signed-off-by: Petr Drastil <petr.drastil@gmail.com> * Improve documentation Signed-off-by: Petr Drastil <petr.drastil@gmail.com> * Replace ingress paths and hosts with single backend service Signed-off-by: Petr Drastil <petr.drastil@gmail.com> * Use only port number to support all ingress controllers Signed-off-by: Petr Drastil <petr.drastil@gmail.com> * Minor gRPC fixes Signed-off-by: Petr Drastil <petr.drastil@gmail.com> * Simplify TLS configuration Signed-off-by: Petr Drastil <petr.drastil@gmail.com> * Decouple AWS and GKE ALB from generic ingress Signed-off-by: Petr Drastil <petr.drastil@gmail.com> * Remove map nesting for ApplicationSet ingress Signed-off-by: Petr Drastil <petr.drastil@gmail.com> * Use example.com domain Signed-off-by: Petr Drastil <petr.drastil@gmail.com> * Remove fallback for argocd-cm checksum annotation Signed-off-by: Petr Drastil <petr.drastil@gmail.com> * Add revisionHistoryLimit for controller Signed-off-by: Petr Drastil <petr.drastil@gmail.com> * Update README Signed-off-by: Petr Drastil <petr.drastil@gmail.com> * Update README Signed-off-by: Petr Drastil <petr.drastil@gmail.com> --------- Signed-off-by: Petr Drastil <petr.drastil@gmail.com>
2024-02-07 22:40:05 +01:00 · 2024-02-07 22:40:05 +01:00 · b8212e0b30
commit b8212e0b30
parent 0b79f5e5c1
33 changed files with 685 additions and 634 deletions
--- a/charts/argo-cd/Chart.yaml
+++ b/charts/argo-cd/Chart.yaml
@ -3,7 +3,7 @@ appVersion: v2.10.0
 kubeVersion: ">=1.23.0-0"
 description: A Helm chart for Argo CD, a declarative, GitOps continuous delivery tool for Kubernetes.
 name: argo-cd
-version: 5.55.0
+version: 6.0.0
 home: https://github.com/argoproj/argo-helm
 icon: https://argo-cd.readthedocs.io/en/stable/assets/logo.png
 sources:
@ -26,5 +26,13 @@ annotations:
    fingerprint: 2B8F22F57260EFA67BE1C5824B11F800CD9D2252
    url: https://argoproj.github.io/argo-helm/pgp_keys.asc
  artifacthub.io/changes: |
    - kind: removed
      description: Support for deprecated features
    - kind: removed
      description: Wildcard catch all ingress rule
    - kind: added
      description: Ingress extra rules to allow custom ingress custom rules
    - kind: added
      description: Dedicated ingress implementation for AWS and GKE Application Load Balancers
    - kind: changed
-      description: Upgrade argo-cd to v2.10.0
+      description: Support for multiple ingress hosts and paths refactored into `extraHosts` and `extraPaths`
--- a/charts/argo-cd/README.md
+++ b/charts/argo-cd/README.md
@ -105,15 +105,84 @@ For full list of changes please check ArtifactHub [changelog].
 Highlighted versions provide information about additional steps that should be performed by user when upgrading to newer version.
 ### 6.0.0
 This version **removes support for**:
 * deprecated component options `logLevel` and `logFormat`
 * deprecated component arguments `<components>.args.<feature>` that were replaced with `configs.params`
 * deprecated configuration `server.config` that was replaced with `configs.cm`
 * deprecated configuration `server.rbacConfig` that was replaced with `configs.rbac`
 Major version also contains breaking **changes related to Argo CD Ingress** resources that were hard to extend and maintain for various ingress controller implementations.
 Please review your setup and adjust to new configuration options:
 * catch all rule was removed for security reasons. If you need this please use `server.ingress.extraRules` to provide ingress rule without hostname
 * ingress rule for `paths` changed to `path` as there is only single Argo CD backend path
 * ingress rule for `hosts` changed to `hostname` as there can be only single SSO redirect for given hostname
 * ingress TLS for server uses by default `argocd-server-tls` secret required by Argo CD server, additional ingresses are using `<hostname>-tls` secret when `tls: true`
 * additional hostnames and routing can be provided via `extraHosts` configuration section
 * additional TLS secrets can be provided via `extraTls` configuration section
 Specific ingress implementations for cloud providers were decoupled from generic ingress resource.
 To configure AWS Application Load Balancer:
 ```yaml
 server:
  ingress:
    enabled: true
    controller: aws
    annotations:
      alb.ingress.kubernetes.io/backend-protocol: HTTPS
      alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}]'
    aws:
      backendProtocolVersion: HTTP2
      serviceType: NodePort
 ```
 To configure GKE Application Load Balancer:
 ```yaml
 configs:
  params:
    "server.insecure": true
 server:
  service:
    annotations:
      cloud.google.com/neg: '{"ingress": true}'
      cloud.google.com/backend-config: '{"ports": {"http":"argocd-server"}}'
  ingress:
    enabled: true
    controller: gke
    gke:
      backendConfig:
        healthCheck:
          checkIntervalSec: 30
          timeoutSec: 5
          healthyThreshold: 1
          unhealthyThreshold: 2
          type: HTTP
          requestPath: /healthz
          port: 8080
      frontendConfig:
        redirectToHttps:
          enabled: true 
 ```
 ### 5.53.0
 Argocd-repo-server can now optionally use Persistent Volumes for its mountpoints instead of only emptydir()
 ### 5.52.0
 Because [Argo CD Extensions] is now deprecated and no further changes will be made, we switched to [Argo CD Extension Installer], adding an Argo CD Extension Installer to init-container in the Argo CD API server.
 If you used old mechanism, please move to new mechanism. For more details, please refer `.Values.server.extensions` in values.yaml.
 ### 5.35.0
 This version supports Kubernetes version `>=1.23.0-0`. The current supported version of Kubernetes is v1.24 or later and we align with the Amazon EKS calendar, because many AWS users follow a conservative approach.
 Please see more information about EoL: [Amazon EKS EoL][EKS EoL].
@ -399,7 +468,7 @@ NAME: my-release
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
-| apiVersionOverrides.cloudgoogle | string | `""` | String to override apiVersion of GKE resources rendered by this helm chart |
+| apiVersionOverrides | object | `{}` |  |
 | crds.additionalLabels | object | `{}` | Addtional labels to be added to all CRDs |
 | crds.annotations | object | `{}` | Annotations to be added to all CRDs |
 | crds.install | bool | `true` | Install and upgrade CRDs |
@ -516,7 +585,6 @@ NAME: my-release
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | controller.affinity | object | `{}` (defaults to global.affinity preset) | Assign custom [affinity] rules to the deployment |
 | controller.args | object | `{}` | DEPRECATED - Application controller commandline flags |
 | controller.clusterRoleRules.enabled | bool | `false` | Enable custom rules for the application controller's ClusterRole resource |
 | controller.clusterRoleRules.rules | list | `[]` | List of custom rules for the application controller's ClusterRole resource |
 | controller.containerPorts.metrics | int | `8082` | Metrics container port |
@ -575,6 +643,7 @@ NAME: my-release
 | controller.readinessProbe.timeoutSeconds | int | `1` | Number of seconds after which the [probe] times out |
 | controller.replicas | int | `1` | The number of application controller pods to run. Additional replicas will cause sharding of managed clusters across number of replicas. |
 | controller.resources | object | `{}` | Resource limits and requests for the application controller pods |
 | controller.revisionHistoryLimit | int | `5` | Maximum number of controller revisions that will be maintained in StatefulSet history |
 | controller.serviceAccount.annotations | object | `{}` | Annotations applied to created service account |
 | controller.serviceAccount.automountServiceAccountToken | bool | `true` | Automount API credentials for the Service Account |
 | controller.serviceAccount.create | bool | `true` | Create a service account for the application controller |
@ -686,12 +755,6 @@ NAME: my-release
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | server.GKEbackendConfig.enabled | bool | `false` | Enable BackendConfig custom resource for Google Kubernetes Engine |
 | server.GKEbackendConfig.spec | object | `{}` | [BackendConfigSpec] |
 | server.GKEfrontendConfig.enabled | bool | `false` | Enable FrontConfig custom resource for Google Kubernetes Engine |
 | server.GKEfrontendConfig.spec | object | `{}` | [FrontendConfigSpec] |
 | server.GKEmanagedCertificate.domains | list | `["argocd.example.com"]` | Domains for the Google Managed Certificate |
 | server.GKEmanagedCertificate.enabled | bool | `false` | Enable ManagedCertificate custom resource for Google Kubernetes Engine. |
 | server.affinity | object | `{}` (defaults to global.affinity preset) | Assign custom [affinity] rules to the deployment |
 | server.autoscaling.behavior | object | `{}` | Configures the scaling behavior of the target in both Up and Down directions. |
 | server.autoscaling.enabled | bool | `false` | Enable Horizontal Pod Autoscaler ([HPA]) for the Argo CD server |
@ -744,28 +807,37 @@ NAME: my-release
 | server.image.tag | string | `""` (defaults to global.image.tag) | Tag to use for the Argo CD server |
 | server.imagePullSecrets | list | `[]` (defaults to global.imagePullSecrets) | Secrets with credentials to pull images from a private registry |
 | server.ingress.annotations | object | `{}` | Additional ingress annotations |
 | server.ingress.aws.backendProtocolVersion | string | `"HTTP2"` | Backend protocol version for the AWS ALB gRPC service |
 | server.ingress.aws.serviceType | string | `"NodePort"` | Service type for the AWS ALB gRPC service |
 | server.ingress.controller | string | `"generic"` | Specific implementation for ingress controller. One of `generic`, `aws` or `gke` |
 | server.ingress.enabled | bool | `false` | Enable an ingress resource for the Argo CD server |
-| server.ingress.extraPaths | list | `[]` | Additional ingress paths |
+| server.ingress.extraHosts | list | `[]` (See [values.yaml]) | The list of additional hostnames to be covered by ingress record |
-| server.ingress.hosts | list | `[]` | List of ingress hosts |
+| server.ingress.extraPaths | list | `[]` (See [values.yaml]) | Additional ingress paths |
-| server.ingress.https | bool | `false` | Uses `server.service.servicePortHttps` instead `server.service.servicePortHttp` |
+| server.ingress.extraRules | list | `[]` (See [values.yaml]) | Additional ingress rules |
 | server.ingress.extraTls | list | `[]` (See [values.yaml]) | Additional TLS configuration |
 | server.ingress.gke.backendConfig | object | `{}` (See [values.yaml]) | Google [BackendConfig] resource, for use with the GKE Ingress Controller |
 | server.ingress.gke.frontendConfig | object | `{}` (See [values.yaml]) | Google [FrontendConfig] resource, for use with the GKE Ingress Controller |
 | server.ingress.gke.managedCertificate.create | bool | `true` | Create ManagedCertificate resource and annotations for Google Load balancer |
 | server.ingress.gke.managedCertificate.extraDomains | list | `[]` | Additional domains for ManagedCertificate resource |
 | server.ingress.hostname | string | `"argocd.example.com"` | Argo CD server hostname |
 | server.ingress.ingressClassName | string | `""` | Defines which ingress controller will implement the resource |
 | server.ingress.labels | object | `{}` | Additional ingress labels |
 | server.ingress.path | string | `"/"` | The path to Argo CD server |
 | server.ingress.pathType | string | `"Prefix"` | Ingress path type. One of `Exact`, `Prefix` or `ImplementationSpecific` |
-| server.ingress.paths | list | `["/"]` | List of ingress paths |
+| server.ingress.tls | bool | `false` | Enable TLS configuration for the hostname defined at `server.ingress.hostname` |
 | server.ingress.tls | list | `[]` | Ingress TLS configuration |
 | server.ingressGrpc.annotations | object | `{}` | Additional ingress annotations for dedicated [gRPC-ingress] |
 | server.ingressGrpc.awsALB.backendProtocolVersion | string | `"HTTP2"` | Backend protocol version for the AWS ALB gRPC service |
 | server.ingressGrpc.awsALB.serviceType | string | `"NodePort"` | Service type for the AWS ALB gRPC service |
 | server.ingressGrpc.enabled | bool | `false` | Enable an ingress resource for the Argo CD server for dedicated [gRPC-ingress] |
-| server.ingressGrpc.extraPaths | list | `[]` | Additional ingress paths for dedicated [gRPC-ingress] |
+| server.ingressGrpc.extraHosts | list | `[]` (See [values.yaml]) | The list of additional hostnames to be covered by ingress record |
-| server.ingressGrpc.hosts | list | `[]` | List of ingress hosts for dedicated [gRPC-ingress] |
+| server.ingressGrpc.extraPaths | list | `[]` (See [values.yaml]) | Additional ingress paths for dedicated [gRPC-ingress] |
-| server.ingressGrpc.https | bool | `false` | Uses `server.service.servicePortHttps` instead `server.service.servicePortHttp` |
+| server.ingressGrpc.extraRules | list | `[]` (See [values.yaml]) | Additional ingress rules |
 | server.ingressGrpc.extraTls | list | `[]` (See [values.yaml]) | Additional TLS configuration for dedicated [gRPC-ingress] |
 | server.ingressGrpc.hostname | string | `""` | Argo CD server hostname for dedicated [gRPC-ingress] |
 | server.ingressGrpc.ingressClassName | string | `""` | Defines which ingress controller will implement the resource [gRPC-ingress] |
 | server.ingressGrpc.isAWSALB | bool | `false` | Setup up gRPC ingress to work with an AWS ALB |
 | server.ingressGrpc.labels | object | `{}` | Additional ingress labels for dedicated [gRPC-ingress] |
 | server.ingressGrpc.path | string | `"/"` | Argo CD server ingress path for dedicated [gRPC-ingress] |
 | server.ingressGrpc.pathType | string | `"Prefix"` | Ingress path type for dedicated [gRPC-ingress]. One of `Exact`, `Prefix` or `ImplementationSpecific` |
-| server.ingressGrpc.paths | list | `["/"]` | List of ingress paths for dedicated [gRPC-ingress] |
+| server.ingressGrpc.tls | bool | `false` | Enable TLS configuration for the hostname defined at `server.ingressGrpc.hostname` |
 | server.ingressGrpc.tls | list | `[]` | Ingress TLS configuration for dedicated [gRPC-ingress] |
 | server.initContainers | list | `[]` | Init containers to add to the server pod |
 | server.lifecycle | object | `{}` | Specify postStart and preStop lifecycle hooks for your argo-cd-server container |
 | server.livenessProbe.failureThreshold | int | `3` | Minimum consecutive failures for the [probe] to be considered failed after having succeeded |
@ -1101,7 +1173,6 @@ If you want to use an existing Redis (eg. a managed service from a cloud provide
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | applicationSet.affinity | object | `{}` (defaults to global.affinity preset) | Assign custom [affinity] rules |
 | applicationSet.args | object | `{}` | DEPRECATED - ApplicationSet controller command line flags |
 | applicationSet.certificate.additionalHosts | list | `[]` | Certificate Subject Alternate Names (SANs) |
 | applicationSet.certificate.annotations | object | `{}` | Annotations to be applied to the ApplicationSet Certificate |
 | applicationSet.certificate.domain | string | `"argocd.example.com"` | Certificate primary domain (commonName) |
@ -1125,7 +1196,7 @@ If you want to use an existing Redis (eg. a managed service from a cloud provide
 | applicationSet.dnsConfig | object | `{}` | [DNS configuration] |
 | applicationSet.dnsPolicy | string | `"ClusterFirst"` | Alternative DNS policy for ApplicationSet controller pods |
 | applicationSet.enabled | bool | `true` | Enable ApplicationSet controller |
-| applicationSet.extraArgs | list | `[]` | List of extra cli args to add |
+| applicationSet.extraArgs | list | `[]` | ApplicationSet controller command line flags |
 | applicationSet.extraContainers | list | `[]` | Additional containers to be added to the ApplicationSet controller pod |
 | applicationSet.extraEnv | list | `[]` | Environment variables to pass to the ApplicationSet controller |
 | applicationSet.extraEnvFrom | list | `[]` (See [values.yaml]) | envFrom to pass to the ApplicationSet controller |
@ -1135,6 +1206,18 @@ If you want to use an existing Redis (eg. a managed service from a cloud provide
 | applicationSet.image.repository | string | `""` (defaults to global.image.repository) | Repository to use for the ApplicationSet controller |
 | applicationSet.image.tag | string | `""` (defaults to global.image.tag) | Tag to use for the ApplicationSet controller |
 | applicationSet.imagePullSecrets | list | `[]` (defaults to global.imagePullSecrets) | If defined, uses a Secret to pull an image from a private Docker registry or repository. |
 | applicationSet.ingress.annotations | object | `{}` | Additional ingress annotations |
 | applicationSet.ingress.enabled | bool | `false` | Enable an ingress resource for ApplicationSet webhook |
 | applicationSet.ingress.extraHosts | list | `[]` (See [values.yaml]) | The list of additional hostnames to be covered by ingress record |
 | applicationSet.ingress.extraPaths | list | `[]` (See [values.yaml]) | Additional ingress paths |
 | applicationSet.ingress.extraRules | list | `[]` (See [values.yaml]) | Additional ingress rules |
 | applicationSet.ingress.extraTls | list | `[]` (See [values.yaml]) | Additional ingress TLS configuration |
 | applicationSet.ingress.hostname | string | `"argocd.example.com"` | Argo CD ApplicationSet hostname |
 | applicationSet.ingress.ingressClassName | string | `""` | Defines which ingress ApplicationSet controller will implement the resource |
 | applicationSet.ingress.labels | object | `{}` | Additional ingress labels |
 | applicationSet.ingress.path | string | `"/api/webhook"` | List of ingress paths |
 | applicationSet.ingress.pathType | string | `"Prefix"` | Ingress path type. One of `Exact`, `Prefix` or `ImplementationSpecific` |
 | applicationSet.ingress.tls | bool | `false` | Enable TLS configuration for the hostname defined at `applicationSet.webhook.ingress.hostname` |
 | applicationSet.initContainers | list | `[]` | Init containers to add to the ApplicationSet controller pod |
 | applicationSet.livenessProbe.enabled | bool | `false` | Enable Kubernetes liveness probe for ApplicationSet controller |
 | applicationSet.livenessProbe.failureThreshold | int | `3` | Minimum consecutive failures for the [probe] to be considered failed after having succeeded |
@ -1190,15 +1273,6 @@ If you want to use an existing Redis (eg. a managed service from a cloud provide
 | applicationSet.terminationGracePeriodSeconds | int | `30` | terminationGracePeriodSeconds for container lifecycle hook |
 | applicationSet.tolerations | list | `[]` (defaults to global.tolerations) | [Tolerations] for use with node taints |
 | applicationSet.topologySpreadConstraints | list | `[]` (defaults to global.topologySpreadConstraints) | Assign custom [TopologySpreadConstraints] rules to the ApplicationSet controller |
 | applicationSet.webhook.ingress.annotations | object | `{}` | Additional ingress annotations |
 | applicationSet.webhook.ingress.enabled | bool | `false` | Enable an ingress resource for Webhooks |
 | applicationSet.webhook.ingress.extraPaths | list | `[]` | Additional ingress paths |
 | applicationSet.webhook.ingress.hosts | list | `[]` | List of ingress hosts |
 | applicationSet.webhook.ingress.ingressClassName | string | `""` | Defines which ingress ApplicationSet controller will implement the resource |
 | applicationSet.webhook.ingress.labels | object | `{}` | Additional ingress labels |
 | applicationSet.webhook.ingress.pathType | string | `"Prefix"` | Ingress path type. One of `Exact`, `Prefix` or `ImplementationSpecific` |
 | applicationSet.webhook.ingress.paths | list | `["/api/webhook"]` | List of ingress paths |
 | applicationSet.webhook.ingress.tls | list | `[]` | Ingress TLS configuration |
 ## Notifications
--- a/charts/argo-cd/README.md.gotmpl
+++ b/charts/argo-cd/README.md.gotmpl
@ -104,15 +104,84 @@ For full list of changes please check ArtifactHub [changelog].
 Highlighted versions provide information about additional steps that should be performed by user when upgrading to newer version.
 ### 6.0.0
 This version **removes support for**:
 * deprecated component options `logLevel` and `logFormat`
 * deprecated component arguments `<components>.args.<feature>` that were replaced with `configs.params`
 * deprecated configuration `server.config` that was replaced with `configs.cm`
 * deprecated configuration `server.rbacConfig` that was replaced with `configs.rbac`
 Major version also contains breaking **changes related to Argo CD Ingress** resources that were hard to extend and maintain for various ingress controller implementations.
 Please review your setup and adjust to new configuration options:
 * catch all rule was removed for security reasons. If you need this please use `server.ingress.extraRules` to provide ingress rule without hostname
 * ingress rule for `paths` changed to `path` as there is only single Argo CD backend path
 * ingress rule for `hosts` changed to `hostname` as there can be only single SSO redirect for given hostname
 * ingress TLS for server uses by default `argocd-server-tls` secret required by Argo CD server, additional ingresses are using `<hostname>-tls` secret when `tls: true`
 * additional hostnames and routing can be provided via `extraHosts` configuration section
 * additional TLS secrets can be provided via `extraTls` configuration section
 Specific ingress implementations for cloud providers were decoupled from generic ingress resource.
 To configure AWS Application Load Balancer:
 ```yaml
 server:
  ingress:
    enabled: true
    controller: aws
    annotations:
      alb.ingress.kubernetes.io/backend-protocol: HTTPS
      alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}]'
    aws:
      backendProtocolVersion: HTTP2
      serviceType: NodePort
 ```
 To configure GKE Application Load Balancer:
 ```yaml
 configs:
  params:
    "server.insecure": true
 server:
  service:
    annotations:
      cloud.google.com/neg: '{"ingress": true}'
      cloud.google.com/backend-config: '{"ports": {"http":"argocd-server"}}'
  ingress:
    enabled: true
    controller: gke
    gke:
      backendConfig:
        healthCheck:
          checkIntervalSec: 30
          timeoutSec: 5
          healthyThreshold: 1
          unhealthyThreshold: 2
          type: HTTP
          requestPath: /healthz
          port: 8080
      frontendConfig:
        redirectToHttps:
          enabled: true  
 ```
 ### 5.53.0
 Argocd-repo-server can now optionally use Persistent Volumes for its mountpoints instead of only emptydir()
 ### 5.52.0
 Because [Argo CD Extensions] is now deprecated and no further changes will be made, we switched to [Argo CD Extension Installer], adding an Argo CD Extension Installer to init-container in the Argo CD API server.
 If you used old mechanism, please move to new mechanism. For more details, please refer `.Values.server.extensions` in values.yaml.
 ### 5.35.0
 This version supports Kubernetes version `>=1.23.0-0`. The current supported version of Kubernetes is v1.24 or later and we align with the Amazon EKS calendar, because many AWS users follow a conservative approach.
 Please see more information about EoL: [Amazon EKS EoL][EKS EoL].
--- a/charts/argo-cd/templates/NOTES.txt
+++ b/charts/argo-cd/templates/NOTES.txt
@ -1,133 +1,3 @@
 {{- if .Values.controller.args.statusProcessors }}
 DEPRECATED option controller.args.statusProcessors - Use configs.params.controller.status.processors
 {{- end }}
 {{- if .Values.controller.args.operationProcessors }}
 DEPRECATED option controller.args.operationProcessors - Use configs.params.controller.operation.processors
 {{- end }}
 {{- if .Values.controller.args.appResyncPeriod }}
 DEPRECATED option controller.args.appResyncPeriod - Use server.config.timeout.reconciliation
 {{- end }}
 {{- if .Values.controller.args.appHardResyncPeriod }}
 DEPRECATED option controller.args.appHardResyncPeriod - Use server.config.timeout.hard.reconciliation
 {{- end }}
 {{- if .Values.controller.args.selfHealTimeout }}
 DEPRECATED option controller.args.selfHealTimeout -  Use configs.params.controller.self.heal.timeout.seconds
 {{- end }}
 {{- if .Values.controller.args.repoServerTimeoutSeconds }}
 DEPRECATED option controller.args.repoServerTimeoutSeconds - Use configs.params.controller.repo.server.timeout.seconds
 {{- end }}
 {{- if .Values.controller.logFormat }}
 DEPRECATED option controller.logFormat - Use configs.params.controller.log.format
 {{- end }}
 {{- if .Values.controller.logLevel }}
 DEPRECATED option controller.logLevel - Use configs.params.controller.log.level
 {{- end }}
 {{- if .Values.server.logFormat }}
 DEPRECATED option server.logFormat - Use configs.params.server.log.format
 {{- end }}
 {{- if .Values.server.logLevel }}
 DEPRECATED option server.logLevel - Use configs.params.server.log.level
 {{- end }}
 {{- if has "--insecure" .Values.server.extraArgs }}
 DEPRECATED option server.extraArgs."--insecure" - Use configs.params.server.insecure
 {{- end }}
 {{- if .Values.repoServer.logFormat }}
 DEPRECATED option repoServer.logFormat - Use configs.params.repoServer.log.format
 {{- end }}
 {{- if .Values.repoServer.logLevel }}
 DEPRECATED option repoServer.logLevel - Use configs.params.repoServer.log.level
 {{- end }}
 {{- if or .Values.server.config (hasKey .Values.server "configEnabled") .Values.server.configAnnotations }}
 DEPRECATED option server.config - Use configs.cm
 {{- end }}
 {{- if or .Values.server.rbacConfig (hasKey .Values.server "rbacConfigCreate") .Values.server.rbacConfigAnnotations }}
 DEPRECATED option server.rbacConfig - Use configs.rbac
 {{- end }}
 {{- if .Values.configs.secret.argocdServerTlsConfig }}
 DEPRECATED option config.secret.argocdServerTlsConfig - Use server.certificate or server.certificateSecret
 {{- end }}
 {{- if .Values.configs.gpgKeys }}
 DEPRECATED option configs.gpgKeys - Use config.gpg.keys
 {{- end }}
 {{- if .Values.configs.gpgKeysAnnotations }}
 DEPRECATED option configs.gpgKeysAnnotations - Use config.gpg.annotations
 {{- end }}
 {{- if hasKey (.Values.controller.clusterAdminAccess | default dict) "enabled" }}
 DEPRECATED option .controller.clusterAdminAccess.enabled - Use createClusterRoles
 {{- end }}
 {{- if hasKey (.Values.server.clusterAdminAccess | default dict) "enabled" }}
 DEPRECATED option .server.clusterAdminAccess.enabled - Use createClusterRoles
 {{- end }}
 {{- if hasKey (.Values.repoServer.clusterAdminAccess | default dict) "enabled" }}
 DEPRECATED option .server.clusterAdminAccess.enabled - Use createClusterRoles
 {{- end }}
 {{- if .Values.configs.knownHostsAnnotations }}
 DEPRECATED option configs.knownHostsAnnotations - Use configs.ssh.annotations
 {{- end }}
 {{- if hasKey .Values.configs "knownHosts" }}
 DEPRECATED option configs.knownHosts.data.ssh_known_hosts - Use configs.ssh.knownHosts
 {{- end }}
 {{- if .Values.configs.tlsCertsAnnotations }}
 DEPRECATED option configs.tlsCertsAnnotations - Use configs.tls.annotations
 {{- end }}
 {{- if hasKey .Values.configs "tlsCerts" }}
 DEPRECATED option configs.tlsCerts.data - Use configs.tls.certificates
 {{- end }}
 {{- if .Values.applicationSet.replicaCount }}
 DEPRECATED option applicationSet.replicaCount - Use applicationSet.replicas
 {{- end }}
 {{- if .Values.applicationSet.logFormat }}
 DEPRECATED option applicationSet.logFormat - Use configs.params.applicationsetcontroller.log.format
 {{- end }}
 {{- if .Values.applicationSet.logLevel }}
 DEPRECATED option applicationSet.logLevel - Use configs.params.applicationsetcontroller.log.level
 {{- end }}
 {{- if .Values.applicationSet.args.policy }}
 DEPRECATED option applicationSet.args.policy - Use configs.params.applicationsetcontroller.policy
 {{- end }}
 {{- if .Values.applicationSet.args.dryRun }}
 DEPRECATED option applicationSet.args.dryRun - Use configs.params.applicationsetcontroller.dryRun
 {{- end }}
 {{- if .Values.controller.service }}
 REMOVED option controller.service - Use controller.metrics
 {{- end }}
 {{- if .Values.repoServer.copyutil }}
 REMOVED option repoSever.copyutil.resources - Use repoServer.resources
 {{- end }}
 {{- if .Values.applicationSet.args.debug }}
 REMOVED option applicationSet.args.debug - Use applicationSet.logLevel: debug
 {{- end }}
 {{- if .Values.applicationSet.args.enableLeaderElection }}
 REMOVED option applicationSet.args.enableLeaderElection - Value determined based on replicas
 {{- end }}
 {{- if .Values.controller.containerPort }}
 REMOVED option controller.containerPort - Use controller.containerPorts
 {{- end }}
 {{- if .Values.server.containerPort }}
 REMOVED option server.containerPort - Use server.containerPorts
 {{- end }}
 {{- if .Values.repoServer.containerPort }}
 REMOVED option repoServer.containerPort - Use repoServer.containerPorts
 {{- end }}
 {{- if .Values.applicationSet.args.metricsAddr }}
 REMOVED option applicationSet.args.metricsAddr - Use applicationSet.containerPorts
 {{- end }}
 {{- if .Values.applicationSet.args.probeBindAddr }}
 REMOVED option applicationSet.args.probeBindAddr - Use applicationSet.containerPorts
 {{- end }}
 {{- if .Values.redis.containerPort }}
 REMOVED option redis.containerPort - Use redis.containerPorts
 {{- end }}
 {{- if .Values.redis.metrics.containerPort }}
 REMOVED option redis.metrics.containerPort - Use redis.containerPorts
 {{- end }}
 {{- if .Values.apiVersionOverrides.autoscaling }}
 REMOVED option apiVersionOverrides.autoscaling - API autoscaling/v2 is GA from 1.23
 {{- end }}
 {{- if .Values.apiVersionOverrides.certmanager }}
 REMOVED option apiVersionOverrides.certmanager - API v1 is only possible option after K8s 1.22
 {{- end }}
 In order to access the server UI you have the following options:
 1. kubectl port-forward service/{{ include "argo-cd.fullname" . }}-server -n {{ .Release.Namespace }} 8080:443
@ -139,7 +9,7 @@ In order to access the server UI you have the following options:
      - Set the `configs.params."server.insecure"` in the values file and terminate SSL at your ingress: https://argo-cd.readthedocs.io/en/stable/operator-manual/ingress/#option-2-multiple-ingress-objects-and-hosts
-{{ if eq (toString (index (coalesce .Values.server.config .Values.configs.cm) "admin.enabled")) "true" -}}
+{{ if eq (toString (index .Values.configs.cm "admin.enabled")) "true" -}}
 After reaching the UI the first time you can login with username: admin and the random password generated during the installation. You can find the password by running:
 kubectl -n {{ .Release.Namespace }} get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d
--- a/charts/argo-cd/templates/_helpers.tpl
+++ b/charts/argo-cd/templates/_helpers.tpl
@ -173,7 +173,7 @@ Argo Configuration Preset Values (Incluenced by Values configuration)
 Merge Argo Configuration with Preset Configuration
 */}}
 {{- define "argo-cd.config.cm" -}}
-{{- $config := (mergeOverwrite (deepCopy (omit .Values.configs.cm "create" "annotations")) (.Values.server.config | default dict))  -}}
+{{- $config := omit .Values.configs.cm "create" "annotations" -}}
 {{- $preset := include "argo-cd.config.cm.presets" . | fromYaml | default dict -}}
 {{- range $key, $value := mergeOverwrite $preset $config }}
 {{- $fmted := $value | toString }}
--- a/charts/argo-cd/templates/_versions.tpl
+++ b/charts/argo-cd/templates/_versions.tpl
@ -5,16 +5,3 @@ Return the target Kubernetes version
 {{- define "argo-cd.kubeVersion" -}}
 {{- default .Capabilities.KubeVersion.Version .Values.kubeVersionOverride }}
 {{- end }}
 {{/*
 Return the appropriate apiVersion for GKE resources
 */}}
 {{- define "argo-cd.apiVersions.cloudgoogle" -}}
 {{- if .Values.apiVersionOverrides.cloudgoogle -}}
 {{- print .Values.apiVersionOverrides.cloudgoogle -}}
 {{- else if .Capabilities.APIVersions.Has "cloud.google.com/v1" -}}
 {{- print "cloud.google.com/v1" -}}
 {{- else -}}
 {{- print "cloud.google.com/v1beta1" -}}
 {{- end -}}
 {{- end -}}
--- a/charts/argo-cd/templates/argocd-application-controller/clusterrole.yaml
+++ b/charts/argo-cd/templates/argocd-application-controller/clusterrole.yaml
@ -1,5 +1,4 @@
-{{- $config := .Values.controller.clusterAdminAccess | default dict -}}
+{{- if .Values.createClusterRoles }}
 {{- if hasKey $config "enabled" | ternary $config.enabled .Values.createClusterRoles }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
--- a/charts/argo-cd/templates/argocd-application-controller/clusterrolebinding.yaml
+++ b/charts/argo-cd/templates/argocd-application-controller/clusterrolebinding.yaml
@ -1,5 +1,4 @@
-{{- $config := .Values.controller.clusterAdminAccess | default dict -}}
+{{- if .Values.createClusterRoles }}
 {{- if hasKey $config "enabled" | ternary $config.enabled .Values.createClusterRoles }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
--- a/charts/argo-cd/templates/argocd-application-controller/statefulset.yaml
+++ b/charts/argo-cd/templates/argocd-application-controller/statefulset.yaml
@ -13,8 +13,7 @@ metadata:
    {{- include "argo-cd.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }}
 spec:
  replicas: {{ .Values.controller.replicas }}
-  # TODO: Remove for breaking release as history limit cannot be patched
+  revisionHistoryLimit: {{ .Values.controller.revisionHistoryLimit | default .Values.global.revisionHistoryLimit }}
  revisionHistoryLimit: 5
  serviceName: {{ include "argo-cd.controller.fullname" . }}
  selector:
    matchLabels:
@ -66,38 +65,6 @@ spec:
        - {{ . }}
        {{- end }}
        {{- end }}
        {{- with .Values.controller.args.statusProcessors }}
        - --status-processors
        - {{ . | quote }}
        {{- end }}
        {{- with .Values.controller.args.operationProcessors }}
        - --operation-processors
        - {{ . | quote }}
        {{- end }}
        {{- with .Values.controller.args.appResyncPeriod }}
        - --app-resync
        - {{ . | quote }}
        {{- end }}
        {{- with .Values.controller.args.appHardResyncPeriod }}
        - --app-hard-resync
        - {{ . | quote }}
        {{- end }}
        {{- with .Values.controller.args.selfHealTimeout }}
        - --self-heal-timeout-seconds
        - {{ . | quote }}
        {{- end }}
        {{- with .Values.controller.args.repoServerTimeoutSeconds }}
        - --repo-server-timeout-seconds
        - {{ . | quote }}
        {{- end }}
        {{- with .Values.controller.logFormat }}
        - --logformat
        - {{ . | quote }}
        {{- end }}
        {{- with .Values.controller.logLevel }}
        - --loglevel
        - {{ . | quote }}
        {{- end }}
        {{- with .Values.controller.extraArgs }}
          {{- toYaml . | nindent 8 }}
        {{- end }}
--- a/charts/argo-cd/templates/argocd-applicationset/deployment.yaml
+++ b/charts/argo-cd/templates/argocd-applicationset/deployment.yaml
@ -17,7 +17,7 @@ spec:
  strategy:
    {{- trim . | nindent 4 }}
  {{- end }}
-  replicas: {{ .Values.applicationSet.replicas | default .Values.applicationSet.replicaCount }}
+  replicas: {{ .Values.applicationSet.replicas }}
  revisionHistoryLimit: {{ .Values.global.revisionHistoryLimit }}
  selector:
    matchLabels:
@ -65,20 +65,6 @@ spec:
            - --metrics-addr=:{{ .Values.applicationSet.containerPorts.metrics }}
            - --probe-addr=:{{ .Values.applicationSet.containerPorts.probe }}
            - --webhook-addr=:{{ .Values.applicationSet.containerPorts.webhook }}
            {{- with .Values.applicationSet.args.policy }}
            - --policy={{ . }}
            {{- end }}
            {{- with .Values.applicationSet.args.dryRun }}
            - --dry-run={{ . }}
            {{- end }}
            {{- with .Values.applicationSet.logFormat }}
            - --logformat
            - {{ . }}
            {{- end }}
            {{- with .Values.applicationSet.logLevel }}
            - --loglevel
            - {{ . }}
            {{- end }}
            {{- with .Values.applicationSet.extraArgs }}
              {{- toYaml . | nindent 12 }}
            {{- end }}
--- a/charts/argo-cd/templates/argocd-applicationset/ingress.yaml
+++ b/charts/argo-cd/templates/argocd-applicationset/ingress.yaml
@ -0,0 +1,64 @@
 {{- if and .Values.applicationSet.enabled .Values.applicationSet.ingress.enabled -}}
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  name: {{ include "argo-cd.applicationSet.fullname" . }}
  namespace: {{ .Release.Namespace | quote }}
  labels:
    {{- include "argo-cd.labels" (dict "context" . "component" .Values.applicationSet.name "name" .Values.applicationSet.name) | nindent 4 }}
    {{- with .Values.applicationSet.ingress.labels }}
      {{- toYaml . | nindent 4 }}
    {{- end }}
  {{- with .Values.applicationSet.ingress.annotations }}
  annotations:
    {{- range $key, $value := . }}
    {{ $key }}: {{ $value | quote }}
    {{- end }}
  {{- end }}
 spec:
  {{- with .Values.applicationSet.ingress.ingressClassName }}
  ingressClassName: {{ . }}
  {{- end }}
  rules:
    {{- if .Values.applicationSet.ingress.hostname }}
    - host: {{ .Values.applicationSet.ingress.hostname }}
      http:
        paths:
          {{- with .Values.applicationSet.ingress.extraPaths }}
            {{- toYaml . | nindent 10 }}
          {{- end }}
          - path: {{ .Values.applicationSet.ingress.path }}
            pathType: {{ $.Values.applicationSet.ingress.pathType }}
            backend:
              service:
                name: {{ include "argo-cd.applicationSet.fullname" $ }}
                port:
                  number: {{ .Values.applicationSet.service.port }}
    {{- end }}
    {{- range .Values.server.ingress.extraHosts }}
    - host: {{ .name | quote }}
      http:
        paths:
          - path: {{ default .Values.server.ingress.path .path }}
            pathType: {{ default .Values.server.ingress.pathType .pathType }}
            backend:
              service:
                name: {{ include "argo-cd.applicationSet.fullname" . }}
                port:
                  number: {{ .Values.applicationSet.service.port }}
    {{- end }}
    {{- with .Values.applicationSet.ingress.extraRules }}
      {{- toYaml . | nindent 4 }}
    {{- end }}
  {{- if or .Values.applicationSet.ingress.tls .Values.applicationSet.ingress.extraTls }}
  tls:
    {{- if .Values.applicationSet.ingress.tls }}
    - hosts:
      - {{ .Values.applicationSet.ingress.hostname }}
      secretName: argocd-application-controller-tls
    {{- end }}
    {{- with .Values.applicationSet.ingress.extraTls }}
      {{- toYaml . | nindent 4 }}
    {{- end }}
  {{- end }}
 {{- end }}
--- a/charts/argo-cd/templates/argocd-applicationset/webhook-ingress.yaml
+++ b/charts/argo-cd/templates/argocd-applicationset/webhook-ingress.yaml
@ -1,73 +0,0 @@
 {{- if and .Values.applicationSet.enabled .Values.applicationSet.webhook.ingress.enabled -}}
 {{- $servicePort := .Values.applicationSet.service.portName -}}
 {{- $paths := .Values.applicationSet.webhook.ingress.paths -}}
 {{- $extraPaths := .Values.applicationSet.webhook.ingress.extraPaths -}}
 {{- $pathType := .Values.applicationSet.webhook.ingress.pathType -}}
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  name: {{ include "argo-cd.applicationSet.fullname" . }}
  namespace: {{ .Release.Namespace | quote }}
  labels:
    {{- include "argo-cd.labels" (dict "context" . "component" .Values.applicationSet.name "name" .Values.applicationSet.name) | nindent 4 }}
    {{- with .Values.applicationSet.webhook.ingress.labels }}
      {{- toYaml . | nindent 4 }}
    {{- end }}
  {{- with .Values.applicationSet.webhook.ingress.annotations }}
  annotations:
    {{- range $key, $value := . }}
    {{ $key }}: {{ $value | quote }}
    {{- end }}
  {{- end }}
 spec:
  {{- with .Values.applicationSet.webhook.ingress.ingressClassName }}
  ingressClassName: {{ . }}
  {{- end }}
  rules:
  {{- if .Values.applicationSet.webhook.ingress.hosts }}
    {{- range $host := .Values.applicationSet.webhook.ingress.hosts }}
    - host: {{ $host }}
      http:
        paths:
          {{- with $extraPaths }}
          {{- toYaml . | nindent 10 }}
          {{- end }}
          {{- range $p := $paths }}
          - path: {{ $p }}
            pathType: {{ $pathType }}
            backend:
              service:
                name: {{ include "argo-cd.applicationSet.fullname" $ }}
                port:
                  {{- if kindIs "float64" $servicePort }}
                  number: {{ $servicePort }}
                  {{- else }}
                  name: {{ $servicePort }}
                  {{- end }}
          {{- end -}}
    {{- end -}}
  {{- else }}
    - http:
        paths:
          {{- with $extraPaths }}
          {{- toYaml . | nindent 10 }}
          {{- end }}
          {{- range $p := $paths }}
          - path: {{ $p }}
            pathType: {{ $pathType }}
            backend:
              service:
                name: {{ include "argo-cd.applicationSet.fullname" $ }}
                port:
                  {{- if kindIs "float64" $servicePort }}
                  number: {{ $servicePort }}
                  {{- else }}
                  name: {{ $servicePort }}
                  {{- end }}
          {{- end -}}
  {{- end -}}
  {{- with .Values.applicationSet.webhook.ingress.tls }}
  tls:
    {{- toYaml . | nindent 4 }}
  {{- end -}}
 {{- end -}}
--- a/charts/argo-cd/templates/argocd-configs/argocd-cm.yaml
+++ b/charts/argo-cd/templates/argocd-configs/argocd-cm.yaml
@ -1,4 +1,4 @@
-{{- if (hasKey .Values.server "configEnabled") | ternary .Values.server.configEnabled .Values.configs.cm.create }}
+{{- if .Values.configs.cm.create }}
 apiVersion: v1
 kind: ConfigMap
 metadata:
@ -6,7 +6,7 @@ metadata:
  namespace: {{ .Release.Namespace | quote }}
  labels:
    {{- include "argo-cd.labels" (dict "context" . "component" .Values.server.name "name" "cm") | nindent 4 }}
-  {{- with (mergeOverwrite (deepCopy .Values.configs.cm.annotations) (.Values.server.configAnnotations | default dict)) }}
+  {{- with .Values.configs.cm.annotations }}
  annotations:
    {{- range $key, $value := . }}
    {{ $key }}: {{ $value | quote }}
--- a/charts/argo-cd/templates/argocd-configs/argocd-gpg-keys-cm.yaml
+++ b/charts/argo-cd/templates/argocd-configs/argocd-gpg-keys-cm.yaml
@ -5,13 +5,13 @@ metadata:
  namespace: {{ .Release.Namespace | quote }}
  labels:
    {{- include "argo-cd.labels" (dict "context" . "name" "gpg-keys-cm") | nindent 4 }}
-  {{ with (mergeOverwrite (deepCopy .Values.configs.gpg.annotations) (.Values.configs.gpgKeysAnnotations | default dict)) -}}
+  {{- with .Values.configs.gpg.annotations }}
  annotations:
    {{- range $key, $value := . }}
    {{ $key }}: {{ $value | quote }}
    {{- end }}
  {{- end }}
-{{ with (mergeOverwrite (deepCopy .Values.configs.gpg.keys) (.Values.configs.gpgKeys | default dict)) -}}
+{{- with .Values.configs.gpg.keys }}
 data:
  {{- toYaml . | nindent 2 }}
 {{- end }}
--- a/charts/argo-cd/templates/argocd-configs/argocd-rbac-cm.yaml
+++ b/charts/argo-cd/templates/argocd-configs/argocd-rbac-cm.yaml
@ -1,4 +1,4 @@
-{{- if (hasKey .Values.server "rbacConfigCreate") | ternary .Values.server.rbacConfigCreate .Values.configs.rbac.create }}
+{{- if .Values.configs.rbac.create }}
 apiVersion: v1
 kind: ConfigMap
 metadata:
@ -6,13 +6,13 @@ metadata:
  namespace: {{ .Release.Namespace | quote }}
  labels:
    {{- include "argo-cd.labels" (dict "context" . "component" .Values.server.name "name" "rbac-cm") | nindent 4 }}
-  {{- with (mergeOverwrite (deepCopy .Values.configs.rbac.annotations) (.Values.server.rbacConfigAnnotations | default dict)) }}
+  {{- with .Values.configs.rbac.annotations }}
  annotations:
    {{- range $key, $value := . }}
    {{ $key }}: {{ $value | quote }}
    {{- end }}
  {{- end }}
-{{- with (mergeOverwrite (deepCopy (omit .Values.configs.rbac "create" "annotations")) (.Values.server.rbacConfig | default dict)) }}
+{{- with (omit .Values.configs.rbac "create" "annotations") }}
 data:
  {{- toYaml . | nindent 2 }}
 {{- end }}
--- a/charts/argo-cd/templates/argocd-configs/argocd-secret.yaml
+++ b/charts/argo-cd/templates/argocd-configs/argocd-secret.yaml
@ -16,7 +16,7 @@ metadata:
    {{- end }}
  {{- end }}
 type: Opaque
-{{- if or .Values.configs.secret.githubSecret (or .Values.configs.secret.gitlabSecret .Values.configs.secret.bitbucketUUID .Values.configs.secret.bitbucketServerSecret .Values.configs.secret.gogsSecret (and .Values.configs.secret.azureDevops.username .Values.configs.secret.azureDevops.password) .Values.configs.secret.argocdServerAdminPassword .Values.configs.secret.argocdServerTlsConfig .Values.configs.secret.extra) }}
+{{- if or .Values.configs.secret.githubSecret (or .Values.configs.secret.gitlabSecret .Values.configs.secret.bitbucketUUID .Values.configs.secret.bitbucketServerSecret .Values.configs.secret.gogsSecret (and .Values.configs.secret.azureDevops.username .Values.configs.secret.azureDevops.password) .Values.configs.secret.argocdServerAdminPassword .Values.configs.secret.extra) }}
 # Setting a blank data again will wipe admin password/key/cert
 data:
  {{- with .Values.configs.secret.githubSecret }}
@ -38,10 +38,6 @@ data:
  webhook.azuredevops.username: {{ .Values.configs.secret.azureDevops.username | b64enc }}
  webhook.azuredevops.password: {{ .Values.configs.secret.azureDevops.password | b64enc }}
  {{- end }}
  {{- with .Values.configs.secret.argocdServerTlsConfig }}
  tls.key: {{ .key | b64enc }}
  tls.crt: {{ .crt | b64enc }}
  {{- end }}
  {{- if .Values.configs.secret.argocdServerAdminPassword }}
  admin.password: {{ .Values.configs.secret.argocdServerAdminPassword | b64enc }}
  admin.passwordMtime: {{ default (dateInZone "2006-01-02T15:04:05Z" (now) "UTC") .Values.configs.secret.argocdServerAdminPasswordMtime | b64enc }}
--- a/charts/argo-cd/templates/argocd-configs/argocd-ssh-known-hosts-cm.yaml
+++ b/charts/argo-cd/templates/argocd-configs/argocd-ssh-known-hosts-cm.yaml
@ -5,7 +5,7 @@ metadata:
  namespace: {{ .Release.Namespace | quote }}
  labels:
    {{- include "argo-cd.labels" (dict "context" . "name" "ssh-known-hosts-cm") | nindent 4 }}
-  {{- with (mergeOverwrite (deepCopy .Values.configs.ssh.annotations) (.Values.configs.knownHostsAnnotations | default dict)) }}
+  {{- with .Values.configs.ssh.annotations }}
  annotations:
    {{- range $key, $value := . }}
    {{ $key }}: {{ $value | quote }}
@ -13,11 +13,7 @@ metadata:
  {{- end }}
 data:
  ssh_known_hosts: |
-    {{- if hasKey .Values.configs "knownHosts" }}
+    {{- .Values.configs.ssh.knownHosts | nindent 4 }}
      {{- .Values.configs.knownHosts.data.ssh_known_hosts | nindent 4 }}
    {{- else }}
      {{- .Values.configs.ssh.knownHosts | nindent 4 }}
    {{- end }}
    {{- with .Values.configs.ssh.extraHosts }}
      {{- . | nindent 4 }}
    {{- end }}
--- a/charts/argo-cd/templates/argocd-configs/argocd-tls-certs-cm.yaml
+++ b/charts/argo-cd/templates/argocd-configs/argocd-tls-certs-cm.yaml
@ -5,19 +5,13 @@ metadata:
  namespace: {{ .Release.Namespace | quote }}
  labels:
    {{- include "argo-cd.labels" (dict "context" . "name" "tls-certs-cm") | nindent 4 }}
-  {{- with (mergeOverwrite (deepCopy .Values.configs.tls.annotations) (.Values.configs.tlsCertsAnnotations | default dict)) }}
+  {{- with .Values.configs.tls.annotations }}
  annotations:
    {{- range $key, $value := . }}
    {{ $key }}: {{ $value | quote }}
    {{- end }}
  {{- end }}
 {{- if hasKey .Values.configs "tlsCerts" }}
  {{- with .Values.configs.tlsCerts }}
    {{- toYaml . | nindent 0 }}
  {{- end }}
 {{- else }}
 {{- with .Values.configs.tls.certificates }}
 data:
  {{- toYaml . | nindent 2 }}
 {{- end }}
 {{- end }}
--- a/charts/argo-cd/templates/argocd-repo-server/clusterrole.yaml
+++ b/charts/argo-cd/templates/argocd-repo-server/clusterrole.yaml
@ -1,5 +1,4 @@
-{{- $config := .Values.repoServer.clusterAdminAccess | default dict -}}
+{{- if .Values.createClusterRoles }}
 {{- if hasKey $config "enabled" | ternary $config.enabled .Values.createClusterRoles }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
--- a/charts/argo-cd/templates/argocd-repo-server/clusterrolebinding.yaml
+++ b/charts/argo-cd/templates/argocd-repo-server/clusterrolebinding.yaml
@ -1,5 +1,4 @@
-{{- $config := .Values.repoServer.clusterAdminAccess | default dict -}}
+{{- if .Values.createClusterRoles }}
 {{- if hasKey $config "enabled" | ternary $config.enabled .Values.createClusterRoles }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
--- a/charts/argo-cd/templates/argocd-repo-server/deployment.yaml
+++ b/charts/argo-cd/templates/argocd-repo-server/deployment.yaml
@ -74,14 +74,6 @@ spec:
        - /usr/local/bin/argocd-repo-server
        - --port={{ .Values.repoServer.containerPorts.server }}
        - --metrics-port={{ .Values.repoServer.containerPorts.metrics }}
        {{- with .Values.repoServer.logFormat }}
        - --logformat
        - {{ . | quote }}
        {{- end }}
        {{- with .Values.repoServer.logLevel }}
        - --loglevel
        - {{ . | quote }}
        {{- end }}
        {{- with .Values.repoServer.extraArgs }}
          {{- toYaml . | nindent 8 }}
        {{- end }}
--- a/charts/argo-cd/templates/argocd-server/aws/ingress.yaml
+++ b/charts/argo-cd/templates/argocd-server/aws/ingress.yaml
@ -0,0 +1,71 @@
 {{- if and .Values.server.ingress.enabled (eq .Values.server.ingress.controller "aws") }}
 {{- $insecure := index .Values.configs.params "server.insecure" | toString -}}
 {{- $servicePort := eq $insecure "true" | ternary .Values.server.service.servicePortHttp .Values.server.service.servicePortHttps -}}
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  name: {{ include "argo-cd.server.fullname" . }}
  namespace: {{ .Release.Namespace | quote }}
  labels:
    {{- include "argo-cd.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }}
    {{- with .Values.server.ingress.labels }}
      {{- toYaml . | nindent 4 }}
    {{- end }}
  annotations:
    alb.ingress.kubernetes.io/conditions.{{ include "argo-cd.server.fullname" . }}-grpc: |
      [{"field":"http-header","httpHeaderConfig":{"httpHeaderName": "Content-Type", "values":["application/grpc"]}}]
    {{- range $key, $value := .Values.server.ingress.annotations }}
    {{ $key }}: {{ $value | quote }}
    {{- end }}
 spec:
  {{- with .Values.server.ingress.ingressClassName }}
  ingressClassName: {{ . }}
  {{- end }}
  rules:
    - host: {{ .Values.server.ingress.hostname }}
      http:
        paths:
          {{- with .Values.server.ingress.extraPaths }}
            {{- toYaml . | nindent 10 }}
          {{- end }}
          - path: {{ .Values.server.ingress.path }}
            pathType: {{ $.Values.server.ingress.pathType }}
            backend:
              service:
                name: {{ include "argo-cd.server.fullname" . }}
                port:
                  number: {{ $servicePort }}
          - path: {{ .Values.server.ingress.path }}
            pathType: {{ $.Values.server.ingressGrpc.pathType }}
            backend:
              service:
                name: {{ include "argo-cd.server.fullname" $ }}-grpc
                port:
                  number: {{ $servicePort }}
    {{- range .Values.server.ingress.extraHosts }}
    - host: {{ .name | quote }}
      http:
        paths:
          - path: {{ default .Values.server.ingress.path .path }}
            pathType: {{ default .Values.server.ingress.pathType .pathType }}
            backend:
              service:
                name: {{ include "argo-cd.server.fullname" . }}
                port:
                  number: {{ $servicePort }}
    {{- end }}
    {{- with .Values.server.ingress.extraRules }}
      {{- toYaml . | nindent 4 }}
    {{- end }}
  {{- if or .Values.server.ingress.tls .Values.server.ingress.extraTls }}
  tls:
    {{- if .Values.server.ingress.tls }}
    - hosts:
      - {{ .Values.server.ingress.hostname }}
      secretName: argocd-server-tls
    {{- end }}
    {{- with .Values.server.ingress.extraTls }}
      {{- toYaml . | nindent 4 }}
    {{- end }}
  {{- end }}
 {{- end }}
--- a/charts/argo-cd/templates/argocd-server/aws/service.yaml
+++ b/charts/argo-cd/templates/argocd-server/aws/service.yaml
@ -1,9 +1,9 @@
-{{- if and .Values.server.ingressGrpc.enabled .Values.server.ingressGrpc.isAWSALB -}}
+{{- if and .Values.server.ingress.enabled (eq .Values.server.ingress.controller "aws") }}
 apiVersion: v1
 kind: Service
 metadata:
  annotations:
-    alb.ingress.kubernetes.io/backend-protocol-version: {{ .Values.server.ingressGrpc.awsALB.backendProtocolVersion }}
+    alb.ingress.kubernetes.io/backend-protocol-version: {{ .Values.server.ingress.aws.backendProtocolVersion }}
  labels:
    {{- include "argo-cd.labels" (dict "context" . "component" (print .Values.server.name "-gprc") "name" (print .Values.server.name "-grpc")) | nindent 4 }}
  name: {{ template "argo-cd.server.fullname" . }}-grpc
@ -21,5 +21,5 @@ spec:
  selector:
    {{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.server.name) | nindent 4 }}
  sessionAffinity: None
-  type: {{ .Values.server.ingressGrpc.awsALB.serviceType }}
+  type: {{ .Values.server.ingress.aws.serviceType }}
 {{- end -}}
--- a/charts/argo-cd/templates/argocd-server/clusterrole.yaml
+++ b/charts/argo-cd/templates/argocd-server/clusterrole.yaml
@ -1,5 +1,4 @@
-{{- $config := .Values.server.clusterAdminAccess | default dict -}}
+{{- if .Values.createClusterRoles }}
 {{- if hasKey $config "enabled" | ternary $config.enabled .Values.createClusterRoles }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@ -31,7 +30,7 @@ rules:
      - pods/log
    verbs:
      - get
-  {{- if eq (toString (index (coalesce .Values.server.config .Values.configs.cm) "exec.enabled")) "true" }}
+  {{- if eq (toString (index .Values.configs.cm "exec.enabled")) "true" }}
  - apiGroups:
      - ""
    resources:
--- a/charts/argo-cd/templates/argocd-server/clusterrolebinding.yaml
+++ b/charts/argo-cd/templates/argocd-server/clusterrolebinding.yaml
@ -1,5 +1,4 @@
-{{- $config := .Values.server.clusterAdminAccess | default dict -}}
+{{- if .Values.createClusterRoles }}
 {{- if hasKey $config "enabled" | ternary $config.enabled .Values.createClusterRoles }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
--- a/charts/argo-cd/templates/argocd-server/deployment.yaml
+++ b/charts/argo-cd/templates/argocd-server/deployment.yaml
@ -27,7 +27,7 @@ spec:
    metadata:
      annotations:
        checksum/cmd-params: {{ include (print $.Template.BasePath "/argocd-configs/argocd-cmd-params-cm.yaml") . | sha256sum }}
-        {{- if (hasKey .Values.server "configEnabled") | ternary .Values.server.configEnabled .Values.configs.cm.create }}
+        {{- if .Values.configs.cm.create }}
        checksum/cm: {{ include (print $.Template.BasePath "/argocd-configs/argocd-cm.yaml") . | sha256sum }}
        {{- end }}
        {{- with (mergeOverwrite (deepCopy .Values.global.podAnnotations) .Values.server.podAnnotations) }}
@ -68,14 +68,6 @@ spec:
        - /usr/local/bin/argocd-server
        - --port={{ .Values.server.containerPorts.server }}
        - --metrics-port={{ .Values.server.containerPorts.metrics }}
        {{- with .Values.server.logFormat }}
        - --logformat
        - {{ . | quote }}
        {{- end }}
        {{- with .Values.server.logLevel }}
        - --loglevel
        - {{ . | quote }}
        {{- end }}
        {{- with .Values.server.extraArgs }}
          {{- toYaml . | nindent 8 }}
        {{- end }}
--- a/charts/argo-cd/templates/argocd-server/gke/backendconfig.yaml
+++ b/charts/argo-cd/templates/argocd-server/gke/backendconfig.yaml
@ -1,11 +1,13 @@
-{{- if .Values.server.GKEbackendConfig.enabled }}
+{{- if and .Values.server.ingress.enabled (eq .Values.server.ingress.controller "gke") .Values.server.ingress.gke.backendConfig }}
-apiVersion: {{ include "argo-cd.apiVersions.cloudgoogle" . }}
+apiVersion: cloud.google.com/v1
 kind: BackendConfig
 metadata:
-  name: {{ template "argo-cd.server.fullname" . }}
+  name: {{ include "argo-cd.server.fullname" . }}
  namespace: {{ .Release.Namespace | quote }}
  labels:
    {{- include "argo-cd.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }}
 {{- with .Values.server.ingress.gke.backendConfig }}
 spec:
-  {{- toYaml .Values.server.GKEbackendConfig.spec | nindent 2 }}
+  {{- toYaml . | nindent 2 }}
 {{- end }}
 {{- end }}
--- a/charts/argo-cd/templates/argocd-server/gke/frontendconfig.yaml
+++ b/charts/argo-cd/templates/argocd-server/gke/frontendconfig.yaml
@ -1,11 +1,13 @@
-{{- if .Values.server.GKEfrontendConfig.enabled }}
+{{- if and .Values.server.ingress.enabled (eq .Values.server.ingress.controller "gke") .Values.server.ingress.gke.frontendConfig }}
 apiVersion: networking.gke.io/v1beta1
 kind: FrontendConfig
 metadata:
-  name: {{ template "argo-cd.server.fullname" . }}
+  name: {{ include "argo-cd.server.fullname" . }}
  namespace: {{ .Release.Namespace | quote }}
  labels:
    {{- include "argo-cd.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }}
 {{- with .Values.server.ingress.gke.frontendConfig }}
 spec:
-  {{- toYaml .Values.server.GKEfrontendConfig.spec | nindent 2 }}
+  {{- toYaml . | nindent 2 }}
 {{- end }}
 {{- end }}
--- a/charts/argo-cd/templates/argocd-server/gke/ingress.yaml
+++ b/charts/argo-cd/templates/argocd-server/gke/ingress.yaml
@ -0,0 +1,69 @@
 {{- if and .Values.server.ingress.enabled (eq .Values.server.ingress.controller "gke") }}
 {{- $insecure := index .Values.configs.params "server.insecure" | toString -}}
 {{- $servicePort := eq $insecure "true" | ternary .Values.server.service.servicePortHttp .Values.server.service.servicePortHttps -}}
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  name: {{ include "argo-cd.server.fullname" . }}
  namespace: {{ .Release.Namespace | quote }}
  labels:
    {{- include "argo-cd.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }}
    {{- with .Values.server.ingress.labels }}
      {{- toYaml . | nindent 4 }}
    {{- end }}
  annotations:
    ingressClassName: "gce"
    {{- if .Values.server.ingress.gke.managedCertificate.create }}
    networking.gke.io/managed-certificates: {{ include "argo-cd.server.fullname" . }}
    {{- end }}
    {{- if .Values.server.ingress.gke.frontendConfig }}
    networking.gke.io/v1beta1.FrontendConfig: {{ include "argo-cd.server.fullname" . }}
    {{- end }}
    {{- range $key, $value := .Values.server.ingress.annotations }}
    {{ $key }}: {{ $value | quote }}
    {{- end }}
 spec:
  {{- with .Values.server.ingress.ingressClassName }}
  ingressClassName: {{ . }}
  {{- end }}
  rules:
    - host: {{ .Values.server.ingress.hostname }}
      http:
        paths:
          {{- with .Values.server.ingress.extraPaths }}
            {{- toYaml . | nindent 10 }}
          {{- end }}
          - path: {{ .Values.server.ingress.path }}
            pathType: {{ .Values.server.ingress.pathType }}
            backend:
              service:
                name: {{ include "argo-cd.server.fullname" . }}
                port:
                  number: {{ $servicePort }}
    {{- range .Values.server.ingress.extraHosts }}
    - host: {{ .name | quote }}
      http:
        paths:
          - path: {{ default .Values.server.ingress.path .path }}
            pathType: {{ default .Values.server.ingress.pathType .pathType }}
            backend:
              service:
                name: {{ include "argo-cd.server.fullname" . }}
                port:
                  number: {{ $servicePort }}
    {{- end }}
    {{- with .Values.server.ingress.extraRules }}
      {{- toYaml . | nindent 4 }}
    {{- end }}
  {{- if or .Values.server.ingress.tls .Values.server.ingress.extraTls }}
  tls:
    {{- if .Values.server.ingress.tls }}
    - hosts:
      - {{ .Values.server.ingress.hostname }}
      secretName: argocd-server-tls
    {{- end }}
    {{- with .Values.server.ingress.extraTls }}
      {{- toYaml . | nindent 4 }}
    {{- end }}
  {{- end }}
 {{- end }}
--- a/charts/argo-cd/templates/argocd-server/gke/managedcertificate.yaml
+++ b/charts/argo-cd/templates/argocd-server/gke/managedcertificate.yaml
@ -1,12 +1,15 @@
-{{- if .Values.server.GKEmanagedCertificate.enabled }}
+{{- if and .Values.server.ingress.enabled (eq .Values.server.ingress.controller "gke") .Values.server.ingress.gke.managedCertificate.create }}
 apiVersion: networking.gke.io/v1
 kind: ManagedCertificate
 metadata:
-  name: {{ template "argo-cd.server.fullname" . }}
+  name: {{ include "argo-cd.server.fullname" . }}
  namespace: {{ .Release.Namespace | quote }}
  labels:
    {{- include "argo-cd.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }}
 spec:
  domains:
-    {{- with .Values.server.GKEmanagedCertificate.domains }}
+    - {{ .Values.server.ingress.hostname }}
-    {{- toYaml . | nindent 4 }}
+    {{- with .Values.server.ingress.gke.managedCertificate.extraDomains }}
      {{- toYaml . | nindent 4 }}
    {{- end }}
 {{- end }}
--- a/charts/argo-cd/templates/argocd-server/ingress-grpc.yaml
+++ b/charts/argo-cd/templates/argocd-server/ingress-grpc.yaml
@ -1,8 +1,7 @@
-{{- if and .Values.server.ingressGrpc.enabled (not .Values.server.ingressGrpc.isAWSALB) -}}
+{{- if and .Values.server.ingressGrpc.enabled (eq .Values.server.ingress.controller "generic") -}}
-{{- $servicePort := ternary .Values.server.service.servicePortHttps .Values.server.service.servicePortHttp .Values.server.ingressGrpc.https -}}
+{{- $hostname := .Values.server.ingressGrpc.hostname | default (printf "grpc.%s" .Values.server.ingress.hostname) -}}
-{{- $paths := .Values.server.ingressGrpc.paths -}}
+{{- $insecure := index .Values.configs.params "server.insecure" | toString -}}
-{{- $extraPaths := .Values.server.ingressGrpc.extraPaths -}}
+{{- $servicePort := eq $insecure "true" | ternary .Values.server.service.servicePortHttp .Values.server.service.servicePortHttps -}}
 {{- $pathType := .Values.server.ingressGrpc.pathType -}}
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
@ -24,50 +23,43 @@ spec:
  ingressClassName: {{ . }}
  {{- end }}
  rules:
-  {{- if .Values.server.ingressGrpc.hosts }}
+    - host: {{ $hostname }}
    {{- range $host := .Values.server.ingressGrpc.hosts }}
    - host: {{ $host }}
      http:
        paths:
-          {{- with $extraPaths }}
+          {{- with .Values.server.ingressGrpc.extraPaths }}
-          {{- toYaml . | nindent 10 }}
+            {{- toYaml . | nindent 10 }}
          {{- end }}
-          {{- range $p := $paths }}
+          - path: {{ .Values.server.ingressGrpc.path }}
-          - path: {{ $p }}
+            pathType: {{ .Values.server.ingressGrpc.pathType }}
            pathType: {{ $pathType }}
            backend:
              service:
-                name: {{ include "argo-cd.server.fullname" $ }}
+                name: {{ include "argo-cd.server.fullname" . }}
                port:
                  {{- if kindIs "float64" $servicePort }}
                  number: {{ $servicePort }}
-                  {{- else }}
+    {{- range .Values.server.ingressGrpc.extraHosts }}
-                  name: {{ $servicePort }}
+    - host: {{ .name | quote }}
-                  {{- end }}
+      http:
          {{- end -}}
    {{- end -}}
  {{- else }}
    - http:
        paths:
-          {{- with $extraPaths }}
+          - path: {{ default .Values.server.ingressGrpc.path .path }}
-          {{- toYaml . | nindent 10 }}
+            pathType: {{ default .Values.server.ingressGrpc.pathType .pathType }}
          {{- end }}
          {{- range $p := $paths }}
          - path: {{ $p }}
            pathType: {{ $pathType }}
            backend:
              service:
-                name: {{ include "argo-cd.server.fullname" $ }}
+                name: {{ include "argo-cd.server.fullname" . }}
                port:
                  {{- if kindIs "float64" $servicePort }}
                  number: {{ $servicePort }}
-                  {{- else }}
+    {{- end }}
-                  name: {{ $servicePort }}
+    {{- with .Values.server.ingressGrpc.extraRules }}
-                  {{- end }}
+      {{- toYaml . | nindent 4 }}
-          {{- end -}}
+    {{- end }}
-  {{- end -}}
+  {{- if or .Values.server.ingressGrpc.tls .Values.server.ingressGrpc.extraTls }}
  {{- with .Values.server.ingressGrpc.tls }}
  tls:
-    {{- toYaml . | nindent 4 }}
+    {{- if .Values.server.ingressGrpc.tls }}
-  {{- end -}}
+    - hosts:
-{{- end -}}
+      - {{ $hostname }}
      secretName: {{ printf "%s-tls" $hostname }}
    {{- end }}
    {{- with .Values.server.ingressGrpc.tls }}
      {{- toYaml . | nindent 4 }}
    {{- end }}
  {{- end }}
 {{- end }}
--- a/charts/argo-cd/templates/argocd-server/ingress.yaml
+++ b/charts/argo-cd/templates/argocd-server/ingress.yaml
@ -1,8 +1,6 @@
-{{- if .Values.server.ingress.enabled -}}
+{{- if and .Values.server.ingress.enabled (eq .Values.server.ingress.controller "generic") }}
-{{- $servicePort := ternary .Values.server.service.servicePortHttps .Values.server.service.servicePortHttp .Values.server.ingress.https -}}
+{{- $insecure := index .Values.configs.params "server.insecure" | toString -}}
-{{- $paths := .Values.server.ingress.paths -}}
+{{- $servicePort := eq $insecure "true" | ternary .Values.server.service.servicePortHttp .Values.server.service.servicePortHttps -}}
 {{- $extraPaths := .Values.server.ingress.extraPaths -}}
 {{- $pathType := .Values.server.ingress.pathType -}}
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
@ -13,78 +11,54 @@ metadata:
    {{- with .Values.server.ingress.labels }}
      {{- toYaml . | nindent 4 }}
    {{- end }}
-  {{- if .Values.server.ingress.annotations }}
+  {{- with .Values.server.ingress.annotations }}
  annotations:
-    {{- range $key, $value := .Values.server.ingress.annotations }}
+    {{- range $key, $value := . }}
    {{ $key }}: {{ $value | quote }}
    {{- end }}
    {{- if and .Values.server.ingressGrpc.isAWSALB .Values.server.ingressGrpc.enabled }}
    alb.ingress.kubernetes.io/conditions.{{ template "argo-cd.server.fullname" . }}-grpc: |
      [{"field":"http-header","httpHeaderConfig":{"httpHeaderName": "Content-Type", "values":["application/grpc"]}}]
    {{- end }}
  {{- end }}
 spec:
  {{- with .Values.server.ingress.ingressClassName }}
  ingressClassName: {{ . }}
  {{- end }}
  rules:
-  {{- if .Values.server.ingress.hosts }}
+    - host: {{ .Values.server.ingress.hostname }}
    {{- range $host := .Values.server.ingress.hosts }}
    - host: {{ $host | quote }}
      http:
        paths:
-          {{- with $extraPaths }}
+          {{- with .Values.server.ingress.extraPaths }}
-          {{- toYaml . | nindent 10 }}
+            {{- toYaml . | nindent 10 }}
          {{- end }}
-          {{- range $p := $paths }}
+          - path: {{ .Values.server.ingress.path }}
-          {{- if and $.Values.server.ingressGrpc.isAWSALB $.Values.server.ingressGrpc.enabled }}
+            pathType: {{ $.Values.server.ingress.pathType }}
          - path: {{ $p }}
            pathType: {{ $.Values.server.ingressGrpc.pathType }}
            backend:
              service:
-                name: {{ template "argo-cd.server.fullname" $ }}-grpc
+                name: {{ include "argo-cd.server.fullname" . }}
                port:
                  {{- if kindIs "float64" $servicePort }}
                  number: {{ $servicePort }}
-                  {{- else }}
+    {{- range .Values.server.ingress.extraHosts }}
-                  name: {{ $servicePort }}
+    - host: {{ .name | quote }}
-                  {{- end }}
+      http:
            {{- end }}
          - path: {{ $p }}
            pathType: {{ $pathType }}
            backend:
              service:
                name: {{ include "argo-cd.server.fullname" $ }}
                port:
                  {{- if kindIs "float64" $servicePort }}
                  number: {{ $servicePort }}
                  {{- else }}
                  name: {{ $servicePort }}
                  {{- end }}
          {{- end -}}
    {{- end -}}
  {{- else }}
    - http:
        paths:
-          {{- with $extraPaths }}
+          - path: {{ default .Values.server.ingress.path .path }}
-          {{- toYaml . | nindent 10 }}
+            pathType: {{ default .Values.server.ingress.pathType .pathType }}
          {{- end }}
          {{- range $p := $paths }}
          - path: {{ $p }}
            pathType: {{ $pathType }}
            backend:
              service:
-                name: {{ include "argo-cd.server.fullname" $ }}
+                name: {{ include "argo-cd.server.fullname" . }}
                port:
                  {{- if kindIs "float64" $servicePort }}
                  number: {{ $servicePort }}
-                  {{- else }}
+    {{- end }}
-                  name: {{ $servicePort }}
+    {{- with .Values.server.ingress.extraRules }}
-                  {{- end }}
+      {{- toYaml . | nindent 4 }}
-          {{- end -}}
+    {{- end }}
-  {{- end -}}
+  {{- if or .Values.server.ingress.tls .Values.server.ingress.extraTls }}
  {{- with .Values.server.ingress.tls }}
  tls:
-    {{- toYaml . | nindent 4 }}
+    {{- if .Values.server.ingress.tls }}
-  {{- end -}}
+    - hosts:
-{{- end -}}
+      - {{ .Values.server.ingress.hostname }}
      secretName: argocd-server-tls
    {{- end }}
    {{- with .Values.server.ingress.extraTls }}
      {{- toYaml . | nindent 4 }}
    {{- end }}
  {{- end }}
 {{- end }}
--- a/charts/argo-cd/values.yaml
+++ b/charts/argo-cd/values.yaml
@ -11,9 +11,7 @@ kubeVersionOverride: ""
 # Override APIVersions
 # If you want to template helm charts but cannot access k8s API server
 # you can set api versions here
-apiVersionOverrides:
+apiVersionOverrides: {}
  # -- String to override apiVersion of GKE resources rendered by this helm chart
  cloudgoogle: "" # cloud.google.com/v1
 # -- Create aggregated roles that extend existing cluster roles to interact with argo-cd resources
 ## Ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles
@ -442,16 +440,6 @@ configs:
    #       insecure: false
    #       caData: "<base64 encoded certificate>"
  # DEPRECATED - Moved to configs.ssh.annotations
  # knownHostsAnnotations: {}
  # DEPRECATED - Moved to configs.ssh.knownHosts
  # knownHosts: {}
  # DEPRECATED - Moved to configs.tls.annotations
  # tlsCertsAnnotations: {}
  # DEPRECATED - Moved to configs.tls.certificates
  # tlsCerts: {}
  # -- Repository credentials to be used as Templates for other repos
  ## Creates a secret for each key/value specified below to create repository credentials
  credentialTemplates: {}
@ -533,12 +521,6 @@ configs:
      {}
      # LDAP_PASSWORD: "mypassword"
    # -- Argo TLS Data
    # DEPRECATED - Use server.certificate or server.certificateSecret
    # argocdServerTlsConfig:
    #  key: ''
    #  crt: ''
    # -- Bcrypt hashed admin password
    ## Argo expects the password in the secret to be bcrypt hashed. You can create this hash with
    ## `htpasswd -nbBC 10 "" $ARGO_PWD | tr -d ':\n' | sed 's/$2y/$2a/'`
@ -595,6 +577,9 @@ controller:
  # Additional replicas will cause sharding of managed clusters across number of replicas.
  replicas: 1
  # -- Maximum number of controller revisions that will be maintained in StatefulSet history
  revisionHistoryLimit: 5
  ## Application controller Pod Disruption Budget
  ## Ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
  pdb:
@ -627,22 +612,6 @@ controller:
  # @default -- `[]` (defaults to global.imagePullSecrets)
  imagePullSecrets: []
  # -- DEPRECATED - Application controller commandline flags
  args: {}
  # DEPRECATED - Use configs.params to override
  #  # -- define the application controller `--status-processors`
  #  statusProcessors: "20"
  #  # -- define the application controller `--operation-processors`
  #  operationProcessors: "10"
  #  # -- define the application controller `--app-hard-resync`
  #  appHardResyncPeriod: "0"
  #  # -- define the application controller `--app-resync`
  #  appResyncPeriod: "180"
  #  # -- define the application controller `--self-heal-timeout-seconds`
  #  selfHealTimeout: "5"
  #  # -- define the application controller `--repo-server-timeout-seconds`
  #  repoServerTimeoutSeconds: "60"
  # -- Additional command line arguments to pass to application controller
  extraArgs: []
@ -1992,29 +1961,47 @@ server:
    # -- Automount API credentials for the Service Account
    automountServiceAccountToken: true
  # Argo CD server ingress configuration
  ingress:
    # -- Enable an ingress resource for the Argo CD server
    enabled: false
-    # -- Additional ingress annotations
+    # -- Specific implementation for ingress controller. One of `generic`, `aws` or `gke`
-    annotations: {}
+    ## Additional configuration might be required in related configuration sections
    controller: generic
    # -- Additional ingress labels
    labels: {}
    # -- Additional ingress annotations
    ## Ref: https://argo-cd.readthedocs.io/en/stable/operator-manual/ingress/#option-1-ssl-passthrough
    annotations: {}
      # nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
      # nginx.ingress.kubernetes.io/ssl-passthrough: "true"
    # -- Defines which ingress controller will implement the resource
    ingressClassName: ""
-    # -- List of ingress hosts
+    # -- Argo CD server hostname
-    ## Argo Ingress.
+    ## NOTE: Hostname must be provided if Ingress is enabled
-    ## Hostnames must be provided if Ingress is enabled.
+    hostname: argocd.example.com
-    ## Secrets must be manually created in the namespace
+
-    hosts: []
+    # -- The path to Argo CD server
-      # - argocd.example.com
+    path: /
    # -- List of ingress paths
    paths:
      - /
    # -- Ingress path type. One of `Exact`, `Prefix` or `ImplementationSpecific`
    pathType: Prefix
    # -- Enable TLS configuration for the hostname defined at `server.ingress.hostname`
    ## TLS certificate will be retrieved from a TLS secret `argocd-server-tls`
    ## You can create this secret via `certificate` or `certificateSecret` option
    tls: false
    # -- The list of additional hostnames to be covered by ingress record
    # @default -- `[]` (See [values.yaml])
    extraHosts: []
      # - name: argocd.example.com
      #   path: /
    # -- Additional ingress paths
    # @default -- `[]` (See [values.yaml])
    extraPaths: []
      # - path: /*
      #   pathType: Prefix
@ -2024,17 +2011,70 @@ server:
      #       port:
      #         name: use-annotation
-    # -- Ingress TLS configuration
+    # -- Additional ingress rules
-    tls: []
+    # @default -- `[]` (See [values.yaml])
-      # - secretName: your-certificate-name
+    extraRules: []
-      #   hosts:
+      # - host: example.example.com
-      #     - argocd.example.com
+      #   http:
      #       path: /
      #       backend:
      #         service:
      #           name: example-svc
      #           port:
      #             name: http
-    # -- Uses `server.service.servicePortHttps` instead `server.service.servicePortHttp`
+    # -- Additional TLS configuration
-    https: false
+    # @default -- `[]` (See [values.yaml])
    extraTls: []
      # - hosts:
      #   - argocd.example.com
      #   secretName: your-certificate-name
-  # dedicated ingress for gRPC as documented at
+    # AWS specific options for Application Load Balancer
-  # Ref: https://argo-cd.readthedocs.io/en/stable/operator-manual/ingress/
+    # Applies only when `serv.ingress.controller` is set to `aws`
    ## Ref: https://argo-cd.readthedocs.io/en/stable/operator-manual/ingress/#aws-application-load-balancers-albs-and-classic-elb-http-mode
    aws:
      # -- Backend protocol version for the AWS ALB gRPC service
      ## This tells AWS to send traffic from the ALB using HTTP2. Can use gRPC as well if you want to leverage gRPC specific features
      backendProtocolVersion: HTTP2
      # -- Service type for the AWS ALB gRPC service
      ## Can be of type NodePort or ClusterIP depending on which mode you are running.
      ## Instance mode needs type NodePort, IP mode needs type ClusterIP
      ## Ref: https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.2/how-it-works/#ingress-traffic
      serviceType: NodePort
    # Google specific options for Google Application Load Balancer
    # Applies only when `server.ingress.controller` is set to `gke`
    ## Ref: https://argo-cd.readthedocs.io/en/stable/operator-manual/ingress/#google-cloud-load-balancers-with-kubernetes-ingress
    gke:
      # -- Google [BackendConfig] resource, for use with the GKE Ingress Controller
      # @default -- `{}` (See [values.yaml])
      ## Ref: https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-features#configuring_ingress_features_through_frontendconfig_parameters
      backendConfig: {}
        # iap:
        #  enabled: true
        #  oauthclientCredentials:
        #    secretName: argocd-secret
      # -- Google [FrontendConfig] resource, for use with the GKE Ingress Controller
      # @default -- `{}` (See [values.yaml])
      ## Ref: https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-features#configuring_ingress_features_through_frontendconfig_parameters
      frontendConfig: {}
        # redirectToHttps:
        #   enabled: true
        #   responseCodeName: RESPONSE_CODE
      # Managed GKE certificate for ingress hostname
      managedCertificate:
        # -- Create ManagedCertificate resource and annotations for Google Load balancer
        ## Ref: https://cloud.google.com/kubernetes-engine/docs/how-to/managed-certs
        create: true
        # -- Additional domains for ManagedCertificate resource
        extraDomains: []
          # - argocd.example.com
  # Dedicated gRPC ingress for ingress controllers that supports only single backend protocol per Ingress resource
  # Ref: https://argo-cd.readthedocs.io/en/stable/operator-manual/ingress/#option-2-multiple-ingress-objects-and-hosts
  ingressGrpc:
    # -- Enable an ingress resource for the Argo CD server for dedicated [gRPC-ingress]
    enabled: false
@ -2047,32 +2087,27 @@ server:
    # -- Defines which ingress controller will implement the resource [gRPC-ingress]
    ingressClassName: ""
-    awsALB:
+    # -- Argo CD server hostname for dedicated [gRPC-ingress]
-      # -- Service type for the AWS ALB gRPC service
+    hostname: ""
      ## Service Type if isAWSALB is set to true
      ## Can be of type NodePort or ClusterIP depending on which mode you are
      ## are running. Instance mode needs type NodePort, IP mode needs type
      ## ClusterIP
      ## Ref: https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.2/how-it-works/#ingress-traffic
      serviceType: NodePort
      # -- Backend protocol version for the AWS ALB gRPC service
      ## This tells AWS to send traffic from the ALB using HTTP2. Can use gRPC as well if you want to leverage gRPC specific features
      backendProtocolVersion: HTTP2
-    # -- List of ingress hosts for dedicated [gRPC-ingress]
+    # -- Argo CD server ingress path for dedicated [gRPC-ingress]
-    ## Argo Ingress.
+    path: /
    ## Hostnames must be provided if Ingress is enabled.
    ## Secrets must be manually created in the namespace
    ##
    hosts: []
      # - argocd.example.com
    # -- List of ingress paths for dedicated [gRPC-ingress]
    paths:
      - /
    # -- Ingress path type for dedicated [gRPC-ingress]. One of `Exact`, `Prefix` or `ImplementationSpecific`
    pathType: Prefix
    # -- Enable TLS configuration for the hostname defined at `server.ingressGrpc.hostname`
    ## TLS certificate will be retrieved from a TLS secret with name: `<hostname>-tls`
    tls: false
    # -- The list of additional hostnames to be covered by ingress record
    # @default -- `[]` (See [values.yaml])
    extraHosts: []
      # - name: grpc.argocd.example.com
      #   path: /
    # -- Additional ingress paths for dedicated [gRPC-ingress]
    # @default -- `[]` (See [values.yaml])
    extraPaths: []
      # - path: /*
      #   pathType: Prefix
@ -2082,15 +2117,25 @@ server:
      #       port:
      #         name: use-annotation
-    # -- Ingress TLS configuration for dedicated [gRPC-ingress]
+    # -- Additional ingress rules
-    tls: []
+    # @default -- `[]` (See [values.yaml])
    extraRules: []
      # - host: example.example.com
      #   http:
      #       path: /
      #       backend:
      #         service:
      #           name: example-svc
      #           port:
      #             name: http
    # -- Additional TLS configuration for dedicated [gRPC-ingress]
    # @default -- `[]` (See [values.yaml])
    extraTls: []
      # - secretName: your-certificate-name
      #   hosts:
      #     - argocd.example.com
    # -- Uses `server.service.servicePortHttps` instead `server.service.servicePortHttp`
    https: false
  # Create a OpenShift Route with SSL passthrough for UI and CLI
  # Consider setting 'hostname' e.g. https://argocd.apps-crc.testing/ using your Default Ingress Controller Domain
  # Find your domain with: kubectl describe --namespace=openshift-ingress-operator ingresscontroller/default | grep Domain:
@ -2107,38 +2152,6 @@ server:
    # -- Termination policy of Openshift Route
    termination_policy: None
  GKEbackendConfig:
    # -- Enable BackendConfig custom resource for Google Kubernetes Engine
    enabled: false
    # -- [BackendConfigSpec]
    spec: {}
  #  spec:
  #    iap:
  #      enabled: true
  #      oauthclientCredentials:
  #        secretName: argocd-secret
  ## Create a Google Managed Certificate for use with the GKE Ingress Controller
  ## https://cloud.google.com/kubernetes-engine/docs/how-to/managed-certs
  GKEmanagedCertificate:
    # -- Enable ManagedCertificate custom resource for Google Kubernetes Engine.
    enabled: false
    # -- Domains for the Google Managed Certificate
    domains:
    - argocd.example.com
  ## Create a Google FrontendConfig Custom Resource, for use with the GKE Ingress Controller
  ## https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-features#configuring_ingress_features_through_frontendconfig_parameters
  GKEfrontendConfig:
    # -- Enable FrontConfig custom resource for Google Kubernetes Engine
    enabled: false
    # -- [FrontendConfigSpec]
    spec: {}
  # spec:
  #   redirectToHttps:
  #     enabled: true
  #     responseCodeName: RESPONSE_CODE
 ## Repo Server
 repoServer:
  # -- Repo server name
@ -2558,16 +2571,7 @@ applicationSet:
  # @default -- `[]` (defaults to global.imagePullSecrets)
  imagePullSecrets: []
-  # -- DEPRECATED - ApplicationSet controller command line flags
+  # -- ApplicationSet controller command line flags
  args: {}
    # DEPRECATED - Use configs.params.applicationsetcontroller.policy to override
    # -- How application is synced between the generator and the cluster
    # policy: sync
    # DEPRECATED - Use configs.params.applicationsetcontroller.dryrun to override
    # -- Enable dry run mode
    # dryRun: false
  # -- List of extra cli args to add
  extraArgs: []
  # -- Environment variables to pass to the ApplicationSet controller
@ -2772,51 +2776,6 @@ applicationSet:
  # @default -- `""` (defaults to global.priorityClassName)
  priorityClassName: ""
  ## Webhook for the Git Generator
  ## Ref: https://argocd-applicationset.readthedocs.io/en/master/Generators-Git/#webhook-configuration)
  webhook:
    ingress:
      # -- Enable an ingress resource for Webhooks
      enabled: false
      # -- Additional ingress annotations
      annotations: {}
      # -- Additional ingress labels
      labels: {}
      # -- Defines which ingress ApplicationSet controller will implement the resource
      ingressClassName: ""
      # -- List of ingress hosts
      ## Hostnames must be provided if Ingress is enabled.
      ## Secrets must be manually created in the namespace
      hosts: []
        # - argocd-applicationset.example.com
      # -- List of ingress paths
      paths:
        - /api/webhook
      # -- Ingress path type. One of `Exact`, `Prefix` or `ImplementationSpecific`
      pathType: Prefix
      # -- Additional ingress paths
      extraPaths: []
        # - path: /*
        #   backend:
        #     serviceName: ssl-redirect
        #     servicePort: use-annotation
        ## for Kubernetes >=1.19 (when "networking.k8s.io/v1" is used)
        # - path: /*
        #   pathType: Prefix
        #   backend:
        #     service:
        #       name: ssl-redirect
        #       port:
        #         name: use-annotation
      # -- Ingress TLS configuration
      tls: []
        # - secretName: argocd-applicationset-tls
        #   hosts:
        #     - argocd-applicationset.example.com
  # TLS certificate configuration via cert-manager
  ## Ref: https://argo-cd.readthedocs.io/en/stable/operator-manual/tls/#tls-configuration
  certificate:
@ -2858,6 +2817,69 @@ applicationSet:
    # -- Annotations to be applied to the ApplicationSet Certificate
    annotations: {}
  ## Ingress for the Git Generator webhook
  ## Ref: https://argocd-applicationset.readthedocs.io/en/master/Generators-Git/#webhook-configuration)
  ingress:
    # -- Enable an ingress resource for ApplicationSet webhook
    enabled: false
    # -- Additional ingress labels
    labels: {}
    # -- Additional ingress annotations
    annotations: {}
    # -- Defines which ingress ApplicationSet controller will implement the resource
    ingressClassName: ""
    # -- Argo CD ApplicationSet hostname
    ## NOTE: Hostname must be provided if Ingress is enabled
    hostname: argocd.example.com
    # -- List of ingress paths
    path: /api/webhook
    # -- Ingress path type. One of `Exact`, `Prefix` or `ImplementationSpecific`
    pathType: Prefix
    # -- Enable TLS configuration for the hostname defined at `applicationSet.webhook.ingress.hostname`
    ## TLS certificate will be retrieved from a TLS secret with name:`argocd-application-controller-tls`
    tls: false
    # -- The list of additional hostnames to be covered by ingress record
    # @default -- `[]` (See [values.yaml])
    extraHosts: []
      # - name: argocd.example.com
      #   path: /
    # -- Additional ingress paths
    # @default -- `[]` (See [values.yaml])
    extraPaths: []
      # - path: /*
      #   pathType: Prefix
      #   backend:
      #     service:
      #       name: ssl-redirect
      #       port:
      #         name: use-annotation
    # -- Additional ingress rules
    # @default -- `[]` (See [values.yaml])
    extraRules: []
      # - host: example.example.com
      #   http:
      #       path: /
      #       backend:
      #         service:
      #           name: example-svc
      #           port:
      #             name: http
    # -- Additional ingress TLS configuration
    # @default -- `[]` (See [values.yaml])
    extraTls: []
      # - secretName: argocd-applicationset-tls
      #   hosts:
      #     - argocd-applicationset.example.com
 ## Notifications controller
 notifications:
  # -- Enable notifications controller