From 1416d5e082b97878ab9c8cbe99e299669ee747d9 Mon Sep 17 00:00:00 2001 From: Marco Kilchhofer Date: Mon, 12 Jul 2021 12:54:17 +0200 Subject: [PATCH 1/4] fix(argocd-applicationset): Cleanup old CRD installation method (#827) Signed-off-by: Marco Kilchhofer --- charts/argocd-applicationset/.helmignore | 1 + charts/argocd-applicationset/Chart.yaml | 8 ++++--- charts/argocd-applicationset/README.md | 23 +++++++++++++++---- .../ci/default-values.yaml | 2 -- .../ci/leader-election-values.yaml | 2 -- .../argocd-applicationset/templates/crds.yaml | 6 ----- charts/argocd-applicationset/values.yaml | 2 -- 7 files changed, 24 insertions(+), 20 deletions(-) delete mode 100644 charts/argocd-applicationset/templates/crds.yaml diff --git a/charts/argocd-applicationset/.helmignore b/charts/argocd-applicationset/.helmignore index 0e8a0eb3..5bdaa3eb 100644 --- a/charts/argocd-applicationset/.helmignore +++ b/charts/argocd-applicationset/.helmignore @@ -21,3 +21,4 @@ .idea/ *.tmproj .vscode/ +ci/ diff --git a/charts/argocd-applicationset/Chart.yaml b/charts/argocd-applicationset/Chart.yaml index 2facbad1..b91b1441 100644 --- a/charts/argocd-applicationset/Chart.yaml +++ b/charts/argocd-applicationset/Chart.yaml @@ -2,10 +2,10 @@ apiVersion: v2 name: argocd-applicationset description: A Helm chart for installing ArgoCD ApplicationSet type: application -version: 0.1.7 +version: 1.0.0 appVersion: "v0.1.0" home: https://github.com/argoproj/argo-helm -icon: https://raw.githubusercontent.com/argoproj/argo/master/docs/assets/argo.png +icon: https://argocd-applicationset.readthedocs.io/en/stable/assets/logo.png keywords: - argoproj - appset @@ -14,4 +14,6 @@ maintainers: - name: maruina annotations: artifacthub.io/changes: | - - "[Added]: Initialize Changelog" + - "[Removed]: CRD installation via templates folder. CRDs are now only handled via the '/crds' folder in the same way like the ArgoCD chart." + - "[Removed]: Exclude '/ci' folder from being packaged into the final chart archive." + - "[Changed]: Fix icon url" diff --git a/charts/argocd-applicationset/README.md b/charts/argocd-applicationset/README.md index b200d9cf..0b59414b 100644 --- a/charts/argocd-applicationset/README.md +++ b/charts/argocd-applicationset/README.md @@ -10,6 +10,11 @@ This is a **community maintained** chart. This chart installs the [applicationse This chart currently installs the non-HA version of Argo CD ApplicationSet. +## Prerequisites + +- Helm v3.0.0+ +- The ApplicationSet controller **must** be installed into the same namespace as the Argo CD it is targetting. + ## Installing the Chart To install the chart with the release name `my-release`: @@ -23,10 +28,6 @@ NAME: my-release ... ``` -### Helm v3 Compatibility - -Users of Helm v3 should set the `installCRDs` value to `false` to avoid warnings about nonexistent webhooks. - ### Testing Users can test the chart with [kind](https://kind.sigs.k8s.io/) and [ct](https://github.com/helm/chart-testing). @@ -38,6 +39,19 @@ kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/st ct install --namespace argocd ``` +## Notes on CRD Installation + +Some users would prefer to install the CRDs _outside_ of the chart. You can disable the CRD installation of this chart by using `--skip-crds` when installing the chart. + +You then can install the CRDs manually from `crds` folder or via the manifests from the upstream project repo: + +```console +kubectl apply -k https://github.com/argoproj-labs/applicationset.git/manifests/crds?ref= + +# Eg. version v0.1.0 +kubectl apply -k https://github.com/argoproj-labs/applicationset.git/manifests/crds?ref=v0.1.0 +``` + ## Values | Key | Type | Default | Description | @@ -56,7 +70,6 @@ ct install --namespace argocd | image.repository | string | `"quay.io/argocdapplicationset/argocd-applicationset"` | If defined, a repository applied to the ApplicationSet deployment. | | image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion. | | imagePullSecrets | list | `[]` | If defined, uses a Secret to pull an image from a private Docker registry or repository. | -| installCRDs | bool | `true` | Install Custom Resource Definition | | mountSSHKnownHostsVolume | bool | `true` | Mount the `argocd-ssh-known-hosts-cm` volume | | mountTLSCertsVolume | bool | `true` | Mount the `argocd-tls-certs-cm` volume | | mountGPGKeysVolume | bool | `false` | Mount the `argocd-gpg-keys-cm` volume | diff --git a/charts/argocd-applicationset/ci/default-values.yaml b/charts/argocd-applicationset/ci/default-values.yaml index eb1b7aae..233dd8e2 100644 --- a/charts/argocd-applicationset/ci/default-values.yaml +++ b/charts/argocd-applicationset/ci/default-values.yaml @@ -4,8 +4,6 @@ replicaCount: 1 -installCRDs: false # this needs to be false with ct - image: # The image repository repository: quay.io/argocdapplicationset/argocd-applicationset diff --git a/charts/argocd-applicationset/ci/leader-election-values.yaml b/charts/argocd-applicationset/ci/leader-election-values.yaml index e7201ac1..39ec3078 100644 --- a/charts/argocd-applicationset/ci/leader-election-values.yaml +++ b/charts/argocd-applicationset/ci/leader-election-values.yaml @@ -2,5 +2,3 @@ args: enableLeaderElection: true replicaCount: 3 - -installCRDs: false diff --git a/charts/argocd-applicationset/templates/crds.yaml b/charts/argocd-applicationset/templates/crds.yaml deleted file mode 100644 index 45ab72d4..00000000 --- a/charts/argocd-applicationset/templates/crds.yaml +++ /dev/null @@ -1,6 +0,0 @@ -{{- if .Values.installCRDs }} -{{- range $path, $_ := .Files.Glob "crds/*.yaml" }} -{{ $.Files.Get $path }} ---- -{{- end }} -{{- end }} diff --git a/charts/argocd-applicationset/values.yaml b/charts/argocd-applicationset/values.yaml index 1be0c0ff..ac4b3bd9 100644 --- a/charts/argocd-applicationset/values.yaml +++ b/charts/argocd-applicationset/values.yaml @@ -4,8 +4,6 @@ replicaCount: 1 -installCRDs: true - image: # The image repository repository: quay.io/argocdapplicationset/argocd-applicationset From 62699ffc827757b5ed5842c593e9e4bd19120226 Mon Sep 17 00:00:00 2001 From: Marco Kilchhofer Date: Mon, 12 Jul 2021 13:06:50 +0200 Subject: [PATCH 2/4] fix(argo-cd): Add ServiceAccount for redis (#828) * Add ability to create ServiceAccount for redis Signed-off-by: Marco Kilchhofer * Use correct default for ServiceAccounts in _helpers.tpl Signed-off-by: Marco Kilchhofer * Bump version and update changelog Signed-off-by: Marco Kilchhofer --- charts/argo-cd/Chart.yaml | 4 ++-- charts/argo-cd/templates/_helpers.tpl | 19 +++++++++++++++---- .../argo-cd/templates/redis/deployment.yaml | 3 ++- .../templates/redis/serviceaccount.yaml | 15 +++++++++++++++ charts/argo-cd/values.yaml | 8 ++++++++ 5 files changed, 42 insertions(+), 7 deletions(-) create mode 100644 charts/argo-cd/templates/redis/serviceaccount.yaml diff --git a/charts/argo-cd/Chart.yaml b/charts/argo-cd/Chart.yaml index 6be2a125..3a503aca 100644 --- a/charts/argo-cd/Chart.yaml +++ b/charts/argo-cd/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 appVersion: 2.0.4 description: A Helm chart for ArgoCD, a declarative, GitOps continuous delivery tool for Kubernetes. name: argo-cd -version: 3.8.0 +version: 3.8.1 home: https://github.com/argoproj/argo-helm icon: https://raw.githubusercontent.com/argoproj/argo/master/docs/assets/argo.png keywords: @@ -21,4 +21,4 @@ dependencies: condition: redis-ha.enabled annotations: artifacthub.io/changes: | - - "[Added]: Ability to override API versions" + - "[Fixed]: Cannot create a service account for redis" diff --git a/charts/argo-cd/templates/_helpers.tpl b/charts/argo-cd/templates/_helpers.tpl index 177d1db8..c5d2adab 100644 --- a/charts/argo-cd/templates/_helpers.tpl +++ b/charts/argo-cd/templates/_helpers.tpl @@ -71,7 +71,7 @@ Create the name of the controller service account to use */}} {{- define "argo-cd.controllerServiceAccountName" -}} {{- if .Values.controller.serviceAccount.create -}} - {{ default (include "argo-cd.fullname" .) .Values.controller.serviceAccount.name }} + {{ default (include "argo-cd.controller.fullname" .) .Values.controller.serviceAccount.name }} {{- else -}} {{ default "default" .Values.controller.serviceAccount.name }} {{- end -}} @@ -82,18 +82,29 @@ Create the name of the dex service account to use */}} {{- define "argo-cd.dexServiceAccountName" -}} {{- if .Values.dex.serviceAccount.create -}} - {{ default (include "argo-cd.fullname" .) .Values.dex.serviceAccount.name }} + {{ default (include "argo-cd.dex.fullname" .) .Values.dex.serviceAccount.name }} {{- else -}} {{ default "default" .Values.dex.serviceAccount.name }} {{- end -}} {{- end -}} +{{/* +Create the name of the redis service account to use +*/}} +{{- define "argo-cd.redisServiceAccountName" -}} +{{- if .Values.redis.serviceAccount.create -}} + {{ default (include "argo-cd.redis.fullname" .) .Values.redis.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.redis.serviceAccount.name }} +{{- end -}} +{{- end -}} + {{/* Create the name of the ArgoCD server service account to use */}} {{- define "argo-cd.serverServiceAccountName" -}} {{- if .Values.server.serviceAccount.create -}} - {{ default (include "argo-cd.fullname" .) .Values.server.serviceAccount.name }} + {{ default (include "argo-cd.server.fullname" .) .Values.server.serviceAccount.name }} {{- else -}} {{ default "default" .Values.server.serviceAccount.name }} {{- end -}} @@ -104,7 +115,7 @@ Create the name of the repo-server service account to use */}} {{- define "argo-cd.repoServerServiceAccountName" -}} {{- if .Values.repoServer.serviceAccount.create -}} - {{ default (include "argo-cd.fullname" .) .Values.repoServer.serviceAccount.name }} + {{ default (include "argo-cd.repoServer.fullname" .) .Values.repoServer.serviceAccount.name }} {{- else -}} {{ default "default" .Values.repoServer.serviceAccount.name }} {{- end -}} diff --git a/charts/argo-cd/templates/redis/deployment.yaml b/charts/argo-cd/templates/redis/deployment.yaml index a6f0c46a..05500337 100755 --- a/charts/argo-cd/templates/redis/deployment.yaml +++ b/charts/argo-cd/templates/redis/deployment.yaml @@ -30,7 +30,8 @@ spec: imagePullSecrets: {{- toYaml . | nindent 8 }} {{- end }} - automountServiceAccountToken: false + automountServiceAccountToken: {{ .Values.redis.serviceAccount.automountServiceAccountToken }} + serviceAccountName: {{ template "argo-cd.redisServiceAccountName" . }} {{- if .Values.redis.securityContext }} securityContext: {{- toYaml .Values.redis.securityContext | nindent 8 }} {{- end }} diff --git a/charts/argo-cd/templates/redis/serviceaccount.yaml b/charts/argo-cd/templates/redis/serviceaccount.yaml new file mode 100644 index 00000000..ae67d3b2 --- /dev/null +++ b/charts/argo-cd/templates/redis/serviceaccount.yaml @@ -0,0 +1,15 @@ +{{- if and .Values.redis.enabled .Values.redis.serviceAccount.create }} +apiVersion: v1 +kind: ServiceAccount +automountServiceAccountToken: {{ .Values.redis.serviceAccount.automountServiceAccountToken }} +metadata: + name: {{ template "argo-cd.redisServiceAccountName" . }} +{{- if .Values.redis.serviceAccount.annotations }} + annotations: + {{- range $key, $value := .Values.redis.serviceAccount.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} +{{- end }} + labels: + {{- include "argo-cd.labels" (dict "context" . "component" .Values.redis.name "name" .Values.redis.name) | nindent 4 }} +{{- end }} diff --git a/charts/argo-cd/values.yaml b/charts/argo-cd/values.yaml index 6edc3e29..3ecfd228 100755 --- a/charts/argo-cd/values.yaml +++ b/charts/argo-cd/values.yaml @@ -365,6 +365,14 @@ redis: fsGroup: 1000 runAsNonRoot: true + serviceAccount: + create: false + name: "" + ## Annotations applied to created service account + annotations: {} + ## Automount API credentials for the Service Account + automountServiceAccountToken: false + resources: {} # limits: # cpu: 200m From 9c69a87f6719446cde3e1f6cec10c8bd6f4c61a3 Mon Sep 17 00:00:00 2001 From: Marco Kilchhofer Date: Tue, 13 Jul 2021 08:25:41 +0200 Subject: [PATCH 3/4] docs(argo-cd): Upgrading notes for ServiceAccount change in 3.8.1 (#830) Signed-off-by: Marco Kilchhofer --- charts/argo-cd/Chart.yaml | 4 ++-- charts/argo-cd/README.md | 28 ++++++++++++++++++++++++++++ 2 files changed, 30 insertions(+), 2 deletions(-) diff --git a/charts/argo-cd/Chart.yaml b/charts/argo-cd/Chart.yaml index 3a503aca..ea3fbc45 100644 --- a/charts/argo-cd/Chart.yaml +++ b/charts/argo-cd/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 appVersion: 2.0.4 description: A Helm chart for ArgoCD, a declarative, GitOps continuous delivery tool for Kubernetes. name: argo-cd -version: 3.8.1 +version: 3.8.2 home: https://github.com/argoproj/argo-helm icon: https://raw.githubusercontent.com/argoproj/argo/master/docs/assets/argo.png keywords: @@ -21,4 +21,4 @@ dependencies: condition: redis-ha.enabled annotations: artifacthub.io/changes: | - - "[Fixed]: Cannot create a service account for redis" + - "[Changed]: Add important upgrading notes to README concerning potential ServiceAccount renamings introduced in chart version 3.8.1+." diff --git a/charts/argo-cd/README.md b/charts/argo-cd/README.md index 219e76ab..1c12a617 100644 --- a/charts/argo-cd/README.md +++ b/charts/argo-cd/README.md @@ -34,6 +34,34 @@ Changes in the `CustomResourceDefinition` resources shall be fixed easily by cop ## Upgrading +### 3.8.1 + +This bugfix version potentially introduces a rename (and recreation) of one or more ServiceAccounts. It _only happens_ when you use one of these customization: + +```yaml +# Case 1) - only happens when you do not specify a custom name (repoServer.serviceAccount.name) +repoServer: + serviceAccount: + create: true + +# Case 2) +controller: + serviceAccount: + name: "" # or + +# Case 3) +dex: + serviceAccount: + name: "" # or + +# Case 4) +server: + serviceAccount: + name: "" # or +``` + +Please check if you are affected by one of these cases **before you upgrade**, especially when you use **cloud IAM roles for service accounts.** (eg. IRSA on AWS or Workload Identity for GKE) + ### 3.2.* With this minor version we introduced the evaluation for the ingress manifest (depending on the capabilities version), See [Pull Request](https://github.com/argoproj/argo-helm/pull/637). From 922799081d6037d71971baf3fecf3519c35326e9 Mon Sep 17 00:00:00 2001 From: Marco Kilchhofer Date: Tue, 13 Jul 2021 08:35:25 +0200 Subject: [PATCH 4/4] feat(argo-cd): Add ability to create network policies (#800) Signed-off-by: Marco Kilchhofer --- charts/argo-cd/Chart.yaml | 7 +++-- charts/argo-cd/README.md | 2 ++ .../networkpolicy.yaml | 19 ++++++++++++ .../argocd-repo-server/networkpolicy.yaml | 31 +++++++++++++++++++ .../argocd-server/networkpolicy.yaml | 16 ++++++++++ .../argo-cd/templates/dex/networkpolicy.yaml | 31 +++++++++++++++++++ .../templates/networkpolicy-default-deny.yaml | 12 +++++++ .../argo-cd/templates/redis/deployment.yaml | 2 +- .../templates/redis/networkpolicy.yaml | 29 +++++++++++++++++ charts/argo-cd/values.yaml | 4 +++ 10 files changed, 149 insertions(+), 4 deletions(-) create mode 100644 charts/argo-cd/templates/argocd-application-controller/networkpolicy.yaml create mode 100644 charts/argo-cd/templates/argocd-repo-server/networkpolicy.yaml create mode 100644 charts/argo-cd/templates/argocd-server/networkpolicy.yaml create mode 100644 charts/argo-cd/templates/dex/networkpolicy.yaml create mode 100644 charts/argo-cd/templates/networkpolicy-default-deny.yaml create mode 100644 charts/argo-cd/templates/redis/networkpolicy.yaml diff --git a/charts/argo-cd/Chart.yaml b/charts/argo-cd/Chart.yaml index ea3fbc45..60ff890e 100644 --- a/charts/argo-cd/Chart.yaml +++ b/charts/argo-cd/Chart.yaml @@ -2,9 +2,9 @@ apiVersion: v2 appVersion: 2.0.4 description: A Helm chart for ArgoCD, a declarative, GitOps continuous delivery tool for Kubernetes. name: argo-cd -version: 3.8.2 +version: 3.9.0 home: https://github.com/argoproj/argo-helm -icon: https://raw.githubusercontent.com/argoproj/argo/master/docs/assets/argo.png +icon: https://argoproj.github.io/argo-cd/assets/logo.png keywords: - argoproj - argocd @@ -21,4 +21,5 @@ dependencies: condition: redis-ha.enabled annotations: artifacthub.io/changes: | - - "[Changed]: Add important upgrading notes to README concerning potential ServiceAccount renamings introduced in chart version 3.8.1+." + - "[Added]: Ability to create network policies" + - "[Changed]: Fix icon url" diff --git a/charts/argo-cd/README.md b/charts/argo-cd/README.md index 1c12a617..bb929e93 100644 --- a/charts/argo-cd/README.md +++ b/charts/argo-cd/README.md @@ -136,6 +136,8 @@ NAME: my-release | global.securityContext | Toggle and define securityContext | See [values.yaml](values.yaml) | | global.imagePullSecrets | If defined, uses a Secret to pull an image from a private Docker registry or repository. | `[]` | | global.hostAliases | Mapping between IP and hostnames that will be injected as entries in the pod's hosts files | `[]` | +| global.networkPolicy.create | Create NetworkPolicy objects for all components | `false` | +| global.networkPolicy.defaultDenyIngress | Default deny all ingress traffic | `false` | | kubeVersionOverride | Override the Kubernetes version, which is used to evaluate certain manifests | `""` | | nameOverride | Provide a name in place of `argocd` | `"argocd"` | | fullnameOverride | String to fully override `"argo-cd.fullname"` | `""` | diff --git a/charts/argo-cd/templates/argocd-application-controller/networkpolicy.yaml b/charts/argo-cd/templates/argocd-application-controller/networkpolicy.yaml new file mode 100644 index 00000000..9116fbcf --- /dev/null +++ b/charts/argo-cd/templates/argocd-application-controller/networkpolicy.yaml @@ -0,0 +1,19 @@ +{{- if .Values.global.networkPolicy.create }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + labels: + {{- include "argo-cd.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }} + name: {{ template "argo-cd.controller.fullname" . }} +spec: + ingress: + - from: + - namespaceSelector: {} + ports: + - port: controller + podSelector: + matchLabels: + {{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.controller.name) | nindent 6 }} + policyTypes: + - Ingress +{{- end }} diff --git a/charts/argo-cd/templates/argocd-repo-server/networkpolicy.yaml b/charts/argo-cd/templates/argocd-repo-server/networkpolicy.yaml new file mode 100644 index 00000000..0d9274ed --- /dev/null +++ b/charts/argo-cd/templates/argocd-repo-server/networkpolicy.yaml @@ -0,0 +1,31 @@ +{{- if .Values.global.networkPolicy.create }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + labels: + {{- include "argo-cd.labels" (dict "context" . "component" .Values.repoServer.name "name" .Values.repoServer.name) | nindent 4 }} + name: {{ template "argo-cd.repoServer.fullname" . }} +spec: + ingress: + - from: + - podSelector: + matchLabels: + {{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.server.name) | nindent 10 }} + - podSelector: + matchLabels: + {{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.controller.name) | nindent 10 }} + ports: + - port: repo-server + protocol: TCP + {{- if .Values.repoServer.metrics.enabled }} + - from: + - namespaceSelector: {} + ports: + - port: metrics + {{- end }} + podSelector: + matchLabels: + {{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.repoServer.name) | nindent 6 }} + policyTypes: + - Ingress +{{- end }} diff --git a/charts/argo-cd/templates/argocd-server/networkpolicy.yaml b/charts/argo-cd/templates/argocd-server/networkpolicy.yaml new file mode 100644 index 00000000..8300d696 --- /dev/null +++ b/charts/argo-cd/templates/argocd-server/networkpolicy.yaml @@ -0,0 +1,16 @@ +{{- if .Values.global.networkPolicy.create }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + labels: + {{- include "argo-cd.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }} + name: {{ template "argo-cd.server.fullname" . }} +spec: + ingress: + - {} + podSelector: + matchLabels: + {{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.server.name) | nindent 6 }} + policyTypes: + - Ingress +{{- end }} diff --git a/charts/argo-cd/templates/dex/networkpolicy.yaml b/charts/argo-cd/templates/dex/networkpolicy.yaml new file mode 100644 index 00000000..e79a2e3e --- /dev/null +++ b/charts/argo-cd/templates/dex/networkpolicy.yaml @@ -0,0 +1,31 @@ +{{- if and .Values.global.networkPolicy.create .Values.dex.enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + labels: + {{- include "argo-cd.labels" (dict "context" . "component" .Values.dex.name "name" .Values.dex.name) | nindent 4 }} + name: {{ template "argo-cd.dex.fullname" . }} +spec: + ingress: + - from: + - podSelector: + matchLabels: + {{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.server.name) | nindent 10 }} + ports: + - port: http + protocol: TCP + - port: grpc + protocol: TCP + {{- if .Values.dex.metrics.enabled }} + - from: + - namespaceSelector: {} + ports: + - port: metrics + protocol: TCP + {{- end }} + podSelector: + matchLabels: + {{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.dex.name) | nindent 6 }} + policyTypes: + - Ingress +{{- end }} diff --git a/charts/argo-cd/templates/networkpolicy-default-deny.yaml b/charts/argo-cd/templates/networkpolicy-default-deny.yaml new file mode 100644 index 00000000..3d47a397 --- /dev/null +++ b/charts/argo-cd/templates/networkpolicy-default-deny.yaml @@ -0,0 +1,12 @@ +{{- if and .Values.global.networkPolicy.create .Values.global.networkPolicy.defaultDenyIngress }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + labels: + {{- include "argo-cd.labels" (dict "context" .) | nindent 4 }} + name: {{ template "argo-cd.fullname" . }}-default-deny +spec: + podSelector: {} + policyTypes: + - Ingress +{{- end }} diff --git a/charts/argo-cd/templates/redis/deployment.yaml b/charts/argo-cd/templates/redis/deployment.yaml index 05500337..5b5879a3 100755 --- a/charts/argo-cd/templates/redis/deployment.yaml +++ b/charts/argo-cd/templates/redis/deployment.yaml @@ -59,8 +59,8 @@ spec: {{- end }} ports: - containerPort: {{ .Values.redis.containerPort }} + name: redis {{- if .Values.redis.volumeMounts }} - volumeMounts: {{- toYaml .Values.redis.volumeMounts | nindent 10 }} {{- end }} diff --git a/charts/argo-cd/templates/redis/networkpolicy.yaml b/charts/argo-cd/templates/redis/networkpolicy.yaml new file mode 100644 index 00000000..881e257c --- /dev/null +++ b/charts/argo-cd/templates/redis/networkpolicy.yaml @@ -0,0 +1,29 @@ +{{- $redisHa := (index .Values "redis-ha") -}} +{{- if and .Values.global.networkPolicy.create .Values.redis.enabled (not $redisHa.enabled) }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + labels: + {{- include "argo-cd.labels" (dict "context" . "component" .Values.redis.name "name" .Values.redis.name) | nindent 4 }} + name: {{ template "argo-cd.redis.fullname" . }} +spec: + ingress: + - from: + - podSelector: + matchLabels: + {{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.server.name) | nindent 10 }} + - podSelector: + matchLabels: + {{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.repoServer.name) | nindent 10 }} + - podSelector: + matchLabels: + {{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.controller.name) | nindent 10 }} + ports: + - port: redis + protocol: TCP + podSelector: + matchLabels: + {{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.redis.name) | nindent 6 }} + policyTypes: + - Ingress +{{- end }} diff --git a/charts/argo-cd/values.yaml b/charts/argo-cd/values.yaml index 3ecfd228..452aba69 100755 --- a/charts/argo-cd/values.yaml +++ b/charts/argo-cd/values.yaml @@ -20,6 +20,10 @@ global: # hostnames: # - git.myhostname + networkPolicy: + create: false + defaultDenyIngress: false + # Override APIVersions # If you want to template helm charts but cannot access k8s API server # you can set api versions here