DevFW-CICD/argocd-helm
14
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(argo-cd): Move argocd-cm and argocd-rbac-cm to config section (#1528)

Browse source 
Signed-off-by: Petr Drastil <petr.drastil@gmail.com>
This commit is contained in:
Petr Drastil 2022-10-25 19:05:38 +02:00 committed by GitHub
parent 24de82b214
commit c8f7efb68f
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
8 changed files with 170 additions and 154 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
charts/argo-cd/Chart.yaml
View file

@ -2,7 +2,7 @@ apiVersion: v2
appVersion: v2.4.15
description: A Helm chart for Argo CD, a declarative, GitOps continuous delivery tool for Kubernetes.
name: argo-cd
version: 5.6.8
version: 5.7.0
home: https://github.com/argoproj/argo-helm
icon: https://argo-cd.readthedocs.io/en/stable/assets/logo.png
sources:
@ -22,4 +22,6 @@ dependencies:
condition: redis-ha.enabled
annotations:
artifacthub.io/changes: |
- "[Changed]: DRY cleanup of metrics templates"
- "[Added]: Configuration sections configs.cm and configs.rbac"
- "[Deprecated]: Generic configuration via server.config"
- "[Deprecated]: Argo RBAC configuration via server.rbacConfig"

19
charts/argo-cd/README.md
View file

@ -370,6 +370,14 @@ NAME: my-release
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| configs.clusterCredentials | list | `[]` (See [values.yaml]) | Provide one or multiple [external cluster credentials] |
| configs.cm."admin.enabled" | string | `"true"` | Enable local admin user |
| configs.cm."application.instanceLabelKey" | string | Defaults to app.kubernetes.io/instance | The name of tracking label used by Argo CD for resource pruning |
| configs.cm."exec.enabled" | string | `"false"` | Enable exec feature in Argo UI |
| configs.cm."server.rbac.log.enforce.enable" | string | `"false"` | Enable logs RBAC enforcement |
| configs.cm."timeout.hard.reconciliation" | string | `"0"` | Timeout to refresh application data as well as target manifests cache |
| configs.cm."timeout.reconciliation" | string | `"180s"` | Timeout to discover if a new manifests version got published to the repository |
| configs.cm.annotations | object | `{}` | Annotations to be added to argocd-cm configmap |
| configs.cm.create | bool | `true` | Create the argocd-cm configmap for [Declarative setup] |
| configs.credentialTemplates | object | `{}` | Repository credentials to be used as Templates for other repos |
| configs.credentialTemplatesAnnotations | object | `{}` | Annotations to be added to `configs.credentialTemplates` Secret |
| configs.gpgKeys | object | `{}` (See [values.yaml]) | [GnuPG](https://argo-cd.readthedocs.io/en/stable/user-guide/gpg-verification/) keys to add to the key ring |
@ -390,6 +398,11 @@ NAME: my-release
| configs.params."server.staticassets" | string | `"/shared/app"` | Directory path that contains additional static assets |
| configs.params."server.x.frame.options" | string | `"sameorigin"` | Set X-Frame-Options header in HTTP responses to value. To disable, set to "". |
| configs.params.annotations | object | `{}` | Annotations to be added to the argocd-cmd-params-cm ConfigMap |
| configs.rbac."policy.csv" | string | `''` (See [values.yaml]) | File containing user-defined policies and role definitions. |
| configs.rbac."policy.default" | string | `""` | The name of the default role which Argo CD will falls back to, when authorizing API requests (optional). If omitted or empty, users may be still be able to login, but will see no apps, projects, etc... |
| configs.rbac.annotations | object | `{}` | Annotations to be added to argocd-rbac-cm configmap |
| configs.rbac.create | bool | `true` | Create the argocd-rbac-cm configmap with ([Argo CD RBAC policy]) definitions. If false, it is expected the configmap will be created by something else. Argo CD will not work if there is no configmap created with the name above. |
| configs.rbac.scopes | string | `"[groups]"` | OIDC scopes to examine during rbac enforcement (in addition to `sub` scope). The scope value can be a string, or a list of strings. |
| configs.repositories | object | `{}` | Repositories list to be used by applications |
| configs.repositoriesAnnotations | object | `{}` | Annotations to be added to `configs.repositories` Secret |
| configs.secret.annotations | object | `{}` | Annotations to be added to argocd-secret |
@ -586,9 +599,6 @@ NAME: my-release
| server.certificate.renewBefore | string | `""` | How long before the currently issued certificate's expiry cert-manager should renew the certificate. Value must be in units accepted by Go time.ParseDuration |
| server.certificate.secretName | string | `"argocd-server-tls"` | The name of the Secret that will be automatically created and managed by this Certificate resource |
| server.clusterAdminAccess.enabled | bool | `true` | Enable RBAC for local cluster deployments |
| server.config | object | See [values.yaml] | [General Argo CD configuration] |
| server.configAnnotations | object | `{}` | Annotations to be added to Argo CD ConfigMap |
| server.configEnabled | bool | `true` | Manage Argo CD configmap (Declarative Setup) |
| server.containerPort | int | `8080` | Configures the server port |
| server.containerSecurityContext | object | `{}` | Servers container-level security context |
| server.env | list | `[]` | Environment variables to pass to Argo CD server |
@ -659,9 +669,6 @@ NAME: my-release
| server.podAnnotations | object | `{}` | Annotations to be added to server pods |
| server.podLabels | object | `{}` | Labels to be added to server pods |
| server.priorityClassName | string | `""` | Priority class for the Argo CD server |
| server.rbacConfig | object | `{}` | Argo CD rbac config ([Argo CD RBAC policy]) |
| server.rbacConfigAnnotations | object | `{}` | Annotations to be added to Argo CD rbac ConfigMap |
| server.rbacConfigCreate | bool | `true` | Whether or not to create the configmap. If false, it is expected the configmap will be created by something else. Argo CD will not work if there is no configMap created with the name above. |
| server.readinessProbe.failureThreshold | int | `3` | Minimum consecutive failures for the [probe] to be considered failed after having succeeded |
| server.readinessProbe.initialDelaySeconds | int | `10` | Number of seconds after the container has started before [probe] is initiated |
| server.readinessProbe.periodSeconds | int | `10` | How often (in seconds) to perform the [probe] |

8
charts/argo-cd/templates/NOTES.txt
View file

@ -34,6 +34,12 @@ DEPRECATED option repoServer.logFormat - Use configs.params.repoServer.log.forma
{{- if .Values.repoServer.logLevel }}
DEPRECATED option repoServer.logLevel - Use configs.params.repoServer.log.level
{{- end }}
{{- if or .Values.server.config .Values.server.configEnabled .Values.server.configAnnotations }}
DEPRECATED option server.config - Use configs.cm
{{- end }}
{{- if or .Values.server.rbacConfig .Values.server.rbacConfigCreate .Values.server.rbacConfigAnnotations }}
DEPRECATED option server.rbacConfig - Use configs.rbac
{{- end }}
{{- if .Values.controller.service }}
REMOVED option controller.service - Use controller.metrics
{{- end }}
@ -52,7 +58,7 @@ In order to access the server UI you have the following options:
- Set the `configs.params."server.insecure"` in the values file and terminate SSL at your ingress: https://argo-cd.readthedocs.io/en/stable/operator-manual/ingress/#option-2-multiple-ingress-objects-and-hosts
{{ if eq (index .Values.server.config "admin.enabled") "true" -}}
{{ if eq (index (coalesce .Values.server.config .Values.configs.cm) "admin.enabled") "true" -}}
After reaching the UI the first time you can login with username: admin and the random password generated during the installation. You can find the password by running:
kubectl -n {{ .Release.Namespace }} get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d

14
charts/argo-cd/templates/_helpers.tpl
View file

@ -161,19 +161,19 @@ Create the name of the notifications bots slack service account to use
{{/*
Argo Configuration Preset Values (Incluenced by Values configuration)
*/}}
{{- define "argo-cd.config.presets" -}}
{{- if .Values.configs.styles }}
{{- define "argo-cd.config.cm.presets" -}}
{{- if .Values.configs.styles -}}
ui.cssurl: "./custom/custom.styles.css"
{{- end }}
{{- end -}}
{{- end -}}
{{/*
Merge Argo Configuration with Preset Configuration
*/}}
{{- define "argo-cd.config" -}}
{{- if .Values.server.configEnabled -}}
{{- toYaml (mergeOverwrite (default dict (fromYaml (include "argo-cd.config.presets" $))) .Values.server.config) }}
{{- end -}}
{{- define "argo-cd.config.cm" -}}
{{- $config := coalesce .Values.server.config (omit .Values.configs.cm "create" "annotations") -}}
{{- $preset := include "argo-cd.config.cm.presets" . | fromYaml | default dict -}}
{{- mergeOverwrite $preset $config | toYaml }}
{{- end -}}
{{/*

6
charts/argo-cd/templates/argocd-configs/argocd-cm.yaml
View file

@ -1,16 +1,16 @@
{{- if .Values.server.configEnabled }}
{{- if (coalesce .Values.server.configEnabled .Values.configs.cm.create) }}
apiVersion: v1
kind: ConfigMap
metadata:
name: argocd-cm
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.server.name "name" "cm") | nindent 4 }}
{{- with .Values.server.configAnnotations }}
{{- with (coalesce .Values.server.configAnnotations .Values.configs.cm.annotations) }}
annotations:
{{- range $key, $value := . }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
data:
{{- include "argo-cd.config" $ | nindent 2 }}
{{- include "argo-cd.config.cm" . | nindent 2 }}
{{- end }}

6
charts/argo-cd/templates/argocd-configs/argocd-rbac-cm.yaml
View file

@ -1,17 +1,17 @@
{{- if .Values.server.rbacConfigCreate }}
{{- if (coalesce .Values.server.rbacConfigCreate .Values.configs.rbac.create) }}
apiVersion: v1
kind: ConfigMap
metadata:
name: argocd-rbac-cm
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.server.name "name" "rbac-cm") | nindent 4 }}
{{- with .Values.server.rbacConfigAnnotations }}
{{- with (coalesce .Values.server.rbacConfigAnnotations .Values.configs.rbac.annotations) }}
annotations:
{{- range $key, $value := . }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
{{- with .Values.server.rbacConfig }}
{{- with (coalesce .Values.server.rbacConfig (omit .Values.configs.rbac "create" "annotations")) }}
data:
{{- toYaml . | nindent 2 }}
{{- end }}

2
charts/argo-cd/templates/argocd-server/clusterrole.yaml
View file

@ -27,7 +27,7 @@ rules:
- pods/log
verbs:
- get
{{- if eq (index .Values.server.config "exec.enabled") "true" }}
{{- if eq (index (coalesce .Values.server.config .Values.configs.cm) "exec.enabled") "true" }}
- apiGroups:
- ""
resources:

263
charts/argo-cd/values.yaml
View file

@ -85,6 +85,138 @@ global:
## Argo Configs
configs:
# General Argo CD configuration
## Ref: https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/argocd-cm.yaml
cm:
# -- Create the argocd-cm configmap for [Declarative setup]
create: true
# -- Annotations to be added to argocd-cm configmap
annotations: {}
# -- The name of tracking label used by Argo CD for resource pruning
# @default -- Defaults to app.kubernetes.io/instance
application.instanceLabelKey: argocd.argoproj.io/instance
# -- Enable logs RBAC enforcement
## Ref: https://argo-cd.readthedocs.io/en/latest/operator-manual/upgrading/2.3-2.4/#enable-logs-rbac-enforcement
server.rbac.log.enforce.enable: "false"
# -- Enable exec feature in Argo UI
## Ref: https://argo-cd.readthedocs.io/en/latest/operator-manual/rbac/#exec-resource
exec.enabled: "false"
# -- Enable local admin user
## Ref: https://argo-cd.readthedocs.io/en/latest/faq/#how-to-disable-admin-user
admin.enabled: "true"
# -- Timeout to discover if a new manifests version got published to the repository
timeout.reconciliation: 180s
# -- Timeout to refresh application data as well as target manifests cache
timeout.hard.reconciliation: "0"
# Dex configuration
# dex.config: |
# connectors:
# # GitHub example
# - type: github
# id: github
# name: GitHub
# config:
# clientID: aabbccddeeff00112233
# clientSecret: $dex.github.clientSecret # Alternatively $<some_K8S_secret>:dex.github.clientSecret
# orgs:
# - name: your-github-org
# OIDC configuration as an alternative to dex (optional).
# oidc.config: |
# name: AzureAD
# issuer: https://login.microsoftonline.com/TENANT_ID/v2.0
# clientID: CLIENT_ID
# clientSecret: $oidc.azuread.clientSecret
# requestedIDTokenClaims:
# groups:
# essential: true
# requestedScopes:
# - openid
# - profile
# - email
# Argo CD configuration parameters
## Ref: https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/argocd-cmd-params-cm.yaml
params:
# -- Annotations to be added to the argocd-cmd-params-cm ConfigMap
annotations: {}
## Generic parameters
# -- Open-Telemetry collector address: (e.g. "otel-collector:4317")
otlp.address: ''
## Controller Properties
# -- Number of application status processors
controller.status.processors: 20
# -- Number of application operation processors
controller.operation.processors: 10
# -- Specifies timeout between application self heal attempts
controller.self.heal.timeout.seconds: 5
# -- Repo server RPC call timeout seconds.
controller.repo.server.timeout.seconds: 60
## Server properties
# -- Run server without TLS
server.insecure: false
# -- Value for base href in index.html. Used if Argo CD is running behind reverse proxy under subpath different from /
server.basehref: /
# -- Used if Argo CD is running behind reverse proxy under subpath different from /
server.rootpath: ''
# -- Directory path that contains additional static assets
server.staticassets: /shared/app
# -- Disable Argo CD RBAC for user authentication
server.disable.auth: false
# -- Enable GZIP compression
server.enable.gzip: false
# -- Set X-Frame-Options header in HTTP responses to value. To disable, set to "".
server.x.frame.options: sameorigin
## Repo-server properties
# -- Limit on number of concurrent manifests generate requests. Any value less the 1 means no limit.
reposerver.parallelism.limit: 0
# Argo CD RBAC policy configuration
## Ref: https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/rbac.md
rbac:
# -- Create the argocd-rbac-cm configmap with ([Argo CD RBAC policy]) definitions.
# If false, it is expected the configmap will be created by something else.
# Argo CD will not work if there is no configmap created with the name above.
create: true
# -- Annotations to be added to argocd-rbac-cm configmap
annotations: {}
# -- The name of the default role which Argo CD will falls back to, when authorizing API requests (optional).
# If omitted or empty, users may be still be able to login, but will see no apps, projects, etc...
policy.default: ''
# -- File containing user-defined policies and role definitions.
# @default -- `''` (See [values.yaml])
policy.csv: ''
# Policy rules are in the form:
# p, subject, resource, action, object, effect
# Role definitions and bindings are in the form:
# g, subject, inherited-subject
# policy.csv |
# p, role:org-admin, applications, *, */*, allow
# p, role:org-admin, clusters, get, *, allow
# p, role:org-admin, repositories, *, *, allow
# p, role:org-admin, logs, get, *, allow
# p, role:org-admin, exec, create, */*, allow
# g, your-github-org:your-team, role:org-admin
# -- OIDC scopes to examine during rbac enforcement (in addition to `sub` scope).
# The scope value can be a string, or a list of strings.
scopes: "[groups]"
# -- Provide one or multiple [external cluster credentials]
# @default -- `[]` (See [values.yaml])
## Ref:
@ -296,46 +428,6 @@ configs:
# background: linear-gradient(to bottom, #999, #777, #333, #222, #111);
# }
# Argo CD configuration parameters
## Ref: https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/argocd-cmd-params-cm.yaml
params:
# -- Annotations to be added to the argocd-cmd-params-cm ConfigMap
annotations: {}
## Generic parameters
# -- Open-Telemetry collector address: (e.g. "otel-collector:4317")
otlp.address: ''
## Controller Properties
# -- Number of application status processors
controller.status.processors: 20
# -- Number of application operation processors
controller.operation.processors: 10
# -- Specifies timeout between application self heal attempts
controller.self.heal.timeout.seconds: 5
# -- Repo server RPC call timeout seconds.
controller.repo.server.timeout.seconds: 60
## Server properties
# -- Run server without TLS
server.insecure: false
# -- Value for base href in index.html. Used if Argo CD is running behind reverse proxy under subpath different from /
server.basehref: /
# -- Used if Argo CD is running behind reverse proxy under subpath different from /
server.rootpath: ''
# -- Directory path that contains additional static assets
server.staticassets: /shared/app
# -- Disable Argo CD RBAC for user authentication
server.disable.auth: false
# -- Enable GZIP compression
server.enable.gzip: false
# -- Set X-Frame-Options header in HTTP responses to value. To disable, set to "".
server.x.frame.options: sameorigin
## Repo-server properties
# -- Limit on number of concurrent manifests generate requests. Any value less the 1 means no limit.
reposerver.parallelism.limit: 0
# -- Array of extra K8s manifests to deploy
extraObjects: []
# - apiVersion: secrets-store.csi.x-k8s.io/v1
@ -1540,97 +1632,6 @@ server:
# -- Termination policy of Openshift Route
termination_policy: None
# -- Manage Argo CD configmap (Declarative Setup)
## Ref: https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/argocd-cm.yaml
configEnabled: true
# -- [General Argo CD configuration]
# @default -- See [values.yaml]
config:
# Argo CD's externally facing base URL (optional). Required when configuring SSO
url: ""
# Argo CD instance label key
application.instanceLabelKey: argocd.argoproj.io/instance
# Enable logs RBAC enforcement
# Ref: https://argo-cd.readthedocs.io/en/latest/operator-manual/upgrading/2.3-2.4/#enable-logs-rbac-enforcement
server.rbac.log.enforce.enable: "false"
# exec.enabled indicates whether the UI exec feature is enabled. It is disabled by default.
# Ref: https://argo-cd.readthedocs.io/en/latest/operator-manual/rbac/#exec-resource
exec.enabled: "false"
# admin.enabled indicates whether the admin user is enabled. It is enabled by default.
# https://argo-cd.readthedocs.io/en/latest/faq/#how-to-disable-admin-user
admin.enabled: "true"
# Application reconciliation timeout is the max amount of time required to discover if a new manifests version got
# published to the repository. Reconciliation by timeout is disabled if timeout is set to 0. Three minutes by default.
timeout.reconciliation: 180s
# Timeout to refresh application data as well as target manifests cache
timeout.hard.reconciliation: "0"
# Dex configuration
# dex.config: |
# connectors:
# # GitHub example
# - type: github
# id: github
# name: GitHub
# config:
# clientID: aabbccddeeff00112233
# clientSecret: $dex.github.clientSecret # Alternatively $<some_K8S_secret>:dex.github.clientSecret
# orgs:
# - name: your-github-org
# OIDC configuration as an alternative to dex (optional).
# oidc.config: |
# name: AzureAD
# issuer: https://login.microsoftonline.com/TENANT_ID/v2.0
# clientID: CLIENT_ID
# clientSecret: $oidc.azuread.clientSecret
# requestedIDTokenClaims:
# groups:
# essential: true
# requestedScopes:
# - openid
# - profile
# - email
# -- Annotations to be added to Argo CD ConfigMap
configAnnotations: {}
# -- Argo CD rbac config ([Argo CD RBAC policy])
## Ref: https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/rbac.md
rbacConfig:
{}
# policy.csv is a file containing user-defined RBAC policies and role definitions (optional).
# Policy rules are in the form:
# p, subject, resource, action, object, effect
# Role definitions and bindings are in the form:
# g, subject, inherited-subject
# See https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/rbac.md for additional information.
# policy.csv: |
# # Grant all members of the group 'my-org:team-alpha; the ability to sync apps in 'my-project'
# p, my-org:team-alpha, applications, sync, my-project/*, allow
# # Grant all members of 'my-org:team-beta' admins
# g, my-org:team-beta, role:admin
# policy.default is the name of the default role which Argo CD will falls back to, when
# authorizing API requests (optional). If omitted or empty, users may be still be able to login,
# but will see no apps, projects, etc...
# policy.default: role:readonly
# scopes controls which OIDC scopes to examine during rbac enforcement (in addition to `sub` scope).
# If omitted, defaults to: '[groups]'. The scope value can be a string, or a list of strings.
# scopes: '[cognito:groups, email]'
# -- Annotations to be added to Argo CD rbac ConfigMap
rbacConfigAnnotations: {}
# -- Whether or not to create the configmap. If false, it is expected the configmap will be created
# by something else. Argo CD will not work if there is no configMap created with the name above.
rbacConfigCreate: true
## Enable Admin ClusterRole resources.
## Enable if you would like to grant rights to Argo CD to deploy to the local Kubernetes cluster.
clusterAdminAccess: