feat(argo-cd): Add probes for Dex server (#890)

* Add probes for Dex server >= 2.28.0

Signed-off-by: Petr Drastil <petr.drastil@gmail.com>

* Enable metrics port and allow user to configure only retries

Signed-off-by: Petr Drastil <petr.drastil@gmail.com>

* Update README

Signed-off-by: Petr Drastil <petr.drastil@gmail.com>

* Place probe configuration on top-level

Signed-off-by: Petr Drastil <petr.drastil@gmail.com>

charts/argo-cd/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 appVersion: 2.1.0
 description: A Helm chart for ArgoCD, a declarative, GitOps continuous delivery tool for Kubernetes.
 name: argo-cd
-version: 3.13.2
+version: 3.14.0
 home: https://github.com/argoproj/argo-helm
 icon: https://argoproj.github.io/argo-cd/assets/logo.png
 keywords:
@@ -21,4 +21,4 @@ dependencies:
     condition: redis-ha.enabled
 annotations:
   artifacthub.io/changes: |
-    - "[Changed]: Parameterized dex service port names for istio-ingress 403 error"
+    - "[Added]: Probe configuration for Dex server"

charts/argo-cd/README.md

@@ -36,7 +36,7 @@ Changes in the `CustomResourceDefinition` resources shall be fixed easily by cop
 
 ### 3.13.0
 
-This release removes the flag `--staticassets` from argocd server as it has been dropped upstream. If this flag needs to be enabled e.g for older releases of ArgoCD, it can be passed via the `server.extraArgs` field 
+This release removes the flag `--staticassets` from argocd server as it has been dropped upstream. If this flag needs to be enabled e.g for older releases of ArgoCD, it can be passed via the `server.extraArgs` field
 
 ### 3.10.2
 
@@ -71,7 +71,7 @@ server:
 
 Please check if you are affected by one of these cases **before you upgrade**, especially when you use **cloud IAM roles for service accounts.** (eg. IRSA on AWS or Workload Identity for GKE)
 
-### 3.2.* 
+### 3.2.*
 
 With this minor version we introduced the evaluation for the ingress manifest (depending on the capabilities version), See [Pull Request](https://github.com/argoproj/argo-helm/pull/637).
 [Issue 703](https://github.com/argoproj/argo-helm/issues/703) reported that the capabilities evaluation is **not handled correctly when deploying the chart via an ArgoCD instance**,
@@ -81,7 +81,7 @@ If you are running a cluster version prior to `1.19` you can avoid this issue by
 
 ```yaml
 kubeVersionOverride: "1.18.0"
-``` 
+```
 
 Then you should no longer encounter this issue.
 
@@ -391,6 +391,18 @@ NAME: my-release
 | dex.nodeSelector | [Node selector](https://kubernetes.io/docs/user-guide/node-selection/) | `{}` |
 | dex.podAnnotations | Annotations for the Dex server pods | `{}` |
 | dex.podLabels | Labels for the Dex server pods | `{}` |
+| dex.livenessProbe.enabled | Enable Kubernetes liveness probe for Dex >= 2.28.0 | `false` |
+| dex.livenessProbe.failureThreshold | [Kubernetes probe configuration](https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes) | `3` |
+| dex.livenessProbe.initialDelaySeconds | [Kubernetes probe configuration](https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes) |`10` |
+| dex.livenessProbe.periodSeconds | [Kubernetes probe configuration](https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes) | `10` |
+| dex.livenessProbe.successThreshold | [Kubernetes probe configuration](https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes) | `1` |
+| dex.livenessProbe.timeoutSeconds | [Kubernetes probe configuration](https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes) | `1` |
+| dex.readinessProbe.enabled | Enable Kubernetes readiness probe for Dex >= 2.28.0 | `false` |
+| dex.readinessProbe.failureThreshold | [Kubernetes probe configuration](https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes) | `3` |
+| dex.readinessProbe.initialDelaySeconds | [Kubernetes probe configuration](https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes) |`10` |
+| dex.readinessProbe.periodSeconds | [Kubernetes probe configuration](https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes) | `10` |
+| dex.readinessProbe.successThreshold | [Kubernetes probe configuration](https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes) | `1` |
+| dex.readinessProbe.timeoutSeconds | [Kubernetes probe configuration](https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes) | `1` |
 | dex.priorityClassName | Priority class for dex | `""` |
 | dex.resources | Resource limits and requests for dex | `{}` |
 | dex.serviceAccount.automountServiceAccountToken | Automount API credentials for the Service Account | `true` |
@@ -447,14 +459,14 @@ through `xxx.extraArgs`
 
 
 ### Using AWS ALB Ingress Controller With GRPC
-If you are using an AWS ALB Ingress controller, you will need to set `server.ingressGrpc.isAWSALB` to `true`. This will create a second service with the annotation `alb.ingress.kubernetes.io/backend-protocol-version: HTTP2` and modify the server ingress to add a condition annotation to route GRPC traffic to the new service. 
+If you are using an AWS ALB Ingress controller, you will need to set `server.ingressGrpc.isAWSALB` to `true`. This will create a second service with the annotation `alb.ingress.kubernetes.io/backend-protocol-version: HTTP2` and modify the server ingress to add a condition annotation to route GRPC traffic to the new service.
 
 Example:
 ```yaml
 server:
   ingress:
     enabled: true
-    annotations: 
+    annotations:
       alb.ingress.kubernetes.io/backend-protocol: HTTPS
       alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}]'
       alb.ingress.kubernetes.io/scheme: internal
@@ -464,5 +476,5 @@ server:
     isAWSALB: true
     awsALB:
       serviceType: ClusterIP
-      
+
 ```

charts/argo-cd/templates/dex/deployment.yaml

@@ -73,10 +73,26 @@ spec:
         - name: grpc
           containerPort: {{ .Values.dex.containerPortGrpc }}
           protocol: TCP
-        {{- if .Values.dex.metrics.enabled }}
         - name: metrics
           containerPort: {{ .Values.dex.containerPortMetrics }}
           protocol: TCP
+        {{- if .Values.dex.livenessProbe.enabled }}
+        livenessProbe:
+          httpGet:
+            path: /healthz/live
+            port: metrics
+          {{- with .Values.dex.livenessProbe }}
+            {{- omit . "enabled" | toYaml | nindent 10 }}
+          {{- end }}
+        {{- end }}
+        {{- if .Values.dex.readinessProbe.enabled }}
+        readinessProbe:
+          httpGet:
+            path: /healthz/ready
+            port: metrics
+          {{- with .Values.dex.readinessProbe }}
+            {{- omit . "enabled" | toYaml | nindent 10 }}
+          {{- end }}
         {{- end }}
         volumeMounts:
         - mountPath: /tmp

charts/argo-cd/values.yaml

@@ -259,6 +259,23 @@ dex:
   ##
   podLabels: {}
 
+  ## Probes for Dex server
+  ## Supported from Dex >= 2.28.0
+  livenessProbe:
+    enabled: false
+    failureThreshold: 3
+    initialDelaySeconds: 10
+    periodSeconds: 10
+    successThreshold: 1
+    timeoutSeconds: 1
+  readinessProbe:
+    enabled: false
+    failureThreshold: 3
+    initialDelaySeconds: 10
+    periodSeconds: 10
+    successThreshold: 1
+    timeoutSeconds: 1
+
   serviceAccount:
     create: true
     name: argocd-dex-server