diff --git a/.github/workflows/lint-and-test.yml b/.github/workflows/lint-and-test.yml index 9d546935..c0a183e7 100644 --- a/.github/workflows/lint-and-test.yml +++ b/.github/workflows/lint-and-test.yml @@ -13,7 +13,7 @@ jobs: options: --user 1001 steps: - name: Checkout - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Run ah lint working-directory: ./charts run: ah lint @@ -22,7 +22,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: fetch-depth: 0 @@ -32,7 +32,7 @@ jobs: version: v3.10.1 # Also update in publish.yaml - name: Set up python - uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4.7.0 + uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1 with: python-version: 3.9 diff --git a/.github/workflows/pr-title.yml b/.github/workflows/pr-title.yml index 2d45de12..be77f1ae 100644 --- a/.github/workflows/pr-title.yml +++ b/.github/workflows/pr-title.yml @@ -19,7 +19,7 @@ jobs: name: Validate PR title runs-on: ubuntu-latest steps: - - uses: amannn/action-semantic-pull-request@c3cd5d1ea3580753008872425915e343e351ab54 # v5.2.0 + - uses: amannn/action-semantic-pull-request@47b15d52c5c30e94a17ec87eb8dd51ff5221fed9 # v5.3.0 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index ca354e86..3738002c 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -18,7 +18,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: fetch-depth: 0 @@ -65,3 +65,20 @@ jobs: skip_packaging: true env: CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + + - name: Login to GHCR + uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Push chart to GHCR + run: | + shopt -s nullglob + for pkg in .cr-release-packages/*.tgz; do + if [ -z "${pkg:-}" ]; then + break + fi + helm push "${pkg}" oci://ghcr.io/${{ github.repository }} + done diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 8a924219..3273e72d 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -33,12 +33,12 @@ jobs: steps: - name: "Checkout code" - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@08b4669551908b1024bb425080c797723083c031 # v2.2.0 + uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1 with: results_file: results.sarif results_format: sarif diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 1f7745b5..d67ddefc 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -64,7 +64,7 @@ Each release for each chart must be immutable. Any change to a chart (even just ### Chart Versioning -Currently we require a chart version bump for every change to a chart, including updating information for older verions. This may change in the future. +Currently we require a chart version bump for every change to a chart, including updating information for older versions. This may change in the future. ### Artifact Hub Annotations diff --git a/charts/argo-cd/Chart.yaml b/charts/argo-cd/Chart.yaml index 20da3b0c..7ec6e011 100644 --- a/charts/argo-cd/Chart.yaml +++ b/charts/argo-cd/Chart.yaml @@ -3,7 +3,7 @@ appVersion: v2.8.1-cap-CR-20837 kubeVersion: ">=1.23.0-0" description: A Helm chart for Argo CD, a declarative, GitOps continuous delivery tool for Kubernetes. name: argo-cd -version: 5.46.2-4-cap-CR-20837 +version: 5.50.1-0-cap-CR-20837 home: https://github.com/argoproj/argo-helm icon: https://argo-cd.readthedocs.io/en/stable/assets/logo.png sources: diff --git a/charts/argo-cd/README.md b/charts/argo-cd/README.md index 7c35ff9d..fd4d61e1 100644 --- a/charts/argo-cd/README.md +++ b/charts/argo-cd/README.md @@ -562,6 +562,7 @@ NAME: my-release | controller.serviceAccount.labels | object | `{}` | Labels applied to created service account | | controller.serviceAccount.name | string | `"argocd-application-controller"` | Service account name | | controller.statefulsetAnnotations | object | `{}` | Annotations for the application controller StatefulSet | +| controller.terminationGracePeriodSeconds | int | `30` | terminationGracePeriodSeconds for container lifecycle hook | | controller.tolerations | list | `[]` (defaults to global.tolerations) | [Tolerations] for use with node taints | | controller.topologySpreadConstraints | list | `[]` (defaults to global.topologySpreadConstraints) | Assign custom [TopologySpreadConstraints] rules to the application controller | | controller.volumeMounts | list | `[]` | Additional volumeMounts to the application controller main container | @@ -654,6 +655,7 @@ NAME: my-release | repoServer.serviceAccount.create | bool | `true` | Create repo server service account | | repoServer.serviceAccount.labels | object | `{}` | Labels applied to created service account | | repoServer.serviceAccount.name | string | `""` | Repo server service account name | +| repoServer.terminationGracePeriodSeconds | int | `30` | terminationGracePeriodSeconds for container lifecycle hook | | repoServer.tolerations | list | `[]` (defaults to global.tolerations) | [Tolerations] for use with node taints | | repoServer.topologySpreadConstraints | list | `[]` (defaults to global.topologySpreadConstraints) | Assign custom [TopologySpreadConstraints] rules to the repo server | | repoServer.useEphemeralHelmWorkingDir | bool | `true` | Toggle the usage of a ephemeral Helm working directory | @@ -808,6 +810,7 @@ NAME: my-release | server.serviceAccount.create | bool | `true` | Create server service account | | server.serviceAccount.labels | object | `{}` | Labels applied to created service account | | server.serviceAccount.name | string | `"argocd-server"` | Server service account name | +| server.terminationGracePeriodSeconds | int | `30` | terminationGracePeriodSeconds for container lifecycle hook | | server.tolerations | list | `[]` (defaults to global.tolerations) | [Tolerations] for use with node taints | | server.topologySpreadConstraints | list | `[]` (defaults to global.topologySpreadConstraints) | Assign custom [TopologySpreadConstraints] rules to the Argo CD server | | server.volumeMounts | list | `[]` | Additional volumeMounts to the server main container | @@ -916,6 +919,7 @@ server: | dex.servicePortHttp | int | `5556` | Service port for HTTP access | | dex.servicePortHttpName | string | `"http"` | Service port name for HTTP access | | dex.servicePortMetrics | int | `5558` | Service port for metrics access | +| dex.terminationGracePeriodSeconds | int | `30` | terminationGracePeriodSeconds for container lifecycle hook | | dex.tolerations | list | `[]` (defaults to global.tolerations) | [Tolerations] for use with node taints | | dex.topologySpreadConstraints | list | `[]` (defaults to global.topologySpreadConstraints) | Assign custom [TopologySpreadConstraints] rules to dex | | dex.volumeMounts | list | `[]` | Additional volumeMounts to the dex main container | @@ -948,7 +952,7 @@ server: | redis.extraContainers | list | `[]` | Additional containers to be added to the redis pod | | redis.image.imagePullPolicy | string | `""` (defaults to global.image.imagePullPolicy) | Redis image pull policy | | redis.image.repository | string | `"quay.io/codefresh/redis"` | Redis repository | -| redis.image.tag | string | `"7.0.11-alpine"` | Redis tag | +| redis.image.tag | string | `"7.0.13-alpine"` | Redis tag | | redis.imagePullSecrets | list | `[]` (defaults to global.imagePullSecrets) | Secrets with credentials to pull images from a private registry | | redis.initContainers | list | `[]` | Init containers to add to the redis pod | | redis.metrics.enabled | bool | `false` | Deploy metrics service | @@ -987,6 +991,7 @@ server: | redis.serviceAccount.create | bool | `false` | Create a service account for the redis pod | | redis.serviceAccount.name | string | `""` | Service account name for redis pod | | redis.servicePort | int | `6379` | Redis service port | +| redis.terminationGracePeriodSeconds | int | `30` | terminationGracePeriodSeconds for container lifecycle hook | | redis.tolerations | list | `[]` (defaults to global.tolerations) | [Tolerations] for use with node taints | | redis.topologySpreadConstraints | list | `[]` (defaults to global.topologySpreadConstraints) | Assign custom [TopologySpreadConstraints] rules to redis | | redis.volumeMounts | list | `[]` | Additional volumeMounts to the redis container | @@ -1001,20 +1006,22 @@ The main options are listed here: | Key | Type | Default | Description | |-----|------|---------|-------------| | redis-ha.additionalAffinities | object | `{}` | Additional affinities to add to the Redis server pods. | -| redis-ha.affinity | object | `{}` | Assign custom [affinity] rules to the Redis pods. | +| redis-ha.affinity | string | `""` | Assign custom [affinity] rules to the Redis pods. | +| redis-ha.containerSecurityContext | object | See [values.yaml] | Redis HA statefulset container-level security context | | redis-ha.enabled | bool | `false` | Enables the Redis HA subchart and disables the custom Redis single node deployment | | redis-ha.exporter.enabled | bool | `false` | Enable Prometheus redis-exporter sidecar | | redis-ha.exporter.image | string | `"public.ecr.aws/bitnami/redis-exporter"` | Repository to use for the redis-exporter | | redis-ha.exporter.tag | string | `"1.53.0"` | Tag to use for the redis-exporter | | redis-ha.haproxy.additionalAffinities | object | `{}` | Additional affinities to add to the haproxy pods. | -| redis-ha.haproxy.affinity | object | `{}` | Assign custom [affinity] rules to the haproxy pods. | +| redis-ha.haproxy.affinity | string | `""` | Assign custom [affinity] rules to the haproxy pods. | +| redis-ha.haproxy.containerSecurityContext | object | See [values.yaml] | HAProxy container-level security context | | redis-ha.haproxy.enabled | bool | `true` | Enabled HAProxy LoadBalancing/Proxy | | redis-ha.haproxy.hardAntiAffinity | bool | `true` | Whether the haproxy pods should be forced to run on separate nodes. | | redis-ha.haproxy.metrics.enabled | bool | `true` | HAProxy enable prometheus metric scraping | | redis-ha.haproxy.tolerations | list | `[]` | [Tolerations] for use with node taints for haproxy pods. | | redis-ha.hardAntiAffinity | bool | `true` | Whether the Redis server pods should be forced to run on separate nodes. | | redis-ha.image.repository | string | `"redis"` | Redis repository | -| redis-ha.image.tag | string | `"7.0.11-alpine"` | Redis tag | +| redis-ha.image.tag | string | `"7.0.13-alpine"` | Redis tag | | redis-ha.persistentVolume.enabled | bool | `false` | Configures persistence on Redis nodes | | redis-ha.redis.config | object | See [values.yaml] | Any valid redis config options in this section will be applied to each server (see `redis-ha` chart) | | redis-ha.redis.config.save | string | `'""'` | Will save the DB if both the given number of seconds and the given number of write operations against the DB occurred. `""` is disabled | @@ -1135,6 +1142,7 @@ If you want to use an existing Redis (eg. a managed service from a cloud provide | applicationSet.serviceAccount.create | bool | `true` | Create ApplicationSet controller service account | | applicationSet.serviceAccount.labels | object | `{}` | Labels applied to created service account | | applicationSet.serviceAccount.name | string | `"argocd-applicationset-controller"` | ApplicationSet controller service account name | +| applicationSet.terminationGracePeriodSeconds | int | `30` | terminationGracePeriodSeconds for container lifecycle hook | | applicationSet.tolerations | list | `[]` (defaults to global.tolerations) | [Tolerations] for use with node taints | | applicationSet.topologySpreadConstraints | list | `[]` (defaults to global.topologySpreadConstraints) | Assign custom [TopologySpreadConstraints] rules to the ApplicationSet controller | | applicationSet.webhook.ingress.annotations | object | `{}` | Additional ingress annotations | @@ -1153,6 +1161,7 @@ If you want to use an existing Redis (eg. a managed service from a cloud provide |-----|------|---------|-------------| | notifications.affinity | object | `{}` (defaults to global.affinity preset) | Assign custom [affinity] rules | | notifications.argocdUrl | string | `nil` | Argo CD dashboard url; used in place of {{.context.argocdUrl}} in templates | +| notifications.clusterRoleRules.rules | list | `[]` | List of custom rules for the notifications controller's ClusterRole resource | | notifications.cm.create | bool | `true` | Whether helm chart creates notifications controller config map | | notifications.containerPorts.metrics | int | `9001` | Metrics container port | | notifications.containerSecurityContext | object | See [values.yaml] | Notification controller container-level security Context | @@ -1213,6 +1222,7 @@ If you want to use an existing Redis (eg. a managed service from a cloud provide | notifications.serviceAccount.name | string | `"argocd-notifications-controller"` | Notification controller service account name | | notifications.subscriptions | list | `[]` | Contains centrally managed global application subscriptions | | notifications.templates | object | `{}` | The notification template is used to generate the notification content | +| notifications.terminationGracePeriodSeconds | int | `30` | terminationGracePeriodSeconds for container lifecycle hook | | notifications.tolerations | list | `[]` (defaults to global.tolerations) | [Tolerations] for use with node taints | | notifications.topologySpreadConstraints | list | `[]` (defaults to global.topologySpreadConstraints) | Assign custom [TopologySpreadConstraints] rules to the application controller | | notifications.triggers | object | `{}` | The trigger defines the condition when the notification should be sent | diff --git a/charts/argo-cd/templates/argocd-application-controller/statefulset.yaml b/charts/argo-cd/templates/argocd-application-controller/statefulset.yaml index 3583a2b7..31bce299 100644 --- a/charts/argo-cd/templates/argocd-application-controller/statefulset.yaml +++ b/charts/argo-cd/templates/argocd-application-controller/statefulset.yaml @@ -52,6 +52,9 @@ spec: {{- with .Values.controller.priorityClassName | default .Values.global.priorityClassName }} priorityClassName: {{ . }} {{- end }} + {{- if .Values.controller.terminationGracePeriodSeconds }} + terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} + {{- end }} serviceAccountName: {{ include "argo-cd.controllerServiceAccountName" . }} containers: - args: diff --git a/charts/argo-cd/templates/argocd-applicationset/deployment.yaml b/charts/argo-cd/templates/argocd-applicationset/deployment.yaml index d30dc924..100daf5f 100644 --- a/charts/argo-cd/templates/argocd-applicationset/deployment.yaml +++ b/charts/argo-cd/templates/argocd-applicationset/deployment.yaml @@ -52,6 +52,9 @@ spec: {{- with .Values.applicationSet.priorityClassName | default .Values.global.priorityClassName }} priorityClassName: {{ . }} {{- end }} + {{- if .Values.applicationSet.terminationGracePeriodSeconds }} + terminationGracePeriodSeconds: {{ .Values.applicationSet.terminationGracePeriodSeconds }} + {{- end }} serviceAccountName: {{ include "argo-cd.applicationSetServiceAccountName" . }} containers: - name: {{ .Values.applicationSet.name }} diff --git a/charts/argo-cd/templates/argocd-notifications/clusterrole.yaml b/charts/argo-cd/templates/argocd-notifications/clusterrole.yaml new file mode 100644 index 00000000..927d30a0 --- /dev/null +++ b/charts/argo-cd/templates/argocd-notifications/clusterrole.yaml @@ -0,0 +1,22 @@ +{{- if and .Values.notifications.enabled .Values.createClusterRoles }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "argo-cd.notifications.fullname" . }} + labels: + {{- include "argo-cd.labels" (dict "context" . "component" .Values.notifications.name "name" .Values.notifications.name) | nindent 4 }} +rules: + {{- with .Values.notifications.clusterRoleRules.rules }} + {{- toYaml . | nindent 2 }} + {{- end }} + - apiGroups: + - "argoproj.io" + resources: + - "applications" + verbs: + - get + - list + - watch + - update + - patch +{{- end }} diff --git a/charts/argo-cd/templates/argocd-notifications/clusterrolebinding.yaml b/charts/argo-cd/templates/argocd-notifications/clusterrolebinding.yaml new file mode 100644 index 00000000..3dba71a2 --- /dev/null +++ b/charts/argo-cd/templates/argocd-notifications/clusterrolebinding.yaml @@ -0,0 +1,16 @@ +{{- if and .Values.notifications.enabled .Values.createClusterRoles }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "argo-cd.notifications.fullname" . }} + labels: + {{- include "argo-cd.labels" (dict "context" . "component" .Values.notifications.name "name" .Values.notifications.name) | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "argo-cd.notifications.fullname" . }} +subjects: +- kind: ServiceAccount + name: {{ include "argo-cd.notificationsServiceAccountName" . }} + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/argo-cd/templates/argocd-notifications/deployment.yaml b/charts/argo-cd/templates/argocd-notifications/deployment.yaml index d2eca77f..edee786a 100644 --- a/charts/argo-cd/templates/argocd-notifications/deployment.yaml +++ b/charts/argo-cd/templates/argocd-notifications/deployment.yaml @@ -51,6 +51,9 @@ spec: {{- with .Values.notifications.priorityClassName | default .Values.global.priorityClassName }} priorityClassName: {{ . }} {{- end }} + {{- if .Values.notifications.terminationGracePeriodSeconds }} + terminationGracePeriodSeconds: {{ .Values.notifications.terminationGracePeriodSeconds }} + {{- end }} serviceAccountName: {{ include "argo-cd.notificationsServiceAccountName" . }} containers: - name: {{ .Values.notifications.name }} @@ -75,13 +78,19 @@ spec: configMapKeyRef: key: notificationscontroller.log.level name: argocd-cmd-params-cm - optional: true + optional: true - name: ARGOCD_NOTIFICATIONS_CONTROLLER_LOGFORMAT valueFrom: configMapKeyRef: key: notificationscontroller.log.format name: argocd-cmd-params-cm optional: true + - name: ARGOCD_APPLICATION_NAMESPACES + valueFrom: + configMapKeyRef: + key: application.namespaces + name: argocd-cmd-params-cm + optional: true {{- with .Values.notifications.extraEnvFrom }} envFrom: {{- toYaml . | nindent 12 }} diff --git a/charts/argo-cd/templates/argocd-repo-server/deployment.yaml b/charts/argo-cd/templates/argocd-repo-server/deployment.yaml index 3080c79f..515984d7 100755 --- a/charts/argo-cd/templates/argocd-repo-server/deployment.yaml +++ b/charts/argo-cd/templates/argocd-repo-server/deployment.yaml @@ -33,6 +33,9 @@ spec: {{- if (hasKey .Values.server "configEnabled") | ternary .Values.server.configEnabled .Values.configs.cm.create }} checksum/cm: {{ include (print $.Template.BasePath "/argocd-configs/argocd-cm.yaml") . | sha256sum }} {{- end }} + {{- if .Values.configs.cmp.create }} + checksum/cmp-cm: {{ include (print $.Template.BasePath "/argocd-configs/argocd-cmp-cm.yaml") . | sha256sum }} + {{- end }} {{- with (mergeOverwrite (deepCopy .Values.global.podAnnotations) .Values.repoServer.podAnnotations) }} {{- range $key, $value := . }} {{ $key }}: {{ $value | quote }} @@ -59,6 +62,9 @@ spec: {{- with .Values.repoServer.priorityClassName | default .Values.global.priorityClassName }} priorityClassName: {{ . }} {{- end }} + {{- if .Values.repoServer.terminationGracePeriodSeconds }} + terminationGracePeriodSeconds: {{ .Values.repoServer.terminationGracePeriodSeconds }} + {{- end }} serviceAccountName: {{ include "argo-cd.repoServerServiceAccountName" . }} containers: - name: {{ .Values.repoServer.name }} diff --git a/charts/argo-cd/templates/argocd-server/clusterrole.yaml b/charts/argo-cd/templates/argocd-server/clusterrole.yaml index 3d2c44b5..838016fa 100644 --- a/charts/argo-cd/templates/argocd-server/clusterrole.yaml +++ b/charts/argo-cd/templates/argocd-server/clusterrole.yaml @@ -48,6 +48,7 @@ rules: - apiGroups: - batch resources: + {{/* supports triggering jobs from UI */}} - jobs verbs: - create @@ -56,5 +57,6 @@ rules: resources: - workflows verbs: + {{/* supports triggering workflows from UI */}} - create {{- end }} diff --git a/charts/argo-cd/templates/argocd-server/deployment.yaml b/charts/argo-cd/templates/argocd-server/deployment.yaml index e3f322cb..983121a9 100755 --- a/charts/argo-cd/templates/argocd-server/deployment.yaml +++ b/charts/argo-cd/templates/argocd-server/deployment.yaml @@ -53,6 +53,9 @@ spec: {{- with .Values.server.priorityClassName | default .Values.global.priorityClassName }} priorityClassName: {{ . }} {{- end }} + {{- if .Values.server.terminationGracePeriodSeconds }} + terminationGracePeriodSeconds: {{ .Values.server.terminationGracePeriodSeconds }} + {{- end }} serviceAccountName: {{ include "argo-cd.serverServiceAccountName" . }} containers: - name: {{ .Values.server.name }} diff --git a/charts/argo-cd/templates/argocd-server/servicemonitor.yaml b/charts/argo-cd/templates/argocd-server/servicemonitor.yaml index f876a1a1..d036a8e1 100644 --- a/charts/argo-cd/templates/argocd-server/servicemonitor.yaml +++ b/charts/argo-cd/templates/argocd-server/servicemonitor.yaml @@ -12,10 +12,10 @@ metadata: {{- with .Values.server.metrics.serviceMonitor.additionalLabels }} {{- toYaml . | nindent 4 }} {{- end }} + {{- with .Values.server.metrics.serviceMonitor.annotations }} annotations: - {{- range $key, $value := .Values.server.metrics.serviceMonitor.annotations }} - {{ $key }}: {{ $value | quote }} - {{- end }} + {{- toYaml . | nindent 4 }} + {{- end }} spec: endpoints: - port: {{ .Values.server.metrics.service.portName }} diff --git a/charts/argo-cd/templates/crds/crd-applicationset.yaml b/charts/argo-cd/templates/crds/crd-applicationset.yaml index 71d43763..0a758688 100644 --- a/charts/argo-cd/templates/crds/crd-applicationset.yaml +++ b/charts/argo-cd/templates/crds/crd-applicationset.yaml @@ -4481,10 +4481,16 @@ spec: additionalProperties: type: string type: object + components: + items: + type: string + type: array forceCommonAnnotations: type: boolean forceCommonLabels: type: boolean + forceNamespace: + type: boolean images: items: type: string @@ -4661,10 +4667,16 @@ spec: additionalProperties: type: string type: object + components: + items: + type: string + type: array forceCommonAnnotations: type: boolean forceCommonLabels: type: boolean + forceNamespace: + type: boolean images: items: type: string @@ -9044,10 +9056,16 @@ spec: additionalProperties: type: string type: object + components: + items: + type: string + type: array forceCommonAnnotations: type: boolean forceCommonLabels: type: boolean + forceNamespace: + type: boolean images: items: type: string @@ -9224,10 +9242,16 @@ spec: additionalProperties: type: string type: object + components: + items: + type: string + type: array forceCommonAnnotations: type: boolean forceCommonLabels: type: boolean + forceNamespace: + type: boolean images: items: type: string @@ -11488,10 +11512,16 @@ spec: additionalProperties: type: string type: object + components: + items: + type: string + type: array forceCommonAnnotations: type: boolean forceCommonLabels: type: boolean + forceNamespace: + type: boolean images: items: type: string @@ -11668,10 +11698,16 @@ spec: additionalProperties: type: string type: object + components: + items: + type: string + type: array forceCommonAnnotations: type: boolean forceCommonLabels: type: boolean + forceNamespace: + type: boolean images: items: type: string diff --git a/charts/argo-cd/templates/dex/deployment.yaml b/charts/argo-cd/templates/dex/deployment.yaml index abca6e14..9f782c8d 100755 --- a/charts/argo-cd/templates/dex/deployment.yaml +++ b/charts/argo-cd/templates/dex/deployment.yaml @@ -55,6 +55,9 @@ spec: {{- with .Values.dex.priorityClassName | default .Values.global.priorityClassName }} priorityClassName: {{ . }} {{- end }} + {{- if .Values.dex.terminationGracePeriodSeconds }} + terminationGracePeriodSeconds: {{ .Values.dex.terminationGracePeriodSeconds }} + {{- end }} serviceAccountName: {{ template "argo-cd.dexServiceAccountName" . }} containers: - name: {{ .Values.dex.name }} diff --git a/charts/argo-cd/templates/redis/deployment.yaml b/charts/argo-cd/templates/redis/deployment.yaml index 419e5f31..3f272d02 100755 --- a/charts/argo-cd/templates/redis/deployment.yaml +++ b/charts/argo-cd/templates/redis/deployment.yaml @@ -48,6 +48,9 @@ spec: {{- with .Values.redis.priorityClassName | default .Values.global.priorityClassName }} priorityClassName: {{ . }} {{- end }} + {{- if .Values.redis.terminationGracePeriodSeconds }} + terminationGracePeriodSeconds: {{ .Values.redis.terminationGracePeriodSeconds }} + {{- end }} serviceAccountName: {{ include "argo-cd.redisServiceAccountName" . }} containers: - name: {{ .Values.redis.name }} diff --git a/charts/argo-cd/values.yaml b/charts/argo-cd/values.yaml index 50a4ee6e..05da696b 100644 --- a/charts/argo-cd/values.yaml +++ b/charts/argo-cd/values.yaml @@ -329,7 +329,7 @@ configs: [ssh.github.com]:443 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCj7ndNxQowgcQnjshcLrqPEiiphnt+VTTvDP6mHBL9j1aNUkY4Ue1gvwnGLVlOhGeYrnZaMgRK6+PKCUXaDbC7qtbW8gIkhL7aGCsOr/C56SJMy/BCZfxd1nWzAOxSDPgVsmerOBYfNqltV9/hWCqBywINIR+5dIg6JTJ72pcEpEjcYgXkE2YEFXV1JHnsKgbLWNlhScqb2UmyRkQyytRLtL+38TGxkxCflmO+5Z8CSSNY7GidjMIZ7Q4zMjA2n1nGrlTDkzwDCsw+wqFPGQA179cnfGWOWRVruj16z6XyvxvjJwbz0wQZ75XK5tKSb7FNyeIEs4TT4jk+S4dhPeAUC5y+bDYirYgM4GC7uEnztnZyaVWQ7B381AK4Qdrwt51ZqExKbQpTUNn+EjqoTwvqNj4kqx5QUCI0ThS/YkOxJCXmPUWZbhjpCg56i+2aB6CmK2JGhn57K5mj0MNdBXA4/WnwH6XoPWJzK5Nyu2zB3nAZp+S5hpQs+p1vN1/wsjk= bitbucket.org ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPIQmuzMBuKdWeF4+a2sjSSpBK0iqitSQ+5BM9KhpexuGt20JpTVM7u5BDZngncgrqDMbWdxMWWOGtZ9UgbqgZE= bitbucket.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIazEu89wgQZ4bqs3d63QSMzYVa0MuJ2e2gKTKqu+UUO - bitbucket.org ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAubiN81eDcafrgMeLzaFPsw2kNvEcqTKl/VqLat/MaB33pZy0y3rJZtnqwR2qOOvbwKZYKiEO1O6VqNEBxKvJJelCq0dTXWT5pbO2gDXC6h6QDXCaHo6pOHGPUy+YBaGQRGuSusMEASYiWunYN0vCAI8QaXnWMXNMdFP3jHAJH0eDsoiGnLPBlBp4TNm6rYI74nMzgz3B9IikW4WVK+dc8KZJZWYjAuORU3jc1c/NPskD2ASinf8v3xnfXeukU0sJ5N6m5E8VLjObPEO+mN2t/FZTMZLiFqPWc/ALSqnMnnhwrNi2rbfg/rd/IpL8Le3pSBne8+seeFVBoGqzHM9yXw== + bitbucket.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDQeJzhupRu0u0cdegZIa8e86EG2qOCsIsD1Xw0xSeiPDlCr7kq97NLmMbpKTX6Esc30NuoqEEHCuc7yWtwp8dI76EEEB1VqY9QJq6vk+aySyboD5QF61I/1WeTwu+deCbgKMGbUijeXhtfbxSxm6JwGrXrhBdofTsbKRUsrN1WoNgUa8uqN1Vx6WAJw1JHPhglEGGHea6QICwJOAr/6mrui/oB7pkaWKHj3z7d1IC4KWLtY47elvjbaTlkN04Kc/5LFEirorGYVbt15kAUlqGM65pk6ZBxtaO3+30LVlORZkxOh+LKL/BvbZ/iRNhItLqNyieoQj/uh/7Iv4uyH/cV/0b4WDSd3DptigWq84lJubb9t/DnZlrJazxyDCulTmKdOR7vs9gMTo+uoIrPSb8ScTtvw65+odKAlBj59dhnVp9zd7QUojOpXlL62Aw56U4oO+FALuevvMjiWeavKhJqlR7i5n9srYcrNV7ttmDw7kf/97P5zauIhxcjX+xHv4M= github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg= github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl github.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCj7ndNxQowgcQnjshcLrqPEiiphnt+VTTvDP6mHBL9j1aNUkY4Ue1gvwnGLVlOhGeYrnZaMgRK6+PKCUXaDbC7qtbW8gIkhL7aGCsOr/C56SJMy/BCZfxd1nWzAOxSDPgVsmerOBYfNqltV9/hWCqBywINIR+5dIg6JTJ72pcEpEjcYgXkE2YEFXV1JHnsKgbLWNlhScqb2UmyRkQyytRLtL+38TGxkxCflmO+5Z8CSSNY7GidjMIZ7Q4zMjA2n1nGrlTDkzwDCsw+wqFPGQA179cnfGWOWRVruj16z6XyvxvjJwbz0wQZ75XK5tKSb7FNyeIEs4TT4jk+S4dhPeAUC5y+bDYirYgM4GC7uEnztnZyaVWQ7B381AK4Qdrwt51ZqExKbQpTUNn+EjqoTwvqNj4kqx5QUCI0ThS/YkOxJCXmPUWZbhjpCg56i+2aB6CmK2JGhn57K5mj0MNdBXA4/WnwH6XoPWJzK5Nyu2zB3nAZp+S5hpQs+p1vN1/wsjk= @@ -734,6 +734,9 @@ controller: # -- Number of seconds after which the [probe] times out timeoutSeconds: 1 + # -- terminationGracePeriodSeconds for container lifecycle hook + terminationGracePeriodSeconds: 30 + # -- Priority class for the application controller pods # @default -- `""` (defaults to global.priorityClassName) priorityClassName: "" @@ -1077,6 +1080,9 @@ dex: # -- Number of seconds after which the [probe] times out timeoutSeconds: 1 + # -- terminationGracePeriodSeconds for container lifecycle hook + terminationGracePeriodSeconds: 30 + serviceAccount: # -- Create dex service account create: true @@ -1165,7 +1171,7 @@ redis: # -- Redis repository repository: quay.io/codefresh/redis # -- Redis tag - tag: 7.0.11-alpine + tag: 7.0.13-alpine # -- Redis image pull policy # @default -- `""` (defaults to global.image.imagePullPolicy) imagePullPolicy: "" @@ -1282,6 +1288,7 @@ redis: # -- Redis container-level security context # @default -- See [values.yaml] containerSecurityContext: + readOnlyRootFilesystem: true allowPrivilegeEscalation: false capabilities: drop: @@ -1315,6 +1322,9 @@ redis: # topologyKey: topology.kubernetes.io/zone # whenUnsatisfiable: DoNotSchedule + # -- terminationGracePeriodSeconds for container lifecycle hook + terminationGracePeriodSeconds: 30 + serviceAccount: # -- Create a service account for the redis pod create: false @@ -1384,7 +1394,7 @@ redis-ha: # -- Redis repository repository: redis # -- Redis tag - tag: 7.0.11-alpine + tag: 7.0.13-alpine ## Prometheus redis-exporter sidecar exporter: # -- Enable Prometheus redis-exporter sidecar @@ -1418,9 +1428,14 @@ redis-ha: # -- Additional affinities to add to the haproxy pods. additionalAffinities: {} # -- Assign custom [affinity] rules to the haproxy pods. - affinity: {} + affinity: | + # -- [Tolerations] for use with node taints for haproxy pods. tolerations: [] + # -- HAProxy container-level security context + # @default -- See [values.yaml] + containerSecurityContext: + readOnlyRootFilesystem: true # -- Whether the Redis server pods should be forced to run on separate nodes. hardAntiAffinity: true @@ -1429,7 +1444,7 @@ redis-ha: additionalAffinities: {} # -- Assign custom [affinity] rules to the Redis pods. - affinity: {} + affinity: | # -- [Tolerations] for use with node taints for Redis pods. tolerations: [] @@ -1448,6 +1463,10 @@ redis-ha: # -- Enforcement policy, hard or soft # @default -- `""` (defaults to `ScheduleAnyway`) whenUnsatisfiable: "" + # -- Redis HA statefulset container-level security context + # @default -- See [values.yaml] + containerSecurityContext: + readOnlyRootFilesystem: true # External Redis parameters externalRedis: @@ -1711,6 +1730,9 @@ server: # -- Number of seconds after which the [probe] times out timeoutSeconds: 1 + # -- terminationGracePeriodSeconds for container lifecycle hook + terminationGracePeriodSeconds: 30 + # -- Priority class for the Argo CD server pods # @default -- `""` (defaults to global.priorityClassName) priorityClassName: "" @@ -2254,6 +2276,9 @@ repoServer: # -- Number of seconds after which the [probe] times out timeoutSeconds: 1 + # -- terminationGracePeriodSeconds for container lifecycle hook + terminationGracePeriodSeconds: 30 + # -- [Node selector] # @default -- `{}` (defaults to global.nodeSelector) nodeSelector: {} @@ -2611,6 +2636,9 @@ applicationSet: # -- Minimum consecutive failures for the [probe] to be considered failed after having succeeded failureThreshold: 3 + # -- terminationGracePeriodSeconds for container lifecycle hook + terminationGracePeriodSeconds: 30 + # -- [Node selector] # @default -- `{}` (defaults to global.nodeSelector) nodeSelector: {} @@ -2924,6 +2952,9 @@ notifications: drop: - ALL + # -- terminationGracePeriodSeconds for container lifecycle hook + terminationGracePeriodSeconds: 30 + # -- [Node selector] # @default -- `{}` (defaults to global.nodeSelector) nodeSelector: {} @@ -2969,6 +3000,12 @@ notifications: # -- Whether helm chart creates notifications controller config map create: true + ## Enable this and set the rules: to whatever custom rules you want for the Cluster Role resource. + ## Defaults to off + clusterRoleRules: + # -- List of custom rules for the notifications controller's ClusterRole resource + rules: [] + # -- Contains centrally managed global application subscriptions ## For more information: https://argocd-notifications.readthedocs.io/en/stable/subscriptions/ subscriptions: [] diff --git a/charts/argo-rollouts/Chart.yaml b/charts/argo-rollouts/Chart.yaml index 457f76a0..1e917ca4 100644 --- a/charts/argo-rollouts/Chart.yaml +++ b/charts/argo-rollouts/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 appVersion: v1.6.0 description: A Helm chart for Argo Rollouts name: argo-rollouts -version: 2.32.0 +version: 2.32.2 home: https://github.com/argoproj/argo-helm icon: https://argoproj.github.io/argo-rollouts/assets/logo.png keywords: @@ -18,5 +18,10 @@ annotations: fingerprint: 2B8F22F57260EFA67BE1C5824B11F800CD9D2252 url: https://argoproj.github.io/argo-helm/pgp_keys.asc artifacthub.io/changes: | +<<<<<<< HEAD - kind: changed description: Upgrade Argo Rollouts to v1.6.0 +======= + - kind: fixed + description: Update AnalysisRun CRD to match upstream +>>>>>>> argo-cd-5.50.1 diff --git a/charts/argo-rollouts/templates/controller/deployment.yaml b/charts/argo-rollouts/templates/controller/deployment.yaml index 966491c8..23dc14cb 100644 --- a/charts/argo-rollouts/templates/controller/deployment.yaml +++ b/charts/argo-rollouts/templates/controller/deployment.yaml @@ -48,7 +48,7 @@ spec: {{- if not .Values.clusterInstall }} - --namespaced {{- end }} - {{- if gt .Values.controller.replicas 1.0 }} + {{- if gt (int .Values.controller.replicas) 1 }} - --leader-elect {{- end }} {{- with .Values.controller.extraArgs }} diff --git a/charts/argo-rollouts/templates/crds/analysis-run-crd.yaml b/charts/argo-rollouts/templates/crds/analysis-run-crd.yaml index 7324e908..39ce8ed8 100644 --- a/charts/argo-rollouts/templates/crds/analysis-run-crd.yaml +++ b/charts/argo-rollouts/templates/crds/analysis-run-crd.yaml @@ -189,13 +189,22 @@ spec: datadog: properties: apiVersion: + default: v1 + enum: + - v1 + - v2 + type: string + formula: type: string interval: + default: 5m type: string + queries: + additionalProperties: + type: string + type: object query: type: string - required: - - query type: object graphite: properties: @@ -2809,6 +2818,22 @@ spec: type: string authentication: properties: +<<<<<<< HEAD +======= + oauth2: + properties: + clientId: + type: string + clientSecret: + type: string + scopes: + items: + type: string + type: array + tokenUrl: + type: string + type: object +>>>>>>> argo-cd-5.50.1 sigv4: properties: profile: @@ -2857,6 +2882,31 @@ spec: type: object web: properties: + authentication: + properties: + oauth2: + properties: + clientId: + type: string + clientSecret: + type: string + scopes: + items: + type: string + type: array + tokenUrl: + type: string + type: object + sigv4: + properties: + profile: + type: string + region: + type: string + roleArn: + type: string + type: object + type: object body: type: string headers: diff --git a/charts/argo-workflows/Chart.yaml b/charts/argo-workflows/Chart.yaml index 85de8f7e..44d16bab 100644 --- a/charts/argo-workflows/Chart.yaml +++ b/charts/argo-workflows/Chart.yaml @@ -1,9 +1,9 @@ apiVersion: v2 -appVersion: v3.4.11 +appVersion: v3.5.0 name: argo-workflows description: A Helm chart for Argo Workflows type: application -version: 0.33.3 +version: 0.37.0 icon: https://argoproj.github.io/argo-workflows/assets/logo.png home: https://github.com/argoproj/argo-helm sources: @@ -16,5 +16,5 @@ annotations: fingerprint: 2B8F22F57260EFA67BE1C5824B11F800CD9D2252 url: https://argoproj.github.io/argo-helm/pgp_keys.asc artifacthub.io/changes: | - - kind: fixed - description: Add HA docs and example + - kind: changed + description: Updated supported scaling parameters based on https://argoproj.github.io/argo-workflows/scaling/ diff --git a/charts/argo-workflows/README.md b/charts/argo-workflows/README.md index 732baecd..03811169 100644 --- a/charts/argo-workflows/README.md +++ b/charts/argo-workflows/README.md @@ -108,6 +108,7 @@ Fields to note: |-----|------|---------|-------------| | apiVersionOverrides.autoscaling | string | `""` | String to override apiVersion of autoscaling rendered by this helm chart | | apiVersionOverrides.cloudgoogle | string | `""` | String to override apiVersion of GKE resources rendered by this helm chart | +| commonLabels | object | `{}` | Labels to set on all resources | | crds.annotations | object | `{}` | Annotations to be added to all CRDs | | crds.install | bool | `true` | Install and upgrade CRDs | | crds.keep | bool | `true` | Keep CRDs on chart uninstall | @@ -141,6 +142,7 @@ Fields to note: | controller.affinity | object | `{}` | Assign custom [affinity] rules | | controller.clusterWorkflowTemplates.enabled | bool | `true` | Create a ClusterRole and CRB for the controller to access ClusterWorkflowTemplates. | | controller.columns | list | `[]` | Configure Argo Server to show custom [columns] | +| controller.cronWorkflowWorkers | string | `nil` | Number of cron workflow workers Only valid for 3.5+ | | controller.deploymentAnnotations | object | `{}` | deploymentAnnotations is an optional map of annotations to be applied to the controller Deployment | | controller.extraArgs | list | `[]` | Extra arguments to be added to the controller | | controller.extraContainers | list | `[]` | Extra containers to be added to the controller deployment | @@ -181,6 +183,7 @@ Fields to note: | controller.pdb.enabled | bool | `false` | Configure [Pod Disruption Budget] for the controller pods | | controller.persistence | object | `{}` | enable persistence using postgres | | controller.podAnnotations | object | `{}` | podAnnotations is an optional map of annotations to be applied to the controller Pods | +| controller.podCleanupWorkers | string | `nil` | Number of pod cleanup workers | | controller.podGCDeleteDelayDuration | string | `5s` (Argo Workflows default) | The duration in seconds before the pods in the GC queue get deleted. A zero value indicates that the pods will be deleted immediately. | | controller.podGCGracePeriodSeconds | string | `30` seconds (Kubernetes default) | Specifies the duration in seconds before a terminating pod is forcefully killed. A zero value indicates that the pod will be forcefully terminated immediately. | | controller.podLabels | object | `{}` | Optional labels to add to the controller pods | @@ -220,6 +223,7 @@ Fields to note: | controller.workflowDefaults | object | `{}` | Default values that will apply to all Workflows from this controller, unless overridden on the Workflow-level. Only valid for 2.7+ | | controller.workflowNamespaces | list | `["default"]` | Specify all namespaces where this workflow controller instance will manage workflows. This controls where the service account and RBAC resources will be created. Only valid when singleNamespace is false. | | controller.workflowRestrictions | object | `{}` | Restricts the Workflows that the controller will process. Only valid for 2.9+ | +| controller.workflowTTLWorkers | string | `nil` | Number of workflow TTL workers | | controller.workflowWorkers | string | `nil` | Number of workflow workers | ### Workflow Main Container @@ -256,6 +260,7 @@ Fields to note: | server.GKEmanagedCertificate.domains | list | `["argoworkflows.example.com"]` | Domains for the Google Managed Certificate | | server.GKEmanagedCertificate.enabled | bool | `false` | Enable ManagedCertificate custom resource for Google Kubernetes Engine. | | server.affinity | object | `{}` | Assign custom [affinity] rules | +| server.authMode | string | `""` | Auth Mode is available from `server` , `client` or `sso`. If you chose `sso` , please configure `.Values.server.sso` as well. | | server.autoscaling.behavior | object | `{}` | Configures the scaling behavior of the target in both Up and Down directions. This is only available on HPA apiVersion `autoscaling/v2beta2` and newer | | server.autoscaling.enabled | bool | `false` | Enable Horizontal Pod Autoscaler ([HPA]) for the Argo Server | | server.autoscaling.maxReplicas | int | `5` | Maximum number of replicas for the Argo Server [HPA] | @@ -267,7 +272,7 @@ Fields to note: | server.clusterWorkflowTemplates.enabled | bool | `true` | Create a ClusterRole and CRB for the server to access ClusterWorkflowTemplates. | | server.deploymentAnnotations | object | `{}` | optional map of annotations to be applied to the ui Deployment | | server.enabled | bool | `true` | Deploy the Argo Server | -| server.extraArgs | list | `[]` | Extra arguments to provide to the Argo server binary, such as for disabling authentication. | +| server.extraArgs | list | `[]` | Extra arguments to provide to the Argo server binary. | | server.extraContainers | list | `[]` | Extra containers to be added to the server deployment | | server.extraEnv | list | `[]` | Extra environment variables to provide to the argo-server container | | server.extraInitContainers | list | `[]` | Enables init containers to be added to the server deployment | @@ -315,7 +320,7 @@ Fields to note: | server.sso.clientSecret.key | string | `"client-secret"` | Key of a secret to retrieve the app OIDC client secret | | server.sso.clientSecret.name | string | `"argo-server-sso"` | Name of a secret to retrieve the app OIDC client secret | | server.sso.customGroupClaimName | string | `""` | Override claim name for OIDC groups | -| server.sso.enabled | bool | `false` | Create SSO configuration | +| server.sso.enabled | bool | `false` | Create SSO configuration. If you set `true` , please also set `.Values.server.authMode` as `sso`. | | server.sso.insecureSkipVerify | bool | `false` | Skip TLS verification for the HTTP client | | server.sso.issuer | string | `"https://accounts.google.com"` | The root URL of the OIDC identity provider | | server.sso.issuerAlias | string | `""` | Alternate root URLs that can be included for some OIDC providers | diff --git a/charts/argo-workflows/templates/_helpers.tpl b/charts/argo-workflows/templates/_helpers.tpl index f81e6fc4..0713264f 100644 --- a/charts/argo-workflows/templates/_helpers.tpl +++ b/charts/argo-workflows/templates/_helpers.tpl @@ -79,6 +79,9 @@ helm.sh/chart: {{ include "argo-workflows.chart" .context }} {{ include "argo-workflows.selectorLabels" (dict "context" .context "component" .component "name" .name) }} app.kubernetes.io/managed-by: {{ .context.Release.Service }} app.kubernetes.io/part-of: argo-workflows +{{- with .context.Values.commonLabels }} +{{ toYaml .}} +{{- end }} {{- end }} {{/* diff --git a/charts/argo-workflows/templates/controller/workflow-aggregate-roles.yaml b/charts/argo-workflows/templates/controller/workflow-aggregate-roles.yaml index 977bb86b..ca2ae93e 100644 --- a/charts/argo-workflows/templates/controller/workflow-aggregate-roles.yaml +++ b/charts/argo-workflows/templates/controller/workflow-aggregate-roles.yaml @@ -20,6 +20,12 @@ rules: - cronworkflows/finalizers - clusterworkflowtemplates - clusterworkflowtemplates/finalizers + - workflowtasksets + - workflowtasksets/finalizers + - workflowtaskresults + - workflowtaskresults/finalizers + - workflowartifactgctasks + - workflowartifactgctasks/finalizers verbs: - get - list @@ -46,6 +52,12 @@ rules: - cronworkflows/finalizers - clusterworkflowtemplates - clusterworkflowtemplates/finalizers + - workflowtasksets + - workflowtasksets/finalizers + - workflowtaskresults + - workflowtaskresults/finalizers + - workflowartifactgctasks + - workflowartifactgctasks/finalizers verbs: - create - delete @@ -79,6 +91,12 @@ rules: - cronworkflows/finalizers - clusterworkflowtemplates - clusterworkflowtemplates/finalizers + - workflowtasksets + - workflowtasksets/finalizers + - workflowtaskresults + - workflowtaskresults/finalizers + - workflowartifactgctasks + - workflowartifactgctasks/finalizers verbs: - create - delete diff --git a/charts/argo-workflows/templates/controller/workflow-controller-deployment.yaml b/charts/argo-workflows/templates/controller/workflow-controller-deployment.yaml index c391bee8..132d7f8c 100644 --- a/charts/argo-workflows/templates/controller/workflow-controller-deployment.yaml +++ b/charts/argo-workflows/templates/controller/workflow-controller-deployment.yaml @@ -60,6 +60,18 @@ spec: - "--workflow-workers" - {{ . | quote }} {{- end }} + {{- with .Values.controller.workflowTTLWorkers }} + - "--workflow-ttl-workers" + - {{ . | quote }} + {{- end }} + {{- with .Values.controller.podCleanupWorkers }} + - "--pod-cleanup-workers" + - {{ . | quote }} + {{- end }} + {{- with .Values.controller.cronWorkflowWorkers }} + - "--cron-workflow-workers" + - {{ . | quote }} + {{- end }} {{- with .Values.controller.extraArgs }} {{- toYaml . | nindent 10 }} {{- end }} diff --git a/charts/argo-workflows/templates/crds/argoproj.io_workflowtaskresults.yaml b/charts/argo-workflows/templates/crds/argoproj.io_workflowtaskresults.yaml index e9bb93f6..861f1df8 100644 --- a/charts/argo-workflows/templates/crds/argoproj.io_workflowtaskresults.yaml +++ b/charts/argo-workflows/templates/crds/argoproj.io_workflowtaskresults.yaml @@ -441,6 +441,8 @@ spec: type: object securityToken: type: string + useSDKCreds: + type: boolean required: - key type: object @@ -470,6 +472,17 @@ spec: type: object bucket: type: string + caSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object createBucketIfNotPresent: properties: objectLocking: diff --git a/charts/argo-workflows/templates/server/server-deployment.yaml b/charts/argo-workflows/templates/server/server-deployment.yaml index b2e50967..cea885da 100644 --- a/charts/argo-workflows/templates/server/server-deployment.yaml +++ b/charts/argo-workflows/templates/server/server-deployment.yaml @@ -52,6 +52,9 @@ spec: {{- with .Values.server.extraArgs }} {{- toYaml . | nindent 10 }} {{- end }} + {{- if .Values.server.authMode }} + - "--auth-mode={{ .Values.server.authMode }}" + {{- end }} - "--secure={{ .Values.server.secure }}" {{- if .Values.singleNamespace }} - "--namespaced" diff --git a/charts/argo-workflows/values.yaml b/charts/argo-workflows/values.yaml index d6d22464..cae5f749 100644 --- a/charts/argo-workflows/values.yaml +++ b/charts/argo-workflows/values.yaml @@ -26,6 +26,9 @@ nameOverride: # -- String to fully override "argo-workflows.fullname" template fullnameOverride: +# -- Labels to set on all resources +commonLabels: {} + # -- Override the Kubernetes version, which is used to evaluate certain manifests kubeVersionOverride: "" @@ -158,6 +161,10 @@ controller: # passwordSecret: # name: argo-postgres-config # key: password + # ssl: true + # # sslMode must be one of: disable, require, verify-ca, verify-full + # # you can find more information about those ssl options here: https://godoc.org/github.com/lib/pq + # sslMode: require # -- Default values that will apply to all Workflows from this controller, unless overridden on the Workflow-level. # Only valid for 2.7+ @@ -173,6 +180,13 @@ controller: # -- Number of workflow workers workflowWorkers: # 32 + # -- Number of workflow TTL workers + workflowTTLWorkers: # 4 + # -- Number of pod cleanup workers + podCleanupWorkers: # 4 + # -- Number of cron workflow workers + # Only valid for 3.5+ + cronWorkflowWorkers: # 8 # -- Restricts the Workflows that the controller will process. # Only valid for 2.9+ workflowRestrictions: {} @@ -522,14 +536,13 @@ server: # - name: FOO # value: "bar" - # -- Extra arguments to provide to the Argo server binary, such as for disabling authentication. + # -- Auth Mode is available from `server` , `client` or `sso`. If you chose `sso` , please configure `.Values.server.sso` as well. + ## Ref: https://argoproj.github.io/argo-workflows/argo-server-auth-mode/ + authMode: "" + + # -- Extra arguments to provide to the Argo server binary. + ## Ref: https://argoproj.github.io/argo-workflows/argo-server/#options extraArgs: [] - # If you want to disable authentication for purposes such as: - # - local dev-mode without authentication - # - gateway authentication through some other service such as KeyCloak - # uncomment the lines below and comment out the default empty list `extraArgs: []` above: - # extraArgs: - # - --auth-mode=server logging: # -- Set the logging level (one of: `debug`, `info`, `warn`, `error`) @@ -631,8 +644,7 @@ server: # SSO configuration when SSO is specified as a server auth mode. sso: - # -- Create SSO configuration - ## SSO is activated by adding --auth-mode=sso to the server command line. + # -- Create SSO configuration. If you set `true` , please also set `.Values.server.authMode` as `sso`. enabled: false # -- The root URL of the OIDC identity provider issuer: https://accounts.google.com